Cloudflare Mesh: Secure private networking
Presented by: Nikita Cano, Thomas Gauvin
Originally aired on Today @ 9:00 AM - 9:30 AM EDT
Join Senior Product Managers Nikita and Thomas as they debut Cloudflare Mesh, a simplified private networking solution built for the era of AI agents.
Tune in to learn about these three major updates:
- Five-Minute Setup: Connect users, nodes, and agents to a secure private network in minutes with zero prior networking experience.
- Workers VPC Integration: Use the new mesh network binding to let Workers and AI agents securely reach private databases and internal APIs.
- Secure Global Mesh: Every device communicates via private IPs over fully encrypted, post-quantum secure tunnels across Cloudflare’s global network.
Visit the Agents Week Hub for every announcement and CFTV episode — check back all week for more!
Transcript (Beta)
My name is Nikita. I'm a product manager for Cloudflare Tandem and Cloudflare Mesh. I have Thomas with me.
Yes. Hi, everyone. My name is Thomas. I'm here with Nikita. I'm a product manager on the developer platform, and we've cooked up something very interesting.
We're really excited to share it with you. Nikita, I know you want to introduce us to a very interesting announcement.
Go for it. Yeah, let's let's do this.
So we know that private networking, right, tends to get slightly complicated, especially if you really don't have experience with this.
And if you are just a developer, and you want to just connect this thing to that thing securely, and you don't really want to concern yourself with SASE, Zero Trust, private connectivity, what are CGNAT IPs, and all of these things, you just want it to work.
And it's already a challenge. Now we live in the blissful new era where we also have AI agents, right?
And sometimes you need to connect these AI agents to the same environments that you have in a way that won't expose the agent and also will not allow the agent to do things that the agent is not supposed to do, right?
So there is this added complexity in this agentic world that we are entering at full speed these days.
So imagine you have your laptop, or your iPhone, and you want to SSH into your VM in staging.
Or you have an agent, and you are cooking up something cool, like we are here, and you want to test against this dev environment from your laptop, and you want your agent to fix things in your dev environment in real time.
So you need some kind of secure connectivity in between those things. Cloudflare One, as a thing, may be slightly intimidating for developers, especially if they are not used to the Zero Trust concepts.
So today we are making all of the functionality that is required for you to have a secure private networking for everyone and everything, users, nodes, agents, and even workers, accessible, user-friendly, into an all-in-one place so that you could set this up in under five minutes with zero previous experience, and just unblock yourself and ship the stuff that you want to ship rather than try to make sense of VPNs, private networks, and some other setups that you may have to tunnel this traffic.
So that's what we have.
And as a preview of how this can potentially look like, this is our shiny new UI.
This is the empty state that you are going to see in Cloudflare dashboard under networking mesh.
And the welcome screen pretty much is self-explanatory.
You will have a web server here, and I can zoom in a little bit. You can have a DB replica here.
For example, these are two VMs that can now talk to each other over this private IP that is shown here.
And this is your MacBook, and it can also access both the web server and DB replica.
So if you are running a cloud code or something in your MacBook, it will also be able to access the web server and DB replica and do some operations with them without you having to really configure anything other than install Cloudflare One client and log in.
So let's try this thing.
We will add a new node, and we'll call it Cloudflare TV. If you have never had a Cloudflare One account before, you will also be prompted for team name.
It's just so that you have a URL to log in. Then you decide who can connect to your mesh.
You can decide between it's just you, if you're a single developer, or my team, and we will detect your email domain and we'll populate it here.
So really, you can do this in five seconds.
Then we will configure a lot of things under the hood in your Cloudflare One account.
You will have a gateway enabled for traffic filtering, device profiles, all of the things that you really shouldn't concern yourself with.
You will see some warnings here if you do have existing Cloudflare One configuration.
That's the case in my account, so this won't happen on your account if it's a new account.
Then essentially what you're going to do to make this node available for your private networking is you will download Cloudflare WARP package, which is our Cloudflare One client.
Nodes are for Linux-based VMs, so this is more like service traffic.
Once you do this command, then you can register this as a node in your environment, and I'm just gonna do this right now.
Let's move on to the other screen, which is here, and I'm just gonna execute this command, and we have connected.
So now that we have connected, we can move back here, and voila!
This node is online, and you have this private IP address that can only be accessed from within your Cloudflare account, and now other things in your account can talk to this VM using this IP, and all of this is over a private, fully encrypted, post-quantum secure MASQUE tunnel.
So you essentially get an enterprise-grade security and Zero Trust without doing anything, just by going through this flow.
And then you can use these commands to essentially test the connectivity and reach these services from your laptop or from another device.
So the next step is you either add a second node, so another VM, so that it could talk to this VM, or you install Cloudflare One agent on your laptop, and then you will be able to use this private IP address to talk to this node.
So once you've... I have a quick question. So what you just did now, you were SSHed into a virtual machine, and then you ran the warp-cli command in order to add that machine to your mesh network.
Exactly, that is correct. And so this is my laptop, this is my VM.
Yes, yes. So I'm going to my main account also to show you how an advanced setup of this looks like, where you have dozens of devices.
So by default, we have 50 users for free in Cloudflare One, and we give 50 nodes for free in Cloudflare Mesh, so you can have a very advanced setup where you have multiple things talking to each other.
So what I'm gonna do is I will use the CGNAT IP from one of those things to show you the connectivity.
So let me go here, the same steps in my advanced account, and then we will register the same node here.
So Nikita, I just want to make sure that I'm following because I can no longer see your screen.
You showed us a very quick, simple account, and you switched us over to your more advanced account.
To advanced account that I'm logged in now. So I've just executed the command that you execute when you register a new node.
So this is the token that is associated with your mesh node, and this is how you essentially enable the tunnel in your VM.
So I've just moved essentially this VM from one account into another simply by deregistering it and registering it again with a different token.
So now I can, and I will again do the shuffle of the screens. Now it's registered in my other account, and it's available over this CGNAT IP.
And now what we are going to do is we are going to test connectivity.
So I'm going to go back to the terminal window, and this is my MacBook, right?
So this is not a VM or anything like this.
And what I'm going to do is I will ping this node first over the CGNAT IP, and I get the response.
So this is the private IP. You cannot reach it or ping it from the outside.
It only makes sense inside your Cloudflare account. And I have a little service in my VM that is just returning like PHP info style information about this VM.
It's essentially looking like this. This is the response.
So what I'm going to do is I'm going to use this private IP to query this service from my MacBook, and I get it using curl.
And I will also, because we are all visual people and we like browsers, I will also open this IP using my Chrome, and it will render this page that is again only available privately inside my Cloudflare account.
And that means that essentially these things that exist in my account, this thing, this thing, this thing, this thing, can talk to each other without me configuring anything other than just installing Cloudflare One client or WARP CLI.
It's the same thing on these devices. And all of my devices that also exist in my account can also access these things using these private IPs.
So this essentially removes all hard work from configuring and using private networking.
Like it's as easy as that, and it only takes a few minutes to configure this.
That's awesome. And the reason why your laptop was able to hit the virtual machine on which you had that was connected to the mesh network is because your laptop too was connected to the mesh network, right?
That is a very important point.
Yes, so let's show this flow then end-to-end so that we understand how this actually works.
So I will share my entire screen, and essentially we have a WARP client, right?
This is how it looks. It's already connected. It's connected to my account.
The way I know it's connected to my account is because there is this team name that is associated with it, and that's how you're going to authenticate.
So I'm logging out.
This is what you will see the first time you launch Cloudflare One Client.
Private browsing is for people that just need private browsing without Cloudflare account.
You don't want that. You want Zero Trust security. So we will click continue here, and I'm like, okay, what is my team name?
So if you don't remember your team name and you've set it up a million years ago, what you are going to do is you are going to go to common use cases here, connect your mesh, and it will give you the link for Cloudflare One Client here, and it will also in step two give you the team name.
So you can just copy paste it, put it in here, and then there is a device enrollment policy in there.
So if you are already authenticated using Google account or email one pass token, then Cloudflare One Client will just let you in.
Otherwise, you will need to authenticate yourself with a password or something.
And now you just click connect, and all of a sudden you can ping this node.
And I will click disconnect right now, and you will see that all of a sudden this IP is not reachable because I'm on the public Internet.
As easy as that.
That's awesome. That's awesome. Nikita, I love this demo because I'm a developer.
I'm not a networking engineer. I'm not an expert at any of this. And so some of these words that you've been saying, gateway device policies, doesn't mean much to me.
But what I like about the mesh experience is I've had the chance to try it out myself.
And it's really simple to get started. I don't know anything about Warp CLI or any of these, but I can go and set this up myself.
So as a developer, I've been making sure like I've been trying out OpenClaw locally, trying to get OpenClaw to connect securely to some of the other resources, but also trying to connect from agents that I build on the developer platform to some of my private resources.
And I want to share some of the work that we've done to make that possible.
So let me go ahead and go for it. This is super exciting. Yeah, I'll just share my whole screen.
So I went through your flow, I went through your flow, I added a node, I had a virtual machine running.
And on this machine, I have a very simple Hello World server.
This could be like an MCP server, I could make it an API, I could make it more interesting.
But right now I kept it for Hello World just to keep things simple.
I also have my laptop, my personal laptop connected to this mesh network.
So I can ping and I can curl that server just like you showed us.
But I want to show something that's very interesting because we made it possible for your Workers, your Durable Objects, all of the developer platform to connect to any resource within the mesh network.
And so you can imagine if you're building agents on top of Workers with the Agents SDK, you might want to access either a private database, securely, or a private MCP server or private LLM.
And so you can do that now with Workers VPC. I want to share with you.
So I have my virtual machine running. And let me show you. So you are showing your SSH.
I'm showing you here, these are my SSH logs. I have the server running on port 3000.
And what I can do here is with Workers VPC, we have a new Workers VPC networks binding.
And I can say, hey, this is my binding. Let's call it mesh. And what network is it going to connect to?
It's going to connect to the mesh network, the CF1 network, right?
And so once that's done, when this worker is deployed into my account, we now have access to this binding.
We can put in any HTTP requests through there to whatever device we want.
And so if I take you back to my mesh network here, we know that this is the mesh IP for my Linux virtual machine running that simple server, right?
And so what I can do is in my worker code, it's obviously extremely simple.
And I've done it just for this. But when we'll go to the path slash hello, we're going to go to that mesh IP to port 3000, on which I have the server running.
And then we'll show you the result. And so what we've done is let me just go ahead and run npm run dev.
So this is actually going to run the worker locally, but connect to the VPC binding remotely.
And if I open this link, this was the helper page.
And so now if I go to my slash hello route, you'll see that this is the hello world response that I'm providing in my server on my virtual machine.
Yeah, this is awesome. So now that means that anything in your mesh network, hypothetically, you could connect to it from your workers.
And then I went ahead and deployed it as well.
And now if you go to VPC network test slash hello, you'll see the actual result from the server.
And so in production, you could have an agent running, it's calling back end MCP, or you could just have it for this for your applications, right, you could have a private database, a private API that you're calling from your workers.
And now everything works with mesh, you could connect from either a local device to ping remote database or remote staging database.
Or you could get that production traffic going through your workers and your agents SDK.
So this is so cool. Yeah, yeah, it's, it's, it's, I feel like light bulbs, I feel like a lot of people are gonna have light bulb moments, because right now, mesh means that you can connect every single device in your network, whether it's your production traffic coming from workers and the agents SDK, or remote virtual machines that you have in external clouds, or your local device, right?
Or heck, you told me that you can even do this from your mobile apps, right? Yes, you can, you can.
Yeah. So I think that's, that's, that's really awesome. You can do this for either your application traffic with the with Agents SDK, you could even do this with with an OpenClaw, where you're securely accessing your OpenClaw deployments from your app, let's say, from from your mobile device.
So I've been loving this mesh.
And it's been great to work on it with with you, Nikita, and your team.
It's amazing. The pleasure is mine. Like, I'm so excited, like about all the opportunities that this unlocks for everyone, developers, hobbyists, and enterprises are all alike.
The beauty of the Cloudflare One client that you don't need to configure anything on device itself, right, you just log in, and that's it.
And you get all of the configuration that's already required to proxy this private traffic correctly, straight away, zero config.
One thing to confirm here, so you mentioned you can send an HTTP request from a worker into your mesh network, any other protocols that we can expect?
Will this work with something else? Yeah, so we are working to have TCP.
And we're starting with TCP to be accessible from Hyperdrive.
So we are working to make sure that your databases are accessible in a fast manner.
And we are working with the workers team in order to make sure that you can access raw TCP, right, so that you can open and send TCP packets directly from a worker.
So we have a lot of stuff that are coming as a result of this. And some of these are going to apply not only for private networks, but also for public networking.
Yeah, it's really exciting. And the other thing that I wanted to touch on is, I know that you also mentioned gateway and policies and device management.
I think like mesh, you can start really simple. But I think the beauty is that as your requirements evolve, maybe your team grows, maybe you start with a 10 person team, and then you become 100 person team, you can go and extend as much as you want into CF1, right?
And you don't need to migrate or do anything.
So essentially, gateway, whatever you know what it is or not, you are already using it under the hood to proxy this private traffic.
Gateway is a super powerful thing that allows you to configure traffic policies that go beyond normal firewalls, right?
You can say that this user can access this environment, but not that environment.
This user can use SSH, but cannot use FTP or things like this, right?
So and there are dozens of enterprise grade, super useful features there from data loss prevention to CASB that scans your cloud environment, like all of this is already there for you whenever you are ready to explore this.
But we don't want to impose all of these features on you when you just want to connect three devices together.
So this is like an easy, simple front door into the beautiful world of Cloudflare One.
And the moment you are ready to explore more, you can just enable other things in your Cloudflare One account, and everything plays well together with it.
In the same way, whatever you enable in your Cloudflare One account, your VPC binding will be able to access this as well, because it's not just for Cloudflare One client, it's anything that exists on your Cloudflare One network, even your IPsec, GRE, CNI, even if that exists in your account, this will be able to work with your VPC in the future.
So it can extend to whatever you need it to do. And we are so happy that this is like a very powerful technology that we are providing to everyone, essentially for free, and we are so excited to see what users are going to build with this.
Likewise, I'm also very excited to see what folks are going to build with DevPlat connectivity to Mesh.
I think this is just the start of a really interesting path along private networking and the integration with the developer platform, continuation of what we've done with Workers VPC.
So yeah, very exciting announcement today. And make sure to check out everything that we are launching during Agents Week this week.
We have dozens and dozens of amazing announcements, so if Mesh got you excited, definitely check blog.cloudflare.com, because you are going to find a lot of awesome stuff there, so you don't miss out on it.
Cool. Thanks, everyone. See ya.