DOC-1871: Add client VPC and security group setup to dedicated Privat…

[micheleRP]

The BYOC/Dedicated AWS PrivateLink Cloud UI doc was missing the entire client-side VPC and security group setup section, including the critical per-broker port ranges (32000-32500 for Kafka API, 35000-35500 for HTTP Proxy).

• Create shared partial for VPC setup steps used by both UI and API docs
• Add "Configure PrivateLink connection" section to the BYOC/dedicated UI doc (similar but not identical to our Serverless private networking docs)
• Replace inline VPC setup in the API doc with the shared partial

Description

Resolves https://redpandadata.atlassian.net/browse/DOC-1871
Review deadline:

Page previews

Configure AWS PrivateLink in the Cloud Console
Configure AWS PrivateLink with the Cloud API

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	6166b0f
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/6994f233f12ce60008016776
😎 Deploy Preview	https://deploy-preview-504--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request consolidates AWS PrivateLink documentation by extracting common VPC setup procedures into a reusable shared partial file (private-links-aws-client-vpc-setup.adoc), which is then referenced across multiple documentation pages. The changes reorganize the aws-privatelink page to replace inline VPC creation steps with includes, expand guidance for both new and existing cluster PrivateLink enablement workflows, and introduce cross-region PrivateLink support. The configure-privatelink-in-cloud-ui page is enhanced with a new subsection that derives cluster domain from bootstrap URLs and includes the shared VPC setup partial, addressing missing security group configuration details previously absent from the Cloud UI flow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• #480: Both PRs add and expand cross-region AWS PrivateLink support with region-specific guidance and configuration updates.
• #407: Both PRs modify AWS PrivateLink VPC setup documentation to include security group rule configuration details.
• #425: Both PRs enhance PrivateLink documentation with DNS domain guidance and introduce shared DNS-related documentation partials.

Suggested reviewers

• c4milo
• paulzhang97
• paulohtb6
• Feediver1

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding client VPC and security group setup guidance to the dedicated PrivateLink documentation.
Linked Issues check	✅ Passed	The PR fulfills all DOC-1871 objectives: adds security group and VPC setup details to the UI doc, includes per-broker port ranges, and ensures consistent documentation between UI and API flows.
Out of Scope Changes check	✅ Passed	All changes directly address DOC-1871 requirements: the new partial, UI doc updates, and API doc refactoring are all within the scope of adding PrivateLink setup guidance.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description provides clear context, links the related Jira issue (DOC-1871), includes page preview links, and explicitly details the changes made (creating a shared partial, adding configuration section to UI docs, replacing inline setup in API docs).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch DOC-1871-AWS-Private-Link-Cloud-UI-flow-docs-missing-security-group-setup-details

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/networking/partials/private-links-aws-client-vpc-setup.adoc`:
- Around line 98-104: The example for creating a subnet uses an AZ ID value
("usw2-az1") with the --availability-zone parameter which expects an AZ name
(e.g., "us-west-2a"); update the snippet around the aws ec2 create-subnet
example so the AZ format and flag match: either replace the example AZ value
with an AZ name (us-west-2a) when using --availability-zone, or change the flag
to --availability-zone-id when keeping the AZ ID example (usw2-az1); ensure the
surrounding text clarifies which format is required and keep references to
REGION, PROFILE, CLIENT_VPC_ID and the resulting subnet_id/create-subnet command
consistent.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

AWS CLI ec2 create-subnet --availability-zone vs --availability-zone-id parameter documentation

💡 Result:

In aws ec2 create-subnet, the two parameters map to the same concept (which zone the subnet is created in), but use different identifiers:

• --availability-zone (AZ name / zone code): “The Availability Zone or Local Zone for the subnet” (for example us-west-2a, or a Local Zone ID like us-west-2-lax-1a). AWS can also choose one if you omit it. [1][2]
• --availability-zone-id (AZ ID / stable zone identifier): “The AZ ID or the Local Zone ID of the subnet” (for example use1-az1). AZ IDs are consistent across AWS accounts, whereas AZ names like us-east-1a can map to different physical locations in different accounts. [1][2][3][4]

To look up AZ names ↔ AZ IDs, use describe-availability-zones (it returns ZoneName and ZoneId). [5][4]

aws ec2 describe-availability-zones \
  --query "AvailabilityZones[].{Name:ZoneName,ID:ZoneId}" --output table

Sources: [1] AWS CLI create-subnet reference, [2] EC2 API CreateSubnet reference, [3] EC2 “AZ ID API support” announcement (Dec 18, 2025), [4] AWS “AZ IDs” documentation, [5] AWS CLI describe-availability-zones reference.

---

🌐 Web query:

AWS availability zone ID format usw2-az1 AZ name us-west-2a

💡 Result:

• AZ ID format: An AZ ID is a stable, account-independent identifier and is formatted as: first 3 letters of the Region code + the Region’s number + -az + a number (e.g., usw2-az1, usw2-az2). [1]
• AZ name vs AZ ID mapping: us-west-2a (AZ name) is not guaranteed to correspond to usw2-az1 (AZ ID)—AZ names like us-west-2a/b/c can be mapped differently per AWS account, while AZ IDs always refer to the same physical zone across accounts. [2][3]
• How to confirm in your account (authoritative):
  aws ec2 describe-availability-zones --region us-west-2 --query "AvailabilityZones[].{Name:ZoneName,ID:ZoneId}" --output table [2]

Sources
[1] AWS Docs – AWS Availability Zones (AZ ID format) (docs.aws.amazon.com)
[2] AWS Docs – AZ IDs (name/ID mapping + CLI) (docs.aws.amazon.com)
[3] AWS Prescriptive Guidance – cross-account AZ name randomization and mapping to AZ IDs (docs.aws.amazon.com)

Citations:

• 1: https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-availability-zones.html?utm_source=openai
• 2: https://docs.aws.amazon.com/global-infrastructure/latest/regions/az-ids.html?utm_source=openai
• 3: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-consistent-availability-zones-in-vpcs-across-different-aws-accounts.html?utm_source=openai

---

Fix AZ example format or parameter to prevent CLI errors.

The example shows usw2-az1 (an Availability Zone ID format) with the --availability-zone parameter, which expects an AZ name like us-west-2a. This mismatch will cause the command to fail. Use one of these approaches:

1. Change the example to an AZ name: Replace usw2-az1 with us-west-2a
2. Change the parameter to match the AZ ID format: Use --availability-zone-id instead of --availability-zone

The AZ ID format (usw2-az1) is account-independent and stable, whereas AZ names (us-west-2a) vary per account. Choose based on your use case and document clearly which format users should provide.

Suggested documentation fix (choose one)

Option 1: Update example to AZ name

-Run the following command, specifying the subnet availability zone (for example, `usw2-az1`):
+Run the following command, specifying the subnet availability zone (for example, `us-west-2a`):

Option 2: Update parameter and description for AZ ID

-Run the following command, specifying the subnet availability zone (for example, `usw2-az1`):
+Run the following command, specifying the subnet availability zone ID (for example, `usw2-az1`):
...
-    --availability-zone <zone> \
+    --availability-zone-id <zone_id> \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/networking/partials/private-links-aws-client-vpc-setup.adoc` around
lines 98 - 104, The example for creating a subnet uses an AZ ID value
("usw2-az1") with the --availability-zone parameter which expects an AZ name
(e.g., "us-west-2a"); update the snippet around the aws ec2 create-subnet
example so the AZ format and flag match: either replace the example AZ value
with an AZ name (us-west-2a) when using --availability-zone, or change the flag
to --availability-zone-id when keeping the AZ ID example (usw2-az1); ensure the
surrounding text clarifies which format is required and keep references to
REGION, PROFILE, CLIENT_VPC_ID and the resulting subnet_id/create-subnet command
consistent.