DOC-2267: Document BYOC GCP centralized egress with VPC Peering

[ppanagiotis]

Description

Resolves https://redpandadata.atlassian.net/browse/DOC-2267

Documents centralized egress for BYOC clusters on GCP (beta), the GCP counterpart to the AWS Transit Gateway egress feature. Centralized egress lets customers route all BYOC cluster internet traffic through their own GCP hub VPC and NAT VM instead of a per-cluster Cloud NAT, so outbound traffic exits through a single, predictable public IP for inspection and allowlisting.

This PR adds:

• Create a GCP Hub for Centralized Egress — a how-to for provisioning the customer-side hub VPC, NAT VM, routes, firewall rule, and VPC Network Peering, with Console and CLI steps plus a Terraform alternative.
• Configure Centralized Egress with GCP VPC Peering — a how-to for enabling centralized egress at cluster creation, including the shared responsibility model, required internet endpoints, and troubleshooting.
• A TIP on the GCP create-cluster page and a What's New entry pointing to the new guides.
• A "Features in beta" entry on the Cloud overview page (covers AWS and GCP).
• Navigation entries under Networking > BYOC > GCP.

Audience: platform administrators. Mirrors the structure of the AWS centralized egress pages.

Preview pages

• Create a GCP Hub for Centralized Egress (new)
• Configure Centralized Egress with GCP VPC Peering (new)
• Create a BYOC Cluster on GCP (updated)
• What's New in Redpanda Cloud (updated)
• Redpanda Cloud Overview (updated)

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	7ee4f12
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/6a3d0413ccffc9000894ab59
😎 Deploy Preview	https://deploy-preview-624--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 428bd8c1-38b6-47d8-a035-059b4ef63cc4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds documentation for a new beta feature: centralized egress for BYOC clusters on GCP. It introduces two new pages — nat-free-egress.adoc (208 lines) covering the egress model, prerequisites, shared responsibility, UI setup, verification, and troubleshooting, and gcp-hub-egress.adoc (504 lines) providing step-by-step CLI instructions for creating the hub VPC, NAT VM, routes, firewall, MIG, and peering. Supporting changes include a tip callout in the BYOC cluster creation guide, a June 2026 What's New entry, and two navigation links.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

• redpanda-data/cloud-docs#587: Adds the same centralized egress beta documentation pattern (nav entries, tip callout, What's New entry, hub creation guide, and configuration how-to) for AWS Transit Gateway, mirroring this PR's structure for GCP.

Suggested reviewers

• david-yu
• paulzhang97
• Feediver1

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main content: documenting BYOC GCP centralized egress with VPC Peering. However, it references DOC-2267, which is correct for this GCP feature, so the title properly identifies the primary change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description follows the required template with all key sections present: a detailed description of changes, explicit links to preview pages, and proper check selection. Issue tracking and comprehensive context are included.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DOC-2267-byoc-gcp-nat-free-egress

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[micheleRP]

PR Review: Document BYOC GCP centralized egress with VPC Peering (#624)

Files reviewed: 2 new pages + 3 edits (nav, create-cluster, What's New)
Standards checked: style guide, terminology, content architecture, introduction patterns, content-design principles, learning objectives, Antora conventions.
Overall: Strong PR with close parity to the AWS centralized-egress pages. No broken xrefs or breaking AsciiDoc. Findings are mostly style/standards polish; the one to fix before merge is the PR title's Jira key.

What this PR does

Adds two GCP how-to pages: provisioning a customer hub VPC + NAT VM (gcp-hub-egress.adoc), and enabling centralized egress on a BYOC cluster (nat-free-egress.adoc), plus nav entries, a create-cluster TIP, and a What's New entry. Mirrors the AWS Transit Gateway equivalent (PR #587). Audience: platform admins.

Jira alignment

• PR title uses DOC-1613, which is the AWS ticket (Transit Gateway) and is already Done.
• PR body + branch use DOC-2267 (GCP VPC Hub egress, In Review): the correct ticket.
• Fix: rename the PR title to DOC-2267.

Should-fix

1. Em dashes (style guide: no em dashes). Replace with commas/periods/parentheses or reword:
   • gcp-hub-egress.adoc: "...must not have a local 0.0.0.0/0 route — if one exists..."; "This is expected — proceed to create the cluster..."; "Default values" table uses — as an empty Notes placeholder (leave blank).
   • nat-free-egress.adoc: troubleshooting "Correct — this is the centralized egress design."
2. "via" is on the do-not-use list: use "through" or "by using". Several spots on both pages ("exportable routes via VPC Network Peering", "GCP exports routes... via peering", "forwards it back... via the VPC peering connection").
3. gcp-hub-egress.adoc intro is self-referential and long. How-to intros are 1-2 sentences / ~30-50 words, imperative, no implementation (introduction-patterns). Current opens "Use this guide to provision..." (an explicit anti-pattern) and runs ~75 words. Rewrite to lead with the outcome, for example: "Provision a hub VPC and NAT VM so one or more BYOC clusters route internet egress through a single public IP. After this procedure you have the hub VPC name and project ID needed to configure your BYOC network."
4. Directional / temporal references (style guide bans "earlier", "later", "next", "previous", "following" for location). On gcp-hub-egress.adoc: "reserved earlier", "created in the next step", "in the previous step", "you will need it in the following steps". Use descriptive references or section anchors.

Suggestions (minor / polish)

• nat-free-egress.adoc intro's second sentence repeats the import_custom_routes/NAT-VM mechanism that the "How it works" section covers: how-to intros exclude implementation. Consider trimming.
• Future tense "you will need it" -> "you need it to create the route and instance template" (also fixes the directional reference in gha: use aws sm #4).
• Heading "Create the Managed Instance Group" -> sentence case "Create the managed instance group" (GCP writes it lowercase).
• Learning-objective lead-in "After reading this page, you will be able to:": how-to convention is "After completing these steps, you will be able to:" (matches AWS siblings either way; optional).
• GCP not spelled out as "Google Cloud Platform (GCP)" on first mention (terminology rule; house style usually treats GCP as established, so optional).
• Prerequisite bullet starts with code: "gcloud CLI configured..." (style guide: don't start a sentence with code).

Impact on other files

• What's New, nav, and create-cluster TIP are present and match the AWS pattern. But the What's New entry is inconsistent with its AWS sibling on the same page: GCP uses === ... (beta) + "is in beta"; AWS uses === ...: beta + "is in a glossterm:beta[] release". Match the AWS format (: beta heading + glossterm:beta[]).
• AWS documents its Cloud API egress field in modules/manage/partials/controlplane-api.adoc (egress_spec.aws.transit_gateway_id); GCP egress here is UI-only. Confirm whether a GCP Cloud API path exists and needs documenting for parity, or UI-only is intentional.
• Index pages (byoc/gcp/index.adoc, byoc/index.adoc) are nav-driven and don't enumerate children, so no update needed. No moved/renamed files, so no stale xrefs.

Doc Detective

Not a practical automated-test candidate: the gcloud steps and curl verification need live GCP infrastructure and a running BYOC cluster.

What works well

• All xrefs use full module IDs and every anchor resolves (#collect-values, #internet-endpoints, #automated-alternative, #prerequisites).
• Strong parity with AWS: shared-responsibility model, troubleshooting tables, learning objectives (3 max, action verbs, checkbox format, no trailing periods).
• :page-beta: true on both pages; [,bash] language specifiers; bidirectional cross-linking + Next steps; good operational depth (Terraform alternative, HA guidance, egress-IP verification, and the GCP-specific local-route-beats-imported-route gotcha).

CodeRabbit

No CodeRabbit review or comments posted yet.

[micheleRP]

@ppanagiotis one open question from the review: AWS documents its Cloud API egress field in modules/manage/partials/controlplane-api.adoc (egress_spec.aws.transit_gateway_id), but the GCP pages here document the UI path only. Does GCP centralized egress have a Cloud API path (for example a egress_spec.gcp field for the hub VPC name and project ID) that we should document for parity, or is UI-only intentional for this beta?

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

modules/networking/pages/byoc/gcp/nat-free-egress.adoc (1)

17-17: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider "After completing these steps" for how-to convention alignment.

Line 17 reads "After reading this page, you will be able to:" which is typical for reference pages. Since this page is marked :page-topic-type: how-to and includes procedural steps (lines 123–129), consider aligning the learning objective lead-in with how-to conventions: "After completing these steps, you will be able to:". This is a minor polish improvement for consistency with Redpanda's how-to guide standards.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/networking/pages/byoc/gcp/nat-free-egress.adoc` at line 17, The
learning objectives lead-in on line 17 currently reads "After reading this page,
you will be able to:" which is typical for reference pages. Since this page is
marked as a how-to guide (`:page-topic-type: how-to`) and contains procedural
steps, change the text to "After completing these steps, you will be able to:"
to align with Redpanda's how-to documentation standards.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc`:
- Around line 48-52: The cross-reference
xref:networking:byoc/gcp/nat-free-egress.adoc[] on line 51 is missing link text
within the square brackets. For Antora cross-references to be accessible and
readable, you must provide descriptive link text. Add the destination page title
as the link text between the square brackets of the xref syntax, replacing the
empty brackets with the appropriate descriptive text for the NAT free egress
documentation page.

In `@modules/networking/pages/byoc/gcp/gcp-hub-egress.adoc`:
- Line 12: The learning objectives lead-in text uses "After reading this page"
which does not match the how-to page convention. Change the text "After reading
this page, you will be able to:" to "After completing these steps, you will be
able to:" to properly reflect the procedural nature of the how-to guide and
align with the established page type conventions.
- Around line 362-376: The gcloud compute instance-templates create command in
the hub-nat-template creation block contains the `--address=$NAT_PUBLIC_IP` flag
which is not supported by instance template creation commands. Remove this flag
entirely from the command since instance templates cannot assign specific static
IP addresses. External IP assignment must be handled separately at instance
creation time through the managed instance group, not at template definition
time.

---

Nitpick comments:
In `@modules/networking/pages/byoc/gcp/nat-free-egress.adoc`:
- Line 17: The learning objectives lead-in on line 17 currently reads "After
reading this page, you will be able to:" which is typical for reference pages.
Since this page is marked as a how-to guide (`:page-topic-type: how-to`) and
contains procedural steps, change the text to "After completing these steps, you
will be able to:" to align with Redpanda's how-to documentation standards.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 80bcd634-4edf-467a-bc59-a70b5e453f70

📥 Commits

Reviewing files that changed from the base of the PR and between af1bf88 and 5fa0dd7.

📒 Files selected for processing (5)

• modules/ROOT/nav.adoc
• modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
• modules/get-started/pages/whats-new-cloud.adoc
• modules/networking/pages/byoc/gcp/gcp-hub-egress.adoc
• modules/networking/pages/byoc/gcp/nat-free-egress.adoc

[coderabbitai]

🩺 Stability & Availability | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the gcloud instance-templates create syntax and parameters
# Check the official gcloud documentation or test the command

gcloud compute instance-templates create --help | grep -A 5 "address"

Repository: redpanda-data/cloud-docs

Length of output: 202

---

🌐 Web query:

gcloud compute instance-templates create --address parameter documentation

💡 Result:

The gcloud compute instance-templates create command does not support a top-level --address flag [1][2]. The documentation for gcloud compute instance-templates create does not list --address as a valid parameter for configuring network interfaces in an instance template [1][2]. While some other gcloud commands (such as gcloud compute instances create) allow you to assign a specific external IP address using an --address flag [1], this flag is not applicable to instance templates. Instance templates are blueprints for creating instances; because instance templates are meant to be reusable for many instances, they cannot reserve or assign a specific static IP address to the instances created from them. If you are attempting to configure network settings for an instance template, you may use other network-related flags provided by the command, such as --network, --subnet, or --network-tier, to define the network environment that instances will use [1][2].

Citations:

• 1: https://cloud.google.com/sdk/gcloud/reference/compute/instance-templates/create
• 2: https://docs.cloud.google.com/sdk/gcloud/reference/compute/instance-templates/create

---

Remove the --address=$NAT_PUBLIC_IP flag from the instance template creation command.

The --address parameter is not supported by gcloud compute instance-templates create [1]. Instance templates are reusable blueprints and cannot reserve or assign specific static IP addresses. Attempting to use this flag will cause the command to fail.

External IP assignment must occur at instance creation time through the managed instance group, not at template definition time. Remove line 375 entirely, or configure external IPs after the MIG creates instances from this template using a separate step or resource.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/networking/pages/byoc/gcp/gcp-hub-egress.adoc` around lines 362 -
376, The gcloud compute instance-templates create command in the
hub-nat-template creation block contains the `--address=$NAT_PUBLIC_IP` flag
which is not supported by instance template creation commands. Remove this flag
entirely from the command since instance templates cannot assign specific static
IP addresses. External IP assignment must be handled separately at instance
creation time through the managed instance group, not at template definition
time.

[micheleRP]

Partly correct, but the suggested fix would break the feature, so I've resolved it differently in commit 846c234.

What's right: --address is not a valid flag for gcloud compute instance-templates create (it's for gcloud compute instances create), so the command as written would fail. Good catch on the flag.

What's not: removing the flag (or relying on the MIG's --stateful-external-ip, which only preserves an existing IP rather than assigning a specific reserved one) would leave the NAT VM with an ephemeral public IP. That defeats the entire purpose of centralized egress: a single, predictable public IP for outbound allowlisting.

A reserved static external IP can be pinned in an instance template, on the network interface. The tested reference for this guide — the redpanda-data/cloud-examples/gcp-hub-egress Terraform — does exactly this:

network_interface {
  network    = google_compute_network.hub.self_link
  subnetwork = google_compute_subnetwork.hub.self_link
  network_ip = google_compute_address.nat_internal.address
  access_config {
    nat_ip = google_compute_address.nat.address
  }
}

Fix applied: consolidated the four separate network flags into a single --network-interface flag with address=, which is the gcloud equivalent of the Terraform access_config.nat_ip and keeps the single reserved egress IP:

-  --network=$VPC_NAME \
-  --subnet=$SUBNET_NAME \
-  --private-network-ip=$NAT_INTERNAL_IP \
-  --address=$NAT_PUBLIC_IP \
+  --network-interface=network=$VPC_NAME,subnet=$SUBNET_NAME,private-network-ip=$NAT_INTERNAL_IP,address=$NAT_PUBLIC_IP \

The Console step (set the external IPv4 address to hub-nat-ip) is unchanged and still valid.

@ppanagiotis I couldn't run gcloud locally to validate this exact invocation. Could you confirm --network-interface=...,address=$NAT_PUBLIC_IP works against your tested setup / matches the Terraform, before we merge? If your tested command differs, let me know and I'll match it.

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[micheleRP]

PR Review: BYOC GCP centralized egress (#624)

Files reviewed: 7 (.adoc) · Assessment: Strong PR that closely mirrors the AWS centralized egress pages. Nav, What's New, Cloud overview, and the create-cluster TIP are all wired up. One internal contradiction to reconcile.

Jira alignment: DOC-2267 ("BYOC support for alternate internet egress... routing through a VPC Hub"). Fully addressed for GCP.

Critical

1. egress_spec immutability contradicts itself within this PR. Commit 5 removed the immutability claim from the AWS API entry in controlplane-api.adoc ("storage layer confirms egress_spec is updatable"), and the new GCP API entry omits any immutability claim. But nat-free-egress.adoc still asserts the opposite three times:

   • L111: "The hub VPC name and project fields are immutable after the network is created."
   • L116: "You cannot change it on an existing network."
   • L120: "To switch back to Cloud NAT egress, create a new network... then migrate your data."

   If egress_spec is updatable, these claims and the migration workaround are wrong. Either soften/remove them, or re-add a matching note to the API entry. The API partial and the how-to should not disagree.

Suggestions

1. AWS follow-up (out of scope): aws/nat-free-egress.adoc (L133, L137) still calls the Transit Gateway ID immutable, even though this PR removed that claim from the AWS API entry. Same contradiction on the AWS side. Worth a follow-up ticket so AWS and GCP stay consistent.
2. Duplicate Cloud API example: the GCP egress_spec curl now lives both in the API partial and in a new :show-preview-api:-gated section in nat-free-egress.adoc. Both are gated, so neither renders today. Confirm the duplication is intentional.
3. Commit metadata: commit 1's subject says "DOC-1613"; the PR resolves DOC-2267. Cosmetic if the merge uses the PR title, but worth a squash-message cleanup.

Impact on other files

No missing wiring detected. What's New entry added, nav entries for both pages (order matches AWS), Cloud overview "Features in beta" updated, create-cluster TIP added, and all xref targets and anchors resolve. Only concern is the AWS immutability follow-up above.

CodeRabbit triage

All three findings already resolved:

• Empty xref on create-byoc-cluster-gcp.adoc kept intentionally (Antora resolves to page title); CodeRabbit withdrew.
• "After reading this page" vs "After completing these steps" kept for consistency with AWS pages; CodeRabbit withdrew and recorded the convention.
• Invalid --address flag on gcloud compute instance-templates create fixed in commit 846c234.

What works well

• Faithful mirror of the AWS structure (hub + configure pages, shared-responsibility and troubleshooting tables, Terraform alternative).
• Precise Console/CLI tabs and routing-priority notes; the "local routes beat imported peering routes" gotcha is explained well.
• Style fixes already applied in-branch: no em dashes, glossterm:beta[] in What's New, sentence-case headings, :page-beta:, personas, and 3 checkbox learning objectives per page.