DOC-1613: Document BYOC AWS centralized egress with Transit Gateway#587
DOC-1613: Document BYOC AWS centralized egress with Transit Gateway#587micheleRP wants to merge 20 commits into
Conversation
Add two new pages under networking/byoc/aws for the beta NAT Gateway-free egress feature: a concept + how-to page for configuring centralized egress on a BYOC cluster, and a hub-side setup guide for the customer's Transit Gateway, NAT Gateway, and AWS RAM share. Update nav and link from the existing BYOC create and BYOVPC pages. The Cloud API path is gated behind ifdef::show-preview-api[] while egress_spec is in PREVIEW. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for rp-cloud ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughThis pull request adds comprehensive documentation for a new beta feature: centralized egress for BYOC clusters on AWS. The change introduces two new how-to guides—one for provisioning a customer-managed Transit Gateway hub and one for configuring BYOC clusters to route traffic through it—alongside updates to the product's what's-new page, navigation tree, and existing cluster setup documentation. The feature enables customers to consolidate egress from multiple Redpanda clusters through a single hub VPC and NAT gateway instead of deploying per-cluster NAT resources. Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Hello. I updated this document with everything related to Transit Gateway for AWS BYOC clusters: Feel free to use it. |
… API Document `egress_spec.aws.transit_gateway_id` on AWS BYOC networks in the Control Plane API partial behind `:show-preview-api:`, and cross-link the full API workflow from the centralized-egress page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Centralized egress is only available on AWS BYOC clusters with a private connection type. Add the constraint to the Prerequisites list on the centralized-egress page and to the Transit Gateway TIP callout on the create-cluster page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Trim the IMPORTANT callout to keep only the actionable instruction (create new network + cluster, then migrate data), since the "immutable" point is already covered in the Limitations section. Reassign the RAM share invitation acceptance to the Customer owner. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Redpanda does not accept the Transit Gateway RAM share -- the customer accepts the invitation in the BYOC AWS account before creating the cluster (auto-accepted within an AWS Organization). Correct the Prerequisites bullet, the Console procedure step, and both troubleshooting rows that previously implied Redpanda accepts the share. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add a NOTE next to the Transit Gateway ID UI step clarifying that the CIDR block customers enter on the Network page is the Redpanda spoke CIDR, and that a matching static route must exist on the hub public route table for reply traffic to reach the cluster. The Transit Gateway's own route table picks up the spoke CIDR via propagation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous six-row table mixed customer-observable symptoms with internal framings (agent logs, packets in the Redpanda VPC) that customers cannot inspect. Replace it with two rows whose symptoms are visible in the Cloud UI or the customer's own AWS account, and fold the four hub misconfiguration causes into a single "cluster creation does not complete" checklist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
@micheleRP I updated my document based on @david-yu’s comments. Please take a look if you think anything else should be added. Other than that, it looks good to me. |
Feediver1
left a comment
Feediver1
left a comment
There was a problem hiding this comment.
Reviewed against the Redpanda style guide and verified all xrefs. No broken links, no cross-repo single-source issues, CI is green. Findings are minor style polish.
Verified:
- All 5 xref targets in the new pages resolve in cloud-docs
main(aws-hub-egress,nat-free-egress,create-byoc-cluster-aws,cloud-byoc-controlplane-api,transit-gateway). The new pages reference each other; that resolves once the PR merges. - In-page anchors
[#internet-endpoints]and[#automated-alternative]match their<<…>>references. - No files in this PR are single-sourced from
redpanda-data/docs.modules/manage/partials/controlplane-api.adocis only included by three cloud-docs pages. - All Bash code blocks have
[,bash]language tags; bare----blocks are intentional ASCII diagrams. - 3 measurable learning objectives per page, using observable Bloom verbs.
ifdef::show-preview-api[]gating is correctly nested incontrolplane-api.adoc(two consecutiveendif::[]close the inner then outer ifdefs).
Style nits inline. The only one I'd push on is sentence-case for the page titles (Redpanda convention; sub-headings on both pages already follow it). The rest is optional polish.
Out of scope but called out for visibility: the test plan's TIP-in-numbered-list check is worth eyeballing on the Netlify preview because the list-continuation pattern is non-trivial — see comment on create-byoc-cluster-aws.adoc.
The page assumed the customer knew their existing Transit Gateway would auto-accept the Redpanda spoke attachment. Spell out both cases in Prerequisites and split the conflated troubleshooting row that mislabeled a pendingAcceptance attachment as a RAM share issue. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
| // To enable, set the attribute in the playbook or in this page header. | ||
| ifdef::show-preview-api[] | ||
|
|
||
| To route all cluster egress through your own AWS Transit Gateway and hub VPC instead of a per-VPC NAT Gateway, set `egress_spec.aws.transit_gateway_id` on an AWS BYOC network. Centralized egress is in beta, and the field is in preview on AWS BYOC networks only. The Transit Gateway ID is immutable after the network is created. Before you call this endpoint, provision the hub VPC and Transit Gateway and share the Transit Gateway with the Redpanda cluster account. See xref:networking:byoc/aws/aws-hub-egress.adoc[Create an AWS Hub for Centralized Egress] and xref:networking:byoc/aws/nat-free-egress.adoc[Configure Centralized Egress with AWS Transit Gateway]. |
There was a problem hiding this comment.
Maybe link to a description/defn of "preview" here?
There was a problem hiding this comment.
I'll remove that clause about "preview"
|
|
||
| [WARNING] | ||
| ==== | ||
| Hub and spoke VPC CIDRs must not overlap. AWS allows Transit Gateway attachments with overlapping CIDRs, but the hub VPC's local route always wins over the spoke CIDR return route, which silently blackholes reply traffic. Plan your CIDRs before you start. |
There was a problem hiding this comment.
I think a link to https://docs.redpanda.com/redpanda-cloud/networking/cidr-ranges/#what-are-cidrs would be helpful here
| ====== | ||
|
|
||
| == Create private subnets | ||
|
|
There was a problem hiding this comment.
Need text here. Many of these sections say what the tasks are, but do not explain why users must complete them. It's sort of like blind faith. Ideally, users walk away from each step/task understanding why it is there in the first place.
| ---- | ||
| ====== | ||
|
|
||
| == Create the Internet Gateway |
There was a problem hiding this comment.
Same as last comment here
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
- Add an xref to "What are CIDRs?" from the hub-and-spoke CIDR overlap warning. - Explain why the hub needs private subnets and an Internet Gateway in the two sections that previously jumped straight from heading to tabs. - Drop the "in preview on AWS BYOC networks only" qualifier from the centralized-egress API note, since there is no central definition of "preview" to link to. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4 participants
Summary
networking/byoc/aws/documenting the beta NAT Gateway-Free Egress feature for BYOC AWS clusters: a concept + how-to page for configuring centralized egress at network creation, and a how-to for provisioning the customer-side hub VPC, Transit Gateway, and AWS RAM share.create-byoc-cluster-aws.adoc) and BYOVPC page (vpc-byo-aws.adoc) so customers can discover the new option.ifdef::show-preview-api[]while thenetwork.egress_spec.aws.transit_gateway_idfield is in PREVIEW. A preview-gated section is added onnat-free-egress.adoc, and a matching AWS BYOC network example is added to thecontrolplane-api.adocpartial (rendered oncloud-byoc-controlplane-api.adoc). Setting:show-preview-api:re-enables both in a future PR.Context
enable-transit-gateway-egress(LaunchDarkly, org-targeted)Open items before publishing
These don't block review of the content, but PM/Eng sign-off is needed before the PR moves out of draft:
egress_specsection be enabled at publish, or stay hidden until the field graduates from PREVIEW? Currently hidden.Preview pages
Test plan
nat-free-egress(it's gated behindifdef::show-preview-api[]).cloud-byoc-controlplane-api.adocdoes not render by default (also gated behindifdef::show-preview-api[]).nat-free-egressandaws-hub-egressresolve in both directions.nat-free-egressrenders, and its xref toaws-hub-egressresolves.nat-free-egressjumps to the "Internet endpoints" section.create-byoc-cluster-aws(TIP on the Network wizard step) renders correctly.vpc-byo-awslinks tonat-free-egress.🤖 Generated with Claude Code