From d60e8684de1d0ba6075e386b0a16745797472b04 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 19 May 2026 20:53:55 -0700 Subject: [PATCH 1/9] docs(networking): document Console access over AWS PrivateLink Adds a Console row to the PrivateLink services table and a new "Access Redpanda Console" subsection in the shared partial. Engineering confirmed that DNS for the Console hostname is auto-resolved by the verified private DNS name on the endpoint service, so consumers do not need to create a private hosted zone or override DNS. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../configure-privatelink-in-cloud-ui.adoc | 2 +- ...-links-access-rp-services-through-vpc.adoc | 29 +++++++++++++++---- 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index b84c0847f..962bd2309 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc @@ -70,7 +70,7 @@ include::networking:partial$private-links-aws-client-vpc-setup.adoc[] == Access Redpanda services through VPC endpoint -After you have enabled PrivateLink for your cluster, your connection URLs are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. +After you have enabled PrivateLink for your cluster, your connection URLs for the Kafka API, Schema Registry, HTTP Proxy, and Redpanda Console are available in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] diff --git a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc index 3a57232c2..775774318 100644 --- a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc 
+++ b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc @@ -1,13 +1,14 @@ -You can access Redpanda services such as Schema Registry and HTTP Proxy from the client VPC or virtual network; for example, from a compute instance in the VPC or network. +You can access Redpanda services such as Redpanda Console, Schema Registry, and HTTP Proxy from the client VPC or virtual network; for example, from a compute instance in the VPC or network. The bootstrap server hostname is unique to each cluster. The service attachment exposes a set of bootstrap ports for access to Redpanda services. These ports load balance requests among brokers. Make sure you use the following ports for initiating a connection from a consumer: -|=== -| Redpanda service | Default bootstrap port +|=== +| Redpanda service | Default port -| Kafka API | 30292 -| HTTP Proxy | 30282 -| Schema Registry | 30081 +| Kafka API | 30292 +| HTTP Proxy | 30282 +| Schema Registry | 30081 +| Redpanda Console | 443 |=== === Access Kafka API seed service 
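Review bot: The sentence above the table still says the listed ports are bootstrap ports that "load balance requests among brokers", which no longer holds for the new `| Redpanda Console | 443` row: Console is a web UI behind its own load balancer, not a broker bootstrap port. Reword the intro (for example, "use the following ports to reach each service") or footnote the Console row so the renamed "Default port" header and the prose agree.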
@@ -53,3 +54,19 @@ Use port `30282` to access the Redpanda HTTP Proxy seed service. ---- curl -vv -u : -H "Content-Type: application/vnd.kafka.json.v2+json" --sslv2 --http2 :30282/topics ---- + +=== Access Redpanda Console + +From a host in the client VPC, browse to Redpanda Console over HTTPS at: + +`https://console.` + +For example, if `cluster_domain` is `cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com`, Redpanda Console is reachable at `https://console.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com`. + +[NOTE] +==== +* DNS resolution for the Redpanda Console hostname is handled automatically by the PrivateLink endpoint service. You don't need to create a private hosted zone or override DNS in the client VPC. +* The Redpanda Console hostname follows the same `cluster_domain` shown in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. +* The security group attached to your VPC endpoint must allow inbound TCP on port `443`. +* If the cluster's API gateway access is set to `PRIVATE`, Redpanda Console is reachable only through PrivateLink (or another private route into the cluster VPC). If set to `PUBLIC`, Redpanda Console remains reachable on the public internet as well. +==== From cc4243c3dc95c7544686ca3753af8d8ac8c8a004 Mon Sep 17 00:00:00 2001 
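Review bot: The NOTE bullet "The security group attached to your VPC endpoint must allow inbound TCP on port `443`" gives a port but no source, which readers tend to satisfy with `0.0.0.0/0`; scope it to the client workload sources (the client VPC CIDR or specific client security groups). The bullet on "API gateway access" being `PRIVATE` or `PUBLIC` names a setting that appears nowhere else on the page; link to where it is configured or drop it. Unrelated to this change but visible in the hunk context: the HTTP Proxy example `curl -vv ... --sslv2 --http2 :30282/topics` forces SSLv2, which current curl builds no longer support, so the example fails as written; remove `--sslv2` and let curl negotiate TLS.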
From: David Yu Date: Tue, 19 May 2026 22:50:14 -0700 Subject: [PATCH 2/9] docs(networking): add step-by-step verify for Console over PrivateLink Verified end-to-end against a private BYOC cluster with a PrivateLink endpoint in a consumer VPC: - Cluster DNS publicly returns service-side LB IPs (10.0.x.x). - From inside the consumer VPC, dig returns the endpoint's ENI private IP (e.g. 172.31.0.97) via the verified private DNS name `*.` registered on the endpoint service. - curl returns HTTP 200 with title "Redpanda Console" served over HTTPS through the endpoint. Corrects the Console URL form from `console.` to `console-.` (the random per-cluster id suffix the control plane assigns), and points to the *How to Connect* section as the authoritative source. Co-Authored-By: Claude Opus 4.7 (1M context) --- ...-links-access-rp-services-through-vpc.adoc | 37 +++++++++++++++++-- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc index 775774318..c529cd55c 100644 --- a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc +++ b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc 
@@ -57,16 +57,45 @@ curl -vv -u : -H "Content-Type: application/vnd.kafka.json.v2+js === Access Redpanda Console -From a host in the client VPC, browse to Redpanda Console over HTTPS at: +You can access Redpanda Console from any host in the client VPC. The Redpanda Console URL is shown in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. -`https://console.` +The URL is served on port `443` (HTTPS) and follows the form: -For example, if `cluster_domain` is `cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com`, Redpanda Console is reachable at `https://console.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com`. +`https://console-.` + +For example: `https://console-65e0163a.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com` + +To verify reachability from a host in the client VPC, confirm that DNS resolves the Redpanda Console hostname to a private IP on the PrivateLink endpoint: + +[,bash] +---- +dig +short console-. +---- + +The response is a private IP from the client VPC's CIDR range. For example: + +[,bash,role=no-copy] +---- +172.31.0.97 +---- + +Then confirm Redpanda Console responds over HTTPS through the endpoint: + +[,bash] +---- +curl -sS -o /dev/null -w "%{http_code}\n" https://console-./ +---- + +Expected output: + +[,bash,role=no-copy] +---- +200 +---- [NOTE] ==== * DNS resolution for the Redpanda Console hostname is handled automatically by the PrivateLink endpoint service. You don't need to create a private hosted zone or override DNS in the client VPC. -* The Redpanda Console hostname follows the same `cluster_domain` shown in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. * The security group attached to your VPC endpoint must allow inbound TCP on port `443`. * If the cluster's API gateway access is set to `PRIVATE`, Redpanda Console is reachable only through PrivateLink (or another private route into the cluster VPC). 
If set to `PUBLIC`, Redpanda Console remains reachable on the public internet as well. ==== From cfe53842fd79fa5e65a9b1165e799c94cf2e0ee1 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 19 May 2026 23:38:53 -0700 Subject: [PATCH 3/9] docs(networking): add workstation access via AWS Client VPN Adds a new section to the Cloud UI page describing how to access Redpanda Console for a private BYOC cluster from a workstation outside the client VPC. Verified against a real cluster. Key points captured: - Cluster Console for a private BYOC cluster is not browsable directly; the SPA loads but has no standalone login form. Authentication is handed off from Redpanda Cloud Console. - The cluster Overview page on cloud.redpanda.com is served by the control plane and works without a VPN. - The cluster's left navigation (Topics, Brokers, Consumer groups) is served by Redpanda Console behind PrivateLink, so it only loads when the workstation has a VPN session into the client VPC. - AWS Client VPN settings specific to PrivateLink: client CIDR must not overlap VPC CIDR, DNS server IPs must point at the VPC's resolver (so Console hostnames resolve via the endpoint ENI), split-tunnel enabled. Softens the partial's Console section from "browse to the URL" to a network-path verification, with a forward reference to the workstation flow on the Cloud UI page. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../configure-privatelink-in-cloud-ui.adoc | 63 +++++++++++++++++++ ...-links-access-rp-services-through-vpc.adoc | 16 ++--- 2 files changed, 69 insertions(+), 10 deletions(-) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 962bd2309..822f1949c 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc 
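Review bot: The worked example `https://console-65e0163a.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com` publishes what looks like a real internal dev cluster hostname together with its control-plane-assigned suffix; replace it with an obviously fake placeholder that still shows the `console-` prefix form, so readers do not copy it and the docs do not carry live identifiers. The two checks are in the right order (dig, then curl), but say explicitly that the `200` is only meaningful when the preceding dig returned an address inside the client VPC; for a cluster that the NOTE says is also reachable publicly, a `200` on its own does not prove the request went through the endpoint.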
@@ -74,6 +74,69 @@ After you have enabled PrivateLink for your cluster, your connection URLs for th include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] +[#access-redpanda-console-from-a-workstation] +== Access Redpanda Console from a workstation + +For a private BYOC cluster, Redpanda Console is exposed only through the PrivateLink endpoint, so a workstation outside the client VPC cannot resolve or reach the Console URL directly. To open Redpanda Console from a laptop, first connect the workstation to the client VPC over a VPN, then sign in to Redpanda Cloud Console and navigate to the cluster. + +Common VPN options: + +* AWS Client VPN attached to the client VPC (described below). +* A corporate VPN configured with a DNS forwarder that resolves `` against the client VPC's DNS resolver. +* An SSH SOCKS5 proxy through a bastion host in the client VPC. + +=== Set up AWS Client VPN + +For full setup instructions, see the https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html[AWS Client VPN Administrator Guide^]. The settings specific to Redpanda PrivateLink are: + +* *Authentication*: mutual certificate authentication. Generate a CA, server certificate, and client certificate; upload the server certificate and the CA certificate to AWS Certificate Manager (ACM). +* *Client IPv4 CIDR*: a `/22` or larger CIDR that does not overlap the client VPC CIDR. For example: `10.100.0.0/22`. +* *DNS server IP addresses*: the IP of the client VPC's DNS resolver (the second usable IP in the VPC CIDR). For a default VPC with CIDR `172.31.0.0/16`, use `172.31.0.2`. This is what makes PrivateLink hostnames resolve to the endpoint's ENI IPs from connected clients rather than to public DNS. +* *Split-tunnel*: enabled. Only traffic destined for the client VPC CIDR is routed through the VPN; the rest stays on the local internet. +* *VPC ID*: the client VPC where the PrivateLink endpoint lives. 
+* *Target network association*: associate the endpoint with a subnet in the same VPC as the PrivateLink endpoint. +* *Authorization rule*: allow your client CIDR to reach the client VPC CIDR. + +The Client VPN endpoint takes several minutes to reach the *Available* state after the subnet association is created. + +Allow inbound from the Client VPN security group on the PrivateLink endpoint's security group, on port `443` (Console / Schema Registry) and on the Kafka and HTTP Proxy seed ports (`30000-30999`). + +=== Connect using AWS VPN Client + +. Install the https://aws.amazon.com/vpn/client-vpn-download/[AWS VPN Client^] for macOS or Windows. +. From the AWS Console, download the Client VPN endpoint configuration file (`.ovpn`). Add your client certificate and private key inside `...` and `...` blocks at the bottom of the file. +. Open AWS VPN Client and choose *File* > *Manage Profiles* > *Add Profile*. Select the `.ovpn` file and give the profile a name. +. Select the profile and click *Connect*. The connection establishes in a few seconds. + +To verify, run the following from the workstation: + +[,bash] +---- +dig +short console-. +---- + +The response should be a private IP from the client VPC's CIDR range. For example: + +[,bash,role=no-copy] +---- +172.31.0.97 +---- + +If the response shows a public address (for example, the cluster VPC's internal LB IPs such as `10.x.x.x`), the VPC's DNS resolver was not pushed to the client. Re-check the *DNS server IP addresses* setting on the Client VPN endpoint. + +=== Open Redpanda Console through the Cloud Console left navigation + +With the VPN connected, sign in to the Redpanda Cloud Console at https://cloud.redpanda.com[cloud.redpanda.com^] and select your cluster. + +. The cluster *Overview* page loads as normal; it is served by the Redpanda Cloud control plane and does not depend on the VPN. +. Click any item in the cluster's left navigation (*Topics*, *Brokers*, *Consumer groups*, and so on). 
These views are served by Redpanda Console at `https://console-.`. With the VPN connected, your browser resolves the hostname to the PrivateLink endpoint's ENI in the client VPC and the views load. +. If the left navigation does not load (the page hangs or returns a network error), confirm the VPN session is connected and that `dig` returns a private IP for the Console hostname. Without an active VPN session, only the cluster *Overview* page is reachable from a workstation outside the client VPC. + +[NOTE] +==== +Redpanda Console does not provide a standalone login form. Do not open `https://console-.` directly in a browser: the SPA loads but cannot complete authentication, because the authentication token is handed off from Redpanda Cloud Console. Always start from https://cloud.redpanda.com[cloud.redpanda.com^]. +==== + == Test the connection You can test the connection to the endpoint service from any VM or container in the client VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL: diff --git a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc index c529cd55c..c391d85b3 100644 --- a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc +++ b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc 
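Review bot: The troubleshooting sentence "If the response shows a public address (for example, the cluster VPC's internal LB IPs such as `10.x.x.x`)" contradicts itself: `10.x.x.x` addresses are RFC 1918 private space that happens to be published in public DNS, as the earlier commit message notes. Reword to "an address outside the client VPC CIDR (for example, the cluster VPC's `10.x.x.x` load balancer IPs returned by public DNS)". In "Connect using AWS VPN Client", pasting the client private key into the `.ovpn` profile turns that file into a credential; add a sentence telling readers to restrict its permissions and keep it out of shared drives and repositories. The mutual-certificate bullet covers issuing a CA and client certificate but not revoking one, so a lost laptop keeps VPC access until the CA is rotated; point to AWS Client VPN's certificate revocation list (CRL) procedure.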
@@ -55,24 +55,18 @@ Use port `30282` to access the Redpanda HTTP Proxy seed service. curl -vv -u : -H "Content-Type: application/vnd.kafka.json.v2+json" --sslv2 --http2 :30282/topics ---- -=== Access Redpanda Console +=== Verify the Redpanda Console network path -You can access Redpanda Console from any host in the client VPC. The Redpanda Console URL is shown in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. +The Redpanda Console URL is served on port `443` (HTTPS) and follows the form `https://console-.`. The `` is a per-cluster suffix assigned by the control plane; the full URL is shown in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. -The URL is served on port `443` (HTTPS) and follows the form: - -`https://console-.` - -For example: `https://console-65e0163a.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com` - -To verify reachability from a host in the client VPC, confirm that DNS resolves the Redpanda Console hostname to a private IP on the PrivateLink endpoint: +To verify that the network path to Redpanda Console is open, run the following commands from a host in the client VPC. First, confirm DNS resolves the hostname to a private IP on the PrivateLink endpoint: [,bash] ---- dig +short console-. ---- -The response is a private IP from the client VPC's CIDR range. For example: +The response is a private IP from the client VPC's CIDR range, for example: [,bash,role=no-copy] ---- 
@@ -93,6 +87,8 @@ Expected output: 200 ---- +A 200 response confirms the network path. The Console UI itself does not expose a standalone login form: sign in to https://cloud.redpanda.com[cloud.redpanda.com^], navigate to the cluster, and use the cluster's left navigation (*Topics*, *Brokers*, *Consumer groups*) to interact with Redpanda Console. See xref:networking:configure-privatelink-in-cloud-ui.adoc#access-redpanda-console-from-a-workstation[Access Redpanda Console from a workstation] for the recommended workflow when connecting from a laptop. + [NOTE] ==== * DNS resolution for the Redpanda Console hostname is handled automatically by the PrivateLink endpoint service. You don't need to create a private hosted zone or override DNS in the client VPC. From b0a46a3ad6cd6429f8fdfcb6c841e774312fb250 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 19 May 2026 23:48:37 -0700 Subject: [PATCH 4/9] =?UTF-8?q?docs(networking):=20add=20workstation=20?= =?UTF-8?q?=E2=86=92=20cluster=20network=20path=20diagram?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ASCII diagram in the workstation access section showing the two-hop flow: Client VPN puts the laptop into the client VPC, then PrivateLink carries the connection to the cluster. Clarifies that Client VPN itself does not use PrivateLink — the VPN is just one of several ways a client can reach the VPC, and PrivateLink is the constant once you're inside. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../configure-privatelink-in-cloud-ui.adoc | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 822f1949c..5e1231b84 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc 
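Review bot: The partial is included by more than the AWS page (the first commit message calls it "the shared partial"), yet the rewritten section refers to "the PrivateLink endpoint" and "the client VPC", and the closing paragraph adds an `xref` to `configure-privatelink-in-cloud-ui.adoc#access-redpanda-console-from-a-workstation`, an AWS Client VPN procedure. On a non-AWS page the terminology is wrong and the link sends readers to instructions for another provider; use provider-neutral wording ("the cluster's private endpoint", "the client network") and put the workstation cross-reference on the AWS page itself, next to the include.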
@@ -85,6 +85,26 @@ Common VPN options: * A corporate VPN configured with a DNS forwarder that resolves `` against the client VPC's DNS resolver. * An SSH SOCKS5 proxy through a bastion host in the client VPC. +The following diagram shows the network path from a workstation, through the VPN, into the client VPC, and across PrivateLink to Redpanda Console: + +.... +Workstation + │ (public internet, OpenVPN tunnel, mutual TLS) + ▼ +AWS Client VPN endpoint ← AWS-managed; not PrivateLink + │ (workstation is now logically inside the client VPC) + ▼ +Client VPC subnet + │ (VPC routing; DNS resolved via VPC resolver to a private IP) + ▼ +PrivateLink VPC endpoint ENI ← PrivateLink begins here + │ (AWS PrivateLink service network, not on the public internet) + ▼ +Redpanda cluster VPC → Console load balancer → Redpanda Console +.... + +The Client VPN tunnel itself does not use PrivateLink. The VPN's role is to place the workstation logically inside the client VPC; the private connection to the cluster is always the PrivateLink endpoint. This is true regardless of how a client reaches the client VPC (Client VPN, corporate VPN, peered network, transit gateway, SSH bastion, or an EC2 instance inside the VPC). + === Set up AWS Client VPN For full setup instructions, see the https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html[AWS Client VPN Administrator Guide^]. The settings specific to Redpanda PrivateLink are: From 51c71be8c910fa1f8c10cc9913fa74ea54e9664e Mon Sep 17 00:00:00 2001 
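Review bot: In the diagram the annotation "DNS resolved via VPC resolver to a private IP" sits on the Client VPC subnet to PrivateLink ENI hop, but for the workstation case the lookup happens on the laptop, against the resolver pushed by Client VPN and reached through the tunnel, before any packet is routed toward the ENI. Move the DNS note to the Workstation to Client VPN hop so it matches the "DNS server IP addresses" setting described below and the `dig` check that runs on the workstation.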
From: David Yu Date: Wed, 20 May 2026 10:01:24 -0700 Subject: [PATCH 5/9] docs(networking): address PR review feedback - Drop "only" in the workstation intro; Console is reachable through other private routes too (VPC peering, transit gateway). Per @paulzhang97 review. - Widen the Client VPN inbound port range from 30000-30999 to 30000-35999 to cover both seed and per-broker Kafka API and HTTP Proxy ports. Per @paulzhang97 review. - Tighten partial's port 443 SG guidance to scope inbound to client workload sources (consumer VPC CIDR or specific client security groups) and call out that broad source ranges like 0.0.0.0/0 should be avoided. Per @coderabbitai nitpick. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../networking/pages/configure-privatelink-in-cloud-ui.adoc | 4 ++-- .../private-links-access-rp-services-through-vpc.adoc | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 5e1231b84..355f908a9 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc 
@@ -77,7 +77,7 @@ include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] [#access-redpanda-console-from-a-workstation] == Access Redpanda Console from a workstation -For a private BYOC cluster, Redpanda Console is exposed only through the PrivateLink endpoint, so a workstation outside the client VPC cannot resolve or reach the Console URL directly. To open Redpanda Console from a laptop, first connect the workstation to the client VPC over a VPN, then sign in to Redpanda Cloud Console and navigate to the cluster. +For a private BYOC cluster, Redpanda Console is exposed through the PrivateLink endpoint (or through another private route into the cluster VPC, such as VPC peering or a transit gateway), so a workstation outside the client VPC cannot resolve or reach the Console URL directly. To open Redpanda Console from a laptop, first connect the workstation to the client VPC over a VPN, then sign in to Redpanda Cloud Console and navigate to the cluster. Common VPN options: @@ -119,7 +119,7 @@ For full setup instructions, see the https://docs.aws.amazon.com/vpn/latest/clie The Client VPN endpoint takes several minutes to reach the *Available* state after the subnet association is created. -Allow inbound from the Client VPN security group on the PrivateLink endpoint's security group, on port `443` (Console / Schema Registry) and on the Kafka and HTTP Proxy seed ports (`30000-30999`). +Allow inbound from the Client VPN security group on the PrivateLink endpoint's security group, on port `443` (Console / Schema Registry) and on the Kafka API and HTTP Proxy ports (`30000-35999`, covering both the seed and per-broker ports). === Connect using AWS VPN Client diff --git a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc index c391d85b3..43037caef 100644 --- a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc 
+++ b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc @@ -92,6 +92,6 @@ A 200 response confirms the network path. The Console UI itself does not expose [NOTE] ==== * DNS resolution for the Redpanda Console hostname is handled automatically by the PrivateLink endpoint service. You don't need to create a private hosted zone or override DNS in the client VPC. -* The security group attached to your VPC endpoint must allow inbound TCP on port `443`. +* The security group attached to your VPC endpoint must allow inbound TCP on port `443` from your client workload sources only (for example, the client VPC CIDR or specific client security groups). Avoid broad source ranges such as `0.0.0.0/0`. * If the cluster's API gateway access is set to `PRIVATE`, Redpanda Console is reachable only through PrivateLink (or another private route into the cluster VPC). If set to `PUBLIC`, Redpanda Console remains reachable on the public internet as well. ==== From a91e42eac0613cdf121fe8270910e7c578a417bc Mon Sep 17 00:00:00 2001 
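Review bot: The widened rule "Kafka API and HTTP Proxy ports (`30000-35999`, covering both the seed and per-broker ports)" introduces per-broker port ranges that the partial's table (only `30292`, `30282`, `30081`) never lists, so readers cannot tell which part of the range belongs to which service or why `35999` is the upper bound; list the per-broker ranges in the table or link to where they are documented, otherwise the rule reads as an arbitrary 6,000-port opening.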
From: David Yu Date: Wed, 20 May 2026 16:17:47 -0700 Subject: [PATCH 6/9] docs(networking): address review from @micheleRP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Critical #1: Partial is shared across AWS/Azure/GCP — content must be provider-neutral. Replaced AWS-specifics in the Console verify section: "PrivateLink endpoint" → "cluster's private endpoint", example IP 172.31.0.97 → 10.0.0.42, "client VPC" → "client network", and dropped the xref to the AWS-only workstation section. AWS UI page now has a short forward link to the workstation section immediately after the partial include. Critical #2: Cloud API flow's connect_console requirement was silent. Added a sentence stating that the Cloud API requires connect_console: true and that the Cloud UI sets it automatically. Removed the now- obsolete "Confirm with engineering" item from the PR test plan. Critical #3: "API gateway access PRIVATE/PUBLIC" is not a documented term anywhere in the repo. Dropped the bullet rather than reintroduce a verbose explanation of networking_config out of scope for this PR. Critical #4: Workstation intro contradicted the partial's PUBLIC bullet. Resolved by Critical #3 (PUBLIC bullet is gone); the workstation intro already scopes to private clusters. Suggestion #6: Widened AWS Client VPN client CIDR from "/22 or larger" to "/22 (minimum) to /12 (maximum)" per AWS's documented constraint. Suggestion #5: Console URL opaque note clarified. NOTE block in the partial now also frames inbound rules as cloud-neutral ("AWS security groups, Azure NSGs, or GCP firewall rules") so the guidance is accurate when the partial renders on non-AWS pages. Skipped (with rationale in reply): Suggestion #7 (Mermaid — style only) and Suggestion #8 (page split — bigger refactor for a follow-up). 
Co-Authored-By: Claude Opus 4.7 (1M context) --- .../configure-privatelink-in-cloud-ui.adoc | 4 +++- ...te-links-access-rp-services-through-vpc.adoc | 17 +++++++++-------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 355f908a9..6bd957a06 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc @@ -74,6 +74,8 @@ After you have enabled PrivateLink for your cluster, your connection URLs for th include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] +If you are connecting from a workstation outside the client VPC, see <>. + [#access-redpanda-console-from-a-workstation] == Access Redpanda Console from a workstation 
@@ -110,7 +112,7 @@ The Client VPN tunnel itself does not use PrivateLink. The VPN's role is to plac For full setup instructions, see the https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html[AWS Client VPN Administrator Guide^]. The settings specific to Redpanda PrivateLink are: * *Authentication*: mutual certificate authentication. Generate a CA, server certificate, and client certificate; upload the server certificate and the CA certificate to AWS Certificate Manager (ACM). -* *Client IPv4 CIDR*: a `/22` or larger CIDR that does not overlap the client VPC CIDR. For example: `10.100.0.0/22`. +* *Client IPv4 CIDR*: a CIDR between `/22` (minimum) and `/12` (maximum) that does not overlap the client VPC CIDR. For example: `10.100.0.0/22`. * *DNS server IP addresses*: the IP of the client VPC's DNS resolver (the second usable IP in the VPC CIDR). For a default VPC with CIDR `172.31.0.0/16`, use `172.31.0.2`. This is what makes PrivateLink hostnames resolve to the endpoint's ENI IPs from connected clients rather than to public DNS. * *Split-tunnel*: enabled. Only traffic destined for the client VPC CIDR is routed through the VPN; the rest stays on the local internet. * *VPC ID*: the client VPC where the PrivateLink endpoint lives. diff --git a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc index 43037caef..21a76c135 100644 --- a/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc +++ b/modules/networking/partials/private-links-access-rp-services-through-vpc.adoc 
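Review bot: "a CIDR between `/22` (minimum) and `/12` (maximum)" reads backwards because prefix length and block size run in opposite directions (`/12` is the larger block with the smaller number). Say "a block no smaller than `/22` and no larger than `/12`" so the constraint cannot be read either way.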
@@ -57,20 +57,22 @@ curl -vv -u : -H "Content-Type: application/vnd.kafka.json.v2+js === Verify the Redpanda Console network path -The Redpanda Console URL is served on port `443` (HTTPS) and follows the form `https://console-.`. The `` is a per-cluster suffix assigned by the control plane; the full URL is shown in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. +When you configure private connectivity through the Cloud API, set `connect_console: true` on the network configuration to enable Console access through the cluster's private endpoint. The Cloud UI sets this for you when you enable private connectivity. -To verify that the network path to Redpanda Console is open, run the following commands from a host in the client VPC. First, confirm DNS resolves the hostname to a private IP on the PrivateLink endpoint: +The Redpanda Console URL is served on port `443` (HTTPS) and follows the form `https://console-.`. The `` is a per-cluster suffix assigned by the Redpanda control plane and is opaque to you; the full URL is shown in the *How to Connect* section of the cluster overview in the Redpanda Cloud Console. + +To verify that the network path to Redpanda Console is open, run the following commands from a host in the client network. First, confirm DNS resolves the hostname to a private IP on the cluster's private endpoint: [,bash] ---- dig +short console-. ---- -The response is a private IP from the client VPC's CIDR range, for example: +The response is a private IP from your client network's address range, for example: [,bash,role=no-copy] ---- -172.31.0.97 +10.0.0.42 ---- Then confirm Redpanda Console responds over HTTPS through the endpoint: 
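Review bot: The provider-neutral example output `10.0.0.42` collides with the AWS workstation section, which tells readers that a `10.x.x.x` answer from `dig` means the VPC resolver was not pushed and the cluster VPC's load balancer IPs came back instead. An AWS reader who sees `10.0.0.42` presented here as a correct answer and `10.x.x.x` presented there as a failure cannot reconcile the two; pick an example from a different range, or state that the correct answer is any address inside the client network's own CIDR. The new `connect_console: true` sentence names the field but not the API resource it belongs to; link to the Cloud API reference for the network configuration so readers can find it.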
@@ -87,11 +89,10 @@ Expected output: 200 ---- -A 200 response confirms the network path. The Console UI itself does not expose a standalone login form: sign in to https://cloud.redpanda.com[cloud.redpanda.com^], navigate to the cluster, and use the cluster's left navigation (*Topics*, *Brokers*, *Consumer groups*) to interact with Redpanda Console. See xref:networking:configure-privatelink-in-cloud-ui.adoc#access-redpanda-console-from-a-workstation[Access Redpanda Console from a workstation] for the recommended workflow when connecting from a laptop. +A 200 response confirms the network path. The Console UI itself does not expose a standalone login form: sign in to https://cloud.redpanda.com[cloud.redpanda.com^], navigate to the cluster, and use the cluster's left navigation (*Topics*, *Brokers*, *Consumer groups*) to interact with Redpanda Console. [NOTE] ==== -* DNS resolution for the Redpanda Console hostname is handled automatically by the PrivateLink endpoint service. You don't need to create a private hosted zone or override DNS in the client VPC. -* The security group attached to your VPC endpoint must allow inbound TCP on port `443` from your client workload sources only (for example, the client VPC CIDR or specific client security groups). Avoid broad source ranges such as `0.0.0.0/0`. -* If the cluster's API gateway access is set to `PRIVATE`, Redpanda Console is reachable only through PrivateLink (or another private route into the cluster VPC). If set to `PUBLIC`, Redpanda Console remains reachable on the public internet as well. +* DNS resolution for the Redpanda Console hostname is handled automatically by the cluster's private endpoint. You don't need to create a private hosted zone or override DNS in the client network. 
+* Ensure your network access rules (for example, AWS security groups, Azure NSGs, or GCP firewall rules) on the private endpoint allow inbound TCP on port `443` from your client workload sources only (for example, the client network's CIDR or specific client access groups). Avoid broad source ranges such as `0.0.0.0/0`. ==== From 7bb342308648271b129a00c2d68f379851a81af8 Mon Sep 17 00:00:00 2001 From: David Yu Date: Wed, 20 May 2026 16:33:43 -0700 Subject: [PATCH 7/9] docs(networking): convert workstation network-path diagram to Mermaid MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per @micheleRP suggestion #7, switches the ASCII flow diagram to a Mermaid flowchart using the @sntke/antora-mermaid-extension already configured in local-antora-playbook.yml. Preserves the original flow: five top-to-bottom nodes (Workstation → AWS Client VPN endpoint → Client VPC subnet → PrivateLink VPC endpoint ENI → Redpanda cluster VPC → Console load balancer → Redpanda Console), the same edge labels between them, and the two side annotations ("AWS-managed; not PrivateLink" next to the Client VPN endpoint, "PrivateLink begins here" next to the PrivateLink ENI) as parallelogram note shapes attached with dashed links. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../configure-privatelink-in-cloud-ui.adoc | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 6bd957a06..2c87cb0e9 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc 
@@ -89,20 +89,24 @@ Common VPN options: The following diagram shows the network path from a workstation, through the VPN, into the client VPC, and across PrivateLink to Redpanda Console: +[mermaid] .... -Workstation - │ (public internet, OpenVPN tunnel, mutual TLS) - ▼ -AWS Client VPN endpoint ← AWS-managed; not PrivateLink - │ (workstation is now logically inside the client VPC) - ▼ -Client VPC subnet - │ (VPC routing; DNS resolved via VPC resolver to a private IP) - ▼ -PrivateLink VPC endpoint ENI ← PrivateLink begins here - │ (AWS PrivateLink service network, not on the public internet) - ▼ -Redpanda cluster VPC → Console load balancer → Redpanda Console +flowchart TD + A[Workstation] + B[AWS Client VPN endpoint] + C[Client VPC subnet] + D[PrivateLink VPC endpoint ENI] + E["Redpanda cluster VPC → Console load balancer → Redpanda Console"] + + A -->|"public internet, OpenVPN tunnel, mutual TLS"| B + B -->|"workstation is now logically inside the client VPC"| C + C -->|"VPC routing; DNS resolved via VPC resolver to a private IP"| D + D -->|"AWS PrivateLink service network, not on the public internet"| E + + N1[/"AWS-managed; not PrivateLink"/] + N2[/"PrivateLink begins here"/] + B -.- N1 + D -.- N2 .... The Client VPN tunnel itself does not use PrivateLink. The VPN's role is to place the workstation logically inside the client VPC; the private connection to the cluster is always the PrivateLink endpoint. This is true regardless of how a client reaches the client VPC (Client VPN, corporate VPN, peered network, transit gateway, SSH bastion, or an EC2 instance inside the VPC). From 13cad1ca58601da575a4d1f76e890754576d7bcf Mon Sep 17 00:00:00 2001 
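Review bot: The `[mermaid]` block in this hunk depends on the @sntke/antora-mermaid-extension, which the commit message says is configured only in local-antora-playbook.yml; unless the playbook used for the published site registers the same extension, the block will render as a raw `....` literal containing Mermaid source instead of a diagram. Confirm that before merging. Minor: node `E` folds three hops (cluster VPC, Console load balancer, Redpanda Console) into one label joined with `→`, so the dashed `D -.- N2` annotation "PrivateLink begins here" marks where the PrivateLink path starts but nothing marks where it ends; splitting `E` into three nodes would make the diagram show the full private segment.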
From: David Yu Date: Wed, 20 May 2026 16:37:24 -0700 Subject: [PATCH 8/9] Revert "docs(networking): convert workstation network-path diagram to Mermaid" This reverts commit 7bb342308648271b129a00c2d68f379851a81af8. --- .../configure-privatelink-in-cloud-ui.adoc | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 2c87cb0e9..6bd957a06 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc 
@@ -89,24 +89,20 @@ Common VPN options: The following diagram shows the network path from a workstation, through the VPN, into the client VPC, and across PrivateLink to Redpanda Console: -[mermaid] .... -flowchart TD - A[Workstation] - B[AWS Client VPN endpoint] - C[Client VPC subnet] - D[PrivateLink VPC endpoint ENI] - E["Redpanda cluster VPC → Console load balancer → Redpanda Console"] - - A -->|"public internet, OpenVPN tunnel, mutual TLS"| B - B -->|"workstation is now logically inside the client VPC"| C - C -->|"VPC routing; DNS resolved via VPC resolver to a private IP"| D - D -->|"AWS PrivateLink service network, not on the public internet"| E - - N1[/"AWS-managed; not PrivateLink"/] - N2[/"PrivateLink begins here"/] - B -.- N1 - D -.- N2 +Workstation + │ (public internet, OpenVPN tunnel, mutual TLS) + ▼ +AWS Client VPN endpoint ← AWS-managed; not PrivateLink + │ (workstation is now logically inside the client VPC) + ▼ +Client VPC subnet + │ (VPC routing; DNS resolved via VPC resolver to a private IP) + ▼ +PrivateLink VPC endpoint ENI ← PrivateLink begins here + │ (AWS PrivateLink service network, not on the public internet) + ▼ +Redpanda cluster VPC → Console load balancer → Redpanda Console .... The Client VPN tunnel itself does not use PrivateLink. The VPN's role is to place the workstation logically inside the client VPC; the private connection to the cluster is always the PrivateLink endpoint. This is true regardless of how a client reaches the client VPC (Client VPN, corporate VPN, peered network, transit gateway, SSH bastion, or an EC2 instance inside the VPC). From d97360d14e34f4dbcc2fbd2afc17ce1cfd9926f6 Mon Sep 17 00:00:00 2001 
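Review bot: This revert undoes PATCH 7/9 inside the same series, so the pair adds the Mermaid diagram and removes it again without changing the final tree; drop both commits from the series (or squash them away) before merge so the history does not carry a dead intermediate state. The restored ASCII block matches the pre-7/9 text line for line, including the capitalized `Client VPC subnet`, so nothing is lost by dropping the pair. If the Mermaid version is still wanted once the extension is available in the production playbook, track it as a follow-up rather than as a reverted commit.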
From: David Yu Date: Wed, 20 May 2026 18:17:29 -0700 Subject: [PATCH 9/9] =?UTF-8?q?docs(networking):=20lowercase=20descriptor?= =?UTF-8?q?=20"Client"=20=E2=86=92=20"client"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit "Client" should not be capitalized in body text when used as a descriptor (client VPN tunnel, client VPN endpoint, client VPC subnet, etc.). The capitalized form is reserved for proper nouns: - "AWS Client VPN" — AWS service name - "AWS VPN Client" — AWS desktop application name - "Client IPv4 CIDR" — AWS UI field label Seven occurrences updated; the three proper-noun forms are preserved. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../pages/configure-privatelink-in-cloud-ui.adoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 6bd957a06..8d32ebb6b 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc @@ -96,7 +96,7 @@ Workstation AWS Client VPN endpoint ← AWS-managed; not PrivateLink │ (workstation is now logically inside the client VPC) ▼ -Client VPC subnet +client VPC subnet │ (VPC routing; DNS resolved via VPC resolver to a private IP) ▼ PrivateLink VPC endpoint ENI ← PrivateLink begins here 
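Review bot: Lowercasing `Client VPC subnet` inside the ASCII diagram in this hunk makes that node label inconsistent with the other labels in the same block (`Workstation`, `AWS Client VPN endpoint`, `PrivateLink VPC endpoint ENI`), which keep an initial capital because they are node labels rather than body text. Either leave the diagram labels in their original form or lowercase every non-proper-noun label in the block; the commit message's own rule is scoped to "body text" and does not cover the diagram.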
@@ -105,7 +105,7 @@ PrivateLink VPC endpoint ENI ← PrivateLink begins here Redpanda cluster VPC → Console load balancer → Redpanda Console .... -The Client VPN tunnel itself does not use PrivateLink. The VPN's role is to place the workstation logically inside the client VPC; the private connection to the cluster is always the PrivateLink endpoint. This is true regardless of how a client reaches the client VPC (Client VPN, corporate VPN, peered network, transit gateway, SSH bastion, or an EC2 instance inside the VPC). +The client VPN tunnel itself does not use PrivateLink. The VPN's role is to place the workstation logically inside the client VPC; the private connection to the cluster is always the PrivateLink endpoint. This is true regardless of how a client reaches the client VPC (client VPN, corporate VPN, peered network, transit gateway, SSH bastion, or an EC2 instance inside the VPC). === Set up AWS Client VPN 
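Review bot: In the parenthetical list `(client VPN, corporate VPN, peered network, transit gateway, SSH bastion, ...)` the first item names the AWS Client VPN service, which the commit message reserves as a proper noun, so lowercasing it here reintroduces the ambiguity the change is meant to remove. Write it as `AWS Client VPN` in the list, and consider "The AWS Client VPN tunnel itself does not use PrivateLink" for the first sentence, since this page is specifically about that service and the heading immediately below is "Set up AWS Client VPN".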
@@ -119,14 +119,14 @@ For full setup instructions, see the https://docs.aws.amazon.com/vpn/latest/clie * *Target network association*: associate the endpoint with a subnet in the same VPC as the PrivateLink endpoint. * *Authorization rule*: allow your client CIDR to reach the client VPC CIDR. -The Client VPN endpoint takes several minutes to reach the *Available* state after the subnet association is created. +The client VPN endpoint takes several minutes to reach the *Available* state after the subnet association is created. -Allow inbound from the Client VPN security group on the PrivateLink endpoint's security group, on port `443` (Console / Schema Registry) and on the Kafka API and HTTP Proxy ports (`30000-35999`, covering both the seed and per-broker ports). +Allow inbound from the client VPN security group on the PrivateLink endpoint's security group, on port `443` (Console / Schema Registry) and on the Kafka API and HTTP Proxy ports (`30000-35999`, covering both the seed and per-broker ports). === Connect using AWS VPN Client . Install the https://aws.amazon.com/vpn/client-vpn-download/[AWS VPN Client^] for macOS or Windows. -. From the AWS Console, download the Client VPN endpoint configuration file (`.ovpn`). Add your client certificate and private key inside `...` and `...` blocks at the bottom of the file. +. From the AWS Console, download the client VPN endpoint configuration file (`.ovpn`). Add your client certificate and private key inside `...` and `...` blocks at the bottom of the file. . Open AWS VPN Client and choose *File* > *Manage Profiles* > *Add Profile*. Select the `.ovpn` file and give the profile a name. . Select the profile and click *Connect*. The connection establishes in a few seconds. 
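Review bot: `Client VPN endpoint` in "The client VPN endpoint takes several minutes to reach the *Available* state" and in "download the client VPN endpoint configuration file" is the AWS resource type name as shown in the console, so these two occurrences arguably belong with the proper-noun exceptions the commit message lists rather than with body-text descriptors; whichever way it goes, keep it consistent with the "Set up AWS Client VPN" heading and the *Connect using AWS VPN Client* section. Separately, the second step has the reader paste a private key into the `.ovpn` profile, which makes that file a credential; the doc should tell the reader to restrict its file permissions and not share it. The security-group sentence also opens the full `30000-35999` range from the client VPN security group; if Console access is the goal of this section, state which ports that path actually needs so readers do not open more than required.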
@@ -144,7 +144,7 @@ The response should be a private IP from the client VPC's CIDR range. For exampl 172.31.0.97 ---- -If the response shows a public address (for example, the cluster VPC's internal LB IPs such as `10.x.x.x`), the VPC's DNS resolver was not pushed to the client. Re-check the *DNS server IP addresses* setting on the Client VPN endpoint. +If the response shows a public address (for example, the cluster VPC's internal LB IPs such as `10.x.x.x`), the VPC's DNS resolver was not pushed to the client. Re-check the *DNS server IP addresses* setting on the client VPN endpoint. === Open Redpanda Console through the Cloud Console left navigation
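Review bot: The sentence "If the response shows a public address (for example, the cluster VPC's internal LB IPs such as `10.x.x.x`)" contradicts itself: `10.x.x.x` is an RFC 1918 private range and the parenthetical itself calls them internal LB IPs, so a reader checking for a "public address" will not recognize the failure case. Since this hunk touches the line anyway, reword the condition to mirror the check above it, for example "If the response is not an address in the client VPC's CIDR range (for example, it resolves to the cluster VPC's internal load balancer IPs in `10.x.x.x`), the VPC's DNS resolver was not pushed to the client."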