Pomerium is one possible implementation of a BeyondCorp-style architecture, in the same category as ORY Oathkeeper or GCP's Identity-Aware Proxy (IAP). This model is newer than the traditional VPN approach: instead of putting internal services behind a network perimeter, every request is authenticated and authorized at an identity-aware proxy, so the services can be directly internet facing while still being guarded. That removes the need for a VPN client on each individual machine and makes bring-your-own-device (BYOD) access much easier.
Pomerium has several limitations that may make it unsuitable for your network.
- To work with a Consul service mesh you are limited to forward-auth mode, in which the mesh proxy (not Pomerium) carries the traffic and only asks Pomerium whether each request is allowed. Forward auth has only limited upstream support and can be fiddly to get working, because the documentation on both the proxy side and the Pomerium side is thin.
- Even though Pomerium isn't proxying the traffic itself in this mode, the policy you can write is still limited to what Envoy (which is vendored into Pomerium as a binary artifact...) is capable of matching on the forwarded request attributes. This is why Pomerium has a static port attached to its Consul service registratio
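The following is an added illustration of the forward-auth setup described above, not configuration taken from the page or from the Pomerium project itself. It uses Pomerium's `forward_auth_url` and `policy` options as documented for the versions that shipped forward auth; the hostnames, the `example.com` domain, the listening port and the IdP details are assumptions, and the Consul side (registering Pomerium under a fixed port so the mesh proxy can reach it) is only described in the comments.

```yaml
# Pomerium config for forward-auth mode (added example; hostnames and
# secrets are placeholders, not values from the original page).
#
# Because the service mesh proxy, not Pomerium, carries the traffic,
# the mesh only needs to know one fixed address for the auth check.
# This is why the Consul service registration for Pomerium must carry
# a static port (for example 443, matching the `address` below) rather
# than a dynamically assigned one.

address: ":443"                      # assumed static listen port

# Identity provider settings (values are placeholders).
idp_provider: google
idp_client_id: "REPLACE_ME"
idp_client_secret: "REPLACE_ME"

authenticate_service_url: https://authenticate.example.com

# Enables forward-auth mode: the mesh/edge proxy sends a sub-request
# here and allows or denies the original request based on the answer.
forward_auth_url: https://forwardauth.example.com

# Secrets are base64; generate them once and keep them out of git.
shared_secret: "REPLACE_WITH_BASE64_SECRET"
cookie_secret: "REPLACE_WITH_BASE64_SECRET"

# Policy is matched against the forwarded request's host and path.
# Only attributes Envoy can match (host, path, method, headers) are
# usable here, which is the limitation noted above.
policy:
  - from: https://grafana.example.com     # assumed internal service
    to: https://grafana.service.consul    # assumed mesh-side upstream
    allowed_domains:
      - example.com                       # any user from this IdP domain
  - from: https://admin.example.com
    to: https://admin.service.consul
    allowed_users:
      - alice@example.com                 # explicit allow list
```

Two practical checks: confirm that the proxy in front of the service actually forwards the original `Host` and path to `forward_auth_url` (otherwise every request matches no policy and is denied), and verify that the port in Pomerium's Consul service registration equals the `address` port here, since a mismatch silently breaks every auth sub-request.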