Workers using a VPC Network binding with network_id: "cf1:network" now egress to public Internet destinations through Cloudflare Gateway. This means your existing Zero Trust traffic policies — DNS, HTTP, Network, and egress — extend to traffic that originates from your Workers, the same way they do for WARP users today.
-
Calls
env.EGRESS.fetch() - VPC binding ↓
-
Bind via
cf1:network - ↓
- ↓
- ↗ Public Internet
Any public hostname or IP
What you get by default:
- Visibility. Worker egress shows up in Gateway DNS, HTTP, and Network logs alongside your other traffic, so you can audit what your Workers are calling and when.
- Enforcement. Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. If you have already blocked a category for your workforce, your Workers inherit that block.
wrangler.jsonc
{"vpc_networks": [{"binding": "EGRESS","network_id": "cf1:network","remote": true,},],}wrangler.toml
[[vpc_networks]]binding = "EGRESS"network_id = "cf1:network"remote = true
JavaScript
// Egress to a public destination — subject to your Gateway policies and loggedconst response = await env.EGRESS.fetch("https://api.example.com/data");TypeScript
// Egress to a public destination — subject to your Gateway policies and loggedconst response = await env.EGRESS.fetch("https://api.example.com/data");
For configuration options, refer to VPC Networks. For policy authoring, refer to Cloudflare Gateway traffic policies.
Source: Cloudflare
Latest Posts
- (Updated) Microsoft Teams: Test microphone and speaker before joining a meeting [MC1288530]
- (Updated) Microsoft 365 Copilot: Copilot chat pane and Summary feature in OneNote Mobile (Android) [MC1309746]
- Radar – Finer-grained chart granularity on Cloudflare Radar for longer time ranges
- Gateway, Cloudflare Mesh, Workers VPC – Filter Workers’ public Internet traffic using Gateway policies
