PrivateLink and Private Service Connect in Cloud UI #516
Conversation
✅ Deploy Preview for redpanda-docs-preview ready!
* Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI] to create a new client VPC or modify an existing one to use the PrivateLink endpoint.
GCP::
+
* Use https://cloud.google.com/sdk/docs/install[gcloud^] to create the consumer-side resources, such as a VPC and forwarding rule, or modify an existing one to use the Private Service Connect service attachment created for your cluster.
"VPC" is kind of ambiguous here. If it refers to the Redpanda VPC, then yes, it must be in the same region. If it refers to a VPC where consumer resources will be deployed (i.e. Redpanda clients), then it must be in the same region unless Global Access is enabled for PSC (this knob is only available through the API right now)
@0x5d I'll add the same region requirement to this doc for now, and specify that it's the client VPC.
+
See the official GCP documentation for https://cloud.google.com/vpc/docs/configure-private-service-connect-producer#add-subnet-psc[creating a subnet for Private Service Connect^].
. For the accepted consumers list, you need the GCP project IDs from which incoming connections will be accepted.
. It may take several minutes for your cluster to update. When the update is complete, the Private Service Connect status in **Cluster settings** changes from **In progress** to **Enabled**.
@0x5d In the Figma design for GCP, there is a sidebar that opens up to instructions to create the PSC endpoint, DNS zone, and DNS record. Could you confirm that these are supposed to be carried by the customer in their own GCP VPC console, and should we still document those steps on this page? Also, I couldn't figure out if these steps were included in the existing PSC doc. There isn't any mention of the attachment URL or DNS resources in that doc. Does that mean that these steps don't apply to users who are using the API to set this up?
Hm. You're right, I missed this on the other docs. For both the UI and API workflows, the user needs to perform the same steps after they've enabled PSC in their Redpanda cloud cluster.
* Use https://cloud.google.com/sdk/docs/install[gcloud^] to create the consumer-side resources, such as a VPC and forwarding rule, or modify an existing one to use the Private Service Connect service attachment created for your cluster.
====

== Enable endpoint service for existing clusters
@0x5d @paulzhang97 The Figma designs include a screen for errors in the cluster update to enable the service. Is there anything there we need to document? e.g. any specific errors to expect, how to troubleshoot/fix?
Oof. A handful, at least for PSC haha. I need to think about this. For the moment, let's have them contact support.
Agree with contact support.
The Redpanda AWS PrivateLink and GCP Private Service Connect services provide secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink and Private Service Connect do not go through the public internet because these connections are treated as their own private AWS and GCP services. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC.

Consider using the endpoint services if you have multiple VPCs and could benefit from a more simplified approach to network management:
@0x5d @paulzhang97 Terminology question: AWS uses "endpoint services" whereas GCP seems to just use "service". I'll run this by the docs team as well, but do you have any thoughts on whether it's ok to refer to both collectively as "services" or "endpoint services"? I think I lean towards "endpoint service" since that more easily distinguishes it from a "Redpanda service" (such as HTTP Proxy).
We should probably run this by GCP customers. If "endpoint services" is the term in AWS, I don't see anyone being confused over it if they're on AWS. However, I don't remember seeing this in GCP docs, which is my frame of reference (and likely other customers', like DnB or Moov).
For example, I'm having a hard time inferring what "endpoint services" would translate to here on the GCP side. Is it the service attachment? Is it the PSC endpoint?
"Endpoint Service" is an AWS term. How about "Consider using AWS PrivateLink or GCP Private Service Connect service"?
@0x5d @paulzhang97 I've separated these out into two different docs. I think that makes the terminology a bit less confusing as I was trying to use one term/phrase to describe both PL and PSC.

include::shared:partial$feature-flag.adoc[]

NOTE: This guide is for configuring AWS PrivateLink and GCP Private Service Connect using the Redpanda Cloud UI. See xref:deploy:deployment-option/cloud/aws-privatelink.adoc[Configure AWS PrivateLink for Redpanda Cloud] or xref:deploy:deployment-option/cloud/gcp-private-service-connect.adoc[Configure GCP Private Service Connect for BYOC] if you want to set up these services using the API.
I think it would be better to keep them separate. The overlap in process, requirements & terminology is almost none between GCP & AWS, and Azure Private Link (notice the space, differing from AWS's PrivateLink) is underway.
Having 3 guides combined into one seems like a lot.
@0x5d separated into two docs, thank you!

NOTE: For help with issues with enabling Private Service Connect, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^].

=== Deploy consumer-side resources
@0x5d I put together this section based on the Figma design as well as these original set of docs: https://github.com/redpanda-data/cloudv2/pull/12933/files#diff-b4884caa55c76586fff9375cb88a5e644b0f73f15bf9aa9b5f5d84b4e0fc1292R337 could you confirm if these steps are correct, and if they should also be added to the API guide? In that case, we should probably single source this section to share it across both guides.
+
[,bash]
----
gcloud
@0x5d Are we able to provide the required gcloud commands? Or perhaps at least links to the official GCP docs for more guidance? I'm not sure if these are the correct links, or if we need to point readers to specific subsections:
https://cloud.google.com/dns/docs/zones
https://cloud.google.com/dns/docs/records
Also, I couldn't easily find the relevant doc for the service attachment URL step.
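The consumer-side steps this thread is asking about (reserve an endpoint IP, create the Private Service Connect endpoint that targets the service attachment, then a private DNS zone and record so the cluster hostname resolves to that endpoint) written out as an added example; this is not code from the PR, from the Redpanda docs, or from Google. It assumes gcloud is installed and authenticated, and every value in the defaults (project, region, client VPC, subnet, endpoint IP, service attachment URI, DNS name) is a placeholder to be replaced with the values shown in the cluster settings. By default it only prints the plan (DRY_RUN=1) so the commands can be reviewed before they run; GLOBAL_ACCESS=1 adds --allow-psc-global-access for the cross-region case mentioned earlier in the thread, and the plan is rejected if the service attachment is not a full URI or the DNS name lacks its trailing dot.

```shell
#!/usr/bin/env sh
# Added example, not from the Redpanda docs PR: consumer-side GCP resources for a
# Private Service Connect endpoint, expressed as reviewable gcloud commands.
set -eu

# Assumed inputs (placeholders); override via the environment. In a real deployment the
# service attachment URI and the DNS name come from the Redpanda cluster settings.
PROJECT="${PROJECT:-my-consumer-project}"
REGION="${REGION:-us-east1}"                # must match the cluster region unless Global Access is on
NETWORK="${NETWORK:-consumer-vpc}"          # the client VPC
SUBNET="${SUBNET:-consumer-subnet}"         # a subnet of NETWORK in REGION
ENDPOINT_IP="${ENDPOINT_IP:-10.10.0.5}"     # constructed RFC 1918 address inside SUBNET
SERVICE_ATTACHMENT="${SERVICE_ATTACHMENT:-projects/REDPANDA_PROJECT_ID/regions/us-east1/serviceAttachments/SERVICE_ATTACHMENT_NAME}"
DNS_NAME="${DNS_NAME:-cluster.example.redpanda.invalid.}"   # zone apex, trailing dot required
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the plan only; 0 = execute it

# Each plan_* function prints exactly one gcloud command line.
plan_address() {
  printf 'gcloud compute addresses create psc-endpoint-ip --project=%s --region=%s --subnet=%s --addresses=%s\n' \
    "$PROJECT" "$REGION" "$SUBNET" "$ENDPOINT_IP"
}

plan_forwarding_rule() {
  # The forwarding rule is the PSC endpoint; it targets the producer's service attachment.
  local global=""
  [ "${GLOBAL_ACCESS:-0}" = "1" ] && global=" --allow-psc-global-access"
  printf 'gcloud compute forwarding-rules create psc-endpoint --project=%s --region=%s --network=%s --address=psc-endpoint-ip --target-service-attachment=%s%s\n' \
    "$PROJECT" "$REGION" "$NETWORK" "$SERVICE_ATTACHMENT" "$global"
}

plan_dns_zone() {
  # Private zone attached only to the client VPC, so resolution of the cluster name
  # never leaves the VPC and cannot be answered by a public zone.
  printf 'gcloud dns managed-zones create psc-zone --project=%s --dns-name=%s --visibility=private --networks=%s --description="Private zone for PSC endpoint"\n' \
    "$PROJECT" "$DNS_NAME" "$NETWORK"
}

plan_dns_record() {
  # Wildcard A record: every broker hostname under the zone resolves to the endpoint IP.
  printf 'gcloud dns record-sets create "*.%s" --project=%s --zone=psc-zone --type=A --ttl=300 --rrdatas=%s\n' \
    "$DNS_NAME" "$PROJECT" "$ENDPOINT_IP"
}

plan_all() {
  plan_address
  plan_forwarding_rule
  plan_dns_zone
  plan_dns_record
}

# Validate inputs before anything is executed, then emit the plan.
check_plan() {
  local plan
  plan="$(plan_all)"
  case "$SERVICE_ATTACHMENT" in
    projects/*/regions/*/serviceAttachments/*) ;;
    *) echo "SERVICE_ATTACHMENT is not a service attachment URI" >&2; return 1 ;;
  esac
  case "$DNS_NAME" in
    *.) ;;
    *) echo "DNS_NAME must end with a trailing dot" >&2; return 1 ;;
  esac
  printf '%s\n' "$plan"
}

apply_plan() {
  if [ "$DRY_RUN" = "1" ]; then
    check_plan
  else
    check_plan | while IFS= read -r cmd; do eval "$cmd"; done
  fi
}

apply_plan
```

Run it once with the defaults to read the plan, then export the real values and run with DRY_RUN=0. The private zone plus the wildcard record is what keeps client traffic on the endpoint: a client that still resolves the cluster name publicly would bypass the private path entirely, so checking resolution from inside the VPC after the record is created is a worthwhile final step.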
…-service-connect-in-cloud-ui.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
…-service-connect-in-cloud-ui.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
…-service-connect-in-cloud-ui.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
…-service-connect-in-cloud-ui.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
…link-in-cloud-ui.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
See suggestions in comments
@paulzhang97, @0x5d, @bpraseed: This is ready for your final review!
PL changes: LGTM
Merging with Juan's approval in slack!
Co-authored-by: Michele Cyran <michele@redpanda.com> Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Description
Resolves https://github.com/redpanda-data/documentation-private/issues/2239
This PR also updates some links in the existing PrivateLink and Private Service Connect docs as we recently published official cloud API docs for beta.
Review deadline: 24 May 2024
Page previews
Deploy preview: PrivateLink
Deploy preview: Private Service Connect