Zero trust without tunnel


I’m dealing with an issue regarding the functionality of Zero Trust. I have one domain, for example, let’s call it, which I further divide into the subdomains devel and stable. I have my DNS records on Cloudflare, where my records are proxied to exposed addresses on the internet. There my HAProxy resides, which handles HTTP/HTTPS requests and sends them to K8s.

I’m trying to deploy a Zero Trust solution for one application and allow access only through an email domain or through the public address I use within my network. However, these settings don’t seem to do anything. If I try to log in to the web using a different public address not configured as allowed in the Zero Trust settings, the pages load without prompting for an email address.

My DNS records look something like this:

A devel X.X.X.X (IP) Proxied
CNAME *devel

For stable it is the same, but with another proxied IP.

Zero Trust includes rules for the domain, which I want to block. However, applying rules seems to be problematic. I tried applying only one rule, which is block-all, but it didn’t do anything, and the web application remained accessible.

I might be missing some configuration. In the guides and documentation, I only found methods using tunnels. However, since I have a public address exposed for my K8s cluster, I don’t necessarily need to use tunnels. Thank you in advance for any feedback.
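When a self-hosted application sits behind a proxied Cloudflare hostname without a tunnel, Cloudflare Access only ever sees traffic that goes through Cloudflare's edge; a request sent straight to the origin's public IP never passes an Access policy. The origin therefore has to enforce Access itself, by validating the `Cf-Access-Jwt-Assertion` header that Cloudflare adds to requests it has authenticated, and by only accepting connections from Cloudflare's edge. The following is an added example, not code from the original post or from Cloudflare: an origin-side check of that header written in Go against the standard library only. It assumes a team domain of `https://example-team.cloudflareaccess.com`, an application AUD tag of `example-aud-tag` and a key id `kid-1`; all three are placeholders, and the RSA key it generates stands in for Cloudflare's signing key so that the example runs offline. A real deployment takes the public keys from the team's `/cdn-cgi/access/certs` endpoint and the AUD tag from the Access application's settings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims the origin must check. Access puts the application's AUD tag in "aud" (an array).
type accessClaims struct {
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// verifyAccessJWT checks an RS256 token against the team's public keys (keyed by kid; a real
// origin fetches them from https://<team>.cloudflareaccess.com/cdn-cgi/access/certs), the
// expected issuer and this application's AUD tag. "now" is a parameter to keep tests stable.
func verifyAccessJWT(token string, keys map[string]*rsa.PublicKey, issuer, aud string, now time.Time) (*accessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("missing or malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token is not base64url")
	}
	hdr := map[string]string{}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm so the token cannot select "none" or an HMAC variant.
	if hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr["alg"])
	}
	key, ok := keys[hdr["kid"]]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr["kid"])
	}
	// Verify the signature before trusting anything in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c accessClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == aud
	}
	if !audOK {
		return nil, errors.New("aud does not match this application")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// newTestKey and signTestToken stand in for Cloudflare's signer so the example runs
// offline; a real origin never holds the private key.
func newTestKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func signTestToken(priv *rsa.PrivateKey, kid string, c accessClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv := newTestKey()
	keys := map[string]*rsa.PublicKey{"kid-1": &priv.PublicKey}
	issuer, aud := "https://example-team.cloudflareaccess.com", "example-aud-tag" // assumed placeholders
	good := signTestToken(priv, "kid-1", accessClaims{Iss: issuer, Aud: []string{aud}, Email: "alice@example.com", Exp: time.Now().Add(time.Hour).Unix()})
	_, viaAccess := verifyAccessJWT(good, keys, issuer, aud, time.Now())
	_, direct := verifyAccessJWT("", keys, issuer, aud, time.Now()) // a hit on the origin that bypassed Access
	fmt.Println("via Access:", viaAccess, "| direct to origin:", direct)
}
```

In the application (or an auth sidecar in front of it) call `verifyAccessJWT` on `r.Header.Get("Cf-Access-Jwt-Assertion")` for every request and answer 403 on any error; a request that arrived directly at the public IP has no such header and is refused regardless of what the Access policy says. The issuer and AUD checks matter because every Access application in the team is signed by the same keys: without them a token issued for a different, more permissive application would be accepted here. Pair this with an HAProxy rule that only accepts connections from Cloudflare's published IP ranges, so that the origin cannot be reached around the proxy at all.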

Hey there!
I’d advise you to double-check the Zero Trust configuration.
Then try to test the Zero Trust rules by attempting to access the application from a different IP address or email domain, and verify that the controls are enforced as expected and not blocked.
Also check the DNS settings, which should be correctly configured to route traffic.
If all fails, I’d say try the remote tunneling route, since it will provide more control and will solve the issue.