Transport Government Zero Trust Access Gateway / SWG

Abu Dhabi Airports replaced VPN with identity-based access across two airports.

How Brixio implemented Cloudflare Zero Trust for Abu Dhabi Airports, replacing VPN dependencies with identity-based access for remote, VPN, and HQ users across Zayed International and Al Bateen airports.

Abu Dhabi, UAE Zayed Intl. + Al Bateen 4 min read
Abu Dhabi Airports
CONNECTIVITY3 → 1Scenarios unified under a single security model
VPN0Internal apps still requiring VPN access
COVERAGE2Airports under unified Zero Trust posture
POPULATION100%Employees, contractors and vendors covered by MFA + SSO

The challenge

Abu Dhabi Airports Company operates Zayed International Airport and Al Bateen Executive Airport, serving millions of passengers annually. As a critical infrastructure operator, ADAC required a security posture that matched the sensitivity of its operations.

The existing architecture presented several risks:

  • VPN dependencies for remote access. Employees and contractors accessed internal applications via VPN, creating broad network access and increased exposure if credentials were compromised.
  • Inconsistent security across connectivity modes. Users at HQ, on VPN, and working from home had different security postures, with no unified policy enforcement.
  • Broad network access instead of application-level control. The VPN granted network-level access rather than restricting users to the specific applications they needed.
  • Third-party and vendor access. External contractors required access to internal applications, but VPN access expanded their reach beyond what they actually needed.
  • Limited visibility. The security team lacked granular insight into user activity and access patterns.

What Brixio deployed

Three connectivity scenarios, one security model

ADAC defined three scenarios that needed consistent protection: employees working remotely from home, employees working remotely while connected to a VPN, and employees working on the ADAC network (HQ). Brixio designed and deployed a Cloudflare Zero Trust architecture that enforced consistent identity-based policies across all three.

Zero Trust Network Access (ZTNA)

  • Replaced traditional VPN with Cloudflare Access for identity-based authentication.
  • Role-based access controls (RBAC) so employees and contractors reach only the applications they need.
  • MFA and SSO enforced for all users.

Secure Web Gateway (SWG) with WARP

  • WARP client deployed on managed devices for encrypted, inspected traffic.
  • DNS-level security policies enforced regardless of location.
  • Split tunneling and local domain fallback configured for optimal traffic flow.

Application-level access control

  • Granular application segmentation replacing broad network access.
  • Policy-based access tied to user identity, role, and device posture.
  • Third-party and vendor access scoped to specific applications, not the network.

Monitoring and audit

  • Detailed access logs for monitoring and compliance.
  • Security event visibility for ADAC's operations team.

Architecture

Three connectivity scenarios converge on a single Cloudflare Zero Trust enforcement plane.

Remote employee Home / mobile
VPN user Legacy path
HQ / on-site ADAC network
Cloudflare Zero Trust
ACCESSSWGWARPMFA
Internal apps Per-app policy
SaaS & cloud SSO enforced
Vendor systems Scoped access

Results

After rollout across both airports, the security model was unified across the three connectivity scenarios, and access was scoped at the application level for every user population.

VPN dependencies eliminatedInternal applications no longer require VPN access for any user population.
Consistent security postureIdentity-based policy applied uniformly across remote, VPN, and HQ paths.
Granular application accessPer-app authorisation replaces broad network-level access for every user.
Secure third-party accessContractors and vendors reach only scoped applications, never the network.
Sector perspective

The ZTNA pattern repeats across critical infrastructure operators.

Airport operations sit inside every critical-infrastructure regulatory framework (NIS2 in Europe, NESA in the UAE, ICAO globally). Multiple user populations (employees, contractors, vendors), multiple connectivity scenarios (remote, HQ, VPN), and strict security requirements make this deployment representative of the challenges critical infrastructure operators face globally.

NIS2 NESA UAE ICAO
See our professional servicesCybersecurity for Government
Other client stories

More Brixio × Cloudflare deployments

Entertainment WAF Bot Management

Zero-downtime WAF migration with KSA data residency

Zero-downtime WAF migration across 80+ hostnames and 5 TLDs, meeting Saudi data sovereignty requirements.

Read the case study
Transport WAF Bot Management

NESA-aligned application security for UAE ports and logistics

WAF, Bot Management and API Shield on public-facing Dubai government applications, aligned to NESA controls.

Read the case study
Education Cloudflare Tunnel Gateway / SWG

Multi-entity SASE for a UAE driving-education network

Branch connectivity and secure access on Cloudflare SASE for a driving-education network.

Read the case study
Your Cloudflare environment, audited

Find out where your Zero Trust posture stands today.

Run a free Snapshot to map your current exposure, identify gaps in identity-based access, and get a prioritised roadmap from a Cloudflare ASDP partner.

Get a free Cloudflare audit Talk to a specialist