diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 1231b4d3..78dec305 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -16,6 +16,10 @@ xref:get-started:cluster-types/serverless.adoc[Serverless] on AWS is now general You can now enable xref:manage:schema-reg/schema-id-validation.adoc[schema ID validation] by xref:manage:cluster-maintenance/config-cluster.adoc[configuring the `enable_schema_id_validation` cluster property]. This controls whether or not Redpanda validates schema IDs in records and which topic properties are enforced. Use caution when enabling this property, because it could cause decompression across topics and increase CPU load. +=== Cross-region AWS PrivateLink + +AWS PrivateLink now supports cross-region connectivity, allowing clients in different AWS regions to connect to your Redpanda cluster through PrivateLink. Configure supported regions in the xref:networking:configure-privatelink-in-cloud-ui.adoc#cross-region-privatelink[Cloud UI] or using the xref:networking:aws-privatelink.adoc#cross-region-privatelink[Cloud API] to specify which regions can establish PrivateLink connections. This feature requires multi-AZ cluster deployments. + == January 2026 === Redpanda Connect updates diff --git a/modules/manage/pages/terraform-provider.adoc b/modules/manage/pages/terraform-provider.adoc index 9f7b9c42..4944d093 100644 --- a/modules/manage/pages/terraform-provider.adoc +++ b/modules/manage/pages/terraform-provider.adoc @@ -355,6 +355,7 @@ resource "redpanda_cluster" "test" { enabled = true connect_console = true allowed_principals = ["arn:aws:iam::123456789024:root"] + supported_regions = ["us-east-1", "us-west-2"] # Optional: Enable cross-region PrivateLink } tags = { "environment" = "dev" 
diff --git a/modules/networking/pages/aws-privatelink.adoc b/modules/networking/pages/aws-privatelink.adoc index 039dfc58..8e12f495 100644 --- a/modules/networking/pages/aws-privatelink.adoc +++ b/modules/networking/pages/aws-privatelink.adoc @@ -19,10 +19,10 @@ Consider using the PrivateLink endpoint service if you have multiple VPCs and co After <>, you can <>, or you can <>. -== Requirements +== Prerequisites * Install `rpk`. -* Your Redpanda cluster and <> must be in the same region. +* Your Redpanda cluster and <> must be in the same region, unless you configure <>. * In this guide, you use the link:/api/doc/cloud-controlplane/topic/topic-cloud-api-overview[Redpanda Cloud API] to enable the Redpanda endpoint service for your clusters. Follow the steps below to <>. * Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI^] to create a new client VPC or modify an existing one to use the PrivateLink endpoint. @@ -93,6 +93,7 @@ In the example below, make sure to set your own values for the following fields: - `name` - `connect_console`: Whether to enable connections to Redpanda Console (boolean) - `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. +- `supported_regions`: (Optional) List of AWS regions from which PrivateLink endpoints can connect to Redpanda. Required only for <>. For example, `["us-east-1", "us-west-2"]`. -- + [,bash] @@ -112,7 +113,8 @@ CLUSTER_POST_BODY=`cat << EOF "aws_private_link": { "enabled": true, "connect_console": true, - "allowed_principals": ["",""] + "allowed_principals": ["",""], + "supported_regions": ["",""] } } } 
@@ -158,6 +160,7 @@ In the example below, make sure to set your own value for the following field: -- - `connect_console`: Whether to enable connections to Redpanda Console (boolean) - `allowed_principals`: Amazon Resource Names (ARNs) for the AWS principals allowed to access the endpoint service. For example, for all principals in an account, use `"arn:aws:iam::account_id:root"`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[Configure an endpoint service^] for details. +- `supported_regions`: (Optional) List of AWS regions from which PrivateLink endpoints can connect to Redpanda. Required only for <>. For example, `["us-east-1", "us-west-2"]`. -- + [,bash] @@ -167,7 +170,8 @@ CLUSTER_PATCH_BODY=`cat << EOF "aws_private_link": { "enabled": true, "connect_console": true, - "allowed_principals": ["",""] + "allowed_principals": ["",""], + "supported_regions": ["",""] } } EOF` @@ -234,7 +238,7 @@ xref:networking:byoc/aws/vpc-peering-aws.adoc[VPC peering] and PrivateLink will VPC peering and PrivateLink can both be used at the same time if Kafka clients are connecting from distinct VPCs. For example, in a private Redpanda cluster, you can connect your internal Kafka clients over VPC peering, and enable PrivateLink for external services. ==== -The VPC region must be the same region where the Redpanda cluster is deployed. To create the VPC, run: +The client VPC must be in the same region as your Redpanda cluster, unless you have configured <>. To create the VPC, run: [,bash] ---- 
@@ -346,6 +350,61 @@ After you have enabled PrivateLink for your cluster, your connection URLs are av include::networking:partial$private-links-access-rp-services-through-vpc.adoc[] +== Cross-region PrivateLink + +By default, AWS PrivateLink only allows connections from VPCs in the same region as the endpoint service. Cross-region PrivateLink enables clients in different AWS regions to connect to your Redpanda cluster through PrivateLink. + +For more information about AWS cross-region PrivateLink support, see the https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html#endpoint-service-cross-region[AWS documentation^]. + +=== Requirements + +* The Redpanda cluster must be deployed across multiple availability zones (multi-AZ). This is an AWS limitation for cross-region PrivateLink. +* Cross-region PrivateLink is configured through the `supported_regions` field in the `aws_private_link` configuration. This field only appears in the API response for multi-AZ clusters. +* For BYOC clusters, the Redpanda agent IAM role must have `vpce:AllowMultiRegion` and `elasticloadbalancing:DescribeListenerAttributes` permissions. + +=== Configure cross-region PrivateLink + +To enable cross-region PrivateLink, add the `supported_regions` field to your `aws_private_link` configuration when <> or <>. + +The `supported_regions` field accepts a list of AWS region identifiers where you want to allow PrivateLink connections from. For example: + +[,json] +---- +"aws_private_link": { + "enabled": true, + "connect_console": true, + "allowed_principals": ["arn:aws:iam::123456789012:root"], + "supported_regions": ["us-east-1", "us-west-2", "eu-west-1"] +} +---- + +With this configuration, clients in VPCs located in `us-east-1`, `us-west-2`, and `eu-west-1` can create PrivateLink endpoints that connect to your Redpanda cluster, regardless of which region the cluster is deployed in. 
+ +=== Create a cross-region VPC endpoint + +When creating a VPC endpoint in a different region than your Redpanda cluster, use the same process as <>, but specify both the client VPC's region and the service region where your Redpanda cluster is deployed. + +NOTE: The `--service-region` option requires AWS CLI version 2.22.0 or later. Run `aws --version` to check your version and https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html[update if necessary^]. + +[,bash] +---- +# CLIENT_REGION is the region where your client VPC is located +# SERVICE_REGION is the region where your Redpanda cluster is deployed +CLIENT_REGION= +SERVICE_REGION= + +aws ec2 create-vpc-endpoint \ + --region $CLIENT_REGION --profile $PROFILE \ + --service-region $SERVICE_REGION \ + --vpc-id $CLIENT_VPC_ID \ + --vpc-endpoint-type "Interface" \ + --ip-address-type "ipv4" \ + --service-name $PL_SERVICE_NAME \ + --subnet-ids $SUBNET_ID \ + --security-group-ids $SECURITY_GROUP_ID \ + --private-dns-enabled +---- + == Test the connection You can test the PrivateLink connection from any VM or container in the consumer VPC. If configuring a client isn't possible right away, you can do these checks using `rpk` or cURL: diff --git a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc index 873b5fc5..73301d67 100644 --- a/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc +++ b/modules/networking/pages/configure-privatelink-in-cloud-ui.adoc 
@@ -18,7 +18,7 @@ Consider using the endpoint service if you have multiple VPCs and could benefit == Requirements -* Your Redpanda cluster and VPC must be in the same region. +* Your Redpanda cluster and VPC must be in the same region, unless you configure <>. * Use the https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html[AWS CLI] to create a new client VPC or modify an existing one to use the PrivateLink endpoint. TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds. 
@@ -31,8 +31,9 @@ include::networking:partial$dns_resolution.adoc[] . In the Redpanda Cloud Console, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page. . For AWS PrivateLink, click *Enable*. -. On the Enable PrivateLink page, for Allowed principal ARNs, click *Add*, and enter the Amazon Resource Names (ARNs) for each AWS principal allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam:::root`. See the AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details. -. Click *Add* after entering each ARN, and when finished, click *Enable*. +. On the Enable PrivateLink page, for Allowed principal ARNs, click *Add*, and enter the Amazon Resource Names (ARNs) for each AWS principal allowed to access the endpoint service. For example, for all principals in a specific account, use `arn:aws:iam:::root`. See the AWS documentation on https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permission[configuring an endpoint service^] for details. +. Click *Add* after entering each ARN, and when finished, click *Enable*. +. (Optional) To enable cross-region PrivateLink, add supported regions. See <>. . It may take several minutes for your cluster to update. When the update is complete, the AWS PrivateLink status on the Cluster settings page changes from *In progress* to *Enabled*. NOTE: For help with issues when enabling PrivateLink, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^]. 
@@ -49,6 +50,31 @@ You can test the connection to the endpoint service from any VM or container in include::networking:partial$private-links-test-connection.adoc[] +== Cross-region PrivateLink + +By default, AWS PrivateLink only allows connections from VPCs in the same region as the endpoint service. Cross-region PrivateLink enables clients in different AWS regions to connect to your Redpanda cluster through PrivateLink. + +For more information about AWS cross-region PrivateLink support, see the https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html#endpoint-service-cross-region[AWS documentation^]. + +=== Prerequisites + +* The Redpanda cluster must be deployed across multiple availability zones (multi-AZ). This is an AWS limitation for cross-region PrivateLink. + +=== Configure supported regions + +NOTE: The *Supported regions* option only appears in the UI for multi-AZ clusters. + +. In the Redpanda Cloud UI, select your https://cloud.redpanda.com/clusters[cluster^], and go to the cluster settings page. +. In the AWS PrivateLink section, click *Edit* (or *Enable* if PrivateLink is not yet enabled). +. In the *Supported regions* section, click *Add* to add a region from which PrivateLink endpoints can connect to your cluster. +. Select an AWS region from the dropdown. The cluster's home region is automatically included and not shown in the list. +. Repeat to add additional regions as needed. +. Click *Save* (or *Enable*) to apply the changes. + +After saving, the *Supported regions* row on the cluster settings page displays your configured regions. + +Clients in VPCs located in the supported regions can now create PrivateLink endpoints that connect to your Redpanda cluster. + == Disable endpoint service On the Cluster settings page for the cluster, click *Disable* for PrivateLink. Existing connections are closed after the AWS PrivateLink service is disabled. To connect using PrivateLink again, you must re-enable the service.
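Review bot: in the whats-new-cloud.adoc hunk, the two xrefs `aws-privatelink.adoc#cross-region-privatelink` and `configure-privatelink-in-cloud-ui.adoc#cross-region-privatelink` rely on the auto-generated ID of the new `== Cross-region PrivateLink` headings added later in this patch; neither heading declares an explicit anchor. Put `[[cross-region-privatelink]]` above both headings so the links do not silently break the first time someone reworks the heading text. The closing sentence ("This feature requires multi-AZ cluster deployments.") would also read better if it said this is an AWS limitation, as the Requirements bullet on the aws-privatelink page does.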
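Review bot: in the terraform-provider.adoc hunk, the new `supported_regions = ["us-east-1", "us-west-2"] # Optional: Enable cross-region PrivateLink` line gives no hint that the attribute is only valid on multi-AZ clusters, which the rest of this patch states repeatedly, and nothing in the visible `redpanda_cluster` lines shows the zone layout. Suggest extending the comment to "# Optional: cross-region PrivateLink, multi-AZ clusters only" and adding a sentence near the example saying what the provider reports when the attribute is set on a single-AZ cluster, so a plan/apply failure there is not a surprise.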
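Review bot: in the aws-privatelink.adoc `@@ -19,10 +19,10 @@` hunk, renaming `== Requirements` to `== Prerequisites` changes the section's auto-generated ID from `#requirements` to `#prerequisites`, so any existing link to the old anchor breaks; the companion configure-privatelink-in-cloud-ui.adoc page in this same patch keeps `== Requirements`, and the new cross-region subsections use `=== Requirements` on the API page but `=== Prerequisites` on the UI page. Either keep the original heading, or add `[[requirements]]` as a legacy anchor and use one term consistently across both pages.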
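Review bot: in the aws-privatelink.adoc `@@ -93,6 +93,7 @@` hunk, the description "List of AWS regions from which PrivateLink endpoints can connect to Redpanda" should make clear that `supported_regions` only widens where an endpoint may be created; `allowed_principals`, described in the bullet just above, is still what decides which AWS accounts or roles may connect. A reader could otherwise take a region list as an access control. The same sentence should also say whether the cluster's own region must be listed or is implicit, since the UI page later in this patch says the home region "is automatically included".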
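Review bot: in the aws-privatelink.adoc `@@ -112,7 +113,8 @@` hunk, `"supported_regions": ["",""]` is placed unconditionally in the `CLUSTER_POST_BODY` template even though the field is documented as optional and, per the new Requirements bullets, only applies to multi-AZ clusters. Someone following the template for a single-AZ cluster will send two empty strings. Add a comment line such as `# Remove supported_regions unless you are enabling cross-region PrivateLink` above the template, or state in the field list that the line must be deleted when not used.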
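Review bot: in the aws-privatelink.adoc `@@ -167,7 +170,8 @@` hunk, the `CLUSTER_PATCH_BODY` template needs the PATCH semantics for `supported_regions` spelled out: whether omitting the field leaves the current list unchanged, whether sending `[]` removes all cross-region access, and what happens to VPC endpoints already established in a region that is dropped from the list. The preceding `@@ -158,6` hunk's intro line "make sure to set your own value for the following field" is also still singular while the list now carries three fields.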
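Review bot: in the aws-privatelink.adoc `@@ -234,7 +238,7 @@` hunk, the new sentence "The client VPC must be in the same region as your Redpanda cluster, unless you have configured <>" sits directly above the "To create the VPC, run:" commands, but nothing tells a cross-region reader that the VPC, subnets and security group must then be created in the client region. The `create-vpc-endpoint` snippet added later in this patch passes `--region $CLIENT_REGION` together with `$CLIENT_VPC_ID`, `$SUBNET_ID` and `$SECURITY_GROUP_ID`, which only works if those resources were created there. Add a line here saying to run the VPC-creation commands with the client region.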
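Review bot: in the aws-privatelink.adoc `@@ -346,6 +350,61 @@` hunk, "clients in VPCs located in `us-east-1`, `us-west-2`, and `eu-west-1` can create PrivateLink endpoints ... regardless of which region the cluster is deployed in" leaves open whether the home region has to appear in `supported_regions`; the UI page in this patch says it is automatically included and hidden from the picker, and the two pages should say the same thing. Two smaller points in the same hunk: the BYOC bullet naming `vpce:AllowMultiRegion` and `elasticloadbalancing:DescribeListenerAttributes` should link to where the agent IAM role policy is documented and say whether an existing BYOC cluster needs its role updated before enabling; and the bullet "This field only appears in the API response for multi-AZ clusters" should also state what the API returns when the field is sent for a single-AZ cluster.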
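Review bot: in the configure-privatelink-in-cloud-ui.adoc `@@ -31,8 +31,9 @@` hunk, the first two `-`/`+` pairs are whitespace-only changes (the text of "On the Enable PrivateLink page, ..." and "Click *Add* after entering each ARN, ..." is identical on both sides) and should be dropped from the patch. The new step "(Optional) To enable cross-region PrivateLink, add supported regions. See <>." is sequenced after "when finished, click *Enable*", but the Configure supported regions procedure added below says regions can be added on the Enable page itself ("click *Edit* (or *Enable* if PrivateLink is not yet enabled)"); move the optional step before the Enable click, or say it can be done at either point.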
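Review bot: in the configure-privatelink-in-cloud-ui.adoc `@@ -49,6 +50,31 @@` hunk, the new section explains adding regions but not removing one: the Disable endpoint service section below states that "Existing connections are closed after the AWS PrivateLink service is disabled", and readers will want the equivalent statement for a region deleted from *Supported regions*, since any endpoints already created there are the thing at stake. Wording is also inconsistent with the earlier procedure on this page: "In the Redpanda Cloud UI ... go to the cluster settings page" versus "In the Redpanda Cloud Console ... go to the *Cluster settings* page" in step 1 above.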