DOC-1435 Add gcloud commands for firewall rules for PSC consumer

[micheleRP]

Description

This pull request updates the documentation for configuring GCP Private Service Connect.

Step-by-Step Setup Enhancements:

• Expanded the consumer-side setup instructions to include explicit steps for creating PSC IP addresses, forwarding rules, and egress firewall rules, with corresponding gcloud CLI commands.
• Updated the DNS configuration steps to provide detailed gcloud commands for creating private DNS zones and wildcard DNS records, improving reproducibility.

Firewall and Resource Naming:

• Updated firewall rule creation commands to use more descriptive names (e.g., redpanda-psc-ingress and redpanda-psc-egress) and clarified which networks and resources are involved.

Placeholder and Variable Naming:

• Clarified placeholder descriptions, ensuring users understand which values to substitute, especially regarding VPC network names.

Terminology and Clarity:

• Standardized terminology throughout the guide, replacing references to "VPC" with "VPC network" and "endpoint service" with "Private Service Connect" or "service attachment" for greater accuracy and clarity.
• Clarified that each consumer VPC network can have one PSC endpoint connected to the Redpanda service attachment, and updated requirements to specify "consumer VPC network" and related resources.
• Replaced or removed duplicated partials (such as psc-api2.adoc), consolidating disable instructions and ensuring all guides point to the correct, updated partials. [1] [2] [3]
• Corrected parameter naming in API example payloads for accuracy (e.g., consumer_accept_list).

Resolves https://redpandadata.atlassian.net/browse/DOC-1435
Resolves https://redpandadata.atlassian.net/browse/DOC-1136
Resolves https://redpandadata.atlassian.net/browse/DOC-1489
Review deadline:

Page previews

Configure PSC with UI: BYOC
Configure PSC with API:BYOC
Configure PSC with UI: Dedicated
Configure PSC with API: Dedicated

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	638e86f
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/6895069236122600086f3737
😎 Deploy Preview	https://deploy-preview-377--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

This set of changes primarily restructures and expands documentation related to Iceberg catalog integrations and GCP Private Service Connect (PSC) in Redpanda Cloud. The "Iceberg" documentation navigation is reorganized to introduce a REST catalog grouping, with new pages for AWS Glue, Databricks Unity Catalog, and Snowflake/Open Catalog, and corresponding navigation updates. Several networking documentation files are extensively revised to provide detailed, step-by-step instructions for configuring PSC via both UI and API, clarify terminology, update placeholders and command examples, and add new sections on disabling PSC. Some redundant or outdated partial documentation files are removed or consolidated.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Redpanda Cloud UI
    participant GCP (gcloud CLI)
    participant Redpanda Cluster

    User->>Redpanda Cloud UI: Initiate PSC configuration
    Redpanda Cloud UI->>User: Provide Service Attachment and DNS info
    User->>GCP (gcloud CLI): Create PSC IP, forwarding rule, firewall (EGRESS)
    User->>GCP (gcloud CLI): Create private DNS zone and record
    User->>Redpanda Cloud UI: Update accepted consumer projects
    Redpanda Cloud UI->>Redpanda Cluster: Enable PSC
    Note over User,Redpanda Cluster: User can now access Redpanda via PSC endpoint

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15–25 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Add gcloud commands for creating firewall rules for PSC consumer (DOC-1435)	✅
Consolidate and clarify documentation for creating consumer-side resources for PSC (DOC-1136)	✅
Update instructions to consistently use correct variable/placeholder names and clarify DNS/forwarding rule steps	✅
Remove deprecated/redundant instructions and consolidate partials as per requirements (DOC-1435, DOC-1136)	✅

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Iceberg catalog navigation restructuring and new AWS Glue docs (modules/ROOT/nav.adoc, modules/manage/pages/iceberg/iceberg-topics-aws-glue.adoc, modules/manage/pages/iceberg/rest-catalog/index.adoc, modules/get-started/pages/whats-new-cloud.adoc)	These changes relate to Iceberg catalog documentation, not to PSC or consumer-side networking objectives.
Reference tags update for cluster properties (modules/reference/pages/properties/cluster-properties.adoc)	This update is unrelated to PSC or consumer-side resource documentation.

Possibly related PRs

• Add Glue doc to Cloud #363: Directly related as it modifies the same Iceberg navigation and documentation structure.
• Add Iceberg Snowflake doc to Cloud #302: Related through Iceberg catalog documentation changes, though with a different scope and structure.
• Fix heading for AWS Glue entry #380: Related by touching AWS Glue documentation, though focused on a different aspect (heading level).

Suggested reviewers

• paulzhang97

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch DOC-1435-Add-gcloud-commands-for-creating-firewall-rules-for-PSC-consumer

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[paulzhang97]

At https://deploy-preview-377--rp-cloud.netlify.app/redpanda-cloud/networking/gcp-private-service-connect/#enable-private-service-connect-on-an-existing-byoc-or-byovpc-cluster, Step 3 (Make a request to the PATCH /v1/clusters/{cluster.id} endpoint to update the cluster....) is only applicable to BYOVPC, how about change it to Step 3. **For a BYOVPC cluster only**, make a request to ......?

The rest LGTM. Thank you @micheleRP

[micheleRP]

At https://deploy-preview-377--rp-cloud.netlify.app/redpanda-cloud/networking/gcp-private-service-connect/#enable-private-service-connect-on-an-existing-byoc-or-byovpc-cluster, Step 3 (Make a request to the PATCH /v1/clusters/{cluster.id} endpoint to update the cluster....) is only applicable to BYOVPC, how about change it to Step 3. **For a BYOVPC cluster only**, make a request to ......?

The rest LGTM. Thank you @micheleRP

Thanks @paulzhang97! I moved this into the BYOVPC section: https://deploy-preview-377--rp-cloud.netlify.app/redpanda-cloud/networking/gcp-private-service-connect/#enable-private-service-connect-on-an-existing-byoc-or-byovpc-cluster

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (2)

modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc (1)

80-84: Trailing comma breaks JSON in CLUSTER_POST_BODY
The comma after the closing brace of "gcp_private_service_connect" makes the example invalid JSON because no further fields follow.

-        "consumer_accept_list": <consumer-accept-list>
-    },
+        "consumer_accept_list": <consumer-accept-list>
+    }

modules/networking/pages/gcp-private-service-connect.adoc (1)

131-139: Trailing comma inside customer_managed_resources.gcp block
"tiered_storage_bucket" is the last key in the object but is followed by a comma, rendering the JSON invalid.

-            "tiered_storage_bucket": { "name" : "<byovpc-tiered-storage-bucket>" },
+            "tiered_storage_bucket": { "name" : "<byovpc-tiered-storage-bucket>" }

🧹 Nitpick comments (4)

modules/manage/pages/iceberg/rest-catalog/index.adoc (1)

1-3: Index page is empty – readers get no guidance.

The file defines only metadata. Consider adding a short introductory paragraph (even two‐three sentences) that explains what a “REST Catalog” is and links out to the child pages. This prevents a blank page or an abrupt jump in navigation.

modules/networking/partials/psc-api.adoc (1)

24-26: Add region-scope requirement for consumer VPC
The UI-based guide explicitly states that the consumer VPC network must be in the same region as the cluster, but this prerequisite is missing here. Readers following only the API guide may overlook the limitation and create endpoints in the wrong region.

modules/networking/pages/gcp-private-service-connect.adoc (1)

25-30: Minor formatting glitch in subnet command
The back-slash after --range=<psc-nat-subnet-range> is preceded by no whitespace, which can cause AsciiDoc rendering issues in some themes.

-    --range=<psc-nat-subnet-range>\
+    --range=<psc-nat-subnet-range> \

modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc (1)

8-10: Avoid hard-coding time-sensitive wording
“(available March, 2025)” will age quickly and require future edits. Prefer a relative phrasing such as “introduced in March 2025” or omit the date entirely.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ae820b5 and ba18788.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (12)

• modules/ROOT/nav.adoc (1 hunks)
• modules/get-started/pages/whats-new-cloud.adoc (1 hunks)
• modules/manage/pages/iceberg/iceberg-topics-aws-glue.adoc (1 hunks)
• modules/manage/pages/iceberg/rest-catalog/index.adoc (1 hunks)
• modules/networking/pages/configure-private-service-connect-in-cloud-ui.adoc (1 hunks)
• modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc (6 hunks)
• modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc (1 hunks)
• modules/networking/pages/gcp-private-service-connect.adoc (11 hunks)
• modules/networking/partials/psc-api.adoc (1 hunks)
• modules/networking/partials/psc-api2.adoc (0 hunks)
• modules/networking/partials/psc-ui.adoc (1 hunks)
• modules/reference/pages/properties/cluster-properties.adoc (1 hunks)

💤 Files with no reviewable changes (1)

• modules/networking/partials/psc-api2.adoc

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#361
File: modules/networking/pages/cloud-security-network.adoc:193-196
Timestamp: 2025-07-21T21:53:37.731Z
Learning: In Redpanda Cloud documentation, field names and labels should match exactly what appears in the UI, even if the terminology might seem technically inconsistent. For example, the NAT gateway IP address field is labeled "Internet gateway" in the UI, so documentation should use "Internet gateway" to help users locate the correct field.

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#361
File: modules/networking/pages/cloud-security-network.adoc:176-179
Timestamp: 2025-07-21T21:52:17.061Z
Learning: In Redpanda Cloud documentation, BYOVPC and BYOVNet are different product names for different cloud providers: BYOVPC is used for AWS and GCP, while BYOVNet is used for Azure. When documentation sections cover multiple cloud providers, the combined notation "BYOVPC/BYOVNet" is correct and should not be changed to use only one term.

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#267
File: modules/manage/pages/maintenance.adoc:91-92
Timestamp: 2025-04-25T01:41:57.162Z
Learning: The notification timeline for Redpanda Cloud deprecations has been deliberately removed from the documentation, even though the PR summary mentioned a 180-day advance notice period.

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#267
File: modules/manage/pages/maintenance.adoc:63-64
Timestamp: 2025-04-25T01:42:09.318Z
Learning: The timeline for major upgrade notifications (180 days in advance) was intentionally removed from the Redpanda Cloud maintenance documentation, even though it was mentioned in the PR objectives.

Learnt from: asimms41
PR: redpanda-data/cloud-docs#291
File: modules/develop/pages/connect/components/processors/google_drive_download.adoc:1-1
Timestamp: 2025-05-13T13:20:39.044Z
Learning: In Redpanda Cloud documentation, component titles (particularly processors) follow a standard naming convention that uses underscores (like "google_drive_download") rather than human-readable titles. This convention should be maintained for consistency across all component documentation.

📚 Learning: in redpanda cloud documentation, field names and labels should match exactly what appears in the ui,...

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#361
File: modules/networking/pages/cloud-security-network.adoc:193-196
Timestamp: 2025-07-21T21:53:37.731Z
Learning: In Redpanda Cloud documentation, field names and labels should match exactly what appears in the UI, even if the terminology might seem technically inconsistent. For example, the NAT gateway IP address field is labeled "Internet gateway" in the UI, so documentation should use "Internet gateway" to help users locate the correct field.

Applied to files:

• modules/networking/pages/gcp-private-service-connect.adoc
• modules/networking/pages/configure-private-service-connect-in-cloud-ui.adoc
• modules/networking/partials/psc-ui.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc
• modules/get-started/pages/whats-new-cloud.adoc
• modules/networking/partials/psc-api.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc

📚 Learning: in redpanda cloud documentation, byovpc and byovnet are different product names for different cloud ...

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#361
File: modules/networking/pages/cloud-security-network.adoc:176-179
Timestamp: 2025-07-21T21:52:17.061Z
Learning: In Redpanda Cloud documentation, BYOVPC and BYOVNet are different product names for different cloud providers: BYOVPC is used for AWS and GCP, while BYOVNet is used for Azure. When documentation sections cover multiple cloud providers, the combined notation "BYOVPC/BYOVNet" is correct and should not be changed to use only one term.

Applied to files:

• modules/networking/pages/gcp-private-service-connect.adoc
• modules/networking/pages/configure-private-service-connect-in-cloud-ui.adoc
• modules/networking/partials/psc-ui.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc
• modules/networking/partials/psc-api.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc

📚 Learning: in the redpanda cloud documentation system, cross-reference anchors using the format `#patch-/v1/clu...

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#334
File: modules/networking/partials/psc-api2.adoc:15-16
Timestamp: 2025-06-18T21:02:38.074Z
Learning: In the Redpanda Cloud documentation system, cross-reference anchors using the format `#patch-/v1/clusters/-cluster.id-` work correctly for referencing API endpoints, even with dashes instead of curly braces around parameter names.

Applied to files:

• modules/networking/pages/gcp-private-service-connect.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc
• modules/networking/partials/psc-api.adoc

📚 Learning: in redpanda cloud documentation, component titles (particularly processors) follow a standard naming...

Learnt from: asimms41
PR: redpanda-data/cloud-docs#291
File: modules/develop/pages/connect/components/processors/google_drive_download.adoc:1-1
Timestamp: 2025-05-13T13:20:39.044Z
Learning: In Redpanda Cloud documentation, component titles (particularly processors) follow a standard naming convention that uses underscores (like "google_drive_download") rather than human-readable titles. This convention should be maintained for consistency across all component documentation.

Applied to files:

• modules/networking/pages/gcp-private-service-connect.adoc
• modules/networking/partials/psc-api.adoc

📚 Learning: user david-yu indicated that the standard azure zones format using plain numbers like "1", "2", "3" ...

Learnt from: david-yu
PR: redpanda-data/cloud-docs#338
File: modules/get-started/pages/cluster-types/byoc/azure/vnet-azure.adoc:74-75
Timestamp: 2025-06-24T03:31:29.345Z
Learning: User david-yu indicated that the standard Azure zones format using plain numbers like "1", "2", "3" is not valid for their specific Azure BYOVNet setup, suggesting there may be specific tooling or API requirements that expect region-prefixed zone names like "centralus-az1".

Applied to files:

• modules/networking/pages/gcp-private-service-connect.adoc

📚 Learning: the notification timeline for redpanda cloud deprecations has been deliberately removed from the doc...

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#267
File: modules/manage/pages/maintenance.adoc:91-92
Timestamp: 2025-04-25T01:41:57.162Z
Learning: The notification timeline for Redpanda Cloud deprecations has been deliberately removed from the documentation, even though the PR summary mentioned a 180-day advance notice period.

Applied to files:

• modules/networking/pages/configure-private-service-connect-in-cloud-ui.adoc
• modules/networking/partials/psc-ui.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc
• modules/get-started/pages/whats-new-cloud.adoc
• modules/networking/partials/psc-api.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc

📚 Learning: the timeline for major upgrade notifications (180 days in advance) was intentionally removed from th...

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#267
File: modules/manage/pages/maintenance.adoc:63-64
Timestamp: 2025-04-25T01:42:09.318Z
Learning: The timeline for major upgrade notifications (180 days in advance) was intentionally removed from the Redpanda Cloud maintenance documentation, even though it was mentioned in the PR objectives.

Applied to files:

• modules/networking/partials/psc-ui.adoc
• modules/get-started/pages/whats-new-cloud.adoc
• modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc

📚 Learning: in the redpanda cloud documentation system using asciidoctor, glossary cross-references with spaces ...

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#350
File: modules/get-started/pages/cloud-overview.adoc:55-56
Timestamp: 2025-07-16T21:11:59.964Z
Learning: In the Redpanda Cloud documentation system using Asciidoctor, glossary cross-references with spaces in the ID (like `glossterm:data plane[]`) work correctly and do not need to be changed to hyphenated forms. The existing syntax is functional and should not be modified.

Applied to files:

• modules/get-started/pages/whats-new-cloud.adoc
• modules/networking/partials/psc-api.adoc

📚 Learning: in the redpanda cloud documentation system using asciidoctor, glossary cross-references with leading...

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#370
File: modules/security/pages/cloud-authentication.adoc:74-76
Timestamp: 2025-08-01T16:53:12.919Z
Learning: In the Redpanda Cloud documentation system using Asciidoctor, glossary cross-references with leading commas in the attribute list (like `glossterm:ACL[,access control lists (ACLs)]`) work correctly and should not be modified. The leading comma syntax is intentional and functional.

Applied to files:

• modules/networking/partials/psc-api.adoc

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Redirect rules - rp-cloud
• GitHub Check: Header rules - rp-cloud
• GitHub Check: Pages changed - rp-cloud

🔇 Additional comments (7)

modules/reference/pages/properties/cluster-properties.adoc (1)

11-11: Confirm that property tag rename is reflected everywhere.

iceberg_rest_catalog_prefix was replaced by iceberg_rest_catalog_warehouse. Please double-check that:

1. The corresponding property name in the product was really renamed.
2. All existing docs, examples, and configuration snippets were updated accordingly.

A stale tag here will break Antora’s include processing and surface as broken references.

modules/get-started/pages/whats-new-cloud.adoc (1)

10-17: Nice concise announcement.

The new “Iceberg topics with AWS Glue” entry reads clearly, links correctly, and matches naming conventions. No issues spotted.

modules/ROOT/nav.adoc (1)

418-422: Navigation update looks consistent.

The new rest-catalog subsection and child entries are wired correctly and alphabetically placed. Good job keeping the nav coherent.

modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc (1)

143-162: Disable section LGTM – clear, syntactically correct example and mirrors the enable flow.

modules/networking/partials/psc-ui.adoc (2)

14-15: Verify --addresses flag usage
gcloud compute addresses create usually requires either no --addresses (auto-assign) or --addresses=<IP> only for internal reserved addresses. Please confirm this flag combination is accepted for your scenario.

---

28-34: Port list inconsistency (30081 vs 30181)
Ingress rules elsewhere use 30181, whereas the egress rule here lists 30081. Double-check which port is correct for consumer access to HTTP Proxy to avoid unreachable service.

modules/networking/pages/configure-private-service-connect-in-cloud-ui.adoc (1)

53-61: Ingress rule looks good and matches producer-side spec – naming, ranges, and CIDR sources are consistent with prior conventions.

[david-yu]

LGTM

[paulohtb6]

are these fixed? if no, we should add them as replaceable snippet and provide these values as an example.