From bd729d76771687df9ceae9c63eaae04e7d82d698 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 11 Nov 2025 16:04:06 -0700 Subject: [PATCH 01/46] DOC-1743 Document feature Private Networking Phase 1 # Conflicts: # modules/get-started/pages/cluster-types/serverless.adoc --- modules/get-started/pages/cloud-overview.adoc | 3 +-- .../get-started/pages/cluster-types/serverless.adoc | 10 +++++++--- .../networking/pages/dedicated/aws/vpc-peering.adoc | 2 +- .../pages/dedicated/gcp/vpc-peering-gcp.adoc | 2 +- modules/networking/partials/vnet-peering.adoc | 2 +- 5 files changed, 11 insertions(+), 8 deletions(-) diff --git a/modules/get-started/pages/cloud-overview.adoc b/modules/get-started/pages/cloud-overview.adoc index 9e03a35b8..c9e964637 100644 --- a/modules/get-started/pages/cloud-overview.adoc +++ b/modules/get-started/pages/cloud-overview.adoc @@ -59,7 +59,7 @@ Redpanda Cloud offers three fully-managed cloud deployment options, each designe | 20 (default), 32 (max) | *Private networking* -| ✗ +| ✓ | ✓ | ✓ @@ -177,7 +177,6 @@ Serverless clusters are a good fit for the following use cases: Consider BYOC or Dedicated if you need more control over the deployment or if you have workloads with consistently-high throughput. BYOC and Dedicated clusters offer the following features: -* Private networking * Multiple availability zones (AZs). A multi-AZ cluster provides higher resiliency in the event of a failure in one of the zones. * Role-based access control (RBAC) in the data plane * Kafka Connect diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index c720133e4..57e5cb093 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc 
@@ -50,9 +50,13 @@ To create a Serverless cluster: . Select a cloud provider and xref:reference:tiers/serverless-regions.adoc[region]. For best performance, select the region closest to your applications. Redpanda expects your applications to be deployed in the same cloud provider and region as your Serverless cluster. + -Serverless clusters are not guaranteed to be pinned to a particular availability zone within the selected region. +Serverless clusters are available in the regions listed in xref:reference:tiers/serverless-regions.adoc[Serverless regions]. Redpanda expects your applications to be deployed in the same region. For best performance, select the region closest to your applications. Serverless is not guaranteed to be pinned to a particular availability zone within that region. ++ +Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled, although there is an additional charge for private networking. You can later enable or disable access on the cluster's *Settings* page. + +. Click **Create cluster**. -. Add team members and grant them access with glossterm:ACL[,access control lists (ACLs)] on the *Security* page. +. To start working with your cluster, go to the *Topics* page to create a topic. Under the *Actions* dropdown, you can produce messages to it. Add team members and grant them access with ACLs on the *Security* page. == Interact with your cluster 
@@ -89,7 +93,7 @@ Explore the rest of the UI: Not all features included in BYOC clusters are available in Serverless. For example, the following features are not supported: * HTTP Proxy API -* Private networking (VPC peering or AWS PrivateLink) +* Ability to export metrics to a third-party monitoring system * Multiple availability zones (AZs) * RBAC in the data plane and mTLS authentication for Kafka API clients * Kafka Connect diff --git a/modules/networking/pages/dedicated/aws/vpc-peering.adoc b/modules/networking/pages/dedicated/aws/vpc-peering.adoc index 8882f1d01..aae4eb4e6 100644 --- a/modules/networking/pages/dedicated/aws/vpc-peering.adoc +++ b/modules/networking/pages/dedicated/aws/vpc-peering.adoc @@ -22,7 +22,7 @@ To create a peering connection between your VPC and Redpanda's VPC: . In the Redpanda Cloud UI, go to the *Overview* page for your cluster. . In the Details section, click the name of the Redpanda network. -. On the Networks page, click *VPC peering walkthrough*. +. On the Networking page, click *VPC peering walkthrough*. . For *Connection name*, enter a name. For example, the name might refer to the VPC ID of the VPC you created in AWS. . For *AWS account number*, enter the account number associated with the VPC you want to connect to. . For *AWS VPC ID*, enter the VPC ID by copying it from the AWS VPC Console. diff --git a/modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc b/modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc index cba79c27c..e2365ffe1 100644 --- a/modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc +++ b/modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc 
@@ -21,7 +21,7 @@ A peering becomes active after both Redpanda and GCP create a peering that targe . In the Redpanda Cloud UI, go to the *Overview* page for your cluster. . In the Details section, click the name of the Redpanda network. -. On the Networks page for your cluster, click *VPC peering walkthrough*. +. On the Networking page for your cluster, click *VPC peering walkthrough*. . For *Connection name*, enter a name for the connection. + For example, the name might refer to the VPC ID of the VPC you created in GCP. diff --git a/modules/networking/partials/vnet-peering.adoc b/modules/networking/partials/vnet-peering.adoc index e190edffc..6ffce0fde 100644 --- a/modules/networking/partials/vnet-peering.adoc +++ b/modules/networking/partials/vnet-peering.adoc @@ -27,7 +27,7 @@ To create a peering connection between your Azure VNet and Redpanda VPC: . In the Redpanda Cloud UI, go to the *Overview* page for your cluster. . In the Details section, click the name of the *Redpanda network*. -. On the Networks page for your cluster, click *VPC peering walkthrough*. +. On the Networking page for your cluster, click *VPC peering walkthrough*. . For *Connection name*, enter a name. For example, the name could refer to your Azure VNet ID. . For *Azure account number*, enter the account number associated with the VNet you want to connect to. . For *Azure VNet ID*, enter the VNet ID. From ee7b3063bac98d91dde849ccae10f3b7d22c3e99 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 11 Nov 2025 17:22:56 -0700 Subject: [PATCH 02/46] set up nav --- modules/ROOT/nav.adoc | 4 ++++ modules/get-started/pages/cluster-types/serverless.adoc | 2 +- modules/networking/pages/serverless/AWS/index.adoc | 3 +++ modules/networking/pages/serverless/index.adoc | 3 +++ 4 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 modules/networking/pages/serverless/AWS/index.adoc create mode 100644 modules/networking/pages/serverless/index.adoc 
diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 6d7e7812e..d0b68c638 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -26,6 +26,10 @@ * xref:networking:index.adoc[Networking] ** xref:networking:cloud-security-network.adoc[] ** xref:networking:cidr-ranges.adoc[] +** xref:networking:serverless/index.adoc[Serverless] +*** xref:networking:byoc/aws/index.adoc[AWS] +**** xref:networking:serverless/aws/privatelink.adoc[Configure PrivateLink in the Cloud UI] +**** xref:networking:serverless/aws/privatelink.adoc[Configure PrivateLink with the Cloud API] ** xref:networking:byoc/index.adoc[BYOC] *** xref:networking:byoc/aws/index.adoc[AWS] **** xref:networking:byoc/aws/vpc-peering-aws.adoc[Add a Peering Connection] diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index 57e5cb093..fc8ee00b0 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc 
@@ -52,7 +52,7 @@ To create a Serverless cluster: + Serverless clusters are available in the regions listed in xref:reference:tiers/serverless-regions.adoc[Serverless regions]. Redpanda expects your applications to be deployed in the same region. For best performance, select the region closest to your applications. Serverless is not guaranteed to be pinned to a particular availability zone within that region. + -Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled, although there is an additional charge for private networking. You can later enable or disable access on the cluster's *Settings* page. +Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled, although there is an additional charge for private networking. You can enable or disable private access at any time from the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail, but the PrivateLink endpoint remains available. This approach provides flexibility to use public access when needed and private access when required. . Click **Create cluster**. diff --git a/modules/networking/pages/serverless/AWS/index.adoc b/modules/networking/pages/serverless/AWS/index.adoc new file mode 100644 index 000000000..d6b6210db --- /dev/null +++ b/modules/networking/pages/serverless/AWS/index.adoc @@ -0,0 +1,3 @@ += AWS +:description: Learn how to configure private networking for Serverless clusters on AWS. +:page-layout: index \ No newline at end of file 
diff --git a/modules/networking/pages/serverless/index.adoc b/modules/networking/pages/serverless/index.adoc new file mode 100644 index 000000000..8c63441c2 --- /dev/null +++ b/modules/networking/pages/serverless/index.adoc @@ -0,0 +1,3 @@ += Networking: Serverless +:description: Learn how to configure private networking with AWS PrivateLink. +:page-layout: index \ No newline at end of file From 3b984ebd059ae61c1151885d5f23bc74268c86b9 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 13 Jan 2026 19:52:22 -0700 Subject: [PATCH 03/46] fix nav --- modules/ROOT/nav.adoc | 1 - modules/networking/pages/serverless/AWS/privatelink.adoc | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 modules/networking/pages/serverless/AWS/privatelink.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index d0b68c638..52beb93fc 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -28,7 +28,6 @@ ** xref:networking:cidr-ranges.adoc[] ** xref:networking:serverless/index.adoc[Serverless] *** xref:networking:byoc/aws/index.adoc[AWS] -**** xref:networking:serverless/aws/privatelink.adoc[Configure PrivateLink in the Cloud UI] **** xref:networking:serverless/aws/privatelink.adoc[Configure PrivateLink with the Cloud API] ** xref:networking:byoc/index.adoc[BYOC] *** xref:networking:byoc/aws/index.adoc[AWS] diff --git a/modules/networking/pages/serverless/AWS/privatelink.adoc b/modules/networking/pages/serverless/AWS/privatelink.adoc new file mode 100644 index 000000000..d3a246b70 --- /dev/null +++ b/modules/networking/pages/serverless/AWS/privatelink.adoc @@ -0,0 +1,3 @@ += Configure AWS PrivateLink with the Cloud API +:description: Set up AWS PrivateLink with the Cloud API. + From 84cd51cd5c9af183e6f591e9bba8d8c9a9bf25ca Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Tue, 13 Jan 2026 20:07:06 -0700 Subject: [PATCH 04/46] fix: rename AWS directory to lowercase aws for case-sensitive builds Linux build servers are case-sensitive, so the xref paths in nav.adoc need to match the actual file paths exactly. Co-Authored-By: Claude Opus 4.5 --- modules/networking/pages/serverless/{AWS => aws}/index.adoc | 0 modules/networking/pages/serverless/{AWS => aws}/privatelink.adoc | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename modules/networking/pages/serverless/{AWS => aws}/index.adoc (100%) rename modules/networking/pages/serverless/{AWS => aws}/privatelink.adoc (100%) diff --git a/modules/networking/pages/serverless/AWS/index.adoc b/modules/networking/pages/serverless/aws/index.adoc similarity index 100% rename from modules/networking/pages/serverless/AWS/index.adoc rename to modules/networking/pages/serverless/aws/index.adoc diff --git a/modules/networking/pages/serverless/AWS/privatelink.adoc b/modules/networking/pages/serverless/aws/privatelink.adoc similarity index 100% rename from modules/networking/pages/serverless/AWS/privatelink.adoc rename to modules/networking/pages/serverless/aws/privatelink.adoc From 79cb427f7d7fcb38182e6155cedb8f4847b5641b Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 14 Jan 2026 15:33:17 -0700 Subject: [PATCH 05/46] add GA to what's new # Conflicts: # modules/get-started/pages/whats-new-cloud.adoc --- modules/get-started/pages/whats-new-cloud.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 512f3cf8c..5a1b1f426 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -8,10 +8,15 @@ This page lists new features added to Redpanda Cloud. == January 2026 +=== Serverless on AWS: GA + +xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This GA release includes private networking with AWS PrivateLink and the ability to view and export metrics from Serverless clusters to third-party monitoring systems. + === Redpanda Connect and Roles in Terraform provider The xref:manage:terraform-provider.adoc[Redpanda Terraform provider] now supports managing roles and Redpanda Connect pipelines. Use the provider to create and manage role-based access control and data pipelines in Redpanda Cloud. + == December 2025 === Remote MCP: GA From 74b0ba25b0dd38311b0504fd84fa3027a4cd3f1a Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 14 Jan 2026 16:34:06 -0700 Subject: [PATCH 06/46] fix unsupported feature list --- modules/get-started/pages/cluster-types/serverless.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index fc8ee00b0..4e058c90d 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc @@ -93,7 +93,6 @@ Explore the rest of the UI: Not all features included in BYOC clusters are available in Serverless. For example, the following features are not supported: * HTTP Proxy API -* Ability to export metrics to a third-party monitoring system * Multiple availability zones (AZs) * RBAC in the data plane and mTLS authentication for Kafka API clients * Kafka Connect From 517a049ec6f3bc77201d54cf3c55cc6058b7e228 Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Thu, 15 Jan 2026 16:13:31 -0700 Subject: [PATCH 07/46] add networking in UI/API --- modules/ROOT/nav.adoc | 15 +- modules/get-started/pages/cloud-overview.adoc | 2 - .../pages/cluster-types/serverless.adoc | 5 +- .../pages/azure-private-link-in-ui.adoc | 8 +- .../networking/pages/azure-private-link.adoc | 10 +- .../configure-privatelink-in-cloud-ui.adoc | 10 +- .../dedicated/gcp/configure-psc-in-api.adoc | 4 +- .../dedicated/gcp/configure-psc-in-ui.adoc | 8 +- .../pages/serverless/aws/privatelink-api.adoc | 296 ++++++++++++++++++ .../pages/serverless/aws/privatelink-ui.adoc | 59 ++++ .../pages/serverless/aws/privatelink.adoc | 3 - 11 files changed, 386 insertions(+), 34 deletions(-) create mode 100644 modules/networking/pages/serverless/aws/privatelink-api.adoc create mode 100644 modules/networking/pages/serverless/aws/privatelink-ui.adoc delete mode 100644 modules/networking/pages/serverless/aws/privatelink.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 52beb93fc..397424b00 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc 
@@ -27,12 +27,13 @@ ** xref:networking:cloud-security-network.adoc[] ** xref:networking:cidr-ranges.adoc[] ** xref:networking:serverless/index.adoc[Serverless] -*** xref:networking:byoc/aws/index.adoc[AWS] -**** xref:networking:serverless/aws/privatelink.adoc[Configure PrivateLink with the Cloud API] +*** xref:networking:serverless/aws/index.adoc[AWS] +**** xref:networking:serverless/aws/privatelink-ui.adoc[Configure PrivateLink in the Cloud Console] +**** xref:networking:serverless/aws/privatelink-api.adoc[Configure PrivateLink with the Cloud API] ** xref:networking:byoc/index.adoc[BYOC] *** xref:networking:byoc/aws/index.adoc[AWS] **** xref:networking:byoc/aws/vpc-peering-aws.adoc[Add a Peering Connection] -**** xref:networking:configure-privatelink-in-cloud-ui.adoc[Configure PrivateLink in the Cloud UI] +**** xref:networking:configure-privatelink-in-cloud-ui.adoc[Configure PrivateLink in the Cloud Console] **** xref:networking:aws-privatelink.adoc[Configure PrivateLink with the Cloud API] **** xref:networking:byoc/aws/transit-gateway.adoc[Add a Transit Gateway] *** xref:networking:byoc/azure/index.adoc[Azure] 
@@ -40,20 +41,20 @@ **** xref:networking:azure-private-link.adoc[] *** xref:networking:byoc/gcp/index.adoc[GCP] **** xref:networking:byoc/gcp/vpc-peering-gcp.adoc[Add a Peering Connection] -**** xref:networking:configure-private-service-connect-in-cloud-ui.adoc[Configure Private Service Connect in the Cloud UI] +**** xref:networking:configure-private-service-connect-in-cloud-ui.adoc[Configure Private Service Connect in the Cloud Console] **** xref:networking:gcp-private-service-connect.adoc[Configure Private Service Connect with the Cloud API] **** xref:networking:byoc/gcp/enable-global-access.adoc[Enable Global Access] ** xref:networking:dedicated/index.adoc[Dedicated] *** xref:networking:dedicated/aws/index.adoc[AWS] **** xref:networking:dedicated/aws/vpc-peering.adoc[Add a Peering Connection] -**** xref:networking:configure-privatelink-in-cloud-ui.adoc[Configure PrivateLink in the Cloud UI] +**** xref:networking:configure-privatelink-in-cloud-ui.adoc[Configure PrivateLink in the Cloud Console] **** xref:networking:aws-privatelink.adoc[] *** xref:networking:dedicated/azure/index.adoc[Azure] -**** xref:networking:azure-private-link-in-ui.adoc[] +**** xref:networking:azure-private-link-in-ui.adoc[Configure Private Link in the Cloud Console] **** xref:networking:azure-private-link.adoc[] *** xref:networking:dedicated/gcp/index.adoc[GCP] **** xref:networking:dedicated/gcp/vpc-peering-gcp.adoc[Add a Peering Connection] -**** xref:networking:dedicated/gcp/configure-psc-in-ui.adoc[Configure Private Service Connect in the Cloud UI] +**** xref:networking:dedicated/gcp/configure-psc-in-ui.adoc[Configure Private Service Connect in the Cloud Console] **** xref:networking:dedicated/gcp/configure-psc-in-api.adoc[Configure Private Service Connect with the Cloud API] * xref:security:index.adoc[Security] diff --git a/modules/get-started/pages/cloud-overview.adoc b/modules/get-started/pages/cloud-overview.adoc index c9e964637..57b85e371 100644 
--- a/modules/get-started/pages/cloud-overview.adoc +++ b/modules/get-started/pages/cloud-overview.adoc @@ -118,7 +118,6 @@ Serverless is the fastest and easiest way to start data streaming. With Serverle [NOTE] ==== -* Serverless on AWS is currently in a glossterm:LA[,limited availability (LA)] release. * Serverless on GCP is currently in a glossterm:beta[] release. ==== @@ -381,7 +380,6 @@ Features in limited availability are production-ready and are covered by Redpand The following features are currently in limited availability in Redpanda Cloud: -* Serverless * Dedicated for Azure == Features in beta diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index 4e058c90d..e977cdc40 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc @@ -7,7 +7,6 @@ Serverless is the fastest and easiest way to start data streaming. With Serverle [NOTE] ==== -* Serverless on AWS is currently in a glossterm:LA[,limited availability (LA)] release. * Serverless on GCP is currently in a glossterm:beta[] release. ==== 
@@ -52,7 +51,9 @@ To create a Serverless cluster: + Serverless clusters are available in the regions listed in xref:reference:tiers/serverless-regions.adoc[Serverless regions]. Redpanda expects your applications to be deployed in the same region. For best performance, select the region closest to your applications. Serverless is not guaranteed to be pinned to a particular availability zone within that region. + -Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled, although there is an additional charge for private networking. You can enable or disable private access at any time from the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail, but the PrivateLink endpoint remains available. This approach provides flexibility to use public access when needed and private access when required. +Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled. Enabling private access incurs additional charges. If you select private access, you can either create a new PrivateLink, or, if you have PrivateLinks for other Serverless clusters in this same resource group, you can use an existing PrivateLink. ++ +You can enable or disable private access at any time from the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail. However, the PrivateLink endpoint remains provisioned and continues to incur charges until you explicitly delete it from your AWS account. . Click **Create cluster**. 
diff --git a/modules/networking/pages/azure-private-link-in-ui.adoc b/modules/networking/pages/azure-private-link-in-ui.adoc index 912e075a9..c9fbdfdb2 100644 --- a/modules/networking/pages/azure-private-link-in-ui.adoc +++ b/modules/networking/pages/azure-private-link-in-ui.adoc @@ -1,7 +1,7 @@ -= Configure Azure Private Link in the Cloud UI -:description: Set up Azure Private Link in the Redpanda Cloud UI. += Configure Azure Private Link in the Cloud Console +:description: Set up Azure Private Link in the Redpanda Cloud Console. -NOTE: This guide is for configuring new clusters with Azure Private Link using the Redpanda Cloud UI. To configure and manage Private Link on an existing cluster, you must use the xref:networking:azure-private-link.adoc[Cloud API]. +NOTE: This guide is for configuring new clusters with Azure Private Link using the Redpanda Cloud Console. To configure and manage Private Link on an existing cluster, you must use the xref:networking:azure-private-link.adoc[Cloud API]. The Redpanda Azure Private Link service provides secure access to Redpanda Cloud from your own VNet. Traffic over Private Link does not go through the public internet because these connections are treated as their own private Azure service. While your VNet has access to the Redpanda virtual network, Redpanda cannot access your VNet. @@ -19,7 +19,7 @@ TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 se == Enable endpoint service for new clusters -. In the Redpanda Cloud UI, create a new cluster. +. In the Redpanda Cloud Console, create a new cluster. . On the *Networking* page: .. For *Connection type*, select *Private*. .. For *Azure Private Link*, select *Enabled*. diff --git a/modules/networking/pages/azure-private-link.adoc b/modules/networking/pages/azure-private-link.adoc index 8fc7e6780..d0038c179 100644 --- a/modules/networking/pages/azure-private-link.adoc +++ b/modules/networking/pages/azure-private-link.adoc 
@@ -1,7 +1,7 @@ = Configure Azure Private Link with the Cloud API :description: Set up Azure Private Link with the Cloud API. -NOTE: For UI-based configuration of Azure Private Link on new clusters, see xref:networking:azure-private-link-in-ui.adoc[Configure Azure Private Link in the Cloud UI]. +NOTE: For UI-based configuration of Azure Private Link on new clusters, see xref:networking:azure-private-link-in-ui.adoc[Configure Azure Private Link in the Cloud Console]. The Redpanda Azure Private Link service provides secure access to Redpanda Cloud from your own virtual network. Traffic over Azure Private Link does not go through the public internet, but instead through Microsoft's backbone network. While clients can initiate connections against the Redpanda Cloud cluster endpoints, Redpanda Cloud services cannot access your virtual networks directly. @@ -52,7 +52,7 @@ If you have not yet created a cluster in Redpanda Cloud, <> or <> using `rpk` or cURL. +. In the Redpanda Cloud Console, go to https://cloud.redpanda.com/users?tab=users[**Users**^] and create a new user to authenticate the Private Link endpoint connections with the service. You will need the username and password to <> or <> using `rpk` or cURL. . Call the link:/api/doc/cloud-controlplane/operation/operation-clusterservice_getcluster[`GET /v1/clusters/\{id}`] endpoint to check the service status and retrieve the service ID, DNS name, and Redpanda Console URL to use. + 
@@ -288,7 +288,7 @@ az network private-dns record-set a add-record \ == Connect to Redpanda services through Private Link endpoints -After you enable Private Link for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud UI. +After you enable Private Link for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 88fa75806..873b5fc52 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc @@ -1,8 +1,8 @@ -= Configure AWS PrivateLink in the Cloud UI -:description: Set up AWS PrivateLink in the Redpanda Cloud UI. += Configure AWS PrivateLink in the Cloud Console +:description: Set up AWS PrivateLink in the Redpanda Cloud Console. :page-aliases: deploy:deployment-option/cloud/configure-privatelink-in-cloud-ui.adoc -NOTE: This guide is for configuring AWS PrivateLink using the Redpanda Cloud UI. To configure and manage PrivateLink on an existing public cluster, you must use the xref:networking:aws-privatelink.adoc[Redpanda Cloud API]. +NOTE: This guide is for configuring AWS PrivateLink using the Redpanda Cloud Console. To configure and manage PrivateLink on an existing public cluster, you must use the xref:networking:aws-privatelink.adoc[Redpanda Cloud API]. The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because these connections are treated as their own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. 
@@ -29,7 +29,7 @@ include::networking:partial$dns_resolution.adoc[] == Enable endpoint service for existing clusters -. In the Redpanda Cloud UI, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. +. In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. . For AWS PrivateLink, click *Enable*. . On the Enable PrivateLink page, for Allowed principal ARNs, click *Add*, and enter the Amazon Resource Names (ARNs) for each AWS principal allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam:::root`. See the AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details. . Click *Add* after entering each ARN, and when finished, click *Enable*. @@ -39,7 +39,7 @@ NOTE: For help with issues when enabling PrivateLink, contact https://support.re == Access Redpanda services through VPC endpoint -After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud UI. +After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] diff --git a/modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc b/modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc index 1b0a773ee..c65430803 100644 --- a/modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc +++ b/modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc 
@@ -6,7 +6,7 @@ include::networking:partial$psc-api.adoc[] == Create a new cluster with Private Service Connect -. In the https://cloud.redpanda.com/[Redpanda Cloud UI], go to **Resource groups** and select the resource group in which you want to create a cluster. +. In the https://cloud.redpanda.com/[Redpanda Cloud Console], go to **Resource groups** and select the resource group in which you want to create a cluster. + Copy and store the resource group ID (UUID) from the URL in the browser. + @@ -104,7 +104,7 @@ Enabling Private Service Connect on your VPC interrupts all communication on exi To avoid disruption, consider using a staged approach. See: xref:networking:dedicated/gcp/vpc-peering-gcp.adoc#switch-from-vpc-peering-to-private-service-connect[Switch from VPC peering to Private Service Connect]. ==== -. In the Redpanda Cloud UI, go to the cluster overview and copy the cluster ID from the **Details** section. +. In the Redpanda Cloud Console, go to the cluster overview and copy the cluster ID from the **Details** section. + [,bash] ---- diff --git a/modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc b/modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc index 85af2f836..b2b8125d3 100644 --- a/modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc +++ b/modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc 
@@ -1,11 +1,11 @@ -= Configure GCP Private Service Connect in the Cloud UI -:description: Set up GCP Private Service Connect in the Redpanda Cloud UI. += Configure GCP Private Service Connect in the Cloud Console +:description: Set up GCP Private Service Connect in the Redpanda Cloud Console. :env-dedicated: true [NOTE] ==== -* This guide is for configuring GCP Private Service Connect using the Redpanda Cloud UI. To configure and manage Private Service Connect on an existing cluster with *public* networking, you must use the xref:networking:gcp-private-service-connect.adoc[Cloud API for BYOC] or the xref:networking:dedicated/gcp/configure-psc-in-api.adoc[Cloud API for Dedicated]. +* This guide is for configuring GCP Private Service Connect using the Redpanda Cloud Console. To configure and manage Private Service Connect on an existing cluster with *public* networking, you must use the xref:networking:gcp-private-service-connect.adoc[Cloud API for BYOC] or the xref:networking:dedicated/gcp/configure-psc-in-api.adoc[Cloud API for Dedicated]. * The latest version of Redpanda GCP Private Service Connect (available March, 2025) supports AZ affinity. This allows requests from Private Service Connect endpoints to stay within the same availability zone, avoiding additional networking costs. * DEPRECATION: The original Redpanda GCP Private Service Connect is deprecated and will be removed in a future release. For more information, see xref:manage:maintenance.adoc#deprecated-features[Deprecated features]. ==== 
@@ -30,7 +30,7 @@ Consider using Private Service Connect if you have multiple VPC networks and cou == Enable Private Service Connect for existing clusters -. In the Redpanda Cloud UI, open your https://cloud.redpanda.com/clusters[cluster^], and click **Cluster settings**. +. In the Redpanda Cloud Console, open your https://cloud.redpanda.com/clusters[cluster^], and click **Cluster settings**. . Under Private Service Connect, click **Enable**. ifdef::env-byoc[] . For xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters], you need a NAT subnet with `purpose` set to `PRIVATE_SERVICE_CONNECT`. You also need to create VPC network firewall rules to allow Private Service Connect traffic. You can use the `gcloud` CLI: diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc new file mode 100644 index 000000000..34626894f --- /dev/null +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
@@ -0,0 +1,296 @@ += Configure AWS PrivateLink with the Cloud API +:description: Set up AWS PrivateLink with the Cloud API for Serverless clusters. + +NOTE: This guide is for configuring AWS PrivateLink on Serverless clusters using the Redpanda Cloud API. To configure and manage PrivateLink on an existing public cluster, you must use the Cloud API. See xref:networking:serverless/aws/privatelink-ui.adoc[Configure PrivateLink in the Redpanda Cloud Console] if you want to set up the endpoint service using the Redpanda Cloud Console. + +The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because a PrivateLink connection is treated as its own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. + +Consider using the PrivateLink endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. + +[NOTE] +==== +* Each client VPC can have one endpoint connected to the PrivateLink service. +* PrivateLink allows overlapping xref:networking:cidr-ranges.adoc[CIDR ranges] in VPC networks. +* PrivateLink does not add extra connection limits. However, VPC peering is limited to 125 connections. See https://aws.amazon.com/privatelink/faqs/[How scalable is AWS PrivateLink?^] +* You control which AWS principals are allowed to connect to the endpoint service. +==== + +After <>, you can <>, or you can <>. + +== Requirements + +* Install `rpk`. +* Your Redpanda Serverless cluster and <> must be in the same region. +* This guide uses the link:/api/doc/cloud-controlplane/topic/topic-cloud-api-overview[Redpanda Cloud API] to enable the Redpanda endpoint service for your Serverless clusters. Follow the steps below to <>. 
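Review bot: The NOTE at the top of the new privatelink-api.adoc contradicts itself: this is the Cloud API guide, yet it says "To configure and manage PrivateLink on an existing public cluster, you must use the Cloud API." Either drop that sentence or move it to the UI page, where the restriction is actually meaningful. Separately, the cross-references in this region come through as bare `<>` ("After <>, you can <>, or you can <>" and "Follow the steps below to <>"); check that the `<<anchor>>` targets survived the edit and that each referenced section ID exists in this file, otherwise Antora will emit unresolved-xref warnings and readers get empty links.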
+* Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI^] to create a new client VPC or modify an existing one to use the PrivateLink endpoint. + +TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds. + +NOTE: Enabling PrivateLink changes private DNS behavior for your cluster. Before configuring connections, review <>. + +== Get a Cloud API access token + +include::networking:partial$private-links-api-access-token.adoc[] + +== Create new cluster with PrivateLink endpoint service enabled + +. In the https://cloud.redpanda.com/[Redpanda Cloud Console^], go to **Resource groups** and select the resource group in which you want to create a cluster. ++ +Copy and store the resource group ID (UUID) from the URL in the browser. ++ +[,bash] +---- +export RESOURCE_GROUP_ID= +---- + +. Create a new Serverless cluster with the endpoint service enabled by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_createserverlesscluster[`POST /v1/serverless-clusters`]. ++ +In the example below, make sure to set your own values for the following fields: ++ +-- +- `name` +- `serverless_region`: for example, `"pro-us-east-1"` +- `connect_console`: Whether to enable connections to Redpanda Console (boolean) +- `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. 
+-- ++ +[,bash] +---- +SERVERLESS_REGION= + +CLUSTER_POST_BODY=`cat << EOF +{ + "serverless_cluster": { + "name": "", + "resource_group_id": "$RESOURCE_GROUP_ID", + "serverless_region": "$SERVERLESS_REGION", + "aws_private_link": { + "enabled": true, + "connect_console": true, + "allowed_principals": ["",""] + } + } +} +EOF` + +CLUSTER_ID=`curl -vv -X POST \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $AUTH_TOKEN" \ + -d "$CLUSTER_POST_BODY" $PUBLIC_API_ENDPOINT/v1/serverless-clusters | jq -r .operation.metadata.cluster_id` + +echo $CLUSTER_ID +---- + +== Enable PrivateLink endpoint service for existing clusters + +[CAUTION] +==== +Enabling PrivateLink on your VPC interrupts all communication on existing Redpanda bootstrap server and broker ports due to the change of private DNS resolution. + +To avoid disruption, consider using a staged approach to enable PrivateLink. +==== + +. In the Redpanda Cloud Console, go to the cluster overview and copy the cluster ID from the **Details** section. ++ +[,bash] +---- +CLUSTER_ID= +---- + +. Make a link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_updateserverlesscluster[`PATCH /v1/serverless-clusters/{cluster.id}`] request to update the cluster with the Redpanda PrivateLink Endpoint Service enabled. ++ +In the example below, make sure to set your own value for the following field: ++ +-- +- `connect_console`: Whether to enable connections to Redpanda Console (boolean) +- `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. 
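Review bot: `curl -vv` in the create-cluster call prints the outgoing request headers, including `Authorization: Bearer $AUTH_TOKEN`, to stderr, so the Cloud API token lands in terminal scrollback and in any CI log that captures this step; drop `-vv` (use `-sS --fail` if you want errors surfaced) here and in the PATCH call later in the file. The step also relies on `$AUTH_TOKEN` and `$PUBLIC_API_ENDPOINT` being exported, presumably by the included `private-links-api-access-token.adoc` partial; say so explicitly under Requirements so a reader who skips the partial is not posting to an empty endpoint. Minor: `"allowed_principals": ["",""]` invites pasting empty strings; a labelled placeholder such as `"arn:aws:iam::<account_id>:root"`, matching the prose above the listing, is safer.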
+-- ++ +[,bash] +---- +CLUSTER_PATCH_BODY=`cat << EOF +{ + "aws_private_link": { + "enabled": true, + "connect_console": true, + "allowed_principals": ["",""] + } +} +EOF` + +curl -vv -X PATCH \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $AUTH_TOKEN" \ + -d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/serverless-clusters/$CLUSTER_ID +---- + +. Before proceeding, check the state of the Update Cluster operation by calling link:/api/doc/cloud-controlplane/operation/operation-operationservice_getoperation[`GET /v1/operations/\{id}`], and passing the operation ID returned from Update Cluster call. When the state is `STATE_READY`, proceed to the next step. + +. Check the service state by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_getserverlesscluster[`GET /v1/serverless-clusters/\{id}`]. The `service_state` in the `aws_private_link.status` response object must be `Available` for you to <>. ++ +[,bash] +---- +curl -X GET \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $AUTH_TOKEN" \ + $PUBLIC_API_ENDPOINT/v1/serverless-clusters/$CLUSTER_ID | jq '.cluster.aws_private_link.status | {service_name, service_state}' +---- + +== DNS resolution with PrivateLink + +include::networking:partial$dns_resolution.adoc[] + +== Configure PrivateLink connection to Redpanda Cloud + +When you have a PrivateLink-enabled cluster, you can create an endpoint to connect your VPC and your cluster. + +=== Get cluster domain + +Get the domain (`cluster_domain`) of the cluster from the cluster details in the Redpanda Cloud Console. + +For example, if the bootstrap server URL is: `seed-3da65a4a.cki01qgth38kk81ard3g.eu-west-1.aw.priv.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.eu-west-1.aw.priv.cloud.redpanda.com`. 
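Review bot: In the enable-existing-cluster step, "make sure to set your own value for the following field:" introduces two fields (`connect_console` and `allowed_principals`), so it should be plural as in the create step. In the operation check, "returned from Update Cluster call" should read "returned from the Update Cluster call". The PATCH request repeats `curl -vv` with the bearer token in the headers, so the same verbose-output concern as the create call applies here.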
+ +[,bash] +---- +CLUSTER_DOMAIN= +---- + +NOTE: Use `` as the domain you target with your DNS conditional forward (optionally also `*.` if your DNS platform requires a wildcard). + +=== Get name of PrivateLink endpoint service + +The service name is required to <>. Run the following command to get the service name: + +[,bash] +---- +PL_SERVICE_NAME=`curl -X GET \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $AUTH_TOKEN" \ + $PUBLIC_API_ENDPOINT/v1/serverless-clusters/$CLUSTER_ID | jq -r .cluster.aws_private_link.status.service_name` +---- + +=== Create client VPC + +If you are not using an existing VPC, you must create a new one. + +The VPC region must be the same region where the Redpanda cluster is deployed. To create the VPC, run: + +[,bash] +---- +# See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html for +# information on profiles and credential files +PROFILE= + +aws ec2 create-vpc --region $REGION --profile $PROFILE --cidr-block 10.0.0.0/20 + +# Store the client VPC ID from the command output +CLIENT_VPC_ID= +---- + +You can also use an existing VPC. You need the VPC ID to <>. + +=== Modify VPC DNS attributes + +To modify the VPC attributes, run: + +[,bash] +---- +aws ec2 modify-vpc-attribute --region $REGION --profile $PROFILE --vpc-id $CLIENT_VPC_ID \ + --enable-dns-hostnames "{\"Value\":true}" + +aws ec2 modify-vpc-attribute --region $REGION --profile $PROFILE --vpc-id $CLIENT_VPC_ID \ + --enable-dns-support "{\"Value\":true}" +---- + +These commands enable DNS hostnames and resolution for instances in the VPC. + +=== Create security group + +You need the security group ID `security_group_id` from the command output to <>. 
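Review bot: `$REGION` is passed to every `aws ec2` command from "Create client VPC" onward but is never assigned on the page; the only region variable defined earlier is `SERVERLESS_REGION` (for example `pro-us-east-1`), which is a Redpanda region name rather than an AWS one, so add a line such as `REGION=<aws-region>` next to `PROFILE=` with a sentence stating it must be the AWS region the Serverless cluster runs in. The NOTE after `CLUSTER_DOMAIN=` has an empty code span ("Use `` as the domain you target with your DNS conditional forward"); the placeholder, presumably the cluster domain, is missing and the sentence reads as incomplete.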
To create a security group, run: + +[,bash] +---- +aws ec2 create-security-group --region $REGION --profile $PROFILE --vpc-id $CLIENT_VPC_ID \ + --description "Redpanda endpoint service client security group" \ + --group-name "${CLUSTER_ID}-sg" +SECURITY_GROUP_ID= +---- + +=== Add security group rules + +The following example adds security group rules that work for any broker count by opening the documented per-broker port ranges. + +NOTE: For PrivateLink, clients connect to individual ports for each broker in ranges 32000-32500 (Kafka API) and 35000-35500 (HTTP Proxy). Opening only a few ports by broker count can break producers/consumers for topics with many partitions. See xref:networking:cloud-security-network.adoc#private-service-connectivity-network-ports[Private service connectivity network ports]. + +[,bash] +---- +# Allow Kafka API bootstrap (seed) +aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ + --group-id $SECURITY_GROUP_ID --protocol tcp --port 30292 --cidr 0.0.0.0/0 + +# Allow Schema Registry +aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ + --group-id $SECURITY_GROUP_ID --protocol tcp --port 30081 --cidr 0.0.0.0/0 + +# Allow HTTP Proxy bootstrap +aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ + --group-id $SECURITY_GROUP_ID --protocol tcp --port 30282 --cidr 0.0.0.0/0 + +# Allow Redpanda Cloud Data Plane API / Prometheus (if needed) +aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ + --group-id $SECURITY_GROUP_ID --protocol tcp --port 443 --cidr 0.0.0.0/0 + +# Private service connectivity broker port pools +# Kafka API per-broker ports +aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ + --group-id $SECURITY_GROUP_ID \ + --ip-permissions 'IpProtocol=tcp,FromPort=32000,ToPort=32500,IpRanges=[{CidrIp=0.0.0.0/0}]' + +# HTTP Proxy per-broker ports +aws ec2 authorize-security-group-ingress --region 
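Review bot: Every ingress rule in the "Add security group rules" listing uses `--cidr 0.0.0.0/0`. Because the group is attached to the interface endpoint's ENI, which is only reachable from inside the VPC, this does not expose the endpoint to the internet, but it does let any address that can route to the VPC (peered VPCs, VPN, Transit Gateway attachments) use the link. Scoping the source to the VPC CIDR created above (`10.0.0.0/20`) or to the client subnets keeps the rules least-privilege, and a one-sentence note explaining the choice would stop readers copying the wide-open form into production.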
$REGION --profile $PROFILE \ + --group-id $SECURITY_GROUP_ID \ + --ip-permissions 'IpProtocol=tcp,FromPort=35000,ToPort=35500,IpRanges=[{CidrIp=0.0.0.0/0}]' +---- + +=== Create VPC subnet + +You need the subnet ID `subnet_id` from the command output to <>. Run the following command, specifying the subnet availability zone (for example, `usw2-az1`): + +[,bash] +---- +aws ec2 create-subnet --region $REGION --profile $PROFILE --vpc-id $CLIENT_VPC_ID \ + --availability-zone \ + --cidr-block 10.0.1.0/24 +SUBNET_ID= +---- + +=== Create VPC endpoint + +[,bash] +---- +aws ec2 create-vpc-endpoint \ + --region $REGION --profile $PROFILE \ + --vpc-id $CLIENT_VPC_ID \ + --vpc-endpoint-type "Interface" \ + --ip-address-type "ipv4" \ + --service-name $PL_SERVICE_NAME \ + --subnet-ids $SUBNET_ID \ + --security-group-ids $SECURITY_GROUP_ID \ + --private-dns-enabled +---- + +== Access Redpanda services through VPC endpoint + +After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. + +include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] + +== Test the connection + +You can test the PrivateLink connection from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL: + +include::networking:partial$private-links-test-connection.adoc[] + +include::shared:partial$suggested-reading.adoc[] + +* link:/api/doc/cloud-controlplane/topic/topic-cloud-api-overview[Cloud API Overview] diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc new file mode 100644 index 000000000..e6ab65048 --- /dev/null +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
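Review bot: In "Create VPC subnet", the example value `usw2-az1` is an availability zone ID, which `aws ec2 create-subnet` takes through `--availability-zone-id`; `--availability-zone` expects a zone name such as `us-west-2a`. Pick one flag, make the example value match it, and fill the empty argument after `--availability-zone \` with a labelled placeholder. The `create-vpc-endpoint` step passes `--private-dns-enabled`, which only works when the DNS hostnames and DNS support attributes are on, so state that "Modify VPC DNS attributes" is a prerequisite rather than an optional step for readers bringing an existing VPC.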
@@ -0,0 +1,59 @@ += Configure AWS PrivateLink in the Cloud Console +:description: Set up AWS PrivateLink in the Redpanda Cloud Console for Serverless clusters. + +NOTE: This guide is for configuring AWS PrivateLink on Serverless clusters using the Redpanda Cloud Console. To configure and manage PrivateLink on an existing public cluster, you must use the xref:networking:serverless/aws/privatelink-api.adoc[Redpanda Cloud API]. + +The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because these connections are treated as their own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. + +Consider using the endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. + +[NOTE] +==== +* Each client VPC can have one endpoint connected to the PrivateLink service. +* PrivateLink allows overlapping xref:networking:cidr-ranges.adoc[CIDR ranges] in VPC networks. +* PrivateLink does not add extra connection limits. However, VPC peering is limited to 125 connections. See https://aws.amazon.com/privatelink/faqs/[How scalable is AWS PrivateLink?^] +* You control which AWS principals are allowed to connect to the endpoint service. +==== + +== Requirements + +* Your Redpanda Serverless cluster and VPC must be in the same region. +* Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI] to create a new client VPC or modify an existing one to use the PrivateLink endpoint. + +TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds. + +== DNS resolution with PrivateLink + +include::networking:partial$dns_resolution.adoc[] + +== Enable endpoint service for existing clusters + +. 
In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. +. For AWS PrivateLink, click *Enable*. +. On the Enable PrivateLink page, for Allowed principal ARNs, click *Add*, and enter the Amazon Resource Names (ARNs) for each AWS principal allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam:::root`. See the AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details. +. Click *Add* after entering each ARN, and when finished, click *Enable*. +. It may take several minutes for your cluster to update. When the update is complete, the AWS PrivateLink status on the Cluster settings page changes to *Enabled*. + +NOTE: For help with issues when enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. + +== Access Redpanda services through VPC endpoint + +After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. + +include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] + +== Test the connection + +You can test the connection to the endpoint service from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL: + +include::networking:partial$private-links-test-connection.adoc[] + +== Disable endpoint service + +On the Cluster settings page for the cluster, click *Disable* for PrivateLink. Existing connections are closed after the AWS PrivateLink service is disabled. + +NOTE: Disabling private access in Redpanda Cloud does not delete the PrivateLink endpoint in your AWS account. 
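Review bot: The ARN example in the UI page, `arn:aws:iam:::root`, has an empty account ID field and is not a valid principal, whereas the API page writes `arn:aws:iam::account_id:root`; use the same labelled placeholder on both pages so the two guides agree. Style: the AWS CLI link under Requirements lacks the `^` new-window marker that the other external links on this page carry.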
The endpoint remains provisioned and continues to incur charges until you explicitly delete it from your AWS account. + +include::shared:partial$suggested-reading.adoc[] + +* xref:networking:serverless/aws/privatelink-api.adoc[] diff --git a/modules/networking/pages/serverless/aws/privatelink.adoc b/modules/networking/pages/serverless/aws/privatelink.adoc deleted file mode 100644 index d3a246b70..000000000 --- a/modules/networking/pages/serverless/aws/privatelink.adoc +++ /dev/null @@ -1,3 +0,0 @@ -= Configure AWS PrivateLink with the Cloud API -:description: Set up AWS PrivateLink with the Cloud API. - From 0afa5319968ba5ab63c9b4586f0540fce8208d1a Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:11:37 -0700 Subject: [PATCH 08/46] Update modules/networking/pages/serverless/aws/privatelink-ui.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index e6ab65048..a2a5f7142 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
@@ -1,7 +1,6 @@ = Configure AWS PrivateLink in the Cloud Console :description: Set up AWS PrivateLink in the Redpanda Cloud Console for Serverless clusters. -NOTE: This guide is for configuring AWS PrivateLink on Serverless clusters using the Redpanda Cloud Console. To configure and manage PrivateLink on an existing public cluster, you must use the xref:networking:serverless/aws/privatelink-api.adoc[Redpanda Cloud API]. The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because these connections are treated as their own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. From 6fb58668517f3ded5a07eae35363283e6b831a32 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:12:34 -0700 Subject: [PATCH 09/46] Update modules/networking/pages/serverless/aws/privatelink-ui.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index a2a5f7142..a253ac9c6 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
@@ -29,7 +29,6 @@ include::networking:partial$dns_resolution.adoc[] . In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. . For AWS PrivateLink, click *Enable*. -. On the Enable PrivateLink page, for Allowed principal ARNs, click *Add*, and enter the Amazon Resource Names (ARNs) for each AWS principal allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam:::root`. See the AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details. . Click *Add* after entering each ARN, and when finished, click *Enable*. . It may take several minutes for your cluster to update. When the update is complete, the AWS PrivateLink status on the Cluster settings page changes to *Enabled*. From 09cd3f1e174a4768d43375dbda9b0adaf864607e Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:12:43 -0700 Subject: [PATCH 10/46] Update modules/networking/pages/serverless/aws/privatelink-ui.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index a253ac9c6..106a830b6 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
@@ -29,7 +29,6 @@ include::networking:partial$dns_resolution.adoc[] . In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. . For AWS PrivateLink, click *Enable*. -. Click *Add* after entering each ARN, and when finished, click *Enable*. . It may take several minutes for your cluster to update. When the update is complete, the AWS PrivateLink status on the Cluster settings page changes to *Enabled*. NOTE: For help with issues when enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. From 355624adf8366a47de56eae8ea74575e8b2eb1bb Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:13:58 -0700 Subject: [PATCH 11/46] Update modules/networking/pages/serverless/aws/privatelink-ui.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 106a830b6..9d864da46 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -29,7 +29,6 @@ include::networking:partial$dns_resolution.adoc[] . In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. . For AWS PrivateLink, click *Enable*. -. It may take several minutes for your cluster to update. When the update is complete, the AWS PrivateLink status on the Cluster settings page changes to *Enabled*. NOTE: For help with issues when enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. From c19e73a2b403fe355da90b5de14d86ba50811bdd Mon Sep 17 00:00:00 2001 
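Review bot: With patches 09 through 11 applied, the "Enable endpoint service for existing clusters" procedure is reduced to selecting the cluster and clicking Enable, and the sentence that told readers the update takes several minutes and that the status changes to Enabled is gone, so the procedure has no completion criterion and nowhere to look when the toggle appears to do nothing. If the UI flow changed, restate how to confirm the link is active rather than deleting the step outright.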
From: Michele Cyran Date: Tue, 20 Jan 2026 20:16:57 -0700 Subject: [PATCH 12/46] Update modules/networking/pages/serverless/aws/privatelink-ui.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 9d864da46..97ca56b19 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -46,7 +46,7 @@ include::networking:partial$private-links-test-connection.adoc[] == Disable endpoint service -On the Cluster settings page for the cluster, click *Disable* for PrivateLink. Existing connections are closed after the AWS PrivateLink service is disabled. +On the Cluster Settings page, deselect **Private Access**. Existing connections are closed after the AWS PrivateLink service is disabled. NOTE: Disabling private access in Redpanda Cloud does not delete the PrivateLink endpoint in your AWS account. The endpoint remains provisioned and continues to incur charges until you explicitly delete it from your AWS account. From 28f85b4c3f217992add7032f31d9e2081717eca9 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:17:27 -0700 Subject: [PATCH 13/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- .../networking/pages/serverless/aws/privatelink-api.adoc | 6 ------ 1 file changed, 6 deletions(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 34626894f..64eff6e54 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
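Review bot: The replacement line in the Disable section writes "Cluster Settings" and `**Private Access**`, while the rest of this page uses "Cluster settings" and single-asterisk bold (`*Enable*`, `*Cluster settings*`); align the capitalization and the bold style with the surrounding steps.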
@@ -83,12 +83,6 @@ echo $CLUSTER_ID == Enable PrivateLink endpoint service for existing clusters -[CAUTION] -==== -Enabling PrivateLink on your VPC interrupts all communication on existing Redpanda bootstrap server and broker ports due to the change of private DNS resolution. - -To avoid disruption, consider using a staged approach to enable PrivateLink. -==== . In the Redpanda Cloud Console, go to the cluster overview and copy the cluster ID from the **Details** section. + From bf6044a6205f918d22f7663e18ee9ecf64ab2262 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:18:42 -0700 Subject: [PATCH 14/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- .../networking/pages/serverless/aws/privatelink-api.adoc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 64eff6e54..810a29aa9 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -104,11 +104,10 @@ In the example below, make sure to set your own value for the following field: ---- CLUSTER_PATCH_BODY=`cat << EOF { - "aws_private_link": { - "enabled": true, - "connect_console": true, - "allowed_principals": ["",""] - } + "networking_config": { + "private": "STATE_ENABLED" + }, + "private_link_id": "$SERVERLESS_PRIVATE_LINK_ID" } EOF` From eee31be6db9ae16050d59b5d0f809fcc0382a0ab Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:19:03 -0700 Subject: [PATCH 15/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- .../networking/pages/serverless/aws/privatelink-api.adoc | 9 --------- 1 file changed, 9 deletions(-) 
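Review bot: The new PATCH body introduces `$SERVERLESS_PRIVATE_LINK_ID`, but nothing on the page assigns it or explains where the ID comes from, so the request goes out with an empty `private_link_id`; add a step that obtains the private link ID and exports it before this call. The unchanged context line "make sure to set your own value for the following field:" and the field list above the listing still describe `connect_console` and `allowed_principals` from the old `aws_private_link` shape, which no longer appear in the body, so they need rewriting for `networking_config.private` and `private_link_id`. On the CAUTION removal in patch 13: the Requirements NOTE earlier in the file still warns that enabling PrivateLink changes private DNS behavior, so either the interruption still applies and the caution should stay, or that NOTE should go as well.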
diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 810a29aa9..a763b80df 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -119,15 +119,6 @@ curl -vv -X PATCH \ . Before proceeding, check the state of the Update Cluster operation by calling link:/api/doc/cloud-controlplane/operation/operation-operationservice_getoperation[`GET /v1/operations/\{id}`], and passing the operation ID returned from Update Cluster call. When the state is `STATE_READY`, proceed to the next step. -. Check the service state by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_getserverlesscluster[`GET /v1/serverless-clusters/\{id}`]. The `service_state` in the `aws_private_link.status` response object must be `Available` for you to <>. -+ -[,bash] ----- -curl -X GET \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer $AUTH_TOKEN" \ - $PUBLIC_API_ENDPOINT/v1/serverless-clusters/$CLUSTER_ID | jq '.cluster.aws_private_link.status | {service_name, service_state}' ----- == DNS resolution with PrivateLink From ee6a9b72d9fe7b21efb68935bc836559a8c96b81 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:19:13 -0700 Subject: [PATCH 16/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index a763b80df..b4b251c65 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
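Review bot: Removing the `service_state` must be `Available` check leaves no readiness gate between enabling the link and creating the VPC endpoint, and the later "Get name of PrivateLink endpoint service" step still reads `.cluster.aws_private_link.status.service_name`, the same object this hunk stops checking; if the serverless API has moved to `networking_config` and `private_link_id` (patch 14), that jq path is likely stale and should be verified against a real response. Any `<<...>>` cross-reference that targeted the deleted step also needs retargeting.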
@@ -216,9 +216,6 @@ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ --group-id $SECURITY_GROUP_ID --protocol tcp --port 30081 --cidr 0.0.0.0/0 -# Allow HTTP Proxy bootstrap -aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ - --group-id $SECURITY_GROUP_ID --protocol tcp --port 30282 --cidr 0.0.0.0/0 # Allow Redpanda Cloud Data Plane API / Prometheus (if needed) aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ From ccfc89637506fe9fc4080c93facf4f1594b5d80c Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:19:24 -0700 Subject: [PATCH 17/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- .../pages/serverless/aws/privatelink-api.adoc | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index b4b251c65..7be4dcfe3 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
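Review bot: Deleting the HTTP Proxy bootstrap rule (port 30282) leaves the NOTE above the listing still telling readers that clients connect to HTTP Proxy ports in the range 35000-35500; if HTTP Proxy is not offered over Serverless PrivateLink, drop it from the NOTE too, and if it is, say which port replaces 30282. The deletion also leaves two consecutive blank lines between the Schema Registry rule and the Data Plane API comment.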
@@ -221,17 +221,6 @@ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ --group-id $SECURITY_GROUP_ID --protocol tcp --port 443 --cidr 0.0.0.0/0 -# Private service connectivity broker port pools -# Kafka API per-broker ports -aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ - --group-id $SECURITY_GROUP_ID \ - --ip-permissions 'IpProtocol=tcp,FromPort=32000,ToPort=32500,IpRanges=[{CidrIp=0.0.0.0/0}]' - -# HTTP Proxy per-broker ports -aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ - --group-id $SECURITY_GROUP_ID \ - --ip-permissions 'IpProtocol=tcp,FromPort=35000,ToPort=35500,IpRanges=[{CidrIp=0.0.0.0/0}]' ----- === Create VPC subnet From a6257ea490d7e229252f548983fe0790ef7dea1b Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:31:33 -0700 Subject: [PATCH 18/46] Update modules/networking/pages/serverless/aws/privatelink-ui.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 97ca56b19..2ece8e714 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -28,7 +28,7 @@ include::networking:partial$dns_resolution.adoc[] == Enable endpoint service for existing clusters . In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. -. For AWS PrivateLink, click *Enable*. +. Under Networking, select **Private Access** and then select an existing private link. NOTE: For help with issues when enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. 
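Review bot: The last removed line of the first hunk (shown run together as `-----`) is the `----` that closes the `[,bash]` listing block, so after this patch the block is never closed and the `=== Create VPC subnet` heading plus the next listing's delimiters render inside it; restore a closing `----` after the port 443 rule. The listing's intro sentence ("adds security group rules that work for any broker count by opening the documented per-broker port ranges") and the NOTE about ranges 32000-32500 and 35000-35500 now describe rules that no longer exist, so rewrite or remove them. In the privatelink-ui.adoc hunk, "select an existing private link" assumes a private link resource already exists, but neither page shows how to create one; link to that step or name the page where it lives.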
From 158ba7160e0dc3491bb3706f62f01421216f0171 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:32:34 -0700 Subject: [PATCH 19/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 7be4dcfe3..4dd8200d4 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -1,7 +1,7 @@ = Configure AWS PrivateLink with the Cloud API :description: Set up AWS PrivateLink with the Cloud API for Serverless clusters. -NOTE: This guide is for configuring AWS PrivateLink on Serverless clusters using the Redpanda Cloud API. To configure and manage PrivateLink on an existing public cluster, you must use the Cloud API. See xref:networking:serverless/aws/privatelink-ui.adoc[Configure PrivateLink in the Redpanda Cloud Console] if you want to set up the endpoint service using the Redpanda Cloud Console. +NOTE: This guide is for configuring AWS PrivateLink on Serverless clusters using the Redpanda Cloud API. See xref:networking:serverless/aws/privatelink-ui.adoc[Configure PrivateLink in the Redpanda Cloud Console] if you want to set up the endpoint service using the Redpanda Cloud Console. The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because a PrivateLink connection is treated as its own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. From 406229cfda05d1746435518bde689c0cd0d0bdfd Mon Sep 17 00:00:00 2001 
From: Michele Cyran Date: Tue, 20 Jan 2026 20:48:09 -0700 Subject: [PATCH 20/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 4dd8200d4..465af717b 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -214,7 +214,7 @@ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ # Allow Schema Registry aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ - --group-id $SECURITY_GROUP_ID --protocol tcp --port 30081 --cidr 0.0.0.0/0 + --group-id $SECURITY_GROUP_ID --protocol tcp --port 8081 --cidr 0.0.0.0/0 # Allow Redpanda Cloud Data Plane API / Prometheus (if needed) From 83e73e96adee447ad31182adbc3dc3a924487a23 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 20 Jan 2026 20:49:15 -0700 Subject: [PATCH 21/46] incorporate review comments --- .../pages/serverless/aws/privatelink-api.adoc | 22 +++++++- .../pages/serverless/aws/privatelink-ui.adoc | 20 ++++++- ...te-links-access-rp-service-serverless.adoc | 55 +++++++++++++++++++ 3 files changed, 92 insertions(+), 5 deletions(-) create mode 100644 modules/networking/partials/private-links-access-rp-service-serverless.adoc diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 465af717b..c51e98fda 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
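Review bot: the corrected Schema Registry rule in the @@ -214,7 +214,7 @@ hunk still allows `--cidr 0.0.0.0/0`, as do the other ingress rules in this listing. The security group is attached to the endpoint's network interfaces in the consumer VPC, so any source that can route to those interfaces (peered VPCs, VPN or Direct Connect networks) is let in; suggest scoping the source to the consumer VPC CIDR (for example a `--cidr $VPC_CIDR` variable the reader sets) or to the clients' own security group with `--source-group`, and saying why in the comment line.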
@@ -122,7 +122,23 @@ curl -vv -X PATCH \ == DNS resolution with PrivateLink -include::networking:partial$dns_resolution.adoc[] +PrivateLink changes how DNS resolution works for your cluster. When you query cluster hostnames outside the VPC that contains your PrivateLink endpoint, DNS may return private IP addresses that aren't reachable from your location. + +To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using Route 53 Resolver: + +. In the VPC that contains your PrivateLink endpoint, create a Route 53 Resolver inbound endpoint. ++ +Ensure that the inbound endpoint's security group allows inbound UDP/TCP port 53 from each VPC or on-prem network that will forward queries. + +. In each other VPC that must resolve the cluster domain, create a Resolver outbound endpoint and a forwarding rule for `` that targets the inbound endpoint IPs from the previous step. Associate the rule to those VPCs. ++ +The cluster domain is the suffix after the seed hostname. For example, if your bootstrap server URL is: cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092, then `cluster_domain` is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. +. For on-premises DNS, create a conditional forwarder for `` that forwards to the inbound endpoint IPs from the earlier step (over VPN/Direct Connect). ++ +[IMPORTANT] +==== +Do not configure forwarding rules to target the VPC's Amazon-provided DNS resolver (VPC base CIDR + 2). Rules must target the IP addresses of Route 53 Resolver endpoints. +==== == Configure PrivateLink connection to Redpanda Cloud 
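Review bot: the @@ -122,7 +122,23 @@ hunk pastes a 17-line DNS procedure in place of `include::networking:partial$dns_resolution.adoc[]`, and the identical text is pasted into privatelink-ui.adoc in the same commit; put it in a Serverless-specific partial and include it from both pages so the two copies cannot drift. Minor wording in the same hunk: "Associate the rule to those VPCs" should be "with those VPCs"; the section mixes "on-premise", "on-prem" and "on-premises" (use "on-premises" throughout); and the example bootstrap URL should sit in a code span like the `cluster_domain` value that follows it.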
@@ -210,7 +226,7 @@ NOTE: For PrivateLink, clients connect to individual ports for each broker in ra ---- # Allow Kafka API bootstrap (seed) aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ - --group-id $SECURITY_GROUP_ID --protocol tcp --port 30292 --cidr 0.0.0.0/0 + --group-id $SECURITY_GROUP_ID --protocol tcp --port 9092 --cidr 0.0.0.0/0 # Allow Schema Registry aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ @@ -253,7 +269,7 @@ aws ec2 create-vpc-endpoint \ After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. -include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] +include::networking:partial$private-links-access-rp-services-serverless.adoc[] == Test the connection diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 2ece8e714..9700f9e18 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
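Review bot: the include target in the @@ -253,7 +269,7 @@ hunk is `private-links-access-rp-services-serverless.adoc` (plural "services"), but the file this commit creates is `partials/private-links-access-rp-service-serverless.adoc` (singular), so the include resolves to nothing and the "How to Connect" section loses its content; the same mismatch is in the privatelink-ui.adoc hunk of this commit. Use the singular name in both includes or rename the new partial.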
@@ -23,7 +23,23 @@ TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 se == DNS resolution with PrivateLink -include::networking:partial$dns_resolution.adoc[] +PrivateLink changes how DNS resolution works for your cluster. When you query cluster hostnames outside the VPC that contains your PrivateLink endpoint, DNS may return private IP addresses that aren't reachable from your location. + +To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using Route 53 Resolver: + +. In the VPC that contains your PrivateLink endpoint, create a Route 53 Resolver inbound endpoint. ++ +Ensure that the inbound endpoint's security group allows inbound UDP/TCP port 53 from each VPC or on-prem network that will forward queries. + +. In each other VPC that must resolve the cluster domain, create a Resolver outbound endpoint and a forwarding rule for `` that targets the inbound endpoint IPs from the previous step. Associate the rule to those VPCs. ++ +The cluster domain is the suffix after the seed hostname. For example, if your bootstrap server URL is: cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092, then `cluster_domain` is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. +. For on-premises DNS, create a conditional forwarder for `` that forwards to the inbound endpoint IPs from the earlier step (over VPN/Direct Connect). ++ +[IMPORTANT] +==== +Do not configure forwarding rules to target the VPC's Amazon-provided DNS resolver (VPC base CIDR + 2). Rules must target the IP addresses of Route 53 Resolver endpoints. +==== == Enable endpoint service for existing clusters 
@@ -36,7 +52,7 @@ NOTE: For help with issues when enabling PrivateLink, contact https://support.re After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. -include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] +include::networking:partial$private-links-access-rp-services-serverless.adoc[] == Test the connection diff --git a/modules/networking/partials/private-links-access-rp-service-serverless.adoc b/modules/networking/partials/private-links-access-rp-service-serverless.adoc new file mode 100644 index 000000000..bdc20a617 --- /dev/null +++ b/modules/networking/partials/private-links-access-rp-service-serverless.adoc 
@@ -0,0 +1,55 @@ +You can access Redpanda services such as Schema Registry and HTTP Proxy from the client VPC or virtual network; for example, from a compute instance in the VPC or network. + +The bootstrap server hostname is unique to each cluster. The service attachment exposes a set of bootstrap ports for access to Redpanda services. These ports load balance requests among brokers. Make sure you use the following ports for initiating a connection from a consumer: + +|=== +| Redpanda service | Default bootstrap port + +| Kafka API | 9092 +| HTTP Proxy | 30282 +| Schema Registry | 8081 +|=== + +=== Access Kafka API seed service + +Use port `9092` to access the Kafka API seed service. + +[,bash] +---- +export RPK_BROKERS=':9092' +rpk cluster info -X tls.enabled=true -X user= -X pass= +---- + +When successful, the `rpk` output should look like the following: + +[,bash,role=no-copy] +---- +CLUSTER +======= +redpanda.rp-cki01qgth38kk81ard3g + +BROKERS +======= +ID HOST PORT RACK +0* 0-3da65a4a-0532364.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com 9092 use2-az1 +1 1-3da65a4a-63b320c.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com 9093 use2-az1 +2 2-3da65a4a-36068dc.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com 9094 use2-az1 +---- + +=== Access Schema Registry seed service + +Use port `8081` to access the Schema Registry seed service. + +[,bash] +---- +curl -vv -u : -H "Content-Type: application/vnd.schemaregistry.v1+json" --sslv2 --http2 :8081/subjects +---- + +=== Access HTTP Proxy seed service + +Use port `30282` to access the Redpanda HTTP Proxy seed service. + +[,bash] +---- +curl -vv -u : -H "Content-Type: application/vnd.kafka.json.v2+json" --sslv2 --http2 :30282/topics +---- From 4b50ecb6eb757b79e6e8ab7987e6dfe993cdcad3 Mon Sep 17 00:00:00 2001 
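Review bot: both curl examples in the new partial pass `--sslv2`, which asks curl to speak SSLv2; current curl and OpenSSL builds refuse it, and it is not a protocol to be suggesting against a TLS endpoint. Drop the flag (curl negotiates TLS for an `https://` URL) or set a floor with `--tlsv1.2`. Two consistency problems in the same file: the HTTP Proxy row and section (port 30282) contradict PATCH 16, which removed the 30282 ingress rule from privatelink-api.adoc, so either that rule or this section has to go; and the sample `rpk cluster info` output shows `*.fmc.dev.cloud.redpanda.com` hosts in `use2-az1`, while the guide's example domain is `*.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. Lastly, `rpk cluster info ... -X user= -X pass=` puts the password on the command line, where it is visible in process listings and shell history; rpk also reads `RPK_USER` and `RPK_PASS` from the environment, which is the better pattern to show.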
From: Michele Cyran Date: Tue, 20 Jan 2026 20:52:00 -0700 Subject: [PATCH 22/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index c51e98fda..ca33c37c1 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -76,7 +76,7 @@ EOF` CLUSTER_ID=`curl -vv -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $AUTH_TOKEN" \ - -d "$CLUSTER_POST_BODY" $PUBLIC_API_ENDPOINT/v1/serverless-clusters | jq -r .operation.metadata.cluster_id` + -d "$CLUSTER_POST_BODY" $PUBLIC_API_ENDPOINT/v1/serverless/clusters | jq -r .operation.metadata.cluster_id` echo $CLUSTER_ID ---- From a3fa5e4abf47dda49ea270350d3789ffdc1a987e Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:52:22 -0700 Subject: [PATCH 23/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index ca33c37c1..57e6e6f0e 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
@@ -114,7 +114,7 @@ EOF` curl -vv -X PATCH \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $AUTH_TOKEN" \ - -d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/serverless-clusters/$CLUSTER_ID + -d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/serverless/clusters/$CLUSTER_ID ---- . Before proceeding, check the state of the Update Cluster operation by calling link:/api/doc/cloud-controlplane/operation/operation-operationservice_getoperation[`GET /v1/operations/\{id}`], and passing the operation ID returned from Update Cluster call. When the state is `STATE_READY`, proceed to the next step. From 610ebfa02d3fa6f36173e3a44518d8ab15343787 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:52:42 -0700 Subject: [PATCH 24/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 57e6e6f0e..def7c60f4 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -148,7 +148,7 @@ When you have a PrivateLink-enabled cluster, you can create an endpoint to conne Get the domain (`cluster_domain`) of the cluster from the cluster details in the Redpanda Cloud Console. -For example, if the bootstrap server URL is: `seed-3da65a4a.cki01qgth38kk81ard3g.eu-west-1.aw.priv.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.eu-west-1.aw.priv.cloud.redpanda.com`. +For example, if the bootstrap server URL is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.eu-west-1.aw.priv.cloud.redpanda.com](cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. [,bash] ---- 
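Review bot: the replacement line in the @@ -148,7 +148,7 @@ hunk leaves `cluster_domain` as `cki01qgth38kk81ard3g.eu-west-1.aw.priv.cloud.redpanda.com](cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`, a half-applied suggestion with a stray `](` in the middle; the value should be just `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`, the suffix of the new example bootstrap URL on the same line.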
From 60510a2b49cecc1ab2bec8af7b928f7e5637c4fc Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Tue, 20 Jan 2026 20:53:21 -0700 Subject: [PATCH 25/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index def7c60f4..c36c73e52 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -166,7 +166,7 @@ The service name is required to < Date: Tue, 20 Jan 2026 21:14:17 -0700 Subject: [PATCH 26/46] incorporate review comments --- .../pages/cluster-types/serverless.adoc | 4 +- .../pages/serverless/aws/privatelink-api.adoc | 38 +++++++++---------- .../pages/serverless/aws/privatelink-ui.adoc | 7 ++-- ...te-links-access-rp-service-serverless.adoc | 28 +++++--------- ...vate-links-test-connection-serverless.adoc | 31 +++++++++++++++ 5 files changed, 64 insertions(+), 44 deletions(-) create mode 100644 modules/networking/partials/private-links-test-connection-serverless.adoc diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index e977cdc40..5a3251776 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc 
@@ -51,9 +51,9 @@ To create a Serverless cluster: + Serverless clusters are available in the regions listed in xref:reference:tiers/serverless-regions.adoc[Serverless regions]. Redpanda expects your applications to be deployed in the same region. For best performance, select the region closest to your applications. Serverless is not guaranteed to be pinned to a particular availability zone within that region. + -Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled. Enabling private access incurs additional charges. If you select private access, you can either create a new PrivateLink, or, if you have PrivateLinks for other Serverless clusters in this same resource group, you can use an existing PrivateLink. +Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled. Enabling private access incurs additional charges. If you select private access, you can either create a new PrivateLink, or, if you have PrivateLinks for other Serverless clusters in this same resource group, you can use an existing PrivateLink. + -You can enable or disable private access at any time from the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail. However, the PrivateLink endpoint remains provisioned and continues to incur charges until you explicitly delete it from your AWS account. +You can enable or disable private access at any time from the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail. 
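Review bot: the first `-`/`+` pair in the @@ -51,9 +51,9 @@ hunk ("Clusters on AWS can enable private access...") is textually identical, so it is a whitespace-only change; drop it so the real edit, the sentence stating that the PrivateLink resource in Redpanda Cloud also stays provisioned and billed after private access is disabled, is the only thing a reviewer has to read.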
However, the PrivateLink endpoint in your AWS account and the PrivateLink resource in Redpanda Cloud both remain provisioned and continue to incur charges until you explicitly delete them. . Click **Create cluster**. diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index c36c73e52..1af2b2b4e 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
@@ -50,26 +50,27 @@ In the example below, make sure to set your own values for the following fields: -- - `name` - `serverless_region`: for example, `"pro-us-east-1"` -- `connect_console`: Whether to enable connections to Redpanda Console (boolean) -- `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. +- `private_link_id`: The ID of an existing PrivateLink resource in the same resource group +- `networking_config.private` and `networking_config.public`: Valid values are `STATE_ENABLED` or `STATE_DISABLED`. At least one must be enabled. If neither is specified, `public` defaults to `STATE_ENABLED`. -- + [,bash] ---- SERVERLESS_REGION= +SERVERLESS_PRIVATE_LINK_ID= CLUSTER_POST_BODY=`cat << EOF { - "serverless_cluster": { - "name": "", - "resource_group_id": "$RESOURCE_GROUP_ID", - "serverless_region": "$SERVERLESS_REGION", - "aws_private_link": { - "enabled": true, - "connect_console": true, - "allowed_principals": ["",""] - } + "serverless_cluster": { + "name": "", + "resource_group_id": "$RESOURCE_GROUP_ID", + "serverless_region": "$SERVERLESS_REGION", + "private_link_id": "$SERVERLESS_PRIVATE_LINK_ID", + "networking_config": { + "private": "STATE_ENABLED", + "public": "STATE_ENABLED" } + } } EOF` 
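Review bot: the @@ -50,26 +50,27 @@ hunk replaces the `aws_private_link` block, including `allowed_principals`, with `private_link_id` and `networking_config`, but the page no longer says where the set of AWS principals allowed to connect to the endpoint service is configured; point to the PrivateLink resource that `private_link_id` refers to, or state that the restriction now lives there. Also, the example sets both `private` and `public` to `STATE_ENABLED`, and the field description says `public` defaults to enabled, so a reader who turns on private access to keep traffic off the public internet still gets a public listener unless they explicitly send `"public": "STATE_DISABLED"`; say so in the field list or show a private-only variant. Finally, `name` in the field list has no description.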
@@ -93,11 +94,11 @@ CLUSTER_ID= . Make a link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_updateserverlesscluster[`PATCH /v1/serverless-clusters/{cluster.id}`] request to update the cluster with the Redpanda PrivateLink Endpoint Service enabled. + -In the example below, make sure to set your own value for the following field: +In the example below, make sure to set your own value for the following fields: + -- -- `connect_console`: Whether to enable connections to Redpanda Console (boolean) -- `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. +- `private_link_id`: The ID of an existing PrivateLink resource in the same resource group +- `networking_config.private`: Set to `STATE_ENABLED` to enable private access -- + [,bash] @@ -117,9 +118,6 @@ curl -vv -X PATCH \ -d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/serverless/clusters/$CLUSTER_ID ---- -. Before proceeding, check the state of the Update Cluster operation by calling link:/api/doc/cloud-controlplane/operation/operation-operationservice_getoperation[`GET /v1/operations/\{id}`], and passing the operation ID returned from Update Cluster call. When the state is `STATE_READY`, proceed to the next step. - - == DNS resolution with PrivateLink PrivateLink changes how DNS resolution works for your cluster. When you query cluster hostnames outside the VPC that contains your PrivateLink endpoint, DNS may return private IP addresses that aren't reachable from your location. 
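Review bot: the link label in the context line of the @@ -93,11 +94,11 @@ hunk still reads `PATCH /v1/serverless-clusters/{cluster.id}`, while the curl below it (changed in PATCH 23) calls `$PUBLIC_API_ENDPOINT/v1/serverless/clusters/$CLUSTER_ID`; align the label with the real path. In the same hunk, the description of `networking_config.private` should also say what happens to `public` when a PATCH sets only `private`, since the field list above says at least one of the two must be enabled.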
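Review bot: the @@ -117,9 +118,6 @@ hunk deletes the step that polls `GET /v1/operations/{id}` until the Update Cluster operation reaches `STATE_READY`, and nothing replaces it, so the reader proceeds to create the VPC endpoint against a cluster whose private access may not be ready yet. Unless the update has become synchronous, keep the polling step; the Create Cluster path in the same guide still captures `operation.metadata.cluster_id`, so the operations are visibly asynchronous.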
@@ -148,7 +146,7 @@ When you have a PrivateLink-enabled cluster, you can create an endpoint to conne Get the domain (`cluster_domain`) of the cluster from the cluster details in the Redpanda Cloud Console. -For example, if the bootstrap server URL is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.eu-west-1.aw.priv.cloud.redpanda.com](cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. +For example, if the bootstrap server URL is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. [,bash] ---- @@ -269,13 +267,13 @@ aws ec2 create-vpc-endpoint \ After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. -include::networking:partial$private-links-access-rp-services-serverless.adoc[] +include::networking:partial$private-links-access-rp-service-serverless.adoc[] == Test the connection You can test the PrivateLink connection from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL: -include::networking:partial$private-links-test-connection.adoc[] +include::networking:partial$private-links-test-connection-serverless.adoc[] include::shared:partial$suggested-reading.adoc[] diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 9700f9e18..e3c81b6b0 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
@@ -1,6 +1,7 @@ = Configure AWS PrivateLink in the Cloud Console :description: Set up AWS PrivateLink in the Redpanda Cloud Console for Serverless clusters. +Existing serverless clusters can have their network modified by either the Console or the API. The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because these connections are treated as their own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. 
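Review bot: the sentence added in the @@ -1,6 +1,7 @@ hunk writes "serverless" in lower case while the `:description:` line directly above it, and the rest of these pages, capitalize `Serverless` as the product name; "can have their network modified" is also vaguer than needed, so say that private access can be enabled or disabled on an existing Serverless cluster from either the Console or the Cloud API. Make sure a blank line separates the new paragraph from the attribute entries so the document header ends where it should.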
@@ -52,19 +53,19 @@ NOTE: For help with issues when enabling PrivateLink, contact https://support.re After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. -include::networking:partial$private-links-access-rp-services-serverless.adoc[] +include::networking:partial$private-links-access-rp-service-serverless.adoc[] == Test the connection You can test the connection to the endpoint service from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL: -include::networking:partial$private-links-test-connection.adoc[] +include::networking:partial$private-links-test-connection-serverless.adoc[] == Disable endpoint service On the Cluster Settings page, deselect **Private Access**. Existing connections are closed after the AWS PrivateLink service is disabled. -NOTE: Disabling private access in Redpanda Cloud does not delete the PrivateLink endpoint in your AWS account. The endpoint remains provisioned and continues to incur charges until you explicitly delete it from your AWS account. +NOTE: Disabling private access in Redpanda Cloud does not delete the PrivateLink endpoint in your AWS account or the PrivateLink resource in Redpanda Cloud. Both remain provisioned and continue to incur charges until you explicitly delete them. include::shared:partial$suggested-reading.adoc[] diff --git a/modules/networking/partials/private-links-access-rp-service-serverless.adoc b/modules/networking/partials/private-links-access-rp-service-serverless.adoc index bdc20a617..8ecf64abd 100644 --- a/modules/networking/partials/private-links-access-rp-service-serverless.adoc +++ b/modules/networking/partials/private-links-access-rp-service-serverless.adoc 
@@ -1,13 +1,12 @@ -You can access Redpanda services such as Schema Registry and HTTP Proxy from the client VPC or virtual network; for example, from a compute instance in the VPC or network. +You can access Redpanda services such as the Kafka API and Schema Registry from the client VPC or virtual network; for example, from a compute instance in the VPC or network. The bootstrap server hostname is unique to each cluster. The service attachment exposes a set of bootstrap ports for access to Redpanda services. These ports load balance requests among brokers. Make sure you use the following ports for initiating a connection from a consumer: -|=== -| Redpanda service | Default bootstrap port +|=== +| Redpanda service | Default bootstrap port -| Kafka API | 9092 -| HTTP Proxy | 30282 -| Schema Registry | 8081 +| Kafka API | 9092 +| Schema Registry | 8081 |=== === Access Kafka API seed service @@ -30,10 +29,10 @@ redpanda.rp-cki01qgth38kk81ard3g BROKERS ======= -ID HOST PORT RACK -0* 0-3da65a4a-0532364.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com 9092 use2-az1 -1 1-3da65a4a-63b320c.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com 9093 use2-az1 -2 2-3da65a4a-36068dc.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com 9094 use2-az1 +ID HOST PORT RACK +0* 0-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 +1 1-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 +2 2-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 ---- === Access Schema Registry seed service @@ -44,12 +43,3 @@ Use port `8081` to access the Schema Registry seed service. ---- curl -vv -u : -H "Content-Type: application/vnd.schemaregistry.v1+json" --sslv2 --http2 :8081/subjects ---- - -=== Access HTTP Proxy seed service - -Use port `30282` to access the Redpanda HTTP Proxy seed service. - -[,bash] ----- -curl -vv -u : -H "Content-Type: application/vnd.kafka.json.v2+json" --sslv2 --http2 :30282/topics ----- 
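Review bot: removing the HTTP Proxy section in the @@ -44,12 +43,3 @@ hunk resolves the mismatch with PATCH 16, which dropped the 30282 ingress rule, but the retained Schema Registry line, visible as context, still carries `--sslv2`; drop it or replace it with `--tlsv1.2`. In the @@ -1,13 +1,12 @@ hunk the `|===` and header lines are removed and re-added unchanged, which is whitespace noise; only the HTTP Proxy row actually goes.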
diff --git a/modules/networking/partials/private-links-test-connection-serverless.adoc b/modules/networking/partials/private-links-test-connection-serverless.adoc new file mode 100644 index 000000000..e83ff58e6 --- /dev/null +++ b/modules/networking/partials/private-links-test-connection-serverless.adoc @@ -0,0 +1,31 @@ +. Set the following environment variables. ++ +[,bash] +---- +export RPK_BROKERS=':9092' +export RPK_TLS_ENABLED=true +export RPK_SASL_MECHANISM="" +export RPK_USER= +export RPK_PASS= +---- + +. Create a test topic. ++ +[,bash] +---- +rpk topic create test-topic +---- + +. Produce to the test topic. ++ +[,bash] +---- +echo 'hello world' | rpk topic produce test-topic +---- + +. Consume from the test topic. ++ +[,bash] +---- +rpk topic consume test-topic -n 1 +---- From 7267ea09551bfed37d83a5a8983c5a2f62cace21 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 20 Jan 2026 21:50:42 -0700 Subject: [PATCH 27/46] cleanup & rendering edits --- .../networking/pages/serverless/aws/privatelink-api.adoc | 8 ++------ .../networking/pages/serverless/aws/privatelink-ui.adoc | 4 ++-- .../private-links-access-rp-service-serverless.adoc | 2 -- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 1af2b2b4e..4a4e281b3 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
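Review bot: the new test-connection partial creates `test-topic` and never removes it, so every connectivity test leaves a topic behind on a billed cluster; add a final step with `rpk topic delete test-topic`. Two smaller points: `RPK_SASL_MECHANISM=""` is the only placeholder in quotes, and the step should say which mechanism value Serverless accepts; and because `export RPK_PASS=...` lands in shell history, a line such as `read -rs RPK_PASS && export RPK_PASS` is a safer way to set it.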
@@ -1,8 +1,6 @@ = Configure AWS PrivateLink with the Cloud API :description: Set up AWS PrivateLink with the Cloud API for Serverless clusters. -NOTE: This guide is for configuring AWS PrivateLink on Serverless clusters using the Redpanda Cloud API. See xref:networking:serverless/aws/privatelink-ui.adoc[Configure PrivateLink in the Redpanda Cloud Console] if you want to set up the endpoint service using the Redpanda Cloud Console. - The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because a PrivateLink connection is treated as its own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. Consider using the PrivateLink endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. @@ -216,9 +214,7 @@ SECURITY_GROUP_ID= === Add security group rules -The following example adds security group rules that work for any broker count by opening the documented per-broker port ranges. - -NOTE: For PrivateLink, clients connect to individual ports for each broker in ranges 32000-32500 (Kafka API) and 35000-35500 (HTTP Proxy). Opening only a few ports by broker count can break producers/consumers for topics with many partitions. See xref:networking:cloud-security-network.adoc#private-service-connectivity-network-ports[Private service connectivity network ports]. +The following example adds security group rules to allow access to Redpanda services. [,bash] ---- @@ -234,7 +230,7 @@ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ # Allow Redpanda Cloud Data Plane API / Prometheus (if needed) aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ --group-id $SECURITY_GROUP_ID --protocol tcp --port 443 --cidr 0.0.0.0/0 - +---- === Create VPC subnet 
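Review bot: the @@ -1,8 +1,6 @@ hunk removes the only cross-reference from the API guide to xref:networking:serverless/aws/privatelink-ui.adoc; the intro can go without the NOTE, but keep a one-line pointer to the Console guide (and the reciprocal pointer on the UI page) so readers land on the procedure that matches how they manage the cluster.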
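Review bot: the @@ -216,9 +214,7 @@ hunk replaces the per-broker port explanation and the xref to "Private service connectivity network ports" with a sentence that explains nothing; since PATCH 17 already dropped the 32000-32500 and 35000-35500 rules, say explicitly that Serverless PrivateLink clients only need the bootstrap ports this listing opens, if that is the case, because readers coming from the Dedicated/BYOC PrivateLink guides will expect the port ranges and may add them anyway. The `+----` in the @@ -234,7 +230,7 @@ hunk restores the listing delimiter that PATCH 17 removed, which is the right fix.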
diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index e3c81b6b0..7b6dfe31a 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -1,12 +1,12 @@ = Configure AWS PrivateLink in the Cloud Console :description: Set up AWS PrivateLink in the Redpanda Cloud Console for Serverless clusters. -Existing serverless clusters can have their network modified by either the Console or the API. - The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because these connections are treated as their own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. Consider using the endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. +Existing serverless clusters can have their network modified by either the Console or the API. + [NOTE] ==== * Each client VPC can have one endpoint connected to the PrivateLink service. diff --git a/modules/networking/partials/private-links-access-rp-service-serverless.adoc b/modules/networking/partials/private-links-access-rp-service-serverless.adoc index 8ecf64abd..e77bd0062 100644 --- a/modules/networking/partials/private-links-access-rp-service-serverless.adoc +++ b/modules/networking/partials/private-links-access-rp-service-serverless.adoc @@ -24,11 +24,9 @@ When successful, the `rpk` output should look like the following: [,bash,role=no-copy] ---- CLUSTER -======= redpanda.rp-cki01qgth38kk81ard3g BROKERS -======= ID HOST PORT RACK 0* 0-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 1 1-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 
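Review bot: the @@ -24,11 +24,9 @@ hunk strips the `=======` underlines from the sample `rpk cluster info` output; those lines are part of what rpk prints, so the `role=no-copy` sample no longer matches what a user sees when the connection works. The listing is already a verbatim `----` block, so the underlines should not affect rendering; keep them unless they demonstrably break the page.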
From cfdd19b75da88fddc16b408d522aacad3f9f8451 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 22 Jan 2026 15:15:01 -0700 Subject: [PATCH 28/46] minor edits --- .../pages/cluster-types/serverless.adoc | 16 +++++----------- modules/get-started/pages/whats-new-cloud.adoc | 2 +- .../pages/serverless/aws/privatelink-ui.adoc | 1 + 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index 41c3346cb..b69c967fc 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc @@ -7,7 +7,7 @@ Serverless is the fastest and easiest way to start data streaming. With Serverle [NOTE] ==== -* Serverless on GCP is currently in a glossterm:beta[] release. +Serverless on GCP is currently in a glossterm:beta[] release. ==== 
@@ -45,13 +45,15 @@ To create a Serverless cluster: . In the https://cloud.redpanda.com[Redpanda Cloud UI^], on the **Clusters** page, click **Create cluster**, then click **Create Serverless cluster**. -. Enter a cluster name, then select the resource group. If you don't have an existing resource group, you can create one. Refresh the page to see newly-created resource groups. +. Enter a cluster name, then select the resource group. ++ +If you don't have an existing resource group, you can create one. Refresh the page to see newly-created resource groups. . Select a cloud provider and xref:reference:tiers/serverless-regions.adoc[region]. For best performance, select the region closest to your applications. Redpanda expects your applications to be deployed in the same cloud provider and region as your Serverless cluster. + Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled. Enabling private access incurs additional charges. If you select private access, you can either create a new PrivateLink, or, if you have PrivateLinks for other Serverless clusters in this same resource group, you can use an existing PrivateLink. + -You can enable or disable private access at any time from the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail. However, the PrivateLink endpoint in your AWS account and the PrivateLink resource in Redpanda Cloud both remain provisioned and continue to incur charges until you explicitly delete them. +You can enable or disable private access at any time on the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail. 
However, the PrivateLink endpoint in your AWS account and the PrivateLink resource in Redpanda Cloud both remain provisioned and continue to incur charges until you explicitly delete them. . Click **Create cluster**. @@ -74,14 +76,6 @@ Follow the steps in the UI to use `rpk` to interact with your cluster from the c NOTE: Redpanda Serverless is opinionated about Kafka configurations. For example, automatic topic creation is disabled. Some systems expect the Kafka service to automatically create topics when a message is produced to a topic that doesn't exist. Create topics on the *Topics* page or with `rpk topic create`. -The *How to connect - Kafka API* tab lists your bootstrap server URL and security settings. This area includes code examples for creating a Kafka client to interact with your cluster. Or, Redpanda can generate a sample application to interact with your cluster. Run xref:reference:rpk/rpk-generate/rpk-generate-app.adoc[`rpk generate app`], and select your preferred programming language. Follow the commands in the terminal to run the application, create a demo topic, produce to the topic, and consume the data back. - -Explore the rest of the UI: - -* Go to the *Topics* page to create new topics for data streams. -* Under the *Actions* dropdown, produce messages to topics. -* Add team members with permissions on the *Security* page. - == Supported features * Redpanda Serverless supports the Kafka API. Serverless clusters work with all Kafka clients. See xref:develop:kafka-clients.adoc[]. diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 5a1b1f426..e72ed584b 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
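Review bot: In the `@@ -45,13` hunk the cost information is now split between "Enabling private access incurs additional charges" in the step and "continue to incur charges until you explicitly delete them" in the disable paragraph, but neither says where the two leftover resources are deleted (the endpoint in the reader's AWS account, the PrivateLink resource in Redpanda Cloud); add a pointer to the page that covers deletion so the reader can actually stop the charges. The `@@ -74,14` hunk removes the "How to connect - Kafka API" paragraph and the "Explore the rest of the UI" list; confirm the bootstrap-server and `rpk generate app` guidance still appears elsewhere on the page, since the remaining context ends at the `rpk topic create` note.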
@@ -10,7 +10,7 @@ This page lists new features added to Redpanda Cloud. === Serverless on AWS: GA -xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This GA release includes private networking with AWS PrivateLink and the ability to view and export metrics from Serverless clusters to third-party monitoring systems. +xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to view and export metrics from Serverless clusters to third-party monitoring systems. === Redpanda Connect and Roles in Terraform provider diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 7b6dfe31a..f5e943797 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -67,6 +67,7 @@ On the Cluster Settings page, deselect **Private Access**. Existing connections NOTE: Disabling private access in Redpanda Cloud does not delete the PrivateLink endpoint in your AWS account or the PrivateLink resource in Redpanda Cloud. Both remain provisioned and continue to incur charges until you explicitly delete them. + include::shared:partial$suggested-reading.adoc[] * xref:networking:serverless/aws/privatelink-api.adoc[] From 3891a5b8658e8a277df54a01faf746b3d79325ba Mon Sep 17 00:00:00 2001 From: micheleRP Date: Fri, 23 Jan 2026 14:50:06 -0700 Subject: [PATCH 29/46] minor edits --- .../pages/cluster-types/serverless.adoc | 15 ++++++++++----- .../pages/serverless/aws/privatelink-api.adoc | 19 +++++++++++++++---- .../pages/serverless/aws/privatelink-ui.adoc | 2 +- 3 files changed, 26 insertions(+), 10 deletions(-) diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index b69c967fc..2ebaa68ed 100644 
--- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc @@ -43,7 +43,7 @@ include::get-started:partial$get-started-serverless.adoc[] To create a Serverless cluster: -. In the https://cloud.redpanda.com[Redpanda Cloud UI^], on the **Clusters** page, click **Create cluster**, then click **Create Serverless cluster**. +. In the https://cloud.redpanda.com[Redpanda Cloud Console^], on the **Clusters** page, click **Create cluster**, then click **Create Serverless cluster**. . Enter a cluster name, then select the resource group. + 
@@ -51,9 +51,14 @@ If you don't have an existing resource group, you can create one. Refresh the pa . Select a cloud provider and xref:reference:tiers/serverless-regions.adoc[region]. For best performance, select the region closest to your applications. Redpanda expects your applications to be deployed in the same cloud provider and region as your Serverless cluster. + -Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. A Serverless cluster can have both public and private access enabled. Enabling private access incurs additional charges. If you select private access, you can either create a new PrivateLink, or, if you have PrivateLinks for other Serverless clusters in this same resource group, you can use an existing PrivateLink. +Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. + -You can enable or disable private access at any time on the cluster's *Settings* page. After private access is disabled, attempts to reach the private endpoints will fail. However, the PrivateLink endpoint in your AWS account and the PrivateLink resource in Redpanda Cloud both remain provisioned and continue to incur charges until you explicitly delete them. +** A Serverless cluster can have both public and private access enabled. +** You can either create a new PrivateLink or use an existing one from the same resource group. +** You can enable or disable private access at any time on the cluster's *Settings* page. +** Enabling private access incurs additional charges. ++ +NOTE: After private access is disabled, attempts to reach the private endpoints will fail. 
However, the PrivateLink endpoint in your AWS account and the PrivateLink resource in Redpanda Cloud both remain provisioned and continue to incur charges until you explicitly delete them. . Click **Create cluster**. @@ -67,7 +72,7 @@ The *Overview* page lists your bootstrap server URL and security settings in the Or, Redpanda can generate a sample application to interact with your cluster. Run xref:reference:rpk/rpk-generate/rpk-generate-app.adoc[`rpk generate app`], and select Go as the language. Follow the commands in the terminal to run the application, create a demo topic, produce to the topic, and consume the data back. -Follow the steps in the UI to use `rpk` to interact with your cluster from the command line. Here are some helpful commands: +Follow the steps in the Console to use `rpk` to interact with your cluster from the command line. Here are some helpful commands: * xref:reference:rpk/rpk-cloud/rpk-cloud-login.adoc[`rpk cloud login`]: Use this to log in to Redpanda Cloud or to refresh the session. * xref:reference:rpk/rpk-topic.adoc[`rpk topic`]: Use this to manage topics, produce data, and consume data. @@ -79,7 +84,7 @@ NOTE: Redpanda Serverless is opinionated about Kafka configurations. For example == Supported features * Redpanda Serverless supports the Kafka API. Serverless clusters work with all Kafka clients. See xref:develop:kafka-clients.adoc[]. -* Serverless clusters support all major Apache Kafka messages for managing topics, producing/consuming data (including transactions), managing groups, managing offsets, and managing ACLs. (User management is available in the Redpanda Cloud UI or with `rpk security acl`.) +* Serverless clusters support all major Apache Kafka messages for managing topics, producing/consuming data (including transactions), managing groups, managing offsets, and managing ACLs. (User management is available in the Redpanda Cloud Console or with `rpk security acl`.) === Unsupported features 
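Review bot: The `@@ -43,7` and `@@ -79,7` hunks rename "Redpanda Cloud UI" to "Redpanda Cloud Console", but the BYOC create-cluster pages touched later in this series still say "follow the instructions in the Redpanda Cloud UI. The UI contains the parameters", so the rename is partial; either do a repo-wide pass or leave terminology to a dedicated change. In the `@@ -51,9` hunk the four `**` items hang off the `.` step through `+` without a level-one `*` parent; AsciiDoc renders that as a second-level list, so plain `*` markers give the intended single-level bullets. The NOTE that follows carries the operational consequence ("attempts to reach the private endpoints will fail"); keeping it adjacent to the "enable or disable" bullet, as it is, is the right placement.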
diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 4a4e281b3..26a4fb56c 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -41,20 +41,23 @@ Copy and store the resource group ID (UUID) from the URL in the browser. export RESOURCE_GROUP_ID= ---- -. Create a new Serverless cluster with the endpoint service enabled by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_createserverlesscluster[`POST /v1/serverless-clusters`]. +. Create a new Serverless cluster with the endpoint service enabled by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_createserverlesscluster[`POST /v1/serverless/clusters`]. + In the example below, make sure to set your own values for the following fields: + -- - `name` -- `serverless_region`: for example, `"pro-us-east-1"` -- `private_link_id`: The ID of an existing PrivateLink resource in the same resource group +- `serverless_region`: for example, `"us-east-1"` +- `private_link_id`: The ID of an existing PrivateLink resource in the same resource group. You can find this in the cluster overview page in the Redpanda Cloud Console. - `networking_config.private` and `networking_config.public`: Valid values are `STATE_ENABLED` or `STATE_DISABLED`. At least one must be enabled. If neither is specified, `public` defaults to `STATE_ENABLED`. -- + [,bash] ---- +# Set the serverless region (for example, us-east-1) SERVERLESS_REGION= + +# Set the PrivateLink ID SERVERLESS_PRIVATE_LINK_ID= CLUSTER_POST_BODY=`cat << EOF 
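Review bot: In the `@@ -41,20` hunk the new description of `private_link_id` says "You can find this in the cluster overview page in the Redpanda Cloud Console", but this step creates the cluster, so there is no overview page yet; the PrivateLink resource belongs to the resource group, and the reader needs to be told where to obtain or create it before this call (the `@@ -90,7` hunk that follows repeats the same pointer for the existing-cluster path, where the cluster has no private link attached yet either). The path correction to `/v1/serverless/clusters` and the region example `"us-east-1"` should be checked against the linked operation page so the two stay in sync. Adding `REGION=` next to `PROFILE=` in the `@@ -175,6` hunk is a good catch; `$REGION` was used unset in the `aws ec2 create-vpc` line before.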
@@ -90,7 +93,14 @@ echo $CLUSTER_ID CLUSTER_ID= ---- -. Make a link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_updateserverlesscluster[`PATCH /v1/serverless-clusters/{cluster.id}`] request to update the cluster with the Redpanda PrivateLink Endpoint Service enabled. +. Get the PrivateLink ID from the cluster overview page in the Redpanda Cloud Console. ++ +[,bash] +---- +SERVERLESS_PRIVATE_LINK_ID= +---- + +. Make a link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_updateserverlesscluster[`PATCH /v1/serverless/clusters/{cluster.id}`] request to update the cluster with the Redpanda PrivateLink Endpoint Service enabled. + In the example below, make sure to set your own value for the following fields: + @@ -175,6 +185,7 @@ The VPC region must be the same region where the Redpanda cluster is deployed. T ---- # See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html for # information on profiles and credential files +REGION= PROFILE= aws ec2 create-vpc --region $REGION --profile $PROFILE --cidr-block 10.0.0.0/20 diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index f5e943797..f50683355 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -5,7 +5,7 @@ The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Consider using the endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. -Existing serverless clusters can have their network modified by either the Console or the API. +You can create a new Serverless cluster with PrivateLink enabled, or enable PrivateLink for existing clusters using either the Console or the API. [NOTE] ==== From e5fe10057e1ffc5c6f05d3f8e46279ce2c857dd1 Mon Sep 17 00:00:00 2001 
From: Michele Cyran Date: Mon, 26 Jan 2026 14:14:02 -0700 Subject: [PATCH 30/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 26a4fb56c..7d4836068 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -138,7 +138,7 @@ Ensure that the inbound endpoint's security group allows inbound UDP/TCP port 53 . In each other VPC that must resolve the cluster domain, create a Resolver outbound endpoint and a forwarding rule for `` that targets the inbound endpoint IPs from the previous step. Associate the rule to those VPCs. + -The cluster domain is the suffix after the seed hostname. For example, if your bootstrap server URL is: cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092, then `cluster_domain` is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. +The cluster domain is the suffix after the seed hostname. For example, if your bootstrap server URL is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. . For on-premises DNS, create a conditional forwarder for `` that forwards to the inbound endpoint IPs from the earlier step (over VPN/Direct Connect). + [IMPORTANT] From 769ea64c8f98c63787a5bb6c296d151d6d483d90 Mon Sep 17 00:00:00 2001 
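Review bot: Backticking the bootstrap URL is fine, but in the same hunk's context the step reads "a forwarding rule for `` that targets the inbound endpoint IPs", so the cluster-domain placeholder inside the inline code is empty and the most important value of the step is invisible; if the source uses an angle-bracket placeholder such as `<cluster_domain>`, it needs escaping or a `+...+` passthrough to survive rendering. Also, "allows inbound UDP/TCP port 53" on the inbound Resolver endpoint should name the source (the forwarding VPCs' CIDRs or the on-premises ranges reached over VPN/Direct Connect) rather than leave it open.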
From: Michele Cyran Date: Mon, 26 Jan 2026 14:14:11 -0700 Subject: [PATCH 31/46] Update modules/networking/partials/private-links-access-rp-service-serverless.adoc Co-authored-by: Sarah Haskins --- .../private-links-access-rp-service-serverless.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/networking/partials/private-links-access-rp-service-serverless.adoc b/modules/networking/partials/private-links-access-rp-service-serverless.adoc index e77bd0062..53e82671e 100644 --- a/modules/networking/partials/private-links-access-rp-service-serverless.adoc +++ b/modules/networking/partials/private-links-access-rp-service-serverless.adoc @@ -28,9 +28,9 @@ redpanda.rp-cki01qgth38kk81ard3g BROKERS ID HOST PORT RACK -0* 0-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 -1 1-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 -2 2-cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9092 use1-az1 +0* cki01qgth38kk81ard3g-0.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9093 use1-az1 +1 cki01qgth38kk81ard3g-1.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9094 use1-az1 +2 cki01qgth38kk81ard3g-2.any.us-east-1.aw.priv.prd.cloud.redpanda.com 9095 use1-az1 ---- === Access Schema Registry seed service From 854f76b674f5f59b54e1a53e72ba364eba3df386 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Mon, 26 Jan 2026 14:14:19 -0700 Subject: [PATCH 32/46] Update modules/networking/pages/serverless/aws/privatelink-ui.adoc Co-authored-by: Sarah Haskins --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index f50683355..3c2960b06 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
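Review bot: The new broker hostnames `cki01qgth38kk81ard3g-0.any.us-east-1.aw.priv.prd.cloud.redpanda.com` are not subdomains of the `cluster_domain` the DNS steps tell readers to forward (`cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`, defined just before as "the suffix after the seed hostname"); a Route 53 Resolver forwarding rule matches its domain and the names beneath it, so queries for `<id>-0.any...` would not be forwarded and clients that reconnect to individual brokers from metadata would fail to resolve them. Either the rule should target the shared parent (`any.us-east-1.aw.priv.prd.cloud.redpanda.com`) or the broker names should sit under the cluster domain; please confirm which is correct before merging. The per-broker ports 9093-9095 shown here also need to be reflected in the security-group rules section of the API page, whose visible rules cover only 8081 and 443.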
@@ -34,7 +34,7 @@ Ensure that the inbound endpoint's security group allows inbound UDP/TCP port 53 . In each other VPC that must resolve the cluster domain, create a Resolver outbound endpoint and a forwarding rule for `` that targets the inbound endpoint IPs from the previous step. Associate the rule to those VPCs. + -The cluster domain is the suffix after the seed hostname. For example, if your bootstrap server URL is: cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092, then `cluster_domain` is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. +The cluster domain is the suffix after the seed hostname. For example, if your bootstrap server URL is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.any.us-east-1.aw.priv.prd.cloud.redpanda.com`. . For on-premises DNS, create a conditional forwarder for `` that forwards to the inbound endpoint IPs from the earlier step (over VPN/Direct Connect). + [IMPORTANT] From f3dc5bec0bfbecf4ecb805aec7f664aae07350f9 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Mon, 26 Jan 2026 14:45:25 -0700 Subject: [PATCH 33/46] Resolve PR review comments for serverless privatelink-api.adoc Add PrivateLink resource creation API example, improve JSON formatting, add rpk cluster select documentation, and clean up whitespace. Co-Authored-By: Claude Sonnet 4.5 --- .../pages/serverless/aws/privatelink-api.adoc | 74 +++++++++++++------ 1 file changed, 51 insertions(+), 23 deletions(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 7d4836068..b4b2f6f9e 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
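Review bot: The context line "a forwarding rule for `` that targets the inbound endpoint IPs" has nothing inside the inline code on this page as well, so the domain the rule should match is not shown; make sure the `cluster_domain` placeholder survives rendering (escape angle-bracket placeholders in AsciiDoc) when applying the backtick fix.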
@@ -30,9 +30,11 @@ NOTE: Enabling PrivateLink changes private DNS behavior for your cluster. Before include::networking:partial$private-links-api-access-token.adoc[] -== Create new cluster with PrivateLink endpoint service enabled +== Create a PrivateLink resource + +Before you can create a Serverless cluster with PrivateLink enabled, you must first create a PrivateLink resource in your resource group. -. In the https://cloud.redpanda.com/[Redpanda Cloud Console^], go to **Resource groups** and select the resource group in which you want to create a cluster. +. In the https://cloud.redpanda.com/[Redpanda Cloud Console^], go to **Resource groups** and select the resource group in which you want to create a PrivateLink resource. + Copy and store the resource group ID (UUID) from the URL in the browser. + 
@@ -41,37 +43,63 @@ Copy and store the resource group ID (UUID) from the URL in the browser. export RESOURCE_GROUP_ID= ---- -. Create a new Serverless cluster with the endpoint service enabled by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_createserverlesscluster[`POST /v1/serverless/clusters`]. +. Set the Serverless region where you want to create the PrivateLink resource (for example, `us-east-1`). + -In the example below, make sure to set your own values for the following fields: +[,bash] +---- +export SERVERLESS_REGION= +---- + +. Create a new PrivateLink resource by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessprivatelinkservice_createserverlessprivatelink[`POST /v1/serverless/private-links`]. ++ +[,bash] +---- +PL_POST_BODY=`cat << EOF +{ + "serverless_private_link": { + "resource_group_id": "$RESOURCE_GROUP_ID", + "serverless_region": "$SERVERLESS_REGION" + } +} +EOF` + +SERVERLESS_PRIVATE_LINK_ID=`curl -vv -X POST \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $AUTH_TOKEN" \ + -d "$PL_POST_BODY" $PUBLIC_API_ENDPOINT/v1/serverless/private-links | jq -r .operation.metadata.serverless_private_link_id` + +echo $SERVERLESS_PRIVATE_LINK_ID +---- + +Store the PrivateLink ID for use in the following steps. + +== Create new cluster with PrivateLink endpoint service enabled + +Using the `RESOURCE_GROUP_ID` and `SERVERLESS_PRIVATE_LINK_ID` from the previous step, create a new Serverless cluster with the endpoint service enabled by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_createserverlesscluster[`POST /v1/serverless/clusters`]. + +In the example below, make sure to set your own values for the following fields: + -- - `name` - `serverless_region`: for example, `"us-east-1"` -- `private_link_id`: The ID of an existing PrivateLink resource in the same resource group. 
You can find this in the cluster overview page in the Redpanda Cloud Console. +- `private_link_id`: The ID of the PrivateLink resource created in the previous step - `networking_config.private` and `networking_config.public`: Valid values are `STATE_ENABLED` or `STATE_DISABLED`. At least one must be enabled. If neither is specified, `public` defaults to `STATE_ENABLED`. -- -+ + [,bash] ---- -# Set the serverless region (for example, us-east-1) -SERVERLESS_REGION= - -# Set the PrivateLink ID -SERVERLESS_PRIVATE_LINK_ID= - CLUSTER_POST_BODY=`cat << EOF { - "serverless_cluster": { - "name": "", - "resource_group_id": "$RESOURCE_GROUP_ID", - "serverless_region": "$SERVERLESS_REGION", - "private_link_id": "$SERVERLESS_PRIVATE_LINK_ID", - "networking_config": { - "private": "STATE_ENABLED", - "public": "STATE_ENABLED" + "serverless_cluster": { + "name": "", + "resource_group_id": "$RESOURCE_GROUP_ID", + "serverless_region": "$SERVERLESS_REGION", + "private_link_id": "$SERVERLESS_PRIVATE_LINK_ID", + "networking_config": { + "private": "STATE_ENABLED", + "public": "STATE_ENABLED" + } } - } } EOF` @@ -85,7 +113,6 @@ echo $CLUSTER_ID == Enable PrivateLink endpoint service for existing clusters - . In the Redpanda Cloud Console, go to the cluster overview and copy the cluster ID from the **Details** section. + [,bash] @@ -237,7 +264,6 @@ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ --group-id $SECURITY_GROUP_ID --protocol tcp --port 8081 --cidr 0.0.0.0/0 - # Allow Redpanda Cloud Data Plane API / Prometheus (if needed) aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \ --group-id $SECURITY_GROUP_ID --protocol tcp --port 443 --cidr 0.0.0.0/0 
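Review bot: In the `@@ -41,37` hunk the `curl -vv` call that creates the PrivateLink resource sends `Authorization: Bearer $AUTH_TOKEN`, and `-vv` echoes request headers, so the bearer token lands in the terminal and in any captured session log; use `-sS` (and `--fail-with-body` if the installed curl supports it) in documented commands and keep verbose flags out of anything readers will copy. The same command pipes the response straight into `jq -r .operation.metadata.serverless_private_link_id` with no status check, so on a 4xx the variable silently becomes `null` and the later cluster create fails with a confusing error; recommend checking the operation result before continuing, and saying whether the resource must finish provisioning before `POST /v1/serverless/clusters` accepts its ID. Minor: the backtick command substitution around the heredoc works, but `$(...)` reads better and nests safely.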
@@ -282,6 +308,8 @@ You can test the PrivateLink connection from any VM or container in the consumer include::networking:partial$private-links-test-connection-serverless.adoc[] +NOTE: If both public and private access are enabled for your cluster, `rpk cloud cluster select` will prompt you to choose between public or private connectivity when you select the cluster. + include::shared:partial$suggested-reading.adoc[] * link:/api/doc/cloud-controlplane/topic/topic-cloud-api-overview[Cloud API Overview] From 552b86f34e676af4db6dbe8bd9e70592b7cd1914 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 28 Jan 2026 11:26:29 -0700 Subject: [PATCH 34/46] update create private link in api --- .../get-started/pages/whats-new-cloud.adoc | 2 +- .../pages/serverless/aws/privatelink-api.adoc | 39 ++++++++++++++++--- 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index e72ed584b..17c2dc967 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -10,7 +10,7 @@ This page lists new features added to Redpanda Cloud. === Serverless on AWS: GA -xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to view and export metrics from Serverless clusters to third-party monitoring systems. +xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to view and export metrics from Serverless clusters to third-party monitoring systems. Serverless is the easiest and fastest way to begin streaming data with Redpanda. Start small and iterate on a budget, with full confidence that your Redpanda code will scale to production. === Redpanda Connect and Roles in Terraform provider 
diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index b4b2f6f9e..43bc160ca 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -56,19 +56,46 @@ export SERVERLESS_REGION= ---- PL_POST_BODY=`cat << EOF { - "serverless_private_link": { - "resource_group_id": "$RESOURCE_GROUP_ID", - "serverless_region": "$SERVERLESS_REGION" - } + "serverless_private_link": { + "name": "", + "resource_group_id": "$RESOURCE_GROUP_ID", + "serverless_region": "$SERVERLESS_REGION", + "cloudprovider": "CLOUD_PROVIDER_AWS", + "aws_config": { + "allowed_principals": [ + "arn:aws:iam:::root" + ] + } + } } EOF` -SERVERLESS_PRIVATE_LINK_ID=`curl -vv -X POST \ +PL_ID=`curl -vv -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $AUTH_TOKEN" \ -d "$PL_POST_BODY" $PUBLIC_API_ENDPOINT/v1/serverless/private-links | jq -r .operation.metadata.serverless_private_link_id` -echo $SERVERLESS_PRIVATE_LINK_ID +echo $PL_ID +---- ++ +You can also update private links to add or remove allowed principals. ++ +[,bash] +---- +PL_PATCH_BODY=`cat << EOF +{ + "aws_config": { + "allowed_principals": [ + "arn:aws:iam:::root" + ] + } +} +EOF` + +curl -vv -X PATCH \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $AUTH_TOKEN" \ + -d "$PL_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/serverless/private-links/$PL_ID ---- + Store the PrivateLink ID for use in the following steps. From 2c2344081ae1f23313eb495ecb8c6bd80d37e52e Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 28 Jan 2026 11:47:35 -0700 Subject: [PATCH 35/46] add prereq to create PL on Networking if necessary --- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
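Review bot: The captured ID is renamed from `SERVERLESS_PRIVATE_LINK_ID` to `PL_ID` (`PL_ID=` and `echo $PL_ID`), but the cluster-create body in the next section still reads `"private_link_id": "$SERVERLESS_PRIVATE_LINK_ID"` and is not touched by this patch (the stat shows a single hunk in this file), so readers who follow the steps create a cluster with an empty `private_link_id`; keep the old name or update the consumer in the same commit. On the body itself, `"arn:aws:iam:::root"` has nothing between the colons where the AWS account ID belongs (check that the placeholder renders), and because an account-root principal lets any identity in that account create an endpoint to the service, the text should say this list is the authorization boundary for who may connect and, if the API accepts them, that a narrower IAM role or user ARN can be listed instead. The PATCH example should also state whether `allowed_principals` replaces the existing list or merges with it; "add or remove allowed principals" implies replace semantics, which readers need to know before sending a partial list.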
diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 3c2960b06..33eb1e05d 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -44,10 +44,12 @@ Do not configure forwarding rules to target the VPC's Amazon-provided DNS resolv == Enable endpoint service for existing clusters -. In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. +If you do not already have a PrivateLink resource for your cluster's resource group and region, create one at the organization level on the *Networking* page. For Serverless clusters, click **Create private link**. + +. Select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. . Under Networking, select **Private Access** and then select an existing private link. -NOTE: For help with issues when enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. +NOTE: For help with issues enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. == Access Redpanda services through VPC endpoint From c93e1f2558f3dd2773758882381c21eb2f18d2eb Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 29 Jan 2026 15:01:04 -0700 Subject: [PATCH 36/46] minor edit --- modules/get-started/pages/whats-new-cloud.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 17c2dc967..7f8167cb9 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
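Review bot: The new prerequisite sentence tells readers to create a PrivateLink resource on the *Networking* page but not what it requires; the API page for the same resource takes the resource group, the region and the AWS principals allowed to connect, and that last input decides which AWS accounts can reach the service at all, so list the inputs the reader must have ready so the UI and API pages agree. Also, "If you do not already have a PrivateLink resource ..." sits as a paragraph between the heading and the numbered steps; making it step 1 or a NOTE keeps the procedure scannable.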
@@ -10,7 +10,7 @@ This page lists new features added to Redpanda Cloud. === Serverless on AWS: GA -xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to view and export metrics from Serverless clusters to third-party monitoring systems. Serverless is the easiest and fastest way to begin streaming data with Redpanda. Start small and iterate on a budget, with full confidence that your Redpanda code will scale to production. +xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to view and export metrics to third-party monitoring systems. Serverless is the easiest and fastest way to begin streaming data with Redpanda. Start small and iterate on a budget, with confidence that your Redpanda code will scale to production. === Redpanda Connect and Roles in Terraform provider From 171fcc4e2fb044d19a2fa0b99262ff22b73cd396 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 29 Jan 2026 15:26:36 -0700 Subject: [PATCH 37/46] minor edit --- modules/get-started/pages/whats-new-cloud.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index a0bd6eb6c..0a4aef3b9 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -6,11 +6,13 @@ This page lists new features added to Redpanda Cloud. -== January 2026 +== February 2026 === Serverless on AWS: GA -xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to view and export metrics to third-party monitoring systems. Serverless is the easiest and fastest way to begin streaming data with Redpanda. Start small and iterate on a budget, with confidence that your Redpanda code will scale to production. +xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to export metrics to third-party monitoring systems. Serverless is the easiest and fastest way to begin streaming data with Redpanda. Start small and iterate on a budget, with confidence that your Redpanda code will scale to production. + +== January 2026 === Redpanda Connect updates From b1f5211c6785858747fd7f248a77cda2d0ab9ff9 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Sun, 1 Feb 2026 18:10:35 -0700 Subject: [PATCH 38/46] edit for Create button --- .../pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc | 2 +- .../cluster-types/byoc/azure/create-byoc-cluster-azure.adoc | 2 +- .../pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc | 2 +- .../pages/cluster-types/create-dedicated-cloud-cluster.adoc | 2 +- modules/get-started/pages/cluster-types/serverless.adoc | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc b/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc index 318fdb04d..cfaef49a8 100644 --- a/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc +++ b/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc 
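Review bot: The whats-new-cloud.adoc hunk moves the Serverless GA entry under a new `== February 2026` heading in a commit dated 29 Jan 2026, while `== January 2026` is re-added below it with only the Redpanda Connect entry; confirm the GA announcement month is really February before merging, since the entry previously sat under January and release notes are hard to correct after publication.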
@@ -25,7 +25,7 @@ To verify access, you should be able to successfully run `aws sts get-caller-ide == Create a BYOC cluster . Log in to https://cloud.redpanda.com[Redpanda Cloud^]. -. On the Clusters page, click *Create cluster*, then click *Create BYOC cluster*. +. On the Clusters page, click *Create cluster*, then click *Create* for BYOC. . Enter a cluster name, then select the resource group, provider (AWS), xref:reference:tiers/byoc-tiers.adoc[region, tier], availability, and Redpanda version. + [NOTE] diff --git a/modules/get-started/pages/cluster-types/byoc/azure/create-byoc-cluster-azure.adoc b/modules/get-started/pages/cluster-types/byoc/azure/create-byoc-cluster-azure.adoc index 8e4e823b9..107ae814b 100644 --- a/modules/get-started/pages/cluster-types/byoc/azure/create-byoc-cluster-azure.adoc +++ b/modules/get-started/pages/cluster-types/byoc/azure/create-byoc-cluster-azure.adoc @@ -149,7 +149,7 @@ If you see restrictions, https://learn.microsoft.com/en-us/troubleshoot/azure/ge To create a Redpanda cluster in your Azure VNet, follow the <> then follow the instructions in the Redpanda Cloud UI. The UI contains the parameters necessary to successfully run `rpk cloud byoc apply`. . Log in to https://cloud.redpanda.com[Redpanda Cloud^]. -. On the Clusters page, click *Create cluster*, then click *Create BYOC cluster*. +. On the Clusters page, click *Create cluster*, then click *Create* for BYOC. . Enter a cluster name, then select the resource group, provider (Azure), xref:reference:tiers/byoc-tiers.adoc[region, tier], availability, and Redpanda version. + [NOTE] diff --git a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc index bf50f740d..cf86bf6b5 100644 --- a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc +++ b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc 
@@ -15,7 +15,7 @@ include::partial$gpq-quotas.adoc[] == Create a BYOC cluster . Log in to https://cloud.redpanda.com[Redpanda Cloud^]. -. On the Clusters page, click *Create cluster*, then click *Create BYOC cluster*. +. On the Clusters page, click *Create cluster*, then click *Create* for BYOC. + Enter a cluster name, then select the resource group, provider (GCP), xref:reference:tiers/byoc-tiers.adoc[region, tier], availability, and Redpanda version. + diff --git a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc index c433a880a..106f43ecc 100644 --- a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc +++ b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc @@ -6,7 +6,7 @@ After you log in to https://cloud.redpanda.com[Redpanda Cloud^], you land on the == Create a Dedicated cluster -. On the Clusters page, click *Create cluster*, then click *Create Dedicated cluster*. +. On the Clusters page, click *Create cluster*, then click *Create* for Dedicated. + Enter a cluster name, then select the resource group, cloud provider (AWS, GCP, or Azure), xref:reference:tiers/dedicated-tiers.adoc[region, tier], availability, and Redpanda version. + diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index 2ebaa68ed..c489b5444 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc 
@@ -43,7 +43,7 @@ include::get-started:partial$get-started-serverless.adoc[] To create a Serverless cluster: -. In the https://cloud.redpanda.com[Redpanda Cloud Console^], on the **Clusters** page, click **Create cluster**, then click **Create Serverless cluster**. +. In the https://cloud.redpanda.com[Redpanda Cloud Console^], on the **Clusters** page, click **Create cluster**, then click **Create** for Serverless. . Enter a cluster name, then select the resource group. + From cfdde9408bc83fe0fdec85b4c40c453b26a888be Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Sun, 1 Feb 2026 18:13:00 -0700 Subject: [PATCH 39/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 43bc160ca..1f52ebfdc 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -104,7 +104,7 @@ Store the PrivateLink ID for use in the following steps. Using the `RESOURCE_GROUP_ID` and `SERVERLESS_PRIVATE_LINK_ID` from the previous step, create a new Serverless cluster with the endpoint service enabled by calling link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_createserverlesscluster[`POST /v1/serverless/clusters`]. -In the example below, make sure to set your own values for the following fields: +In the following example, make sure to set your own values for the following fields: -- - `name` From ca01ea01d017d8207b292f5c57d2a0da9934685c Mon Sep 17 00:00:00 2001 
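Review bot: The five `Create` button edits describe the same control, but the serverless.adoc hunk writes it as `**Create** for Serverless` while the BYOC and Dedicated pages write `*Create* for BYOC` / `*Create* for Dedicated`; pick one bold form so the next rename can be applied with a single pattern. The phrase `click *Create* for BYOC` also does not say where the button sits; `click *Create* next to the BYOC option` (or whatever the layout is) would be easier to follow for a first-time user.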
From: Michele Cyran Date: Sun, 1 Feb 2026 18:13:14 -0700 Subject: [PATCH 40/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 1f52ebfdc..4e8766979 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -140,7 +140,7 @@ echo $CLUSTER_ID == Enable PrivateLink endpoint service for existing clusters -. In the Redpanda Cloud Console, go to the cluster overview and copy the cluster ID from the **Details** section. +. In the Redpanda Cloud Console, go to the cluster Overview and copy the cluster ID from the **Details** section. + [,bash] ---- From 6d6ae4b111705c251db91496f96bbd4eb4dc120e Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Sun, 1 Feb 2026 18:13:22 -0700 Subject: [PATCH 41/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 4e8766979..974a98a09 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -147,7 +147,7 @@ echo $CLUSTER_ID CLUSTER_ID= ---- -. Get the PrivateLink ID from the cluster overview page in the Redpanda Cloud Console. +. Get the PrivateLink ID from the cluster Overview page in the Redpanda Cloud Console. + [,bash] ---- 
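Review bot: In both privatelink-api.adoc hunks (patches 40 and 41), `cluster Overview` is capitalized as a page name but left unmarked, while **Details** in the same sentence is bold; apply one convention to both, either `**Overview**` or lowercase `overview` as a generic reference. In the patch 40 hunk the `CLUSTER_ID=` shell line is left with an empty value and no hint; a trailing comment such as `# paste the cluster ID copied above` would make clear the reader is expected to fill it in rather than run it as-is.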
From d6dc886720cf153fb6850d12fedd24c77cd4bd25 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Sun, 1 Feb 2026 18:13:30 -0700 Subject: [PATCH 42/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 974a98a09..9acefb402 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -156,7 +156,7 @@ SERVERLESS_PRIVATE_LINK_ID= . Make a link:/api/doc/cloud-controlplane/operation/operation-serverlessclusterservice_updateserverlesscluster[`PATCH /v1/serverless/clusters/{cluster.id}`] request to update the cluster with the Redpanda PrivateLink Endpoint Service enabled. + -In the example below, make sure to set your own value for the following fields: +In the following example, make sure to set your own value for the following fields: + -- - `private_link_id`: The ID of an existing PrivateLink resource in the same resource group From 95e43e56f51d175772a4455892d06bb084f95252 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Sun, 1 Feb 2026 18:16:12 -0700 Subject: [PATCH 43/46] Update modules/networking/pages/serverless/aws/privatelink-api.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/networking/pages/serverless/aws/privatelink-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 9acefb402..27dc8f31b 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
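Review bot: In the patch 42 hunk, `In the following example, make sure to set your own value for the following fields` repeats `following` within one sentence and uses singular `value` for plural `fields`; suggest `In this example, set your own values for the following fields:`. Patch 39 introduced the same `In the following example ... the following fields` wording for the create-cluster step, so fix both occurrences together.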
@@ -22,7 +22,7 @@ After <>, you can <>. * Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI^] to create a new client VPC or modify an existing one to use the PrivateLink endpoint. -TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds. +TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds (350000 ms). NOTE: Enabling PrivateLink changes private DNS behavior for your cluster. Before configuring connections, review <>. From 9af8386e4941b5aa8b18e37b8b69ff25735144d3 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Mon, 2 Feb 2026 08:09:40 -0700 Subject: [PATCH 44/46] incorporate doc review comments --- modules/get-started/pages/cluster-types/serverless.adoc | 4 ++-- modules/get-started/partials/get-started-serverless.adoc | 6 +++--- .../networking/pages/serverless/aws/privatelink-api.adoc | 2 +- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 6 +++--- modules/networking/partials/dns_resolution.adoc | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index c489b5444..3e792ba7b 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc @@ -62,7 +62,7 @@ NOTE: After private access is disabled, attempts to reach the private endpoints . Click **Create cluster**. -. To start working with your cluster, go to the *Topics* page to create a topic. Under the *Actions* dropdown, you can produce messages to it. Add team members and grant them access with ACLs on the *Security* page. +. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members and grant them access with ACLs on the *Security* page. == Interact with your cluster 
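Review bot: The TIP in the privatelink-api.adoc hunk now states the threshold in both units, which removes a likely seconds-versus-milliseconds mistake, but it still does not say what imposes the 350-second idle limit on the PrivateLink path or what happens when a client exceeds it, so readers cannot judge whether a client with a differently named idle setting is affected; one clause naming the source of the limit and the consequence (idle connections dropped by the path) would make the tip actionable. Since the series also states that Serverless works with all Kafka clients, note that `connections.max.idle.ms` is the Java client property name and that other clients expose the equivalent under their own names.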
@@ -84,7 +84,7 @@ NOTE: Redpanda Serverless is opinionated about Kafka configurations. For example == Supported features * Redpanda Serverless supports the Kafka API. Serverless clusters work with all Kafka clients. See xref:develop:kafka-clients.adoc[]. -* Serverless clusters support all major Apache Kafka messages for managing topics, producing/consuming data (including transactions), managing groups, managing offsets, and managing ACLs. (User management is available in the Redpanda Cloud Console or with `rpk security acl`.) +* Serverless clusters support all major Apache Kafka messages for managing topics, producing/consuming data (including transactions), managing groups, managing offsets, and managing ACLs. (User management is available in the https://cloud.redpanda.com[Redpanda Cloud Console^] or with `rpk security acl`.) === Unsupported features diff --git a/modules/get-started/partials/get-started-serverless.adoc b/modules/get-started/partials/get-started-serverless.adoc index 47bff879b..f9e0d24d8 100644 --- a/modules/get-started/partials/get-started-serverless.adoc +++ b/modules/get-started/partials/get-started-serverless.adoc 
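Review bot: In the Supported features hunk, the parenthetical `User management is available in the ... Console or with `rpk security acl`` names the ACL subcommand for user management; `rpk security acl` manages ACLs, while users are created and deleted with `rpk security user`. The hunk only adds the Console link, but since the line is being touched, suggest `(User management is available in the https://cloud.redpanda.com[Redpanda Cloud Console^] or with `rpk security user`.)` so readers do not look for user operations under the wrong command.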
@@ -5,15 +5,15 @@ Free trial:: -- A https://www.redpanda.com/try-redpanda[free trial on AWS^] is the fastest way to get started with Serverless. Each free-trial customer qualifies for $100 (USD) in credits to spend in the first 14 days. This should be enough to run Redpanda with reasonable throughput. No credit card is required. To continue using Serverless after your trial expires, you can enter a credit card and pay as you go. Any remaining credit balance is used before you are charged. -When either the credits expire or the days in the trial expire, the clusters move into a suspended state, and you won't be able to access your data in either the Redpanda Cloud UI or with the Kafka API. There is a seven-day grace period following the end of the trial. After that, the data is permanently deleted. For questions about the trial, use the *#serverless* https://redpandacommunity.slack.com/[Community Slack^] channel. +When either the credits expire or the days in the trial expire, the clusters move into a suspended state, and you won't be able to access your data in either the Redpanda Cloud Console or with the Kafka API. There is a seven-day grace period following the end of the trial. After that, the data is permanently deleted. For questions about the trial, use the *#serverless* https://redpandacommunity.slack.com/[Community Slack^] channel. After you start a trial, Redpanda instantly prepares an account for you. Your account includes a `welcome` cluster with a `hello-world` demo topic you can explore. It includes sample data so you can see how real-time messaging works before sending your own data. 
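Review bot: The UI-to-Console rename in the get-started-serverless.adoc hunk is correct, but the sentence it touches keeps an unbalanced construction, `in either the Redpanda Cloud Console or with the Kafka API`; suggest `either in the Redpanda Cloud Console or through the Kafka API`. The opening clause `When either the credits expire or the days in the trial expire` could also read `When the credits run out or the 14-day trial ends`, which ties it to the `14 days` stated in the paragraph above.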
-xref:get-started:cluster-types/serverless.adoc#interact-with-your-cluster[Get started] by following the wizard to create a Redpanda Connect glossterm:pipeline[], or by following the steps in the UI to use `rpk` to interact with your cluster from the command line: +xref:get-started:cluster-types/serverless.adoc#interact-with-your-cluster[Get started] by following the wizard to create a Redpanda Connect glossterm:pipeline[], or by following the steps in the Console to use `rpk` to interact with your cluster from the command line: . Log in with `rpk cloud login`. . Consume from the `hello-world` topic with `rpk topic consume hello-world`. -. In the https://cloud.redpanda.com[Redpanda Cloud UI^], navigate to the *Topics* page and open the `hello-world` topic to see the included messages. +. In the https://cloud.redpanda.com[Redpanda Cloud Console^], navigate to the *Topics* page and open the `hello-world` topic to see the included messages. -- Redpanda Sales:: diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index 27dc8f31b..ce1f53c62 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc @@ -184,7 +184,7 @@ curl -vv -X PATCH \ PrivateLink changes how DNS resolution works for your cluster. When you query cluster hostnames outside the VPC that contains your PrivateLink endpoint, DNS may return private IP addresses that aren't reachable from your location. -To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using Route 53 Resolver: +To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html[Route 53 Resolver^]: . In the VPC that contains your PrivateLink endpoint, create a Route 53 Resolver inbound endpoint. + 
diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index 33eb1e05d..ec8f2fb94 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc @@ -26,7 +26,7 @@ TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 se PrivateLink changes how DNS resolution works for your cluster. When you query cluster hostnames outside the VPC that contains your PrivateLink endpoint, DNS may return private IP addresses that aren't reachable from your location. -To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using Route 53 Resolver: +To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html[Route 53 Resolver^]: . In the VPC that contains your PrivateLink endpoint, create a Route 53 Resolver inbound endpoint. + 
@@ -44,10 +44,10 @@ Do not configure forwarding rules to target the VPC's Amazon-provided DNS resolv == Enable endpoint service for existing clusters -If you do not already have a PrivateLink resource for your cluster's resource group and region, create one at the organization level on the *Networking* page. For Serverless clusters, click **Create private link**. +If you do not already have a PrivateLink resource for your cluster's resource group and region, create one at the organization level on the *Networking* page. For Serverless clusters, click **Create PrivateLink**. . Select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. -. Under Networking, select **Private Access** and then select an existing private link. +. Under Networking, select **Private Access** and then select an existing PrivateLink. NOTE: For help with issues enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. diff --git a/modules/networking/partials/dns_resolution.adoc b/modules/networking/partials/dns_resolution.adoc index cb0761b6c..49e33e1df 100644 --- a/modules/networking/partials/dns_resolution.adoc +++ b/modules/networking/partials/dns_resolution.adoc @@ -1,6 +1,6 @@ PrivateLink changes how DNS resolution works for your cluster. When you query cluster hostnames outside the VPC that contains your PrivateLink endpoint, DNS may return private IP addresses that aren't reachable from your location. -To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using Route 53 Resolver: +To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html[Route 53 Resolver^]: . In the VPC that contains your PrivateLink endpoint, create a Route 53 Resolver inbound endpoint. + From 8732a27c2a65b429449339c6afdb1080ac8b24e8 Mon Sep 17 00:00:00 2001 
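Review bot: The Route 53 Resolver link is applied to word-for-word identical DNS-resolution text in three places (privatelink-api.adoc, privatelink-ui.adoc and partials/dns_resolution.adoc), which is exactly the drift the partial exists to prevent; replace the inline copies in the two pages with `include::partial$dns_resolution.adoc[]` so the next correction to the forwarding steps is one hunk rather than three and the pages cannot diverge on a setting that affects whether clients reach the private endpoint at all.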
From: micheleRP Date: Mon, 2 Feb 2026 15:31:26 -0700 Subject: [PATCH 45/46] incorporate Towfiqa's feedback --- modules/get-started/pages/cluster-types/serverless.adoc | 4 ++-- modules/get-started/pages/whats-new-cloud.adoc | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index 3e792ba7b..261a428a7 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc @@ -51,9 +51,9 @@ If you don't have an existing resource group, you can create one. Refresh the pa . Select a cloud provider and xref:reference:tiers/serverless-regions.adoc[region]. For best performance, select the region closest to your applications. Redpanda expects your applications to be deployed in the same cloud provider and region as your Serverless cluster. + -Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure ingress traffic. +Clusters on AWS can enable private access between their VPC and Redpanda, so data does not traverse the public internet. Private connectivity is implemented using AWS PrivateLink for secure traffic. + -** A Serverless cluster can have both public and private access enabled. +** When you enable both public access and private access on the cluster, you can choose between the public address or the private address. When the public address is used the data flows over the public internet. ** You can either create a new PrivateLink or use an existing one from the same resource group. ** You can enable or disable private access at any time on the cluster's *Settings* page. ** Enabling private access incurs additional charges. 
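Review bot: In the serverless.adoc hunk, the new bullet `you can choose between the public address or the private address` should read `between ... and ...`, and `When the public address is used the data flows over the public internet` needs a comma after `used`. More importantly for the point this bullet makes, say explicitly that enabling private access does not turn off public access: a client that keeps the public bootstrap address still sends data over the internet, so anyone who needs PrivateLink-only connectivity must disable public access on the *Settings* page (mentioned two bullets down) rather than assume the private path is used. Structurally, the `**` markers inside the step's `+` continuation have no `*` parent; elsewhere in this series single `*` bullets are used (for example the AWS CLI bullet in privatelink-api.adoc), and the same would read cleaner here.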
diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 0a4aef3b9..dbb1e996f 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -10,7 +10,7 @@ This page lists new features added to Redpanda Cloud. === Serverless on AWS: GA -xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to export metrics to third-party monitoring systems. Serverless is the easiest and fastest way to begin streaming data with Redpanda. Start small and iterate on a budget, with confidence that your Redpanda code will scale to production. +xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now generally available (GA). This release includes private networking with AWS PrivateLink and the ability to export metrics to third-party monitoring systems. Serverless is the easiest and fastest way to begin streaming data with Redpanda. Start small and iterate on a budget, with confidence that your cluster can scale to production. == January 2026 From 26078019fe4ed6cb6b451b4ab0b0e90caaf73896 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Mon, 2 Feb 2026 16:11:14 -0700 Subject: [PATCH 46/46] incorporate review feedback --- modules/get-started/partials/get-started-serverless.adoc | 2 +- modules/networking/pages/serverless/aws/privatelink-api.adoc | 3 ++- modules/networking/pages/serverless/aws/privatelink-ui.adoc | 5 ++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/get-started/partials/get-started-serverless.adoc b/modules/get-started/partials/get-started-serverless.adoc index f9e0d24d8..fea7e8848 100644 --- a/modules/get-started/partials/get-started-serverless.adoc +++ b/modules/get-started/partials/get-started-serverless.adoc 
@@ -5,7 +5,7 @@ Free trial:: -- A https://www.redpanda.com/try-redpanda[free trial on AWS^] is the fastest way to get started with Serverless. Each free-trial customer qualifies for $100 (USD) in credits to spend in the first 14 days. This should be enough to run Redpanda with reasonable throughput. No credit card is required. To continue using Serverless after your trial expires, you can enter a credit card and pay as you go. Any remaining credit balance is used before you are charged. -When either the credits expire or the days in the trial expire, the clusters move into a suspended state, and you won't be able to access your data in either the Redpanda Cloud Console or with the Kafka API. There is a seven-day grace period following the end of the trial. After that, the data is permanently deleted. For questions about the trial, use the *#serverless* https://redpandacommunity.slack.com/[Community Slack^] channel. +When either the credits expire or the days in the trial expire, the clusters move into a suspended state, and you won't be able to access your data in either the Redpanda Cloud Console or with the Kafka API. There is a seven-day grace period following the end of the trial when you can add your credit card and restore service. After that, the data is permanently deleted. For questions about the trial, use the *#serverless* https://redpandacommunity.slack.com/[Community Slack^] channel. After you start a trial, Redpanda instantly prepares an account for you. Your account includes a `welcome` cluster with a `hello-world` demo topic you can explore. It includes sample data so you can see how real-time messaging works before sending your own data. diff --git a/modules/networking/pages/serverless/aws/privatelink-api.adoc b/modules/networking/pages/serverless/aws/privatelink-api.adoc index ce1f53c62..a302e1789 100644 --- a/modules/networking/pages/serverless/aws/privatelink-api.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-api.adoc 
@@ -1,9 +1,10 @@ = Configure AWS PrivateLink with the Cloud API :description: Set up AWS PrivateLink with the Cloud API for Serverless clusters. +:page-personas: platform_admin The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because a PrivateLink connection is treated as its own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. -Consider using the PrivateLink endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. +Consider using the PrivateLink endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. You can create a new Serverless cluster with PrivateLink enabled, or enable PrivateLink for existing clusters using either the Console or the API. [NOTE] ==== diff --git a/modules/networking/pages/serverless/aws/privatelink-ui.adoc b/modules/networking/pages/serverless/aws/privatelink-ui.adoc index ec8f2fb94..4bfea8007 100644 --- a/modules/networking/pages/serverless/aws/privatelink-ui.adoc +++ b/modules/networking/pages/serverless/aws/privatelink-ui.adoc 
@@ -1,11 +1,10 @@ = Configure AWS PrivateLink in the Cloud Console :description: Set up AWS PrivateLink in the Redpanda Cloud Console for Serverless clusters. +:page-personas: platform_admin The Redpanda AWS PrivateLink endpoint service provides secure access to Redpanda Cloud from your own VPC. Traffic over PrivateLink does not go through the public internet because these connections are treated as their own private AWS service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC. -Consider using the endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. - -You can create a new Serverless cluster with PrivateLink enabled, or enable PrivateLink for existing clusters using either the Console or the API. +Consider using the PrivateLink endpoint service if you have multiple VPCs and could benefit from a more simplified approach to network management. You can create a new Serverless cluster with PrivateLink enabled, or enable PrivateLink for existing clusters using either the Console or the API. [NOTE] ====
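Review bot: Merging the two sentences in the privatelink-ui.adoc hunk leaves its intro paragraph identical to the one written into privatelink-api.adoc in the previous hunk of this commit; as with the DNS text, a shared partial would keep the two pages from drifting. Within the sentence, `a more simplified approach` is a double comparative; `a simpler approach` says the same. The added `:page-personas: platform_admin` attribute is correctly placed in the header block directly after `:description:` in both files, so it will be picked up; just confirm `platform_admin` matches the persona values used elsewhere in the site, since an unrecognized value fails silently.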