Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from repo
Comprehensive Cloudflare platform skill covering Workers, D1, R2, KV, AI, Durable Objects, and security.
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
references/workers-vpc/README.md
1# Workers VPC Connectivity23Connect Cloudflare Workers to private networks and internal infrastructure using TCP Sockets.45## Overview67Workers VPC connectivity enables outbound TCP connections from Workers to private resources in AWS, Azure, GCP, on-premises datacenters, or any private network. This is achieved through the **TCP Sockets API** (`cloudflare:sockets`), which provides low-level network access for custom protocols and services.89**Key capabilities:**10- Direct TCP connections to private IPs and hostnames11- TLS/StartTLS support for encrypted connections12- Integration with Cloudflare Tunnel for secure private network access13- Full control over wire protocols (database protocols, SSH, MQTT, custom TCP)1415**Note:** This reference documents the TCP Sockets API. For the newer Workers VPC Services product (HTTP-only service bindings with built-in SSRF protection), refer to separate documentation when available. VPC Services is currently in beta (2025+).1617## Quick Decision: Which Technology?1819Need private network connectivity from Workers?2021| Requirement | Use | Why |22|------------|-----|-----|23| HTTP/HTTPS APIs in private network | VPC Services (beta, separate docs) | SSRF-safe, declarative bindings |24| PostgreSQL/MySQL databases | [Hyperdrive](../hyperdrive/) | Connection pooling, caching, optimized |25| Custom TCP protocols (SSH, MQTT, proprietary) | **TCP Sockets (this doc)** | Full protocol control |26| Simple HTTP with lowest latency | TCP Sockets + [Smart Placement](../smart-placement/) | Manual optimization |27| Expose on-prem to internet (inbound) | [Cloudflare Tunnel](../tunnel/) | Not Worker-specific |2829## When to Use TCP Sockets3031**Use TCP Sockets when you need:**32- ✅ Direct control over wire protocols (e.g., Postgres wire protocol, SSH, Redis RESP)33- ✅ Non-HTTP protocols (MQTT, SMTP, custom binary protocols)34- ✅ StartTLS or custom TLS negotiation35- ✅ Streaming binary data over TCP3637**Don't use TCP Sockets when:**38- ❌ You just need HTTP/HTTPS (use `fetch()` or VPC Services)39- ❌ You need PostgreSQL/MySQL (use Hyperdrive for pooling)40- ❌ You need WebSocket (use native Workers WebSocket)4142## Quick Start4344```typescript45import { connect } from 'cloudflare:sockets';4647export default {48async fetch(req: Request): Promise<Response> {49// Connect to private service50const socket = connect(51{ hostname: "db.internal.company.net", port: 5432 },52{ secureTransport: "on" }53);5455try {56await socket.opened; // Wait for connection5758const writer = socket.writable.getWriter();59await writer.write(new TextEncoder().encode("QUERY\r\n"));60await writer.close();6162const reader = socket.readable.getReader();63const { value } = await reader.read();6465return new Response(value);66} finally {67await socket.close();68}69}70};71```7273## Architecture Pattern: Workers + Tunnel7475Most private network connectivity combines TCP Sockets with Cloudflare Tunnel:7677```78┌─────────┐ ┌─────────────┐ ┌──────────────┐ ┌─────────────┐79│ Worker │────▶│ TCP Socket │────▶│ Tunnel │────▶│ Private │80│ │ │ (this API) │ │ (cloudflared)│ │ Network │81└─────────┘ └─────────────┘ └──────────────┘ └─────────────┘82```83841. Worker opens TCP socket to Tunnel hostname852. Tunnel endpoint routes to private IP863. Response flows back through Tunnel to Worker8788See [configuration.md](./configuration.md) for Tunnel setup details.8990## Reading Order91921. **Start here (README.md)** - Overview and decision guide932. **[api.md](./api.md)** - Socket interface, types, methods943. **[configuration.md](./configuration.md)** - Wrangler setup, Tunnel integration954. **[patterns.md](./patterns.md)** - Real-world examples (databases, protocols, error handling)965. **[gotchas.md](./gotchas.md)** - Limits, blocked ports, common errors9798## Key Limits99100| Limit | Value |101|-------|-------|102| Max concurrent sockets per request | 6 |103| Blocked destinations | Cloudflare IPs, localhost, port 25 |104| Scope requirement | Must create in handler (not global) |105106See [gotchas.md](./gotchas.md) for complete limits and troubleshooting.107108## Best Practices1091101. **Always close sockets** - Use try/finally blocks1112. **Validate destinations** - Prevent SSRF by allowlisting hosts1123. **Use Hyperdrive for databases** - Better performance than raw TCP1134. **Prefer fetch() for HTTP** - Only use TCP when necessary1145. **Combine with Smart Placement** - Reduce latency to private networks115116## Related Technologies117118- **[Hyperdrive](../hyperdrive/)** - PostgreSQL/MySQL with connection pooling119- **[Cloudflare Tunnel](../tunnel/)** - Secure private network access120- **[Smart Placement](../smart-placement/)** - Auto-locate Workers near backends121- **VPC Services (beta)** - HTTP-only service bindings with SSRF protection (separate docs)122123## Reference124125- [TCP Sockets API Documentation](https://developers.cloudflare.com/workers/runtime-apis/tcp-sockets/)126- [Connect to databases guide](https://developers.cloudflare.com/workers/tutorials/connect-to-postgres/)127- [Cloudflare Tunnel setup](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)128