# Enable Global Access

By default, the seed load balancer for a cluster on GCP only accepts connections from the same region where the cluster is deployed. In Redpanda Cloud, the seed load balancer is the bootstrap server address you configure in your clients. If your Redpanda Cloud clients and BYOC or BYOVPC cluster are not all in the same GCP region, you must enable global access. Global access lets the seed load balancer accept connections from clients outside your cluster’s region, then route them to the appropriate broker addresses for producing and consuming data.

You can enable global access when you create a new BYOC or BYOVPC cluster on GCP. In this guide, you use the Redpanda Cloud API to create a resource group, network, and cluster with global access enabled on GCP.

## Limitations

You can only use the Cloud API to enable global access as part of cluster creation, and not on existing clusters. Enabling global access on a running cluster requires recreating the GCP forwarding rule, which may cause some downtime. To enable global access on an existing cluster, contact Redpanda Support.

## Get a Cloud API access token

Save the base URL of the Redpanda Cloud API in an environment variable:

```bash
export PUBLIC_API_ENDPOINT="https://api.cloud.redpanda.com"
```

In the Redpanda Cloud UI, go to the Organization IAM page, and select the Service account tab. If you don’t have an existing service account, you can create a new one. Copy and store the client ID and secret.

```bash
export CLOUD_CLIENT_ID=<client-id>
export CLOUD_CLIENT_SECRET=<client-secret>
```

Get an API token using the client ID and secret. You can click the Request an API token link to see code examples to generate the token.
```bash
export AUTH_TOKEN=$(curl -s --request POST \
  --url 'https://auth.prd.cloud.redpanda.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id="$CLOUD_CLIENT_ID" \
  --data client_secret="$CLOUD_CLIENT_SECRET" \
  --data audience=cloudv2-production.redpanda.cloud | jq -r .access_token)
```

You must send the API token in the Authorization header when making requests to the Cloud API.

## Create a cluster with global access

### Create a resource group

Make a request to the POST /v1/resource-groups endpoint and store the ID of the resource group you create.

```bash
export RESOURCE_GROUP_ID=$(curl -X POST \
  https://api.redpanda.com/v1/resource-groups \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  -H 'content-type: application/json' \
  -d '{
    "resource_group": {
      "name": "<resource-group-name>"
    }
  }' | jq -r '.resource_group.id')
```

If you’re creating a BYOVPC cluster, continue to the next section. Otherwise, if you’re creating a standard BYOC cluster, skip ahead to Create a network.

### BYOVPC only: Configure customer-managed resources

1. Before you proceed, check the prerequisites and limitations for new BYOVPC clusters on GCP.
2. Follow the steps to configure your VPC with the required permissions and firewall rules.
3. Follow the next steps to configure the service project and service account bindings.

### Create a network

Make a request to the POST /v1/networks endpoint and store the ID of the network you create.
For standard BYOC clusters, run:

```bash
NETWORK_POST_BODY=$(cat << EOF
{
  "network": {
    "name": "<byoc-network-name>",
    "resource_group_id": "$RESOURCE_GROUP_ID",
    "cloud_provider": "CLOUD_PROVIDER_GCP",
    "cluster_type": "TYPE_BYOC",
    "region": "<gcp-region>",
    "cidr_block": "10.0.0.0/20"
  }
}
EOF
)

export NETWORK_ID=$(curl -vv -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  -d "$NETWORK_POST_BODY" https://api.redpanda.com/v1/networks | jq -r '.operation.metadata.network_id')
```

For BYOVPC clusters, you also make a request to the POST /v1/networks endpoint, with a different request body:

```bash
NETWORK_POST_BODY=$(cat << EOF
{
  "network": {
    "name": "<shared-vpc-name>",
    "resource_group_id": "$RESOURCE_GROUP_ID",
    "cloud_provider": "CLOUD_PROVIDER_GCP",
    "cluster_type": "TYPE_BYOC",
    "region": "<gcp-region>",
    "customer_managed_resources": {
      "gcp": {
        "network_name": "<byovpc-network-name>",
        "network_project_id": "<byovpc-network-gcp-project-id>",
        "management_bucket": { "name": "<byovpc-management-bucket>" }
      }
    }
  }
}
EOF
)

export NETWORK_ID=$(curl -vv -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  -d "$NETWORK_POST_BODY" https://api.redpanda.com/v1/networks | jq -r '.operation.metadata.network_id')
```

Replace the following placeholder variables for the request body:

- `<shared-vpc-name>`: The name for the Redpanda network.
- `<gcp-region>`: The GCP region where the network will be created.
- `<byovpc-network-gcp-project-id>`: The ID of the GCP project where your VPC is created.
- `<byovpc-network-name>`: The name of your VPC.
- `<byovpc-management-bucket>`: The name of the Google Storage bucket you created for the cluster.

Note that this endpoint returns a long-running operation. To check the operation state, use the GET /v1/operations/{operation_id} endpoint.
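The ID captures above pipe the response through `jq -r`, which prints the string `null` when the field is missing, so a rejected request still exports a value; they also run `curl -vv`, which writes the `Authorization` header to stderr. The following is an added example, not part of the Redpanda documentation, showing a fail-closed capture and a trace filter. The function names, the accepted ID character set, and the sample responses are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Redpanda's code): fail-closed ID capture for Cloud API calls.

# Constructed sample bodies, used only to exercise the functions offline.
SAMPLE_OK='{"operation":{"metadata":{"network_id":"constructed-net-0001"}}}'
SAMPLE_ERR='{"message":"constructed error body"}'

# Read an API response on stdin and print one field.
# "// empty" drops null/missing values and -e turns "no output" into a
# non-zero exit, so an error body can never be exported as the text "null".
extract_id() {  # usage: extract_id '.operation.metadata.network_id' < response
  jq -er "$1 // empty"
}

# Stop before a captured value is substituted into the next request body.
# Assumption: IDs contain only letters, digits, "_" and "-".
require_id() {  # usage: require_id NAME VALUE
  case "$2" in
    ''|null)
      echo "error: $1 is empty or null; do not continue" >&2
      return 1 ;;
    *[!A-Za-z0-9_-]*)
      echo "error: $1 contains unexpected characters" >&2
      return 1 ;;
  esac
}

# Mask the bearer token in a curl verbose trace before it reaches a
# terminal scrollback, CI log, or support ticket.
redact_bearer() {
  sed -E 's/([Aa]uthorization: [Bb]earer )[^[:space:]]+/\1[REDACTED]/'
}

# Wiring into the guide's command (bash process substitution):
#   NETWORK_ID=$(curl -vv -X POST ... 2> >(redact_bearer >&2) \
#     | extract_id '.operation.metadata.network_id') \
#     && require_id NETWORK_ID "$NETWORK_ID" && export NETWORK_ID
```

The same pattern applies to the `RESOURCE_GROUP_ID` and `CLUSTER_ID` captures by changing the jq path.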
### Enable global access

Make a request to the POST /v1/clusters endpoint to create a new cluster with global access enabled (`"gcp_enable_global_access": true`).

For BYOC clusters, run:

```bash
CLUSTER_POST_BODY=$(cat << EOF
{
  "cluster": {
    "name": "<cluster-name>",
    "resource_group_id": "$RESOURCE_GROUP_ID",
    "network_id": "$NETWORK_ID",
    "cloud_provider": "CLOUD_PROVIDER_GCP",
    "type": "TYPE_BYOC",
    "region": "<gcp-region>",
    "zones": <gcp-zones>,
    "throughput_tier": "<usage-tier>",
    "gcp_enable_global_access": true
  }
}
EOF
)

export CLUSTER_ID=$(curl -X POST \
  https://api.redpanda.com/v1/clusters \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  -H 'content-type: application/json' \
  -d "$CLUSTER_POST_BODY" | jq -r '.operation.metadata.cluster_id')
```

Replace the following placeholder variables for the request body:

- `<cluster-name>`: The name for the Redpanda cluster.
- `<gcp-region>`: The GCP region where the cluster will be created.
- `<gcp-zones>`: Provide the list of GCP zones where the brokers will be deployed. Format: `["<zone 1>", "<zone 2>", "<zone N>"]`
- `<usage-tier>`: Choose a Redpanda Cloud cluster tier. For example, `tier-1-gcp-v2-x86`.
For BYOVPC clusters, you also make a request to the POST /v1/clusters endpoint, with a different request body:

```bash
CLUSTER_POST_BODY=$(cat << EOF
{
  "cluster": {
    "cloud_provider": "CLOUD_PROVIDER_GCP",
    "connection_type": "CONNECTION_TYPE_PRIVATE",
    "type": "TYPE_BYOC",
    "name": "<cluster-name>",
    "resource_group_id": "$RESOURCE_GROUP_ID",
    "network_id": "$NETWORK_ID",
    "region": "<gcp-region>",
    "zones": <gcp-zones>,
    "throughput_tier": "<usage-tier>",
    "redpanda_version": "<redpanda-version>",
    "gcp_enable_global_access": true,
    "customer_managed_resources": {
      "gcp": {
        "subnet": {
          "name": "<byovpc-subnet-name>",
          "secondary_ipv4_range_pods": { "name": "<byovpc-subnet-pods-range-name>" },
          "secondary_ipv4_range_services": { "name": "<byovpc-subnet-services-range-name>" },
          "k8s_master_ipv4_range": "<byovpc-subnet-master-range>"
        },
        "agent_service_account": { "email": "<byovpc-agent-service-acc-email>" },
        "connector_service_account": { "email": "<byovpc-connectors-service-acc-email>" },
        "console_service_account": { "email": "<byovpc-console-service-acc-email>" },
        "redpanda_cluster_service_account": { "email": "<byovpc-redpanda-service-acc-email>" },
        "gke_service_account": { "email": "<byovpc-gke-service-acc-email>" },
        "tiered_storage_bucket": { "name": "<byovpc-tiered-storage-bucket>" }
      }
    }
  }
}
EOF
)

export CLUSTER_ID=$(curl -vv -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  -d "$CLUSTER_POST_BODY" https://api.redpanda.com/v1/clusters | jq -r '.operation.metadata.cluster_id')
```

Replace the following placeholders for the request body. Placeholders with a `byovpc-` prefix represent the customer-managed resources that you set up previously:

- `<cluster-name>`: Provide a name for the new cluster.
- `<gcp-region>`: Choose a GCP region where the cluster will be created.
- `<gcp-zones>`: Provide the list of GCP zones where the brokers will be deployed. Format: `["<zone 1>", "<zone 2>", "<zone N>"]`
- `<usage-tier>`: Choose a Redpanda Cloud cluster tier. For example, `tier-1-gcp-v2-x86`.
- `<redpanda-version>`: Choose the Redpanda Cloud version.
- `<byovpc-subnet-name>`: The name of the GCP subnet that was created for the cluster.
- `<byovpc-subnet-pods-range-name>`: The name of the IPv4 range designated for K8s pods.
- `<byovpc-subnet-services-range-name>`: The name of the IPv4 range designated for services.
- `<byovpc-subnet-master-range>`: The master IPv4 range.
- `<byovpc-agent-service-acc-email>`: The email for the agent service account.
- `<byovpc-connectors-service-acc-email>`: The email for the connectors service account.
- `<byovpc-console-service-acc-email>`: The email for the Console service account.
- `<byovpc-redpanda-service-acc-email>`: The email for the Redpanda service account.
- `<byovpc-gke-service-acc-email>`: The email for the GKE service account.
- `<byovpc-tiered-storage-bucket>`: The name of the Google Storage bucket to use for Tiered Storage.

Run `rpk cloud byoc gcp apply`:

```bash
rpk cloud byoc gcp apply --redpanda-id="${CLUSTER_ID}" --project-id='<gcp-service-project-id>'
```

## Test global access

To test if global access is successfully enabled, see the GCP documentation.