Workers VPC egress now flows through Cloudflare Gateway policies
Workers using VPC Network bindings can now route their public Internet traffic through Cloudflare Gateway, applying existing Zero Trust policies (DNS, HTTP, Network) and gaining visibility into worker egress alongside other traffic logs.
Workers using a VPC Network binding with network_id: "cf1:network" now egress to public Internet destinations through Cloudflare Gateway. This means your existing Zero Trust traffic policies — DNS, HTTP, Network, and egress — extend to traffic that originates from your Workers, the same way they do for WARP users today.
- Worker
Calls
env.EGRESS.fetch() - VPC binding ↓
- Cloudflare Mesh
Bind via
cf1:network - ↓
- Cloudflare Gateway
Policies applied:
DNS HTTP Network - ↓
- ↗ Public Internet
Any public hostname or IP
What you get by default:
- Visibility. Worker egress shows up in Gateway DNS, HTTP, and Network logs alongside your other traffic, so you can audit what your Workers are calling and when.
- Enforcement. Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. If you have already blocked a category for your workforce, your Workers inherit that block.
wrangler.jsonc
{ "vpc_networks": [ { "binding": "EGRESS", "network_id": "cf1:network", "remote": true, }, ],}wrangler.toml
[[vpc_networks]]binding = "EGRESS"network_id = "cf1:network"remote = true
JavaScript
// Egress to a public destination — subject to your Gateway policies and loggedconst response = await env.EGRESS.fetch("https://api.example.com/data");TypeScript
// Egress to a public destination — subject to your Gateway policies and loggedconst response = await env.EGRESS.fetch("https://api.example.com/data");
For configuration options, refer to VPC Networks. For policy authoring, refer to Cloudflare Gateway traffic policies.
Source: original entry ↗