DOC-1615 Document feature Private Console Networking (#431)

micheleRP · web-flow · commit b0277db4d756 · 2025-10-10T16:22:36.000-06:00
* DOC-1615 Document feature Private Console Networking

* coderabbit suggestion

* Update for private networking only + on Dedicated

* incorporate Paul's feedback

* incorporate Camilo's feedback

* users without VPN access to the Redpanda VPC will lose access to these services

* update note about kubectl
diff --git a/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc b/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc
@@ -37,9 +37,12 @@ To verify access, you should be able to successfully run `aws sts get-caller-ide
 Optionally, click *Advanced settings* to specify up to five key-value custom tags. After the cluster is created, the tags are applied to all AWS resources associated with this cluster. For more information, see the https://docs.aws.amazon.com/mediaconnect/latest/ug/tagging-restrictions.html[AWS documentation^]. After the cluster is created, you can <<manage-custom-tags,specify more tags with the Cloud API>>.
 
 . Click *Next*.
-. On the Network page, enter the connection type: either *Public* or *Private*. For BYOC clusters, *Private* is best-practice.
+. On the Network page, select the connection type: either public or private. For BYOC clusters, private is best-practice.
 ** Your network name is used to identify this network.
 ** For a xref:networking:cidr-ranges.adoc[CIDR range], choose one that does not overlap with your existing VPCs or your Redpanda network.
+** Clusters with private networking include a setting for API Gateway network access. Public access exposes endpoints for Redpanda Console, the Data Plane API, and the MCP Server API, but they remain protected by your authentication and authorization controls. Private access restricts endpoint access to your VPC only.
++
+NOTE: After the cluster is created, you can change the API Gateway access on the cluster settings page. If you change from public to private access, users without VPN access to the Redpanda VPC will lose access to these services.
 . Click *Next*.
 . On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.
 +
diff --git a/modules/get-started/pages/cluster-types/byoc/azure/create-byoc-cluster-azure.adoc b/modules/get-started/pages/cluster-types/byoc/azure/create-byoc-cluster-azure.adoc
@@ -161,9 +161,14 @@ To create a Redpanda cluster in your Azure VNet, follow the <<prerequisites,prer
 Optionally, click *Advanced settings* to specify up to five key-value custom tags. After the cluster is created, the tags are applied to all Azure resources associated with this cluster. For details, see the https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources[Microsoft documentation^]. After the cluster is created, you can <<manage-custom-tags,specify more tags with the Cloud API>>. 
 
 . Click *Next*.
-. On the Network page, enter the connection type: either *Public* or *Private*. For BYOC clusters, *Private* using Azure Private Link is best-practice. 
+. On the Network page, select the connection type: either public or private. For BYOC clusters, private using Azure Private Link is best-practice.
 ** Your network name is used to identify this network.
 ** For a xref:networking:cidr-ranges.adoc[CIDR range], choose one that does not overlap with your existing VPCs or your Redpanda network.
+** Clusters with private networking include a setting for API Gateway network access. Public access exposes endpoints for Redpanda Console, the Data Plane API, and the MCP Server API, but they remain protected by your authentication and authorization controls. Private access restricts endpoint access to your VNet only.
++
+Private access incurs an additional cost, since it involves deploying two network load balancers, instead of one. 
++
+NOTE: After the cluster is created, you can change the API Gateway access on the cluster settings page. If you change from public to private access, users without VPN access to the Redpanda VPC will lose access to these services.
 . Click *Next*.
 . On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.
 +
diff --git a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
@@ -27,9 +27,12 @@ Enter a cluster name, then select the resource group, provider (GCP), xref:refer
 +
 Optionally, click *Advanced settings* to specify up to five key-value custom GCP labels. If a label key starts with `gcp.network-tag.<tag>`, then the agent interprets it as a request to apply the `<tag>` https://cloud.google.com/vpc/docs/add-remove-network-tags[network tag^] to GCE instances in the cluster. Use labels for organization/metadata; use network tags to target firewall rules and routes. After the cluster is created, labels are applied to applicable GCP resources (for example, instances and disks), and network tags are applied to instances. For more information, see the https://cloud.google.com/compute/docs/labeling-resources[GCP documentation^]. After the cluster is created, you can <<manage-custom-resource-labels-and-network-tags,specify more labels with the Cloud API>>. 
 . Click *Next*.
-. On the Network page, enter the connection type: either *Public* or *Private*. For BYOC clusters, *Private* is best-practice.
+. On the Network page, select the connection type: either public or private. For BYOC clusters, private is best-practice.
 ** Your network name is used to identify this network.
 ** For a xref:networking:cidr-ranges.adoc[CIDR range], choose one that does not overlap with your existing VPCs or your Redpanda network.
+** Clusters with private networking include a setting for API Gateway network access. Public access exposes endpoints for Redpanda Console, the Data Plane API, but they remain protected by your authentication and authorization controls. Private access restricts endpoint access to your VPC only.
++
+NOTE: After the cluster is created, you can change the API Gateway access on the cluster settings page. If you change from public to private access, users without VPN access to the Redpanda VPC will lose access to these services.
 . Click *Next*.
 . On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.
 +
diff --git a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc
@@ -17,11 +17,16 @@ Enter a cluster name, then select the resource group, cloud provider (AWS, GCP,
 ====
 
 . Click *Next*.
-. On the Network page, enter the connection type: *Public* or *Private*. For private networks:
+. On the Network page, enter the connection type: public or private. For private networks:
 ** Your network name is used to identify this network.
 ** For a xref:networking:cidr-ranges.adoc[CIDR range], choose one that does not overlap with your existing VPCs or your Redpanda network.
 +
 Private networks require either a VPC peering connection or a private connectivity service, such as xref:networking:configure-privatelink-in-cloud-ui.adoc[AWS PrivateLink], xref:networking:configure-private-service-connect-in-cloud-ui.adoc[GCP Private Service Connect], or xref:networking:azure-private-link.adoc[Azure Private Link]. 
+** Clusters with private networking include a setting for API Gateway network access. Public access exposes endpoints for Redpanda Console, the Data Plane API, and the MCP Server API, but they remain protected by your authentication and authorization controls. Private access restricts endpoint access to your VPC/VNet only.
++
+On Azure, private access incurs an additional cost, since it involves deploying two network load balancers, instead of one.
++
+NOTE: After the cluster is created, you can change the API Gateway access on the cluster settings page. If you change from public to private access, users without VPN access to the Redpanda VPC will lose access to these services.
 
 . Click *Create*.
 +
diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc
@@ -8,11 +8,22 @@ This page lists new features added to Redpanda Cloud.
 
 == October 2025
 
-=== CyborgDB connector
+=== API Gateway access
+
+BYOC and Dedicated clusters with private networking now allow control of API Gateway network access, independent of the Redpanda cluster. When you create a cluster, you can choose either public or private access for the API Gateway:
+
+* Public access exposes Redpanda Console, Data Plane API, and MCP Server API endpoints over the internet, although they remain protected by your authentication and authorization controls.
+* Private access restricts endpoint access to your private network (VPC or VNet) only.
+
+After the cluster is created, you can change the API Gateway access on the cluster settings page. If you change from public to private access, users without VPN access to the Redpanda VPC will lose access to these services.
+
+=== Redpanda Connect updates
 
 The xref:develop:connect/components/outputs/cyborgdb.adoc[CyborgDB output connector] allows you to write vectors to a CyborgDB encrypted index. CyborgDB provides
 end-to-end encrypted vector storage with automatic dimension detection and index optimization.
 
+For detailed information about recent component updates, see xref:redpanda-connect:ROOT:whats_new_rpcn.adoc[What's New in Redpanda Connect].
+
 == September 2025
 
 === Multi-factor authentication
@@ -88,7 +99,7 @@ xref:develop:connect/about.adoc[Redpanda Connect] is now generally available (GA
 
 === Redpanda Connect updates
 
-Redpanda Connect includes the following updates for Redpanda Cloud:         
+Redpanda Connect includes the following updates:
 
 * The xref:develop:connect/components/inputs/gcp_spanner_cdc.adoc[GCP Spanner CDC] component lets you capture changes from Google Cloud Spanner and stream them into Redpanda. You can use it to ingest data from GCP Spanner databases, enabling real-time data processing and analytics.
 * The xref:develop:connect/components/outputs/slack_reaction.adoc[Slack Reaction] component lets you send messages to a Slack channel in response to events in Redpanda. You can use it to create alerts, notifications, or other automated responses based on data changes in Redpanda. 
diff --git a/modules/get-started/partials/no-access.adoc b/modules/get-started/partials/no-access.adoc
@@ -1 +1 @@
-NOTE: Redpanda Cloud does not support customer access to the Kubernetes control plane with `kubectl`. This restriction allows Redpanda Data to manage all configuration changes internally to ensure a 99.99% service level agreement (SLA) for BYOC clusters.
+NOTE: Redpanda Cloud does not support customer access or modifications to any of the internal data plane resources. This restriction allows Redpanda Data to manage all configuration changes internally to ensure a 99.99% service level agreement (SLA) for BYOC clusters.

Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,12 @@ Enter a cluster name, then select the resource group, provider (GCP), xref:refer`
`27`	`27`	`+`
`28`	`28`	Optionally, click Advanced settings to specify up to five key-value custom GCP labels. If a label key starts with `gcp.network-tag.<tag>`, then the agent interprets it as a request to apply the `<tag>` https://cloud.google.com/vpc/docs/add-remove-network-tags[network tag^] to GCE instances in the cluster. Use labels for organization/metadata; use network tags to target firewall rules and routes. After the cluster is created, labels are applied to applicable GCP resources (for example, instances and disks), and network tags are applied to instances. For more information, see the https://cloud.google.com/compute/docs/labeling-resources[GCP documentation^]. After the cluster is created, you can <<manage-custom-resource-labels-and-network-tags,specify more labels with the Cloud API>>.
`29`	`29`	`. Click Next.`
`30`		`-. On the Network page, enter the connection type: either Public or Private. For BYOC clusters, Private is best-practice.`
	`30`	`+. On the Network page, select the connection type: either public or private. For BYOC clusters, private is best-practice.`
`31`	`31`	`** Your network name is used to identify this network.`
`32`	`32`	`** For a xref:networking:cidr-ranges.adoc[CIDR range], choose one that does not overlap with your existing VPCs or your Redpanda network.`
	`33`	`+** Clusters with private networking include a setting for API Gateway network access. Public access exposes endpoints for Redpanda Console, the Data Plane API, but they remain protected by your authentication and authorization controls. Private access restricts endpoint access to your VPC only.`
	`34`	`++`
	`35`	`+NOTE: After the cluster is created, you can change the API Gateway access on the cluster settings page. If you change from public to private access, users without VPN access to the Redpanda VPC will lose access to these services.`
`33`	`36`	`. Click Next.`
`34`	`37`	`. On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.`
`35`	`38`	`+`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-NOTE: Redpanda Cloud does not support customer access to the Kubernetes control plane with `kubectl`. This restriction allows Redpanda Data to manage all configuration changes internally to ensure a 99.99% service level agreement (SLA) for BYOC clusters.
	`1`	`+NOTE: Redpanda Cloud does not support customer access or modifications to any of the internal data plane resources. This restriction allows Redpanda Data to manage all configuration changes internally to ensure a 99.99% service level agreement (SLA) for BYOC clusters.`