Zero Trust Network Access (ZTNA) with NetBird – The Open-Source Alternative
Fabian Peter, 7 minute read

In a world where cloud-native architectures, remote development, and complex multi-cluster infrastructures have become the norm, traditional VPN-based access is simply outdated. Zero Trust Network Access (ZTNA) is not just a trend but a necessity: a modern paradigm where trust is never blind and every access is explicitly verified—regardless of location, device, or network.

In this article, we explain:

  • What ZTNA is and how it differs from traditional VPN/network access
  • Why ZTNA is indispensable for secure, cloud-native software delivery pipelines
  • Comparison between established industry-standard ZTNA providers and the open-source solution NetBird
  • Why we at ayedo rely on NetBird – benefits of the OSS strategy
  • Technical integration of ZTNA with OIDC, Kubernetes & cross-network scenarios

What is ZTNA – and what makes it different?

ZTNA is based on the core principle of “Never trust, always verify.” Unlike a VPN, which extends trust to a whole network zone once the tunnel is up, ZTNA verifies each connection individually, even inside the internal network. Authentication (typically OIDC-based), device posture, context, and identity determine whether access is granted, and only to the specific target resources, following the principle of least privilege. The approach overlaps with what vendors call a “Software-Defined Perimeter (SDP)” or “Secure Access Service Edge (SASE).” Here are some key advantages:

  • App-centric, not network-wide trust
  • Dynamic, continuous, context-based
  • Microsegmentation prevents lateral movement of attackers
  • Scalable for hybrid/cloud/edge scenarios
  • Compliance-friendly – detailed logs, identity security, access control

Well-known VPN technologies, on the other hand:

  • Often grant too much access (“logged-in user = full network access”)
  • Often allow lateral movements with a compromised account
  • Are hard to scale and difficult to manage in complex networks
  • Are poorly suited to multi-cloud or edge segmentation
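To make the difference between the two models concrete, here is an added example (not NetBird's code or anything from the original article): a minimal default-deny policy engine in the ZTNA style, next to the all-or-nothing check a classic VPN effectively performs. Peers, groups, addresses and rules are constructed for the illustration; the rule shape (source groups, destination groups, protocol, ports) loosely follows how group-based ZTNA products express access and is an assumption, not any product's schema.

```python
"""Added example, not NetBird's own code: a default-deny, group-based
ZTNA-style policy check next to the all-or-nothing model of a classic VPN.
All peers, groups, addresses and rules below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    ip: str
    groups: frozenset            # from the IdP (users) or set by an admin (servers)
    posture_ok: bool = True      # result of the device posture check


@dataclass(frozen=True)
class Rule:
    """Accept rule: traffic from any source group to any destination group,
    restricted to a protocol and, optionally, a set of ports."""
    name: str
    sources: frozenset
    destinations: frozenset
    protocol: str = "all"           # "tcp", "udp" or "all"
    ports: frozenset = frozenset()  # empty means any port


def ztna_allowed(rules, src, dst, protocol, port):
    """Default deny.  A flow is accepted only if the source device passes
    posture and at least one rule matches source group, destination group,
    protocol and port.  Nothing is inferred from 'being on the network'."""
    if not src.posture_ok:
        return False
    for rule in rules:
        if not rule.sources & src.groups:
            continue
        if not rule.destinations & dst.groups:
            continue
        if rule.protocol not in ("all", protocol):
            continue
        if rule.ports and port not in rule.ports:
            continue
        return True
    return False


def vpn_allowed(authenticated, src, dst, protocol, port):
    """Classic VPN: once the tunnel is up, every host and port is reachable."""
    return authenticated


# Constructed sample environment.
RULES = [
    Rule("devs-to-k8s-api", frozenset({"developers"}), frozenset({"k8s-api"}),
         "tcp", frozenset({6443})),
    Rule("ops-to-infra", frozenset({"ops"}), frozenset({"k8s-api", "databases"})),
]
ALICE = Peer("alice-laptop", "100.64.0.10", frozenset({"developers"}))
ALICE_OLD = Peer("alice-old-laptop", "100.64.0.12", frozenset({"developers"}), posture_ok=False)
BOB = Peer("bob-laptop", "100.64.0.11", frozenset({"ops"}))
K8S_API = Peer("k8s-api", "100.64.1.1", frozenset({"k8s-api"}))
POSTGRES = Peer("postgres", "100.64.1.2", frozenset({"databases"}))


def lateral_movement_surface(rules, src, targets, probes):
    """Everything an attacker holding `src`'s identity and device could reach.
    `probes` is an iterable of (protocol, port) pairs to try against each target."""
    return sorted(f"{t.name}:{proto}/{port}"
                  for t in targets for proto, port in probes
                  if ztna_allowed(rules, src, t, proto, port))


if __name__ == "__main__":
    probes = [("tcp", 22), ("tcp", 6443), ("tcp", 5432)]
    targets = [K8S_API, POSTGRES]
    print("ZTNA, compromised alice:", lateral_movement_surface(RULES, ALICE, targets, probes))
    print("VPN,  compromised alice:", [f"{t.name}:{p}/{q}" for t in targets for p, q in probes
                                       if vpn_allowed(True, ALICE, t, p, q)])
```

With the rules above, a developer's compromised account reaches exactly one thing, the Kubernetes API on 6443; the same account behind a VPN would see every host and port. A device failing posture gets nothing even with valid credentials, which is the "device status" part of the verification the text describes.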

Why is ZTNA strategic for cloud-native software delivery?

Modern software development imposes the following requirements on network security:

  • Global developer connections – team members operate from anywhere
  • Ephemeral infrastructure – dynamic pipeline environments, canary and feature deployments that come and go
  • Microservices architecture – services must be securely and selectively accessible
  • Regulatory audits & compliance – an identity-bound record of who accessed what is essential

At the same time, developers do not want to be slowed down by security. A traditional firewall plus VPN setup slows delivery, while ZTNA enables secure, auditable, yet seamless access.

Current studies show: 83% of engineers bypass security mechanisms just to remain productive—because legacy access paths like static firewall rules and VPNs no longer scale (Source).

ZTNA is thus the foundation for cloud-native delivery: it provides security without friction, granular access, and an auditable trail for compliance.

Industry solutions at a glance: Providers in competition

There is a growing number of established ZTNA providers. Here are some examples:

  • Fortinet Universal ZTNA / FortiClient / FortiAuthenticator – Vendor-integral, MFA, identity control, app segmentation (Source)
  • Cisco Secure Zero Trust / SASE – Identity-first with deployment in complex hybrid/IoT scenarios (Source)
  • NordLayer – Cloud-supported ZTNA with SSO, MFA integration, device posture, visibility (Source)
  • VirnetX One / Matrix – Platform-based, ZTNA for various protocols (HTTPS, RDP…), developed for intelligence agencies (Source)
  • Systancia cyberelements.io – Europe’s answer, combines ZTNA, PAM, IAM in a SaaS solution (Source)
  • Zscaler / Hillstone Networks / Cloudflare Access – Part of SSE or SASE suites, especially for distributed companies with mobile-first strategies (Source)

Common features of proprietary offerings:

  • Strong identity integration, MFA
  • Management offering (cloud dashboard, policies)
  • High availability, support, SLAs

The downsides: vendor lock-in, licensing costs, little local control, and rarely any option to host the solution in-house.

NetBird in focus: Open Source ZTNA for the Sovereign Private Cloud

While many ZTNA solutions are proprietary, costly, and heavily vendor-driven, NetBird takes a fundamentally different approach: open source, built on WireGuard, with support for all major operating systems and platforms. It combines a lean architecture with modern standards like OIDC for identity and access control.

Core features of NetBird:

  • WireGuard-based – fast, encrypted peer-to-peer tunnels, with relay fallback where a direct connection cannot be established
  • Cross-platform – Linux, Windows, macOS, iOS, Android
  • Zero Trust by Design – every access is identity-verified
  • OIDC integration – seamless connection to existing identity providers (Azure AD, Google, Okta, etc.)
  • Self-hosting possible – full control, no vendor lock-in
  • Kubernetes-ready – deployment both inside and outside clusters

This positions NetBird between traditional enterprise products and modern open-source communities—as an accessible, auditable, and cost-effective solution.

Comparison: Proprietary providers vs. NetBird

a) Architecture & Transparency

Proprietary solutions like Cisco Secure or Fortinet offer powerful management suites but are often cumbersome and opaque. NetBird, on the other hand, is open source and lightweight: companies can see how their traffic flows and audit the code themselves.

b) Cost Model

License-based providers work with user or gateway licenses, which can quickly become expensive as the organization grows. NetBird as an OSS solution can be self-hosted or used in managed variants—economically much more flexible.

c) Integration Capability

While large providers often rely on their own ecosystems (e.g., Cisco, Zscaler), NetBird integrates seamlessly into existing toolchains. Especially in cloud-native environments, where Kubernetes, GitOps, and OIDC dominate, this openness is a decisive advantage.

d) Compliance & Control

Proprietary cloud services raise questions of data sovereignty: where do the logs go, and where do the policy engines run? With NetBird, companies can operate the entire stack (management, signal, relay, and logs) in their own infrastructure, which makes GDPR and ISO 27001 requirements far easier to meet.

e) Developer Friendliness

Another plus: NetBird is lightweight and developer-centric. Developers don’t have to manage a complex VPN setup but can access the required resources directly via OIDC login and client app.

Why Open Source in ZTNA is a strategic advantage

Choosing an open-source solution like NetBird is more than a cost issue—it’s a strategic decision for control, transparency, and future-proofing.

  • Vendor independence: No risk of the provider changing prices or discontinuing the service
  • Auditability: Source code open—security audits possible internally and externally
  • Community & Innovation: OSS evolves dynamically, with rapid features and fixes
  • Self-determination: Operation on-premises or in your own cloud possible at any time
  • Compatibility: Instead of proprietary standards, NetBird relies on open protocols and APIs

These features are particularly essential for critical infrastructures, regulated industries, and companies with compliance requirements. NetBird is an enabler of digital sovereignty.

ZTNA in the cloud-native delivery pipeline

ZTNA is not just a security feature but an enabler for modern delivery models. In a Kubernetes-based environment, this means:

  • Kubernetes access via OIDC – developers authenticate once and receive finely-tuned access to namespaces and services.
  • Service-to-service security – even internal services communicate only through secure, identity-verified channels.
  • Remote development – whether developers work in the office, home office, or on the go: they access clusters, repos, and tools consistently and securely.
  • CI/CD integration – build agents or runners also receive only the accesses they actually need.

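The first bullet above, "authenticate once and receive finely-tuned access to namespaces," is worth seeing end to end. The following is an added example (not code from the article, NetBird, ayedo or Kubernetes itself) that replays the two steps kube-apiserver performs: mapping the claims of an OIDC ID token to a Kubernetes user and groups (the behaviour configured by --oidc-issuer-url, --oidc-client-id, --oidc-username-claim/-prefix and --oidc-groups-claim/-prefix), then evaluating namespace-scoped RBAC Role/RoleBinding objects. The issuer, client ID, token claims and manifests are constructed; signature verification against the IdP's JWKS is assumed to have happened before this point and is not reproduced.

```python
"""Added example, not the project's or the article's code: OIDC claims ->
Kubernetes subject -> namespace-scoped RBAC decision.  Issuer, client ID,
claims and RBAC objects are constructed; token signature verification is
assumed to have been done upstream (it is not reproduced here)."""
import time

# Assumed API-server OIDC settings (mirrors the kube-apiserver flags).
OIDC = {
    "issuer": "https://id.example.com",
    "client_id": "kubernetes",
    "username_claim": "email",
    "username_prefix": "oidc:",
    "groups_claim": "groups",
    "groups_prefix": "oidc:",
}


def subject_from_claims(claims, cfg=OIDC, now=None):
    """Return (username, groups) for an acceptable token, else raise."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["issuer"]:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if cfg["client_id"] not in aud:           # token minted for another client
        raise PermissionError("token not issued for this cluster")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    user = cfg["username_prefix"] + str(claims[cfg["username_claim"]])
    groups = [cfg["groups_prefix"] + g for g in claims.get(cfg["groups_claim"], [])]
    return user, groups


# Constructed RBAC objects in the shape kubectl would accept.
ROLES = {
    ("team-a", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}
ROLE_BINDINGS = [
    {"namespace": "team-a", "roleRef": "pod-reader",
     "subjects": [{"kind": "Group", "name": "oidc:developers"}]},
]


def rbac_allows(user, groups, namespace, verb, resource, api_group=""):
    """Namespace-scoped RBAC: a RoleBinding in the target namespace must bind
    the user (or one of its groups) to a Role whose rule covers verb+resource.
    A binding in team-a says nothing about team-b."""
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        bound = any((s["kind"] == "User" and s["name"] == user) or
                    (s["kind"] == "Group" and s["name"] in groups)
                    for s in rb["subjects"])
        if not bound:
            continue
        for rule in ROLES.get((namespace, rb["roleRef"]), []):
            if ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
                    and (resource in rule["resources"] or "*" in rule["resources"])
                    and (verb in rule["verbs"] or "*" in rule["verbs"])):
                return True
    return False


def authorize(claims, namespace, verb, resource, now=None):
    """Full path: token claims -> subject -> RBAC answer."""
    user, groups = subject_from_claims(claims, now=now)
    return rbac_allows(user, groups, namespace, verb, resource)


# Constructed ID-token claims, as the IdP would issue them after login.
ALICE = {"iss": "https://id.example.com", "aud": "kubernetes", "exp": 4102444800,
         "email": "alice@example.com", "groups": ["developers"]}

if __name__ == "__main__":
    for ns, verb in (("team-a", "list"), ("team-b", "list"), ("team-a", "delete")):
        print(ns, verb, "pods ->", authorize(ALICE, ns, verb, "pods"))
```

The developer's single login yields a group claim; the group is bound only in team-a and only to read verbs, so listing pods in team-a succeeds while the same token gets nothing in team-b and cannot delete anywhere. Rotating what the user may reach is then a RoleBinding change, not a credential change.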
With ZTNA, the software supply chain is secured from start to finish—from the commit in GitLab to runtime in the Kubernetes cluster.

ayedo & NetBird: Practical integration

At ayedo, we use NetBird as a central ZTNA solution in our developer platforms. Typical scenarios include:

  • Access to Kubernetes clusters for developers and operators via OIDC, without traditional VPN hurdles
  • Network resources in hybrid infrastructures (e.g., bare-metal data centers + cloud nodes) linked via NetBird
  • Isolated setups – self-hosted NetBird also runs in environments with restricted or no internet connectivity
  • Multi-tenant isolation – tenant-capable configuration for different teams and projects

This enables us to provide developers with seamless, secure, and controlled access to exactly the resources they need—no more, no less.

Conclusion: ZTNA with NetBird = Security + Openness + Future

ZTNA is no longer an option but a necessity for companies that want to operate cloud-native infrastructures securely and efficiently. Proprietary solutions offer stability but bring dependencies, costs, and opacity.

NetBird shows that there is another way: fast, flexible, open, OIDC-integrated, and auditable.

Especially in a time when developer freedom, regulatory requirements, and supply chain security must be considered together, an open-source solution like NetBird is a crucial building block. Combined with ayedo Developer Platforms, it becomes a secure, scalable foundation for modern software delivery.
