@micheleRP
Contributor

@micheleRP micheleRP commented Sep 4, 2025

Description

This pull request updates the networking doc to add how to switch from VPC peering to PrivateLink or Private Service Connect.

  • Added new "Switch from VPC peering to PrivateLink" and "Switch from VPC peering to Private Service Connect" sections in AWS and GCP BYOC and Dedicated guides, describing a staged DNS switchover process to avoid client disruption. [1] [2] [3] [4]

  • Updated warnings for enabling PrivateLink and Private Service Connect to recommend staged approaches and reference relevant new sections for safe migration. [1] [2] [3] [4]

  • Refined instructions for creating peering connections in AWS, GCP, and Azure, including more accurate UI labels and steps, and clarified reciprocal peering requirements for GCP. [1] [2] [3]

Resolves https://redpandadata.atlassian.net/browse/DOC-1652, https://redpandadata.atlassian.net/browse/DOC-1481, https://redpandadata.atlassian.net/browse/DOC-26
Review deadline:

Page previews

DOC-652 (switch from VPC peering to PSC/PrivateLink)

DOC-1481 (make specific to GCP)
Create the reciprocal peering connection

DOC-26 (finish step 7)
Accept peering connection, step 7

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

@micheleRP micheleRP requested a review from a team as a code owner September 4, 2025 00:16
@netlify

netlify bot commented Sep 4, 2025

Deploy Preview for rp-cloud ready!

Name Link
🔨 Latest commit 26de7b1
🔍 Latest deploy log https://app.netlify.com/projects/rp-cloud/deploys/68bb06d7e7a72b0008e5c4bd
😎 Deploy Preview https://deploy-preview-408--rp-cloud.netlify.app

@coderabbitai
Contributor

coderabbitai bot commented Sep 4, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Adds a new partial modules/networking/partials/switch-to-psc.adoc that documents a controlled procedure to switch from VPC peering to GCP Private Service Connect (PSC) using a staged DNS cutover. The partial is included into multiple GCP networking docs (BYOC VPC peering, Dedicated VPC peering, GCP PSC overview, Dedicated PSC via API). Also adds a short introductory paragraph defining VPC peering in the BYOC GCP VPC peering page. All changes are documentation-only.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Admin as Customer Admin
  participant Docs as switch-to-psc (Docs)
  participant Cloud as Redpanda Cloud
  participant GCP as Customer GCP

  Note over Docs: Procedure: provision PSC, stage DNS, cutover

  Admin->>Docs: Read procedure
  Admin->>Cloud: Enable PSC on existing cluster
  Cloud-->>Admin: PSC endpoint details

  rect rgb(235,245,255)
    Note over Admin,GCP: Phase 1 — Provision PSC (no DNS change)
    Admin->>GCP: Create PSC consumer resources & endpoints
    Admin--xGCP: Do NOT create private DNS records yet
  end

  rect rgb(240,255,240)
    Note over Admin,GCP: Phase 2 — DNS switchover (planned window)
    Admin->>GCP: Create private DNS zone & records pointing to PSC
    GCP-->>Cloud: Traffic now resolves to PSC
  end

  alt Verified
    Admin->>GCP: Remove VPC peering (optional)
  else Rollback
    Admin->>GCP: Revert DNS to peering targets
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective | Addressed | Explanation
Document a procedure to change from VPC peering to GCP Private Service Connect (DOC-1652) | |
Document a procedure to change from VPC peering to AWS PrivateLink (DOC-1652) | | No AWS/PrivateLink guidance provided or referenced in the changes.

Possibly related PRs

Suggested reviewers

  • paulzhang97
  • c4milo
  • david-yu

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
modules/networking/pages/gcp-private-service-connect.adoc (1)

301-301: Good include placement; add a forward reference near the CAUTION.

Including the switchover guidance after “Disable Private Service Connect” is fine. To prevent users from missing the staged cutover advice, add a short NOTE under the CAUTION in “Enable … on an existing BYOC or BYOVPC cluster” that links to this new section.

Apply:

 CAUTION: As soon as Private Service Connect is available on your VPC, all communication on existing Redpanda bootstrap server and  broker ports is interrupted due to the change on the private DNS resolution. Make sure all applications running in your VPC are ready to start using the corresponding Private Service Connect ports.
+NOTE: To avoid disruption, you can perform a controlled DNS switchover. See <<Switch from VPC peering to Private Service Connect>> below.
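Review bot: The added NOTE sits directly under a CAUTION that says traffic on the existing bootstrap server and broker ports is interrupted "as soon as Private Service Connect is available on your VPC", yet the NOTE says disruption can be avoided without naming the step that makes that possible. Suggest stating in the NOTE that the private DNS records are deferred to a planned window, so the two admonitions do not read as contradicting each other. The trailing "below" can also go, since the cross-reference resolves to the section wherever the include lands.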
modules/networking/partials/switch-to-psc.adoc (2)

3-4: Clarify DNS behavior and terminology.

“Same seed endpoints (connection URLs)” can be misread. Suggest explicitly stating that the DNS names remain the same but resolve to PSC after the cutover.

Apply:

-VPC peering and Private Service Connect use the same seed endpoints (connection URLs) to connect to the Redpanda cluster. When Private Service Connect is enabled, these endpoints get resolved through DNS, potentially breaking existing VPC peering connections.  
+VPC peering and Private Service Connect use the same DNS hostnames (seed endpoints). After you complete the PSC DNS configuration, those hostnames resolve to PSC endpoints, which can interrupt existing VPC peering-based connections if clients aren’t ready.
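Review bot: "if clients aren't ready" at the end of the added sentence does not say what ready means. The CAUTION in gcp-private-service-connect.adoc is specific: applications must be ready to start using the corresponding Private Service Connect ports. Suggest reusing that wording here, and spelling out "Private Service Connect" on first use instead of "PSC", as the removed line did.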

11-11: Add an explicit DNS cutover cross-reference.

Link directly to the DNS configuration subsection if available, or name the tasks explicitly.

Apply:

-See xref:networking:gcp-private-service-connect.adoc#enable-private-service-connect-on-an-existing-byoc-or-byovpc-cluster[Enable Private Service Connect on an existing cluster].
+See xref:networking:gcp-private-service-connect.adoc#enable-private-service-connect-on-an-existing-byoc-or-byovpc-cluster[Enable Private Service Connect on an existing cluster]. After enabling PSC, proceed to the Private DNS configuration steps in that page to complete the cutover.
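Review bot: The added sentence "After enabling PSC, proceed to the Private DNS configuration steps" reads as an instruction to do both steps back to back, which works against the staged approach this partial describes. The walkthrough for this PR separates provisioning (no DNS change) from the DNS switchover in a planned window. Suggest wording that tells the reader to create the private DNS records only during the planned switchover window, and change "in that page" to "on that page".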
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between a99723a and ce8538e.

📒 Files selected for processing (5)
  • modules/networking/pages/byoc/gcp/vpc-peering-gcp.adoc (2 hunks)
  • modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc (1 hunks)
  • modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc (1 hunks)
  • modules/networking/pages/gcp-private-service-connect.adoc (1 hunks)
  • modules/networking/partials/switch-to-psc.adoc (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: micheleRP
PR: redpanda-data/cloud-docs#377
File: modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc:35-71
Timestamp: 2025-08-07T16:36:45.111Z
Learning: In Redpanda Cloud documentation, NAT subnet and firewall rule creation commands for GCP Private Service Connect are producer-side infrastructure steps that only BYOC (Bring Your Own Cloud) customers need to perform, since they manage their own VPC. Dedicated cluster customers don't need these steps because Redpanda manages the infrastructure for them. The ifdef::env-byoc[] guard correctly hides these commands from Dedicated users.

Applied to files:

  • modules/networking/pages/byoc/gcp/vpc-peering-gcp.adoc
  • modules/networking/pages/gcp-private-service-connect.adoc
  • modules/networking/partials/switch-to-psc.adoc
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Redirect rules - rp-cloud
  • GitHub Check: Header rules - rp-cloud
  • GitHub Check: Pages changed - rp-cloud
🔇 Additional comments (4)
modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc (1)

46-48: Section break is OK; verify heading level renders as intended.

The include starts with ==, which creates a new top-level subsection immediately after a numbered step. That’s acceptable, but confirm the Table of Contents and step numbering aren’t affected.

modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc (1)

159-161: Code block closure looks correct.

The ---- fence is properly closed before the include. No action needed.

modules/networking/pages/byoc/gcp/vpc-peering-gcp.adoc (2)

5-6: Intro paragraph LGTM.

Clear and accurate definition of VPC peering.


45-45: Nice reuse via partial include.

Good to centralize the migration guidance to avoid divergence across pages.

@coderabbitai
Contributor

coderabbitai bot commented Sep 4, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@micheleRP
Contributor Author

@paulzhang97 If this looks correct for GCP, should I do a similar update for AWS?

Contributor

@asimms41 asimms41 left a comment

The intro to Switch from VPC peering to Private Service Connect tripped me up a bit. My edits are just suggestions.

* Activate the Cloud Shell in your project, install `rpk` in the Cloud Shell, and run `rpk cluster info`.
* If there is output from Redpanda, your connection is successful.

== Switch from VPC peering to Private Service Connect
Contributor

The procedure is also applicable to AWS and Azure, switching from VPC peering to Private Link. Can we add it to AWS and Azure peering sections?

Contributor Author

@paulzhang97 we do not document VNet peering for Azure.
cc @david-yu, as we still need resolution on this!

Contributor Author

@paulzhang97 please see the added AWS sections!

Contributor

@asimms41 asimms41 left a comment

LGTM!

@micheleRP micheleRP requested a review from david-yu September 4, 2025 20:23
@micheleRP micheleRP merged commit 79d6d11 into main Sep 5, 2025
5 checks passed
@micheleRP micheleRP deleted the DOC-1652-Document-a-procedure-for-changing-from-VPC-peering-to-PSC-PL branch September 5, 2025 21:14