Configs · Apr 19, 2026 · 3 min read

Pomerium — Identity-Aware Zero Trust Access Proxy

Pomerium is an open source reverse proxy that provides secure, identity-aware access to internal applications without a VPN, implementing BeyondCorp-style zero trust networking with SSO integration.

Introduction

Pomerium is a context-aware access proxy that authenticates and authorizes every request before forwarding it to an upstream service. It replaces traditional VPNs with a BeyondCorp-inspired model where identity, device, and context determine access rather than network position.

What Pomerium Does

  • Authenticates users via any OpenID Connect identity provider
  • Authorizes requests based on user identity, group membership, and device context
  • Proxies HTTP, gRPC, TCP, and WebSocket traffic to upstream services
  • Provides a service account system for machine-to-machine access
  • Logs every access decision for audit and compliance

Architecture Overview

Pomerium runs as a single Go binary in all-in-one mode or as separate authenticate, authorize, proxy and databroker services, with an embedded Envoy instance as the data plane. For each incoming request the proxy checks for a valid session, redirects unauthenticated users to the configured OIDC provider, asks the authorize service to evaluate the route's policy (written in Pomerium Policy Language, a declarative YAML or JSON format), and only then forwards the request to the upstream, attaching a signed JWT in the X-Pomerium-Jwt-Assertion header that the upstream can verify. Session and identity state lives in the databroker, which is in-memory by default and can be backed by PostgreSQL so that sessions survive restarts and are shared between instances. The model only holds if the upstreams are reachable solely through Pomerium; an upstream that is also exposed directly on the network bypasses every policy.

Self-Hosting & Configuration

  • Deploy as a single binary, Docker container, or Kubernetes Helm chart
  • Configure routes and policies in a YAML file or via the Pomerium Enterprise console
  • Integrate with any OIDC provider: Google, Okta, Azure AD, Auth0, and others
  • Enable device identity verification with client certificates
  • Use the Pomerium CLI for TCP tunneling to non-HTTP services like SSH and databases
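The architecture and the configuration steps above come together in one config file. The following is an added example written for this page, not a file from the Pomerium project or its documentation. Every hostname, internal address, IdP and secret is a placeholder; the option and policy key names follow the Pomerium configuration reference as the editor knows it, so check them against the version you deploy.

```yaml
# Added example config.yaml for an all-in-one Pomerium deployment.
# Every hostname, address and credential here is a placeholder.

# Public URL that unauthenticated users are redirected to for login.
authenticate_service_url: https://authenticate.example.com

# OIDC provider. idp_provider selects a preset; any other OIDC provider
# works with idp_provider: oidc plus its issuer in idp_provider_url.
idp_provider: okta
idp_provider_url: https://example.okta.com
idp_client_id: REPLACE_WITH_CLIENT_ID
idp_client_secret: REPLACE_WITH_CLIENT_SECRET

# 32 random bytes, base64-encoded. Generate each one separately with:
#   head -c32 /dev/urandom | base64
shared_secret: REPLACE_WITH_BASE64_32_BYTES
cookie_secret: REPLACE_WITH_BASE64_32_BYTES

# Let's Encrypt certificates for every route hostname. The hostnames must
# resolve to this host and ports 80/443 must be reachable for the challenge.
autocert: true
autocert_dir: /var/lib/pomerium/autocert

# Durable session store shared between instances. Omit both keys to keep
# the in-memory default (sessions are lost on restart).
databroker_storage_type: postgres
databroker_storage_connection_string: postgresql://pomerium:REPLACE@db.internal:5432/pomerium

# Device identity via mTLS: every client must present a certificate issued
# by this internal device CA before any route policy is even evaluated.
tls_downstream_client_ca_file: /etc/pomerium/device-ca.pem

routes:
  # HTTP app: anyone with an example.com account, or any member of the
  # "sre" group. Policies are allow-lists; a request matching no allow
  # rule is denied.
  - from: https://grafana.example.com
    to: http://grafana.internal:3000
    pass_identity_headers: true   # upstream receives X-Pomerium-Jwt-Assertion
    policy:
      - allow:
          or:
            - domain:
                is: example.com
            - groups:
                has: sre

  # Admin app: both conditions must hold (example.com account AND "ops" group).
  - from: https://admin.example.com
    to: https://admin.internal:8443
    policy:
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: ops

  # TCP route for SSH. Clients open it with the Pomerium CLI:
  #   pomerium-cli tcp ssh.example.com:22 --listen 127.0.0.1:2222
  #   ssh -p 2222 user@127.0.0.1
  - from: tcp+https://ssh.example.com:22
    to: tcp://bastion.internal:22
    policy:
      - allow:
          and:
            - groups:
                has: ops
```

The upstreams (grafana.internal, admin.internal, bastion.internal) should sit on a network segment that only the Pomerium host can reach, and any upstream that makes its own authorization decisions should verify the X-Pomerium-Jwt-Assertion signature against Pomerium's signing key rather than trusting the header by its presence alone.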

Key Features

  • VPN replacement: access internal apps from any network without a VPN client
  • Fine-grained policies based on user email, group, domain, and device posture
  • Automatic TLS certificate provisioning via Let's Encrypt
  • Built-in service discovery for Kubernetes with Ingress Controller support
  • Per-request authorization evaluated in-process by the authorize service against session data synced from the databroker, so no round trip to the identity provider on the request path

Comparison with Similar Tools

  • Tailscale/WireGuard — network-level mesh VPN; Pomerium operates at the application layer with per-request authorization
  • OAuth2 Proxy — simpler auth proxy without policy engine; Pomerium adds fine-grained authorization and device context
  • Cloudflare Access — SaaS zero trust proxy; Pomerium is self-hosted with no vendor dependency
  • Teleport — infrastructure access platform centred on SSH, Kubernetes and database access with its own certificate authority; Pomerium is an HTTP, gRPC and TCP access proxy placed in front of existing applications
  • Authentik — identity provider with proxy mode; Pomerium is a dedicated access proxy with richer policy language

FAQ

Q: Can Pomerium replace my VPN? A: For application access, yes. Pomerium grants access to each proxied service based on identity and policy rather than network position, which removes the need for a VPN in most cases. The upstreams must then be reachable only through Pomerium, and workloads that need raw network reachability (UDP, arbitrary hosts or ports that are not defined as routes) still require a VPN or mesh network.

Q: Which identity providers does Pomerium support? A: Any OIDC-compliant provider including Google Workspace, Okta, Azure AD, Auth0, Keycloak, and GitLab.

Q: Does Pomerium support non-HTTP protocols? A: Yes. Routes of the form tcp+https://host:port proxy raw TCP, and the Pomerium CLI (pomerium-cli tcp host:port --listen localhost:PORT) opens an authenticated local tunnel to them, giving access to SSH, databases and other TCP services under the same policies as HTTP routes.

Q: How does Pomerium handle TLS? A: With autocert enabled, Pomerium provisions and renews certificates from Let's Encrypt for every route hostname, which requires those hostnames to resolve publicly to Pomerium. Alternatively you can supply your own certificates, and you can require client certificates from a CA you control for device identity.
