cloudflare · thomasgauvin · Nov 4, 2025 · Aug 5, 2025 · Aug 7, 2025 · Aug 7, 2025
@@ -0,0 +1,17 @@
+---
+title: Workers VPC Services (Beta)
+description: Access private resources in your VPC from Cloudflare Workers
+date: 2025-09-25T01:00:00Z
+---
+
+We're excited to announce the beta release of **Workers VPC Services**, enabling Cloudflare Workers to securely access resources in your private networks.
+
+## What's new
+
+- **VPC Services**: Create secure connections to internal APIs, databases, and services through Cloudflare Tunnel
+- **Service Bindings**: Access private resources using familiar Worker binding syntax
+- **Multi-cloud Support**: Connect to resources across AWS, Azure, GCP, and on-premise infrastructure
+
+## Getting started
+
+Set up a Cloudflare Tunnel, create a VPC Service, add service bindings to your Worker, and access private resources securely. [Refer to the documentation](/workers-vpc/) to get started.
@@ -0,0 +1,125 @@
+---
+title: Workers Binding API
+pcx_content_type: reference
+sidebar:
+  order: 4
+---
+
+import { Tabs, TabItem, Render } from "~/components";
+
+VPC Service bindings provide a convenient API for accessing VPC Services from your Worker. Each binding represents a connection to a service in your private network through a Cloudflare Tunnel.
+
+Each request made on the binding will route to the specific service that was configured for the VPC Service, while restricting access to the rest of your private network.
+
+:::note
+
+Workers VPC is currently in beta. Features and APIs may change before general availability. While in beta, Workers VPC is available for free to all Workers plans.
+
+:::
+
+## VPC Service binding
+
+A VPC Service binding is accessed via the `env` parameter in your Worker's fetch handler. It provides a `fetch()` method for making HTTP requests to your private service.
+
+## fetch()
+
+Makes an HTTP request to the private service through the configured tunnel.
+
+```js
+const response = await env.VPC_SERVICE_BINDING.fetch(resource, options);
+```
+
+:::note
+The [VPC Service configurations](/workers-vpc/configuration/vpc-services/#vpc-service-configuration) will always be used to connect and route requests to your services in external networks, even if a different URL or host is present in the actual `fetch()` operation of the Worker code.
+
+The information provided in the `fetch()` operation is not used to route requests, and instead only populates the `Host` field for a HTTP request that can be parsed by the server and used for Server Name Indication (SNI).
+:::
+
+### Parameters
+
+- `resource` (string | URL | Request) - The URL to fetch. This must be an absolute URL including protocol, host, and path (for example, `http://internal-api:8080/api/users`)
+- `options` (optional RequestInit) - Standard fetch options including:
+  - `method` - HTTP method (GET, POST, PUT, DELETE, etc.)
+  - `headers` - Request headers
+  - `body` - Request body
+  - `signal` - AbortSignal for request cancellation
+
+:::note[Absolute URLs Required]
+VPC Service fetch requests must use absolute URLs including the protocol (`http`/`https`), host, and path. Relative paths are not supported.
+:::
+
+### Return value
+
+Returns a `Promise<Response>` that resolves to a [standard Fetch API Response object](https://developer.mozilla.org/en-US/docs/Web/API/Response).
+
+### Examples
+
+#### Basic GET request
+
+```js
+export default {
+	async fetch(request, env) {
+		const privateRequest = new Request(
+			"http://internal-api.company.local/users",
+		);
+		const response = await env.VPC_SERVICE_BINDING.fetch(privateRequest);
+		const users = await response.json();
+
+		return new Response(JSON.stringify(users), {
+			headers: { "Content-Type": "application/json" },
+		});
+	},
+};
+```
+
+#### POST request with body
+
+```js
+export default {
+	async fetch(request, env) {
+		const privateRequest = new Request(
+			"http://internal-api.company.local:8080/users",
+			{
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Authorization: `Bearer ${env.API_TOKEN}`,
+				},
+				body: JSON.stringify({
+					name: "John Doe",
+					email: "[email protected]",
+				}),
+			},
+		);
+
+		const response = await env.VPC_SERVICE_BINDING.fetch(privateRequest);
+
+		if (!response.ok) {
+			return new Response("Failed to create user", { status: response.status });
+		}
+
+		const user = await response.json();
+		return new Response(JSON.stringify(user), {
+			headers: { "Content-Type": "application/json" },
+		});
+	},
+};
+```
+
+#### Request with HTTPS and IP address
+
+```js
+export default {
+	async fetch(request, env) {
+		const privateRequest = new Request("https://10.0.1.50:8443/api/data");
+		const response = await env.VPC_SERVICE_BINDING.fetch(privateRequest);
+
+		return response;
+	},
+};
+```
+
+## Next steps
+
+- Configure [service bindings in wrangler.toml](/workers-vpc/configuration/vpc-services/)
+- Refer to [usage examples](/workers-vpc/examples/)
@@ -0,0 +1,12 @@
+---
+title: Configuration
+pcx_content_type: navigation
+sidebar:
+  group:
+    hideIndex: true
+  order: 3
+---
+
+import { DirectoryListing } from "~/components";
+
+<DirectoryListing />
@@ -0,0 +1,35 @@
+---
+title: Hardware requirements
+pcx_content_type: concept
+sidebar:
+  order: 3
+---
+
+import { TunnelCalculator } from "~/components";
+
+## Recommendations
+
+For production use cases, we recommend the following baseline configuration:
+
+- Run a cloudflared replica on two dedicated host machines per network location. Using two hosts enables server-side redundancy. See [tunnel availability and replicas](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) for setup instructions.
+- Size each host with minimum 4GB of RAM and 4 CPU cores.
+
+This setup is usually sufficient to handle traffic from small-medium sized applications. The actual amount of resources used by cloudflared will depend on many variables, including the number of requests per second, bandwidth, network path, and hardware. If usage increases beyond your existing tunnel capacity, you can scale your tunnel by increasing the hardware allocated to the cloudflared hosts.
+
+## Capacity calculator
+
+To estimate tunnel capacity requirements for your deployment, refer to the [tunnel capacity calculator in the Zero Trust documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/).
+
+## Scaling considerations
+
+Monitor tunnel performance and scale accordingly:
+
+- **CPU utilization**: Keep below 70% average usage
+- **Memory usage**: Maintain headroom for traffic spikes
+- **Network bandwidth**: Ensure adequate throughput for peak loads
+- **Connection count**: Scale cloudflared vertically when approaching capacity limits
+
+## Next steps
+
+- Configure [tunnel deployment](/workers-vpc/configuration/tunnel/)
+- Set up [high availability](/workers-vpc/configuration/tunnel/) with multiple replicas
@@ -0,0 +1,70 @@
+---
+title: Cloudflare Tunnel
+pcx_content_type: concept
+sidebar:
+  order: 2
+---
+
+import { GlossaryTooltip, Tabs, TabItem, Example } from "~/components";
+
+Cloudflare Tunnel creates secure connections from your infrastructure to Cloudflare's global network, providing the network connectivity that allows Workers to access your private resources.
+
+When you create a VPC Service, you specify a tunnel ID and target service. Workers VPC then routes requests from your Worker to the appropriate tunnel, forwards traffic to your private network, connects to the specified hostname or IP address, and returns responses back to your Worker.
+
+The tunnel maintains persistent connections to Cloudflare, eliminating the need for inbound firewall rules or public IP addresses.
+
+:::note
+This section provides tunnel configuration specific to Workers VPC use cases. For comprehensive tunnel documentation including monitoring and advanced configurations, refer to the [full Cloudflare Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/).
+:::
+
+## Create and run tunnel (`cloudflared`)
+
+Cloudflare Tunnel requires the installation of a lightweight and highly scalable server-side daemon, `cloudflared`, to connect your infrastructure to Cloudflare.
+
+Cloudflare Tunnels can be created one of two ways:
+
+1. **Remotely-managed tunnels (recommended):** Remotely-managed configurations are stored on Cloudflare, allowing you to manage the tunnel from any machine using the dashboard, API, or Terraform.
+2. **Locally-managed tunnels:** A locally-managed tunnel is created by running `cloudflared tunnel create <NAME>` on the command line. Tunnel configuration is stored in your local cloudflared directory.
+
+For Workers VPC, we recommend creating a remotely-managed tunnel through the dashboard. Follow the [Tunnels for Workers VPC dashboard setup guide](/workers-vpc/get-started/) to create your tunnel with provided installation commands shown in the dashboard.
+
+For locally-managed tunnels, refer to the [`cloudflared` locally-managed tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/) guide. For manual installation, refer to the [`cloudflared` downloads page](/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) for platform-specific installation instructions.
+
+:::note[Important Note]
+Cloudflare Tunnels can either be configured for usage with [Cloudflare Zero Trust](/cloudflare-one/) or [Workers VPC](/workers-vpc/).
+
+Use Tunnels with Zero Trust when you are exposing internal applications securely to your employees with Cloudflare Access and hostnames.
+
+Use Tunnels with Workers VPC when you want to access private APIs, private databases, internal services or other HTTP services within your cloud or on-premise private network from Workers.
+
+The same `cloudflared` instance can be used to cover both Zero Trust and Workers VPC use cases simultaneously.
+
+:::
+
+:::note
+
+[Ingress configurations](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) for locally-managed tunnels are only relevant when using tunnels to expose services to the public internet, and are not required for Workers VPC as routing is handled by the VPC Service configuration.
+
+:::
+
+## Cloud platform setup guides
+
+For platform-specific tunnel deployment instructions for production workloads:
+
+- [AWS](/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/aws/) - Deploy tunnels in Amazon Web Services
+- [Azure](/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/azure/) - Deploy tunnels in Microsoft Azure
+- [Google Cloud](/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/google-cloud-platform/) - Deploy tunnels in Google Cloud Platform
+- [Kubernetes](/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/) - Deploy tunnels in Kubernetes clusters
+- [Terraform](/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/terraform/) - Deploy tunnels using Infrastructure as Code
+
+Refer to the full Cloudflare Tunnel documentation on [how to setup Tunnels for high availability and failover with replicas](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/).
+
+:::note
+We do not recommend using `cloudflared` in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, `cloudflared` does not load balance across replicas; replicas are strictly for high availability and requests are routed to the nearest replica.
+:::
+
+## Next steps
+
+- Configure [VPC Services](/workers-vpc/configuration/vpc-services/) to connect your tunnels to Workers
+- Review [hardware requirements](/workers-vpc/configuration/tunnel/hardware-requirements/) for capacity planning
+- Review the [complete Cloudflare Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/) for advanced features
@@ -0,0 +1,134 @@
+---
+title: VPC Services
+pcx_content_type: concept
+sidebar:
+  order: 1
+---
+
+import {
+	GlossaryTooltip,
+	Tabs,
+	TabItem,
+	Example,
+	Render,
+	WranglerConfig,
+} from "~/components";
+
+VPC Services are the core building block of Workers VPC. They represent specific resources in your private network that Workers can access through Cloudflare Tunnel.
+
+You can use bindings to connect to VPC Services from Workers. Every request made to a VPC Service using its `fetch` function will be securely routed to the configured service in the private network.
+
+VPC Services enforce that requests are routed to their intended service without exposing the entire network, securing your workloads and preventing server-side request forgery (SSRF).
+
+:::note
+
+Workers VPC is currently in beta. Features and APIs may change before general availability. While in beta, Workers VPC is available for free to all Workers plans.
+
+:::
+
+## VPC Service configuration
+
+A VPC Service consists of:
+
+- **Type**: Currently only `http` is supported (support for `tcp` coming soon)
+- **Tunnel ID**: The Cloudflare Tunnel that provides network connectivity
+- **Hostname or IPv4/IPv6 addresses**: The hostname, or IPv4 and/or IPv6 addresses to use to route to your service from the tunnel in your private network
+- **Ports**: HTTP and/or HTTPS port configuration (optional, defaults to 80/443)
+
+:::note
+The [VPC Service configurations](/workers-vpc/configuration/vpc-services/#vpc-service-configuration) will always be used to connect and route requests to your services in external networks, even if a different URL or host is present in the actual `fetch()` operation of the Worker code.
+
+The information provided in the `fetch()` operation is not used to route requests, and instead only populates the `Host` field for a HTTP request that can be parsed by the server and used for Server Name Indication (SNI).
+:::
+
+## Configuration example
+
+The following is an example of a VPC Service for a service using custom HTTP and HTTPS ports, and both IPv4 and IPv6 addresses. These configurations represent the expected contract of the [REST API for creating a VPC Service](https://developers.cloudflare.com/api/resources/zero_trust/subresources/connectivity/subresources/directory/subresources/services/), a type of service within the broader connectivity directory.
+
+```json
+{
+	"type": "http",
+	"name": "human-readable-name",
+
+	// Port configuration (optional - defaults to 80/443)
+	"http_port": 80,
+	"https_port": 443,
+
+	// Host configuration
+	"host": {
+		"ipv4": "10.0.0.1",
+		"ipv6": "fe80::",
+		"network": {
+			"tunnel_id": "0191dce4-9ab4-7fce-b660-8e5dec5172da"
+		}
+	}
+}
+```
+
+The following is an example of a VPC Service for a service using custom HTTP and HTTPS ports as well, using a hostname. Note that since we are using a hostname, we must provide our service with a `resolver_network` that optionally has `resolver_ips`.
+
+```json
+{
+	"type": "http",
+	"name": "human-readable-name",
+
+	// Port configuration (optional - defaults to 80/443)
+	"http_port": 80,
+	"https_port": 443,
+
+	// Hostname Host (with DNS resolver)
+	"host": {
+		"hostname": "example.com",
+		"resolver_network": {
+			"tunnel_id": "0191dce4-9ab4-7fce-b660-8e5dec5172da",
+			"resolver_ips": ["10.0.0.1"]
+		}
+	}
+}
+```
+
+## Workers binding configuration
+
+Once you have created a VPC Service, you can bind it to your Worker:
+
+<WranglerConfig>
+```toml
+name = "my-worker"
+main = "src/index.js"
+
+[[vpc_services]]
+binding = "PRIVATE_API"
+service_id = "5634563546"
+remote = true
+
+````
+</WranglerConfig>
+
+You can have multiple service bindings:
+
+<WranglerConfig>
+```toml
+[[vpc_services]]
+binding = "PRIVATE_API"
+service_id = "5634563546"
+remote = true
+
+[[vpc_services]]
+binding = "PRIVATE_DATABASE"
+service_id = "7856789012"
+remote = true
+
+[[vpc_services]]
+binding = "INTERNAL_CACHE"
+service_id = "3412345678"
+remote = true
+
+````
+
+</WranglerConfig>
+
+## Next steps
+
+- Set up [Cloudflare Tunnel](/workers-vpc/configuration/tunnel/) for your environment
+- Learn about the [Service Binding API](/workers-vpc/api/)
+- Refer to [examples](/workers-vpc/examples/) of common use cases