The way teams think about private network access has quietly changed. A year ago, the things knocking on your internal APIs were your developers and your services. Today, there's a growing third category: AI agents — running autonomously, without interactive logins, against infrastructure that was never designed to let them in.
Cloudflare wants to solve that. Today, the company launched Cloudflare Mesh, a private networking product built on post-quantum encryption that connects servers, laptops, phones, and AI agents into a single unified network — without VPNs, bastion hosts, or the usual headaches of exposing services to the public internet.
What is Cloudflare Mesh
Cloudflare Mesh is a rebrand and significant expansion of what was previously known as WARP Connector. Every enrolled device or server receives a private IP address from the 100.96.0.0/12 range — what Cloudflare calls a Mesh IP — and can reach any other participant on that network bidirectionally over TCP, UDP, or ICMP. All traffic routes through Cloudflare's global edge, which spans 330+ cities.
The distinction from Cloudflare Tunnel is deliberate: Tunnel is unidirectional and designed for publishing specific services by hostname. Mesh is a full many-to-many network, meaning any node can reach any other node by private IP without each resource needing its own tunnel configuration.
Why Agents Change Everything
Three real-world workflows pushed the need for this: a developer's local coding agent (Claude Code, Cursor, Codex) trying to query a private staging database; a personal AI assistant like OpenClaw running on a home Mac mini that needs to be reached securely from a phone; and production agents built on Cloudflare Workers that need to call internal APIs without credentials leaking into the open internet.
Traditional tools fail here. VPNs require interactive login. SSH tunnels need manual setup. And publicly exposing these services, even behind a password, leaves the door open for misconfiguration.
The Technical Setup
Getting a node online requires two commands on a supported Linux server (Ubuntu 22.04/24.04, Debian 12/13, RHEL/CentOS 8, Fedora 34/35).
The client runs warp-cli in headless mode, advertises its routes, and joins the mesh. Client devices — laptops and phones — install the Cloudflare One Client with a UI. The dashboard setup wizard walks you through the entire process in minutes.
For developers building on Cloudflare Workers, Mesh now integrates directly with Workers VPC Network bindings. A single wrangler.jsonc entry using the cf1:network keyword gives Workers, Durable Objects, and agents built on the Agents SDK access to every resource on the mesh via a simple fetch() call — no pre-registration of individual hosts required.
Security controls aren't an add-on. Because Mesh runs on Cloudflare One, Gateway network policies, DNS filtering, DLP (data loss prevention), device posture checks, and access rules apply to every Mesh connection automatically.
What's Free and What's Coming
The free tier covers 50 nodes and 50 users per account — enough for a full team and a staging environment. High availability is supported through active-passive replica nodes that advertise the same IP routes and automatically fail over.
On the roadmap for later this year: Mesh DNS (automatic internal hostnames like postgres-staging.mesh), hostname-based routing so you stop managing IP lists, identity-aware routing for agents that carry their own principal/scope identities through the network, and a Docker image for sidecar deployments in containerized and CI/CD environments.
Getting Started
Existing Cloudflare One customers don't need to migrate anything — former WARP Connectors are now Mesh nodes, and all existing deployments continue working. New users can find Cloudflare Mesh under Networking > Mesh in the Cloudflare dashboard.