redpanda-data · micheleRP · May 30, 2024 · May 23, 2024 · May 23, 2024 · May 23, 2024
@@ -88,8 +88,10 @@
 **** xref:deploy:deployment-option/cloud/vpc-peering-aws.adoc[]
 **** xref:deploy:deployment-option/cloud/vpc-peering-gcp.adoc[]
 **** xref:deploy:deployment-option/cloud/vpc-peering.adoc[]
-**** xref:deploy:deployment-option/cloud/aws-privatelink.adoc[AWS PrivateLink]
-**** xref:deploy:deployment-option/cloud/gcp-private-service-connect.adoc[GCP Private Service Connect]
+**** xref:deploy:deployment-option/cloud/configure-privatelink-in-cloud-ui.adoc[Configure AWS PrivateLink in the UI]
+**** xref:deploy:deployment-option/cloud/aws-privatelink.adoc[Configure AWS PrivateLink with the Cloud API]
+**** xref:deploy:deployment-option/cloud/configure-private-service-connect-in-cloud-ui.adoc[Configure GCP Private Service Connect in the UI]
+**** xref:deploy:deployment-option/cloud/gcp-private-service-connect.adoc[Configure GCP Private Service Connect with the Cloud API]
 *** xref:deploy:deployment-option/cloud/monitor-cloud.adoc[]
 *** xref:deploy:deployment-option/cloud/managed-connectors/index.adoc[Managed Connectors]
 **** xref:deploy:deployment-option/cloud/managed-connectors/converters-and-serialization.adoc[Converters and serialization]

@@ -4,6 +4,8 @@
 
 include::shared:partial$feature-flag.adoc[]
 
+NOTE: This guide is for configuring AWS PrivateLink using the Redpanda Cloud API. See xref:deploy:deployment-option/cloud/configure-privatelink-in-cloud-ui.adoc[Configure PrivateLink in the Cloud UI] if you want to set up the endpoint service using the UI.
+
 The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because a PrivateLink connection is treated as its own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC.
 
 Consider using the PrivateLink endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management:
@@ -19,7 +21,7 @@ TIP: Make sure to replace the variable values in the code examples on this page
 
 * Install `rpk`.
 * Your Redpanda cluster and <<create-client-vpc,VPC>> must be in the same region.
-* You must use the Redpanda Cloud API to enable the Redpanda endpoint service for your clusters. Follow the steps below to <<get-an-access-token,get an access token>>.
+* In this guide, you use the xref:deploy:deployment-option/cloud/api/cloud-api-overview.adoc[Redpanda Cloud API] to enable the Redpanda endpoint service for your clusters. Follow the steps below to <<get-an-access-token,get an access token>>.
 * Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI] to create a new client VPC or modify an existing one to use the PrivateLink endpoint.
 
 == Get a Cloud API access token
@@ -46,7 +48,7 @@ Copy and store the client ID and secret.
 +
 [,bash]
 ----
-CLOUD_CLIENT_ID=<client-ID>
+CLOUD_CLIENT_ID=<client-id>
 CLOUD_CLIENT_SECRET=<client-secret>
 ----
 
@@ -67,7 +69,7 @@ You must send the API token in the `Authorization` header when making requests t
 
 == Create new cluster with PrivateLink endpoint service enabled
 
-. Call https://docs.api.redpanda.com/#post-/v1beta2/networks[`POST /v1beta2/networks`] to create a network.
+. Call xref:api:ROOT:cloud-api.adoc#post-/v1beta2/networks[`POST /v1beta2/networks`] to create a network.
 +
 Make sure to supply your own values in the example request below. Store the network ID (`network_id`) after the network is created in order to check whether you can proceed to cluster creation.
 +
@@ -100,9 +102,9 @@ NETWORK_ID=`curl -vv -X POST \
 echo $NETWORK_ID
 ----
 +
-Wait for the network to be ready before creating the cluster in the next step. You can check the state of the network creation by calling https://docs.api.redpanda.com/#get-/v1beta2/networks/-id-[`GET /v1beta2/networks/\{id}`]. You can create the cluster when the state is `STATE_READY`.
+Wait for the network to be ready before creating the cluster in the next step. You can check the state of the network creation by calling xref:api:ROOT:cloud-api.adoc#get-/v1beta2/networks/-id-[`GET /v1beta2/networks/\{id}`]. You can create the cluster when the state is `STATE_READY`.
 
-. Create a new cluster with the endpoint service enabled by calling https://docs.api.redpanda.com/#post-/v1beta2/clusters[`POST /v1beta2/clusters`].
+. Create a new cluster with the endpoint service enabled by calling xref:api:ROOT:cloud-api.adoc##post-/v1beta2/clusters[`POST /v1beta2/clusters`].
 +
 In the example below, make sure to set your own values for the following fields:
 +
@@ -142,7 +144,7 @@ CLUSTER_ID=`curl -vv -X POST \
 echo $CLUSTER_ID
 ----
 +
-**BYOC clusters:** Check that the cluster operation is completed by calling https://docs.api.redpanda.com/#get-/v1beta2/operations/-id-[`GET /v1beta2/operations/\{id}`], and passing the operation ID returned from the Create Cluster call.
+**BYOC clusters:** Check that the cluster operation is completed by calling xref:api:ROOT:cloud-api.adoc#get-/v1beta2/operations/-id-[`GET /v1beta2/operations/\{id}`], and passing the operation ID returned from the Create Cluster call.
 +
 When the Create Cluster operation is completed (`STATE_COMPLETED`), run the following `rpk cloud` command to finish setting up your BYOC cluster:
 +
@@ -160,7 +162,7 @@ rpk cloud byoc aws apply --redpanda-id=$CLUSTER_ID
 CLUSTER_ID=<cluster_id>
 ----
 
-. Make a https://docs.api.redpanda.com/#patch-/v1beta2/clusters/-cluster.id-[`PATCH /v1beta2/clusters/{cluster.id}`] request to update the cluster with the Redpanda Private Link Endpoint Service enabled.
+. Make a xref:api:ROOT:cloud-api.adoc#patch-/v1beta2/clusters/-cluster.id-[`PATCH /v1beta2/clusters/{cluster.id}`] request to update the cluster with the Redpanda Private Link Endpoint Service enabled.
 +
 In the example below, make sure to set your own value for the following field:
 +
@@ -185,9 +187,9 @@ curl -vv -X PATCH \
   -d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1beta2/clusters/$CLUSTER_ID
 ----
 
-. Before proceeding, check the state of the Update Cluster operation by calling https://docs.api.redpanda.com/#get-/v1beta2/operations/-id-[`GET /v1beta2/operations/\{id}`], and passing the operation ID returned from Update Cluster call. When the state is `STATE_READY`, proceed to the next step.
+. Before proceeding, check the state of the Update Cluster operation by calling xref:api:ROOT:cloud-api.adoc#get-/v1beta2/operations/-id-[`GET /v1beta2/operations/\{id}`], and passing the operation ID returned from Update Cluster call. When the state is `STATE_READY`, proceed to the next step.
 
-. Check the service state by calling https://docs.api.redpanda.com/#get-/v1beta2/clusters/-id-[`GET /v1beta2/clusters/\{id}`]. The `service_state` in the `aws_private_link.status` response object must be `Available` for you to <<connect-to-privatelink-endpoint-service,connect to the service>>.
+. Check the service state by calling xref:api:ROOT:cloud-api.adoc#get-/v1beta2/clusters/-id-[`GET /v1beta2/clusters/\{id}`]. The `service_state` in the `aws_private_link.status` response object must be `Available` for you to <<connect-to-privatelink-endpoint-service,connect to the service>>.
 +
 [,bash]
 ----
@@ -355,5 +357,6 @@ include::deploy:partial$cloud/private-links-test-connection.adoc[]
 
 include::shared:partial$suggested-reading.adoc[]
 
+* xref:deploy:deployment-option/cloud/api/cloud-api-overview.adoc[]
 * xref:./vpc-peering.adoc[]
 * xref:./vpc-peering-aws.adoc[]
@@ -0,0 +1,97 @@
+= Configure GCP Private Service Connect in the Cloud UI
+:description: Set up GCP Private Service Connect in the Redpanda Cloud UI.
+:page-cloud: true
+
+include::shared:partial$feature-flag.adoc[]
+
+NOTE: This guide is for configuring GCP Private Service Connect using the Redpanda Cloud UI. See xref:deploy:deployment-option/cloud/gcp-private-service-connect.adoc[] if you want to set up this service using the API.
+
+The Redpanda GCP Private Service Connect service provides secure access to Redpanda Cloud from your own VPC. Traffic over Private Service Connect does not go through the public internet because these connections are treated as their own private GCP service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC.
+
+Consider using the endpoint services if you have multiple VPCs and could benefit from a more simplified approach to network management:
+
+* Private Service Connect allows overlapping xref:./cidr-ranges.adoc[CIDR ranges] in VPC networks.
+* Private Service Connect does not limit the number of connections using the service.
+* You control which GCP projects are allowed to connect to the service.
+
+== Requirements
+
+* Use https://cloud.google.com/sdk/docs/install[gcloud^] to create the consumer-side resources, such as a client VPC and forwarding rule, or modify existing resources to use the Private Service Connect service attachment created for your cluster.
+* The client VPC must be in the same region as your Redpanda cluster.
+
+== Enable endpoint service for existing clusters
+
+. In the Redpanda Cloud UI, open your https://cloud.redpanda.com/clusters[cluster^], and click **Cluster settings**.
+. Under Private Service Connect, click **Enable**. 
+. For xref:deploy:deployment-option/cloud/vpc-byo-gcp.adoc[BYOC clusters with customer-managed VPC], you need a NAT subnet with the *Purpose* set to `PRIVATE_SERVICE_CONNECT`. You can create the subnet using the `gcloud` command-line interface (CLI):
++
+[,bash]
+----
+gcloud compute networks subnets create <subnet-name> \
+    --project=<project> \
+    --network=<network-name> \
+    --region=<region> \
+    --range=<subnet-range> \
+    --purpose=PRIVATE_SERVICE_CONNECT
+----
++
+Provide your values for the following placeholders:
++
+- `<subnet-name>`: The name of the NAT subnet.
+- `<project>`: The **host** GCP project ID.
+- `<network-name>`: The name of the VPC being used for your Redpanda Cloud cluster.
+- `<region>`: The region of the Redpanda Cloud cluster.
+- `<subnet-range>`: The CIDR range of the subnet. The mask should be at least `/29`. Each Private Service Connect connection takes up one IP address from the NAT subnet, so the CIDR must be able to accommodate all projects from which connections to the service attachment will be issued.
++
+See the official GCP documentation for https://cloud.google.com/vpc/docs/configure-private-service-connect-producer#add-subnet-psc[creating a subnet for Private Service Connect^].
+. For the accepted consumers list, you need the GCP project IDs from which incoming connections will be accepted.
+. It may take several minutes for your cluster to update. When the update is complete, the Private Service Connect status in **Cluster settings** changes from **In progress** to **Enabled**.
+
+NOTE: For help with issues with enabling Private Service Connect, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^].
+
+=== Deploy consumer-side resources
+
+For each VPC network, make sure you also complete the following steps to successfully connect to the service and use Kafka API and other Redpanda services such as HTTP Proxy.
+
+. In **Cluster settings**, copy the **Service attachment URL** under **Private Service Connect**. Use this URL to create the Private Service Connect endpoint in GCP. 
++
+[,bash]
+----
+gcloud 
+----
+
+. Create a private DNS zone. Use the cluster **DNS zone** value as the DNS name. 
++
+[,bash]
+----
+gcloud
+----
+
+. In the newly-created DNS zone, create a wildcard DNS record using the cluster **DNS record** value. 
++
+[,bash]
+----
+gcloud
+----
+
+. Make sure your GCP VPC firewall allows traffic to and from the Private Service Connect forwarding rule IP address, on the expected ports.
+
+== Access Redpanda services through VPC endpoint
+
+After you have enabled Private Service Connect for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud UI.
+
+include::deploy:partial$cloud/private-links-access-rp-services-through-vpc.adoc[]
+
+== Test the connection
+
+You can test the connection to the endpoint service from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL:
+
+include::deploy:partial$cloud/private-links-test-connection.adoc[]
+
+== Disable endpoint service
+
+In **Cluster settings**, click **Disable**. Existing connections are closed immediately. To connect via Private Service Connect again, you'll have to re-enable the service.
+
+include::shared:partial$suggested-reading.adoc[]
+
+* xref:deploy:deployment-option/cloud/gcp-private-service-connect.adoc[]
@@ -0,0 +1,49 @@
+= Configure AWS PrivateLink in the Cloud UI
+:description: Set up AWS PrivateLink in the Redpanda Cloud UI.
+:page-cloud: true
+
+include::shared:partial$feature-flag.adoc[]
+
+NOTE: This guide is for configuring AWS PrivateLink using the Redpanda Cloud UI. See xref:deploy:deployment-option/cloud/aws-privatelink.adoc[Configure AWS PrivateLink for Redpanda Cloud] if you want to set up the endpoint service using the API.
+
+The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because these connections are treated as their own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC.
+
+Consider using the endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management:
+
+* PrivateLink allows overlapping xref:./cidr-ranges.adoc[CIDR ranges] in VPC networks.
+* PrivateLink does not limit the number of connections that use the endpoint service.
+* You control which AWS principals are allowed to connect to the endpoint service.
+
+== Requirements
+
+* Your Redpanda cluster and VPC must be in the same region.
+* Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI] to create a new client VPC or modify an existing one to use the PrivateLink endpoint.
+
+== Enable endpoint service for existing clusters
+
+. In the Redpanda Cloud UI, open your https://cloud.redpanda.com/clusters[cluster^], and click **Cluster settings**.
+. Under AWS PrivateLink, click **Enable**. 
+. You need the Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam::<account-id>:root`. See the official AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details.
+. It may take several minutes for your cluster to update. When the update is complete, the AWS PrivateLink status in **Cluster settings** changes from **In progress** to **Enabled**.
+
+NOTE: For help with issues with enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^].
+
+== Access Redpanda services through VPC endpoint
+
+After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud UI.
+
+include::deploy:partial$cloud/private-links-access-rp-services-through-vpc.adoc[]
+
+== Test the connection
+
+You can test the connection to the endpoint service from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL:
+
+include::deploy:partial$cloud/private-links-test-connection.adoc[]
+
+== Disable endpoint service
+
+In **Cluster settings**, click **Disable**. Existing connections are closed immediately. To connect via PrivateLink again, you'll have to re-enable the service.
+
+include::shared:partial$suggested-reading.adoc[]
+
+* xref:deploy:deployment-option/cloud/aws-privatelink.adoc[]