Update WVPC docs to discuss roles and runtime behavior (#26421)

xortive · web-flow · commit e99e402c21a7 · 2025-11-12T11:52:51.000-06:00
diff --git a/src/content/docs/fundamentals/manage-members/roles.mdx b/src/content/docs/fundamentals/manage-members/roles.mdx
@@ -77,6 +77,9 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
 | Waiting Room Read                                            | Can read [Waiting Room](/waiting-room/) configuration.                                                                                                                                                                                                                                                                                                                                                                            |
 | Workers Platform Admin                                       | Grants edit and read access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/), [R2](/r2/), Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced. |
 | Workers Platform (Read-only)                                 | Grants read-only access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/), [R2](/r2/), Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced.     |
+| Connectivity Directory Read                                  | Can view [Workers VPC Services](/workers-vpc/) and [Cloudflare Tunnels](/workers-vpc/configuration/tunnel/).
+| Connectivity Directory Bind                                  | Can read, list, and bind to [Workers VPC Services](/workers-vpc/), as well as read and list [Cloudflare Tunnels](/workers-vpc/configuration/tunnel/).
+| Connectivity Directory Admin                                 | Can view, edit, create, and delete [Workers VPC Services](/workers-vpc/), including the ability to create VPC Services that bind to [Cloudflare Tunnel](/workers-vpc/configuration/tunnel/).
 | Zaraz Admin                                                  | Can edit and publish [Zaraz](/zaraz/) configuration.                                                                                                                                                                                                                                                                                                                                                                              |
 | Zaraz Edit                                                   | Can edit [Zaraz](/zaraz/) configuration.                                                                                                                                                                                                                                                                                                                                                                                          |
 | Zaraz Read                                                   | Can read [Zaraz](/zaraz/) configuration.                                                                                                                                                                                                                                                                                                                                                                                          |
diff --git a/src/content/docs/workers-vpc/configuration/tunnel/index.mdx b/src/content/docs/workers-vpc/configuration/tunnel/index.mdx
@@ -9,7 +9,9 @@ import { GlossaryTooltip, Tabs, TabItem, Example } from "~/components";
 
 Cloudflare Tunnel creates secure connections from your infrastructure to Cloudflare's global network, providing the network connectivity that allows Workers to access your private resources.
 
-When you create a VPC Service, you specify a tunnel ID and target service. Workers VPC then routes requests from your Worker to the appropriate tunnel, forwards traffic to your private network, connects to the specified hostname or IP address, and returns responses back to your Worker.
+When you create a VPC Service, you specify a tunnel ID and target service. Workers VPC then routes requests from your Worker to the specified tunnel, which establishes a connection to the specified hostname or IP address, such that the target service receives the request and returns a response back to your Worker.
+
+To allow members to create VPC Services that represent a target service reachable via a tunnel, you must assign them the **Connectivity Directory Admin** role. Members must possess **Connectivity Directory Bind** role to bind to existing VPC Services from worker.
 
 The tunnel maintains persistent connections to Cloudflare, eliminating the need for inbound firewall rules or public IP addresses.
 
diff --git a/src/content/docs/workers-vpc/configuration/vpc-services.mdx b/src/content/docs/workers-vpc/configuration/vpc-services.mdx
@@ -20,6 +20,8 @@ You can use bindings to connect to VPC Services from Workers. Every request made
 
 VPC Services enforce that requests are routed to their intended service without exposing the entire network, securing your workloads and preventing server-side request forgery (SSRF).
 
+Members must possess **Connectivity Directory Bind** role to bind to existing VPC Services from Workers. Creating VPC Services requires members to possess the **Connectivity Directory Admin** role.
+
 :::note
 
 Workers VPC is currently in beta. Features and APIs may change before general availability. While in beta, Workers VPC is available for free to all Workers plans.
@@ -34,13 +36,24 @@ A VPC Service consists of:
 - **Tunnel ID**: The Cloudflare Tunnel that provides network connectivity
 - **Hostname or IPv4/IPv6 addresses**: The hostname, or IPv4 and/or IPv6 addresses to use to route to your service from the tunnel in your private network
 - **Ports**: HTTP and/or HTTPS port configuration (optional, defaults to 80/443)
+- **Resolver IPs**: Optionally, a specific resolver IP can be provided -- when not provided, `cloudflared` will direct DNS traffic to the currently configured default system resolver.
+
+Requests are encrypted in flight until they reach your network via a tunnel, regardless of the scheme used in the URL provided to `fetch`. If the `http` scheme is used, a plaintext connection is established to the service from the tunnel.
+
+The `https` scheme can be used for an encrypted connection within your network, between the tunnel and your service. When the `https` scheme is specified, a hostname provided to the `fetch()` operation is utilized as the Server Name Indication (SNI) value.
+
+VPC Services default to allowing both `http` and `https` schemes to be used. You can provide values for only one of `http_port` or `https_port` to enforce the use of a particular scheme.
+
+When Workers VPC is unable to establish a connection to your service, `fetch()` will throw an exception.
 
 :::note
-The [VPC Service configurations](/workers-vpc/configuration/vpc-services/#vpc-service-configuration) will always be used to connect and route requests to your services in external networks, even if a different URL or host is present in the actual `fetch()` operation of the Worker code.
 
-The host provided in the `fetch()` operation is not used to route requests, and instead only populates the `Host` field for a HTTP request that can be parsed by the server and used for Server Name Indication (SNI), when the `https` scheme is specified.
+The [VPC Service configuration](/workers-vpc/configuration/vpc-services/#vpc-service-configuration) host and port(s) will always be used to connect and route requests to your services, even if a different host or port is present in the URL provided to the `fetch()` operation in the Worker code.
+
+The host provided in the `fetch()` operation is not used to route requests, and instead only populates the `Host` field for a HTTP request, or `Host` and the Server Name Indication (SNI) value presented to your service for a HTTPS request.
+
+The port provided in the `fetch()` operation is ignored — the port specified in the VPC Service configuration for the provided scheme will be used.
 
-The port provided in the `fetch()` operation is ignored — the port specified in the VPC Service configuration will be used.
 :::
 
 ## Configuration example
@@ -83,7 +96,7 @@ The following is an example of a VPC Service for a service using custom HTTP and
 		"hostname": "example.com",
 		"resolver_network": {
 			"tunnel_id": "0191dce4-9ab4-7fce-b660-8e5dec5172da",
-			"resolver_ips": ["10.0.0.1"]
+			"resolver_ips": ["10.0.0.1"] // Optional
 		}
 	}
 }
@@ -100,29 +113,29 @@ main = "src/index.js"
 
 [[vpc_services]]
 binding = "PRIVATE_API"
-service_id = "5634563546"
-remote = true
+service_id = "e6a0817c-79c5-40ca-9776-a1c019defe70"
+remote = true # When true, utilizes [remote bindings](/workers/development-testing/#remote-bindings) to allow access to the VPC Service during local development.
 
 ```
 </WranglerConfig>
 
-You can have multiple service bindings:
+You can have multiple VPC service bindings:
 
 <WranglerConfig>
 ```toml
 [[vpc_services]]
 binding = "PRIVATE_API"
-service_id = "5634563546"
+service_id = "daf43e8c-a81a-4242-9912-4a2ebe4fdd79"
 remote = true
 
 [[vpc_services]]
 binding = "PRIVATE_DATABASE"
-service_id = "7856789012"
+service_id = "453b6067-1327-420d-89b3-2b6ad16e6551"
 remote = true
 
 [[vpc_services]]
 binding = "INTERNAL_CACHE"
-service_id = "3412345678"
+service_id = "6c39b574-237e-49f4-852a-cea5a93ed8f9"
 remote = true
 
 ```
diff --git a/src/content/docs/workers-vpc/examples/private-api.mdx b/src/content/docs/workers-vpc/examples/private-api.mdx
@@ -65,6 +65,7 @@ compatibility_date = "2024-01-01"
 [[vpc_services]]
 binding = "INTERNAL_API"
 service_id = "<YOUR_SERVICE_ID>"
+remote = true
 
 ```
 </WranglerConfig>
diff --git a/src/content/docs/workers-vpc/get-started.mdx b/src/content/docs/workers-vpc/get-started.mdx
@@ -37,6 +37,8 @@ Before you begin, ensure you have completed the following:
 Additionally, you will need:
 
 - Access to a private network (your local network, AWS VPC, Azure VNet, GCP VPC, or on-premise networks)
+- The **Connectivity Directory Bind** role to bind to existing VPC Services from Workers.
+- Or, the **Connectivity Directory Admin** role to create VPC Services, and bind to them from Workers.
 
 ## 1. Create a new Worker project
 
