§ BROCH vs CLOUDFLARE ZERO TRUST

Broch keeps your traffic — and your devices — on your own network. Cloudflare Zero Trust routes them through Cloudflare’s.

Both publish services behind your firewall and broker access to them. The difference is whose network the traffic crosses, whether a lightweight CLI runs the specific tunnels you ask for or an agent routes all your device’s traffic by default, whose systems the logs land in, and whose account it all depends on.

Broch is self-hosted. It runs in your own cloud or on-prem, installs no device-wide agent, and keeps every byte of traffic inside your network — decrypted only on servers you control. Access is brokered through the identity provider you already run, deny-all by default, and the logs are generated in your infrastructure and streamed straight to your SIEM. The traffic, the access decisions, and the audit trail all stay on your side of the line, under your account, no one else’s. Cloudflare Zero Trust is a capable SASE platform with a real identity layer — but it routes your services through Cloudflare’s edge and, by default, hauls all of your users’ device traffic there too, and none of it runs without a Cloudflare account.

Broch vs Cloudflare Zero Trust, line by line.

| Capability | Broch | Cloudflare Zero Trust |
| --- | --- | --- |
| Where it runs | Your infrastructure (Azure, AWS, on-prem; Docker / Terraform / Bicep); runs independently | A connector (cloudflared) in your infra plus Cloudflare’s global network; requires a Cloudflare account |
| Client footprint | A lightweight CLI that runs the specific tunnels you ask for; no device-wide agent | Cloudflare One Client (WARP) routes all the device’s traffic, every port and protocol, to Cloudflare’s edge by default (split-tunnel can scope it); required for private-IP access |
| Data sovereignty | Traffic never leaves your network | Transits Cloudflare’s edge and is decrypted there (regionalizable with Data Localization, still on Cloudflare) |
| In your vendor data-path? | No: software you run, not a service in the path | Yes: Cloudflare is in the path |
| Compliance burden | Inside your existing audit (self-hosted); no vendor to assess | Cloudflare is a vendor you must assess |
| Identity sovereignty | Your own IdP (any OIDC); access granted to IdP roles/groups, enforced in your deployment; no unauthenticated tunnels | Your own IdP (SAML/OIDC) via Cloudflare Access; identity-aware policies, IdP groups; enforced at Cloudflare’s edge |
| Default exposure | Deny-all: no tunnel without an admin-assigned policy (localhost included); non-loopback targets must be admin-registered (Service Registry); revoke and live tunnels drop | Connector operator sets ingress rules to any reachable origin; no admin-enforced allow-list |
| User attribution | Every tunnel’s activity tied to the IdP identity that created it, in your own SIEM | Via Cloudflare Access identity |
| Log ownership | Generated in your infra, streamed to your SIEM (Datadog, Seq, OpenTelemetry, stdout); no tier gate | Generated by Cloudflare and stored in Cloudflare; export to your SIEM via Logpush (Enterprise) |
| Transport | Open standards and open-source components you can inspect (SSH over WebSocket, OIDC/JWT, YARP); runs in your infra | Open-source connector (cloudflared) that connects to Cloudflare’s proprietary edge |
| Pricing | $10 per developer seat / mo, flat; you set the seat count and seats auto-assign up to it; no metering, no tier gates | Free under 50 users; $7/user above, every user counted, and SIEM log export needs the Contract tier (Zero Trust, Pay-as-you-go) |

Five reasons sovereignty-bound teams choose Broch over Cloudflare Zero Trust.

01 Your traffic shouldn’t cross a third party’s network.

Broch keeps the entire path inside your network — no edge in the middle, no device agent hauling traffic out, decrypted only on servers you control. Nothing transits a vendor. Cloudflare Zero Trust routes your traffic through its global edge, where it’s decrypted by default — their own docs: “Cloudflare must decrypt traffic in order to cache and filter” — and on the access side the device agent (Cloudflare One Client) routes all of your users’ traffic, every port and protocol, to that edge by default (split-tunnel can narrow it). Data Localization can pin decryption to a region, but it still happens on Cloudflare’s infrastructure; there’s no proxied mode where Cloudflare never sees your plaintext.

02 Self-hosted — no third-party account in the loop.

Broch runs entirely in your infrastructure — Docker, Terraform, Bicep. A provider outage, a policy change, a jurisdiction you can’t use: your call to make, not a dependency you inherited. Cloudflare Tunnel can’t run without Cloudflare — even a locally-managed tunnel has to run cloudflared tunnel login, carry the Cloudflare-issued certificate that login writes to disk, and terminate on Cloudflare’s network.

03 Deny-by-default, with an admin allow-list of targets.

With Broch, a developer with no admin-assigned policy can expose nothing — not even their own localhost. Non-loopback targets must be registered in Broch’s Service Registry and named in a policy; the grant is live, so revoke it and running tunnels drop. With Cloudflare Tunnel, whoever runs the connector writes the ingress rules (in the connector’s config file for a locally-managed tunnel; a remotely-managed tunnel takes its routes from the Zero Trust dashboard instead), and in either case the upstream can be any address the connector host can reach: there’s no admin-enforced allow-list of permitted origins.

04 Audit and operational logs in your SIEM — generated in your infrastructure.

Broch emits structured events as they happen, straight to your own logging stack (Datadog, Seq, OpenTelemetry, stdout), no tier gate — generated in your infrastructure and kept there. Cloudflare’s access and gateway logs are “events generated by Cloudflare One services”: they originate in Cloudflare’s cloud, are stored there first, and reach your SIEM only through Logpush — an Enterprise feature.
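
Reasons 03 and 04 describe one model: a broker that answers deny unless an admin-assigned policy names the target, treats localhost like any other target, drops live tunnels when the grant goes away, and writes every decision, denials included, as a structured event carrying the IdP identity that asked. The block below is an added example of that model for this page; it is not Broch’s code (nor Cloudflare’s), and the names Service, Policy, Broker, the event fields, and the sample addresses and identities are all assumptions made here. Only the behaviour is taken from the page.

```python
"""Deny-by-default tunnel brokering with admin-registered targets, live
revocation and identity-attributed audit events. Added illustration, not
Broch's or Cloudflare's code: Service, Policy, Broker and the event fields
are hypothetical names; the behaviour follows the page (no tunnel without
an admin-assigned policy, localhost included; non-loopback targets must be
registered; revoking a grant drops live tunnels; every event names the IdP
identity that opened the tunnel)."""
import ipaddress
import json
from dataclasses import dataclass

class AuthzError(Exception):
    pass

@dataclass(frozen=True)
class Service:
    name: str  # registry key that policies reference
    host: str
    port: int

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset   # IdP groups allowed to use this policy
    targets: frozenset  # registered service names or "localhost:<port>"

def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

class Broker:
    def __init__(self, sink):
        self.registry = {}  # service name -> Service (admin-managed)
        self.policies = {}  # policy name -> Policy (admin-managed)
        self.live = {}      # tunnel id -> (identity, policy name, target)
        self._next_id = 1
        self._sink = sink   # gets one JSON line per event (stdout, SIEM shipper, ...)

    def _audit(self, event, identity, **fields):
        # Every event names the IdP subject; nothing is logged anonymously.
        self._sink(json.dumps({"event": event, "identity": identity, **fields}))

    def _target_key(self, host, port):
        """Map host:port to a policy key; unregistered non-loopback targets fail closed."""
        if _is_loopback(host):
            return f"localhost:{port}"
        for svc in self.registry.values():
            if svc.host == host and svc.port == port:
                return svc.name
        raise AuthzError(f"{host}:{port} is not in the service registry")

    def open_tunnel(self, identity, groups, host, port):
        """Return a tunnel id or raise AuthzError; the default answer is deny."""
        target = f"{host}:{port}"
        try:
            key = self._target_key(host, port)
            grant = next((p for p in self.policies.values()
                          if groups & p.groups and key in p.targets), None)
            if grant is None:
                raise AuthzError(f"no policy grants {identity} access to {target}")
        except AuthzError as exc:
            self._audit("tunnel.denied", identity, target=target, reason=str(exc))
            raise
        tid, self._next_id = self._next_id, self._next_id + 1
        self.live[tid] = (identity, grant.name, target)
        self._audit("tunnel.opened", identity, tunnel=tid, policy=grant.name, target=target)
        return tid

    def revoke_policy(self, name):
        """Remove a policy and drop every live tunnel that was opened under it."""
        self.policies.pop(name, None)
        dropped = [tid for tid, (_, pol, _) in self.live.items() if pol == name]
        for tid in dropped:
            identity, _, target = self.live.pop(tid)
            self._audit("tunnel.dropped", identity, tunnel=tid, policy=name, target=target)
        return dropped

def demo():
    """Run the page's scenarios on constructed sample data; returns (outcomes, audit lines)."""
    audit = []
    b = Broker(audit.append)
    # Constructed registry and policies; the addresses and identities are made up.
    b.registry["billing-db"] = Service("billing-db", "10.0.5.20", 5432)
    b.policies["dev-local"] = Policy("dev-local", frozenset({"developers"}), frozenset({"localhost:3000"}))
    b.policies["dba"] = Policy("dba", frozenset({"dba"}), frozenset({"billing-db"}))
    outcomes = {}

    def attempt(label, identity, groups, host, port):
        try:
            outcomes[label] = b.open_tunnel(identity, groups, host, port)
        except AuthzError:
            outcomes[label] = "denied"

    attempt("no-policy-localhost", "carol@example.com", {"contractors"}, "127.0.0.1", 8080)
    attempt("dev-localhost-3000", "alice@example.com", {"developers"}, "localhost", 3000)
    attempt("dev-localhost-8080", "alice@example.com", {"developers"}, "127.0.0.1", 8080)
    attempt("dev-unregistered", "alice@example.com", {"developers"}, "10.0.5.21", 5432)
    attempt("dba-billing", "bob@example.com", {"dba"}, "10.0.5.20", 5432)
    outcomes["dropped-on-revoke"] = b.revoke_policy("dba")
    outcomes["still-live"] = sorted(b.live)
    return outcomes, audit
```

Two details are the point. The registry check runs before the policy check, so a policy can only ever name something an admin has already registered, and a developer who guesses a reachable internal address gets a denial rather than a tunnel. And the denial is written with the same identity field as a grant, which is what lets a SIEM answer “who tried to reach what” without a second data source; swap the sink for a stdout writer under a log collector or an OpenTelemetry log exporter and the lines never leave the infrastructure that made the decision.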

05 Licensed per seat — and we don’t track your users.

Broch is licensed per developer seat. You set the seat count; seats auto-assign on first use, up to that count — nobody hand-picks who gets one. Hit the limit and the developer gets a clear message; an admin raises the count from the console and it applies live, prorated. Cloudflare charges per user, so counting your people is built into the model. What Broch reports for licensing is a seat count, never an identity. We don’t want to know who your users are — that’s not our business, the same way your traffic isn’t.

Run your own tunnels in minutes.

Deploy with Docker, Terraform, or Bicep. Bring your identity provider. Keep your traffic, your logs, and your keys on your side of the line.

Cloudflare is a trademark of its respective owner. Broch is not affiliated with or endorsed by Cloudflare. Comparisons reflect Cloudflare’s publicly documented behavior at the time of writing (June 2026).