Gateway, Cloudflare Mesh, Workers VPC - Filter Workers' public Internet traffic using Gateway policies
Workers using a VPC Network binding with network_id: "cf1:network" now egress to public Internet destinations through Cloudflare Gateway. This means your existing Zero Trust traffic policies — DNS, HTTP, Network, and egress — extend to traffic that originates from your Workers, the same way they do for WARP users today.
-
Calls
env.EGRESS.fetch() -
Bind via
cf1:network -
↓
-
Policies applied:
-
↓
-
↗ Public Internet
Any public hostname or IP
What you get by default:
-
Visibility. Worker egress shows up in Gateway DNS, HTTP, and Network logs alongside your other traffic, so you can audit what your Workers are calling and when.
-
Enforcement. Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. If you have already blocked a category for your workforce, your Workers inherit that block.
-
wrangler.jsonc
<div><div><span>{</span></div></div><div><div><span> </span><span>"</span><span>vpc_networks</span><span>"</span><span>:</span><span> </span><span>[</span></div></div><div><div><span> </span><span>{</span></div></div><div><div><span> </span><span>"</span><span>binding</span><span>"</span><span>:</span><span> </span><span>"EGRESS"</span><span>,</span></div></div><div><div><span> </span><span>"</span><span>network_id</span><span>"</span><span>:</span><span> </span><span>"cf1:network"</span><span>,</span></div></div><div><div><span> </span><span>"</span><span>remote</span><span>"</span><span>:</span><span> </span><span>true</span><span>,</span></div></div><div><div><span> </span><span>},</span></div></div><div><div><span> </span><span>],</span></div></div><div><div><span>}</span></div></div> -
wrangler.toml
<div><div><span>[[</span><span>vpc_networks</span><span>]]</span></div></div><div><div><span>binding</span><span> </span><span>=</span><span> </span><span>"EGRESS"</span></div></div><div><div><span>network_id</span><span> </span><span>=</span><span> </span><span>"cf1:network"</span></div></div><div><div><span>remote</span><span> </span><span>=</span><span> </span><span>true</span></div></div> -
JavaScript
<div><div><span>// Egress to a public destination — subject to your Gateway policies and logged</span></div></div><div><div><span>const</span><span> </span><span>response</span><span> </span><span>=</span><span> </span><span>await</span><span> </span><span>env</span><span>.</span><span>EGRESS</span><span>.</span><span>fetch</span><span>(</span><span>"https://api.example.com/data"</span><span>)</span><span>;</span></div></div> -
TypeScript
<div><div><span>// Egress to a public destination — subject to your Gateway policies and logged</span></div></div><div><div><span>const</span><span> </span><span>response</span><span> </span><span>=</span><span> </span><span>await</span><span> </span><span>env</span><span>.</span><span>EGRESS</span><span>.</span><span>fetch</span><span>(</span><span>"https://api.example.com/data"</span><span>)</span><span>;</span></div></div>
For configuration options, refer to VPC Networks. For policy authoring, refer to Cloudflare Gateway traffic policies.
Fetched June 19, 2026
