--- title: Reach Cloudflare WAN destinations from Workers VPC description: VPC Network bindings using cf1:network now reach destinations connected through Cloudflare WAN on-ramps (GRE, IPsec, CNI), in addition to Cloudflare Mesh nodes and subnet or hostname routes announced through Cloudflare Tunnel or Mesh. image: https://developers.cloudflare.com/changelog-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) [ ← Back to all posts ](https://developers.cloudflare.com/changelog/) ## Reach Cloudflare WAN destinations from Workers VPC May 21, 2026 [ Workers VPC ](https://developers.cloudflare.com/workers-vpc/) You can now use [VPC Network](https://developers.cloudflare.com/workers-vpc/configuration/vpc-networks/) bindings with `network_id: "cf1:network"` to reach your full private network from Workers, including: * [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) nodes and client devices * Subnet routes and hostname routes announced through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) or Cloudflare Mesh * Destinations connected through [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) on-ramps — GRE, IPsec, and CNI This means a single VPC Network binding can route Worker requests to private services regardless of how those services are connected to Cloudflare: through a Cloudflare Tunnel from a cloud VPC, a Mesh node on a private subnet, or a Cloudflare WAN on-ramp from your data center or branch site. * [ wrangler.jsonc ](#tab-panel-1002) * [ wrangler.toml ](#tab-panel-1003) JSONC ``` { "vpc_networks": [ { "binding": "PRIVATE_NETWORK", "network_id": "cf1:network", "remote": true, }, ], } ``` TOML ``` [[vpc_networks]] binding = "PRIVATE_NETWORK" network_id = "cf1:network" remote = true ``` At runtime, the URL you pass to `fetch()` determines the destination: JavaScript ``` // Reach a service behind a Cloudflare WAN IPsec on-ramp const response = await env.PRIVATE_NETWORK.fetch("http://10.50.0.100:8080/api"); ``` Note For destinations behind Cloudflare WAN on-ramps (GRE, IPsec, or CNI), your network must route the [Cloudflare source IP range](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-cloudflare-source-ips/) back through the on-ramp so reply traffic returns to Cloudflare. Without this route, stateful flows will fail. This is part of standard Cloudflare WAN onboarding. For configuration options, refer to [VPC Networks](https://developers.cloudflare.com/workers-vpc/configuration/vpc-networks/).