Pomerium

Clientless, zero‑trust access proxy for internal web applications

Pomerium provides secure, clientless connections to internal web apps and services, eliminating VPNs with policy‑driven, identity‑aware access that’s deployed alongside your workloads.

Overview

Highlights

Clientless, tunnel‑free access via standard browsers
Identity‑aware policy enforcement for each request
Deployable alongside applications for low latency
Integrates with common SSO/OpenID Connect providers

Pros

  • Eliminates need for corporate VPN
  • Fast connections without tunneling overhead
  • Granular per‑action verification improves security
  • Customizable policies integrate organizational data

Considerations

  • Requires deployment and management of proxy infrastructure
  • Learning curve for policy configuration
  • Not a full network‑level VPN replacement
  • Dependent on compatible identity provider integration

Managed products teams compare with

When teams consider Pomerium, these hosted platforms usually appear on the same shortlist.

Zscaler

Cloud-based zero trust security platform providing secure access to applications without traditional VPNs

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Enterprises seeking zero‑trust access to internal web tools
  • Remote teams needing secure, clientless connectivity
  • Organizations that already use SSO/IdP solutions
  • Teams wanting to place security controls close to workloads

Not ideal when

  • Use cases demanding full network tunneling (e.g., legacy protocols)
  • Environments without an existing identity provider
  • Simple static sites that don’t require access control
  • Scenarios where latency is critical and a proxy adds an extra hop

How teams use it

Remote employee accesses internal dashboard

Securely logs in via SSO and reaches the dashboard without VPN, with policies enforcing role‑based access.

Third‑party vendor accesses a specific API

Vendor authenticates through the corporate IdP, and Pomerium grants time‑limited, context‑aware access to the API endpoint.

CI/CD pipeline calls internal service

Pipeline uses service‑account identity; Pomerium validates the request and forwards it, keeping internal services shielded from the public internet.

Zero‑trust segmentation for microservices

Microservices communicate through Pomerium, ensuring each request is authorized based on identity and request context.

Tech snapshot

  • Go 97%
  • TypeScript 2%
  • Jsonnet 1%
  • Shell 1%
  • Lua 1%
  • Makefile 1%

Tags

identity, go, vpn, gateway, identity-aware-proxy, beyondcorp, aigateway, pomerium, reverse-proxy, zero-trust, iam

Frequently asked questions

What does “clientless” mean?

It means users do not need to install VPN clients; access is performed through standard web browsers or HTTP clients that are redirected through the proxy.

How is Pomerium different from a traditional VPN?

Unlike VPNs that create a network tunnel, Pomerium operates at the application layer, verifying each request against identity and policy before forwarding it, providing finer‑grained security without tunneling overhead.

Which identity providers are supported?

Pomerium integrates with common SSO providers such as Okta, Azure AD, Google Workspace, and any OpenID Connect‑compatible IdP.

Can I self‑host Pomerium?

Yes, the project is open source under Apache‑2.0 and can be deployed on‑premises or in any cloud environment; a hosted option called Pomerium Zero is also available.

Does Pomerium require a separate control plane?

The core proxy can run independently; for advanced management and GUI you may use the optional hosted control plane (Pomerium Zero), but it is not mandatory.

Project at a glance

Status: Active
Stars: 4,644
Watchers: 4,644
Forks: 322
License: Apache-2.0
Repo age: 7 years old
Last commit: 17 hours ago
Primary language: Go