Cloudflare Mesh: Secure private networking

My name is Nikita. I am product manager for Cloudflare Tunnel and Cloudflare Mesh. I have Thomas with me. Yes. Hi everyone. My name is Thomas. I'm here with Nikita. I'm a product manager on the developer platform and we've cooked up something very interesting. We're really excited to share it with you. Nikita, I know you want to introduce us to a very interesting announcement. Go for it. Yeah, let's let's do this. So we know that private networking right tends to get slightly complicated especially if you really don't have experience with this and if you are just a developer and you want to just connect this thing to that thing securely and you don't really want to concern yourself with sassy zero trust uh private connectivity what are senat IPs and all of these things you just want it to work and it's already a challenge now we live in the blissful new area where we also have AI agents, right? And sometimes you need to connect these AI agents to the same environments that you have in a way that won't expose the agent and also will not allow the agent to do things that the agent is not supposed to do. Right? So there is this added complexity in this agentic world that we are entering at full speed these days. So imagine you have your laptop or your iPhone and you want to SSH into your VM in staging or you have an agent and you are cooking up something cool like we are here and you want to test against this dev environment from your laptop and you want your agent to fix things in your dev environment in real time. So you need some kind of secure connectivity in between those things. Cloudflare one as a thing may be slightly intimidating for developers especially if they are not used to the zero trust concepts. So today we are making all of the functionality that is required for you to have a secure private networking for everyone and everything users nodes agents and even workers accessible userfriendly into an all-in-one place so that you could set this up in under five minutes without zero previous experience and just unblock yourself and ship the stuff that you want to ship rather then try to make sense of uh VPN's private networks and some other setups that you may have to tunnel this traffic. So that's what we have and as a preview of how this can potentially look like. This is our um shiny new UI. This is the empty state that you're going to see in uh Cloudflare dashboard under networking mash. And uh the welcome screen pretty much is self-explanatory. You will have a web server here and I can zoom in a little bit. You can have a DB replica here for example. These are two VMs that can now talk to each other over this private IP that is shown here. And this is your MacBook. And it can also access both the web server and DB replica. So if you are running a cloud code or something um in your uh MacBook, it will also be able to access the web server and DB replicate and do some operations with them without you having to really configure uh anything other than install Cloudflare one client and logging in. Um so let's try this thing. We will add a new node uh and we will call it Cloudflare TV. If you have never had a Cloudflare one um account before, you will also be prompted for team name. It's just so that you have a URL to login. Then you decide who can connect to your mesh. Um you can decide between it's just you if you are a single developer or my team um and we will uh detect your um email domain and we'll prepopulate it here. So really um you can do this in 5 seconds. Then we will configure a lot of things under the hood in your Cloudflare 1 account. You will have uh gateway enabled for traffic filtering, device profiles, all of the things that you really shouldn't um concern yourself with. Uh you will see uh some warnings here if you do have some existing Cloudflare 1 configuration. Uh that's the case in my account. So this won't happen on your account uh if it's a new account. And then essentially what you are going to do to make this node available for your private networking um is you will uh download um Cloudflare warp package which is our Cloudflare one client. Um nodes are for uh Linux- based VMs. So this is more like service traffic. Um once you uh do this command then you can register this as uh a note in your environment. And I'm just gonna do this right now. Let's move on to the other screen which is here. And I'm just going to execute this command. And we have connected. So now that we have connected, we can move back here. And voila, this node is online and you have this private IP address that can only be accessed from within your Cloudflare account. And now other things in your account can talk to this VM using this IP and all of this is over uh a private fully encrypted postquantum secure mask tunnel. Um so you essentially get an enterprisegrade security and zero trust without doing anything just by going through this flow. uh and then you can use these commands to essentially um test the connectivity and reach these services from your laptop or from another device. So the next step is you either add a second node so another VM so that it could talk to this VM or you install Cloudflare 1 agent on your laptop and then you will be able to use this private IP address uh to talk to this node. So once you I have a quick question. So what you just did now, you were sshed into a virtual machine and then you ran the warp CLI command in order to add that machine to your mesh network. Exactly. That is correct. And uh so this is my uh laptop. This is my uh VM. Yes. Yes. So, um I'm uh going to uh go to my main account also to show you how an advanced setup of this looks like where you have dozens of devices. So, by default we um have uh 50 users for free in Cloudflare 1 and we give 50 nodes for free in Cloudflare Mash. So, you can have a very adv advanced setup where you have multiple things talking to each other. So what I'm going to do is I will um use the siget IP from one of those things uh to show you the connectivity. So let me go here the same steps in my advanced account and then we will register the same node here. So Nikita I just want to make sure that I'm following because I can no longer see your screen. You showed us a very quick simple account and you switched us over to your more advanced account to advanced account that I'm logged in now. So I've just executed the command that you execute when you register a new node. So this is the token that is associated with your mash node and this is how you essentially enable uh the tunnel in your VM. So I've just moved essentially this VM from one account into another simply by dregistering it and registering it again with a different token. Um so now I can uh and I will again do the shuffle of the screens. Now it's registered in my other account and it's available over this IP. And now what we are going to do is we are going to test connectivity. So I'm going to go back to the terminal window and this is my uh MacBook right so this is not a VM or anything like this and what I'm going to do is I will ping this note first over the sigenet IP and I get the response so this is the private IP you cannot reach it or ping it from the outside it only makes sense inside your Cloudflare account and I have a little service uh in my uh VM that is just returning uh like PHP info style information about this VM. It's essentially looking like this. This is the response. So what I'm going to do is I'm going to use this private IP to curate this service from my MacBook and I uh get it using uh curl and I will also because we are all visual people and we like browsers. I will also open this IP uh using my Chrome and it will render this page that is again only available privately um inside my Cloudflare um account. And that means that essentially these things that exist in my account, this thing, this thing, this thing, this thing can talk to each other without me configuring anything other than just installing Cloudflare one client or Forb CLI. It's the same thing on these devices. And all of my uh devices that also exist in my account can also access these things using this private IPs. So this essentially removes all uh hard work from uh configuring and using private networking. Like it's as easy as that and it only takes a few minutes to configure this. That's awesome. And the reason why your laptop was able to hit the virtual machine on which you had that was connected to the mesh network is because your laptop too was connected to the mesh network. Right. That is a very important point. Yes. So let's show this flow then end to end so that we understand how this actually works. So I will share my entire screen. Uh and essentially we have a warp client right this is how it looks. It's already connected. It's connected to my account. The way I know it's connected to my account is because there is this team name that is associated with it. And that's how you're going to authenticate. So I'm logging out. Um this is what you will see the first time you launch Cloudflare one client. Private browsing is for people that just need private browsing without Cloudflare account. You don't want that. You want zero trust security. So we will click continue here. And I'm like okay what is my team name? So if you don't remember your team name and you've set it up million years ago, what you are going to do is you are going to go to common use cases here. connect your mesh and it will give you the link for Cloudflare ROM client here and it will also in step two give you the team name so you can just copy paste it put it in here and then there is a device enrollment policy in there so if you already authenticated using Google account or email on one pass token then Cloudflare one client will just let you in otherwise you will need to authenticate yourself with a passport or something with a password um and now you just click connect and all of a sudden you can ping this note and I will click disconnect right now and you will see that all of a sudden this IP is not reachable because I'm on the public internet as easy as that. That's awesome. That's awesome. Nikita, I love this demo because I'm a developer. I'm not a networking engineer. I'm not an expert at any of this. And so some of these some of these words that you've been saying gateway device policies doesn't mean much to me. But what I like about the mesh experience is I've had the chance to try it out myself and it's really simple to get started. Uh I don't know anything about Warp CLI or any of these, but I can go and set this up myself. So as a developer, I've been making sure like I've been trying out OpenClaw locally, trying to get OpenCloud to connect securely to some of the other resources, but also trying to connect from agents that I build on the developer platform to some of my private resources. and I want to share some of the work that we've done to make that possible. So, let me go ahead and and go for it. This is super exciting. Yeah, I'll just share my whole screen. So, I went through your flow. I went through your flow. I added a node. I had a virtual machine running. Um, and on this machine I have a very simple hello world server. This could be like a MCP server. I could make it an API. I could make it more interesting, but right now I kept it for Hello World just to keep things simple. Um, I also have my laptop, my personal laptop connected to this mesh network. So, I can I can ping and I can curl that network uh that server just like you showed us. But I want to show something that's very interesting because we made it possible for your workers, your durable objects, all of the developer platform to connect to any resource within the mesh network, right? Right. And so you can imagine if you're building agents on top of workers with the agents SDK, you might want to access either a private database securely or a private MCP server or private LLM. And so you can do that now with workers VPC. I want to share with you. So I have my virtual machine running. Uh and let me let me show you. So you were showing your SSH uh I'm showing you here. These are my SSH logs. I have the server running on port 3000. And what I can do here is uh with workers VPC, we have a new workers VPC networks binding. And I can say, hey, this is my binding. Let's call it mesh. And what network is it going to connect to? It's going to connect to the mesh network, the CF1 network, right? And so once that's done, when this worker is deployed into my account, we now have access to this binding. we can put in any HTTP request through there to uh whatever uh device we want. And so if I take you back to um my mesh mesh uh network here, we know that this is the mesh IP for my Linux virtual machine running that simple server, right? And so what I can do is in my worker code, it's it's obviously extremely simple and I've done it just for this. But when we'll go to the path /hello, we're going to go to that mesh IP to port 3000 on which I have uh uh the the server running and then we'll we'll show you the result. And so what we've done is let me just go ahead and run npm rundev. So this is actually going to run the worker locally but connect to the VPC binding remotely. And if I open this link, this was the helper page. And so now if I go to my /hello route, you'll see that this is the the hello world response that I'm that I'm providing in in my my server on my virtual machine. Yeah, this is awesome. So now that means that any anything in your mesh network hypothetically you could connect to it from your workers. And then I went ahead and deployed it as well. And now if you go to VBC network test um uh hello um you'll see the actual result from from the server. And so in production you could have an agent running. It's calling a backend MCP or you could just have it for this for your applications right you could have a private database a private API that you're calling from your workers and now everything works with mesh. you could connect uh from either a local device to ping a remote database or remote staging database or you could get that uh production traffic going through your workers and your agents SDK. So this was this is so cool. Yeah. Yeah. It's it's it's I feel like light bulbs I I feel like a lot of people are going to have light bulb moments because right now mesh means that you can connect every single device in your network whether it's your production traffic coming from workers and the agents SDK or remote virtual machines that you have in external clouds or your local device right or heck you told me that you can even do this from uh your mobile apps right yes you can you M yeah. So I think that that's that's that's really awesome. Uh you could do this for either your application traffic with the with agents SDK. Uh you could even do this with with an open claw where you're securely accessing your open claw deployments from your app. Let's say from from uh your mobile device. So I've been loving this mesh uh and it's been great to work uh on it with with you Nikita and you and team. It's amazing. The pleasure is mine. Like I'm so excited like about all the opportunities that this unlocks for everyone, developers, hop be and enterprises all alike. The beauty of the Cloudflare one client that you don't need to configure anything on device itself, right? You just log in and that's it. And you get all of the configuration that's already required to proxy this private traffic correctly straight away. Zero config. One thing to confirm here. So you mentioned you can send an HTTP request from a worker into your mesh network. Any other protocols that we can expect? Will this work with something else? Yeah, so we are working to have TCP and we're starting with TCP to be accessible from hyperdrive. So we are working to to make sure that your databases are are accessible in a fast manner and we are working with the workers team in order to make sure that you can access raw TCP right so so that you can open and send TCP packets directly from a worker. So we have a lot of stuff that are coming as a result of this and some of these are are are going to apply not only for private networks but also for for public networking. Yeah, it's it's uh it's really exciting. And the other thing that I wanted to to touch on is I know that you were were you also mentioned gateway and policies and device management. But I think like mesh you can start really simple but I think the beauty is that as your requirements evolve maybe your team grows maybe you start with a 10 person team and then you become a 100 person team you can go and extend as much as you want into CF1 right and you don't need to uh migrate or do anything so essentially um gateway whatever you know what it is or not you are already using it under the hood to proxy this private traffic gateway is a super powerful thing that allows ows you to configure traffic policies that go beyond normal firewalls, right? You can say that this user can access this environment but not that environment. This user can use SSH but cannot use FTP or things like this, right? So, and there are dozens of enterprisegrade super useful features there from data loss prevention to CASBY that scans your cloud environment. Like all of this is already there for you whenever you are ready to explore this. But we don't want to impose all of these features on you when you just want to connect three devices together. So this is like an easy simple front door into the beautiful world of Cloudflare 1. And the moment you are ready to explore more, you can just enable other things in your Cloudflare 1 account and everything plays well together with it. Um, in the same way, whatever you enable in your Cloudflare 1 account, your VPC binding will be able to access this as well because it's not just for Cloudflare 1 client. It's anything that exists on your Cloudflare one network. even your IPAC JRE CNI even if that exists in your account this will be able to work with your VPC in the future. So you can it can it can extend to whatever you need it to do and we are so happy that this is like a very powerful technology that we are providing to everyone essentially for free and we are so excited to see what users are going to build with this. Likewise, I'm also very excited to see what folks are going to build with with dev plat connectivity to mesh. I think this is just the start of a a really interesting path along private networking and the integration with the developer platform continuation of what we've done with workers VPC. So yeah, very exciting announcement today and make sure to check out everything that we are launching during agents week this week. We have dozens and dozens of amazing announcements. So, if Mash got you excited, definitely check blog.cloudflare.com because you're going to find a lot of awesome stuff there, too. Don't miss out on it. Cool. Thanks everyone. See you.