Configs · Apr 19, 2026 · 3 min read

Pomerium — Identity-Aware Zero Trust Access Proxy

Pomerium is an open source reverse proxy that provides secure, identity-aware access to internal applications without a VPN, implementing BeyondCorp-style zero trust networking with SSO integration.

Quick Use

Use it first, then decide how deep to go


# Install via Homebrew
brew install pomerium/tap/pomerium
# Or run as a Docker container. The image reads its configuration from
# /pomerium/config.yaml (mounted read-only here); routes, identity-provider
# settings, secrets and TLS options all live in that file. Port 443 is the
# proxy's public listener.
docker run -v /path/to/config.yaml:/pomerium/config.yaml:ro -p 443:443 pomerium/pomerium:latest

Introduction

Pomerium is a context-aware access proxy that authenticates and authorizes every request before forwarding it to an upstream service. It replaces traditional VPNs with a BeyondCorp-inspired model where identity, device, and context determine access rather than network position.

What Pomerium Does

  • Authenticates users via any OpenID Connect identity provider
  • Authorizes requests based on user identity, group membership, and device context
  • Proxies HTTP, gRPC, TCP, and WebSocket traffic to upstream services
  • Provides a service account system for machine-to-machine access
  • Logs every access decision for audit and compliance

Architecture Overview

Pomerium ships as a single Go binary that can run every service in one process, or as separately deployed authenticate, authorize, proxy, and databroker services. For each incoming request the proxy redirects an unauthenticated user to the configured IdP, asks the authorize service to evaluate the matching route's policy (written in YAML using Pomerium Policy Language), and forwards the request upstream only if the policy allows it. Session and identity state lives in the databroker, which keeps it in memory by default and can be backed by PostgreSQL when several instances must share state.

Self-Hosting & Configuration

  • Deploy as a single binary, Docker container, or Kubernetes Helm chart
  • Configure routes and policies in a YAML file or via the Pomerium Enterprise console
  • Integrate with any OIDC provider: Google, Okta, Azure AD, Auth0, and others
  • Enable device identity verification with client certificates
  • Use the Pomerium CLI for TCP tunneling to non-HTTP services like SSH and databases
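The architecture and self-hosting bullets above describe what a configuration file has to contain without showing one. The following is an added example of a single-binary config.yaml; it is not a file from the Pomerium project, the hostnames, upstream addresses, IdP values and secrets are placeholders, and the option and policy key names are written as they appear in Pomerium's configuration reference, so check them against the version you deploy. It shows two weak route settings (public access, and "any authenticated user") next to the corrected, policy-restricted form, plus a TCP route for the CLI tunnelling case.

```yaml
# Added example config.yaml for a single-binary Pomerium deployment.
# Not the project's own file: hostnames, IdP settings, upstream
# addresses and secrets are placeholders.

# Public URL of the authenticate service; unauthenticated users are
# redirected here to start the OIDC login flow.
authenticate_service_url: https://authenticate.example.com

# Identity provider: any OIDC issuer. The client secret is a credential;
# in production supply it through the IDP_CLIENT_SECRET environment
# variable or a secrets manager rather than committing it in this file.
idp_provider: oidc
idp_provider_url: https://idp.example.com
idp_client_id: pomerium
idp_client_secret: "<client-secret>"

# Both secrets must be 32 random bytes, base64 encoded.
# Generate each one with:  head -c32 /dev/urandom | base64
shared_secret: "<base64-32-bytes>"   # authenticates traffic between Pomerium services
cookie_secret: "<base64-32-bytes>"   # encrypts the session cookie

# Obtain and renew public certificates from Let's Encrypt.
# To bring your own, set certificate_file and certificate_key_file instead.
autocert: true

routes:
  # WEAK: forwarded with no authentication at all. Only defensible for
  # content that is meant to be public.
  # - from: https://status.example.com
  #   to: http://status.internal:8080
  #   allow_public_unauthenticated_access: true

  # WEAK: any account the IdP will log in is admitted, which with a
  # public issuer means anyone with an account there.
  # - from: https://wiki.example.com
  #   to: http://wiki.internal:3000
  #   allow_any_authenticated_user: true

  # Corrected: require an account in the company domain AND membership
  # in an IdP group. Rules are evaluated by the authorize service on
  # every request, using the claims stored at login.
  - from: https://wiki.example.com
    to: http://wiki.internal:3000
    pass_identity_headers: true   # upstream sees X-Pomerium-Claim-* and the signed JWT
    policy:
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: engineering   # name or ID, depending on what the IdP puts in the groups claim

  # Admin tool: allow only named users.
  - from: https://admin.example.com
    to: http://admin.internal:9000
    policy:
      - allow:
          or:
            - email:
                is: alice@example.com
            - email:
                is: bob@example.com

  # Non-HTTP service: an SSH bastion reached through the Pomerium CLI.
  # The tcp+https scheme tells Pomerium to treat the route as a TCP
  # tunnel terminated at the proxy after the same identity checks.
  - from: tcp+https://ssh.example.com:22
    to: tcp://bastion.internal:22
    policy:
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: sre
```

With this file in place, the SSH route is used from a workstation by running `pomerium-cli tcp ssh.example.com:22 --listen localhost:2222` (the flag set as documented for the CLI; confirm with `pomerium-cli tcp --help`), completing the browser login it opens, and then connecting with `ssh -p 2222 user@localhost`. The two commented-out routes are the settings to grep for in review: `allow_public_unauthenticated_access` and `allow_any_authenticated_user` each bypass the policy block entirely.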

Key Features

  • VPN replacement: access internal apps from any network without a VPN client
  • Fine-grained policies based on user email, group, domain, and device posture
  • Automatic TLS certificate provisioning via Let's Encrypt
  • Built-in service discovery for Kubernetes with Ingress Controller support
  • Per-request authorization evaluated locally by the authorize service against the session claims stored at login, with no round-trip to the identity provider on each request

Comparison with Similar Tools

  • Tailscale/WireGuard — network-level mesh VPN; Pomerium operates at the application layer with per-request authorization
  • OAuth2 Proxy — simpler auth proxy without policy engine; Pomerium adds fine-grained authorization and device context
  • Cloudflare Access — SaaS zero trust proxy; Pomerium is self-hosted with no vendor dependency
  • Teleport — focuses on SSH and database access; Pomerium covers HTTP, gRPC, and TCP generically
  • Authentik — identity provider with proxy mode; Pomerium is a dedicated access proxy with richer policy language

FAQ

Q: Can Pomerium replace my VPN? A: For HTTP, gRPC, WebSocket, and TCP services, yes. Access is granted per request based on identity and policy rather than network position, so users need no VPN client. Anything that depends on raw network reachability, such as UDP-based protocols, broadcast or discovery traffic, or access to whole subnets, is outside its model and still needs a network-level tool.

Q: Which identity providers does Pomerium support? A: Any OIDC-compliant provider including Google Workspace, Okta, Azure AD, Auth0, Keycloak, and GitLab.

Q: Does Pomerium support non-HTTP protocols? A: Yes. The Pomerium CLI can tunnel TCP traffic, enabling secure access to SSH, databases, and other TCP services.

Q: How does Pomerium handle TLS? A: Pomerium can automatically provision and renew TLS certificates via Let's Encrypt, or you can provide your own certificates.
