Workers using a VPC Network binding with network_id: "cf1:network" now egress to public Internet destinations through Cloudflare Gateway. This means your existing Zero Trust traffic policies — DNS, HTTP, Network, and egress — extend to traffic that originates from your Workers, the same way they do for WARP users today.
-
Calls
env.EGRESS.fetch() - VPC binding ↓
-
Bind via
cf1:network - ↓
- ↓
- ↗ Public Internet
Any public hostname or IP
What you get by default:
- Visibility. Worker egress shows up in Gateway DNS, HTTP, and Network logs alongside your other traffic, so you can audit what your Workers are calling and when.
- Enforcement. Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. If you have already blocked a category for your workforce, your Workers inherit that block.
wrangler.jsonc
{"vpc_networks": [{"binding": "EGRESS","network_id": "cf1:network","remote": true,},],}wrangler.toml
[[vpc_networks]]binding = "EGRESS"network_id = "cf1:network"remote = true
JavaScript
// Egress to a public destination — subject to your Gateway policies and loggedconst response = await env.EGRESS.fetch("https://api.example.com/data");TypeScript
// Egress to a public destination — subject to your Gateway policies and loggedconst response = await env.EGRESS.fetch("https://api.example.com/data");
For configuration options, refer to VPC Networks. For policy authoring, refer to Cloudflare Gateway traffic policies.
Source: Cloudflare
Latest Posts
- Power Platform admin center – Advanced connector policies [MC1403390]
- Amazon EC2 M8a instances now available in the Asia Pacific (Mumbai) region
- Amazon RDS Custom now supports the latest CU and GDR updates for Microsoft SQL Server
- Amazon EC2 C7a instances are now available in the Asia Pacific (Singapore) Region
