SovereignCloak replaces your VPN with Microsoft Entra ID-enforced, per-application access over QUIC — deployed entirely inside your own Azure subscription. Your users' traffic never touches a third-party server.
"A VPN grants access to your network.
Which means a stolen credential does too."
Once inside a VPN, attackers can reach any system on the network. Zero Trust grants access to one application at a time.
Traditional VPNs authenticate once at the perimeter. SovereignCloak verifies Entra ID identity on every session, every application.
VPNs log connections. SovereignCloak logs every application access, every byte, every group policy decision — in your own infrastructure.
Three steps. No PhD in networking required.
Run bash azure-deploy.sh from Azure Cloud Shell. Provisions a VM, installs Docker, pulls container images, configures Caddy TLS, and hardens the port — all automatically.
Enter your Tenant ID and Client ID — the same App Registration you already use. The gateway validates JWTs and reads group memberships. No new identity system, no new passwords.
In the admin dashboard, map domains to target IPs and restrict access by Entra security group. Deploy the Windows agent to your fleet. Users access resources transparently — no VPN client, no manual connection.
SaaS ZTNA vendors route your employees' traffic through their global network. We don't. We can't.
| Capability | SovereignCloak | Zscaler ZPA | Cloudflare Access | Tailscale | WireGuard |
|---|---|---|---|---|---|
| Traffic stays in your infra | ✓ Always | ✗ Routes via Zscaler cloud | ✗ Routes via Cloudflare | ⚠ Coord. server in cloud | ✓ Yes |
| Microsoft Entra ID native | ✓ JWT + groups | ~ Requires SAML bridge | ~ Requires IdP connector | ⚠ OIDC plugin required | ✗ No identity layer |
| QUIC / TLS 1.3 transport | ✓ Native QUIC | ~ TLS 1.2 fallback | ✓ Yes | ✗ WireGuard UDP only | ✗ WireGuard UDP |
| Transparent proxy (all apps) | ✓ DNS + TCP intercept | ~ Agent required per app | ~ Browser-only without agent | ⚠ Subnet router needed | ✗ Network-level only |
| Per-application access control | ✓ Domain + group | ✓ Yes | ✓ Yes | ⚠ ACLs (network-level) | ✗ Network-level only |
| SPA dark port (zero attack surface) | ✓ UDP 443 dark | ✗ | ✗ | ✗ Discoverable | ✗ |
| One-time licensing (no per-user SaaS fee) | ✓ BYOL | ✗ $15–30/user/month | ✗ Per-seat subscription | ✗ $6–18/user/month | ✓ Free (OSS) |
| Deploy to your own Azure subscription | ✓ ARM template | ✗ | ✗ | ⚠ Coord. server stays SaaS | ~ Manual setup |
0-RTT reconnection after network changes. Performs better than TCP-based VPNs on lossy connections. No port-forwarding required.
RFC 9000UDP 443 is hidden behind iptables DROP by default. A 40-byte HMAC-SHA256 packet opens the firewall for 30 seconds — the port is invisible to scanners.
Single-Packet AuthEach route policy maps to a specific Entra security group. JWT group claims are verified per-stream. Users only see domains they're authorised to access.
Per-stream authWinDivert intercepts DNS and TCP at the kernel level. Every app — browsers, curl, Python, legacy ERP — routes through the tunnel without any configuration changes.
Layer 4 · all appsEvery access event — granted, denied, terminated — is logged with user identity, domain, bytes transferred, and group decision. SIEM webhook export included.
SIEM webhookTerminate any active user session from the dashboard in real time. The gateway closes the QUIC connection immediately. Useful for incident response or offboarding.
Real-time terminationPatient data never leaves your infrastructure. HIPAA and DPDP compliance without changing your perimeter.
HIPAA · DPDP · SOC 2RBI and PCI-DSS require data to stay within defined geographic boundaries. Our self-hosted model keeps it there.
RBI · PCI-DSS · SOXSensitive government workloads cannot transit commercial clouds. SovereignCloak deploys to on-prem or sovereign cloud regions.
DFARS · CMMC · Data sovereigntyPrivileged communications and classified workloads require zero vendor visibility. Your infrastructure, your eyes only.
ABA Rules · Privileged accessNo monthly fees that scale against you. Pay once per deployment, not per user per month.
Send us your name and work email. We'll send you a trial license and walk you through a 10-minute deployment on your own Azure subscription.