
CONCEPT Cited by 1 source

VPN-to-ZTA migration

VPN-to-ZTA migration is the motion of transitioning a corporate network from a perimeter VPN (broad network access behind a single authenticator) toward Zero Trust Architecture (per-application, per-user, per-device access decisions). The destination is fewer and smaller VPN tunnels alongside more, and finer-grained, application-scoped access gates, not a single-cutover replacement.

Why it's a motion, not a flip

At any realistic engineering-org scale, the assumption that "a single new access substrate can replace the VPN instantly" does not hold. Yelp's 2025-04-15 disclosure is the canonical worked example on the wiki:

"Work was already underway to shift less sensitive applications to alternate access methods like our MTLS based Edge Gateway. However, this was not an immediate solution for all employees and required significant effort for widespread implementation. This led us to understand that we needed a solution that could support all Yelpers today, with the goal of reducing its use to more granular use cases in the future." (Source: sources/2025-04-15-yelp-journey-to-zero-trust-access)

The resulting architecture is a cohabitation of:

  • A faster, more observable, more flexible broad-network-access path (Netbird replacing Pulse Secure) — still a VPN-shape primitive, but with per-peer policies and mesh fault tolerance.
  • A per-application access path (Yelp's MTLS-based Edge Gateway) for less-sensitive web applications that don't require broad network access.

Over time the balance shifts: more applications move to the per-application gate, VPN utilisation shrinks, and access control moves from "broad, binary policies on huge subnets and network segments" to "more fine grained access control structures."

Why pure-VPN substrates hit a wall

Yelp names the structural limits of their Pulse deployment:

  • Throughput ceiling (low-tens-of-Mbps downloads, materially below modern engineering-workflow demands).
  • Authentication UX friction (SAML-via-Ivanti "cumbersome browser-to-VPN client handoff").
  • Coarse-grained access (broad binary policies on subnets, no per-user-per-application decisions).
  • HA model (single-tunnel-per-session; no transparent failover).

Each of these limits can be chipped away by a modern VPN replacement (like Netbird) without fully adopting ZTA — but the long-run destination remains ZTA, because the coarse-grained-access limit is architectural, not an implementation detail.

The OIDC + device posture component

During migration, the authentication protocol ladder moves:

  • LDAP → SAML → OIDC

with each step unlocking stronger verification signals. The canonical pattern Yelp describes is OIDC + device posture: user identity + managed-device signal + security posture are all required before access is granted. This is a strictly richer access decision than a raw credential check, and it can be adopted during VPN-to-ZTA migration (Yelp does so at the Netbird/Okta integration point, not only at a future Edge Gateway). (Source: sources/2025-04-15-yelp-journey-to-zero-trust-access)
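The following is an added example, written for this page and not code from Yelp, Netbird or Okta, that contrasts the two decision shapes discussed above: the coarse, subnet-wide grant a VPN makes after one credential check (the "broad, binary policies on huge subnets" limit), and a per-application gate that requires an OIDC identity plus a managed-device posture signal. Every issuer, audience, group, CIDR, application name and posture field below is constructed for illustration; the gate assumes the ID token's signature was verified upstream and checks only the claims.

```python
"""Access-decision shapes in a VPN-to-ZTA migration (added example, constructed data).

coarse_vpn_decision(): one authentication result unlocks whole subnets.
per_app_decision():    identity + group + managed device + posture, per application.
"""
from dataclasses import dataclass
import ipaddress
import time


@dataclass(frozen=True)
class DevicePosture:
    managed: bool         # enrolled in device management (constructed signal)
    disk_encrypted: bool  # posture attribute (constructed)
    os_patched: bool      # posture attribute (constructed)


@dataclass(frozen=True)
class AccessRequest:
    claims: dict            # OIDC ID-token claims; signature verified upstream (assumption)
    posture: DevicePosture  # device signal supplied by the client agent (assumption)
    app: str                # application being requested (constructed names below)


# --- Coarse VPN-shape policy: a single credential check unlocks whole subnets ---
BROAD_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed


def coarse_vpn_decision(authenticated: bool):
    """Return the reachable networks: everything or nothing, with no per-app nuance."""
    return list(BROAD_SUBNETS) if authenticated else []


# --- Per-application gate: identity + managed device + posture ---------------
APP_RULES = {  # constructed per-application rules
    "wiki":     {"groups": {"employees"}, "require_managed": False},
    "payroll":  {"groups": {"finance"},   "require_managed": True},
    "prod-ssh": {"groups": {"sre"},       "require_managed": True},
}

REQUIRED_ISSUER = "https://idp.example.invalid"  # placeholder issuer
REQUIRED_AUDIENCE = "edge-gateway"               # placeholder client id


def valid_identity(claims: dict, now: float) -> bool:
    """Minimal OIDC claim checks: issuer, audience, expiry and a subject.
    Signature verification is assumed to have happened before this point."""
    return (
        claims.get("iss") == REQUIRED_ISSUER
        and claims.get("aud") == REQUIRED_AUDIENCE
        and claims.get("exp", 0) > now
        and bool(claims.get("sub"))
    )


def per_app_decision(req: AccessRequest, now=None):
    """Return (allowed, reason). Every signal must pass; the first failure names
    the reason so the gateway can log it and defenders can alert on patterns."""
    now = time.time() if now is None else now
    rule = APP_RULES.get(req.app)
    if rule is None:
        return False, "unknown-app"  # default deny for anything not enumerated
    if not valid_identity(req.claims, now):
        return False, "invalid-identity"
    if not set(req.claims.get("groups", [])) & rule["groups"]:
        return False, "not-authorized-for-app"
    if rule["require_managed"]:
        if not req.posture.managed:
            return False, "unmanaged-device"
        if not (req.posture.disk_encrypted and req.posture.os_patched):
            return False, "posture-failed"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible (constructed)
    claims = {"iss": REQUIRED_ISSUER, "aud": REQUIRED_AUDIENCE,
              "exp": now + 600, "sub": "u1", "groups": ["finance"]}
    healthy = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    byod = DevicePosture(managed=False, disk_encrypted=False, os_patched=False)
    print("VPN after one login:", coarse_vpn_decision(True))
    for app, posture in [("payroll", healthy), ("payroll", byod), ("prod-ssh", healthy)]:
        print(app, per_app_decision(AccessRequest(claims, posture, app), now))
```

The point of the contrast is the reason string: the coarse path can only answer "in or out", whereas the per-application gate produces a specific, loggable denial (unmanaged device, failed posture, wrong group) for each request, which is what makes the finer-grained policies observable once applications migrate off the VPN.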
