# Pomerium — Identity-Aware Zero Trust Access Proxy

> Pomerium is an open source reverse proxy that provides secure, identity-aware access to internal applications without a VPN, implementing BeyondCorp-style zero trust networking with SSO integration.

## Quick Use

```bash
# Install via Homebrew
brew install pomerium/tap/pomerium

# Or run as a Docker container (the image reads /pomerium/config.yaml by default)
docker run -v /path/to/config.yaml:/pomerium/config.yaml:ro -p 443:443 pomerium/pomerium:latest
```

## Introduction

Pomerium is a context-aware access proxy that authenticates and authorizes every request before forwarding it to an upstream service. It replaces traditional VPNs with a BeyondCorp-inspired model in which identity, device, and request context determine access rather than network position.

## What Pomerium Does

- Authenticates users via any OpenID Connect identity provider
- Authorizes each request based on user identity, group membership, and device context
- Proxies HTTP, gRPC, TCP, and WebSocket traffic to upstream services
- Provides service accounts for machine-to-machine access (a Pomerium Enterprise feature)
- Logs every access decision for audit and compliance

## Architecture Overview

Pomerium runs as a single Go binary or as a set of separately deployable services (authenticate, authorize, proxy, databroker). The proxy intercepts incoming requests, redirects unauthenticated users to the configured IdP, asks the authorize service to evaluate the route's policy (written in Pomerium's declarative YAML policy language, with Rego available for custom logic), and forwards approved requests to the upstream service. Session and identity state are held by the databroker, in memory by default or in an external Postgres database for multi-replica deployments.

Two points matter for the security of this design. First, the upstream must accept traffic only from the proxy (network policy, a private listener, or upstream mTLS); otherwise the policy can be bypassed by connecting to the upstream directly. Second, the proxy forwards a signed JWT assertion (`X-Pomerium-Jwt-Assertion`) describing the authenticated user, which the upstream can verify against the authenticate service's JWKS endpoint (`/.well-known/pomerium/jwks.json`) instead of trusting unsigned identity headers.
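The following `config.yaml` is an added example written for this page, not configuration from the Pomerium project. It is the file the `docker run` line above mounts at `/pomerium/config.yaml`, and it ties together the pieces described in this section and below: the IdP connection, automatic TLS, an HTTP route with a group- and email-based policy, and a TCP route of the kind the Pomerium CLI tunnels. Every hostname, IP address, group name, secret and file path is a placeholder; the client-certificate option is noted as version dependent.

```yaml
# Added example config.yaml for a single-binary Pomerium deployment.
# All hostnames, addresses, group names and secrets below are placeholders.

# Public URL of the authenticate service; users are redirected here for SSO.
authenticate_service_url: https://authenticate.corp.example.com

# OIDC identity provider. The client ID/secret are placeholders; keep the real
# values out of version control (they can also come from IDP_CLIENT_ID /
# IDP_CLIENT_SECRET environment variables).
idp_provider: okta
idp_provider_url: https://example.okta.com
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# 256-bit random secrets, base64-encoded, e.g.: head -c32 /dev/urandom | base64
# shared_secret signs inter-service traffic; cookie_secret encrypts the session cookie.
shared_secret: REPLACE_ME
cookie_secret: REPLACE_ME

# TLS: obtain and renew certificates from Let's Encrypt. The route hostnames must
# resolve publicly and port 443 (plus 80 for HTTP-01 challenges) must be reachable;
# otherwise supply certificate_file / certificate_key_file instead.
autocert: true
autocert_dir: /pomerium/autocert

# Optional device check: require a client certificate signed by this CA.
# This is the legacy key name; newer releases configure it under downstream_mtls,
# so check the docs for the version you run.
tls_downstream_client_ca_file: /pomerium/client-ca.pem

routes:
  # HTTP app. Members of the "sre" IdP group, or one named contractor, may use it;
  # one departed account is denied explicitly (deny rules win over allow rules).
  - from: https://grafana.corp.example.com
    to: http://grafana.internal:3000
    allow_websockets: true
    # Forward the signed X-Pomerium-Jwt-Assertion so the upstream can verify
    # the caller's identity against the authenticate service's JWKS.
    pass_identity_headers: true
    policy:
      allow:
        or:
          - groups:
              has: sre
          - email:
              is: contractor@partner.example.net
      deny:
        or:
          - email:
              is: former.employee@corp.example.com

  # TCP route: SSH to an internal host, reachable only through the proxy.
  - from: tcp+https://ssh.corp.example.com:22
    to: tcp://10.0.1.10:22
    policy:
      allow:
        and:
          - domain:
              is: corp.example.com
          - groups:
              has: sre
```

A user reaches the TCP route with `pomerium-cli tcp ssh.corp.example.com:22 --listen 127.0.0.1:2222`, which completes the browser login and then forwards the local port, so `ssh -p 2222 user@127.0.0.1` lands on 10.0.1.10 only after the route's policy has allowed the session. The `deny` block shows the pattern to use for revocation: removing the user from the IdP group also works, but an explicit deny takes effect at the proxy regardless of cached group membership.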
## Self-Hosting & Configuration

- Deploy as a single binary, Docker container, or Kubernetes Helm chart
- Configure routes and policies in a YAML file or via the Pomerium Enterprise console
- Integrate with any OIDC provider: Google, Okta, Azure AD, Auth0, and others
- Enable device identity verification with client certificates (mTLS)
- Use the Pomerium CLI for TCP tunneling to non-HTTP services such as SSH and databases

## Key Features

- VPN replacement: access internal apps from any network without a VPN client
- Fine-grained policies based on user email, group, domain, and device posture
- Automatic TLS certificate provisioning and renewal via Let's Encrypt
- Kubernetes Ingress Controller, so routes and policies can be declared on Ingress resources
- Authorization decided locally by the authorize service on every request, with no per-request call to the identity provider

## Comparison with Similar Tools

- **Tailscale/WireGuard** — network-level mesh VPN; Pomerium operates at the application layer with per-request authorization
- **OAuth2 Proxy** — simpler auth proxy without a policy engine; Pomerium adds fine-grained authorization and device context
- **Cloudflare Access** — SaaS zero trust proxy; Pomerium is self-hosted with no vendor dependency
- **Teleport** — focuses on infrastructure access (SSH, Kubernetes, databases) with its own clients; Pomerium covers HTTP, gRPC, and TCP generically
- **Authentik** — identity provider with a proxy mode; Pomerium is a dedicated access proxy with a richer policy language

## FAQ

**Q: Can Pomerium replace my VPN?**
A: Yes. Pomerium grants access to internal services based on identity rather than network position, eliminating the need for a VPN in most cases, provided the upstreams themselves are reachable only through the proxy.

**Q: Which identity providers does Pomerium support?**
A: Any OIDC-compliant provider, including Google Workspace, Okta, Azure AD, Auth0, Keycloak, and GitLab.

**Q: Does Pomerium support non-HTTP protocols?**
A: Yes. The Pomerium CLI can tunnel TCP traffic through a `tcp+https://` route, enabling secure access to SSH, databases, and other TCP services after the same browser-based login and policy check as HTTP routes.
**Q: How does Pomerium handle TLS?**
A: Pomerium can automatically provision and renew TLS certificates via Let's Encrypt, or you can provide your own certificates.

## Sources

- https://github.com/pomerium/pomerium
- https://www.pomerium.com

---

Source: https://tokrepo.com/en/workflows/8573b764-3c0d-11f1-9bc6-00163e2b0d79
Author: AI Open Source