@micheleRP micheleRP commented Oct 1, 2025

Description

This pull request adds doc about DNS resolution when using AWS PrivateLink with Redpanda Cloud clusters. The changes clarify how PrivateLink affects DNS behavior and provide step-by-step guidance for configuring DNS forwarding, ensuring reliable cluster connectivity.

  • Added a new section, DNS resolution with PrivateLink, to both the AWS PrivateLink and Cloud UI configuration guides, explaining how PrivateLink changes DNS behavior and the need to review DNS setup before connecting clients. [1] [2]
  • Introduced a reusable partial, dns_resolution.adoc, detailing how to identify your cluster domain, locate the Amazon-provided DNS resolver, and configure Route 53 forwarding rules for cross-VPC or on-premises access.

Resolves https://redpandadata.atlassian.net/browse/DOC-1678
Review deadline:

Page previews

Configure AWS PrivateLink in the Cloud UI
Configure AWS PrivateLink with the Cloud API

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

@micheleRP micheleRP requested a review from a team as a code owner October 1, 2025 19:46

netlify bot commented Oct 1, 2025

Deploy Preview for rp-cloud ready!

Name Link
🔨 Latest commit 2d390fe
🔍 Latest deploy log https://app.netlify.com/projects/rp-cloud/deploys/68e9510f67160e000872b67d
😎 Deploy Preview https://deploy-preview-425--rp-cloud.netlify.app

To edit notification comments on pull requests, go to your Netlify project configuration.

coderabbitai bot commented Oct 1, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Adds a new DNS resolution section for AWS PrivateLink and a new partial file modules/networking/partials/dns_resolution.adoc describing how PrivateLink affects DNS for cluster hostnames. Documents using cluster_domain and the Amazon-provided resolver address (the .2 address in the endpoint subnet), conditional forwarding and Route 53 inbound resolver setups for cross-VPC and on‑prem resolution, and examples/commands for enabling PrivateLink on new and existing clusters (including BIYOC-specific VPC notes). The new DNS section is included into configure-privatelink-in-cloud-ui.adoc before the existing "Enable endpoint service for existing clusters" section.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor User as Client (outside endpoint subnet)
    participant MainDNS as Main DNS (corp/VPC DNS)
    participant Fwd as Conditional Forwarder (cluster_domain)
    participant AWSR53 as Amazon-provided DNS (endpoint subnet .2)
    participant PL as PrivateLink Endpoint -> Redpanda Cluster

    Note over User,PL: DNS resolution with PrivateLink

    User->>MainDNS: Resolve broker.seed.cluster_domain
    alt forwarder exists
        MainDNS->>Fwd: Forward query for cluster_domain
        Fwd->>AWSR53: Query forwarded to Amazon resolver
        AWSR53-->>Fwd: Return endpoint-specific IPs
        Fwd-->>MainDNS: Response
        MainDNS-->>User: Endpoint IPs
        User->>PL: Connect to endpoint IPs
        PL-->>User: Connection established
    else no forwarder
        MainDNS-->>User: Returns private broker IPs (non-routable)
        User-xPL: Connection fails
    end

    Note right of Fwd: Configure conditional forward to AWS resolver (.2) for cluster_domain
sequenceDiagram
    autonumber
    actor OnPrem as On‑prem Client
    participant OnPremDNS as On‑prem DNS
    participant R53Inbound as Route 53 Inbound Resolver (endpoint VPC)
    participant Assoc as VPC Associations / Forwarding Rules
    participant PL as PrivateLink Endpoint -> Redpanda

    Note over OnPrem,PL: Cross-network resolution via Route 53 inbound resolver

    OnPrem->>OnPremDNS: Resolve *.cluster_domain
    OnPremDNS->>R53Inbound: Forward per forwarding rule / peering
    R53Inbound-->>OnPremDNS: Return endpoint-specific targets (.2 responses)
    OnPremDNS-->>OnPrem: Targets returned
    OnPrem->>PL: Connect to PrivateLink endpoint
    PL-->>OnPrem: Connection established

    Note right of Assoc: Associate forwarding rules with target VPCs or on‑prem networks

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • c4milo
  • paulzhang97
  • david-yu
  • Feediver1

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
Check name | Status | Explanation | Resolution
Title Check | ⚠️ Warning | The current title “DOC-1678 DNS forwarding” references the issue number and the general concept of DNS forwarding but is overly generic and does not clearly convey that the changes specifically introduce DNS resolution and conditional forwarding guidance for AWS PrivateLink in Redpanda Cloud documentation. | Please update the title to concisely specify the main change and its context, for example: “Add DNS resolution and conditional forwarding guidance for AWS PrivateLink.”
Description Check | ⚠️ Warning | The description includes the required “## Description,” “Resolves,” “Review deadline,” “## Page previews,” and “## Checks” sections, but it links to a JIRA issue rather than the repository’s GitHub issue URL and leaves the “Review deadline” blank, which deviates from the template’s requirements. | Link the pull request to the correct GitHub issue (e.g., https://github.com/redpanda-data/documentation-private/issues/1678) under “Resolves” and provide an actual date for the “Review deadline” field.
✅ Passed checks (3 passed)
Check name | Status | Explanation
Linked Issues Check | ✅ Passed | The documentation additions fully implement the objectives of DOC-1678 by explaining how AWS PrivateLink endpoints are registered in internal DNS, clarifying that off-subnet lookups return unreachable private IPs, instructing customers to configure conditional forwarding for the cluster domain, and providing the actionable resolver address pattern (a.b.c.2) matching the subnet’s base address.
Out of Scope Changes Check | ✅ Passed | All changes are directly related to DNS resolution and forwarding in the context of AWS PrivateLink and conform to the linked issue’s scope, with no unrelated or extraneous modifications introduced.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

Comment @coderabbitai help to get the list of available commands and usage tips.
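
The resolution flow in the walkthrough above, as an added example that is not part of this pull request or of Redpanda's documentation: it derives the resolver address the walkthrough calls "the .2 address in the endpoint subnet", renders a conditional forwarder for the cluster domain in Unbound syntax, and classifies a DNS answer into the two branches of the first sequence diagram. The function names, the domain `cluster.example.internal` and all CIDRs and IPs are constructed; treating "base address plus two" as the rule for subnets other than /24 is a generalization of the page's a.b.c.2 pattern.

```python
import ipaddress

def amazon_resolver(endpoint_subnet_cidr: str) -> str:
    """Subnet base address plus two (the page's a.b.c.2 pattern)."""
    # strict=True rejects a CIDR with host bits set, e.g. 10.20.1.5/24.
    net = ipaddress.ip_network(endpoint_subnet_cidr, strict=True)
    # AWS subnets are IPv4 blocks between /16 and /28.
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError(f"not a valid AWS IPv4 subnet: {endpoint_subnet_cidr}")
    return str(net.network_address + 2)

def unbound_forward_zone(cluster_domain: str, endpoint_subnet_cidr: str) -> str:
    """Conditional forwarder: only cluster_domain goes to the Amazon resolver."""
    name = cluster_domain.strip().rstrip(".").lower() + "."
    return (
        "forward-zone:\n"
        f'    name: "{name}"\n'
        f"    forward-addr: {amazon_resolver(endpoint_subnet_cidr)}\n"
    )

def classify_answer(answer_ips, endpoint_subnet_cidrs) -> str:
    """'endpoint' if every returned IP sits in an endpoint subnet,
    'not-endpoint' if any does not (the 'no forwarder' branch)."""
    if not answer_ips:
        return "no-answer"
    nets = [ipaddress.ip_network(c) for c in endpoint_subnet_cidrs]
    for ip in answer_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            return "not-endpoint"
    return "endpoint"

if __name__ == "__main__":
    # Constructed sample values, not taken from the pull request.
    subnet = "10.20.1.0/24"
    print(unbound_forward_zone("cluster.example.internal", subnet))
    # Answer seen through the forwarder vs. answer seen without it.
    print(classify_answer(["10.20.1.17", "10.20.1.33"], [subnet]))
    print(classify_answer(["10.99.0.5"], [subnet]))
```

Feed `classify_answer` the A records a client actually receives (for example from `dig +short`) to tell whether its DNS path reaches the forwarder before debugging the PrivateLink connection itself.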

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5d5deed and a05c229.

📒 Files selected for processing (3)
  • modules/networking/pages/aws-privatelink.adoc (3 hunks)
  • modules/networking/pages/configure-privatelink-in-cloud-ui.adoc (1 hunks)
  • modules/networking/partials/dns_resolution.adoc (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Redirect rules - rp-cloud
  • GitHub Check: Header rules - rp-cloud
  • GitHub Check: Pages changed - rp-cloud
🔇 Additional comments (1)
modules/networking/pages/configure-privatelink-in-cloud-ui.adoc (1)

26-29: Nice placement for the shared DNS guidance.

Dropping the reusable partial here keeps the UI guide in sync with the API doc without duplicating text.

coderabbitai bot commented Oct 1, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@paulzhang97

LGTM. Thank you.

@micheleRP micheleRP merged commit a632ef1 into main Oct 13, 2025
5 checks passed
@micheleRP micheleRP deleted the DOC-1678-Include-something-about-DNS-when-using-PrivateLink branch October 13, 2025 14:49