VPC Services

VPC Services are the core building block of Workers VPC. They represent specific resources in your private network that Workers can access through Cloudflare Tunnel.

You can use bindings to connect to VPC Services from Workers. Every request made to a VPC Service using its fetch function will be securely routed to the configured service in the private network.

VPC Services enforce that requests are routed to their intended service without exposing the entire network, securing your workloads and preventing server-side request forgery (SSRF).

VPC Service configuration

A VPC Service consists of:

Type: Currently only http is supported (support for tcp coming soon)
Tunnel ID: The Cloudflare Tunnel that provides network connectivity
Hostname or IPv4/IPv6 addresses: The hostname, or IPv4 and/or IPv6 addresses to use to route to your service from the tunnel in your private network
Ports: HTTP and/or HTTPS port configuration (optional, defaults to 80/443)

Configuration example

The following is an example of a VPC Service for a service using custom HTTP and HTTPS ports, and both IPv4 and IPv6 addresses. These configurations represent the expected contract of the REST API for creating a VPC Service ↗, a type of service within the broader connectivity directory.

{
  "type": "http",
  "name": "human-readable-name",

  // Port configuration (optional - defaults to 80/443)
  "http_port": 80,
  "https_port": 443,

  // Host configuration
  "host": {
    "ipv4": "10.0.0.1",
    "ipv6": "fe80::",
    "network": {
      "tunnel_id": "0191dce4-9ab4-7fce-b660-8e5dec5172da"
    }
  }
}

The following is an example of a VPC Service for a service using custom HTTP and HTTPS ports as well, using a hostname. Note that since we are using a hostname, we must provide our service with a resolver_network that optionally has resolver_ips.

{
  "type": "http",
  "name": "human-readable-name",

  // Port configuration (optional - defaults to 80/443)
  "http_port": 80,
  "https_port": 443,

  // Hostname Host (with DNS resolver)
  "host": {
    "hostname": "example.com",
    "resolver_network": {
      "tunnel_id": "0191dce4-9ab4-7fce-b660-8e5dec5172da",
      "resolver_ips": ["10.0.0.1"]
    }
  }
}

Workers binding configuration

Once you have created a VPC Service, you can bind it to your Worker:

wrangler.jsonc
wrangler.toml

{
  "$schema": "./node_modules/wrangler/config-schema.json",
  "name": "my-worker",
  "main": "src/index.js",
  "vpc_services": [
    {
      "binding": "PRIVATE_API",
      "service_id": "5634563546",
      "remote": true
    }
  ]
}

name = "my-worker"
main = "src/index.js"

[[vpc_services]]
binding = "PRIVATE_API"
service_id = "5634563546"
remote = true

You can have multiple service bindings:

wrangler.jsonc
wrangler.toml

{
  "$schema": "./node_modules/wrangler/config-schema.json",
  "vpc_services": [
    {
      "binding": "PRIVATE_API",
      "service_id": "5634563546",
      "remote": true
    },
    {
      "binding": "PRIVATE_DATABASE",
      "service_id": "7856789012",
      "remote": true
    },
    {
      "binding": "INTERNAL_CACHE",
      "service_id": "3412345678",
      "remote": true
    }
  ]
}

[[vpc_services]]
binding = "PRIVATE_API"
service_id = "5634563546"
remote = true

[[vpc_services]]
binding = "PRIVATE_DATABASE"
service_id = "7856789012"
remote = true

[[vpc_services]]
binding = "INTERNAL_CACHE"
service_id = "3412345678"
remote = true

Next steps

Set up Cloudflare Tunnel for your environment
Learn about the Service Binding API
Refer to examples of common use cases

Was this helpful?

Community
X
Discord
YouTube
GitHub