Cloudflare Developer Platform · Saturday · June 6, 2026

Gateway, Cloudflare Mesh, Workers VPC - Filter Workers' public Internet traffic using Gateway policies

cloudflare · workers · zero-trust · gateway · vpc

Cloudflare has announced that Workers using a VPC Network binding with network_id "cf1:network" will now egress to public internet destinations through Cloudflare Gateway. This integration means that existing Zero Trust traffic policies—including DNS, HTTP, Network, and egress policies—extend to traffic originating from Workers, just as they do for WARP users. By default, Worker egress traffic appears in Gateway DNS, HTTP, and Network logs, enabling developers to audit which external endpoints their Workers call. Additionally, any existing Gateway policy whose selectors match a Worker request will be enforced, including allow/block lists, DNS category filtering, and HTTP destination rules. For example, if an organization has already blocked a certain category for its workforce, Workers will inherit that block automatically. The feature is configured in wrangler.jsonc by adding a VPC network binding with the network_id set to "cf1:network" and the remote property set to true. This update bridges the gap between Cloudflare's serverless compute and its Zero Trust security layer, giving developers more control over Worker outbound traffic without additional code changes.
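One way to audit a wrangler.jsonc for the binding described above, as an added example that is not from Cloudflare or the original page. The vpc_networks key and the binding names in the sample are assumptions; the check relies only on the network_id and remote properties named above, wherever they appear in the file.

```javascript
// Constructed sample, not a real project. The "vpc_networks" key and the
// binding names are assumptions; only network_id and remote come from the page.
const SAMPLE = `{
  "name": "billing-worker", // constructed
  "vpc_networks": [
    { "binding": "EGRESS", "network_id": "cf1:network", "remote": true, },
    { "binding": "LOCAL_ONLY", "network_id": "cf1:network" /* remote unset */ }
  ],
  "vars": { "DOCS": "https://example.com/a//b" }
}`;

// Strip // and /* */ comments and trailing commas without touching strings.
function stripJsonc(text) {
  let out = "", i = 0, inString = false;
  while (i < text.length) {
    const c = text[i], next = text[i + 1];
    if (inString) {
      if (c === "\\") { out += c + next; i += 2; continue; }
      if (c === '"') inString = false;
      out += c; i++;
    } else if (c === "/" && next === "/") {
      while (i < text.length && text[i] !== "\n") i++;
    } else if (c === "/" && next === "*") {
      const end = text.indexOf("*/", i + 2);
      i = end < 0 ? text.length : end + 2;
    } else if (c === "}" || c === "]") {
      out = out.replace(/,\s*$/, "") + c; i++;
    } else {
      if (c === '"') inString = true;
      out += c; i++;
    }
  }
  return out;
}

// List every object carrying network_id, wherever it sits in the config.
function auditVpcBindings(jsoncText) {
  const findings = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) return node.forEach((v, k) => walk(v, `${path}[${k}]`));
    if (!node || typeof node !== "object") return;
    if ("network_id" in node) {
      // The page's setup: network_id "cf1:network" together with remote: true.
      const matches = node.network_id === "cf1:network" && node.remote === true;
      findings.push({ path, networkId: node.network_id, matchesGatewayConfig: matches });
    }
    for (const [k, v] of Object.entries(node)) walk(v, `${path}.${k}`);
  };
  walk(JSON.parse(stripJsonc(jsoncText)), "$");
  return findings;
}
console.log(auditVpcBindings(SAMPLE));
```

Bindings reported with matchesGatewayConfig set to false are the ones to review if the intent is for that Worker's egress to show up in Gateway logs and policies.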

// why it matters

Developers can now apply Zero Trust policies to Worker egress traffic without extra code.

Sources

Primary · Cloudflare Developer Platform
▸ Read original at developers.cloudflare.com
