Reach Cloudflare WAN destinations from Workers VPC
You can now use VPC Network bindings with network_id: "cf1:network" to reach your full private network from Workers, including:
- Cloudflare Mesh nodes and client devices
- Subnet routes and hostname routes announced through Cloudflare Tunnel or Cloudflare Mesh
- Destinations connected through Cloudflare WAN on-ramps — GRE, IPsec, and CNI
This means a single VPC Network binding can route Worker requests to private services regardless of how those services are connected to Cloudflare: through a Cloudflare Tunnel from a cloud VPC, a Mesh node on a private subnet, or a Cloudflare WAN on-ramp from your data center or branch site.
```jsonc
{
  "vpc_networks": [
    {
      "binding": "PRIVATE_NETWORK",
      "network_id": "cf1:network",
      "remote": true,
    },
  ],
}
```

```toml
[[vpc_networks]]
binding = "PRIVATE_NETWORK"
network_id = "cf1:network"
remote = true
```

At runtime, the URL you pass to fetch() determines the destination:

```js
// Reach a service behind a Cloudflare WAN IPsec on-ramp
const response = await env.PRIVATE_NETWORK.fetch("http://10.50.0.100:8080/api");
```

For configuration options, refer to VPC Networks.