Pomerium
Pomerium is a self-hosted, identity-aware reverse proxy for DevOps and infrastructure teams.
Identity-aware access control, honestly reviewed. No marketing fluff, just what you get when you replace your VPN with it.
TL;DR
- What it is: Open-source (Apache-2.0) identity and context-aware reverse proxy — every request to your internal apps gets verified against policy before it’s allowed through, with no VPN client required [README][website].
- Who it’s for: Engineering teams, DevOps leads, and security-conscious founders running internal dashboards, databases, staging apps, or Kubernetes clusters who want to stop issuing VPN credentials to contractors and remote workers [website][2].
- Cost savings: Replacing a commercial VPN gateway or a SaaS access proxy like Cloudflare Access eliminates per-seat or per-connection billing. Pomerium’s open-source core is free; you run it on your own infrastructure [README].
- Key strength: Per-request authorization, not session-based access. Once you authenticate to a VPN, you’re typically on the network. With Pomerium, every single request is checked against policy using identity, device state, time, and context [website].
- Key weakness: Requires HTTPS for every route and forces you to define an explicit access policy on everything — there’s no “allow all traffic” default. That’s a feature, not a bug, but it means more setup than dropping in a standard NGINX reverse proxy [4].
What is Pomerium
Pomerium is a reverse proxy that sits in front of your internal applications and enforces who can reach what, at the request level. The official description is “identity and context-aware access proxy” [README]. In plain terms: instead of connecting your employees and contractors to a VPN that gives them broad network access, you point Pomerium at each internal service and let it enforce policy at the door.
The practical difference matters. A VPN authenticates you once — then you’re on the network. Pomerium verifies every request against a policy that can include your identity provider group membership, the time of day, your device’s security posture, and custom context. A contractor can be granted access to exactly one staging app for exactly the hours you specify, and nothing else [website].
The project is written in Go, Apache-2.0 licensed, and sits at 4,717 GitHub stars. The company behind it (Pomerium, Inc.) offers two commercial products on top of the open core: Pomerium Zero (a hosted control plane with a management GUI) and Pomerium Enterprise (a self-hosted commercial tier with enterprise features) [website][README]. The open-source version gives you the proxy itself and is genuinely functional without either.
The project has been leaning hard into AI agent access as a use case — their homepage now leads with “Zero Trust access for every identity. Humans. Services. And AI Agents.” and explicitly mentions securing MCP servers, AI agent prompts, and autonomous workflows [website]. This is a real expansion of the use case, not just rebranding: the same policy engine that controls human access can gate which AI agents can reach which APIs.
Why people choose it
The clearest customer story comes from Traders Club [2], a Brazilian fintech platform with 470,000 traders. Their situation is one you’ll recognize: a cloud-first, remote-first organization that looked at traditional VPN architecture and concluded it didn’t fit. “It doesn’t make sense to have a traditional security architecture where everything is in your office or data center for VPN users to access”, their Head of Information Security explained [2].
They evaluated VeraCloud and Cloudflare Access before choosing Pomerium. The deciding factors were Pomerium’s identity-driven access model (integrating directly with Google as their IdP), centralized audit logging for LGPD compliance (Brazil’s GDPR equivalent), and the ability to deploy it themselves [2]. Post-deployment: “Pomerium is great because it’s completely zero trust. I hate this buzzword but it’s true for Pomerium.” [2]
The performance case also shows up in the website’s testimonials. One unnamed team replaced OAuth2 Proxy and NGINX with Pomerium and reported a 23x throughput improvement on the same hardware [website]. A “top global software company” called it “one of the rare security products that just works” [website].
The Kubernetes migration case [4] reveals a different, practical reason people choose Pomerium: the Ingress NGINX controller is being retired. With the Kubernetes community winding down maintenance on Ingress NGINX, teams are evaluating replacements, and moving to the Pomerium ingress controller is close to a drop-in change — you switch the ingressClassName from nginx to pomerium and add a policy annotation. The key difference is that Pomerium mandates HTTPS and requires an explicit policy on every route, which catches configuration gaps that NGINX silently allowed [4].
Features
Based on the README, website, and deployment documentation:
Core proxy:
- Clientless access — users authenticate via their browser, no VPN client to install or manage [website][README]
- Per-request authorization, not per-session [website]
- Identity provider integration (the entire model is built around IdP groups and claims)
- Context-aware policy: identity, device posture, time, custom signals [website]
- Native SSH access as a use case (browser-based terminal proxied through policy) [website]
- Full audit log of every request decision [website][2]
Policy system:
- YAML/JSON policy definitions at the route level [4]
- Group-based access control via IdP claims [2][4]
- Time-bound and just-in-time access policies [website]
- Policy change history [website]
- allow: any: true pass-through mode for gradual migration from NGINX [4]
Kubernetes:
- Native Ingress controller with annotation-based policy [3][4]
- cert-manager integration for automatic TLS [3][4]
- Helm chart for deployment [4]
AI and service access:
- MCP server access control — policy applied to AI agent requests [website]
- Service-to-service authentication (CI/CD, internal APIs, backend services) [website]
- Kubernetes ingress for multi-tenant environments [website]
Commercial tiers (not open source):
- Pomerium Zero: hosted control plane, management GUI, free tier available [README]
- Pomerium Enterprise: self-hosted with enterprise management features [website]
Pricing: SaaS vs self-hosted math
Pomerium’s open-source core is free under Apache-2.0. You host it yourself, and the proxy functionality — identity-aware routing, per-request policy, audit logging — is all included with no license fee [README].
Pomerium Zero (their hosted control plane): a free tier is available at console.pomerium.app [README]. Full pricing tiers for paid plans are not publicly listed in available documentation — the pricing page at https://www.pomerium.com/pricing exists but specific numbers weren’t accessible for this review. Expect usage-based or seat-based SaaS pricing typical of this category.
Pomerium Enterprise: self-hosted commercial product. Pricing is contact-sales only [website].
Self-hosted open source:
- License cost: $0
- Infrastructure: $5–20/mo for a VPS (or existing Kubernetes infrastructure)
- TLS certificate management via cert-manager: free [4]
For comparison purposes (general market context, not Pomerium-specific): Commercial VPN solutions and SaaS access proxies in this category typically charge per-seat, per-month. The cost of Cloudflare Access, Tailscale Business, or a traditional enterprise VPN gateway scales with headcount and often includes network egress charges. Self-hosting Pomerium eliminates that scaling cost entirely. For a team of 25 users, replacing a $5–10/seat/month SaaS access proxy with a self-hosted Pomerium instance on existing infrastructure saves $1,500–$3,000/year.
Deployment reality check
The deployment story is honest: Pomerium is not a beginner’s first self-hosted project. It’s a security proxy with genuine requirements that exist for good reasons.
What you actually need:
- A server or Kubernetes cluster to run it on
- A registered domain with DNS control
- TLS certificates (cert-manager handles this automatically in Kubernetes; you manage it yourself on bare metal) [4]
- An identity provider (Google Workspace, Okta, Auth0, any OIDC provider)
- The ability to write YAML policy definitions
What changes from NGINX:
If you’re migrating from Ingress NGINX, the configuration is structurally similar — you change ingressClassName and add a policy annotation [4]. The minimum viable policy for a public route is allow: any: true, which functions as a traditional reverse proxy with no auth added. You can then tighten policy route by route [4].
What can go sideways:
The most documented pain point is the cert-manager HTTP-01 challenge deadlock on Kubernetes [3]. In Pomerium v0.29, a known issue arises where cert-manager needs to issue a TLS secret before Pomerium will register the route, but Pomerium refuses to register the route before the TLS secret exists. The result is a bootstrap deadlock that prevents certificate issuance. As of the support thread in July 2025, the fix was available in the main branch but not in the stable release [3]. If you’re deploying on Kubernetes with cert-manager and HTTP-01 challenges, test this specifically before committing to a version.
HTTPS is mandatory. Pomerium requires TLS on every route — there’s no option for HTTP-only routes. This is correct security posture but adds friction during initial setup compared to NGINX defaults [4].
Policy is mandatory. Unlike NGINX where you can configure routes with no access control, Pomerium requires every route to have an explicit policy. For basic reverse proxy functionality with no access control, you write allow: any: true. This feels like overhead until the first time it catches a misconfigured route that would have been publicly exposed [4].
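The migration step and the mandatory-policy point above, as an added example that is not from the page or from the Pomerium project: the Ingress NGINX manifest beside its Pomerium equivalent, first in the pass-through form the page describes and then tightened. The annotation name ingress.pomerium.io/policy and the domain and groups criteria are the Pomerium ingress controller's policy language as I know it, not taken from the page; the service, host and group names are placeholders.

```yaml
# Before: the Ingress NGINX route. Nothing in this manifest says who may
# reach the service; any client that resolves the hostname is proxied through.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana                  # placeholder names and hosts throughout
  namespace: monitoring
spec:
  ingressClassName: nginx
  tls:
    - hosts: [grafana.internal.example.com]
      secretName: grafana-tls
  rules:
    - host: grafana.internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: grafana, port: { number: 3000 } }
---
# After: same route on the Pomerium ingress controller. Two things change:
# ingressClassName, and a policy annotation the controller requires before it
# registers the route. The tls block is not optional on a Pomerium route.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    # Pass-through form quoted from the page, for a like-for-like first step:
    #   allow:
    #     any: true
    # Tightened form: IdP-verified email in the company domain AND membership
    # of the on-call group, evaluated on every request rather than per session.
    ingress.pomerium.io/policy: |
      allow:
        and:
          - domain:
              is: example.com
          - groups:
              has: sre-oncall
spec:
  ingressClassName: pomerium
  tls:
    - hosts: [grafana.internal.example.com]
      secretName: grafana-tls    # issued by cert-manager in the page's setup
  rules:
    - host: grafana.internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: grafana, port: { number: 3000 } }
```

Apply the pass-through form first to confirm routing works, then replace it with the tightened policy route by route; a route with no annotation at all is not registered, which is the misconfiguration catch the text refers to.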
For a Kubernetes shop: budget 2–4 hours for initial deployment, including working through the cert-manager integration. For bare-metal: longer, since you manage TLS and identity provider configuration manually.
Pros and cons
Pros
- Apache-2.0 license. No Fair-code restrictions, no commercial use clauses. Self-host, fork, embed in your own product freely [README]. This matters if you’re building a platform for clients.
- Per-request, not per-session authorization. The security model is fundamentally stronger than VPN — each request is independently verified against current policy [website].
- Clientless access. Users authenticate via browser. No VPN client to deploy, troubleshoot, or update across a distributed workforce [website][README].
- Audit log by design. Every access decision is logged, with who accessed what, when, and the policy reasoning. Useful for compliance (Traders Club used this specifically for LGPD compliance) [website][2].
- Kubernetes-native. The ingress controller is a real migration path for Ingress NGINX users — near-identical configuration syntax with policy layered on top [4].
- Proven at scale. 20,000+ users secured at a Fortune 500 financial services company per the website’s testimonials [website]. 23x performance improvement reported over OAuth2 Proxy + NGINX [website].
- AI agent access control. Genuine use case, not just marketing — the same proxy can gate MCP server access and AI agent API calls with the same policy model used for human access [website].
Cons
- Steeper setup than NGINX. Mandatory HTTPS, mandatory policy on every route, mandatory IdP integration. Correct defaults, but the ramp-up is real [4].
- cert-manager deadlock bug (Kubernetes, v0.29). A documented HTTP-01 challenge bootstrap issue that required a main-branch fix as of July 2025. Not fatal, but check the status before deploying [3].
- Commercial features not clearly documented in public. Pricing and the specific feature split between open-source, Zero, and Enterprise aren’t easy to find. The website’s “Pricing” page exists but the detail wasn’t publicly accessible for this review [website].
- 4,717 GitHub stars is modest for this category. Authelia sits at 27,517 stars, Authentik at 21,004, Teleport at 20,131 [5]. Pomerium is a real product with enterprise customers, but its community size is smaller than the leaders.
- Not a general-purpose auth solution. Pomerium doesn’t replace an identity provider — it’s a proxy that delegates authentication to one. You still need Google Workspace, Okta, or similar. If you’re also looking to self-host your IdP, Authelia or Authentik handle that use case; Pomerium doesn’t [5].
Who should use this / who shouldn’t
Use Pomerium if:
- You have internal apps, dashboards, or APIs that employees and contractors need to reach remotely, and you want to eliminate VPN complexity.
- You’re on Kubernetes and looking at Ingress NGINX alternatives before the March 2026 retirement deadline [4].
- You need per-request audit logs for compliance (SOC 2, GDPR, LGPD) [2][website].
- You want to secure AI agent access to internal tools with the same policy model used for human access [website].
- You’re comfortable with YAML configuration and have an OIDC identity provider already in place.
Skip it (use Authelia or Authentik instead) if:
- You need to also self-host your identity provider, MFA, and SSO. Authelia and Authentik are full auth stacks; Pomerium is a proxy that delegates to an external IdP [5].
Skip it (use Tailscale or WireGuard instead) if:
- Your use case is connecting arbitrary TCP services (not just HTTP/HTTPS), or you need mesh networking between nodes. Pomerium is HTTP-first; WireGuard-based solutions cover more protocol surface [5].
Skip it (use Cloudflare Access instead) if:
- You don’t want to manage infrastructure at all and are willing to pay per-seat for a managed zero trust access solution with a faster setup path.
Skip it (use oauth2-proxy instead) if:
- You have a simple “add Google login to this one app” use case. oauth2-proxy is lighter-weight for single-service authentication without the full policy framework [5].
Alternatives worth considering
- Authelia — 27,517 stars. Full SSO/MFA portal for web apps. Handles authentication itself (LDAP, TOTP, WebAuthn) rather than delegating to an external IdP. Better if you’re also self-hosting your identity stack [5].
- Authentik — 21,004 stars. “The authentication glue you need.” Full identity provider with proxy capabilities. More comprehensive than Pomerium on the IdP side; more opinionated on deployment [5].
- oauth2-proxy — 14,199 stars. Reverse proxy that adds OAuth/OIDC authentication to existing services. Lighter than Pomerium, less full-featured policy-wise, solid for simpler use cases [5].
- Teleport — 20,131 stars. Certificate-based access for SSH, Kubernetes, databases, and web apps. Strong for engineering teams managing server access; more infrastructure overhead than Pomerium [5].
- Cloudflare Access — SaaS alternative. Faster to set up, no infrastructure to manage, costs per seat. The right choice if you want the zero-trust access model without the ops burden.
- Tailscale / Headscale — 37,514 stars (Headscale). WireGuard-based overlay network. Not a reverse proxy — more like a VPN alternative for connecting devices and services. Headscale is the self-hosted control plane. Different model than Pomerium but solves adjacent problems [5].
For a small engineering team replacing VPN access to internal services, the realistic shortlist is Pomerium vs Authentik vs Cloudflare Access. Pomerium if you want Apache-2.0 open source and already have an IdP. Authentik if you’re also building out the identity layer. Cloudflare Access if setup time matters more than cost.
Bottom line
Pomerium is the clean answer to a specific, common problem: you have internal services that people need to reach remotely, your VPN is either expensive, painful to manage, or both, and you want something that enforces actual access control rather than “connected to the network = can reach everything.” The Apache-2.0 license, per-request policy model, and clientless architecture are genuine differentiators. The trade-off is a real setup investment — mandatory HTTPS, mandatory policy definitions, and an external IdP dependency — that makes it more complex out of the box than dropping in NGINX.
The cert-manager deadlock issue on Kubernetes (v0.29) is worth watching if that’s your deployment target [3], but the core proxy is production-proven at Fortune 500 scale [website] with real compliance use cases [2]. For a team currently paying per-seat for Cloudflare Access or fighting a commercial VPN license, the math for self-hosting Pomerium is straightforward: one afternoon of setup, then a recurring bill that doesn’t exist.
Sources
- [1] Pomerium — Terms of Service (pomerium.com). https://www.pomerium.com/terms-of-service/
- [2] Pomerium — Traders Club Customer Story (pomerium.com). https://www.pomerium.com/customer-stories/traders-club/
- [3] Pomerium Community Forum — v0.29 Kubernetes + Letsencrypt HTTP deadlock (discuss.pomerium.com). https://discuss.pomerium.com/t/pomerium-v0-29-on-kubernetes-letsencrypt-http-deadlock/485
- [4] Codango — Migrating from Ingress NGINX to Pomerium Ingress Controller (codango.com). https://codango.com/migrating-from-ingress-nginx-to-pomerium-ingress-controller/
- [5] RelatedRepos — authelia/authelia alternatives and similar packages (relatedrepos.com). https://relatedrepos.com/gh/authelia/authelia
Primary sources:
- GitHub repository and README: https://github.com/pomerium/pomerium (4,717 stars, Apache-2.0 license)
- Official website: https://www.pomerium.com
- Pricing page: https://www.pomerium.com/pricing
- Documentation: https://www.pomerium.com/docs/
- Pomerium Zero console: https://console.pomerium.app