redpanda-data · micheleRP · Aug 7, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 5, 2025
@@ -3,4 +3,78 @@
 :page-aliases: deploy:deployment-option/cloud/configure-private-service-connect-in-cloud-ui.adoc
 :env-byoc: true
 
-include::networking:partial$psc-ui.adoc[]
+[NOTE]
+====
+
+* This guide is for configuring GCP Private Service Connect using the Redpanda Cloud UI. To configure and manage Private Service Connect on an existing cluster with *public* networking, you must use the xref:networking:gcp-private-service-connect.adoc[Cloud API for BYOC] or the xref:networking:dedicated/gcp/configure-psc-in-api.adoc[Cloud API for Dedicated].
+* The latest version of Redpanda GCP Private Service Connect (available March, 2025) supports AZ affinity. This allows requests from Private Service Connect endpoints to stay within the same availability zone, avoiding additional networking costs. 
+* DEPRECATION: The original Redpanda GCP Private Service Connect is deprecated and will be removed in a future release. For more information, see xref:manage:maintenance.adoc#deprecated-features[Deprecated features].
+==== 
+
+
+The Redpanda GCP Private Service Connect service provides secure access to Redpanda Cloud from your own VPC network. Traffic over Private Service Connect does not go through the public internet because these connections are treated as their own private GCP service. While your VPC network has access to the Redpanda VPC network, Redpanda cannot access your VPC network.
+
+Consider using Private Service Connect if you have multiple VPC networks and could benefit from a more simplified approach to network management.
+
+[NOTE]
+====
+* Each consumer VPC network can have one Private Service Connect endpoint connected to the Redpanda service attachment.
+* Private Service Connect allows overlapping xref:networking:cidr-ranges.adoc[CIDR ranges] in VPC networks.
+* The number of connections is limited only by your Redpanda usage tier. Private Service Connect does not add extra connection limits. 
+* You control from which GCP projects connections are allowed.
+====
+
+== Requirements
+
+* Use the https://cloud.google.com/sdk/docs/install[gcloud^] command-line interface (CLI) to create the consumer-side resources, such as a consumer VPC network and forwarding rule, or to modify existing resources to use the Private Service Connect service attachment created for your cluster.
+* The consumer VPC network must be in the same region as your Redpanda cluster.
+
+== Enable Private Service Connect for existing clusters
+
+. In the Redpanda Cloud UI, open your https://cloud.redpanda.com/clusters[cluster^], and click **Cluster settings**.
+. Under Private Service Connect, click **Enable**. 
+ifdef::env-byoc[]
+. For xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters], you need a PSC subnet with `purpose` set to `PRIVATE_SERVICE_CONNECT`. You also need to create VPC network firewall rules to allow Private Service Connect traffic. You can use the `gcloud` CLI:
++
+NOTE: The firewall rules support up to 20 Redpanda brokers. If you have more than 20 brokers, or for help enabling Private Service Connect, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^].
++
+[source,bash]
+----
+gcloud compute networks subnets create <subnet-name> \
+    --project=<host-project-id> \
+    --network=<shared-vpc-name> \
+    --region=<region> \
+    --range=<subnet-range> \
+    --purpose=PRIVATE_SERVICE_CONNECT
+----
++
+[source,bash]
+----
+gcloud compute firewall-rules create redpanda-psc-ingress \
+  --description="Allow access to Redpanda PSC endpoints" \
+  --network="<shared-vpc-name>" \
+  --project="<host-project-id>" \
+  --direction="INGRESS" \
+  --target-tags="redpanda-node" \
+  --source-ranges="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10" \
+  --allow="tcp:30181,tcp:30282,tcp:30292,tcp:31004,tcp:31082-31101,tcp:31182-31201,tcp:31282-31301,tcp:32092-32111,tcp:32192-32211,tcp:32292-32311"
+----
++
+Provide your values for the following placeholders:
++
+- `<subnet-name>`: The name of the PSC subnet.
+- `<host-project-id>`: The host GCP project ID.
+- `<shared-vpc-name>`: The name of the VPC network being used for your Redpanda Cloud cluster.
+- `<region>`: The region of the Redpanda Cloud cluster.
+- `<subnet-range>`: The CIDR range of the subnet. The mask should be at least `/29`. Each Private Service Connect connection takes up one IP address from the PSC subnet, so the CIDR must be able to accommodate all projects from which connections to the service attachment will be issued.
++
+See the GCP documentation for https://cloud.google.com/vpc/docs/configure-private-service-connect-producer#add-subnet-psc[creating a subnet for Private Service Connect^]. 
+endif::[]
+. For the accepted consumers list, you need the GCP project IDs from which incoming connections will be accepted.
+. It may take several minutes for your cluster to update. When the update is complete, the Private Service Connect status in **Cluster settings** changes from **In progress** to **Enabled**.
+
+include::networking:partial$psc-ui.adoc[]
+
+== Disable Private Service Connect
+
+In **Cluster settings**, click **Disable**. Existing connections are closed after it is disabled. To connect using Private Service Connect again, you must re-enable it.
@@ -133,7 +133,7 @@ CLUSTER_PATCH_BODY=`cat << EOF
 {
     "gcp_private_service_connect": {
         "enabled": true,
-         "consumer_accept_list": <accept-list>
+         "consumer_accept_list": <consumer-accept-list>
     }
 }
 EOF`
@@ -155,4 +155,23 @@ gcloud compute service-attachments list --project '<service-project-id>'
 ----
 
 
-include::networking:partial$psc-api2.adoc[]
+include::networking:partial$psc-ui.adoc[]
+
+== Disable Private Service Connect
+
+Make a xref:api:ROOT:cloud-controlplane-api.adoc#patch-/v1/clusters/-cluster.id-[`PATCH /v1/clusters/{cluster.id}`] request to update the cluster to disable Private Service Connect.
+
+[,bash]
+----
+CLUSTER_PATCH_BODY=`cat << EOF
+{
+    "gcp_private_service_connect": {
+        "enabled": false
+    }
+}
+EOF`
+curl -v -X PATCH \
+-H "Content-Type: application/json" \
+-H "Authorization: Bearer $AUTH_TOKEN" \
+-d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/clusters/$CLUSTER_ID
+----
@@ -2,4 +2,78 @@
 :description: Set up GCP Private Service Connect in the Redpanda Cloud UI.
 :env-dedicated: true
 
-include::networking:partial$psc-ui.adoc[]
+[NOTE]
+====
+
+* This guide is for configuring GCP Private Service Connect using the Redpanda Cloud UI. To configure and manage Private Service Connect on an existing cluster with *public* networking, you must use the xref:networking:gcp-private-service-connect.adoc[Cloud API for BYOC] or the xref:networking:dedicated/gcp/configure-psc-in-api.adoc[Cloud API for Dedicated].
+* The latest version of Redpanda GCP Private Service Connect (available March, 2025) supports AZ affinity. This allows requests from Private Service Connect endpoints to stay within the same availability zone, avoiding additional networking costs. 
+* DEPRECATION: The original Redpanda GCP Private Service Connect is deprecated and will be removed in a future release. For more information, see xref:manage:maintenance.adoc#deprecated-features[Deprecated features].
+==== 
+
+
+The Redpanda GCP Private Service Connect service provides secure access to Redpanda Cloud from your own VPC network. Traffic over Private Service Connect does not go through the public internet because these connections are treated as their own private GCP service. While your VPC network has access to the Redpanda VPC network, Redpanda cannot access your VPC network.
+
+Consider using Private Service Connect if you have multiple VPC networks and could benefit from a more simplified approach to network management.
+
+[NOTE]
+====
+* Each consumer VPC network can have one Private Service Connect endpoint connected to the Redpanda service attachment.
+* Private Service Connect allows overlapping xref:networking:cidr-ranges.adoc[CIDR ranges] in VPC networks.
+* The number of connections is limited only by your Redpanda usage tier. Private Service Connect does not add extra connection limits. 
+* You control from which GCP projects connections are allowed.
+====
+
+== Requirements
+
+* Use the https://cloud.google.com/sdk/docs/install[gcloud^] command-line interface (CLI) to create the consumer-side resources, such as a consumer VPC network and forwarding rule, or to modify existing resources to use the Private Service Connect service attachment created for your cluster.
+* The consumer VPC network must be in the same region as your Redpanda cluster.
+
+== Enable Private Service Connect for existing clusters
+
+. In the Redpanda Cloud UI, open your https://cloud.redpanda.com/clusters[cluster^], and click **Cluster settings**.
+. Under Private Service Connect, click **Enable**. 
+ifdef::env-byoc[]
+. For xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters], you need a NAT subnet with `purpose` set to `PRIVATE_SERVICE_CONNECT`. You also need to create VPC network firewall rules to allow Private Service Connect traffic. You can use the `gcloud` CLI:
++
+NOTE: The firewall rules support up to 20 Redpanda brokers. If you have more than 20 brokers, or for help enabling Private Service Connect, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda support^].
++
+[,bash]
+----
+gcloud compute networks subnets create <subnet-name> \
+    --project=<host-project-id> \
+    --network=<shared-vpc-name> \
+    --region=<region> \
+    --range=<subnet-range> \
+    --purpose=PRIVATE_SERVICE_CONNECT
+----
++
+[,bash]
+----
+gcloud compute firewall-rules create redpanda-psc-ingress \
+  --description="Allow access to Redpanda PSC endpoints" \
+  --network="<shared-vpc-name>" \
+  --project="<host-project-id>" \
+  --direction="INGRESS" \
+  --target-tags="redpanda-node" \
+  --source-ranges="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10" \
+  --allow="tcp:30181,tcp:30282,tcp:30292,tcp:31004,tcp:31082-31101,tcp:31182-31201,tcp:31282-31301,tcp:32092-32111,tcp:32192-32211,tcp:32292-32311"
+----
++
+Provide your values for the following placeholders:
++
+- `<subnet-name>`: The name of the NAT subnet.
+- `<host-project-id>`: The host GCP project ID.
+- `<shared-vpc-name>`: The name of the VPC network being used for your Redpanda Cloud cluster.
+- `<region>`: The region of the Redpanda Cloud cluster.
+- `<subnet-range>`: The CIDR range of the subnet. The mask should be at least `/29`. Each Private Service Connect connection takes up one IP address from the NAT subnet, so the CIDR must be able to accommodate all projects from which connections to the service attachment will be issued.
++
+See the GCP documentation for https://cloud.google.com/vpc/docs/configure-private-service-connect-producer#add-subnet-psc[creating a subnet for Private Service Connect^]. 
+endif::[]
+. For the accepted consumers list, you need the GCP project IDs from which incoming connections will be accepted.
+. It may take several minutes for your cluster to update. When the update is complete, the Private Service Connect status in **Cluster settings** changes from **In progress** to **Enabled**.
+
+include::networking:partial$psc-ui.adoc[]
+
+== Disable Private Service Connect
+
+In **Cluster settings**, click **Disable**. Existing connections are closed after GCP Private Service Connect is disabled. To connect using Private Service Connect again, you must re-enable the service.
@@ -257,5 +257,24 @@ Wait for the cluster to apply the new configuration (around 15 minutes). The Pri
 gcloud compute service-attachments list --project '<service-project-id>'
 ----
 
-include::networking:partial$psc-api2.adoc[]
+include::networking:partial$psc-ui.adoc[]
+
+== Disable Private Service Connect
+
+Make a xref:api:ROOT:cloud-controlplane-api.adoc#patch-/v1/clusters/-cluster.id-[`PATCH /v1/clusters/{cluster.id}`] request to update the cluster to disable Private Service Connect.
+
+[,bash]
+----
+CLUSTER_PATCH_BODY=`cat << EOF
+{
+    "gcp_private_service_connect": {
+        "enabled": false
+    }
+}
+EOF`
+curl -v -X PATCH \
+-H "Content-Type: application/json" \
+-H "Authorization: Bearer $AUTH_TOKEN" \
+-d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/clusters/$CLUSTER_ID
+----
 
@@ -1,18 +1,19 @@
 [NOTE]
 ====
 
-* This guide is for configuring GCP Private Service Connect using the Redpanda Cloud API. To configure and manage Private Service Connect on an existing *public* cluster, you must use the Cloud API. See xref:networking:configure-private-service-connect-in-cloud-ui.adoc[Configure Private Service Connect in the Cloud UI] to set up the endpoint service using the Redpanda Cloud UI.
+* This guide is for configuring GCP Private Service Connect using the Redpanda Cloud API. To configure and manage Private Service Connect on an existing cluster with *public* networking, you must use the Cloud API. See xref:networking:configure-private-service-connect-in-cloud-ui.adoc[Configure Private Service Connect in the Cloud UI] to set up the endpoint service using the Redpanda Cloud UI.
 * The latest version of Redpanda GCP Private Service Connect (available March, 2025) supports AZ affinity. This allows requests from Private Service Connect endpoints to stay within the same availability zone, avoiding additional networking costs. 
 * DEPRECATION: The original Redpanda GCP Private Service Connect is deprecated and will be removed in a future release. For more information, see xref:manage:maintenance.adoc#deprecated-features[Deprecated features].
 ==== 
 
-The Redpanda GCP Private Service Connect service provides secure access to Redpanda Cloud from your own VPC. Traffic over Private Service Connect does not go through the public internet because a Private Service Connect connection is treated as its own private GCP service. While your VPC has access to the Redpanda VPC, Redpanda cannot access your VPC.
 
-Consider using Private Service Connect if you have multiple VPCs and could benefit from a more simplified approach to network management.
+The Redpanda GCP Private Service Connect service provides secure access to Redpanda Cloud from your own VPC network. Traffic over Private Service Connect does not go through the public internet because these connections are treated as their own private GCP service. While your VPC network has access to the Redpanda VPC network, Redpanda cannot access your VPC network.
+
+Consider using Private Service Connect if you have multiple VPC networks and could benefit from a more simplified approach to network management.
 
 [NOTE]
 ====
-* Each client VPC can have one endpoint connected to Private Service Connect.
+* Each consumer VPC network can have one Private Service Connect endpoint connected to the Redpanda service attachment.
 * Private Service Connect allows overlapping xref:networking:cidr-ranges.adoc[CIDR ranges] in VPC networks.
 * The number of connections is limited only by your Redpanda usage tier. Private Service Connect does not add extra connection limits. 
 * You control from which GCP projects connections are allowed.