Cloudflare Mesh vs. Tunnel
Cloudflare has two distinct products for connecting private infrastructure to its network. One is a Tailscale competitor. The other is the official on-ramp for serverless-to-private-database. Do not confuse them.
Cloudflare Mesh — The Tailscale Competitor
Mesh is peer-to-peer private networking over Cloudflare’s edge. Every enrolled device or server gets a private Mesh IP in the 100.96.0.0/12 CGNAT range. Laptops, phones, and Linux servers can reach each other by IP over TCP, UDP, or ICMP — no bastion hosts, no VPN concentrators.
- Connector: warp-cli running in headless mode on Linux nodes; GUI client on Mac/Windows/iOS/Android.
- Encryption: Post-quantum. All traffic passes through Cloudflare’s network, so Gateway policies and device posture checks apply.
- Traffic direction: Bidirectional — any participant can initiate a connection.
- Addressing: Mesh IPs assigned on enrollment. Nodes can advertise CIDR routes to subnets.
- Best for: Developer laptop → private EC2; CI runner → internal API; database replication between regions; SAP/ERP sessions that need stable long-lived TCP.
Cloudflare Tunnel — The Serverless On-Ramp
Tunnel is inbound service publishing from your private network to Cloudflare. You run cloudflared inside your VPC; it creates an outbound WebSocket to Cloudflare. Cloudflare can then route public or internal traffic back through that tunnel to specific hostnames, IPs, or ports.
- Connector: cloudflared running as a daemon in your VPC.
- Traffic direction: Inbound to origin — clients connect to published services; the origin does not initiate outward.
- Addressing: No Mesh IPs. Routes by public hostname, IP, or Workers VPC Service ID.
- Best for: Exposing internal APIs to Workers; connecting Hyperdrive to private RDS; routing Zero Trust Access policies to private apps.
Head-to-Head
| Dimension | Cloudflare Mesh | Cloudflare Tunnel |
|---|---|---|
| What it is | Mesh VPN (Tailscale alternative) | Outbound tunnel for service publishing |
| Connector | warp-cli | cloudflared |
| Traffic direction | Bidirectional | Inbound to origin |
| Addressing | Mesh IPs (100.96.0.0/12) | Hostname / IP / Service ID |
| Protocol layer | L3/L4 (raw TCP/UDP/ICMP) | Proxied over WebSocket (HTTP/S, TCP, SSH, RDP) |
| Hyperdrive support | Not documented / not supported | Officially supported |
| Best use case | Dev tools, replication, SSH, RDP | Serverless → private database / API |
So Which One for Hyperdrive → AWS RDS?
Use Tunnel (cloudflared), not Mesh.
Hyperdrive is a managed service running on Cloudflare’s edge. It does not enroll as a Mesh participant and it does not receive a private Mesh IP. The only documented, supported path from Hyperdrive to a private database is through Workers VPC → Cloudflare Tunnel.
Run a cloudflared daemon (small EC2, ECS Fargate task, or EKS pod) in a subnet that can reach your RDS security group. It needs outbound HTTPS to Cloudflare and inbound access to the DB port (5432 / 3306). No public IP is required on either the tunnel host or the database.
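A preflight script for that tunnel host, added here as an example (it is not Cloudflare's code or the page's): it checks the conditions just listed, that the RDS target is a private address, that the port is a DB port, and that the host can open a TCP connection to both. The variable names RDS_PRIVATE_IP / DB_PORT and the use of api.cloudflare.com as an egress probe are assumptions.

```sh
#!/usr/bin/env sh
# Preflight for the host that will run cloudflared in front of a private RDS
# instance. Added example, not Cloudflare's code. It checks what the design
# relies on: a private DB address, an expected DB port, and that this host
# reaches the database plus Cloudflare on 443 (no public IP needed).
# Assumes POSIX sh and either `nc` or bash + coreutils `timeout` for probes.
# Return 0 if $1 is a well-formed RFC 1918 IPv4 address, 1 otherwise.
# A public address here means the database is exposed more widely than needed.
is_private_ipv4() {
  case $1 in
    *[!0-9.]* | .* | *. | *..* ) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# Return 0 if $1 is a DB port this design expects (Postgres 5432, MySQL 3306).
is_db_port() { [ "$1" = 5432 ] || [ "$1" = 3306 ]; }

# Return 0 if a TCP connection to $1:$2 opens within $3 seconds (default 3).
tcp_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "${3:-3}" "$1" "$2" >/dev/null 2>&1
  else
    timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# Run every check for one RDS target; print findings, return 0 only if all pass.
preflight() {
  rc=0
  is_private_ipv4 "$1" && echo "ok: $1 is an RFC 1918 address" \
    || { echo "FAIL: $1 is not a private IPv4 address"; rc=1; }
  is_db_port "$2" && echo "ok: $2 is an expected DB port" \
    || { echo "FAIL: $2 is not 5432 or 3306"; rc=1; }
  tcp_reachable "$1" "$2" && echo "ok: $1:$2 reachable from this host" \
    || { echo "FAIL: $1:$2 unreachable; check the RDS security group and routing"; rc=1; }
  # cloudflared needs outbound 443 only; api.cloudflare.com is a stand-in egress probe.
  tcp_reachable api.cloudflare.com 443 && echo "ok: outbound 443 to Cloudflare" \
    || { echo "FAIL: no outbound HTTPS to Cloudflare"; rc=1; }
  return $rc
}
# Usage: RDS_PRIVATE_IP=10.0.2.15 DB_PORT=5432 sh preflight.sh
if [ -n "${RDS_PRIVATE_IP:-}" ]; then preflight "$RDS_PRIVATE_IP" "${DB_PORT:-5432}"; fi
```

Run it on the tunnel host before creating the Workers VPC service; a FAIL on the DB port check usually points at the RDS security group rather than at Cloudflare.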
When Mesh is useful in the same architecture
Mesh does not replace Tunnel for Hyperdrive, but it complements it for human or non-serverless access:
- Developer laptop: Use Mesh to connect directly to the private RDS instance for ad-hoc queries, schema migrations, or debugging — without opening the database to the public internet or managing SSH bastions.
- CI/CD runners: A GitHub Actions self-hosted runner or Buildkite agent enrolled in Mesh can reach internal APIs and databases securely.
- Cross-region replication: If you run a read replica in a second AWS region, Mesh nodes in both VPCs can maintain stable, encrypted L4 replication traffic.
The Practical Setup
For Hyperdrive (required)
```bash
npx wrangler vpc service create my-rds \
  --type tcp --tcp-port 5432 \
  --app-protocol postgresql \
  --tunnel-id <TUNNEL_ID> \
  --ipv4 <RDS_PRIVATE_IP>

npx wrangler hyperdrive create my-hd-config \
  --service-id <VPC_SERVICE_ID> \
  --database <DB_NAME> --user <USER> --password <PASS> \
  --scheme postgresql
```
For developer access (optional — Mesh)
```bash
# On your laptop
brew install --cask cloudflare-warp   # Or download Cloudflare One Client
# Enroll with your team’s Cloudflare Zero Trust org
# Your laptop receives a Mesh IP and can reach the RDS node directly
```
Running warp-cli in your VPC will not create a path that Hyperdrive can use. Workers VPC requires a cloudflared tunnel; Mesh is a separate control plane.
Sources: Cloudflare Mesh docs · Workers VPC docs · Hyperdrive private DB guide