# Create a BYOVPC Cluster on GCP

---
title: Create a BYOVPC Cluster on GCP
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: cluster-types/byoc/gcp/vpc-byo-gcp
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: cluster-types/byoc/gcp/vpc-byo-gcp.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc
description: Connect Redpanda Cloud to your existing VPC for additional security.
page-git-created-date: "2024-10-24"
page-git-modified-date: "2026-04-21"
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/gcp/vpc-byo-gcp.md -->

> ❗ **IMPORTANT**
>
> BYOVPC/BYOVNet is an add-on feature that requires Premium support. To unlock this feature for your account, contact your Redpanda account team or [Redpanda Sales](https://www.redpanda.com/price-estimator).

A Bring Your Own Virtual Private Cloud (BYOVPC) cluster allows you to deploy the Redpanda [data plane](https://docs.redpanda.com/cloud-data-platform/reference/glossary/#data-plane) into your existing VPC and manage the networking lifecycle. Compared to a standard Bring Your Own Cloud (BYOC) setup, where Redpanda manages the networking lifecycle for you, BYOVPC provides more control. See also: [BYOC architecture](https://docs.redpanda.com/cloud-data-platform/get-started/byoc-arch/).

When you create a BYOVPC cluster, you specify your VPC and service account. The Redpanda Cloud agent doesn’t create any new resources or alter any settings in your account. With BYOVPC:

-   You provide your own VPC in your Google Cloud account.

-   You maintain more control of your Google Cloud account, because Redpanda requires fewer permissions than standard BYOC clusters.

-   You control your security resources and policies, including subnets, service accounts, IAM roles, firewall rules, and storage buckets.


If your clients need to connect from different GCP regions than where your cluster will be deployed, you must enable global access during cluster creation. To create a BYOVPC cluster with global access enabled, see [Enable Global Access](https://docs.redpanda.com/cloud-data-platform/networking/byoc/gcp/enable-global-access/).

## [](#prerequisites)Prerequisites

-   A standalone GCP project is recommended. If your host project (where your VPC project is created) and your service project (where your Redpanda cluster is created) are in different projects, you must first provision a shared VPC in Google Cloud. For more information, see the [Google shared VPC documentation](https://cloud.google.com/vpc/docs/provisioning-shared-vpc).

-   Redpanda creates a private Google Kubernetes Engine (GKE) cluster in your VPC. The subnet and secondary IP ranges you provide must allow public internet access. The configuration requires you to provide reserved CIDR ranges for the subnet and GKE Pods, Services, and master IP addresses. See the [GKE service account documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts) and [Configure your VPC](#configure-your-vpc).

-   Only primary CIDR ranges are supported for the VPC.

-   Redpanda requires access to certain Google APIs, storage buckets, and service accounts. See [Configure the service project](#configure-the-service-project).


### [](#gcp-quotas)GCP quotas

Ensure at least three nodes of headroom in the relevant GCP quotas in the same region as your cluster. During maintenance, Redpanda may temporarily create extra nodes. Quotas such as vCPUs per VM family (for example, N2D) and Local SSD total per VM family (quota key: `LOCAL_SSD_TOTAL_GB_PER_VM_FAMILY`) are listed for each tier on the **Create BYOC cluster** page in the Redpanda Cloud UI.

Headroom formulas:

-   vCPU spare = `3 x (vCPUs per node)`

-   Local SSD spare (GB) = `3 x (Storage size per node in GB)`


For example, with per-node storage **1500 GB** (4 × 375 GB Local SSD) and machine type **n2d-standard-4** (4 vCPUs), keep **4500 GB** Local SSD and **12 vCPUs** of spare quota.

## [](#limitations)Limitations

-   Existing clusters cannot be moved to a BYOVPC cluster.

-   After creating a BYOVPC cluster, you cannot change to a different VPC.


## [](#configure-your-vpc)Configure your VPC

1.  Create the primary and secondary subnets in your VPC using CIDR notation. Redpanda clusters require one subnet, and that subnet should have two secondary IP ranges:

    -   Subnet IP range should be at least /24 CIDR, such as 10.0.0.0/24.

    -   Secondary IP for GKE Pods is a /21 CIDR, such as 10.0.8.0/21.

    -   Secondary IP for GKE Services is a /24 CIDR, such as 10.0.1.0/24.


    Replace all `<placeholders>` with your own values.

    ```bash
    gcloud compute networks subnets create <primary-subnet-name> \
        --project <host-project-id> \
        --network <shared-vpc-name> \
        --range 10.0.0.0/24 \
        --region <region> \
        --secondary-range <secondary-ipv4-range-name-for-pods>=10.0.8.0/21,<secondary-ipv4-range-name-for-services>=10.0.1.0/24
    ```

    Additionally, a /28 CIDR is required for the GKE master IP addresses. You do not create this range in your GCP networking configuration; you enter it in the Redpanda Cloud UI when you create the cluster. For example: 10.0.7.240/28.

2.  To enable egress, create a cloud router and NAT at the host project:

    ```bash
    gcloud compute routers create <router-name> \
       --project <host-project-id> \
       --region <region> \
       --network <shared-vpc-name>

    gcloud compute addresses create <address-name> --project <host-project-id> --region <region>

    gcloud compute routers nats create <nat-config-name> \
       --project <host-project-id> \
       --router <router-name> \
       --region <region> \
       --nat-all-subnet-ip-ranges \
       --nat-external-ip-pool <address-name> \
       --enable-endpoint-independent-mapping
    ```

3.  Create VPC firewall rules.

    -   Redpanda ingress:

        ```bash
        gcloud compute firewall-rules create redpanda-ingress \
          --description="Allow access to Redpanda cluster" \
          --network="<shared-vpc-name>" \
          --project="<host-project-id>" \
          --direction="INGRESS" \
          --target-tags="redpanda-node" \
          --source-ranges="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10" \
          --allow="tcp:9092-9094,tcp:30081,tcp:30082,tcp:30092"
        ```

    -   Master webhooks:

        ```bash
        gcloud compute firewall-rules create gke-redpanda-cluster-webhooks \
          --description="Allow master to hit pods for admission controllers/webhooks" \
          --network="<shared-vpc-name>" \
          --project="<host-project-id>" \
          --direction="INGRESS" \
          --source-ranges="<gke-master-cidr-range>" \
          --allow="tcp:9443,tcp:8443,tcp:6443"
        ```

        Replace `<gke-master-cidr-range>` with the /28 CIDR you reserved for the GKE master IP addresses (the same value you enter in the Redpanda UI). For example: 172.16.0.32/28. For information about the master CIDR, and how to set it using `--master-ipv4-cidr`, see the **gcloud** tab in [Creating a private cluster with no client access to the public endpoint](https://cloud.google.com/kubernetes-engine/docs/how-to/legacy/network-isolation#private_cp).


4.  Grant permission to read the VPC and related resources.

    If the host project and service project are in different projects, it’s helpful for the Redpanda team to have read access to the VPC and related resources in the host project. If your host project and service project are the same, you can skip this step.

    -   Redpanda Agent custom role:

        ```bash
        cat << EOT > redpanda-agent.role
        {
          "name": "redpanda_agent_role",
          "title": "Redpanda Agent Role",
          "description": "A role granting the redpanda agent permissions to view network resources in the project of the vpc.",
          "includedPermissions": [
            "compute.firewalls.get",
            "compute.subnetworks.get",
            "resourcemanager.projects.get",
            "compute.networks.getRegionEffectiveFirewalls",
            "compute.networks.getEffectiveFirewalls"
          ]
        }
        EOT

        gcloud iam roles create redpanda_agent_role --project=<host-project-id> --file redpanda-agent.role
        ```
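A quick check of the address plan before running the commands above, added here as an example and not part of the Redpanda documentation or tooling: it enforces the /24, /21 and /24 minimum sizes from step 1 and the exact /28 master range from step 3, rejects overlapping ranges, and flags a subnet that falls outside the source ranges of the `redpanda-ingress` rule. The `validate_cidr_plan` function and the two sample plans are this example's own assumptions.

```python
import ipaddress

# Minimum sizes from step 1 (a subnet or services range larger than /24, or a pods range
# larger than /21, is fine); GKE needs the master range to be exactly a /28 (step 3).
MIN_PREFIX = {"subnet": 24, "pods": 21, "services": 24}
MASTER_PREFIX = 28

# Source ranges allowed by the redpanda-ingress firewall rule in step 3.
INGRESS_SOURCE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


def validate_cidr_plan(plan):
    """Check a plan {"subnet": cidr, "pods": cidr, "services": cidr, "master": cidr}.

    Returns a list of human-readable problems; an empty list means the plan is
    consistent with the requirements on this page.
    """
    problems = []
    nets = {}
    for name in ("subnet", "pods", "services", "master"):
        cidr = plan.get(name)
        if cidr is None:
            problems.append(f"{name}: range is missing")
            continue
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.0.7.241/28
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"{name}: {cidr!r} is not a valid network ({err})")
            continue
        if net.version != 4:
            problems.append(f"{name}: {cidr} is not an IPv4 range")
            continue
        nets[name] = net

    for name, limit in MIN_PREFIX.items():
        if name in nets and nets[name].prefixlen > limit:
            problems.append(f"{name}: /{nets[name].prefixlen} is smaller than the required /{limit}")
    if "master" in nets and nets["master"].prefixlen != MASTER_PREFIX:
        problems.append(f"master: must be a /{MASTER_PREFIX}, got /{nets['master'].prefixlen}")

    # None of the four ranges may overlap another.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # A subnet outside the ingress rule's source ranges would leave in-VPC clients
    # unable to reach the broker ports that rule opens.
    if "subnet" in nets and not any(nets["subnet"].subnet_of(r) for r in INGRESS_SOURCE_RANGES):
        problems.append(f"subnet: {nets['subnet']} is not inside any redpanda-ingress source range")
    return problems


# Constructed sample plans: the first uses the example values from step 1 and step 3.
GOOD_PLAN = {"subnet": "10.0.0.0/24", "pods": "10.0.8.0/21",
             "services": "10.0.1.0/24", "master": "10.0.7.240/28"}
# Too-small subnet, a pods range that swallows the other three, and a /27 master range.
BAD_PLAN = {"subnet": "10.0.0.0/25", "pods": "10.0.0.0/21",
            "services": "10.0.1.0/24", "master": "10.0.7.0/27"}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_cidr_plan(plan) or "OK")
```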



## [](#configure-the-service-project)Configure the service project

1.  Enable Google APIs in the service project:

    ```bash
    gcloud services enable cloudresourcemanager.googleapis.com --project <service-project-id>
    gcloud services enable dns.googleapis.com --project <service-project-id>
    gcloud services enable secretmanager.googleapis.com --project <service-project-id>
    gcloud services enable compute.googleapis.com --project <service-project-id>
    gcloud services enable iam.googleapis.com --project <service-project-id>
    gcloud services enable storage-api.googleapis.com --project <service-project-id>
    gcloud services enable container.googleapis.com --project <service-project-id>
    gcloud services enable serviceusage.googleapis.com --project <service-project-id>
    ```

2.  Create storage buckets at the service project in the same region as the cluster:

    ```bash
    gcloud storage buckets create gs://<tiered-storage-bucket-name> \
      --location="<region>" \
      --uniform-bucket-level-access

    gcloud storage buckets create gs://<management-storage-bucket-name> \
      --location="<region>" \
      --uniform-bucket-level-access

    gcloud storage buckets update gs://<management-storage-bucket-name> --versioning
    ```

    -   Redpanda uses the tiered storage bucket for writing log segments. This should not be versioned.

    -   Redpanda uses the management storage bucket to store cluster metadata. This can have versioning enabled.


3.  Create service accounts with necessary permissions and roles.

    -   Redpanda Cloud agent service account

        ```bash
        gcloud iam service-accounts create redpanda-agent \
          --display-name="Redpanda Agent Service Account"

        cat << EOT > redpanda-agent.role
        {
          "name": "redpanda_agent_role",
          "title": "Redpanda Agent Role",
          "description": "A role comprising general permissions allowing the agent to manage Redpanda cluster resources.",
          "includedPermissions": [
            "compute.firewalls.get",
            "compute.disks.get",
            "compute.globalOperations.get",
            "compute.instanceGroupManagers.get",
            "compute.instanceGroupManagers.delete",
            "compute.instanceGroups.delete",
            "compute.instances.list",
            "compute.instanceTemplates.delete",
            "compute.networks.getRegionEffectiveFirewalls",
            "compute.networks.getEffectiveFirewalls",
            "compute.projects.get",
            "compute.subnetworks.get",
            "compute.zoneOperations.get",
            "compute.zoneOperations.list",
            "compute.zones.get",
            "compute.zones.list",
            "dns.changes.create",
            "dns.changes.get",
            "dns.changes.list",
            "dns.managedZones.create",
            "dns.managedZones.delete",
            "dns.managedZones.get",
            "dns.managedZones.list",
            "dns.managedZones.update",
            "dns.projects.get",
            "dns.resourceRecordSets.create",
            "dns.resourceRecordSets.delete",
            "dns.resourceRecordSets.get",
            "dns.resourceRecordSets.list",
            "dns.resourceRecordSets.update",
            "iam.roles.get",
            "iam.roles.list",
            "iam.serviceAccounts.actAs",
            "iam.serviceAccounts.get",
            "iam.serviceAccounts.getIamPolicy",
            "resourcemanager.projects.get",
            "resourcemanager.projects.getIamPolicy",
            "serviceusage.services.list",
            "storage.buckets.get",
            "storage.buckets.getIamPolicy",
            "compute.subnetworks.use",
            "compute.instances.use",
            "compute.networks.use",
            "compute.regionOperations.get",
            "compute.serviceAttachments.create",
            "compute.serviceAttachments.delete",
            "compute.serviceAttachments.get",
            "compute.serviceAttachments.list",
            "compute.serviceAttachments.update",
            "compute.forwardingRules.use",
            "compute.forwardingRules.create",
            "compute.forwardingRules.delete",
            "compute.forwardingRules.get",
            "compute.forwardingRules.setLabels",
            "compute.forwardingRules.setTarget",
            "compute.forwardingRules.pscCreate",
            "compute.forwardingRules.pscDelete",
            "compute.forwardingRules.pscSetLabels",
            "compute.forwardingRules.pscSetTarget",
            "compute.forwardingRules.pscUpdate",
            "compute.regionBackendServices.create",
            "compute.regionBackendServices.delete",
            "compute.regionBackendServices.get",
            "compute.regionBackendServices.use",
            "compute.regionNetworkEndpointGroups.create",
            "compute.regionNetworkEndpointGroups.delete",
            "compute.regionNetworkEndpointGroups.get",
            "compute.regionNetworkEndpointGroups.use",
            "compute.regionNetworkEndpointGroups.attachNetworkEndpoints",
            "compute.regionNetworkEndpointGroups.detachNetworkEndpoints",
            "compute.disks.list",
            "compute.disks.setLabels",
            "compute.instanceGroupManagers.update",
            "compute.instances.delete",
            "compute.instances.get",
            "compute.instances.setLabels"
          ]
        }
        EOT

        gcloud iam roles create redpanda_agent_role --project=<service-project-id> --file redpanda-agent.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-agent@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_agent_role"

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-agent@<service-project-id>.iam.gserviceaccount.com" \
          --role="roles/container.admin"

        gcloud storage buckets add-iam-policy-binding gs://<management-storage-bucket-name> \
          --member="serviceAccount:redpanda-agent@<service-project-id>.iam.gserviceaccount.com" \
          --role="roles/storage.objectAdmin"

        # skip this step if host project and service project are the same
        gcloud projects add-iam-policy-binding <host-project-id> \
          --member="serviceAccount:redpanda-agent@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<host-project-id>/roles/redpanda_agent_role"
        ```

    -   Redpanda cluster service account

        ```bash
        cat << EOT > redpanda-cluster.role
        {
          "name": "redpanda_cluster_role",
          "title": "Redpanda Cluster Role",
          "description": "Redpanda Cluster role",
          "includedPermissions": [
            "resourcemanager.projects.get",
            "secretmanager.secrets.get",
            "secretmanager.versions.access"
          ]
        }
        EOT

        gcloud iam service-accounts create redpanda-cluster \
          --display-name="Redpanda Cluster Service Account"

        gcloud storage buckets add-iam-policy-binding gs://<tiered-storage-bucket-name> \
          --member="serviceAccount:redpanda-cluster@<service-project-id>.iam.gserviceaccount.com" \
          --role="roles/storage.objectAdmin"

        gcloud iam roles create redpanda_cluster_role --project=<service-project-id> --file redpanda-cluster.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-cluster@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_cluster_role"
        ```

    -   Redpanda operator service account

        ```bash
        gcloud iam service-accounts create redpanda-operator \
          --display-name="Redpanda Operator Service Account"

        cat << EOT > redpanda-operator.role
        {
          "name": "redpanda_operator_role",
          "title": "Redpanda Operator Role",
          "description": "Redpanda Operator role",
          "includedPermissions": [
            "resourcemanager.projects.get",
            "secretmanager.secrets.get",
            "secretmanager.versions.access"
          ]
        }
        EOT

        gcloud iam roles create redpanda_operator_role --project=<service-project-id> --file redpanda-operator.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-operator@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_operator_role"
        ```

    -   Redpanda Connect service accounts

        ```bash
        # Account used to check for and read secrets, which are required to create Redpanda Connect pipelines.

        gcloud iam service-accounts create redpanda-connect-api \
          --display-name="Redpanda Connect API Service Account"

        cat << EOT > redpanda-connect-api.role
        {
          "name": "redpanda_connect_api_role",
          "title": "Redpanda Connect API Role",
          "description": "Redpanda Connect API role",
          "includedPermissions": [
            "resourcemanager.projects.get",
            "secretmanager.secrets.get",
            "secretmanager.versions.access"
          ]
        }
        EOT

        gcloud iam roles create redpanda_connect_api_role --project=<service-project-id> --file redpanda-connect-api.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-connect-api@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_connect_api_role"
        ```

        ```bash
        # Account used to retrieve secrets and create Redpanda Connect pipelines.

        gcloud iam service-accounts create redpanda-connect \
          --display-name="Redpanda Connect Service Account"

        cat << EOT > redpanda-connect.role
        {
          "name": "redpanda_connect_role",
          "title": "Redpanda Connect Role",
          "description": "Redpanda Connect role",
          "includedPermissions": [
            "resourcemanager.projects.get",
            "secretmanager.versions.access"
          ]
        }
        EOT

        gcloud iam roles create redpanda_connect_role --project=<service-project-id> --file redpanda-connect.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-connect@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_connect_role"
        ```

    -   Redpanda Cloud secret manager

        ```bash
        gcloud iam service-accounts create redpanda-console \
          --display-name="Redpanda Cloud Secret Manager"

        cat << EOT > redpanda-console.role
        {
          "name": "redpanda_console_secret_manager_role",
          "title": "Redpanda Cloud Secret Manager Writer",
          "description": "Redpanda Cloud Secret Manager Writer",
          "includedPermissions": [
            "secretmanager.secrets.get",
            "secretmanager.secrets.create",
            "secretmanager.secrets.delete",
            "secretmanager.secrets.list",
            "secretmanager.secrets.update",
            "secretmanager.versions.add",
            "secretmanager.versions.destroy",
            "secretmanager.versions.disable",
            "secretmanager.versions.enable",
            "secretmanager.versions.list",
            "iam.serviceAccounts.getAccessToken"
          ]
        }
        EOT

        gcloud iam roles create redpanda_console_secret_manager_role --project=<service-project-id> --file redpanda-console.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-console@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_console_secret_manager_role"
        ```

    -   Kafka Connect service account

        ```bash
        gcloud iam service-accounts create redpanda-connectors \
          --display-name="Kafka Connect Service Account"

        cat << EOT > redpanda-connectors.role
        {
          "name": "redpanda_connectors_role",
          "title": "Kafka Connect Custom Role",
          "description": "Kafka Connect custom role",
          "includedPermissions": [
            "resourcemanager.projects.get",
            "secretmanager.versions.access"
          ]
        }
        EOT

        gcloud iam roles create redpanda_connectors_role --project=<service-project-id> --file redpanda-connectors.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-connectors@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_connectors_role"
        ```

    -   Redpanda GKE cluster service account

        ```bash
        gcloud iam service-accounts create redpanda-gke \
          --display-name="Redpanda GKE cluster default node service account"

        cat << EOT > redpanda-gke.role
        {
          "name": "redpanda_gke_utility_role",
          "title": "Redpanda cluster utility node role",
          "description": "Redpanda cluster utility node role",
          "includedPermissions": [
            "artifactregistry.dockerimages.get",
            "artifactregistry.dockerimages.list",
            "artifactregistry.files.get",
            "artifactregistry.files.list",
            "artifactregistry.locations.get",
            "artifactregistry.locations.list",
            "artifactregistry.mavenartifacts.get",
            "artifactregistry.mavenartifacts.list",
            "artifactregistry.npmpackages.get",
            "artifactregistry.npmpackages.list",
            "artifactregistry.packages.get",
            "artifactregistry.packages.list",
            "artifactregistry.projectsettings.get",
            "artifactregistry.pythonpackages.get",
            "artifactregistry.pythonpackages.list",
            "artifactregistry.repositories.downloadArtifacts",
            "artifactregistry.repositories.get",
            "artifactregistry.repositories.list",
            "artifactregistry.repositories.listEffectiveTags",
            "artifactregistry.repositories.listTagBindings",
            "artifactregistry.repositories.readViaVirtualRepository",
            "artifactregistry.tags.get",
            "artifactregistry.tags.list",
            "artifactregistry.versions.get",
            "artifactregistry.versions.list",
            "logging.logEntries.create",
            "logging.logEntries.route",
            "monitoring.metricDescriptors.create",
            "monitoring.metricDescriptors.get",
            "monitoring.metricDescriptors.list",
            "monitoring.monitoredResourceDescriptors.get",
            "monitoring.monitoredResourceDescriptors.list",
            "monitoring.timeSeries.create",
            "cloudnotifications.activities.list",
            "monitoring.alertPolicies.get",
            "monitoring.alertPolicies.list",
            "monitoring.dashboards.get",
            "monitoring.dashboards.list",
            "monitoring.groups.get",
            "monitoring.groups.list",
            "monitoring.notificationChannelDescriptors.get",
            "monitoring.notificationChannelDescriptors.list",
            "monitoring.notificationChannels.get",
            "monitoring.notificationChannels.list",
            "monitoring.publicWidgets.get",
            "monitoring.publicWidgets.list",
            "monitoring.services.get",
            "monitoring.services.list",
            "monitoring.slos.get",
            "monitoring.slos.list",
            "monitoring.snoozes.get",
            "monitoring.snoozes.list",
            "monitoring.timeSeries.list",
            "monitoring.uptimeCheckConfigs.get",
            "monitoring.uptimeCheckConfigs.list",
            "opsconfigmonitoring.resourceMetadata.list",
            "resourcemanager.projects.get",
            "stackdriver.projects.get",
            "stackdriver.resourceMetadata.list",
            "dns.changes.create",
            "dns.changes.get",
            "dns.changes.list",
            "dns.managedZones.list",
            "dns.resourceRecordSets.create",
            "dns.resourceRecordSets.delete",
            "dns.resourceRecordSets.get",
            "dns.resourceRecordSets.list",
            "dns.resourceRecordSets.update",
            "secretmanager.versions.access",
            "stackdriver.resourceMetadata.write",
            "storage.objects.get",
            "storage.objects.list",
            "compute.instances.use",
            "iam.serviceAccounts.getAccessToken",
            "compute.regionNetworkEndpointGroups.create",
            "compute.regionNetworkEndpointGroups.delete",
            "compute.regionNetworkEndpointGroups.get",
            "compute.regionNetworkEndpointGroups.use",
            "compute.regionNetworkEndpointGroups.attachNetworkEndpoints",
            "compute.regionNetworkEndpointGroups.detachNetworkEndpoints"
          ]
        }
        EOT

        gcloud iam roles create redpanda_gke_utility_role --project=<service-project-id> --file redpanda-gke.role

        gcloud projects add-iam-policy-binding <service-project-id> \
          --member="serviceAccount:redpanda-gke@<service-project-id>.iam.gserviceaccount.com" \
          --role="projects/<service-project-id>/roles/redpanda_gke_utility_role"
        ```


4.  Bind the service accounts.

    The account ID of the GCP service account is used to configure service account bindings. This account ID is the local part of the email address for the GCP service account. For example, if the GCP service account is `my-gcp-sa@my-project.iam.gserviceaccount.com`, then the account ID is `my-gcp-sa`.

    -   Redpanda cluster service account

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <redpanda-cluster-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda/rp-<redpanda-cluster-gcp-sa-account-id>]"
        ```

    -   Redpanda operator service account

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <redpanda-operator-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda-system/<redpanda-operator-gcp-sa-account-id>]"
        ```

    -   Redpanda Console service account

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <console-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda/console-<console-gcp-sa-account-id>]"
        ```

    -   Redpanda Connect service accounts

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <redpanda_connect_api-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda-connect/<redpanda_connect_api-gcp-sa-account-id>]"
        ```

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <redpanda_connect-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda-connect/<redpanda_connect-gcp-sa-account-id>]"
        ```

    -   Kafka Connect service account

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <connectors-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda-connectors/connectors-<connectors-gcp-sa-account-id>]"
        ```

    -   Cert-manager and external-DNS service accounts

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <gke-service-account-name>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[cert-manager/cert-manager]"
        gcloud iam service-accounts add-iam-policy-binding <gke-service-account-name>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[external-dns/external-dns]"
        ```

    -   Private Service Connect Controller service account

        ```bash
        gcloud iam service-accounts add-iam-policy-binding <gke-service-account-name>@<service-project-id>.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda-psc/psc-controller]"
        ```
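A post-setup audit for the Workload Identity bindings in this step, added as an example and not part of Redpanda's documentation or tooling. `expected_bindings` derives the GSA-to-KSA pairings from the account IDs and the namespaces shown above; `audit_bindings` compares them with the policy JSON that `gcloud iam service-accounts get-iam-policy <email> --format=json` prints and reports bindings that are missing and, more importantly, Kubernetes service accounts that may impersonate a GSA without being on the list. The project ID and the policy documents are constructed sample data.

```python
import json

WI_ROLE = "roles/iam.workloadIdentityUser"

# (account key, Kubernetes namespace, KSA name pattern) for each binding in this step.
# The cert-manager, external-DNS and PSC controller bindings all go on the GKE node SA.
PAIRINGS = [
    ("cluster", "redpanda", "rp-{id}"),
    ("operator", "redpanda-system", "{id}"),
    ("console", "redpanda", "console-{id}"),
    ("connect_api", "redpanda-connect", "{id}"),
    ("connect", "redpanda-connect", "{id}"),
    ("connectors", "redpanda-connectors", "connectors-{id}"),
    ("gke", "cert-manager", "cert-manager"),
    ("gke", "external-dns", "external-dns"),
    ("gke", "redpanda-psc", "psc-controller"),
]


def expected_bindings(project_id, accounts):
    """Map each GCP service account email to the Workload Identity members it should allow.

    accounts: {"cluster": "<account-id>", "operator": ..., "console": ..., "connect_api": ...,
               "connect": ..., "connectors": ..., "gke": ...}; an account ID is the local
    part of the service account email, as described at the top of this step.
    """
    pool = f"{project_id}.svc.id.goog"
    expected = {}
    for key, namespace, pattern in PAIRINGS:
        account_id = accounts[key]
        gsa = f"{account_id}@{project_id}.iam.gserviceaccount.com"
        ksa = pattern.format(id=account_id)
        expected.setdefault(gsa, set()).add(f"serviceAccount:{pool}[{namespace}/{ksa}]")
    return expected


def audit_bindings(expected, policies):
    """Compare expected members against the service accounts' IAM policies.

    policies: {gsa_email: policy dict} in the JSON shape gcloud prints. Only
    roles/iam.workloadIdentityUser bindings are inspected. Returns (missing, unexpected),
    two sorted lists of (gsa_email, member); anything in `unexpected` is a KSA that can
    impersonate the GSA although this page does not call for it.
    """
    missing, unexpected = [], []
    for gsa in sorted(expected):
        wanted = expected[gsa]
        actual = set()
        for binding in policies.get(gsa, {}).get("bindings", []):
            if binding.get("role") == WI_ROLE:
                actual.update(binding.get("members", []))
        missing.extend((gsa, m) for m in sorted(wanted - actual))
        unexpected.extend((gsa, m) for m in sorted(actual - wanted))
    return missing, unexpected


# Constructed sample: the account IDs match the `gcloud iam service-accounts create`
# names from step 3; the project ID is a placeholder.
SAMPLE_PROJECT = "example-project"
SAMPLE_ACCOUNTS = {
    "cluster": "redpanda-cluster", "operator": "redpanda-operator",
    "console": "redpanda-console", "connect_api": "redpanda-connect-api",
    "connect": "redpanda-connect", "connectors": "redpanda-connectors", "gke": "redpanda-gke",
}
# Constructed policies for two of the accounts; the others have not been retrieved, so
# every binding expected on them is reported as missing.
SAMPLE_POLICIES = {
    "redpanda-cluster@example-project.iam.gserviceaccount.com": json.loads("""
    {"version": 1, "bindings": [
      {"role": "roles/iam.workloadIdentityUser",
       "members": ["serviceAccount:example-project.svc.id.goog[redpanda/rp-redpanda-cluster]"]},
      {"role": "roles/iam.serviceAccountUser", "members": ["user:admin@example.com"]}
    ]}"""),
    "redpanda-gke@example-project.iam.gserviceaccount.com": json.loads("""
    {"version": 1, "bindings": [
      {"role": "roles/iam.workloadIdentityUser",
       "members": ["serviceAccount:example-project.svc.id.goog[cert-manager/cert-manager]",
                   "serviceAccount:example-project.svc.id.goog[external-dns/external-dns]",
                   "serviceAccount:example-project.svc.id.goog[default/default]"]}
    ]}"""),
}

if __name__ == "__main__":
    exp = expected_bindings(SAMPLE_PROJECT, SAMPLE_ACCOUNTS)
    missing, unexpected = audit_bindings(exp, SAMPLE_POLICIES)
    for gsa, member in missing:
        print(f"MISSING    {gsa} <- {member}")
    for gsa, member in unexpected:
        print(f"UNEXPECTED {gsa} <- {member}")
```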



## [](#create-cluster)Create cluster

Log in to the [Redpanda Cloud UI](https://cloud.redpanda.com), and follow the steps to [create a BYOC cluster](https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/gcp/create-byoc-cluster-gcp/), with the following exceptions:

1.  On the **Network** page, select the **BYOVPC** connection type, and enter the network, service account, storage bucket information, and GKE master CIDR range you created.

2.  With customer-managed networks, you must grant yourself (the user deploying the cluster with `rpk`) the following permissions:

    -   `compute.disks.create`

    -   `compute.disks.setLabels`

    -   `compute.instanceGroupManagers.create`

    -   `compute.instanceGroupManagers.delete`

    -   `compute.instanceGroupManagers.get`

    -   `compute.instanceGroups.create`

    -   `compute.instanceGroups.delete`

    -   `compute.instanceTemplates.create`

    -   `compute.instanceTemplates.delete`

    -   `compute.instanceTemplates.get`

    -   `compute.instanceTemplates.useReadOnly`

    -   `compute.instances.create`

    -   `compute.instances.setLabels`

    -   `compute.instances.setMetadata`

    -   `compute.instances.setTags`

    -   `compute.subnetworks.get`

    -   `compute.subnetworks.use`

    -   `compute.zones.list`

    -   `iam.roles.get`

    -   `iam.serviceAccounts.actAs`

    -   `iam.serviceAccounts.get`

    -   `resourcemanager.projects.get`

    -   `resourcemanager.projects.getIamPolicy`

    -   `serviceusage.services.list`

    -   `storage.buckets.get`

    -   `storage.buckets.getIamPolicy`

    -   `storage.objects.create`

    -   `storage.objects.delete`

    -   `storage.objects.get`

    -   `storage.objects.list`


    This can be done through a Google account, a service account, or any principal identity supported by GCP.

    -   If running `rpk` from a Google account, the user must acquire new user credentials to use for [Application Default Credentials](https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login).

    -   If running `rpk` from a service account, the user must create a [service account key](https://cloud.google.com/iam/docs/keys-create-delete#creating), then [export GOOGLE\_APPLICATION\_CREDENTIALS](https://cloud.google.com/docs/authentication/application-default-credentials#GAC) and [set the account as the default in gcloud](https://cloud.google.com/sdk/gcloud/reference/config/set):

        ```bash
        export GOOGLE_APPLICATION_CREDENTIALS=<keyfile for service account>
        gcloud config set account $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com
        ```


3.  To validate your configuration, run:

    ```bash
    rpk cloud byoc gcp apply --redpanda-id='<redpanda-id>' --project-id='<service-project-id>' --validate-only
    ```

4.  Click **Next**.

5.  On the **Deploy** page, log in to Redpanda Cloud and deploy the agent, as you would for a standard BYOC cluster.


> 📝 **NOTE**
>
> Redpanda Cloud does not support customer access or modifications to any of the internal data plane resources. This restriction allows Redpanda Data to manage all configuration changes internally to ensure a 99.99% service level agreement (SLA) for BYOC clusters.

## [](#delete-cluster)Delete cluster

You can delete the cluster in the Cloud UI.

1.  Log in to [Redpanda Cloud](https://cloud.redpanda.com).

2.  Select your cluster.

3.  Go to the **Dataplane settings** page and click **Delete**, then confirm your deletion.


## [](#manage-custom-resource-labels-and-network-tags)Manage custom resource labels and network tags

Your organization might require custom resource labels and network tags for cost allocation, audit compliance, or governance policies. After cluster creation, you can manage this with the [Cloud Control Plane API](https://docs.redpanda.com/cloud-data-platform/manage/api/cloud-byoc-controlplane-api/). The Control Plane API allows up to 16 custom resource labels and network tags in GCP.

Make sure you have:

-   The cluster ID. You can find this in the Redpanda Cloud UI, in the **Details** section of the cluster overview.

-   A valid bearer token for the Cloud Control Plane API. For details, see [Authenticate to the API](https://docs.redpanda.com/api/doc/cloud-controlplane/authentication).


> ❗ **IMPORTANT**
>
> To unlock this feature for your account, contact [Redpanda Support](https://support.redpanda.com/hc/en-us/requests/new).

1.  To refresh agent permissions so the Redpanda agent can update labels and network tags, run:

    ```bash
    export CLUSTER_ID="<cluster-id>"
    export PROJECT_ID="<gcp-project-id>"

    rpk cloud byoc gcp apply --redpanda-id="$CLUSTER_ID" --project-id="$PROJECT_ID"
    ```

    This step is required because label/tag management requires additional IAM permissions that may not have been granted during initial cluster creation:

    -   `compute.disks.get`

    -   `compute.disks.list`

    -   `compute.disks.setLabels`

    -   `compute.instances.setLabels`


2.  To update labels and network tags, invoke the Cloud API.

    First, set your authentication token:

    ```bash
    export AUTH_TOKEN="<your-bearer-token>"
    ```

    The `PATCH` call sets the labels and network tags specified under `"cloud_provider_tags"`. The map you send replaces the existing labels and tags in full, so include every label and tag you want to keep. To remove a single entry, omit it from the map.

    ```bash
    cluster_patch_body=$(cat <<'JSON'
    {
      "cloud_provider_tags": {
        "environment": "production",
        "cost-center": "engineering",
        "gcp.network-tag.web-servers": "true",
        "gcp.network-tag.database-access": "true"
      }
    }
    JSON
    )

    curl -X PATCH "https://api.redpanda.com/v1/clusters/$CLUSTER_ID" \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer $AUTH_TOKEN" \
       -d "$cluster_patch_body"
    ```

    To remove all labels and network tags, send an empty `cloud_provider_tags` object:

    ```bash
    cluster_patch_body='{"cloud_provider_tags": {}}'

    curl -X PATCH "https://api.redpanda.com/v1/clusters/$CLUSTER_ID" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $AUTH_TOKEN" \
      -d "$cluster_patch_body"
    ```


> 📝 **NOTE**
>
> For BYOVPC clusters, custom labels are not applied to the resources you deploy and manage yourself (the VPC, subnets, service accounts, and storage bucket).
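Because the `PATCH` replaces the whole map, a safe way to change one entry is read-modify-write: fetch the current tags, merge your change, enforce the 16-entry limit, then send the full result. The following is an added example (not part of the Redpanda docs or `rpk`); it assumes that `GET /v1/clusters/<id>` returns the current map under `cloud_provider_tags`, and it treats keys prefixed `gcp.network-tag.` as network tags, as in the request body above.

```python
import json
import urllib.request

API = "https://api.redpanda.com/v1/clusters"
MAX_TAGS = 16                          # Control Plane API limit for GCP
NETWORK_TAG_PREFIX = "gcp.network-tag."


def merge_tags(current: dict, add: dict, remove=()) -> dict:
    """Return the complete map the PATCH must carry.

    PATCH replaces the existing map, so any key absent from the
    result is deleted on the cluster. Raises if the merged map
    exceeds the 16-entry limit.
    """
    drop = set(remove)
    merged = {k: v for k, v in current.items() if k not in drop}
    merged.update(add)
    if len(merged) > MAX_TAGS:
        raise ValueError(f"{len(merged)} entries exceed the limit of {MAX_TAGS}")
    return merged


def split_tags(tags: dict):
    """Separate plain resource labels from network tag names."""
    labels = {k: v for k, v in tags.items() if not k.startswith(NETWORK_TAG_PREFIX)}
    network = sorted(k[len(NETWORK_TAG_PREFIX):] for k in tags if k.startswith(NETWORK_TAG_PREFIX))
    return labels, network


def patch_body(tags: dict) -> str:
    """Serialise the full map in the shape the API expects."""
    return json.dumps({"cloud_provider_tags": tags})


def _request(method, cluster_id, token, body=None):
    req = urllib.request.Request(f"{API}/{cluster_id}", method=method, data=body)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:       # network call; not run in tests
        return json.load(resp)


def update_cluster_tags(cluster_id, token, add, remove=()):
    """Read-modify-write: GET current tags (assumed field), PATCH merged map."""
    current = _request("GET", cluster_id, token).get("cloud_provider_tags", {})
    merged = merge_tags(current, add, remove)
    return _request("PATCH", cluster_id, token, patch_body(merged).encode())
```

`update_cluster_tags("<cluster-id>", "<bearer-token>", {"environment": "production"}, remove=["team"])` changes one label and deletes another while preserving every other existing label and network tag.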

## [](#next-steps)Next steps

[Configure private networking](https://docs.redpanda.com/cloud-data-platform/networking/byoc/gcp/)