Introduction
Pomerium is a context-aware access proxy that authenticates and authorizes every request before forwarding it to an upstream service. It replaces traditional VPNs with a BeyondCorp-inspired model where identity, device, and context determine access rather than network position.
What Pomerium Does
- Authenticates users via any OpenID Connect identity provider
- Authorizes requests based on user identity, group membership, and device context
- Proxies HTTP, gRPC, TCP, and WebSocket traffic to upstream services
- Provides a service account system for machine-to-machine access
- Logs every access decision for audit and compliance
Architecture Overview
Pomerium runs either as a single Go binary or as a set of separate services (authenticate, authorize, proxy, databroker). It intercepts incoming requests, redirects unauthenticated users to the configured IdP, evaluates authorization policies written in a declarative YAML format, and forwards approved requests to the upstream service. Session state is stored in the databroker, which is embedded in the single-binary deployment.
Self-Hosting & Configuration
- Deploy as a single binary, Docker container, or Kubernetes Helm chart
- Configure routes and policies in a YAML file or via the Pomerium Enterprise console
- Integrate with any OIDC provider: Google, Okta, Azure AD, Auth0, and others
- Enable device identity verification with client certificates
- Use the Pomerium CLI for TCP tunneling to non-HTTP services like SSH and databases
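The YAML route and policy format mentioned in the Architecture Overview and the Self-Hosting section, as an added example config.yaml that is not taken from Pomerium's own documentation. The hostnames, upstream addresses, client id/secret, cookie and shared secrets, and group names are placeholders; the keys (authenticate_service_url, idp_provider, autocert, routes, from/to, policy with allow/deny and the domain/email/groups criteria, and the tcp+https route scheme) are Pomerium configuration options.

```yaml
# Added example config.yaml for a self-hosted Pomerium deployment.
# All hostnames, secrets and group names below are placeholders.

# Public URL of the authenticate service. Unauthenticated requests are
# redirected here, and from here to the identity provider.
authenticate_service_url: https://authenticate.example.com

# Identity provider. "oidc" is the generic OpenID Connect provider;
# Google, Okta, Azure AD and others have their own idp_provider names.
idp_provider: oidc
idp_provider_url: https://idp.example.com
idp_client_id: PLACEHOLDER_CLIENT_ID
idp_client_secret: PLACEHOLDER_CLIENT_SECRET

# Provision and renew Let's Encrypt certificates for every "from" host.
autocert: true

# Required secrets (32 random bytes, base64-encoded) for session cookies
# and for authenticating traffic between Pomerium's own services.
cookie_secret: PLACEHOLDER_BASE64_32_BYTES
shared_secret: PLACEHOLDER_BASE64_32_BYTES

routes:
  # HTTP route: an internal dashboard restricted to one group plus an
  # explicit on-call address. A deny rule overrides any matching allow.
  - from: https://dashboard.example.com
    to: http://dashboard.internal:8080
    policy:
      - allow:
          or:
            - groups:
                has: "sre"
            - email:
                is: oncall@example.com
      - deny:
          or:
            - email:
                is: contractor@example.com

  # Any authenticated user from the company domain may reach the wiki.
  - from: https://wiki.example.com
    to: http://wiki.internal:80
    policy:
      - allow:
          or:
            - domain:
                is: example.com

  # TCP route: SSH to a bastion, reached through the Pomerium CLI tunnel.
  # Both conditions must hold because the rule uses "and".
  - from: tcp+https://ssh.example.com:22
    to: tcp://bastion.internal:22
    policy:
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: "infra"
```

Policy is evaluated per request, so a user whose group membership is revoked at the IdP loses access to the dashboard route on the next request without any change to the upstream. For the TCP route, the client opens a local listener with the Pomerium CLI's tcp subcommand pointed at ssh.example.com:22 (for example listening on localhost:2222, a placeholder port) and then runs ssh against that local port; the browser-based login and the same allow rule apply before any bytes reach the bastion.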
Key Features
- VPN replacement: access internal apps from any network without a VPN client
- Fine-grained policies based on user email, group, domain, and device posture
- Automatic TLS certificate provisioning via Let's Encrypt
- Built-in service discovery for Kubernetes with Ingress Controller support
- Sub-millisecond authorization decisions cached at the proxy layer
Comparison with Similar Tools
- Tailscale/WireGuard — network-level mesh VPN; Pomerium operates at the application layer with per-request authorization
- OAuth2 Proxy — simpler auth proxy without policy engine; Pomerium adds fine-grained authorization and device context
- Cloudflare Access — SaaS zero trust proxy; Pomerium is self-hosted with no vendor dependency
- Teleport — focuses on SSH and database access; Pomerium covers HTTP, gRPC, and TCP generically
- Authentik — identity provider with proxy mode; Pomerium is a dedicated access proxy with richer policy language
FAQ
Q: Can Pomerium replace my VPN? A: Yes. Pomerium provides access to internal services based on identity rather than network position, eliminating the need for a VPN in most cases.
Q: Which identity providers does Pomerium support? A: Any OIDC-compliant provider including Google Workspace, Okta, Azure AD, Auth0, Keycloak, and GitLab.
Q: Does Pomerium support non-HTTP protocols? A: Yes. The Pomerium CLI can tunnel TCP traffic, enabling secure access to SSH, databases, and other TCP services.
Q: How does Pomerium handle TLS? A: Pomerium can automatically provision and renew TLS certificates via Let's Encrypt, or you can provide your own certificates.