redpanda-data · micheleRP · May 14, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
@@ -452,6 +452,8 @@
 **** xref:networking:configure-privatelink-in-cloud-ui.adoc[Configure PrivateLink in the Cloud Console]
 **** xref:networking:aws-privatelink.adoc[Configure PrivateLink with the Cloud API]
 **** xref:networking:byoc/aws/transit-gateway.adoc[Add a Transit Gateway]
+**** xref:networking:byoc/aws/nat-free-egress.adoc[Configure Centralized Egress]
+**** xref:networking:byoc/aws/aws-hub-egress.adoc[Create an AWS Hub for Centralized Egress]
 *** xref:networking:byoc/azure/index.adoc[Azure]
 **** xref:networking:azure-private-link-in-ui.adoc[]
 **** xref:networking:azure-private-link.adoc[]

@@ -43,6 +43,11 @@ Optionally, click *Advanced settings* to specify up to five key-value custom tag
 ** Clusters with private networking include a setting for API Gateway network access. Public access exposes endpoints for Redpanda Console, the Data Plane API, and the MCP Server API, but they remain protected by your authentication and authorization controls. Private access restricts endpoint access to your VPC only.
 +
 NOTE: After the cluster is created, you can change the API Gateway access on the Dataplane settings page. If you change from public to private access, users without VPN access to the Redpanda VPC will lose access to these services.
++
+[TIP]
+====
+To route all cluster egress through your own AWS Transit Gateway and hub VPC instead of a per-VPC NAT Gateway, set the *Transit Gateway ID* field on this page. The field is only available on clusters with a private connection type, and is only visible if centralized egress is enabled for your organization. This option is in beta. See xref:networking:byoc/aws/nat-free-egress.adoc[].
+====
 . Click *Next*.
 . On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.
 +

@@ -111,7 +111,7 @@ module "redpanda_byovpc" {
 
 [NOTE]
 ====
-* To send telemetry back to the Redpanda control plane, the cluster needs outbound internet access. You can provide this through at least one public subnet, or through network peering or a transit gateway to another VPC that routes traffic through a public subnet. The example configuration includes multiple public subnets to allow for future scaling.
+* To send telemetry back to the Redpanda control plane, the cluster needs outbound internet access. You can provide this through at least one public subnet, or through network peering or a transit gateway to another VPC that routes traffic through a public subnet. The example configuration includes multiple public subnets to allow for future scaling. Standard BYOC clusters can also route egress through a customer-owned hub VPC and Transit Gateway, eliminating the per-VPC NAT Gateway entirely. See xref:networking:byoc/aws/nat-free-egress.adoc[].
 * The example creates an Internet Gateway and an associated Route Table rule that routes traffic into the VPC, which allows the Redpanda control plane to access the cluster. To disable creation of the Internet Gateway, either remove the configuration and value for `create_internet_gateway` or set `"create_internet_gateway": false`.
 * When using a pre-existing VPC, at least one public subnet must already exist in that VPC. Setting `public_subnet_cidrs = []` only prevents the module from creating new ones.
 ====

@@ -8,6 +8,10 @@ This page lists new features added to Redpanda Cloud.
 
 == May 2026
 
+=== Centralized egress for BYOC on AWS (beta)
+
+You can route all BYOC cluster egress through your own AWS Transit Gateway and hub VPC instead of a per-VPC NAT Gateway, so outbound traffic exits through your centralized inspection point. This is useful for regulated environments that prohibit per-VPC NAT Gateways and for consolidating egress behind a single, predictable public IP for outbound allowlisting. Centralized egress is in beta and is enabled per organization. Contact your account team for access. See xref:networking:byoc/aws/nat-free-egress.adoc[Configure Centralized Egress with AWS Transit Gateway].
+
 === Schema Registry Authorization enabled by default
 
 Schema Registry Authorization is now enabled automatically on all new BYOC and Dedicated clusters. The xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`] cluster property is set to `true` at provisioning, and the predefined Admin, Writer, and Reader roles include Schema Registry permissions for the `subject` and `registry` ACL resource types. You can use ACLs and RBAC roles to grant fine-grained access to schemas and subjects without any additional setup. See xref:manage:schema-reg/schema-reg-authorization.adoc[Schema Registry Authorization] and xref:security:authorization/rbac/rbac.adoc#predefined-roles[Predefined roles].

@@ -125,11 +125,40 @@ curl -d \
     "region": "us-west1"
   }
 }' -H "Content-Type: application/json" \
--H "Authorization: Bearer <token>" -X POST https://api.redpanda.com/v1/networks 
+-H "Authorization: Bearer <token>" -X POST https://api.redpanda.com/v1/networks
+----
+// The AWS BYOC network example adds `egress_spec.aws.transit_gateway_id`
+// to route all cluster egress through a customer-owned Transit Gateway.
+// It is gated behind `:show-preview-api:` while the field is in preview.
+// To enable, set the attribute in the playbook or in this page header.
+ifdef::show-preview-api[]
+
+To route all cluster egress through your own AWS Transit Gateway and hub VPC instead of a per-VPC NAT Gateway, set `egress_spec.aws.transit_gateway_id` on an AWS BYOC network. Centralized egress is in beta. The Transit Gateway ID is immutable after the network is created. Before calling this endpoint, provision the hub VPC and Transit Gateway and share the Transit Gateway with the Redpanda cluster account. See xref:networking:byoc/aws/aws-hub-egress.adoc[Create an AWS Hub for Centralized Egress] and xref:networking:byoc/aws/nat-free-egress.adoc[Configure Centralized Egress with AWS Transit Gateway].
+
+[,bash]
 ----
+curl -d \
+'{
+  "network": {
+    "cidr_block": "10.10.0.0/20",
+    "cloud_provider": "CLOUD_PROVIDER_AWS",
+    "cluster_type": "TYPE_BYOC",
+    "name": "<network-name>",
+    "resource_group_id": "<resource-group-id>",
+    "region": "us-east-2",
+    "egress_spec": {
+      "aws": {
+        "transit_gateway_id": "tgw-0b629c5b4fb6e364b"
+      }
+    }
+  }
+}' -H "Content-Type: application/json" \
+-H "Authorization: Bearer <token>" -X POST https://api.redpanda.com/v1/networks
+----
+endif::[]
 endif::[]
 
-This endpoint returns a <<lro,long-running operation>>. 
+This endpoint returns a <<lro,long-running operation>>.
 
 === Create a new cluster