LAB 03

Zero Trust

Protect your workforce, applications, and data with a modern security framework

45 minutes | Level 1 | 3 Captains
Access, Cloudflare Tunnel, Gateway, WARP

Summary

This hands-on lab provides participants with the practical skills needed to deploy Cloudflare's Zero Trust platform. By the end of the session, you will know how to secure remote user access, applications, and corporate data using core Zero Trust components.

Objectives

  • Enable and deploy the foundational elements of Cloudflare Zero Trust.
  • Securely connect self-hosted applications to the Cloudflare network using Cloudflare Tunnel.
  • Protect self-hosted applications using identity-aware security policies provided by Cloudflare Access.
  • Deploy web traffic filtering and security policies for user internet access using Cloudflare Gateway.

Lab Authors

  • Fiffy Amiera, Digital Solutions Engineer
  • Jun Hao Lee, Digital Solutions Engineer
  • Shahrul Azhar, Digital Solutions Engineer

Lab Modules

Step-by-step hands-on modules

1. Getting Started (30 min)

Welcome to the BlazeHack ZTNA lab. This module walks you through accessing your dedicated lab environment — a Windows user workstation and an Ubuntu origin server — and integrating a SAML-based Identity Provider so that Cloudflare Access can verify user identities.

Objective: Access and verify the Cloudflare-managed lab environment, verify your team domain prefix, and integrate a SAML-based Identity Provider with Cloudflare One.

Key Steps:

  • Access the lab environment and locate your lab slug
  • Verify your Cloudflare Zero Trust team domain prefix
  • Register a SAML provider using your lab slug
  • Add the SAML IdP to your Cloudflare account
  • Test and confirm the SAML integration

2. Cloudflare Access (45 min)

Cloudflare Access provides visibility and control over who has access to your custom hostnames. This module covers defining access policies, protecting self-hosted applications, enrolling devices using the WARP client, and publishing internal applications through Cloudflare Tunnel without exposing origin servers.

Objective: Configure Cloudflare Access to protect internal applications, enroll users with the Cloudflare One Client, and publish internal applications securely using Cloudflare Tunnel.

Key Steps:

  • Set up DNS and verify public site access
  • Create Access policies for employees and IT admins
  • Protect the status page with a Self-hosted Access application
  • Enroll the WARP client and verify the Zero Trust connection
  • Create a Cloudflare Tunnel and publish the intranet site

3. Cloudflare Gateway (45 min)

Cloudflare Gateway is a Secure Web Gateway that secures and inspects corporate internet traffic. This module layers DNS filtering, Remote Browser Isolation, and Data Loss Prevention to build a comprehensive threat defense posture for your workforce.

Objective: Configure DNS policy to block security-risk domains, isolate traffic for internal applications using Remote Browser Isolation, and create a DLP-enabled HTTP policy to stop sensitive data leaks to ChatGPT.

Key Steps:

  • Forward traffic to Gateway and enable TLS decryption
  • Create a DNS policy to block all security-risk categories
  • Verify DNS policy enforcement and review logs
  • Create an HTTP Isolation policy for an internal application
  • Create a DLP profile and HTTP policy to block ChatGPT prompt exfiltration
