DOC-1684 update config client connections

[micheleRP]

Description

This pull request updates the documentation for configuring connection limits by client IP in Redpanda, clarifying how the kafka_connections_max_per_ip property works and adding guidance for handling attacks from multiple IPs.

• Added a note explaining that when under attack from many IPs, kafka_connections_max_per_ip may not be sufficient, and suggested using kafka_connections_max_overrides to exempt known legitimate client IPs from the limit.
• Added a See also reference to the cluster configuration in RP doc.

Resolves https://redpandadata.atlassian.net/browse/DOC-1684
Review deadline:

Page previews

Configure Client Connections

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Name	Link
🔨 Latest commit	d57906a
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/68d4603c62844b0008ec7aa6
😎 Deploy Preview	https://deploy-preview-1364--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

The PR updates documentation in modules/manage/pages/cluster-maintenance/configure-availability.adoc. It revises wording for configuring kafka_connections_max_per_ip, adds a cross-reference to config-cluster.adoc, inserts notes about multi-IP attacks and using kafka_connections_max_overrides, and expands the workflow with explicit monitoring steps. New monitoring guidance includes setting up monitoring and checking redpanda_rpc_active_connections, with a code snippet and Grafana example. The Limitations section remains functionally the same, with added context aligning to the new notes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• DOC-1643 single source client connections in docs #1357 — Also edits the same Configure Client Connections doc, touching kafka_connections_max_per_ip and kafka_connections_max_overrides with similar cautionary guidance.

Suggested reviewers

• c4milo
• mattschumpert
• paulohtb6

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "DOC-1684 update config client connections" directly references the Jira ticket and succinctly summarizes the primary change—updating client connection configuration documentation—so it accurately reflects the changeset and is clear for repository history scanning.
Linked Issues Check	✅ Passed	The changes implement the objectives in DOC-1684 by clarifying kafka_connections_max_per_ip behavior, adding guidance for multi-IP attack scenarios with a recommendation to use kafka_connections_max_overrides, and adding the requested cross-reference, so the documentation updates align with the linked issue's goals.
Out of Scope Changes Check	✅ Passed	All edits are confined to modules/manage/pages/cluster-maintenance/configure-availability.adoc and are directly related to updating client connection configuration guidance for DOC-1684, with no unrelated or out-of-scope files changed.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	The PR description follows the repository template: it contains the "Description" section with a concise change summary and Jira link, a "Page previews" entry with a preview URL, and the "Checks" checklist marking "Content gap." The "Review deadline" field is present but left blank, which is non-critical. Overall the description is sufficiently complete and matches the required template structure.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

modules/manage/pages/cluster-maintenance/configure-availability.adoc (2)

38-39: Add link text and verify xref target.

Provide descriptive link text and confirm the xref path resolves at build time.

Apply:

-See also: xref:manage:cluster-maintenance/config-cluster.adoc[].
+See also: xref:manage:cluster-maintenance/config-cluster.adoc[Cluster configuration].

To verify the reference resolves, run the docs build/link-check pipeline or search the repo for the target file and anchors. If helpful, I can supply a script to locate the target and check for broken xrefs.

---

56-56: Avoid brittle “step 3” reference.

Referencing numbered steps can drift with edits. Rephrase to be self-contained.

Apply:

-. Set the `kafka_connections_max_per_ip` value based on your analysis. Use the upper bound of normal connections from step 3, or use a lower value if you know how many connections per client IP are being opened. 
+. Set the `kafka_connections_max_per_ip` value based on your analysis. Use the upper bound of the normal connection range observed above, or a lower value if you know how many connections each client IP opens.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1cf0117 and 141126f.

📒 Files selected for processing (1)

• modules/manage/pages/cluster-maintenance/configure-availability.adoc (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Redirect rules - redpanda-docs-preview
• GitHub Check: Header rules - redpanda-docs-preview
• GitHub Check: Pages changed - redpanda-docs-preview

🔇 Additional comments (2)

modules/manage/pages/cluster-maintenance/configure-availability.adoc (2)

34-34: LGTM on intent and placement.

Clear directive and correctly names the property.

---

60-60: Clarify overrides semantics; “exclude” can mislead

Redpanda docs are inconsistent: kafka_connections_max_overrides is shown with ip:limit examples but described as an exemption list, and there’s no documented '-1' sentinel for unlimited. Update the note to avoid implying a pure “exclude” behavior or claiming '-1' support.

Suggested wording: NOTE: When facing attacks from multiple IP addresses, kafka_connections_max_per_ip alone may be insufficient. If offending IPs outnumber legitimate client IPs, you may need a low global per‑IP limit that risks impacting legitimate clients. Use kafka_connections_max_overrides to provide per‑IP overrides or to exempt known legitimate client IPs from the global limit — verify whether Redpanda accepts host:limit mappings (like Kafka) or only host entries, and whether an explicit '-1' for unlimited is supported before documenting specific syntax.

[c4milo]

I wouldn't say "attacks" since it is not always "attacks" and more commonly for our case just accidents

[kbatuigas]

One clarifying question, but looks good otherwise. Please let me know if another review is needed!

[kbatuigas]

Suggested change

NOTE: If you find a high load of unexpected connections from multiple IP addresses, `kafka_connections_max_per_ip` alone may be insufficient. If offending IPs outnumber legitimate client IPs, you may need to set `kafka_connections_max_per_ip` so low that it affects legitimate clients. If this is the case, use `kafka_connections_max_overrides` to exempt known legitimate client IPs from the connection limit.

NOTE: If you find a high load of unexpected connections from multiple IP addresses, `kafka_connections_max_per_ip` alone may be insufficient. If offending IPs outnumber legitimate client IPs, you may need to set `kafka_connections_max_per_ip` so low that it affects legitimate clients. In this case, also use `kafka_connections_max_overrides` to exempt known legitimate client IPs from the connection limit.

Do I understand correctly that "affects legitimate clients" means those clients are completely blocked from connecting to the broker?

[micheleRP]

yes, they could be

[c4milo]

It looks great @micheleRP, thank you!