- Setup: Cano explained that users go from zero to a working private network in under five minutes through a dashboard wizard, with no networking expertise required.
- Bidirectional: This means every device and server gets a private IP and can reach every other device and server, not just client-to-server, but server-to-server, device-to-device, and now Worker-to-anything.
- Developer Platform integration: A Cloudflare Worker or an agent built with the Agents SDK can reach an entire private network through a single binding in its configuration file.
“The core problem hasn’t changed: you need private resources to be reachable without exposing them to the public Internet,” Cano said. “What’s changed is who’s connecting.”
How Mesh works
Cloudflare Mesh builds on the company’s existing WARP infrastructure. The WARP Connector is now being rebranded as a Mesh node. The WARP Client becomes the Cloudflare One Client. Every enrolled endpoint gets a private IP and bidirectional reachability to every other endpoint in the account.
The key integration for agents is the Workers VPC binding. A Cloudflare Worker or an agent built with the Agents SDK gains access to the entire Mesh network through a single line in its configuration file. That binding is account-scoped, meaning a Worker in one account cannot reach Mesh nodes in another.
Cano walked through the request path.
“Worker issues a fetch() through its VPC Network binding, the request hits Cloudflare’s edge,” Cano said. “Cloudflare routes it through the Mesh network to the target private IP. The Mesh node or device at that IP receives the request and responds back through the same path.”
On visibility, Cano said every request passes through Cloudflare’s Gateway and is logged. Gateway network policies can restrict which IPs or ports are reachable, and bindings can be revoked at any time without redeploying the Worker.
