Introducing Remote cluster filters in the docs

deploy-manage/remote-clusters.md

@@ -64,23 +64,43 @@ This section explains how remote clusters interact with network security when us
 
 ### Filter types for remote clusters traffic
 
-Network security for remote cluster incoming connections using API key authentication supports two types of filters:
+With API key–based authentication, remote clusters require the local cluster (A) to trust the transport SSL certificate presented by the remote cluster server (B). When network security is enabled on the destination cluster (B), it’s also necessary to explicitly allow the incoming traffic from cluster A. This can be achieved using different types of traffic filters:
+
+* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
+
+  Use IP filters when the local cluster is self-managed.
 
-* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.  
 * [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
 
+  Use remote cluster filters when the local cluster is also on ECH or ECE, as these filters are specific to {{ecloud}} and ECE platforms.
+
 ### Use cases for remote clusters and network security [use-cases-network-security]
 
-Network security is supported to control remote cluster traffic in the following scenarios:
+[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) are supported to control remote cluster traffic in the following scenarios:
+  * Local and remote clusters are {{ech}} deployments in the same organization
+  * Local and remote clusters are {{ech}} deployments in different organizations 
+  * Local and remote clusters are {{ece}} deployments in the same ECE environment
+  * Local and remote clusters are {{ece}} deployments in different ECE environments
+  * The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+    ::::{note}
+    Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
+    ::::
+
+[IP filters](/deploy-manage/security/ip-filtering.md) are the only option for applying network security when the local deployment is a self-managed or an {{eck}} cluster, and the remote is on {{ece}} or {{ech}}.
 
-* Local and remote clusters are {{ech}} deployments in the same organization
-* Local and remote clusters are {{ech}} deployments in different organizations 
-* Local and remote clusters are {{ece}} deployments in the same ECE environment
-* Local and remote clusters are {{ece}} deployments in different ECE environments
-* The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+### (option 2) Use cases for remote clusters and network security [use-cases-network-security2]
+
+Network security can be used to control remote cluster traffic in the following scenarios. The supported filter depends on the deployment types involved:
+
+| Scenario                                                                                  | Supported filter                                                                 |
+|-------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
+| Local and remote clusters are ECH deployments in the same organization                | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)     |
+| Local and remote clusters are ECH deployments in different organizations              | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)     |
+| Local and remote clusters are ECE deployments in the same environment                 | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)     |
+| Local and remote clusters are ECE deployments in different environments               | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)     |
+| The local deployment is on ECH and the remote deployment is on an ECE environment | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)     |
+| Local deployment is self-managed or orchestrated by ECK                               | [IP filters](/deploy-manage/security/ip-filtering.md)                             |
 
 ::::{note}
 Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
 ::::
-
-Refer to [Remote cluster filtering](/deploy-manage/security/remote-cluster-filtering.md) for instructions on creating and applying remote cluster filters in ECH or ECE.

deploy-manage/remote-clusters/ec-enable-ccs.md

@@ -57,4 +57,4 @@ The steps, information, and authentication method required to configure CCS and
 
 ## Remote clusters and network security [ec-ccs-ccr-network-security]
 
-If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).

deploy-manage/remote-clusters/ece-enable-ccs.md

@@ -62,4 +62,4 @@ The steps, information, and authentication method required to configure CCS and
 
 ## Remote clusters and network security [ece-ccs-ccr-network-security]
 
-If you have [network security filters](/deploy-manage/security/ece-filter-rules.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).

deploy-manage/security/remote-cluster-filtering.md

@@ -51,7 +51,7 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
     Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
     :::
 
-6. Under**Connectivity**, select **Remote cluster**.
+6. Under **Connectivity**, select **Remote cluster**.
 7. Add a meaningful name and description for the filter.
 8. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the {{ecloud}} deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.