PATTERN Cited by 1 source
Outbound Worker proxy for agent egress
Pattern
Place a Cloudflare Worker in the outbound network path of every agent sandbox, so that every HTTP request the agent makes is intercepted, policied, and optionally rewritten before leaving the operator's perimeter.
The Worker:
- Inspects the outbound request (URL, headers, body).
- Decides under operator-defined policy whether to allow, deny, modify, or audit it.
- Injects credentials server-side (e.g. an Authorization header sourced from a Cloudflare-side secrets store) so the agent never sees the credential.
- Routes allowed requests — either to the public Internet, or via Cloudflare Mesh / Workers VPC to a private internal service, or back to the agent with a synthesised response.
- Audits the request (logs / SIEM / dashboards) for compliance.
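The five responsibilities above, written out as a minimal outbound Worker. This is an added example, not code from the launch post or from Cloudflare's starter template: the per-tenant policy table, the secret names, the X-Tenant header and the audit-record shape are all constructed for illustration, and the sandbox is assumed to reach this Worker as its only outbound path.

```javascript
// Added example (not Cloudflare's or the launch post's code): an outbound Worker
// that allowlists egress per tenant, injects a credential the sandbox never
// holds, and emits an audit record. Policy table, tenant header and secret
// names are constructed assumptions for illustration.

// Operator-defined egress policy, keyed by tenant. Each rule names an allowed
// origin, the path prefix it may reach, and which Worker secret to inject
// (null = the endpoint is reachable but unauthenticated, reads only).
const POLICY = {
  "tenant-a": [
    { origin: "https://api.example.com", pathPrefix: "/v1/", secret: "EXAMPLE_API_TOKEN" },
  ],
  "tenant-b": [
    { origin: "https://api.example.com", pathPrefix: "/v1/public/", secret: null },
  ],
};

// Headers the agent may never supply itself: the proxy owns authentication,
// so anything the sandbox forges here is dropped before the upstream call.
const STRIPPED_REQUEST_HEADERS = ["authorization", "cookie", "proxy-authorization"];

// Pure policy decision, free of the Workers runtime so it can be unit-tested
// anywhere. Returns { action, reason, rule }.
function decide(tenant, method, urlString) {
  let url;
  try { url = new URL(urlString); } catch { return { action: "deny", reason: "unparseable-url" }; }
  if (url.protocol !== "https:") return { action: "deny", reason: "non-https" };
  const rules = POLICY[tenant] || [];
  const rule = rules.find(r => r.origin === url.origin && url.pathname.startsWith(r.pathPrefix));
  if (!rule) return { action: "deny", reason: "no-matching-rule" };
  if (rule.secret === null && method !== "GET") return { action: "deny", reason: "unauthenticated-write" };
  return { action: "allow", reason: "rule-matched", rule };
}

// Build the upstream header set: strip agent-supplied auth, then inject the
// credential from the Worker's secret bindings (env) for the matched rule.
function buildUpstreamHeaders(agentHeaders, rule, secrets) {
  const out = {};
  for (const [name, value] of Object.entries(agentHeaders)) {
    if (!STRIPPED_REQUEST_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  if (rule.secret) {
    const token = secrets[rule.secret];
    if (!token) throw new Error(`secret ${rule.secret} is not bound to this Worker`);
    out["Authorization"] = `Bearer ${token}`;
  }
  return out;
}

// Audit record shipped to logs / SIEM. It records that a credential was used,
// never the credential itself.
function auditRecord(tenant, method, urlString, decision) {
  return {
    ts: new Date().toISOString(),
    tenant, method, url: urlString,
    action: decision.action, reason: decision.reason,
    credentialInjected: Boolean(decision.rule && decision.rule.secret),
  };
}

// Worker entry point. The tenant is read from an X-Tenant header here only to
// keep the example short; in a real deployment derive it from the per-tenant
// binding that routes to this Worker, never from a header the agent can set.
const outboundProxy = {
  async fetch(request, env) {
    const tenant = request.headers.get("X-Tenant") || "unknown";
    const decision = decide(tenant, request.method, request.url);
    console.log(JSON.stringify(auditRecord(tenant, request.method, request.url, decision)));
    if (decision.action !== "allow") {
      return new Response("egress denied: " + decision.reason, { status: 403 });
    }
    const headers = buildUpstreamHeaders(Object.fromEntries(request.headers), decision.rule, env);
    return fetch(new Request(request.url, { method: request.method, headers, body: request.body }));
  },
};
```

The decision function is deliberately separated from the runtime handler so the allow/deny table can be tested offline; the deny reasons double as the audit field a SIEM rule would key on (for example, a spike in no-matching-rule from one tenant is a useful prompt-injection signal).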
Canonical disclosure
The pattern was named in Cloudflare's Claude Managed Agents launch post (2026-05-19), quoted directly:
"sandboxed workloads on Cloudflare can use an outbound proxy for fully dynamic, customizable, and zero-trust authentication between sandboxes and external services. This lets you inject secrets into requests outside the sandbox, so the agent never has access to them. This protects against exfiltration attacks."
"You can define egress policies that expose only the services you choose to the agent sandboxes that you choose. You can allowlist specific endpoints, perform zero-trust injection of encrypted credentials, access private services via Cloudflare Mesh, and even write custom proxy middleware."
"You're able to apply policies per tenant, per agent, or based on whatever metadata is useful. This gives you full control over how your agents connect to external services."
(Source: sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare.)
Architecture (textual)
┌──────────────────────────┐                ┌───────────────────────────────┐
│ Agent sandbox            │                │ Outbound Worker (the proxy)   │
│ (Container / Dyn Worker) │ ──fetch───────▶│ • policy: per-tenant / agent  │
│                          │                │ • auth: inject credential     │
│ [no credentials,         │                │ • route: Internet / Mesh /    │
│  no ambient outbound]    │ ◀──response─── │   Workers VPC                 │
└──────────────────────────┘                │ • audit: ship to SIEM         │
                                            │ • middleware: custom hooks    │
                                            └───────────┬───────────────────┘
                                                        │
                                  ┌─────────────────────┼─────────────────────┐
                                  ▼                     ▼                     ▼
                     Public Internet (allowlist) Cloudflare Mesh       Private VPC via
                                                     tunnel               Workers VPC
Implementation surface
The pattern leverages what Cloudflare Workers already provides:
- Per-Worker secret bindings — the credential lives in the Worker's encrypted secrets, not in the sandbox.
- Custom routing — the Worker chooses outbound destination per request (Mesh, VPC, public Internet).
- First-class observability — Workers logs / Logpush ship outbound calls to Datadog / Splunk / SIEM tools.
- Middleware composition — the Worker is JS / TS / Rust code, so policy can be arbitrary (rate limiting, prompt-injection content scans, header rewrites, body redaction).
Composition
- With concepts/outbound-proxy-credential-injection — the proxy is the deployment shape; the credential-injection property is what the proxy implements.
- With concepts/agent-brain-hands-decoupling — only works because the agent's hands run on operator-controlled compute; Anthropic's brain side never sees the proxy or the credentials.
- With concepts/capability-based-sandbox — the Dynamic-Workers-tier sandbox starts with no ambient authority (globalOutbound: null), so the only outbound capability the agent can possibly use is the proxy. The capability model is what makes the proxy the only path.
- With Mesh / Workers VPC — the proxy is the trust boundary the operator extends into private networks; the agent never gets a connection to a private service.
- Generalises patterns/credentialed-proxy-sandbox — Agent Lee (2026-04-15) canonicalised credentialed proxy at the read-vs-write user-permission altitude (writes require elicitation; reads pass through). This pattern extends the same shape to every outbound request, not just user-account writes.
- Generalises patterns/agent-sandbox-with-gateway-only-egress — Redpanda ADP (2026-04-14) canonicalised gateway-only egress at the data-plane altitude (the only egress is the ADP gateway). This pattern is the cross-vendor-Cloudflare instantiation: the only egress is the operator's outbound Worker.
- Sibling of patterns/central-proxy-choke-point — same central-chokepoint discipline, applied specifically to the Cloudflare-Workers substrate as the proxy implementation.
Trade-offs
- + Single chokepoint for all agent egress — one place to audit, throttle, allowlist, redact.
- + Secret never enters the sandbox — exfiltration of long-lived credentials is structurally impossible from the agent.
- + Per-tenant / per-agent / per-metadata policy — programmatic policy, not static allowlists; supports multi-tenant deployments without per-tenant infrastructure duplication.
- + Composes with private-service connectivity — adding private-VPC reach is just adding a binding in the proxy.
- − Latency tax on every outbound call — every request pays the Worker's processing time. For most agent workloads this is comfortably absorbed, but pathological tool-call fan-outs may notice.
- − Operator must run the proxy — an additional Cloudflare Worker to deploy and version; the Cloudflare default deployment template bundles a working starter.
Seen in
- sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare — canonical wiki entry. The launch post for Claude Managed Agents on Cloudflare. The outbound-Worker shape is the load-bearing security primitive of the integration; it composes with private-VPC connectivity (Mesh / Workers VPC), per-tenant policy, custom middleware, and zero-trust credential injection.
Related
- Concept: concepts/outbound-proxy-credential-injection
- Sibling patterns: patterns/credentialed-proxy-sandbox / patterns/agent-sandbox-with-gateway-only-egress / patterns/central-proxy-choke-point
- Substrate: systems/cloudflare-workers / systems/claude-managed-agents / systems/cloudflare-containers / systems/dynamic-workers / systems/cloudflare-mesh / systems/cloudflare-workers-vpc
- Adjacent concepts: concepts/agent-brain-hands-decoupling / concepts/capability-based-sandbox
- Companies: companies/cloudflare