2026-03-16

For a network engineer, the cutover weekend is often the most stressful 48 hours of their career. Imagine a 30,000-user organization attempting to flip 1,000+ legacy applications from fragmented VPNs to a new architecture in a single window. The stakes are immense: a single misconfigured firewall rule or a timed-out session can halt essential services and lead to operational gridlock.
This "big bang" migration risk is the single greatest barrier to Zero Trust adoption. Organizations often feel trapped between an aging, vulnerable infrastructure and a migration process that feels too risky to attempt.
Cloudflare and Technology Solutions Provider CDW are changing this narrative. We believe that a successful transition to SASE (Secure Access Service Edge) shouldn't feel like a leap into the dark. By combining Cloudflare’s global Zero Trust platform with CDW’s experience navigating the industry’s most complex deployment failures, we provide the strategic roadmap to de-risk the journey. We don't just move your "plumbing" — we ensure your legacy debt is transformed into a modern, agile security posture without the downtime.
Leveraging partner expertise to avoid migration traps
Traditional migrations often fail because they treat the network as simple plumbing rather than a complex ecosystem of applications. Without a granular strategy, many organizations fall into the "lift and shift" trap — attempting to move hundreds of applications simultaneously without understanding their back-end dependencies.
To avoid this, CDW uses a risk-aware, tiered methodology. This approach categorizes every application in your environment by its technical complexity. We move simple, modern apps first to build momentum while saving complex, legacy systems for a more controlled, later stage.
A recent large-scale public sector project serves as a cautionary example of what can happen without this structure. In this case, a team attempted to migrate 500 applications at once. Because they lacked a tiered methodology to prioritize their 4,000+ applications, the move led to systemic service disruptions.
CDW’s role is to act as the architect that prevents these failures. CDW strategists, many of whom are former security practitioners, analyze these industry-wide failure points to identify recurring anti-patterns that derail Zero Trust journeys and build a more resilient migration blueprint. By treating migration as an application modernization project rather than a single connectivity swap, CDW ensures that security requirements are built into the foundation of the move rather than bolted on as an afterthought.
Modernizing legacy apps with Cloudflare Access
To move away from the all-or-nothing risks of the past, we start with the foundation of the solution: Cloudflare Access. Before we look at how to migrate complex legacy applications, it’s important to understand the value of the platform itself. Cloudflare Access replaces the broad, vulnerable perimeter of a traditional VPN with a Zero Trust model. Instead of granting a user access to an entire network segment, Access evaluates every single request based on identity, device posture, and other contextual signals. This significantly reduces the attack surface and prevents the lateral movement that leads to the kind of systemic outages we discussed earlier.
Once this security layer is in place, we can begin "wrapping" legacy applications in Cloudflare Access. This allows us to modernize the security posture of an old app without actually rewriting its code.
We do this wrapping in Cloudflare Access using a specific logic:
Problem: A legacy application with no built-in Multi-Factor Authentication (MFA) is exposed via a standard VPN, creating a high-risk entry point for attackers.
Mitigation: Using Cloudflare Tunnel, we create an outbound-only connection from the application's host to Cloudflare, with both Single Sign-On (SSO) and MFA built in. This effectively hides the application from the public Internet: it no longer has a public IP address to scan or attack.
Policy: We then apply a Cloudflare Access policy at the edge. This requires a hardware-key MFA check on the endpoint and a device health scan before a single packet ever reaches your server.
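The Problem/Mitigation/Policy steps above, written out as an added Terraform example (this is not code from the post, nor from Cloudflare or CDW). It uses the Cloudflare Terraform provider's v4 resource names; the account ID, zone ID, tunnel secret, the hostname hr.example.com and the origin address http://localhost:8080 are placeholders, and the `hwk` authentication-method value is the RFC 8176 AMR code for a hardware key.

```hcl
# Added example: wrapping one legacy web app with Cloudflare Tunnel and an
# Access policy (Cloudflare Terraform provider v4 resource names).
# Placeholders: var.account_id, var.zone_id, var.tunnel_secret,
# hr.example.com and http://localhost:8080.

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

variable "account_id" { type = string }
variable "zone_id"    { type = string }
variable "tunnel_secret" {
  type      = string
  sensitive = true # base64 of >= 32 random bytes, generated outside this file
}

# Outbound-only Tunnel: the origin dials out to Cloudflare, so it needs no
# inbound firewall rule and no public IP address.
resource "cloudflare_tunnel" "legacy_hr" {
  account_id = var.account_id
  name       = "legacy-hr-portal"
  secret     = var.tunnel_secret
}

# Ingress rules: only the named hostname reaches the origin; anything else
# answers 404 instead of exposing another internal service by accident.
resource "cloudflare_tunnel_config" "legacy_hr" {
  account_id = var.account_id
  tunnel_id  = cloudflare_tunnel.legacy_hr.id
  config {
    ingress_rule {
      hostname = "hr.example.com"
      service  = "http://localhost:8080"
    }
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# Public hostname -> tunnel CNAME, proxied so the origin address stays hidden.
resource "cloudflare_record" "legacy_hr" {
  zone_id = var.zone_id
  name    = "hr"
  value   = cloudflare_tunnel.legacy_hr.cname
  type    = "CNAME"
  proxied = true
}

# Device posture check, evaluated by the Cloudflare One (WARP) client.
resource "cloudflare_device_posture_rule" "disk_encryption" {
  account_id  = var.account_id
  name        = "Disk encryption enabled"
  type        = "disk_encryption"
  description = "Deny devices without full-disk encryption"
  match {
    platform = "windows"
  }
  input {
    require_all = true
  }
}

# Access application in front of the hostname: every request is authenticated
# at the edge before it is forwarded down the tunnel.
resource "cloudflare_access_application" "legacy_hr" {
  account_id       = var.account_id
  name             = "Legacy HR portal"
  domain           = "hr.example.com"
  type             = "self_hosted"
  session_duration = "8h"
}

# Allow staff only if they authenticated with a hardware key (AMR "hwk")
# AND the device passed the posture rule. With no matching allow policy the
# default is deny, so no packet reaches the origin.
resource "cloudflare_access_policy" "staff_hwk_healthy_device" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.legacy_hr.id
  name           = "Staff with hardware MFA on a healthy device"
  precedence     = 1
  decision       = "allow"

  include {
    email_domain = ["example.com"]
  }

  require {
    auth_method    = "hwk"
    device_posture = [cloudflare_device_posture_rule.disk_encryption.id]
  }
}
```

Two points worth noting when adapting this: the `require` block is conjunctive, so a valid SSO login without a hardware key or without a passing posture result is rejected rather than downgraded, and the posture rule can only be evaluated for devices running the Cloudflare One client, which is why the client rollout in the pilot phase has to precede policies of this shape.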
By using this wrapping technique, CDW and Cloudflare make it possible for organizations to migrate at their own pace. You get the immediate security benefits of a modern cloud environment, while your legacy apps continue to run safely in the background.
Pre-migration audit
Before launching a pilot, IT leaders must audit the environment for architectural readiness, ensuring legacy systems are technically compatible with modern security protocols. “For large deployments, we focus on application modernization,” says Eric Marchewitz, a security solutions executive at CDW. “Many legacy applications could break if least privilege access was applied without proper preparation.”
1. Architectural & identity assessment
Determine identity providers: Confirm which applications rely on a federated Identity Provider (such as Okta) versus those using legacy local directories.
Map dependencies: Document backend database and API dependencies for each application to prevent service interruptions. This data identifies the hidden API calls that typically break during a cutover if service token-based Tunnel connectivity is not maintained on the backend.
2. Establish firebreak
Separate the project into a Strategy Group (focused on security standards) and an Implementation Group (focused on efficiency). This ensures that high-level security requirements, like those needed to prevent lateral movement, are not bypassed for the sake of deployment speed.
3. Persistent session stress test
Identify applications that rely on legacy architectures to maintain session persistence and to avoid connection drops when mobile users roam between cellular towers. Cloudflare’s architecture, supported by Dynamic Path MTU Discovery (PMTUD), maintains a persistent session at the edge even as the client IP changes. Identifying these applications and their users during the audit allows us to displace expensive, rigid legacy hardware with a modern, single-pass architecture.
4. Categorization & timeline setting
Once complete, the remaining stack is tiered to set realistic implementation timelines:
| Application Tier | Description | Estimated Migration Effort |
|---|---|---|
| Tier 0 (Modern SaaS Apps) | Native SAML/OIDC support, so Cloudflare acts as a clientless identity provider proxy during authentication | 1–3 hours per app |
| Tier 1 (Internal Web Apps) | Standard identity headers and modern web protocols support a clientless reverse proxy deployment with Cloudflare Tunnel | 3–6 hours per app |
| Tier 2 (Non-Web Client-Server Apps) | Specific port/protocol support or thick-client configurations required, so both Cloudflare One Client and Cloudflare Tunnel deployments are used | 4–8 hours per app |
| Tier 3 (Legacy Enterprise Apps) | Complex server-side connectivity (e.g. peer-to-peer, bidirectional) or back-end dependency requirements, so Cloudflare Mesh or WAN deployments may need to complement Cloudflare Tunnel to support them | 1–3 days per app; may require code revisions |
The roadmap to escape velocity
To achieve "escape velocity" from legacy hardware, CDW follows a phased rollout that prioritizes coexistence over replacement.
Phase 1: Strategy & Infrastructure: Formation of strategy and implementation teams. This phase includes identifying CDW strategists — former CISOs and architects — to act as peer sounding boards.
Phase 2: Pilot Rollout: Deployment of the Cloudflare One Client to a pilot group of employees. During this phase, we address common friction points like the "latency tax," ensuring performance doesn't compromise security.
Phase 3: Production Scaling: Full scaling across the organization. We maintain a dual-client period where users run both legacy VPN and Cloudflare Access in tandem, ensuring a safe rollback path and an easier end-user transition to the new Zero Trust approach.
Performance as a security feature
Cloudflare’s single-pass architecture runs every security check simultaneously.
“When we talk to customers about the connectivity cloud, the most impactful change isn't just the modern security posture. It's the operational velocity,” notes Annika Garbers, Head of Cloudflare One GTM. “Moving to a single control plane allows a security team to stop being a bottleneck.”
By building on a post-quantum encrypted foundation, we ensure this bridge is future-proofed against the next generation of threats.
Build your bridge with Cloudflare One's agile SASE
Modernization is about building a bridge, not a "big bang." This methodology is refined through our Partner Technical Advisory Board, where partner feedback informs our product roadmap directly. By focusing on application modernization and a phased rollout, organizations can regain architectural control and eliminate the fragmentation penalty for good.
The combination of Cloudflare’s SASE platform and CDW’s migration expertise provides a safety net for the journey. You get the immediate security benefits of identity-based access and phish-resistant MFA, without the operational gridlock of a massive, unmapped cutover.
The goal isn't just to move your applications to the cloud. It’s to ensure that when you get there, your environment is more resilient, more visible, and significantly harder to breach.
Ready to de-risk your journey to a zero trust architecture? Use CDW’s Zero Trust Maturity Assessment to identify the hidden dependencies in your environment. Reach out to a Cloudflare One expert to start your transition with a proven blueprint.