I’ve done a lot of work in this space and the short answer is: VPN with MFA makes more sense for the vast majority of your stuff, unless you plan on deploying some sort of agent-based endpoint to handle third-party attestation of your devices (Duo Trusted Access).
If I'm able to afford it in the future, moving to a cloud provider like GCP may make sense for flexibility, but I think I'd like to stick to my cheaper solution for now. I believe I can save significant amounts of money using standard VPS servers over GCP/AWS infrastructure. I'm not necessarily against using GCP in the future, but right now I'd like to save as much money as possible in the early stages of my project.
I'm looking to set up some private infrastructure (developer infrastructure like internal wikis, internal webapps, GitLab) and would like to lock every server down behind some sort of SSO with MFA. I'd like it to be restricted for all services: SSH, HTTPS, etc.
The traditional approach would be to set up a VPN and keep everything on the internal network, but that can carry its own issues (it can be annoying and disruptive to switch networks, and it results in a "hard shell, soft interior" without other measures). My understanding is the big new thing is Google's BeyondCorp security model, which does away with VPNs and just makes everything directly Internet-facing and protected behind an auth layer.
Google's BeyondCorp mission (2011-present): to have every Google employee work successfully from untrusted networks without the use of a VPN. All access to services must be authenticated, authorized, and encrypted. Access to services is granted based on what we know about you and your device. Connecting from a particular network must not determine which services you can access. Single sign-on, access proxy, access control engine, user inventory, device inventory, security policy, and trust repository.
This seems like an appealing model to me, but it doesn't seem very common yet. I'm looking for a free or cheap way to set this up for my infrastructure. I'm okay with using either a third-party/cloud service or an open source solution.
My first choice was Cloudflare Access, which is free and ticks all of the other boxes except that by default it only protects HTTP services and not SSH or anything else. To put SSH and other services behind Cloudflare Access, you need to use Argo Tunnel, and Argo costs $5 per month + 10 cents per GB (with the first 1 GB free). The private infrastructure will only be accessed by our small team of employees and should have very little inbound traffic (at least relative to traffic from users) for a long time, unless there's something I'm not anticipating. I also already use Cloudflare for everything. So this might actually be a really good deal. But I fear getting locked into 10 cents per GB could come back to bite me. And also, I don't really want or care about the Argo routing component; I'm only interested in Argo Tunnel. I suppose I could just set it up and switch to something else if it ever becomes too costly, but then there's the hassle of transitioning to a new solution.
My second choice is the open source Pritunl Zero BeyondCorp server. This looks really good and like it'll meet all my requirements, but of course it requires some manual setup and maintenance compared to Cloudflare Access. Also, I'd likely need to run it on its own server, and the costs of that server may end up being equivalent to or even more than what I'm paying for Cloudflare Argo for some time. But at least I wouldn't be locked into a proprietary cloud solution.
Google Cloud Platform's Identity-Aware Proxy seems to be Google's original internal BeyondCorp implementation, but for cloud customers. This seems like it would probably be one of the simplest options, and it's free for all GCP services, but I would need to use GCP for all of my infrastructure.
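As an added illustration (not part of the original post, and not the code of Cloudflare Access, Pritunl Zero or Google's Identity-Aware Proxy), here is a toy access control engine built around the three BeyondCorp rules the post quotes: every request must be authenticated, authorized and encrypted; the decision is based on the user and the device; and the source network never decides anything. All users, devices, services and policies below are constructed for the example, and the trust tiers are an assumption, not any product's model.

```python
"""Toy BeyondCorp-style access control engine (constructed example).

Every decision is made from user identity, device posture and per-service
policy. The source IP is recorded for audit only and never consulted.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional


class Trust(IntEnum):
    UNTRUSTED = 0   # unknown or uninventoried device
    KNOWN = 1       # in the device inventory but below the managed baseline
    MANAGED = 2     # inventoried, managed, disk-encrypted and patched


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    mfa_verified: bool          # did the SSO session complete MFA?


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class ServicePolicy:
    allowed_groups: FrozenSet[str]
    min_trust: Trust
    require_mfa: bool


@dataclass(frozen=True)
class Request:
    service: str
    tls: bool
    source_ip: str              # audit only; not an input to the decision
    user: Optional[User] = None
    device: Optional[Device] = None


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]          # empty when allowed


def device_trust(device: Optional[Device], inventory: Dict[str, Device]) -> Trust:
    """Derive a trust tier from the device inventory; unknown devices get none."""
    if device is None or device.device_id not in inventory:
        return Trust.UNTRUSTED
    known = inventory[device.device_id]   # trust the inventory, not the client's claim
    if known.managed and known.disk_encrypted and known.patched:
        return Trust.MANAGED
    return Trust.KNOWN


class AccessEngine:
    def __init__(self, policies: Dict[str, ServicePolicy], inventory: Dict[str, Device]):
        self.policies = policies
        self.inventory = inventory
        self.audit_log = []       # (source_ip, service, allowed)

    def evaluate(self, req: Request) -> Decision:
        reasons: List[str] = []
        policy = self.policies.get(req.service)
        # Gate 1: the request must be encrypted, authenticated and for a known service.
        if policy is None:
            reasons.append(f"unknown service {req.service!r}")
        if not req.tls:
            reasons.append("connection is not encrypted")
        if req.user is None:
            reasons.append("request is not authenticated")
        if reasons:
            return self._record(req, Decision(False, reasons))
        # Gate 2: authorization from what we know about the user and the device.
        if policy.require_mfa and not req.user.mfa_verified:
            reasons.append("MFA required but not completed")
        if not (req.user.groups & policy.allowed_groups):
            reasons.append(f"user {req.user.name} not authorized for {req.service}")
        tier = device_trust(req.device, self.inventory)
        if tier < policy.min_trust:
            reasons.append(f"device trust {tier.name} below required {policy.min_trust.name}")
        return self._record(req, Decision(not reasons, reasons))

    def _record(self, req: Request, decision: Decision) -> Decision:
        self.audit_log.append((req.source_ip, req.service, decision.allowed))
        return decision


# Constructed sample inventory and policy (hypothetical names).
POLICIES = {
    "wiki": ServicePolicy(frozenset({"staff"}), Trust.KNOWN, require_mfa=True),
    "gitlab": ServicePolicy(frozenset({"developers"}), Trust.MANAGED, require_mfa=True),
    "ssh-bastion": ServicePolicy(frozenset({"ops"}), Trust.MANAGED, require_mfa=True),
}
LAPTOP = Device("lt-0042", managed=True, disk_encrypted=True, patched=True)
OLD_LAPTOP = Device("lt-0007", managed=True, disk_encrypted=True, patched=False)
INVENTORY = {d.device_id: d for d in (LAPTOP, OLD_LAPTOP)}
ALICE = User("alice", frozenset({"staff", "developers"}), mfa_verified=True)


def demo() -> Dict[str, Decision]:
    """Same user and device from the LAN and from the Internet get the same answer."""
    engine = AccessEngine(POLICIES, INVENTORY)
    return {
        "inside": engine.evaluate(Request("gitlab", True, "10.0.0.5", ALICE, LAPTOP)),
        "outside": engine.evaluate(Request("gitlab", True, "203.0.113.7", ALICE, LAPTOP)),
        "stale_device": engine.evaluate(Request("gitlab", True, "203.0.113.7", ALICE, OLD_LAPTOP)),
        "anonymous_internal": engine.evaluate(Request("wiki", True, "10.0.0.5")),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:20s} allowed={decision.allowed} {decision.reasons}")
```

The point of the example is the asymmetry the post is after: an unauthenticated request from the internal network is refused, while an authenticated, MFA-verified user on a managed device is admitted from anywhere, and an unpatched device is refused from anywhere. In a real deployment the hard part is keeping the device inventory truthful, which is what the agent-based attestation mentioned in the reply above provides; without it, the `device_trust` lookup has nothing reliable to consult.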