Feature

Workers VPC egress now flows through Cloudflare Gateway policies

Workers using VPC Network bindings can now route their public Internet traffic through Cloudflare Gateway, applying existing Zero Trust policies (DNS, HTTP, Network) and gaining visibility into Worker egress alongside other traffic logs.

Workers using a VPC Network binding with network_id: "cf1:network" now egress to public Internet destinations through Cloudflare Gateway. This means your existing Zero Trust traffic policies — DNS, HTTP, Network, and egress — extend to traffic that originates from your Workers, the same way they do for WARP users today.

  1. Worker: calls env.EGRESS.fetch()
  2. VPC binding
  3. Cloudflare Mesh: bind via cf1:network
  4. Cloudflare Gateway: policies applied (DNS, HTTP, Network)
  5. Public Internet: any public hostname or IP

Gateway logs: DNS, HTTP, Network

What you get by default:

  • Visibility. Worker egress shows up in Gateway DNS, HTTP, and Network logs alongside your other traffic, so you can audit what your Workers are calling and when.
  • Enforcement. Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. If you have already blocked a category for your workforce, your Workers inherit that block.

  • wrangler.jsonc

    {
      "vpc_networks": [
        {
          "binding": "EGRESS",
          "network_id": "cf1:network",
          "remote": true,
        },
      ],
    }

  • wrangler.toml

    [[vpc_networks]]
    binding = "EGRESS"
    network_id = "cf1:network"
    remote = true

  • JavaScript / TypeScript

    // Egress to a public destination — subject to your Gateway policies and logged
    const response = await env.EGRESS.fetch("https://api.example.com/data");
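
Because a Worker bound to cf1:network inherits Gateway blocks that already exist, it helps to inventory which Workers carry that binding before tightening a policy. The following is an added example, not Cloudflare's code: it parses a wrangler.jsonc (comments and trailing commas included) and lists the bindings that use that network_id. The function names, the Worker name and the second network ID are constructed for illustration.

```javascript
// Added example: list the VPC Network bindings in a wrangler.jsonc that egress via Gateway.
const GATEWAY_NETWORK_ID = "cf1:network"; // value shown in this changelog entry

// Strip // and /* */ comments and trailing commas, leaving string contents untouched.
function stripJsonc(text) {
  let out = "";
  let i = 0;
  while (i < text.length) {
    const ch = text[i];
    if (ch === '"') {
      let j = i + 1; // copy the whole string literal, honouring backslash escapes
      while (j < text.length && text[j] !== '"') j += text[j] === "\\" ? 2 : 1;
      out += text.slice(i, j + 1);
      i = j + 1;
    } else if (text.startsWith("//", i)) {
      while (i < text.length && text[i] !== "\n") i++;
    } else if (text.startsWith("/*", i)) {
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      // A closing bracket invalidates any comma left dangling before it.
      if (ch === "}" || ch === "]") out = out.replace(/,\s*$/, "");
      out += ch;
      i++;
    }
  }
  return out;
}

// Return one record per binding whose public egress is subject to Gateway policies.
function gatewayEgressBindings(wranglerJsonc) {
  const config = JSON.parse(stripJsonc(wranglerJsonc));
  const networks = Array.isArray(config.vpc_networks) ? config.vpc_networks : [];
  return networks
    .filter((n) => n && n.network_id === GATEWAY_NETWORK_ID)
    .map((n) => ({ worker: config.name ?? "(unnamed)", binding: n.binding }));
}

// Constructed sample config: the Worker name and the second network_id are placeholders.
const SAMPLE_CONFIG = `{
  "name": "billing-sync", // constructed Worker name
  "vpc_networks": [
    { "binding": "EGRESS", "network_id": "cf1:network", "remote": true, },
    { "binding": "INTERNAL", "network_id": "placeholder-network-id" },
  ],
}`;

console.log(gatewayEgressBindings(SAMPLE_CONFIG));
```

Run it over each Worker's config in a repository to get the list of bindings whose destinations should be checked against current Gateway block rules.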

For configuration options, refer to VPC Networks. For policy authoring, refer to Cloudflare Gateway traffic policies.
