Identity at the Edge, Origins in the Dark
Reachable without a single inbound port open.
Cloudflare Access in front of outbound-only tunnels means internal apps are reachable without exposing a single inbound port. The origin never listens on the public internet, so there is nothing to scan or exploit from outside.
The edge as policy engine
Add Workers for programmable edge logic and per-request identity checks and the edge becomes both the front door and the policy engine. It composes cleanly with a WAF and rate limiting for real defense in depth.
Where AI helps
Risk-based access decisions can weigh behavioral signals in real time, and lightweight edge inference can classify or filter requests before they ever reach an origin. Identity stops being a single yes-or-no and becomes a continuous, contextual score.