Skip to content
Visit Access on GitHub
Set theme to dark (⇧+D)

Migrate from Zone Lockdown

Some teams use Cloudflare's Zone Lockdown feature alongside their Virtual Private Network deployment to only allow IP ranges in that VPN to connect to applications. This model relies on IP ranges, rather than identity, to control who can reach sensitive applications.

Cloudflare Access can replace Zone Lockdown deployments with a zero-trust model built on your team's SSO. The migration takes less than 10 minutes. Once cutover, end users can deprecate their VPN client and administrators have more granular control and logging over user connections.

Zone Lockdown

Zone Lockdown specifies a list of one or more IP addresses, CIDR ranges, or networks that are the only IPs allowed to access a domain, subdomain, or URL. Zone Lockdown allows multiple destinations in a single rule as well as IPv4 and IPv6 addresses. IP addresses not specified in the Zone Lockdown rule are denied access to the specified resources.

Migration to Cloudflare Access

With Zone Lockdown enabled, your team has already completed many of the steps required to set up Cloudflare Access. Replacing the IP rules with identity-based rules requires the following additional steps.

  1. Navigate to the Teams dashboard. Enable Cloudflare Access for your account.
  2. Integrate your organization's identity provider.
  3. Selecting Applications to begin building an identity-based policy.
  4. Choose the hostname protected by Zone Lockdown today. Add an Access policy to only allow connections from users in your organization. Test the connection from an IP allowed by your Zone Lockdown policy.
  5. Return to the Firewall tab of the Cloudflare dashboard and remove the Zone Lockdown policies.