Cloudflare Zero Trust & SASE — Pre-Class Lab Requirements

Students are responsible for arriving on Day 1 with a working lab environment. You need two virtual machines — a Windows 11 client and an Ubuntu 24.04 LTS server — on separate subnets that cannot reach each other directly, a registered public domain that you own, and a Cloudflare Enterprise account with the Zero Trust Premier Bundle applied, a Logpush entitlement, and that domain added as an active DNS zone on the Enterprise plan.

The Zero Trust Premier Bundle is a single account-level subscription that covers every Zero Trust feature the labs use:

Access — applications, infrastructure targets, service tokens, short-lived SSH certificates
Browser Isolation
CASB
Device management — posture, profiles, enrollment
DEX — synthetic tests, remote diagnostics
DLP — profiles, detection entries, payload encryption
Gateway — DNS, HTTP, and Network firewall policies, TLS decryption, proxy endpoints
Internal DNS
Mesh
Tunnel

Logpush and Log Explorer are not included in the Premier Bundle and must be requested separately.

You do not need Dedicated Egress IPs, Email Security, Cloudflare WAN, Magic Transit, or Magic Firewall.

The account should be clean — no pre-existing tunnels, policies, Access apps, or enrolled devices. Work with your Cloudflare account team or partner manager to get the account provisioned; lead time can vary, so start early.

If any entitlement is missing, specific labs will fail and you will not be able to catch up during class.

Virtual Machine Specifications

Windows 11 Client

Requirement	Value
Operating system	Windows 11 (Pro or Enterprise)
CPU	2 vCPU minimum
RAM	4 GB minimum
Disk	40 GB minimum
Internet access	Required

Pre-installed software: A web browser (Edge, Chrome, or Firefox), PowerShell, Notepad (runnable as Administrator), Computer Management (lusrmgr.msc), and the OpenSSH client (Settings > Apps > Optional Features > OpenSSH Client).

Do not pre-install Cloudflare WARP / Cloudflare One Client — you install it from scratch during Lab 1.

Ubuntu 24.04 LTS Server

Requirement	Value
Operating system	Ubuntu 24.04 LTS (Server)
CPU	2 vCPU minimum
RAM	2 GB minimum
Disk	20 GB minimum
Public IP address	Required — the VM must be reachable from the internet
Firewall	Required — a network firewall in front of the VM (cloud security group, virtual firewall, or hardware firewall) that you can open and close inbound ports on

Pre-installed software: Docker (engine + compose), OpenSSH Server (sshd), OpenSSL, curl, dig (dnsutils package), and a text editor (nano or similar).

Docker containers (must be running before class)

Container	Ports	Service
`website`	80/tcp	Corporate website; published through Tunnel in Lab 2
`intranet`	8000 → 80/tcp	Intranet app; published through Tunnel in Lab 3
`dns`	53/udp, 53/tcp, 67/udp	Internal DNS and DHCP
`samba`	139/tcp, 445/tcp	SMB file sharing
`ftp`	default FTP ports	FTP server

Do not pre-install cloudflared or Cloudflare Mesh — both are installed during labs via commands generated by the dashboard.

Automated setup

With internet access temporarily enabled on the Ubuntu VM, run this single command to install Docker, download the AcmeCorp site content, and start all five containers:

curl -fsSL https://zt-lab-prereqs.pages.dev/setup.sh | sudo bash

After the script completes, disable internet access on the VM. If you prefer to set things up manually, download the individual components:

acmecorp-website.tar.gz — AcmeCorp corporate website (port 80)
acmecorp-intranet.tar.gz — AcmeCorp intranet (port 8000)
docker-compose.yml — Docker Compose configuration for all five containers

Firewall and initial inbound ports

The Ubuntu VM must sit behind a network firewall that you can control — an AWS Security Group, Azure NSG, GCP Firewall Rule, or equivalent. This must be a firewall external to the VM, not a host-based firewall like ufw. The following inbound ports must be open before class:

Port	Protocol	Service	Purpose
80	TCP	Website	AcmeCorp corporate website
8000	TCP	Intranet	AcmeCorp intranet application
22	TCP	SSH	Remote access for lab exercises

Why this matters: A key lesson in the labs is demonstrating the value of Cloudflare Tunnel. You will first access the website directly via its public IP, then publish it through a Tunnel, and then close the firewall ports — proving that the origin no longer needs direct inbound access. If you do not have a firewall you can control, you will not be able to demonstrate this.

Outbound access: The Ubuntu VM needs outbound internet access for initial setup (Docker, downloading lab components) and for cloudflared and Cloudflare Mesh to establish outbound connections to Cloudflare during the labs.

Network Architecture

The two VMs must be on separate subnets with no direct route between them at the private network level. Both VMs have internet access. The Ubuntu VM has a public IP and a firewall controlling inbound access.

+------------------------+         +------------------------+
|   Windows 11 Client    |         |    Ubuntu Server        |
|   Subnet A             |   NO    |   Subnet B              |
|   (e.g. 10.90.0.0/24)  | ===X=== |   (e.g. 10.91.0.0/24)  |
|   Has internet         | DIRECT  |   Has internet          |
|                        | ROUTE   |   Has public IP         |
|                        |         |   Has firewall          |
+------------------------+         +------------------------+

The Windows VM can reach the Ubuntu VM's public IP (through the internet), but not its private IP directly. This simulates a real-world scenario where the origin server sits in a data center reachable only via its public address. During the labs, you will publish services through Cloudflare Tunnel and then close the firewall — eliminating direct access and forcing all traffic through Cloudflare.

The exact IP addresses and subnets do not matter. Use whatever your virtualization platform assigns and substitute your actual values wherever the lab guide references specific IPs.

Cloudflare Account — What to Request

Tell your Cloudflare account team or partner manager you need the following:

Subscription	Scope	Notes
Enterprise account	Account	Required account type
Zero Trust Premier Bundle	Account add-on	Single subscription that enables all Zero Trust features used in the labs
Logpush	Account add-on	Not included in the Premier Bundle; must be requested separately
Log Explorer	Account add-on	Not included in the Premier Bundle; must be requested separately
Enterprise DNS zone	Zone	Your registered domain added to the account on the Enterprise plan

You must also own a registered public domain and add it to the account as the Enterprise DNS zone. The labs use this domain to publish internal services through Cloudflare Tunnel (e.g., web.yourdomain.com, ssh.yourdomain.com, intranet.yourdomain.com). The domain name does not matter — a cheap TLD from any registrar works — but it must be a real, publicly resolvable domain with its nameservers pointed to Cloudflare. Register one before class if you do not already have one available.

The account should be provisioned but otherwise clean — no tunnels, no policies, no Access apps, no enrolled devices. Lab 1 starts from a blank slate.

Your Zero Trust organization must have a team name initialized. Confirm by checking that https://<team-name>.cloudflareaccess.com loads a Cloudflare sign-in page.

External URLs Your Windows VM Must Reach

Make sure corporate firewalls or proxy policies do not block these:

URL	Purpose
`https://dash.cloudflare.com`	Cloudflare dashboard
`https://<team-name>.cloudflareaccess.com`	Zero Trust sign-in and App Launcher
`https://labs.cloudflare.com/saml/register`	Shared lab SAML IdP registration
`https://1.1.1.1/Cloudflare_WARP_Release-x64.msi`	Cloudflare One Client MSI download
`https://github.com/cloudflare/cloudflared/releases/latest`	cloudflared CLI download (optional exercise)
`https://warp-diag-log-viewer.pages.dev/`	warp-diag log viewer
`https://www.jwt.io`	JWT decoder
`https://www.whatismyip.com`	IP verification
`https://malware.testcategory.com`	Gateway malware test domain
`https://dlptest.com`	DLP test site
`https://self-signed.badssl.com`	Untrusted certificate test
`https://expired.badssl.com`	Untrusted certificate test
`https://lab.cfiq.io/zt/v1/seed`	Tenant control verification

Pre-Class Verification Checklist

Run through this the day before class. If anything fails, fix it before Day 1.

VMs

Windows VM boots; you can log in
Windows VM reaches the internet (https://dash.cloudflare.com loads)
Windows VM has OpenSSH client (ssh -V in PowerShell returns a version)
Windows VM does not have Cloudflare WARP pre-installed
Ubuntu VM boots; you can log in via console
Ubuntu VM can reach the internet (curl -s https://cloudflare.com returns HTML)
Docker is running: docker ps shows 5 containers (website, intranet, dns, samba, ftp)
curl http://localhost on Ubuntu returns HTML
curl http://localhost:8000 on Ubuntu returns HTML
openssl version works
dig -v works
systemctl status sshd shows active
Windows can reach the Ubuntu VM's public IP (curl http://<ubuntu-public-ip> returns AcmeCorp HTML)
Windows cannot ping the Ubuntu VM's private IP
Network firewall is controllable — you can open/close port 80 on the Ubuntu VM from the firewall, not from the VM itself

Cloudflare Account

Sign in to https://dash.cloudflare.com and navigate to your account
Zero Trust dashboard loads (Overview page, not an upsell page)
Team name is visible under Settings
DNS zone shows Active on the Enterprise plan with nameservers pointed to Cloudflare
Gateway > Firewall policies page loads with DNS, Network, and HTTP tabs
Access > Applications page loads
DLP > Profiles page loads and shows predefined profiles (expect 12)
DEX page loads (not an upsell page)
Browser Isolation is visible in the sidebar or as an action in the HTTP policy builder
Logpush > Jobs page loads (not an upsell page)
Log Explorer page loads (not an upsell page)

Cloud Provider Tips

Any cloud provider works. Below are tips for keeping costs low on the three most common platforms. The labs only run for a few days, so you can spin up the VMs before class and tear them down after.

AWS

Resource	Recommendation	Notes
Windows Client	`t3.medium` (2 vCPU, 4 GB)	AWS does not offer Windows 11 AMIs. Use the Windows Server 2022 Full Base AMI with Desktop Experience — the lab exercises will work. Roughly $1/day on-demand.
Ubuntu Server	`t3.small` (2 vCPU, 2 GB)	Use the Ubuntu 24.04 LTS AMI from Canonical. Roughly $0.50/day on-demand.
Networking	VPC with two subnets	Create a VPC with two subnets (no routes between them). Assign a public IP to the Ubuntu VM. Use a Security Group on the Ubuntu VM as the firewall — open TCP 22, 80, 8000 inbound.

Cost note: AWS now offers a Free plan for new customers: $100 in credits on signup plus up to $100 more from completing activities, valid for 6 months. If you create a new AWS account for the lab, the Free plan credits should cover the cost of running both VMs for a few days of class. On the Paid plan, new customers also receive up to $200 in credits. Check aws.amazon.com/free for current details, as AWS updates these offers frequently. Stop both instances outside of class hours to conserve credits.

Azure

Resource	Recommendation	Notes
Windows 11 Client	`Standard_B2s` (2 vCPU, 4 GB)	Azure offers Windows 11 VM images directly — no workaround needed.
Ubuntu Server	`Standard_B2s` (2 vCPU, 4 GB)	Use the Ubuntu 24.04 LTS image from Canonical.
Networking	Virtual Network with two subnets	Create one VNet with two subnets (no peering or routing between them). Assign a public IP to the Ubuntu VM. Use a Network Security Group (NSG) on the Ubuntu VM’s subnet as the firewall.

Cost note: New Azure accounts receive $200 in credit for the first 30 days, which is more than enough for a few days of lab work. The 12-month free tier includes 750 hours/month each of B2pts v2 (Arm-based) and B2ats v2 (AMD-based) Linux VMs — but these are Arm/AMD burstable instances and may not match the lab’s x86 requirements. Use the $200 trial credit with B2s instances instead. Deallocate both VMs outside class hours to stop billing. Check azure.microsoft.com/pricing/free-services for current details.

GCP

Resource	Recommendation	Notes
Windows Client	`e2-medium` (2 vCPU, 4 GB)	GCP does not offer Windows 11 images. Use a Windows Server 2022 image with Desktop Experience.
Ubuntu Server	`e2-small` (2 vCPU, 2 GB)	Use the Ubuntu 24.04 LTS image. The always-free `e2-micro` (0.25 vCPU, 1 GB) is too small for Docker.
Networking	VPC with separate subnets	Place each VM in a separate subnet in the same region. Assign an external IP to the Ubuntu VM. Use VPC Firewall Rules as the firewall — create a rule allowing TCP 22, 80, 8000 inbound to the Ubuntu VM only.

Cost note: New GCP accounts receive $300 in free credit valid for 90 days. This is the most generous trial of the three providers and will easily cover a few days of lab work. GCP bills per second after the first minute. Stop both VMs outside class hours. Check cloud.google.com/free for current details.

General tips (all providers)

Spin up late, tear down early. Create VMs 1–2 days before class to verify the setup. Destroy them the day after class ends.
Stop VMs when not in use. You are billed for compute while running. Stopping (not deleting) preserves the disk but stops compute charges.
Use the smallest disk possible. 40 GB for Windows, 20 GB for Ubuntu. Larger disks cost more per month even when the VM is stopped.
Pick a region close to you. Lower latency makes the lab experience smoother. Pricing varies by region — check before launching.
Set a billing alert. Every provider lets you set budget alerts. Set one at $20 so you are not surprised.

FAQ

Can I use Windows 10 instead of 11?

The labs target Windows 11. Windows 10 will likely work but some UI paths may differ. Windows 11 is strongly recommended.

Can I use a different Ubuntu version?

Ubuntu 24.04 LTS is the tested version. Other Debian-based distributions may work but package names, systemd behavior, and Docker setup may differ.

Can two students share one Cloudflare account?

No. Each student needs their own account and team name. Shared accounts cause policy conflicts and log confusion.

What if I cannot get an Enterprise account in time?

You will not be able to complete the labs. Browser Isolation, DLP, DEX, Infrastructure Access, Mesh, and Gateway proxy endpoints all require the Premier Bundle. Start the provisioning request as early as possible.