Coffee shop networking with Cloudflare One

Cloudflare | 00:06:38 | Mar 26, 2026
The chapter explains SASE as a framework for securely connecting users, devices, and applications, using a coffee-shop example to illustrate how private traffic must stay within the corporate network and how Cloudflare’s connectivity cloud can mesh dispersed locations, devices, and services.

Cloudflare One weaves physical shops, cloud apps, and data centers into one secure, flexible network using Cloudflare WAN, Cloudflare One appliances, and anycast routing.

Summary

Cloudflare’s Simon walks through a practical vision of a modern, repeatable corporate network built with Cloudflare One. He starts by contrasting the typical SASE picture of user-to-application access with the reality that a business like a coffee company needs to connect HQ, dozens of shops, POS devices, cameras, and cloud-hosted apps, while keeping that traffic private. The walkthrough introduces Cloudflare WAN to create IPsec tunnels from the Seattle HQ to the Cloudflare network, with private address ranges assigned to the site. For shop locations, a lightweight Cloudflare One appliance shipped to each shop and plugged into the local ISP router forms an additional IPsec connection, and each shop receives its own private network range. Traffic from guest Wi‑Fi is routed through Cloudflare and protected by the secure web gateway. Remote IT staff connect via a device agent, letting them reach shop devices as if they were in headquarters. The narrative emphasizes anycast IP routing to connect users and offices to the nearest Cloudflare data center, supported by a large footprint of data centers and peering relationships. The coffee company example expands to back-end connectivity to a data center in San Jose, the ability to connect directly to customer switches, and virtual connections from racks to the nearest Cloudflare data center. Finally, Simon shows how an AWS-hosted internal wiki can be securely connected with a lightweight software agent, with Cloudflare policies limiting access to authenticated users on secure devices. The result is a hybrid, zero-trust-ready network that preserves user experience while layering in firewalling, DNS, load balancing, DoS protection, and data-loss protection across internet-bound traffic. The video closes by positioning Cloudflare’s connectivity cloud as a way to recreate a traditional network while applying modern security controls.

Key Takeaways

  • Cloudflare WAN creates IPsec tunnels from a headquarters network to the Cloudflare backbone, with private address ranges assigned to each site.
  • Each coffee shop gets a Cloudflare One appliance that connects via a local ISP router, establishing a dedicated IPsec connection back to Cloudflare.
  • Anycast IP routing ensures users and sites connect to the nearest Cloudflare data center for secure, optimized traffic.
  • Guest Wi‑Fi traffic is routed through Cloudflare and protected by a secure web gateway to block malicious sites.
  • Remote IT staff connect through a device agent, granting secure, location-agnostic access to shop devices as if they were in HQ.
  • Direct connections to local data center racks or to nearby Cloudflare data centers extend private networking to on-prem servers.
  • An AWS-hosted wiki or other private apps can be selectively connected with a software agent and governed by Cloudflare access policies.

Who Is This For?

IT and network admins evaluating or migrating to a Cloudflare One SASE architecture. It’s especially useful for organizations with distributed retail locations, private cloud apps, and on-site devices that require secure, flexible connectivity without sacrificing user experience.

Notable Quotes

"The ability to mesh together different networks, applications, and users no matter where they are."
Introductory claim about the connectivity cloud’s core value.

"Each connector creates an IPsec connection back to Cloudflare and each device can be administered remotely via the Cloudflare dashboard."
Explains how shop locations are provisioned.

"Any traffic destined for the internet can also be filtered to ensure only access to legitimate sites and blocking any unsafe transfer of company data."
Highlights security and policy enforcement.

"We use anycast IP networking to ensure secure connections to users and offices are made to the geographically nearest Cloudflare data center."
Describes performance/latency optimization.

"Think of it like having a coffee shop in every neighborhood so everyone doesn't have to walk far to get a cup of coffee."
Metaphor illustrating global reach.

Questions This Video Answers

  • How does Cloudflare WAN connect a headquarters network to the Cloudflare network?
  • What is a Cloudflare One appliance and how does it work in multi-store deployments?
  • How does anycast IP routing improve performance for distributed networks?
  • Can Cloudflare connect on-prem racks to the cloud securely without rearchitecting the network?
  • How can Cloudflare policies control access to internal apps hosted in AWS?
Tags: Cloudflare One, Cloudflare WAN, Cloudflare One appliance, anycast IP, SASE/VSO, secure web gateway, private networking, site-to-site tunnels, remote access, cloud, connectivity cloud
Full Transcript
When looking at secure access service edge or SASE platforms, we often talk about a user getting remote access into some privately hosted application. The focus is often user-to-application, where the goal is network micro-segmentation and a user can only access an application over a specific address and port. But corporate networks exist to carry traffic in many other ways. Let's take for example a retail coffee company with many coffee shops, each providing customers free access to the internet with their guest Wi-Fi, but also connecting employees to internal applications. Each shop also houses point-of-sale devices, security cameras, and other network-enabled equipment that need access to the internet, but also might require access to other private networks to back up data or be monitored by internal tools. IT staff also need to remotely access these devices from a corporate office network. A lot of this traffic is private and should only remain on the corporate network. This is where Cloudflare's connectivity cloud really comes into its own: the ability to mesh together different networks, applications, and users no matter where they are. Let's dive deeper into our coffee company example. Right. First, they have their main headquarters in Seattle. Most HQ employees live locally and about half travel into the office with the other half working remote at home. Second, they have around 40 coffee shops down the west coast of America, each with a few employees in each. And then they have an internal company wiki which is running in a virtual environment in Amazon Web Services with its own virtual private network. And then finally, the security cameras at all their coffee shops need to back up data to a central service that you've got running on servers that you run and host in a rack in a data center in San Jose. You see how these network locations are all quite different. Cloudflare has a variety of ways all these networks can be connected together.

Let's start by connecting the headquarters network in Seattle. We can use something called Cloudflare WAN, which is our service that creates IPsec tunnels from the headquarters office back to the Cloudflare network and assigns a private network range to it. This is using regular standard IPsec protocols and can easily leverage functionality in a network router or firewall that exists at headquarters. Next, let's look at each coffee shop. You can ship out to each location a physical device running the Cloudflare One appliance. It's essentially a lightweight appliance that can be plugged into the local ISP router. Each connector creates an IPsec connection back to Cloudflare and each device can be administered remotely via the Cloudflare dashboard. Private network ranges can then be assigned to each coffee shop and now we have the beginnings of a new modern corporate network. So IT admins in the Seattle office can now remotely access point-of-sale devices in each coffee shop location. Also, because we want to provide customers in each shop free internet access using the guest Wi-Fi, all traffic from that location is now routed through Cloudflare. And we can use our secure web gateway to block any access to malicious websites. And this keeps customers safe while they sip their cappuccinos. But what about the IT staff working from home? They're not connected to any of these networks. No worries. They can use our device agent, which connects them to Cloudflare and in turn gives them access to this new corporate network as if they were connected in headquarters. Now they can manage the devices in each coffee shop no matter if they're on a plane, sitting in an office, or in a coffee shop.

When each network or user connects, it does so to the nearest Cloudflare data center, which is a key feature of our network, where we use anycast IP networking to ensure secure connections to users and offices are made to the geographically nearest Cloudflare data center so that traffic is then secured and optimized as close as possible to the user or to that network. And we have data centers in over 300 cities and have over 12,000 network peering relationships, allowing us to ensure fast connectivity from user to the network. Think of it like having a coffee shop in every neighborhood so everyone doesn't have to walk far to get a cup of coffee. But what about those camera backups? Remember the backup service is running in a data center in San Jose. More likely than not, Cloudflare is also running our own servers in the same data center. And you can offer direct connections from Cloudflare to your network switches, further extending your corporate network. And even if your servers are not in the exact same data center, we can create a virtual connection directly from your rack to the nearest Cloudflare data center. Now we've got everything connected. Let's add a new application into the mix. Let's say the company is launching a new internal company wiki and they're running the service in AWS, Amazon Web Services. We don't need to connect the entire AWS private network. We just install a software agent on the wiki server that creates a secure tunnel back to Cloudflare and connects that application to the network, so that anyone on that network can now access the application. Policies in Cloudflare control who can access the wiki, ensuring users authenticate with valid credentials and are using secure devices. You can see that Cloudflare is able to connect a wide variety of networks, from the physical office locations to virtual application networks in the cloud, as well as directly to your servers running in your data centers.

So much of the complexity from legacy network architectures is abstracted into our connectivity cloud, making life much easier for IT and network admins. And once connected to Cloudflare, it's not just about routing traffic. Firewalling, DNS, load balancing, protecting from denial-of-service attacks, content caching, and a lot more are all easily enabled. Any traffic destined for the internet can also be filtered to ensure only access to legitimate sites and blocking any unsafe transfer of company data. The flexibility of Cloudflare's connectivity cloud allows you to connect all sorts of networks, applications, and users. It's possible to recreate your classic corporate network and then apply on top of it all the modern zero trust services to ensure high security without compromising the user experience. Well, thanks for watching. This video is part of a series which explains how to build your new corporate network using Cloudflare's SASE platform. Watch the other videos in this series to learn more. Hi, I'm Simon from Cloudflare. Congrats on finding this video. We also cover a wide variety of topics including application security, corporate networking, and all the developer content the internet can hold.
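The transcript's final step, policies that let only authenticated users on secure devices reach the wiki, is the part of the design that actually enforces zero trust once the networks are meshed. The Python below is an added example written for this page, not Cloudflare's policy engine or code from the video. It models the include/require/exclude rule shape that such access policies commonly use (any include must match, every require must pass, no exclude may match) and returns a decision with the reason, so you can see why an employee on an unencrypted laptop or a guest on the shop Wi‑Fi is turned away. The group names, posture attributes, and version threshold are constructed for illustration.

```python
"""Evaluate a zero-trust access decision for a private app such as the wiki.

Constructed example modelling include/require/exclude rule semantics. It is not
Cloudflare's policy engine; users, groups and posture checks are made up.
"""
from collections.abc import Callable
from dataclasses import dataclass, field


@dataclass
class Request:
    """What the access layer knows about the user and device making the request."""
    email: str
    groups: set[str]            # groups asserted by the identity provider
    authenticated: bool         # a valid login completed (MFA, SSO, ...)
    device_managed: bool        # device is enrolled with the management agent
    disk_encrypted: bool        # posture check reported by the device agent
    os_version: tuple[int, int]  # (major, minor) reported by the device agent


Rule = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    include: list[Rule]                              # who is in scope (any)
    require: list[Rule] = field(default_factory=list)  # conditions all must hold
    exclude: list[Rule] = field(default_factory=list)  # hard denies (any)


def in_group(name: str) -> Rule:
    def rule(req: Request) -> bool:
        return name in req.groups
    rule.__name__ = f"in_group({name})"
    return rule


def device_managed(req: Request) -> bool:
    return req.device_managed


def disk_encrypted(req: Request) -> bool:
    return req.disk_encrypted


def os_at_least(major: int, minor: int) -> Rule:
    def rule(req: Request) -> bool:
        return req.os_version >= (major, minor)
    rule.__name__ = f"os_at_least({major}.{minor})"
    return rule


def evaluate(policy: Policy, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Identity is checked before any rule runs."""
    if not req.authenticated:
        return False, "identity not verified"
    if not any(rule(req) for rule in policy.include):
        return False, "no include rule matched"
    if any(rule(req) for rule in policy.exclude):
        return False, "an exclude rule matched"
    failed = [rule.__name__ for rule in policy.require if not rule(req)]
    if failed:
        return False, "require rule failed: " + ", ".join(failed)
    return True, f"allowed by {policy.name}"


def wiki_policy() -> Policy:
    """Constructed policy for the internal wiki: employees on healthy managed devices."""
    return Policy(
        name="internal-wiki",
        include=[in_group("employees")],
        require=[device_managed, disk_encrypted, os_at_least(14, 0)],
        exclude=[in_group("offboarded")],
    )


if __name__ == "__main__":
    policy = wiki_policy()
    samples = {
        "employee, healthy laptop": Request("ana@example.com", {"employees"}, True, True, True, (14, 2)),
        "employee, unencrypted disk": Request("ben@example.com", {"employees"}, True, True, False, (14, 2)),
        "guest on shop Wi-Fi": Request("guest@example.com", set(), True, False, False, (0, 0)),
        "offboarded account": Request("old@example.com", {"employees", "offboarded"}, True, True, True, (14, 2)),
    }
    for label, req in samples.items():
        print(f"{label}: {evaluate(policy, req)}")
```

Ordering matters here: excludes are evaluated before requires so that an offboarded account is reported as excluded rather than as a posture problem, and a request that never authenticated is refused before any group or device attribute is trusted.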
