diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index 0d69b96eff..87bf9e73eb 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -34,7 +34,52 @@ Depending on the environment the local and remote clusters are deployed on and t
 
 Find the instructions with details on the supported security models and available connection modes for your specific scenario:
 
-- [Remote clusters with {{ech}}](remote-clusters/ec-enable-ccs.md)
-- [Remote clusters with {{ece}}](remote-clusters/ece-enable-ccs.md)
-- [Remote clusters with {{eck}}](remote-clusters/eck-remote-clusters.md)
-- [Remote clusters with self-managed installations](remote-clusters/remote-clusters-self-managed.md)
\ No newline at end of file
+- [Remote clusters on {{ech}}](remote-clusters/ec-enable-ccs.md)
+- [Remote clusters on {{ece}}](remote-clusters/ece-enable-ccs.md)
+- [Remote clusters on {{eck}}](remote-clusters/eck-remote-clusters.md)
+- [Remote clusters on self-managed installations](remote-clusters/remote-clusters-self-managed.md)
+
+## Remote clusters and network security [network-security]
+```{applies_to}
+deployment:
+  ece: ga
+  ess: ga
+```
+
+In {{ech}} (ECH) and {{ece}} (ECE), the remote clusters functionality interacts with [network security](/deploy-manage/security/network-security.md) traffic filtering rules in different ways, depending on the [security model](/deploy-manage/remote-clusters/remote-clusters-self-managed.md#remote-clusters-security-models) you use.
+
+* **TLS certificate–based authentication (deprecated):**
+  For remote clusters configured using the TLS certificate–based security model, network security policies or rule sets have no effect on remote clusters functionality. Connections established with this method (mTLS) are already considered secure and are always accepted, regardless of any filtering policies or rule sets applied on the local or remote deployment to restrict other traffic.
+
+* **API key–based authentication (recommended):**
+  When remote clusters use the API key–based authentication model, network security policies or rule sets on the **destination (remote) deployment** do affect remote cluster functionality if enabled. In this case, you can use traffic filters to explicitly control which deployments are allowed to connect to the remote cluster service endpoint.
+
+  ::::{note}
+  Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works):
+    * If network security is disabled, all traffic is allowed by default, and remote clusters work without requiring any specific filtering policy.
+    * If network security is enabled on the remote cluster, apply a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md#create-remote-cluster-filter) to allow incoming connections from the local clusters. Without this filter, the connections are blocked.
+  ::::
+
+This section explains how remote clusters interact with network security when using API key–based authentication, and describes the supported use cases.
+
+### Filter types and supported use cases for remote cluster traffic [use-cases-network-security]
+
+With API key–based authentication, remote clusters require the local cluster (A) to trust the transport SSL certificate presented by the remote cluster server (B). When network security is enabled on the destination cluster (B), it’s also necessary to explicitly allow the incoming traffic from cluster A. This can be achieved using different types of traffic filters:
+
+* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), available exclusively in ECH and ECE. They allow filtering by organization ID or {{es}} cluster ID and are the recommended option, as they combine mTLS with API key authentication for stronger security.
+
+* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges.
+
+The applicable filter type for the remote cluster depends on the local and remote deployment types:
+
+| Remote cluster → <br>Local cluster ↓  | Elastic Cloud Hosted | Elastic Cloud Enterprise | Self-managed / Elastic Cloud on Kubernetes |
+|-------------------------|----------------------|--------------------------|--------------------------------------------|
+| **Elastic Cloud Hosted** | [Remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) or [Kubernetes network policy](/deploy-manage/security/k8s-network-policies.md) |
+| **Elastic Cloud Enterprise** | [IP filter](/deploy-manage/security/ip-filtering.md) | [Remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md) / [IP filter](/deploy-manage/security/ip-filtering.md) (\*) | [IP filter](/deploy-manage/security/ip-filtering.md) or [Kubernetes network policy](/deploy-manage/security/k8s-network-policies.md) |
+| **Self-managed / Elastic Cloud on Kubernetes** | [IP filter](/deploy-manage/security/ip-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) or [Kubernetes network policy](/deploy-manage/security/k8s-network-policies.md) |
+
+(*) For ECE, remote cluster filters apply when both clusters are in the **same environment**. Use IP filters when the clusters belong to **different environments**.
+
+::::{note}
+When using self-managed security mechanisms (such as firewalls), keep in mind that remote clusters with API key–based authentication use port `9443` by default. Specify this port if a destination port is required.
+::::
\ No newline at end of file
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index 2ad1b04165..dc69804aa1 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -19,6 +19,10 @@ You can configure an {{ech}} deployment to either connect to remote clusters or
 * A deployment in an {{eck}} installation
 * A self-managed installation.
 
+::::{note}
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security policies and the implications for your deployments.
+::::
+
 
 ## Prerequisites [ec-ccs-ccr-prerequisites]
 
@@ -51,20 +55,6 @@ The steps, information, and authentication method required to configure CCS and
     * [From a self-managed cluster](remote-clusters-self-managed.md)
     * [From an ECK environment](ec-enable-ccs-for-eck.md)
 
-
 ## Remote clusters and network security [ec-ccs-ccr-network-security]
 
-::::{note}
-[Network security](../security/network-security.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
-::::
-
-You can use [network security policies](../security/network-security.md) to restrict access to deployments used as a local or remote cluster, without impacting cross-cluster search or cross-cluster replication.
-
-Network security for remote clusters supports the following methods:
-
-* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-filtering.md)
-* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
-
-::::{note}
-When setting up network security policies for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
-::::
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
index 8241b4544c..2b7cb6e9bd 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
@@ -14,6 +14,10 @@ products:
 
 This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ECE}} (ECE) environment.
 
+::::{note}
+If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure an [IP filter](/deploy-manage/security/ip-filtering-ece.md) to allow traffic from [{{ecloud}} IP addresses](/deploy-manage/security/elastic-cloud-static-ips.md#ec-egress). For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
+
 ## Allow the remote connection [ec_allow_the_remote_connection_3]
 
 Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.
@@ -143,7 +147,7 @@ A deployment can be configured to trust all or specific deployments in a remote
 
 7. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment’s **Security** page.
 8. Select **Create trust** to complete the configuration.
-9. Configure the corresponding deployments of the ECE environment to [trust this deployment](/deploy-manage/remote-clusters/ece-enable-ccs.md). You will only be able to connect two deployments successfully when both of them trust each other.
+9. Configure the corresponding deployments of the ECE environment to [trust this deployment](/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md#ece-trust-ec). You will only be able to connect two deployments successfully when both of them trust each other.
 
 ::::{note}
 The environment ID and cluster IDs must be entered fully and correctly. For security reasons, verification of the IDs is not possible. If cross-environment trust does not appear to be working, double-checking the IDs is a good place to start.
@@ -212,6 +216,11 @@ On the local cluster, add the remote cluster using {{kib}} or the {{es}} API.
 
     * **Server name**: This value can be found on the **Security** page of the {{ece}} deployment you want to use as a remote.
 
+      :::{image} /deploy-manage/images/cloud-enterprise-ce-copy-remote-cluster-parameters.png
+      :alt: Remote Cluster Parameters in Deployment
+      :screenshot:
+      :::
+
       ::::{note}
       If you’re having issues establishing the connection and the remote cluster is part of an {{ece}} environment with a private certificate, make sure that the proxy address and server name match with the the certificate information. For more information, refer to [Administering endpoints in {{ece}}](/deploy-manage/deploy/cloud-enterprise/change-endpoint-urls.md).
       ::::
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
index 443425aa28..17fb26bf50 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
@@ -14,7 +14,7 @@ products:
 This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ecloud}} organization.
 
 ::::{note}
-If network security policies are applied to the remote cluster, the remote cluster administrator must configure a private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
 ::::
 
 ## Allow the remote connection [ec_allow_the_remote_connection_2]
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
index cbaa1ebe23..f91b3343cc 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
@@ -14,7 +14,7 @@ products:
 This section explains how to configure a deployment to connect remotely to clusters belonging to the same {{ecloud}} organization.
 
 ::::{note}
-If network security is enabled on the remote cluster, the remote cluster administrator must configure a private connection policy of type **Remote cluster**, specifying either the organization ID or the Elasticsearch cluster ID. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
 ::::
 
 ## Allow the remote connection [ec_allow_the_remote_connection]
diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md
index c6be78040a..79c7b8214e 100644
--- a/deploy-manage/remote-clusters/ece-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ece-enable-ccs.md
@@ -19,6 +19,9 @@ You can configure an {{ece}} deployment to either connect to remote clusters or
 * A deployment running on an {{eck}} installation
 * A self-managed installation
 
+::::{note}
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security filters and the implications for your deployments.
+::::
 
 ## Prerequisites [ece-ccs-ccr-prerequisites]
 
@@ -57,21 +60,6 @@ The steps, information, and authentication method required to configure CCS and
     * [From a self-managed cluster](/deploy-manage/remote-clusters/remote-clusters-self-managed.md)
     * [From an ECK environment](ece-enable-ccs-for-eck.md)
 
-
 ## Remote clusters and network security [ece-ccs-ccr-network-security]
 
-::::{note}
-Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
-::::
-
-
-For remote clusters configured using TLS certificate authentication, [network security](../security/network-security.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
-
-Traffic filtering for remote clusters supports two methods:
-
-* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-filtering-ece.md)
-* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Platform** > **Security** page of your environment or using the [{{ece}} API](https://www.elastic.co/docs/api/doc/cloud-enterprise) and apply it from each deployment’s **Security** page.
-
-::::{note}
-When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. This applies regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
-::::
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
index cdd30aa9f7..d02ec683ab 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
@@ -12,7 +12,11 @@ products:
 
 # Connect {{ece}} deployments to an {{ecloud}} organization [ece-remote-cluster-ece-ess]
 
-This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
+This section explains how to configure an {{ece}} (ECE) deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
+
+::::{note}
+If network security filters are applied to the remote cluster on {{ecloud}}, the remote cluster administrator must configure an [IP filter](/deploy-manage/security/ip-filtering-cloud.md) to allow connections from the IP addresses (or CIDR ranges) of the local ECE allocator hosts. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
 
 ## Allow the remote connection [ece_allow_the_remote_connection_3]
 
@@ -147,22 +151,13 @@ On the local cluster, add the remote cluster using {{kib}} or the {{es}} API.
     * **Name**: This *cluster alias* is a unique identifier that represents the connection to the remote cluster and is used to distinguish local and remote indices.
 
       When using API key authentication, this alias must match the **Remote cluster name** you configured when adding the API key in the Cloud UI.
-    * **Proxy address**: This value can be found on the **Security** page of the {{ece}} deployment you want to use as a remote.<br>
+    * **Proxy address**: This value can be found on the **Security** page of the {{ech}} deployment you want to use as a remote.<br>
 
       ::::{tip}
       If you’re using API keys as security model, change the port into `9443`.
       ::::
 
-    * **Server name**: This value can be found on the **Security** page of the {{ece}} deployment you want to use as a remote.
-
-      :::{image} /deploy-manage/images/cloud-enterprise-ce-copy-remote-cluster-parameters.png
-      :alt: Remote Cluster Parameters in Deployment
-      :screenshot:
-      :::
-
-      ::::{note}
-      If you’re having issues establishing the connection and the remote cluster is part of an {{ece}} environment with a private certificate, make sure that the proxy address and server name match with the the certificate information. For more information, refer to [Administering endpoints in {{ece}}](/deploy-manage/deploy/cloud-enterprise/change-endpoint-urls.md).
-      ::::
+    * **Server name**: This value can be found on the **Security** page of the {{ech}} deployment you want to use as a remote.
 
 4. Click **Next**.
 5. Click **Add remote cluster** (you have already established trust in a previous step).
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
index 76403b8590..566281d8d7 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
@@ -13,6 +13,9 @@ products:
 
 This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ece}} environment.
 
+::::{note}
+If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure an [IP filter](/deploy-manage/security/ip-filtering-ece.md) to allow connections from the IP addresses (or CIDR ranges) of the local ECE allocator hosts. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
 
 ## Allow the remote connection [ece_allow_the_remote_connection_2]
 
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md b/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md
index ca745ae312..41edb63242 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md
@@ -13,6 +13,9 @@ products:
 
 This section explains how to configure a deployment to connect remotely to clusters belonging to the same {{ece}} environment.
 
+::::{note}
+If network security filters are applied to the remote cluster, the remote cluster administrator must configure a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md), using either the ECE environment ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
 
 ## Allow the remote connection [ece_allow_the_remote_connection]
 
diff --git a/deploy-manage/security/_snippets/associate-filter-ece.md b/deploy-manage/security/_snippets/associate-filter-ece.md
new file mode 100644
index 0000000000..269fca8e60
--- /dev/null
+++ b/deploy-manage/security/_snippets/associate-filter-ece.md
@@ -0,0 +1,4 @@
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, select **Apply filter**.
+4. Choose the filter you want to apply and select **Apply filter**.
diff --git a/deploy-manage/security/_snippets/detach-filter-ece.md b/deploy-manage/security/_snippets/detach-filter-ece.md
new file mode 100644
index 0000000000..c577935957
--- /dev/null
+++ b/deploy-manage/security/_snippets/detach-filter-ece.md
@@ -0,0 +1,4 @@
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, choose the filter you want to detach and select the **X** icon in the **Actions** column.
+4. In the confirmation dialog, select **Remove filter**.
diff --git a/deploy-manage/security/ip-filtering-ece.md b/deploy-manage/security/ip-filtering-ece.md
index b536e3c266..d54b681151 100644
--- a/deploy-manage/security/ip-filtering-ece.md
+++ b/deploy-manage/security/ip-filtering-ece.md
@@ -57,9 +57,8 @@ To create a rule set:
 
 After you’ve created the rule set, you’ll need to associate it with your deployment:
 
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters**, select **Apply filter**.
-3. Choose the filter you want to apply and select **Apply filter**.
+:::{include} _snippets/associate-filter-ece.md
+:::
 
 At this point, the IP filtering rule set is active. You can remove or edit it at any time.
 
@@ -67,8 +66,8 @@ At this point, the IP filtering rule set is active. You can remove or edit it at
 
 If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI:
 
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters** select **Remove**.
+:::{include} _snippets/detach-filter-ece.md
+:::
 
 ## Edit an IP filtering rule set
 
diff --git a/deploy-manage/security/network-security.md b/deploy-manage/security/network-security.md
index 43a1f9b0ba..ef9ec31cc9 100644
--- a/deploy-manage/security/network-security.md
+++ b/deploy-manage/security/network-security.md
@@ -44,6 +44,7 @@ You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-c
 | Filter type | Description | Applicable deployment types |
 | --- | --- | --- |
 | [IP filters](ip-filtering.md) | Filter traffic from the public internet by allowlisting specific IP addresses and Classless Inter-Domain Routing (CIDR) masks.<br><br>• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)<br><br>• [In ECE](/deploy-manage/security/ip-filtering-ece.md)<br><br>• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters |
+| [Remote cluster filters](./remote-cluster-filtering.md) | Filter incoming remote cluster traffic by validating the client certificate against its `organization_id` and `cluster_id`.<br><br>Only applicable with the API key–based authentication model.<br><br>Not supported for ECE → ECH traffic. | ECH and ECE, limited to [these use cases](/deploy-manage/remote-clusters.md#use-cases-network-security) |
 | [Private connectivity and VPC filtering](/deploy-manage/security/private-connectivity.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPC filtering. Choose the relevant option for your region:<br><br>• AWS regions: [AWS PrivateLink](/deploy-manage/security/private-connectivity-aws.md)<br><br>• Azure regions: [Azure Private Link](/deploy-manage/security/private-connectivity-azure.md)<br><br>• GCP regions: [GCP Private Service Connect](/deploy-manage/security/private-connectivity-gcp.md) | {{ech}} only |
 | [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only |
 
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
new file mode 100644
index 0000000000..1b60bbcd15
--- /dev/null
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -0,0 +1,238 @@
+---
+applies_to:
+  deployment:
+    ess: ga
+    ece: ga
+navigation_title: "Remote cluster filters"
+sub:
+  policy-type: "Private connection"
+---
+
+# Remote cluster filtering
+
+In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication.
+
+::::{note} about terminology
+In the case of remote clusters, the {{es}} cluster or deployment initiating the connection and requests is often referred to as the **local cluster**, while the {{es}} cluster or deployment receiving the requests is referred to as the **remote cluster**.
+::::
+
+These filters are supported only when the local and remote clusters run on the same platform (both on the same ECE environment, or both on ECH), as they rely on the certificates and proxy mechanisms provided by these environments.
+
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information about the remote clusters functionality, its relationship to network security, and the supported [use cases](/deploy-manage/remote-clusters.md#use-cases-network-security).
+
+
+## How remote cluster filters work
+
+Remote cluster filters operate at the proxy level, allowing incoming connections based on the organization ID or {{es}} cluster ID of the local cluster that initiates the connection to the remote cluster service endpoint (default port `9443`).
+
+::::{note}
+In {{ece}}, the equivalent of the organization ID in {{ech}} is the **environment ID**, which serves the same purpose for remote cluster filtering.
+::::
+
+Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works), these filters are only relevant when network security is enabled on the remote cluster.
+* If network security is disabled, all traffic is allowed by default and remote clusters work without any filtering policy.
+* If network security is enabled, all traffic is blocked unless explicitly allowed. In this case, you must add a remote cluster filter in the remote cluster to permit remote cluster connections from the local clusters.
+
+To apply a filter to a deployment, you must first create a security policy at the organization or platform level, and then apply it to your deployment.
+
+This guide covers the following remote cluster filtering tasks:
+
+* [Create a remote cluster filter](#create-remote-cluster-filter)
+* [Associate a remote cluster filter with your deployment](#apply-remote-cluster-filter)
+* [Remove a filter association from your deployment](#remove-association)
+* [Edit a remote cluster filter](#edit-remote-cluster-filter)
+* [Delete a remote cluster filter](#delete-remote-cluster-filter)
+
+## Create a remote cluster filter [create-remote-cluster-filter]
+
+:::::{tab-set}
+:group: deployment
+::::{tab-item} {{ech}}
+:sync: ech
+Remote cluster filters are presented in {{ecloud}} as a type of Private Connection filter. To create a remote cluster filter:
+
+:::{include} _snippets/network-security-page.md
+:::
+4. Select **Create** > **Private connection**.
+5. Select the cloud provider and region for the remote cluster filter. 
+   
+    :::{note}
+    Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
+    :::
+
+6. Under **Connectivity**, select **Remote cluster**.
+7. Add a meaningful name and description for the filter.
+8. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the {{ecloud}} deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
+
+    ::::{tip}
+    You can find the organization ID on the organization page in the top-right menu, and the {{es}} cluster ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
+    ::::
+
+9.  Optional: Under **Apply to resources**, associate the new filter with one or more deployments. After you associate the filter with a deployment, it will allow remote cluster traffic coming from the organization or {{es}} IDs defined in the rules.
+
+    :::{note}
+    You can apply multiple policies to a single deployment. For {{ech}} deployments, you can apply both IP filter policies and private connection policies. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`.
+
+    [Learn more about how network security policies affect your deployment](network-security-policies.md).
+    :::
+
+8.  To automatically attach this filter to new deployments, select **Apply by default**.
+9.   Click **Create**.
+::::
+
+::::{tab-item} {{ece}}
+:sync: ece
+
+To create a remote cluster filter:
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+3. Select **Create filter**.
+4. Select **Remote cluster rule set** as the filter type.
+5. Add a meaningful name and description for the rule set.
+6. In the **Organization ID** and **{{es}} ID** fields, enter the ECE environment ID or cluster ID of the deployments from which you want to allow traffic.
+   * Use the **ECE environment ID** as the organization ID to allow traffic from all deployments in that environment.
+   * Use the **{{es}} cluster ID** to allow traffic only from specific deployments.
+
+   Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
+
+    ::::{tip}
+    You can find the ECE environment ID under **Platform → Trust Management → Trust parameters**, and the {{es}} cluster ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
+    ::::
+
+7. Select if this rule set should be automatically attached to new deployments.
+8. Select **Create filter** to create the remote cluster filter.
+
+::::
+
+:::::
+
+## Associate a remote cluster filter with your deployment [apply-remote-cluster-filter]
+
+After you've created the network security policy or rule set, you'll need to associate it with your deployment. To do that:
+
+:::::::{tab-set}
+:group: deployment
+
+::::::{tab-item} {{ech}}
+:sync: ech
+
+#### From a deployment
+
+:::{include} _snippets/associate-filter.md
+:::
+
+#### From the policy settings
+
+:::{include} _snippets/network-security-page.md
+:::
+5. Find the policy you want to edit.
+6. Under **Apply to resources**, associate the policy with one or more deployments.
+7. Click **Update** to save your changes.
+::::::
+
+::::::{tab-item} {{ece}}
+:sync: ece
+:::{include} _snippets/associate-filter-ece.md
+:::
+
+::::::
+
+:::::::
+
+## Remove a filter association from your deployment [remove-association]
+
+To remove a network security policy or rule set association from your deployment:
+
+:::::::{tab-set}
+:group: deployment
+
+::::::{tab-item} {{ech}}
+:sync: ech
+
+You can remove associations from your deployments directly from the policy settings or from the deployment security page.
+
+#### From your deployment security page
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. On the **Hosted deployments** page, select your deployment.
+3. Select the **Security** tab on the left-hand side menu bar.
+4. Under **Network security**, find the security policy you want to disconnect.
+5. Under **Actions**, click the **Delete** icon.
+
+#### From the network security policy settings
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the remote cluster policy you want to edit, then select the **Edit** {icon}`pencil` button.
+5. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect.
+6. Click **Update** to save your changes.
+
+
+::::::
+
+::::::{tab-item} {{ece}}
+:sync: ece
+
+:::{include} _snippets/detach-filter-ece.md
+:::
+
+::::::
+
+:::::::
+
+## Edit a remote cluster filter [edit-remote-cluster-filter]
+
+You can edit a remote cluster filter policy name or change the list of allowed Organization IDs and {{es}} cluster IDs. To do that:
+
+:::::::{tab-set}
+:group: deployment
+
+::::::{tab-item} {{ech}}
+:sync: ech
+
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the remote cluster policy you want to edit, then select the **Edit** {icon}`pencil` button.
+5. Select **Update** to save your changes.
+::::::
+
+::::::{tab-item} {{ece}}
+:sync: ece
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+3. Find the rule set you want to edit.
+4. Select the **Edit** {icon}`pencil` button.
+5. Click **Update** to save your changes.
+::::::
+
+:::::::
+
+## Delete a remote cluster filter [delete-remote-cluster-filter]
+
+If you need to remove a remote cluster filter policy, you must first [remove any associations](#remove-association) with deployments.
+
+To delete a filter:
+
+:::::::{tab-set}
+:group: deployment
+
+::::::{tab-item} {{ech}}
+:sync: ech
+
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the rule set you want to edit, then select the **Delete** {icon}`trash` button. The icon is inactive if there are deployments associated with the filter.
+::::::
+
+::::::{tab-item} {{ece}}
+:sync: ece
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+3. Find the rule set you want to edit.
+4. Click the **Delete** {icon}`trash` button. The button is inactive if there are deployments assigned to the rule set.
+::::::
+
+:::::::
+
+
diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml
index dd51844754..abdae564db 100644
--- a/deploy-manage/toc.yml
+++ b/deploy-manage/toc.yml
@@ -495,6 +495,7 @@ toc:
                   - file: security/ip-filtering-cloud.md
                   - file: security/ip-filtering-ece.md
                   - file: security/ip-filtering-basic.md
+              - file: security/remote-cluster-filtering.md
               - file: security/private-connectivity.md
                 children:
                   - file: security/private-connectivity-aws.md