diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index db4d78403..5551f84ec 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -6,6 +6,12 @@ This page lists new features added to Redpanda Cloud. +== February 2026 + +=== Cross-region AWS PrivateLink + +AWS PrivateLink now supports cross-region connectivity, allowing clients in different AWS regions to connect to your Redpanda cluster through PrivateLink. Configure supported regions in the xref:networking:configure-privatelink-in-cloud-ui.adoc#cross-region-privatelink[Cloud UI] or using the xref:networking:aws-privatelink.adoc#cross-region-privatelink[Cloud API] to specify which regions can establish PrivateLink connections. This feature requires multi-AZ cluster deployments. + == January 2026 === Redpanda Connect updates diff --git a/modules/manage/pages/terraform-provider.adoc b/modules/manage/pages/terraform-provider.adoc index d3a759d52..ffe98f20b 100644 --- a/modules/manage/pages/terraform-provider.adoc +++ b/modules/manage/pages/terraform-provider.adoc @@ -354,6 +354,7 @@ resource "redpanda_cluster" "test" { enabled = true connect_console = true allowed_principals = ["arn:aws:iam::123456789024:root"] + supported_regions = ["us-east-1", "us-west-2"] # Optional: Enable cross-region PrivateLink } tags = { "environment" = "dev" diff --git a/modules/networking/pages/aws-privatelink.adoc b/modules/networking/pages/aws-privatelink.adoc index 039dfc58a..8e12f495a 100644 --- a/modules/networking/pages/aws-privatelink.adoc +++ b/modules/networking/pages/aws-privatelink.adoc 
@@ -19,10 +19,10 @@ Consider using the PrivateLink endpoint service if you have multiple VPCs and co After <>, you can <>, or you can <>. -== Requirements +== Prerequisites * Install `rpk`. -* Your Redpanda cluster and <> must be in the same region. +* Your Redpanda cluster and <> must be in the same region, unless you configure <>. * In this guide, you use the link:/api/doc/cloud-controlplane/topic/topic-cloud-api-overview[Redpanda Cloud API] to enable the Redpanda endpoint service for your clusters. Follow the steps below to <>. * Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI^] to create a new client VPC or modify an existing one to use the PrivateLink endpoint. @@ -93,6 +93,7 @@ In the example below, make sure to set your own values for the following fields: - `name` - `connect_console`: Whether to enable connections to Redpanda Console (boolean) - `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. +- `supported_regions`: (Optional) List of AWS regions from which PrivateLink endpoints can connect to Redpanda. Required only for <>. For example, `["us-east-1", "us-west-2"]`. -- + [,bash] @@ -112,7 +113,8 @@ CLUSTER_POST_BODY=`cat << EOF "aws_private_link": { "enabled": true, "connect_console": true, - "allowed_principals": ["",""] + "allowed_principals": ["",""], + "supported_regions": ["",""] } } } 
@@ -158,6 +160,7 @@ In the example below, make sure to set your own value for the following field: -- - `connect_console`: Whether to enable connections to Redpanda Console (boolean) - `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. +- `supported_regions`: (Optional) List of AWS regions from which PrivateLink endpoints can connect to Redpanda. Required only for <>. For example, `["us-east-1", "us-west-2"]`. -- + [,bash] @@ -167,7 +170,8 @@ CLUSTER_PATCH_BODY=`cat << EOF "aws_private_link": { "enabled": true, "connect_console": true, - "allowed_principals": ["",""] + "allowed_principals": ["",""], + "supported_regions": ["",""] } } EOF` @@ -234,7 +238,7 @@ xref:networking:byoc/aws/vpc-peering-aws.adoc[VPC peering] and PrivateLink will VPC peering and PrivateLink can both be used at the same time if Kafka clients are connecting from distinct VPCs. For example, in a private Redpanda cluster, you can connect your internal Kafka clients over VPC peering, and enable PrivateLink for external services. ==== -The VPC region must be the same region where the Redpanda cluster is deployed. To create the VPC, run: +The client VPC must be in the same region as your Redpanda cluster, unless you have configured <>. To create the VPC, run: [,bash] ---- 
@@ -346,6 +350,61 @@ After you have enabled PrivateLink for your cluster, your connection URLs are av include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] +== Cross-region PrivateLink + +By default, AWS PrivateLink only allows connections from VPCs in the same region as the endpoint service. Cross-region PrivateLink enables clients in different AWS regions to connect to your Redpanda cluster through PrivateLink. + +For more information about AWS cross-region PrivateLink support, see the https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html#endpoint-service-cross-region[AWS documentation^]. + +=== Requirements + +* The Redpanda cluster must be deployed across multiple availability zones (multi-AZ). This is an AWS limitation for cross-region PrivateLink. +* Cross-region PrivateLink is configured through the `supported_regions` field in the `aws_private_link` configuration. This field only appears in the API response for multi-AZ clusters. +* For BYOC clusters, the Redpanda agent IAM role must have `vpce:AllowMultiRegion` and `elasticloadbalancing:DescribeListenerAttributes` permissions. + +=== Configure cross-region PrivateLink + +To enable cross-region PrivateLink, add the `supported_regions` field to your `aws_private_link` configuration when <> or <>. + +The `supported_regions` field accepts a list of AWS region identifiers where you want to allow PrivateLink connections from. For example: + +[,json] +---- +"aws_private_link": { + "enabled": true, + "connect_console": true, + "allowed_principals": ["arn:aws:iam::123456789012:root"], + "supported_regions": ["us-east-1", "us-west-2", "eu-west-1"] +} +---- + +With this configuration, clients in VPCs located in `us-east-1`, `us-west-2`, and `eu-west-1` can create PrivateLink endpoints that connect to your Redpanda cluster, regardless of which region the cluster is deployed in. 
+ +=== Create a cross-region VPC endpoint + +When creating a VPC endpoint in a different region than your Redpanda cluster, use the same process as <>, but specify both the client VPC's region and the service region where your Redpanda cluster is deployed. + +NOTE: The `--service-region` option requires AWS CLI version 2.22.0 or later. Run `aws --version` to check your version and https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html[update if necessary^]. + +[,bash] +---- +# CLIENT_REGION is the region where your client VPC is located +# SERVICE_REGION is the region where your Redpanda cluster is deployed +CLIENT_REGION= +SERVICE_REGION= + +aws ec2 create-vpc-endpoint \ + --region $CLIENT_REGION --profile $PROFILE \ + --service-region $SERVICE_REGION \ + --vpc-id $CLIENT_VPC_ID \ + --vpc-endpoint-type "Interface" \ + --ip-address-type "ipv4" \ + --service-name $PL_SERVICE_NAME \ + --subnet-ids $SUBNET_ID \ + --security-group-ids $SECURITY_GROUP_ID \ + --private-dns-enabled +---- + == Test the connection You can test the PrivateLink connection from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL: diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 88fa75806..83362917d 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc 
@@ -18,7 +18,7 @@ Consider using the endpoint service if you have multiple VPCs and could benefit == Requirements -* Your Redpanda cluster and VPC must be in the same region. +* Your Redpanda cluster and VPC must be in the same region, unless you configure <>. * Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI] to create a new client VPC or modify an existing one to use the PrivateLink endpoint. TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds. 
@@ -31,8 +31,9 @@ include::networking:partial$dns_resolution.adoc[] . In the Redpanda Cloud UI, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. . For AWS PrivateLink, click *Enable*. -. On the Enable PrivateLink page, for Allowed principal ARNs, click *Add*, and enter the Amazon Resource Names (ARNs) for each AWS principal allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam:::root`. See the AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details. -. Click *Add* after entering each ARN, and when finished, click *Enable*. +. On the Enable PrivateLink page, for Allowed principal ARNs, click *Add*, and enter the Amazon Resource Names (ARNs) for each AWS principal allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam:::root`. See the AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details. +. Click *Add* after entering each ARN, and when finished, click *Enable*. +. (Optional) To enable cross-region PrivateLink, add supported regions. See <>. . It may take several minutes for your cluster to update. When the update is complete, the AWS PrivateLink status on the Cluster settings page changes from *In progress* to *Enabled*. NOTE: For help with issues when enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. 
@@ -49,6 +50,31 @@ You can test the connection to the endpoint service from any VM or container in include::networking:partial$private-links-test-connection.adoc[] +== Cross-region PrivateLink + +By default, AWS PrivateLink only allows connections from VPCs in the same region as the endpoint service. Cross-region PrivateLink enables clients in different AWS regions to connect to your Redpanda cluster through PrivateLink. + +For more information about AWS cross-region PrivateLink support, see the https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html#endpoint-service-cross-region[AWS documentation^]. + +=== Prerequisites + +* The Redpanda cluster must be deployed across multiple availability zones (multi-AZ). This is an AWS limitation for cross-region PrivateLink. + +=== Configure supported regions + +NOTE: The *Supported regions* option only appears in the UI for multi-AZ clusters. + +. In the Redpanda Cloud UI, select your https://cloud.redpanda.com/clusters[cluster^], and go to the cluster settings page. +. In the AWS PrivateLink section, click *Edit* (or *Enable* if PrivateLink is not yet enabled). +. In the *Supported regions* section, click *Add* to add a region from which PrivateLink endpoints can connect to your cluster. +. Select an AWS region from the dropdown. The cluster's home region is automatically included and not shown in the list. +. Repeat to add additional regions as needed. +. Click *Save* (or *Enable*) to apply the changes. + +After saving, the *Supported regions* row on the cluster settings page displays your configured regions. + +Clients in VPCs located in the supported regions can now create PrivateLink endpoints that connect to your Redpanda cluster. + == Disable endpoint service On the Cluster settings page for the cluster, click *Disable* for PrivateLink. Existing connections are closed after the AWS PrivateLink service is disabled. To connect using PrivateLink again, you must re-enable the service.
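Review bot: the February 2026 entry in `whats-new-cloud.adoc` states the multi-AZ requirement but omits the BYOC agent IAM change that the same patch introduces in `aws-privatelink.adoc` (`vpce:AllowMultiRegion` and `elasticloadbalancing:DescribeListenerAttributes` on the Redpanda agent role). BYOC operators read this page specifically to catch role changes, so add one clause such as "BYOC clusters need additional agent IAM permissions; see the AWS PrivateLink page" with an xref.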
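Review bot: the new `supported_regions = ["us-east-1", "us-west-2"] # Optional: Enable cross-region PrivateLink` line in the `terraform-provider.adoc` example carries none of the constraints documented on the networking page (multi-AZ clusters only, extra agent IAM permissions for BYOC), so a Terraform user will hit an unexplained apply failure on a single-AZ cluster. Add a sentence or an xref to `networking:aws-privatelink.adoc#cross-region-privatelink` next to the example, and state plainly that `allowed_principals` remains the authorization control: a region in `supported_regions` only widens where endpoints may be created, it grants no additional principal access.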
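Review bot: renaming `== Requirements` to `== Prerequisites` in `aws-privatelink.adoc` leaves the headings inconsistent across the patch: the new `== Cross-region PrivateLink` section later in the same file uses `=== Requirements`, while `configure-privatelink-in-cloud-ui.adoc` keeps `== Requirements` at the top and uses `=== Prerequisites` in its new cross-region section. Pick one term and use it in all four places. The rename also changes the generated anchor for this section, so check for inbound xrefs and deep links to the old `_requirements` anchor before merging.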
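Review bot: the `CLUSTER_POST_BODY` template now hard-codes `"supported_regions": ["",""]` although the field is described as optional and, per the cross-region section, only meaningful for multi-AZ clusters; a reader with a single-AZ cluster who copies the body as-is sends two empty-string regions. Either comment the line out in the template, or add a sentence under the field list telling readers to delete the key when cross-region access is not wanted, and state what the API does with the field on a single-AZ cluster (rejects the request, or silently ignores it). The same applies to the `CLUSTER_PATCH_BODY` template in the next hunk.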
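Review bot: in the new `=== Requirements` list under `== Cross-region PrivateLink`, the BYOC requirement for `vpce:AllowMultiRegion` and `elasticloadbalancing:DescribeListenerAttributes` on the Redpanda agent IAM role is not mirrored in the page-level `== Prerequisites` list edited in the same patch, and there is no xref to where the agent role policy is documented, so BYOC users cannot see where to add the permissions. Also document the failure mode when `supported_regions` is set without them (does the cluster update fail, and with what error?), and clarify whether the client-side IAM identity that later runs `aws ec2 create-vpc-endpoint --service-region ...` needs `vpce:AllowMultiRegion` too; if it does, that belongs in the client-side step rather than here.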
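Review bot: the cross-region `create-vpc-endpoint` example reuses `$CLIENT_VPC_ID`, `$SUBNET_ID` and `$SECURITY_GROUP_ID` from the same-region procedure, but with `--region $CLIENT_REGION` those must be resources that exist in the client region, and the earlier VPC, subnet and security-group steps on this page are run against the cluster region. Say explicitly that the reader creates (or selects) the VPC, subnet and security group in `$CLIENT_REGION`, rerunning the earlier steps with `--region $CLIENT_REGION`, and that the group passed to `--security-group-ids` still needs the same inbound rules as in the same-region procedure; otherwise the endpoint is created but nothing can reach it. The AWS CLI 2.22.0 note is good; keep it next to the command.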
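Review bot: in the `configure-privatelink-in-cloud-ui.adoc` step-list hunk, the two `-`/`+` pairs for the *Allowed principal ARNs* step and the *Click Add ... Enable* step read identically, so this looks like a whitespace-only change; drop it so the diff shows only the real addition. The new `(Optional) To enable cross-region PrivateLink, add supported regions.` step sits after *click Enable*, yet the cross-region section below says regions can be added on the Enable page itself (*Edit* or *Enable*); state whether regions are chosen before clicking *Enable* or afterwards via *Edit*, and note here that the option appears only for multi-AZ clusters so single-AZ users do not go looking for it.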
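Review bot: the new *Configure supported regions* procedure says nothing about removing a region, while the adjacent *Disable endpoint service* section does state that existing connections are closed when PrivateLink is disabled. Add the equivalent statement for deleting an entry from *Supported regions* (are endpoints already created in that region disconnected, and how quickly?), since operators need it to plan tightening the region list. The multi-AZ requirement is attributed to AWS ("This is an AWS limitation") in both this file and `aws-privatelink.adoc` without a citation; link the specific AWS statement once, in the AWS documentation reference already present in the section.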