{"id":485,"date":"2026-05-21T00:00:00","date_gmt":"2026-05-21T00:00:00","guid":{"rendered":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/05\/21\/workers-vpc-reach-cloudflare-wan-destinations-from-workers-vpc-3\/"},"modified":"2026-05-21T00:00:00","modified_gmt":"2026-05-21T00:00:00","slug":"workers-vpc-reach-cloudflare-wan-destinations-from-workers-vpc-3","status":"publish","type":"post","link":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/05\/21\/workers-vpc-reach-cloudflare-wan-destinations-from-workers-vpc-3\/","title":{"rendered":"Workers VPC &#8211; Reach Cloudflare WAN destinations from Workers VPC"},"content":{"rendered":"<p>You can now use <a href=\"https:\/\/developers.cloudflare.com\/workers-vpc\/configuration\/vpc-networks\/\">VPC Network<\/a> bindings with <code>network_id: \"cf1:network\"<\/code> to reach your full private network from Workers, including:<\/p>\n<ul>\n<li><a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/connectors\/cloudflare-mesh\/\">Cloudflare Mesh<\/a> nodes and client devices<\/li>\n<li>Subnet routes and hostname routes announced through <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/connectors\/cloudflare-tunnel\/\">Cloudflare Tunnel<\/a> or Cloudflare Mesh<\/li>\n<li>Destinations connected through <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-wan\/\">Cloudflare WAN<\/a> on-ramps \u2014 GRE, IPsec, and CNI<\/li>\n<\/ul>\n<p>This means a single VPC Network binding can route Worker requests to private services regardless of how those services are connected to Cloudflare: through a Cloudflare Tunnel from a cloud VPC, a Mesh node on a private subnet, or a Cloudflare WAN on-ramp from your data center or branch site.<\/p>\n<ul>\n<li>\n<p>wrangler.jsonc<\/p>\n<div>\n<div>\n<figure>\n<pre data-language=\"jsonc\"><code class=\"language-jsonc\"><div><div><span>{<\/span><\/div><\/div><div><div><span>  <\/span><span>\"<\/span><span>vpc_networks<\/span><span>\"<\/span><span>:<\/span><span> <\/span><span>[<\/span><\/div><\/div><div><div><span>    <\/span><span>{<\/span><\/div><\/div><div><div><span>      <\/span><span>\"<\/span><span>binding<\/span><span>\"<\/span><span>:<\/span><span> <\/span><span>\"PRIVATE_NETWORK\"<\/span><span>,<\/span><\/div><\/div><div><div><span>      <\/span><span>\"<\/span><span>network_id<\/span><span>\"<\/span><span>:<\/span><span> <\/span><span>\"cf1:network\"<\/span><span>,<\/span><\/div><\/div><div><div><span>      <\/span><span>\"<\/span><span>remote<\/span><span>\"<\/span><span>:<\/span><span> <\/span><span>true<\/span><span>,<\/span><\/div><\/div><div><div><span>    <\/span><span>},<\/span><\/div><\/div><div><div><span>  <\/span><span>],<\/span><\/div><\/div><div><div><span>}<\/span><\/div><\/div><\/code><\/pre>\n<div>\n<div><\/div>\n<\/div>\n<\/figure>\n<\/div><\/div>\n<\/li>\n<li>\n<p>wrangler.toml<\/p>\n<div>\n<div>\n<figure>\n<pre data-language=\"toml\"><code class=\"language-toml\"><div><div><span>[[<\/span><span>vpc_networks<\/span><span>]]<\/span><\/div><\/div><div><div><span>binding<\/span><span> <\/span><span>=<\/span><span> <\/span><span>\"PRIVATE_NETWORK\"<\/span><\/div><\/div><div><div><span>network_id<\/span><span> <\/span><span>=<\/span><span> <\/span><span>\"cf1:network\"<\/span><\/div><\/div><div><div><span>remote<\/span><span> <\/span><span>=<\/span><span> <\/span><span>true<\/span><\/div><\/div><\/code><\/pre>\n<div>\n<div><\/div>\n<\/div>\n<\/figure>\n<\/div><\/div>\n<\/li>\n<\/ul>\n<p>At runtime, the URL you pass to <code>fetch()<\/code> determines the destination:<\/p>\n<div>\n<figure>\n<pre data-language=\"js\"><code class=\"language-js\"><div><div><span>\/\/ Reach a service behind a Cloudflare WAN IPsec on-ramp<\/span><\/div><\/div><div><div><span>const<\/span><span> <\/span><span>response<\/span><span> <\/span><span>=<\/span><span> <\/span><span>await<\/span><span> <\/span><span>env<\/span><span>.<\/span><span>PRIVATE_NETWORK<\/span><span>.<\/span><span>fetch<\/span><span>(<\/span><span>\"http:\/\/10.50.0.100:8080\/api\"<\/span><span>)<\/span><span>;<\/span><\/div><\/div><\/code><\/pre>\n<div>\n<div><\/div>\n<\/div>\n<\/figure>\n<\/div>\n<aside>\n<p>Note<\/p>\n<div>\n<p>For destinations behind Cloudflare WAN on-ramps (GRE, IPsec, or CNI), your network must route the <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-wan\/configuration\/how-to\/configure-cloudflare-source-ips\/\">Cloudflare source IP range<\/a> back through the on-ramp so reply traffic returns to Cloudflare. Without this route, stateful flows will fail. This is part of standard Cloudflare WAN onboarding.<\/p>\n<\/div>\n<\/aside>\n<p>For configuration options, refer to <a href=\"https:\/\/developers.cloudflare.com\/workers-vpc\/configuration\/vpc-networks\/\">VPC Networks<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>You can now use VPC Network bindings with network_id: &#8220;cf1:network&#8221; to reach your full private network from Workers, including: Cloudflare Mesh nodes and client devices Subnet routes and hostname routes announced through Cloudflare Tunnel or Cloudflare Mesh Destinations connected through Cloudflare WAN on-ramps \u2014 GRE, IPsec, and CNI This means a single VPC Network binding [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-485","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/comments?post=485"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/485\/revisions"}],"wp:attachment":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/media?parent=485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/categories?post=485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/tags?post=485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}