Why VPN Replacement Is Often the First Step Towards Coffee Shop Networking

VPNs have played an important role in enterprise networking for years.

They gave remote users a way to access corporate resources from outside the office. But the way people work has changed dramatically. Users no longer only need occasional access to internal systems. They need fast, secure, consistent access to private applications, SaaS platforms, cloud services and business tools from anywhere.

That shift has exposed some of the weaknesses in traditional VPN-based access.

Cloudflare’s coffee shop networking model often starts with replacing legacy VPN access with Zero Trust Network Access, or ZTNA. This first step gives organisations a foundation for more consistent, identity-based security across both remote and office-based users.

Why VPNs create problems for modern access

Traditional VPNs were built around the idea of extending access to the corporate network. In many cases, this gives users broad network-level access rather than access only to the specific applications they need.

That can create three key challenges.

1. Overly permissive access

VPNs can open the door to lateral movement if an attacker compromises a user account or device. Because the VPN connects the user into the network, the access model can be broader than necessary.

This is a symptom of the older castle-and-moat model, where users may be granted wide access once they are inside the perimeter.

Modern security increasingly requires the opposite approach: access should be limited, contextual and specific to the resource being requested.

2. Operational complexity

VPN infrastructure can create operational overhead for IT teams.

There may be on-premises concentrators to maintain, manual configuration work when onboarding new users or applications, and support tickets related to login failures or performance issues.

For lean IT teams, that overhead matters. Every hour spent troubleshooting access issues is time not spent on higher-value improvement work.

3. Slow or inconsistent performance

VPNs can also affect user experience, especially when traffic is backhauled to a distant data centre.

If access is slow or frustrating, users may look for workarounds. In some cases, they may disconnect from the VPN or avoid using it, creating visibility and control gaps.

How ZTNA changes the access model

Zero Trust Network Access changes the question from:

“Is this user on the network?”

to:

“Should this user, on this device, in this context, access this specific application?”

Cloudflare Access, Cloudflare’s ZTNA service, connects users only to the applications they are authorised to use. Access is based on identity, context, least privilege and policy rather than broad network access.

This creates a more precise model.

Instead of placing users inside the network, ZTNA evaluates each request and applies access controls at the application level.

Why this supports coffee shop networking

Coffee shop networking treats every location as untrusted. That means the organisation does not rely on whether a user is in the office, at home or on public Wi-Fi.

ZTNA is a natural foundation for this approach because access is enforced independently of network location.
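The two questions from the previous section, and the location independence described here, as an added example that is not from the original post and is not Cloudflare's policy syntax or API. It compares a simplified location-based check with a default-deny, per-request evaluation; the hostnames, groups, rule fields and the 10.0.0.0/8 corporate range are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Everything below is constructed for illustration; it is not Cloudflare's
# policy syntax or API. Hostnames, groups and addresses are sample values.
CORP_NET = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool
    mfa: bool
    source_ip: str
    app: str

@dataclass(frozen=True)
class Rule:
    app: str
    groups: frozenset      # membership in any one of these groups qualifies
    require_managed: bool
    require_mfa: bool

POLICY = (
    Rule("payroll.internal.example", frozenset({"finance"}), True, True),
    Rule("wiki.internal.example", frozenset({"staff", "contractors"}), False, True),
)

def network_decision(req):
    """Location-based model: being on the network grants reach to every app."""
    return ip_address(req.source_ip) in CORP_NET

def ztna_decision(req, policy=POLICY):
    """Default deny: allow only if a rule for this app matches identity and device."""
    for rule in policy:
        if (rule.app == req.app
                and req.groups & rule.groups
                and (req.device_managed or not rule.require_managed)
                and (req.mfa or not rule.require_mfa)):
            return True
    return False

def compare(requests):
    """Return (user, app, location-based result, per-request result) per request."""
    return [(r.user, r.app, network_decision(r), ztna_decision(r)) for r in requests]

SAMPLE = [  # constructed requests
    Request("alice", frozenset({"finance", "staff"}), True, True, "203.0.113.7", "payroll.internal.example"),
    Request("alice", frozenset({"finance", "staff"}), True, True, "10.1.2.3", "payroll.internal.example"),
    Request("bob", frozenset({"contractors"}), False, True, "10.1.2.9", "payroll.internal.example"),
    Request("bob", frozenset({"contractors"}), False, True, "198.51.100.4", "wiki.internal.example"),
]
```

In the sample, the per-request result for alice is the same from the public address and from the office range, while bob's request for the payroll application is refused even though it originates inside the corporate range.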

With ZTNA, users can have the same safe, fast and consistent experience whether they are at corporate headquarters, a coffee shop or their home office.

This consistency is the real value.

Users should not have one security experience in the office, another at home and another when travelling. The access policy should follow the user.

What the first step includes

Cloudflare’s recommended first step for coffee shop networking is to modernise user-to-application access.

This can include deploying the Cloudflare One Client to end-user devices for device-level visibility, proxy controls and encrypted connectivity.

Cloudflare also notes that clientless access can help support contractors, suppliers and third parties on unmanaged devices when browser-based access is appropriate.

Cloudflare Tunnel can also connect applications and private networks to Cloudflare without requiring publicly routable IP addresses or additional VM infrastructure. For applications in data centres, Cloudflare Network Interconnect can be used to connect infrastructure directly to Cloudflare over dedicated links.

The benefits of starting with VPN replacement

Starting with VPN replacement can create a practical entry point for wider network modernisation.

It helps organisations reduce broad access, improve user experience, centralise policy management and begin shifting security away from location-based controls.

It also lays the groundwork for the next stages of coffee shop networking. Once user access is modernised, organisations can look at branch connectivity, non-user traffic, web security, SaaS access and broader SASE consolidation.

What organisations should consider before replacing VPN

VPN replacement should still be planned carefully.

Organisations need to understand which applications users access, where those applications sit, which identity providers are in use, which devices are managed and how contractors or third parties connect.

They should also consider legacy applications that may need special handling and user groups that may have different access requirements.

The goal is not just to remove a VPN. The goal is to create a more precise, consistent and manageable access model.

Final thoughts

VPN replacement is often the first step towards coffee shop networking because it addresses one of the biggest sources of friction in modern access.

It reduces dependence on broad network-level access and creates a stronger foundation for Zero Trust.

For organisations dealing with slow VPN performance, access complexity or inconsistent controls between remote and office users, ZTNA offers a more modern way forward.

Coffee shop networking starts with a simple principle: the network location should not decide whether access is trusted.

Access should be based on identity, context and policy.
