Multiple ZeroTrust configs from one Cloudflare account

I am looking to setup Cloudflare ZeroTrust for multiple clients. We already by default setup their DNS for management in our Cloudflare console.

My question is this. With one Cloudflare account (we’ll call it Service Provider) and 3 clients, (we will call them Client 1, Client 2 & Client 3), can you setup three different discrete Zero Trust configurations?

The goal would be to setup Client 1’s SMB shares, print services, etc. along with Internal web services using the Zero Trust tools (tunnel & WARP) within our Cloudflare portal. BUT ALSO, setup Client 2’s with their specific configuration and Client 3’s with their specific configuration.

The reason being is that we would like the same ease we have today of logging into one portal to administer all client DNS records. We would like the same ease in managing each client’s discrete Zero Trust implementation. Is this possible ?

It could be done, it’s not as easy as managing zones which are generally discreet. Basically every policy would have to have an explicit deny all, with an exception for a given client. An some things such as custom pages are global configs. You’ll also likely need to test virtual networks heavily (along with the rest) before deciding to go that route.

Ok thanks for the recommendation. Not looking to create long term management headaches for myself. I guess the first step will be to create a new Cloudflare account for the client and then transfer their domain into it and then manage that instance going forward.

I had heard that Cloudflare was looking to create an MSP type of offering but I think they want the minimum monthly spend to be something like $5,000.00. We currently do spend at that level with other providers, but without offering a ramp to get there while you migrate your clients it doesn’t make financial sense for us or our clients at this point in time

Thanks again…

I’d look to manage this via terraform if at all possible. Short term headache for long term consistency (also allows you to implement a baseline set of best practices for a new customer and then customize from there as needed).

2 Likes

Yeah, that sounds like the move with this as we are preparing to move a lot of our clients to a location agnostic posture. The baseline config will be very similar.

1 Like