From a21ca36adbeb5250f64fd95e3abee24714201e64 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Fri, 13 Dec 2024 12:23:26 -0700 Subject: [PATCH] DOC-486 Azure VPC peering (#129) * DOC-486 Azure VPC peering * minor edit * Update modules/get-started/pages/whats-new-cloud.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> * Update modules/networking/pages/dedicated/azure/vnet-peering.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> * Update modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> * Update modules/networking/pages/dedicated/azure/vnet-peering.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> * Update modules/networking/pages/dedicated/azure/vnet-peering.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> * minor edits * use env variables for examples * change VNet to VPC in title * minor edit * edit TOC --------- Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/ROOT/nav.adoc | 7 +- .../get-started/pages/whats-new-cloud.adoc | 4 + .../networking/pages/dedicated/aws/index.adoc | 2 +- .../dedicated/{ => aws}/vpc-peering.adoc | 11 +-- .../pages/dedicated/azure/index.adoc | 4 + .../pages/dedicated/azure/vnet-peering.adoc | 99 +++++++++++++++++++ .../networking/pages/dedicated/gcp/index.adoc | 2 +- .../pages/dedicated/gcp/vpc-peering-gcp.adoc | 48 +++++++++ 8 files changed, 166 insertions(+), 11 deletions(-) rename modules/networking/pages/dedicated/{ => aws}/vpc-peering.adoc (81%) create mode 100644 modules/networking/pages/dedicated/azure/index.adoc create mode 100644 modules/networking/pages/dedicated/azure/vnet-peering.adoc create mode 100644 modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index bb59de34..2a36a192 100644 --- a/modules/ROOT/nav.adoc 
+++ b/modules/ROOT/nav.adoc @@ -38,12 +38,15 @@ **** xref:networking:configure-private-service-connect-in-cloud-ui.adoc[Configure Private Service Connect in the Cloud UI] **** xref:networking:gcp-private-service-connect.adoc[Configure Private Service Connect with the Cloud API] ** xref:networking:dedicated/index.adoc[Dedicated] -*** xref:networking:dedicated/vpc-peering.adoc[Add a Peering Connection] *** xref:networking:dedicated/aws/index.adoc[AWS] +**** xref:networking:dedicated/aws/vpc-peering.adoc[Add a Peering Connection] **** xref:networking:configure-privatelink-in-cloud-ui.adoc[Configure PrivateLink in the Cloud UI] **** xref:networking:aws-privatelink.adoc[] -*** xref:networking:azure-private-link.adoc[Azure (Private Link)] +*** xref:networking:dedicated/azure/index.adoc[Azure] +**** xref:networking:dedicated/azure/vnet-peering.adoc[Add a Peering Connection] +**** xref:networking:azure-private-link.adoc[] *** xref:networking:dedicated/gcp/index.adoc[GCP] +**** xref:networking:dedicated/gcp/vpc-peering-gcp.adoc[Add a Peering Connection] **** xref:networking:configure-private-service-connect-in-cloud-ui.adoc[Configure Private Service Connect in the Cloud UI] **** xref:networking:gcp-private-service-connect.adoc[Configure Private Service Connect with the Cloud API] diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 2d642c3a..57e836ba 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -9,6 +9,10 @@ This page lists new features added in Redpanda Cloud. == December 2024 +=== VPC peering for Dedicated clusters on Azure + +Redpanda now supports xref:networking:dedicated/azure/vnet-peering.adoc[virtual network (VNet) peering] for Dedicated clusters on Azure. + === Support for additional regions For xref:reference:tiers/byoc-tiers.adoc#byoc-supported-regions[BYOC clusters], Redpanda added support for the following regions: 
diff --git a/modules/networking/pages/dedicated/aws/index.adoc b/modules/networking/pages/dedicated/aws/index.adoc index 218197b3..12d5b260 100644 --- a/modules/networking/pages/dedicated/aws/index.adoc +++ b/modules/networking/pages/dedicated/aws/index.adoc @@ -1,4 +1,4 @@ = AWS -:description: Learn how to configure networking for Dedicated clusters on AWS. +:description: Learn how to configure private networking for Dedicated clusters on AWS. :page-layout: index :page-categories: Networking \ No newline at end of file diff --git a/modules/networking/pages/dedicated/vpc-peering.adoc b/modules/networking/pages/dedicated/aws/vpc-peering.adoc similarity index 81% rename from modules/networking/pages/dedicated/vpc-peering.adoc rename to modules/networking/pages/dedicated/aws/vpc-peering.adoc index b2153883..632dc8ca 100644 --- a/modules/networking/pages/dedicated/vpc-peering.adoc +++ b/modules/networking/pages/dedicated/aws/vpc-peering.adoc @@ -1,6 +1,6 @@ = Add a Dedicated VPC Peering Connection :description: Use the Redpanda Cloud UI to set up VPC peering. -:page-aliases: cloud:vpc-peering.adoc, deploy:deployment-option/cloud/vpc-peering.adoc +:page-aliases: cloud:vpc-peering.adoc, deploy:deployment-option/cloud/vpc-peering.adoc, networking:dedicated/vpc-peering.adoc A VPC peering connection is a networking connection between two VPCs. This connection allows the VPCs to communicate with each other as if they were within the same network. A route table routes traffic between the two VPCs using private IPv4 addresses. 
@@ -10,7 +10,7 @@ When you select a network for deploying your Redpanda Dedicated cluster, you hav == Prerequisites -* *VPC network*: VPC peering is supported in AWS and GCP. This page describes the steps for AWS. Before you set up a peering connection in the Redpanda Cloud UI, you must have a VPC in your own account for Redpanda's VPC to connect to. If you do not already have a VPC, log in to the AWS VPC Console and create one. +* *VPC network*: Before you set up a peering connection in the Redpanda Cloud UI, you must have a VPC in your own account for Redpanda's VPC to connect to. If you do not already have a VPC, log in to the AWS VPC Console and create one. * *Matching region*: VPC peering connections can only be established between networks created in the *same region*. Redpanda Cloud does not support inter-region VPC peering connections. * *Non-overlapping CIDR blocks*: The CIDR block for your VPC network cannot match or overlap with the CIDR block for the Redpanda Cloud VPC. @@ -22,11 +22,8 @@ To create a peering connection between your VPC and Redpanda's VPC: . In the Redpanda Cloud UI, go to the *Overview* page for your cluster. . In the Details section, click the name of the Redpanda network. -. On the *Network* page, click *+Add peering connection*. -. In *Connection name*, enter a name for the connection. -+ -For example, the name might refer to the VPC ID of the VPC you created in AWS. - +. On the *Network* page, click *+ Add peering connection*. +. In *Connection name*, enter a name. For example, the name might refer to the VPC ID of the VPC you created in AWS. . In *AWS account number*, enter the account number associated with the VPC you want to connect to. . In *AWS VPC ID*, enter the VPC ID by copying it from the AWS VPC Console. . Click *Create peering connection*. diff --git a/modules/networking/pages/dedicated/azure/index.adoc b/modules/networking/pages/dedicated/azure/index.adoc new file mode 100644 index 00000000..e3972df3 --- /dev/null 
+++ b/modules/networking/pages/dedicated/azure/index.adoc @@ -0,0 +1,4 @@ += Azure +:description: Learn how to configure private networking for Dedicated clusters on Azure. +:page-layout: index +:page-categories: Networking \ No newline at end of file diff --git a/modules/networking/pages/dedicated/azure/vnet-peering.adoc b/modules/networking/pages/dedicated/azure/vnet-peering.adoc new file mode 100644 index 00000000..255bf510 --- /dev/null +++ b/modules/networking/pages/dedicated/azure/vnet-peering.adoc 
@@ -0,0 +1,99 @@ += Add a Dedicated VPC Peering Connection +:description: Use the Redpanda Cloud UI to set up VNet peering. + +When you deploy a Dedicated cluster, you have the option to select private networking. Virtual network (VNet) peering connects your Azure VNet to the Redpanda Cloud VPC, allowing them to communicate with each other as if they were within the same network. + +NOTE: With VNet peering, traffic is _not_ routed over the public internet. + +Because Azure does not allow you to initiate a peering against another tenant without having delegated access to that tenant, Redpanda must first create a multi-tenant Entra ID Enterprise application with a service principal attached to that application in Redpanda's tenant. The Redpanda Cloud UI provides this application ID. You must create a service principal on your tenant with that application ID, and attach a role to that service principal. Redpanda can then initiate the peering. + +Creating a VNet peering involves the following steps: + +. Create a peering connection in the Redpanda Cloud UI. +. Create a service principal with the provided application ID in Azure Cloud Shell. +. Assign a set of roles to the service principal in Azure Cloud Shell. + +== Prerequisites + +* *Azure VNet*: Before setting up a peering connection in the Redpanda Cloud UI, you must have an Azure VNet in your own account for Redpanda's VPC to connect to. +* *Matching region*: Peering connections can only be established between networks created in the *same region*. Redpanda Cloud does not support inter-region peering connections. +* *Non-overlapping CIDR blocks*: The CIDR block (address space) for your VNet cannot match or overlap with the CIDR block for the Redpanda Cloud VPC. ++ +TIP: Consider adding `rp` at the beginning of the VNet name to indicate that this VNet is for deploying a Redpanda cluster. 
+ +== Create a peering connection in Redpanda Cloud + +To create a peering connection between your Azure VNet and Redpanda VPC: + +. In the Redpanda Cloud UI, go to the *Overview* page for your cluster. +. In the Details section, click the name of the *Redpanda network*. +. On the *Network* page for your cluster, click *+ Add peering connection*. +. For *Connection name*, enter a name. For example, the name could refer to your Azure VNet ID. +. For *Azure account number*, enter the account number associated with the VNet you want to connect to. +. For *Azure VNet ID*, enter the VNet ID. +. Click *Create peering connection*. + +NOTE: In the Redpanda Cloud UI, Redpanda provides the *application ID* for the multi-tenant application it created with a service principal attached to it in Redpanda's tenant. + +== Create a service principal in Azure Cloud Shell + +Create a service principal on your tenant tied to the *application ID*. This is public across tenants. + +In the Azure Cloud Shell: + +. Create a service principal with the provided application ID. +. Assign a set of roles to the service principal. ++ +Redpanda creates the service principal with a role assignment that allows it Network Contributor access to the Redpanda tenant and subscription scoped to the cluster's network, but you may choose a custom role that is less broad, and scoped to your network. ++ +Example for Network Contributor role: ++ +```bash +# Set environment variables. +export RP_RESOURCE_GROUP_ID= +export AZURE_VNET_ID= + +# Create service principal and get its ID. +> spid=$(az ad sp create –id --query "id" -o tsv + +# Assign the role to the service principal using the environment variables. +# The assignee is the ID created above. 
+> az role assignment create \ + –-assignee $spid \ + --role "Network Contributor" + --scope /subscriptions//resourceGroups/$RP_RESOURCE_GROUP_ID/providers/Microsoft.Network/virtualNetworks/$AZURE_VNET_ID +``` ++ +Example for custom role with scoped permissions for peering: ++ +```bash +# Set environment variables. +export RP_RESOURCE_GROUP_ID= +export AZURE_VNET_ID= + +# Create service principal and get its ID. +> spid=$(az ad sp create –id --query "id" -o tsv) + +# Create custom role definition for Redpanda peering role and get its ID. +> rdid=$(az role definition create --role-definition '{ + "Name": "Redpanda Peering Role", + "Description": "Peers networks to Redpanda networks.", + "Actions": [ +"Microsoft.Network/virtualNetworks/peer/action", +"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", +"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", +"Microsoft.ClassicNetwork/virtualNetworks/peer/action”, +"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete" + ], + "AssignableScopes": ["/subscriptions//..."] +}' --query "name" -o tsv) + +# Assign the role to the service principal using the environment variables. +# The assignee is the ID created above. +> az role assignment create \ + --assignee $spid \ + --role $rdid \ + --scope /subscriptions//resourceGroups/$RP_RESOURCE_GROUP_ID/providers/Microsoft.Network/virtualNetworks/$AZURE_VNET_ID +``` + +Redpanda polls with the application to try to access the customer tenant. When access is available, it initiates the peering API calls. After you create the service principal, the API calls use the application to create the peering on the Redpanda network and then the peering on the Azure network. diff --git a/modules/networking/pages/dedicated/gcp/index.adoc b/modules/networking/pages/dedicated/gcp/index.adoc index 3ccf0b9f..660175bc 100644 --- a/modules/networking/pages/dedicated/gcp/index.adoc +++ b/modules/networking/pages/dedicated/gcp/index.adoc 
@@ -1,4 +1,4 @@ = GCP -:description: Learn how to configure networking for Dedicated clusters on GCP. +:description: Learn how to configure private networking for Dedicated clusters on GCP. :page-layout: index :page-categories: Networking \ No newline at end of file diff --git a/modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc b/modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc new file mode 100644 index 00000000..8a300deb --- /dev/null +++ b/modules/networking/pages/dedicated/gcp/vpc-peering-gcp.adoc 
@@ -0,0 +1,48 @@ += Add a Dedicated VPC Peering Connection +:description: Use the Redpanda Cloud UI to set up VPC peering. + +*Update for GCP* + +A VPC peering connection is a networking connection between two VPCs. This connection allows the VPCs to communicate with each other as if they were within the same network. A route table routes traffic between the two VPCs using private IPv4 addresses. + +NOTE: Traffic is _not_ routed over the public internet. + +When you select a network for deploying your Redpanda Dedicated cluster, you have the option to select a private connection with VPC peering. The VPC peering connection connects your VPC to the Redpanda Cloud VPC. + +== Prerequisites + +* *VPC network*:Before setting up a peering connection in the Redpanda Cloud UI, you must have a VPC in your own account for Redpanda's VPC to connect to. +* *Matching region*: VPC peering connections can only be established between networks created in the *same region*. Redpanda Cloud does not support inter-region VPC peering connections. +* *Non-overlapping CIDR blocks*: The CIDR block for your VPC network cannot match or overlap with the CIDR block for the Redpanda Cloud VPC. + +TIP: Consider adding `rp` at the beginning of the VPC name to indicate that this VPC is for deploying a Redpanda cluster. + +== Create a peering connection + +To create a peering connection between your VPC and Redpanda's VPC: + +. In the Redpanda Cloud UI, go to the *Overview* page for your cluster. +. In the Details section, click the name of the Redpanda network. +. On the *Network* page, click *+ Add peering connection*. +. In *Connection name*, enter a name for the connection. ++ +For example, the name might refer to the VPC ID of the VPC you created in GCP. + +. In *GCP account number*, enter the account number associated with the VPC you want to connect to. +. In *GCP VPC ID*, enter the VPC ID. +. Click *Create peering connection*. 
+ +== Accept the peering connection request + +Redpanda sends a peering request to the GCP. You must accept the request from the Redpanda VPC to set up the peering connection. + +. Log in to GCP. +. Select the region where the VPC was created. +. From the navigation menu, select *Peering Connections*. +. Under *Requester VPC*, select the VPC you created for use with Redpanda. ++ +The status should say "Pending acceptance". + +. Open the *Actions* menu and select *Accept Request*. +. In the confirmation dialog box, verify that the requester owner ID corresponds to the Redpanda account, and select *Yes, Accept*. +. In the next confirmation dialog box, select *Modify my route tables now*. \ No newline at end of file
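Review bot: the two `bash` examples in the `vnet-peering.adoc` hunk will not run as pasted. In the Network Contributor example the line `spid=$(az ad sp create –id --query "id" -o tsv` is missing its closing parenthesis; both examples use an en dash in `–id` (and `–-assignee` in the first role assignment) where `--id` and `--assignee` are required; `--role "Network Contributor"` has no trailing backslash, so `--scope` is parsed as a separate command; and the custom role JSON has a curly closing quote after `Microsoft.ClassicNetwork/virtualNetworks/peer/action”`, which makes the role definition invalid JSON. The `> ` prompt prefix on some lines but not on the `export` lines should also go, because a reader who copies the block gets a shell redirection instead of a command. Suggest giving `--id` an explicit placeholder such as `<application-id-from-cloud-ui>` and adding a matching `export AZURE_SUBSCRIPTION_ID=` so the `/subscriptions//resourceGroups/...` scope does not ship with an empty subscription segment; `--assignee-object-id $spid --assignee-principal-type ServicePrincipal` is also preferable to `--assignee $spid`, since it avoids the Graph lookup that can fail immediately after the principal is created. On the prose: "Azure account number" is not an Azure concept (subscriptions and tenants have IDs), so please state which ID the UI field expects, and say what form the "Azure VNet ID" takes (the VNet name versus the full resource ID); "This is public across tenants." should say what is public (the application ID, presumably); and "Redpanda creates the service principal with a role assignment..." contradicts the step above it, where the customer creates the principal. Because this role assignment grants an application from another tenant write access inside the customer's subscription, the page should state plainly that the custom role scoped to the single VNet is the least-privilege option, that `virtualNetworkPeerings/delete` is only needed if Redpanda is expected to tear the peering down, and that the application ID should be checked against the one displayed in the Cloud UI before `az ad sp create` is run.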
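Review bot: the "Accept the peering connection request" section in the `vpc-peering-gcp.adoc` hunk describes the AWS console rather than GCP. GCP VPC networks are global, so there is no region to select; the console page is "VPC network peering", not "Peering Connections"; and GCP has no accept/reject request flow: a peering becomes active only once each side has created a matching peering configuration naming the other project and network, so "Requester VPC", "Pending acceptance", "requester owner ID", "Yes, Accept" and "Modify my route tables now" are AWS UI strings a GCP user will never see. Please rewrite the section around creating the peering in the customer's project (console or `gcloud compute networks peerings create ... --peer-project ... --peer-network ...`) with the Redpanda project and network name supplied by the Cloud UI. Smaller points in the same hunk: the `*Update for GCP*` line reads as a leftover draft marker and should be removed; `* *VPC network*:Before` is missing a space after the colon; "GCP account number" and "GCP VPC ID" should name the identifiers actually meant, since GCP identifies networks by project ID and network name; "Redpanda sends a peering request to the GCP" should drop "the"; and the file ends without a trailing newline.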