workers vpc docs pass 2

Author: thomasgauvin

src/content/changelog/workers-vpc/2025-08-05-workers-vpc.mdx

@@ -0,0 +1,35 @@
+---
+title: Workers VPC Private Network Services (Beta)
+description: Access private resources in your VPC from Cloudflare Workers
+date: 2025-09-25T01:00:00Z
+---
+
+We're excited to announce the beta release of **Workers VPC Private Network Services**, enabling Cloudflare Workers to securely access resources in your private networks across AWS, Azure, GCP, and on-premise infrastructure.
+
+## What's new
+
+- **Private Network Services**: Create secure connections to internal APIs, databases, and services that aren't exposed to the public internet
+- **Service Bindings**: Access private resources using familiar Worker binding syntax
+- **Multi-cloud Support**: Connect to resources across major cloud providers with platform-specific setup guides
+- **Cloudflare Tunnel Integration**: Leverage existing tunnel infrastructure for secure, outbound-only connections
+
+## Getting started
+
+1. Set up a Cloudflare Tunnel in your private network
+2. Create a Private Network Service using Wrangler
+3. Add the service binding to your Worker configuration
+4. Access your private resources securely from Workers
+
+[Read the documentation](/workers-vpc/) to learn more and get started.
+
+## Beta limitations
+
+During the beta period:
+- Only HTTP/HTTPS protocols are supported (TCP support coming soon)
+- Maximum 100 Private Network Services per account
+- Maximum 10 service bindings per Worker
+- Available on paid Workers plans only
+
+## Feedback
+
+We'd love to hear your feedback on Workers VPC. Please share your experience and feature requests in the [Cloudflare Community](https://community.cloudflare.com/).

src/content/changelog/workers-vpc/2025-09-25-workers-vpc.mdx

@@ -0,0 +1,119 @@
+---
+title: Workers Binding API
+pcx_content_type: reference
+sidebar:
+  order: 4
+---
+
+import { Tabs, TabItem, Render } from "~/components";
+
+VPC Service bindings provide a convenient API for accessing VPC Services from your Worker. Each binding represents a connection to a service in your private network through a Cloudflare Tunnel.
+
+Each request made on the binding will route to the specific service that was configured for the VPC Service, while restricting access to the rest of your private network.
+
+:::note
+
+Workers VPC is currently in beta. Features and APIs may change before general availability. During the beta, Workers VPC is available for free to all Workers plans.
+
+:::
+
+## VPC Service binding
+
+A VPC Service binding is accessed via the `env` parameter in your Worker's fetch handler. It provides a `fetch()` method for making HTTP requests to your private service.
+
+## fetch()
+
+Makes an HTTP request to the private service through the configured tunnel.
+
+```javascript
+const response = await env.VPC_SERVICE_BINDING.fetch(url, options);
+```
+
+### Parameters
+
+- `url` (string | URL | Request) - The URL to fetch. This must be an absolute URL including protocol, host, and path (for example, `http://internal-api:8080/api/users`)
+- `options` (optional RequestInit) - Standard fetch options including:
+  - `method` - HTTP method (GET, POST, PUT, DELETE, etc.)
+  - `headers` - Request headers
+  - `body` - Request body
+  - `signal` - AbortSignal for request cancellation
+
+:::note[Absolute URLs Required]
+VPC Service fetch requests must use absolute URLs including the protocol (http/https), host, and path. Relative paths are not supported.
+:::
+
+### Return value
+
+Returns a `Promise<Response>` that resolves to a standard Fetch API Response object.
+
+### Examples
+
+#### Basic GET request
+
+```javascript
+export default {
+	async fetch(request, env) {
+		const privateRequest = new Request(
+			"http://internal-api.company.local/users",
+		);
+		const response = await env.VPC_SERVICE_BINDING.fetch(privateRequest);
+		const users = await response.json();
+
+		return new Response(JSON.stringify(users), {
+			headers: { "Content-Type": "application/json" },
+		});
+	},
+};
+```
+
+#### POST request with body
+
+```javascript
+export default {
+	async fetch(request, env) {
+		const privateRequest = new Request(
+			"http://internal-api.company.local:8080/users",
+			{
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Authorization: `Bearer ${env.API_TOKEN}`,
+				},
+				body: JSON.stringify({
+					name: "John Doe",
+					email: "[email protected]",
+				}),
+			},
+		);
+
+		const response = await env.VPC_SERVICE_BINDING.fetch(privateRequest);
+
+		if (!response.ok) {
+			return new Response("Failed to create user", { status: response.status });
+		}
+
+		const user = await response.json();
+		return new Response(JSON.stringify(user), {
+			headers: { "Content-Type": "application/json" },
+		});
+	},
+};
+```
+
+#### Request with HTTPS and IP address
+
+```javascript
+export default {
+	async fetch(request, env) {
+		const privateRequest = new Request("https://10.0.1.50:8443/api/data");
+		const response = await env.VPC_SERVICE_BINDING.fetch(privateRequest);
+
+		return response;
+	},
+};
+```
+
+## Next steps
+
+- Configure [service bindings in wrangler.toml](/workers-vpc/configuration/vpc-services/)
+- View [usage examples](/workers-vpc/examples/)

src/content/docs/workers-vpc/api/index.mdx

@@ -1,12 +1,12 @@
 ---
-title: Features
+title: Configuration
 pcx_content_type: navigation
 sidebar:
   group:
     hideIndex: true
-  order: 5
+  order: 3
 ---
 
 import { DirectoryListing } from "~/components";
 
-<DirectoryListing />
+<DirectoryListing />

src/content/docs/workers-vpc/features/index.mdx renamed to src/content/docs/workers-vpc/configuration/index.mdx

@@ -0,0 +1,37 @@
+---
+title: Hardware requirements
+pcx_content_type: concept
+sidebar:
+  order: 3
+---
+
+import { TunnelCalculator } from "~/components";
+
+## Recommendations
+
+For production use cases, we recommend the following baseline configuration:
+
+- Run a cloudflared replica on two dedicated host machines per network location. Using two hosts enables server-side redundancy and traffic balancing.
+- Size each host with minimum 4GB of RAM and 4 CPU cores.
+
+This setup is usually sufficient to handle traffic from small-medium sized applications. The actual amount of resources used by cloudflared will depend on many variables, including the number of requests per second, bandwidth, network path and hardware. As additional users are onboarded, or if network traffic increases beyond your existing tunnel capacity, you can scale your tunnel by adding an additional cloudflared host in that location.
+
+## Capacity calculator
+
+Use the calculator below to estimate tunnel capacity requirements for your deployment:
+
+<TunnelCalculator />
+
+## Scaling considerations
+
+Monitor tunnel performance and scale accordingly:
+
+- **CPU utilization**: Keep below 70% average usage
+- **Memory usage**: Maintain headroom for traffic spikes
+- **Network bandwidth**: Ensure adequate throughput for peak loads
+- **Connection count**: Add replicas when approaching capacity limits
+
+## Next steps
+
+- Configure [tunnel deployment](/workers-vpc/configuration/tunnel/)
+- Set up [high availability](/workers-vpc/configuration/tunnel/) with multiple replicas

src/content/docs/workers-vpc/configuration/tunnel/hardware-requirements.mdx

@@ -0,0 +1,102 @@
+---
+title: Cloudflare Tunnel
+pcx_content_type: concept
+sidebar:
+  order: 2
+---
+
+import { GlossaryTooltip, Tabs, TabItem, Example } from "~/components";
+
+Cloudflare Tunnel creates secure connections from your infrastructure to Cloudflare's global network, providing the network connectivity that allows Workers to access your private resources.
+
+When you create a VPC Service, you specify a tunnel ID and target service. Workers VPC then routes requests from your Worker to the appropriate tunnel, forwards traffic to your private network, connects to the specified hostname or IP address, and returns responses back to your Worker.
+
+The tunnel maintains persistent connections to Cloudflare, eliminating the need for inbound firewall rules or public IP addresses.
+
+:::note
+This section provides tunnel configuration specific to Workers VPC use cases. For comprehensive tunnel documentation including monitoring and advanced configurations, refer to the [full Cloudflare Tunnel documentation](/cloudflare-one/connections/connect-networks/).
+:::
+
+## Quick setup
+
+### Install cloudflared
+
+<Tabs>
+<TabItem label="Linux">
+
+```sh
+curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
+chmod +x cloudflared
+sudo mv cloudflared /usr/local/bin/
+```
+
+</TabItem>
+<TabItem label="macOS">
+
+```sh
+brew install cloudflared
+```
+
+</TabItem>
+<TabItem label="Windows">
+
+```powershell
+choco install cloudflared
+```
+
+</TabItem>
+<TabItem label="Docker">
+
+```sh
+docker pull cloudflare/cloudflared:latest
+```
+
+</TabItem>
+</Tabs>
+
+### Create and run tunnel
+
+Authenticate with Cloudflare, create your tunnel, and run it with a basic configuration that routes all traffic to your local services:
+
+```sh
+cloudflared tunnel login
+cloudflared tunnel create workers-vpc-tunnel
+```
+
+Create `~/.cloudflared/config.yml` with your tunnel configuration:
+
+```yaml
+tunnel: <YOUR_TUNNEL_ID>
+credentials-file: /home/user/.cloudflared/<YOUR_TUNNEL_ID>.json
+
+ingress:
+  - hostname: "*"
+    service: http://localhost:8080
+    originRequest:
+      noTLSVerify: true
+  - service: http_status:404
+```
+
+Start the tunnel:
+
+```sh
+cloudflared tunnel run workers-vpc-tunnel
+```
+
+## Cloud platform setup guides
+
+For platform-specific tunnel deployment instructions for production workloads:
+
+- [AWS](/cloudflare-one/connections/connect-networks/deployment-guides/aws/) - Deploy tunnels in Amazon Web Services
+- [Azure](/cloudflare-one/connections/connect-networks/deployment-guides/azure/) - Deploy tunnels in Microsoft Azure
+- [Google Cloud](/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform/) - Deploy tunnels in Google Cloud Platform
+- [Kubernetes](/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes/) - Deploy tunnels in Kubernetes clusters
+- [Terraform](/cloudflare-one/connections/connect-networks/deployment-guides/terraform/) - Deploy tunnels using Infrastructure as Code
+
+Refer to the full Cloudflare Tunnel documentation on [how to setup Tunnels for high availability and failover with replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/).
+
+## Next steps
+
+- Configure [VPC Services](/workers-vpc/configuration/vpc-services/) to connect your tunnels to Workers
+- Review [hardware requirements](/workers-vpc/configuration/tunnel/hardware-requirements/) for capacity planning
+- Review the [complete Cloudflare Tunnel documentation](/cloudflare-one/connections/connect-networks/) for advanced features