VPN replacement

Retire the VPN. Onboard Zero Trust.

Tap any VPN client to focus the mapping.

LEGACY VPNNANOSEKCLOUDFLAREAudit appsMap usersPilot waveDecommission VPNCisco AnyConnectPalo Alto GlobalProtectFortiClientOpenVPNWireGuard / IPsecAccess (ZTNA)WARP clientCloudflare TunnelDevice postureGateway

Legacy VPN → Zero Trust

From Cisco AnyConnect, through Audit apps → Map users → Pilot wave → Decommission VPN, into the Cloudflare destinations on the right.
Discuss your Cloudflare roadmap View checklist
On this page

Nanosek helps organizations retire broad network VPN access by moving applications and user groups to Cloudflare Zero Trust. The rollout starts with discovery and pilot apps, then expands with measured user migration.

Topics: cloudflare, migration, legacy, cloudflare, zero, trust

Machine-readable context: /ai-index.json

Who this is for

Enterprise security, infrastructure, platform, and network teams responsible for public applications or workforce access.
Organizations migrating from legacy CDN, WAF, bot, access, or edge platforms.
Teams that need Cloudflare expertise without slowing down production delivery.

Problems solved

  • Legacy rules and platform behavior are difficult to translate safely.
  • Cutover windows require rollback planning, stakeholder alignment, and live validation.
  • Security controls need tuning before they can move from monitoring to enforcement.
  • Operations teams need logging, ownership, and change control after launch.

Delivery approach

1

Discovery of current architecture, traffic patterns, domains, rules, identities, integrations, and operational constraints.

2

Mapping of existing controls into Cloudflare primitives with clear decisions for keep, replace, simplify, or retire.

3

Staged implementation using test zones, shadow logging, monitor mode, canary traffic, and documented approval gates.

4

Post-cutover tuning, dashboarding, incident workflow alignment, and managed operations handoff.

Architecture

DNS, certificates, origin reachability, cache behavior, and failover paths.
WAF rulesets, custom rules, exceptions, bot signals, API controls, and rate limits.
Identity provider integration, device posture, user groups, tunnels, and access policies where Zero Trust is involved.
Logpush destinations, SIEM fields, alerting, ownership, and retention requirements.

Migration steps

  1. 01 Assess the existing environment and define success criteria.
  2. 02 Create a Cloudflare target architecture and migration backlog.
  3. 03 Build and test controls in monitoring or non-production mode.
  4. 04 Run stakeholder validation and prepare rollback procedures.
  5. 05 Execute phased cutover with live monitoring.
  6. 06 Tune enforcement and transition to managed operations.

Risks and mitigations

Risk

False positives during WAF or bot enforcement.

Mitigation

Start in logging or simulate mode, review traffic, and promote controls gradually.

Risk

DNS or certificate disruption during cutover.

Mitigation

Lower TTLs, validate records, preload certificates, and keep rollback instructions ready.

Risk

Missing visibility after migration.

Mitigation

Configure Logpush, dashboards, alerts, and operational ownership before launch.

Risk

Behavior differences between legacy vendor and Cloudflare.

Mitigation

Use mapping workshops, test cases, and canary validation before full traffic shift.

Deliverables

  • Current-state assessment and risk register.
  • Cloudflare target architecture.
  • Migration or implementation plan.
  • Cutover and rollback runbook.
  • Configured Cloudflare services and validation notes.
  • Post-launch tuning backlog and operating model.

Frequently asked questions

Can Nanosek handle emergency Cloudflare migrations?
Yes. Nanosek can prioritize stabilization work such as DNS onboarding, WAF baseline controls, origin protection, and emergency traffic validation.
Do migrations require downtime?
Most migrations can be planned to avoid downtime, but this depends on DNS, certificate, origin, and application constraints. Nanosek builds rollback and validation steps into the plan.
Can Nanosek manage Cloudflare after launch?
Yes. Nanosek provides managed Cloudflare operations including tuning, monitoring, change support, incident response, and optimization.

Discuss your Cloudflare roadmap

Nanosek can help design and deliver a plan that fits your environment, timeline, and constraints.

Talk to Nanosek Read the Blog
Ready to talk?

Deliver Cloudflare without surprises.

Whether you're migrating, hardening, or operating Cloudflare — Nanosek brings authorized MSP & ASDP delivery, rollback-ready cutovers, and managed operations after launch.

Talk to Nanosek Run readiness assessment