# Enable Global Access

---
title: Enable Global Access
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: byoc/gcp/enable-global-access
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: byoc/gcp/enable-global-access.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/networking/pages/byoc/gcp/enable-global-access.adoc
description: Learn how to enable global access for new BYOC and BYOVPC clusters on GCP.
page-git-created-date: "2025-08-13"
page-git-modified-date: "2025-08-20"
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/networking/byoc/gcp/enable-global-access.md -->

By default, the seed load balancer for a cluster on GCP only accepts connections from the same region where the cluster is deployed. In Redpanda Cloud, the seed load balancer is the bootstrap server address you configure in your clients. If your Redpanda Cloud clients and BYOC or BYOVPC cluster are not all in the same GCP region, you must enable [global access](https://cloud.google.com/load-balancing/docs/internal/setting-up-internal#ilb-global-access).

Global access lets the seed load balancer accept connections from clients outside your cluster’s region, then route them to the appropriate broker addresses for producing and consuming data. You can enable global access when you create a new BYOC or BYOVPC cluster on GCP.

In this guide, you use the [Redpanda Cloud API](https://docs.redpanda.com/api/doc/cloud-controlplane/topic/topic-cloud-api-overview) to create a resource group, network, and cluster with global access enabled on GCP.

## Limitations

You can only use the Cloud API to enable global access as part of cluster creation, and not on existing clusters. Enabling global access on a running cluster requires recreating the GCP forwarding rule, which may cause some downtime. To enable global access on an existing cluster, contact [Redpanda Support](https://support.redpanda.com/hc/en-us/requests/new).

## Get a Cloud API access token

1.  Save the base URL of the Redpanda Cloud API in an environment variable:

    ```bash
    export PUBLIC_API_ENDPOINT="https://api.cloud.redpanda.com"
    ```

2.  In the Redpanda Cloud UI, go to the [**Organization IAM**](https://cloud.redpanda.com/organization-iam) page, and select the **Service account** tab. If you don’t have an existing service account, you can create a new one.

    Copy and store the client ID and secret.

    ```bash
    export CLOUD_CLIENT_ID=<client-id>
    export CLOUD_CLIENT_SECRET=<client-secret>
    ```

3.  Get an API token using the client ID and secret. You can click the **Request an API token** link to see code examples to generate the token.

    ```bash
    export AUTH_TOKEN=`curl -s --request POST \
        --url 'https://auth.prd.cloud.redpanda.com/oauth/token' \
        --header 'content-type: application/x-www-form-urlencoded' \
        --data grant_type=client_credentials \
        --data client_id="$CLOUD_CLIENT_ID" \
        --data client_secret="$CLOUD_CLIENT_SECRET" \
        --data audience=cloudv2-production.redpanda.cloud | jq -r .access_token`
    ```


You must send the API token in the `Authorization` header when making requests to the Cloud API.

## Create a cluster with global access

### Create a resource group

Make a request to the `POST /v1/resource-groups` endpoint and store the ID of the resource group you create.

```bash
export RESOURCE_GROUP_ID=$(curl -X POST \
  https://api.redpanda.com/v1/resource-groups \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  -H 'content-type: application/json' \
  -d '{
    "resource_group": {
      "name": "<resource-group-name>"
    }
  }' | jq -r '.resource_group.id')
```

If you’re creating a BYOVPC cluster, continue to the next section. Otherwise, if you’re creating a standard BYOC cluster, skip ahead to [Create a network](#create-a-network).

### BYOVPC only: Configure customer-managed resources

1.  Before you proceed, check the [prerequisites and limitations](https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/gcp/vpc-byo-gcp/#prerequisites) for new BYOVPC clusters on GCP.

2.  Follow the steps to [configure your VPC](https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/gcp/vpc-byo-gcp/#configure-your-vpc) with the required permissions and firewall rules.

3.  Follow the next steps to [configure the service project](https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/gcp/vpc-byo-gcp/#configure-the-service-project) and service account bindings.


### Create a network

Make a request to the `POST /v1/networks` endpoint and store the ID of the network you create.

-   For standard BYOC clusters, run:

    ```bash
    NETWORK_POST_BODY=`cat << EOF
    {
      "network": {
        "name": "<byoc-network-name>",
        "resource_group_id": "$RESOURCE_GROUP_ID",
        "cloud_provider": "CLOUD_PROVIDER_GCP",
        "cluster_type": "TYPE_BYOC",
        "region": "<gcp-region>",
        "cidr_block": "10.0.0.0/20"
      }
    }
    EOF`

    export NETWORK_ID=$(curl -vv -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    -d "$NETWORK_POST_BODY" https://api.redpanda.com/v1/networks | jq -r '.operation.metadata.network_id')
    ```

-   For BYOVPC clusters, you also make a request to the `POST /v1/networks` endpoint, with a different request body:

    ```bash
    NETWORK_POST_BODY=`cat << EOF
    {
      "network": {
        "name": "<shared-vpc-name>",
        "resource_group_id": "$RESOURCE_GROUP_ID",
        "cloud_provider": "CLOUD_PROVIDER_GCP",
        "cluster_type": "TYPE_BYOC",
        "region": "<gcp-region>",
        "customer_managed_resources": {
          "gcp": {
            "network_name": "<byovpc-network-name>",
            "network_project_id": "<byovpc-network-gcp-project-id>",
            "management_bucket": { "name": "<byovpc-management-bucket>" }
          }
        }
      }
    }
    EOF`

    export NETWORK_ID=$(curl -vv -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    -d "$NETWORK_POST_BODY" https://api.redpanda.com/v1/networks | jq -r '.operation.metadata.network_id')
    ```

    Replace the following placeholder variables for the request body:

    -   `<shared-vpc-name>`: The name for the Redpanda network.

    -   `<gcp-region>`: The GCP region where the network will be created.

    -   `<byovpc-network-gcp-project-id>`: The ID of the GCP project where your VPC is created.

    -   `<byovpc-network-name>`: The name of your VPC.

    -   `<byovpc-management-bucket>`: The name of the Google Storage bucket you created for the cluster.



Note that this endpoint returns a long-running operation. To check the operation state, use the `GET /v1/operations/{operation_id}` endpoint.

### Enable global access

1.  Make a request to the `POST /v1/clusters` endpoint to create a new cluster with global access enabled (`"gcp_enable_global_access": true`).

    -   For BYOC clusters, run:

        ```bash
        CLUSTER_POST_BODY=`cat << EOF
        {
          "cluster": {
            "name": "<cluster-name>",
            "resource_group_id": "$RESOURCE_GROUP_ID",
            "network_id": "$NETWORK_ID",
            "cloud_provider": "CLOUD_PROVIDER_GCP",
            "type": "TYPE_BYOC",
            "region": "<gcp-region>",
            "zones": <gcp-zones>,
            "throughput_tier": "<usage-tier>",
            "gcp_enable_global_access": true
          }
        }
        EOF`

        export CLUSTER_ID=$(curl -X POST \
          https://api.redpanda.com/v1/clusters \
          -H "Authorization: Bearer $AUTH_TOKEN" \
          -H 'content-type: application/json' \
          -d "$CLUSTER_POST_BODY" | jq -r '.operation.metadata.cluster_id')
        ```

        Replace the following placeholder variables for the request body:

        -   `<cluster-name>`: The name for the Redpanda cluster.

        -   `<gcp-region>`: The GCP region where the cluster will be created.

        -   `<gcp-zones>`: Provide the list of GCP zones where the brokers will be deployed. Format: `["<zone 1>", "<zone 2>", "<zone N>"]`

        -   `<usage-tier>`: Choose a Redpanda Cloud cluster tier. For example, `tier-1-gcp-v2-x86`.


    -   For BYOVPC clusters, you also make a request to the `POST /v1/clusters` endpoint, with a different request body:

        ```bash
        CLUSTER_POST_BODY=`cat << EOF
        {
          "cluster": {
            "cloud_provider": "CLOUD_PROVIDER_GCP",
            "connection_type": "CONNECTION_TYPE_PRIVATE",
            "type": "TYPE_BYOC",
            "name": "<cluster-name>",
            "resource_group_id": "$RESOURCE_GROUP_ID",
            "network_id": "$NETWORK_ID",
            "region": "<gcp-region>",
            "zones": <gcp-zones>,
            "throughput_tier": "<usage-tier>",
            "redpanda_version": "<redpanda-version>",
            "gcp_enable_global_access": true,
            "customer_managed_resources": {
              "gcp": {
                "subnet": {
                  "name": "<byovpc-subnet-name>",
                  "secondary_ipv4_range_pods": {
                    "name": "<byovpc-subnet-pods-range-name>"
                  },
                  "secondary_ipv4_range_services": {
                    "name": "<byovpc-subnet-services-range-name>"
                  },
                  "k8s_master_ipv4_range": "<byovpc-subnet-master-range>"
                },
                "agent_service_account": {
                  "email": "<byovpc-agent-service-acc-email>"
                },
                "connector_service_account": {
                  "email": "<byovpc-connectors-service-acc-email>"
                },
                "console_service_account": {
                  "email": "<byovpc-console-service-acc-email>"
                },
                "redpanda_cluster_service_account": {
                  "email": "<byovpc-redpanda-service-acc-email>"
                },
                "gke_service_account": {
                  "email": "<byovpc-gke-service-acc-email>"
                },
                "tiered_storage_bucket": {
                  "name": "<byovpc-tiered-storage-bucket>"
                }
              }
            }
          }
        }
        EOF`

        export CLUSTER_ID=$(curl -vv -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -d "$CLUSTER_POST_BODY" https://api.redpanda.com/v1/clusters | jq -r '.operation.metadata.cluster_id')
        ```

        Replace the following placeholders in the request body. Placeholders with a `byovpc-` prefix represent the customer-managed resources that you set up previously:

        -   `<cluster-name>`: Provide a name for the new cluster.

        -   `<gcp-region>`: Choose a GCP region where the cluster will be created.

        -   `<gcp-zones>`: Provide the list of GCP zones where the brokers will be deployed. Format: `["<zone 1>", "<zone 2>", "<zone N>"]`

        -   `<usage-tier>`: Choose a Redpanda Cloud cluster tier. For example, `tier-1-gcp-v2-x86`.

        -   `<redpanda-version>`: Choose the Redpanda Cloud version.

        -   `<byovpc-subnet-name>`: The name of the GCP subnet that was created for the cluster.

        -   `<byovpc-subnet-pods-range-name>`: The name of the IPv4 range designated for K8s pods.

        -   `<byovpc-subnet-services-range-name>`: The name of the IPv4 range designated for services.

        -   `<byovpc-subnet-master-range>`: The master IPv4 range.

        -   `<byovpc-agent-service-acc-email>`: The email for the agent service account.

        -   `<byovpc-connectors-service-acc-email>`: The email for the connectors service account.

        -   `<byovpc-console-service-acc-email>`: The email for the Console service account.

        -   `<byovpc-redpanda-service-acc-email>`: The email for the Redpanda service account.

        -   `<byovpc-gke-service-acc-email>`: The email for the GKE service account.

        -   `<byovpc-tiered-storage-bucket>`: The name of the Google Storage bucket to use for Tiered Storage.



2.  Run `rpk cloud byoc gcp apply`:

    ```bash
    rpk cloud byoc gcp apply --redpanda-id="${CLUSTER_ID}" --project-id='<gcp-service-project-id>'
    ```
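
Because the Cloud API only accepts `gcp_enable_global_access` at cluster creation, it is worth checking the expanded `CLUSTER_POST_BODY` before you send the `POST /v1/clusters` request in step 1. The following pre-flight check is an added example, not part of the Redpanda documentation or tooling; the function name `preflight`, the sample values, and the rule that each zone name starts with its region name are assumptions of this example.

```python
import json
import re
import sys

PLACEHOLDER = re.compile(r"<[A-Za-z0-9 -]+>")  # e.g. <cluster-name>, <zone 1>
# Constructed sample: NETWORK_ID expanded to "null" and the flag was quoted.
SAMPLE = """{"cluster": {"name": "demo", "resource_group_id": "rg-example",
  "network_id": "null", "cloud_provider": "CLOUD_PROVIDER_GCP",
  "type": "TYPE_BYOC", "region": "us-central1", "zones": ["us-central1-a"],
  "throughput_tier": "tier-1-gcp-v2-x86", "gcp_enable_global_access": "true"}}"""


def preflight(body):
    """Return a list of problems found in a POST /v1/clusters request body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # The template's <gcp-zones> is unquoted, so leaving it in breaks parsing.
        hint = " (unreplaced placeholder?)" if PLACEHOLDER.search(body) else ""
        return [f"not valid JSON{hint}: {exc.msg}, line {exc.lineno}"]
    cluster = doc.get("cluster") if isinstance(doc, dict) else None
    if not isinstance(cluster, dict):
        return ['missing top-level "cluster" object']
    problems = []
    leftovers = sorted(set(PLACEHOLDER.findall(body)))
    if leftovers:
        problems.append("unreplaced placeholders: " + ", ".join(leftovers))
    # jq -r prints "null" when an earlier response lacked the field.
    for key in ("resource_group_id", "network_id"):
        if cluster.get(key) in (None, "", "null"):
            problems.append(f"{key} is empty or 'null'")
    # Must be the JSON boolean true; the string "true" is a different type.
    if cluster.get("gcp_enable_global_access") is not True:
        problems.append("gcp_enable_global_access is not the boolean true")
    region, zones = cluster.get("region"), cluster.get("zones")
    if not isinstance(zones, list) or not zones:
        problems.append("zones must be a non-empty JSON array")
    elif isinstance(region, str):
        stray = [z for z in zones if not str(z).startswith(region + "-")]
        if stray:
            problems.append(f"zones outside region {region}: {stray}")
    return problems


if __name__ == "__main__":
    real = len(sys.argv) > 1  # body passed as the first argument
    found = preflight(sys.argv[1] if real else SAMPLE)
    print("\n".join(found) or "OK")
    sys.exit(1 if found and real else 0)
```

Saved under a name of your choice (for example `preflight.py`), it can be run as `python3 preflight.py "$CLUSTER_POST_BODY"` and exits non-zero when it finds a problem. Without an argument it checks the constructed sample.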


## Test global access

To test if global access is successfully enabled, see the [GCP documentation](https://cloud.google.com/load-balancing/docs/internal/setting-up-internal#gcloud_17).