adjust examples to include s3 example, more context across examples

Author: thomasgauvin

src/content/docs/workers-vpc/api/index.mdx

@@ -29,6 +29,12 @@ Makes an HTTP request to the private service through the configured tunnel.
 const response = await env.VPC_SERVICE_BINDING.fetch(resource, options);
 ```
 
+:::note
+The [VPC Service configurations](/workers-vpc/configuration/vpc-services/#vpc-service-configuration) will always be used to connect and route requests to your services in external networks, even if a different URL or host is present in the actual `fetch()` operation of the Worker code.
+
+The information provided in the `fetch()` operation is not used to route requests, and instead only populates the `Host` field for a HTTP request that can be parsed by the server and used for Server Name Indication (SNI).
+:::
+
 ### Parameters
 
 - `resource` (string | URL | Request) - The URL to fetch. This must be an absolute URL including protocol, host, and path (for example, `http://internal-api:8080/api/users`)
@@ -39,7 +45,7 @@ const response = await env.VPC_SERVICE_BINDING.fetch(resource, options);
   - `signal` - AbortSignal for request cancellation
 
 :::note[Absolute URLs Required]
-VPC Service fetch requests must use absolute URLs including the protocol (http/https), host, and path. Relative paths are not supported.
+VPC Service fetch requests must use absolute URLs including the protocol (`http`/`https`), host, and path. Relative paths are not supported.
 :::
 
 ### Return value

src/content/docs/workers-vpc/configuration/tunnel/index.mdx

@@ -59,6 +59,10 @@ For platform-specific tunnel deployment instructions for production workloads:
 
 Refer to the full Cloudflare Tunnel documentation on [how to setup Tunnels for high availability and failover with replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/).
 
+:::note
+We do not recommend using `cloudflared` in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, `cloudflared` does not load balance across replicas; replicas are strictly for high availability and requests are routed to the nearest replica.
+:::
+
 ## Next steps
 
 - Configure [VPC Services](/workers-vpc/configuration/vpc-services/) to connect your tunnels to Workers

src/content/docs/workers-vpc/configuration/vpc-services.mdx

@@ -35,6 +35,12 @@ A VPC Service consists of:
 - **Hostname or IPv4/IPv6 addresses**: The hostname, or IPv4 and/or IPv6 addresses to use to route to your service from the tunnel in your private network
 - **Ports**: HTTP and/or HTTPS port configuration (optional, defaults to 80/443)
 
+:::note
+The [VPC Service configurations](/workers-vpc/configuration/vpc-services/#vpc-service-configuration) will always be used to connect and route requests to your services in external networks, even if a different URL or host is present in the actual `fetch()` operation of the Worker code.
+
+The information provided in the `fetch()` operation is not used to route requests, and instead only populates the `Host` field for a HTTP request that can be parsed by the server and used for Server Name Indication (SNI).
+:::
+
 ## Configuration example
 
 The following is an example of a VPC Service for a service using custom HTTP and HTTPS ports, and both IPv4 and IPv6 addresses. These configurations represent the expected contract of the [REST API for creating a VPC Service](https://developers.cloudflare.com/api/resources/zero_trust/subresources/connectivity/subresources/directory/subresources/services/), a type of service within the broader connectivity directory.
@@ -95,7 +101,7 @@ binding = "PRIVATE_API"
 service_id = "5634563546"
 remote = true
 
-```
+````
 </WranglerConfig>
 
 You can have multiple service bindings:
@@ -117,7 +123,7 @@ binding = "INTERNAL_CACHE"
 service_id = "3412345678"
 remote = true
 
-```
+````
 
 </WranglerConfig>
 

src/content/docs/workers-vpc/examples/private-api.mdx

@@ -1,5 +1,5 @@
 ---
-title: Access private API
+title: Access a private API or website
 pcx_content_type: example
 ---
 
@@ -9,13 +9,29 @@ This example demonstrates how to access a private REST API that is not exposed t
 
 ## Prerequisites
 
-- A private API running in your VPC/virtual network
-- Cloudflare Tunnel configured and running (follow the [Get Started guide](/workers-vpc/get-started/) to set up)
+- A virtual machine/EC2 instance running in your VPC/virtual network
+- A private API or website running in your VPC/virtual network with security rules allowing access to the virtual machine that will be running `cloudflared`
 - Workers account with Workers VPC access
 
-## 1. Create the VPC Service
+## 1. Set up Cloudflare Tunnel
 
-First, create a service for your internal API:
+A Cloudflare Tunnel creates a secure connection from your private network to Cloudflare. This tunnel will allow Workers to securely access your private resources.
+
+1. Navigate to the [Workers VPC dashboard](https://dash.cloudflare.com/?to=/:account/workers/vpc/tunnels) and select the **Tunnels** tab.
+
+2. Select **Create** to create a new tunnel.
+
+3. Enter a name for your tunnel (for example, `private-api-tunnel`) and select **Save tunnel**.
+
+4. Choose your operating system and architecture. The dashboard will provide specific installation instructions for your environment.
+
+5. Follow the provided commands to download and install `cloudflared` on your VM, and execute the service installation command with your unique token.
+
+The dashboard will confirm when your tunnel is successfully connected. Note the tunnel ID for the next step.
+
+## 2. Create the Workers VPC Service
+
+First, create a Workers VPC Service for your internal API:
 
 ```bash
 npx wrangler vpc service create api-service \
@@ -25,9 +41,18 @@ npx wrangler vpc service create api-service \
   --http-port 8080
 ```
 
+You can also create a VPC Service for a service using its hostname:
+
+```bash
+npx wrangler vpc service create api-service \
+  --type http \
+  --tunnel-id <YOUR_TUNNEL_ID> \
+  --hostname internal-hostname.example.com
+```
+
 Note the service ID returned for the next step.
 
-## 2. Configure your Worker
+## 3. Configure your Worker
 
 Update your `wrangler.toml`:
 
@@ -41,81 +66,32 @@ compatibility_date = "2024-01-01"
 binding = "INTERNAL_API"
 service_id = "<YOUR_SERVICE_ID>"
 
-[vars]
-API_VERSION = "v2"
-
 ````
 </WranglerConfig>
 
-## 3. Implement the Worker
+## 4. Implement the Worker
 
 In your Workers code, use the VPC Service binding in order to send requests to the service:
 
 ```js title="index.js"
 export default {
 	async fetch(request, env, ctx) {
-		// Parse the incoming request
-		const url = new URL(request.url);
-
-		// Add authentication for internal API
-		const headers = new Headers(request.headers);
-		headers.set("X-Internal-Auth", env.INTERNAL_API_KEY);
-		headers.set("X-Request-ID", crypto.randomUUID());
-
-		// Transform the path to internal API format
-		const internalPath = `/api/${env.API_VERSION}${url.pathname}`;
-
 		try {
-			// Forward request to internal API
-			const response = await env.INTERNAL_API.fetch(
-				`http://10.0.1.50:8080${internalPath}${url.search}`,
-				{
-					method: request.method,
-					headers: headers,
-					body: request.body,
-				},
-			);
-
-			// Add CORS headers for browser requests
-			const responseHeaders = new Headers(response.headers);
-			responseHeaders.set("Access-Control-Allow-Origin", "*");
-			responseHeaders.set(
-				"Access-Control-Allow-Methods",
-				"GET, POST, PUT, DELETE, OPTIONS",
-			);
-
-			// Return the response
-			return new Response(response.body, {
-				status: response.status,
-				statusText: response.statusText,
-				headers: responseHeaders,
-			});
+			// Fetch data from internal API and process it before returning
+			const response = await env.INTERNAL_API.fetch("http://10.0.1.50:8080/api/data");
+
+			// Use the response of the private API to perform more logic in Workers, before returning the final response
+			return response;
 		} catch (error) {
-			// Log error for debugging
-			console.error("Failed to reach internal API:", error);
-
-			// Return user-friendly error
-			return new Response(
-				JSON.stringify({
-					error: "Service temporarily unavailable",
-					timestamp: new Date().toISOString(),
-				}),
-				{
-					status: 503,
-					headers: {
-						"Content-Type": "application/json",
-						"Retry-After": "30",
-					},
-				},
-			);
+			return new Response("Service unavailable", { status: 503 });
 		}
 	},
 };
 ````
 
 This guide demonstrates how you could create a simple proxy in your Workers. However, you could use VPC Services to fetch APIs directly and manipulate the responses to enable you to build more full-stack and backend functionality on Workers.
 
-## 4. Deploy and test
+## 5. Deploy and test
 
 Now, you can deploy and test your Worker that you have created:
 
@@ -125,14 +101,7 @@ npx wrangler deploy
 
 ```bash
 # Test GET request
-curl https://private-api-gateway.workers.dev/users \
-  -H "Authorization: Bearer your-token"
-
-# Test POST request
-curl -X POST https://private-api-gateway.workers.dev/users \
-  -H "Authorization: Bearer your-token" \
-  -H "Content-Type: application/json" \
-  -d '{"name": "John Doe", "email": "[email protected]"}'
+curl https://private-api-gateway.workers.dev
 ```
 
 ## Next steps

src/content/docs/workers-vpc/examples/private-s3-bucket.mdx

@@ -0,0 +1,151 @@
+---
+title: Access a private S3 bucket
+pcx_content_type: example
+---
+
+import { Tabs, TabItem, WranglerConfig } from "~/components";
+
+This example demonstrates how to access a private S3 bucket that is not exposed to the public internet. In this guide, we will configure a Workers VPC Service for an internal S3-compatible storage service, create a Worker that makes requests to that bucket, and deploy the Worker to validate our changes.
+
+## Prerequisites
+
+- A private S3-compatible storage service running in your VPC/virtual network (such as AWS S3 VPC endpoint, MinIO, or similar)
+- A virtual machine/EC2 instance running in the same VPC as your S3 VPC endpoint
+- Workers account with Workers VPC access
+
+## 1. Set up Cloudflare Tunnel
+
+A Cloudflare Tunnel creates a secure connection from your private network to Cloudflare. This tunnel will allow Workers to securely access your private resources.
+
+1. Navigate to the [Workers VPC dashboard](https://dash.cloudflare.com/?to=/:account/workers/vpc/tunnels) and select the **Tunnels** tab.
+
+2. Select **Create** to create a new tunnel.
+
+3. Enter a name for your tunnel (for example, `s3-tunnel`) and select **Save tunnel**.
+
+4. Choose your operating system and architecture. The dashboard will provide specific installation instructions for your environment.
+
+5. Follow the provided commands to download and install `cloudflared` on your VM, and execute the service installation command with your unique token.
+
+The dashboard will confirm when your tunnel is successfully connected. Note the tunnel ID for the next step.
+
+## 2. Create the Workers VPC Service
+
+First, create a Workers VPC Service for your internal S3 storage:
+
+```bash
+npx wrangler vpc service create s3-storage \
+  --type http \
+  --tunnel-id <YOUR_TUNNEL_ID> \
+  --hostname s3.us-west-2.amazonaws.com
+```
+
+You can also create a Workers VPC Service using an IP address (for example, if using MinIO):
+
+```bash
+npx wrangler vpc service create s3-storage \
+  --type http \
+  --tunnel-id <YOUR_TUNNEL_ID> \
+  --ipv4 10.0.1.60 \
+  --http-port 9000
+```
+
+Note the service ID returned for the next step.
+
+## 3. Configure S3 bucket policy
+
+Configure your S3 bucket to allow anonymous access from your VPC endpoint. This works for unencrypted S3 objects:
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "AllowAnonymousAccessFromVPCE",
+			"Effect": "Allow",
+			"Principal": "*",
+			"Action": ["s3:GetObject", "s3:ListBucket"],
+			"Resource": [
+				"arn:aws:s3:::your-bucket-name",
+				"arn:aws:s3:::your-bucket-name/*"
+			],
+			"Condition": {
+				"StringEquals": {
+					"aws:sourceVpce": "vpce-your-endpoint-id"
+				}
+			}
+		}
+	]
+}
+```
+
+### Testing S3 access directly
+
+You can test S3 access directly from the VM where your Cloudflare Tunnel is running to verify the bucket policy is working correctly. These commands should work without any AWS credentials:
+
+```bash
+# Test listing bucket contents
+curl -i https://s3.us-west-2.amazonaws.com/your-bucket-name/
+
+# Test downloading a specific file
+curl -i https://your-bucket-name.s3.us-west-2.amazonaws.com/test-file.txt
+```
+
+## 4. Configure your Worker
+
+Update your `wrangler.toml`:
+
+<WranglerConfig>
+```toml
+name = "private-s3-gateway"
+main = "src/index.js"
+compatibility_date = "2024-01-01"
+
+[[vpc_services]]
+binding = "S3_STORAGE"
+service_id = "<YOUR_SERVICE_ID>"
+
+````
+</WranglerConfig>
+
+## 5. Implement the Worker
+
+In your Workers code, use the Workers VPC Service binding in order to send requests to the service:
+
+```js title="index.js"
+export default {
+	async fetch(request, env, ctx) {
+		try {
+			// Fetch a file from the private S3 bucket via VPC endpoint
+			const response = await env.S3_STORAGE.fetch("https://s3.us-west-2.amazonaws.com/my-bucket/data.json");
+
+			// Use the response from S3 to perform more logic in Workers, before returning the final response
+			return response;
+		} catch (error) {
+			return new Response("Storage unavailable", { status: 503 });
+		}
+	},
+};
+````
+
+This guide demonstrates how you could access private object storage from your Workers. You could use Workers VPC Services to fetch files directly and manipulate the responses to enable you to build more full-stack and backend functionality on Workers.
+
+## 6. Deploy and test
+
+Now, you can deploy and test your Worker that you have created:
+
+```bash
+npx wrangler deploy
+```
+
+```bash
+# Test GET request
+curl https://private-s3-gateway.workers.dev
+```
+
+## Next steps
+
+- Add [authentication and authorization](/workers/examples/auth-with-headers/)
+- Implement [rate limiting](/durable-objects/api/)
+- Set up [monitoring and alerting](/analytics/analytics-engine/)
+- Explore [other examples](/workers-vpc/examples/)