From fe63b4c98c2892bf317f3295e925083fa253d63c Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Fri, 6 Jun 2025 14:39:17 -0400 Subject: [PATCH 01/38] little start --- deploy-manage/_snippets/ecloud-security.md | 2 +- deploy-manage/security/_snippets/cluster-comparison.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy-manage/_snippets/ecloud-security.md b/deploy-manage/_snippets/ecloud-security.md index 803969ea26..ae58b0a0f2 100644 --- a/deploy-manage/_snippets/ecloud-security.md +++ b/deploy-manage/_snippets/ecloud-security.md @@ -1,7 +1,7 @@ {{ecloud}} has built-in security. For example, HTTPS communications between {{ecloud}} and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest. In {{ech}}, you can augment these security features in the following ways: -* Configure [traffic filtering](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments. +* Configure [network security policies](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments. * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores. * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. diff --git a/deploy-manage/security/_snippets/cluster-comparison.md b/deploy-manage/security/_snippets/cluster-comparison.md index b72ca09fb8..cd74078915 100644 --- a/deploy-manage/security/_snippets/cluster-comparison.md +++ b/deploy-manage/security/_snippets/cluster-comparison.md 
@@ -19,7 +19,7 @@ Select your deployment type below to see what's available and how implementation |------------------|------------|--------------|-------------| | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | -| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | +| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | | | Private link | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | Managed | You can [bring your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md) | @@ -36,7 +36,7 @@ Select your deployment type below to see what's available and how implementation |------------------|------------|--------------|-------------| | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | -| **Network** | IP traffic filtering | N/A | | +| **Network** | IP filtering | N/A | | | | Private link | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | Fully managed | Automatically encrypted by Elastic | 
@@ -53,7 +53,7 @@ Select your deployment type below to see what's available and how implementation |------------------|------------|--------------|-------------| | **Communication** | TLS (HTTP layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | -| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | +| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | | | Private link | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | N/A | | @@ -70,7 +70,7 @@ Select your deployment type below to see what's available and how implementation |------------------|------------|--------------|-------------| | **Communication** | TLS (HTTP layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) for customization | | | TLS (Transport layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) for customization | -| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | +| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | | | Private link | N/A | | | | Kubernetes network policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) | | **Data** | Encryption at rest | N/A | | 
@@ -88,7 +88,7 @@ Select your deployment type below to see what's available and how implementation |------------------|------------|--------------|-------------| | **Communication** | TLS (HTTP layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) | | | TLS (Transport layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) | -| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | +| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | | | Private link | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | N/A | | From 25d3e6564794bac876d75748c43e4f5bc408209c Mon Sep 17 00:00:00 2001 
From: shainaraskas Date: Mon, 9 Jun 2025 17:24:29 -0400 Subject: [PATCH 02/38] more stuff --- deploy-manage/_snippets/ecloud-security.md | 4 +- deploy-manage/security.md | 1 + .../cluster-communication-network.md | 2 +- .../security/_snippets/cluster-comparison.md | 12 +- .../_snippets/eck-traffic-filtering.md | 2 +- .../ec-traffic-filtering-through-the-api.md | 5 +- deploy-manage/security/ece-filter-rules.md | 86 ++++++++++ deploy-manage/security/ip-filtering-cloud.md | 11 +- deploy-manage/security/ip-filtering-ece.md | 153 ++++++++++++++++++ .../security/ip-traffic-filtering.md | 33 +++- .../security/network-security-policies.md | 86 ++++++++++ .../security/private-link-traffic-filters.md | 1 + .../secure-your-cluster-deployment.md | 5 +- deploy-manage/security/traffic-filtering.md | 108 +++---------- deploy-manage/toc.yml | 6 +- 15 files changed, 402 insertions(+), 113 deletions(-) create mode 100644 deploy-manage/security/ece-filter-rules.md create mode 100644 deploy-manage/security/ip-filtering-ece.md create mode 100644 deploy-manage/security/network-security-policies.md diff --git a/deploy-manage/_snippets/ecloud-security.md b/deploy-manage/_snippets/ecloud-security.md index ae58b0a0f2..93dfedb36f 100644 --- a/deploy-manage/_snippets/ecloud-security.md +++ b/deploy-manage/_snippets/ecloud-security.md 
@@ -1,7 +1,9 @@ {{ecloud}} has built-in security. For example, HTTPS communications between {{ecloud}} and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest. +In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](?) to prevent unauthorized access to your deployments and projects. + In {{ech}}, you can augment these security features in the following ways: -* Configure [network security policies](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments. +* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments. * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores. * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 82827fd47f..6c33e73f24 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -18,6 +18,7 @@ products: - id: cloud-kubernetes - id: cloud-enterprise - id: cloud-hosted + - id: cloud-serverless --- # Security diff --git a/deploy-manage/security/_snippets/cluster-communication-network.md b/deploy-manage/security/_snippets/cluster-communication-network.md index 7d16451e88..3cf287d6e2 100644 --- a/deploy-manage/security/_snippets/cluster-communication-network.md +++ b/deploy-manage/security/_snippets/cluster-communication-network.md 
@@ -3,5 +3,5 @@ * **The transport layer**: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication. * In self-managed {{es}} clusters, you can also [Configure {{kib}} and {{es}} to use mutual TLS](/deploy-manage/security/kibana-es-mutual-tls.md). * [Enable cipher suites for stronger encryption](/deploy-manage/security/enabling-cipher-suites-for-stronger-encryption.md): The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers. -* [Restrict connections using traffic filtering](/deploy-manage/security/traffic-filtering.md): Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. +* [Secure your network using IP filtering and private connections](/deploy-manage/security/traffic-filtering.md): Network security allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. * [Allow or deny {{ech}} IP ranges](/deploy-manage/security/elastic-cloud-static-ips.md): {{ecloud}} publishes a list of IP addresses used by its {{ech}} services for both incoming and outgoing traffic. 
Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to {{ech}} services. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/cluster-comparison.md b/deploy-manage/security/_snippets/cluster-comparison.md index cd74078915..d4f3bf264a 100644 --- a/deploy-manage/security/_snippets/cluster-comparison.md +++ b/deploy-manage/security/_snippets/cluster-comparison.md @@ -20,7 +20,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | -| | Private link | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) | +| | Private connections and VPC filtering | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | Managed | You can [bring your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md) | | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) | 
@@ -36,8 +36,8 @@ Select your deployment type below to see what's available and how implementation |------------------|------------|--------------|-------------| | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | -| **Network** | IP filtering | N/A | | -| | Private link | N/A | | +| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | +| | Private connections and VPC filtering | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | Fully managed | Automatically encrypted by Elastic | | | Secure settings | N/A | | @@ -54,7 +54,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | -| | Private link | N/A | | +| | Private connections and VPC filtering | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | N/A | | | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) | 
@@ -71,7 +71,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) for customization | | | TLS (Transport layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) for customization | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | -| | Private link | N/A | | +| | Private connections and VPC filtering | N/A | | | | Kubernetes network policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) | | **Data** | Encryption at rest | N/A | | | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/k8s-secure-settings.md) | @@ -89,7 +89,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) | | | TLS (Transport layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | -| | Private link | N/A | | +| | Private connections and VPC filtering | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | N/A | | | | Keystore security | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) | diff --git a/deploy-manage/security/_snippets/eck-traffic-filtering.md b/deploy-manage/security/_snippets/eck-traffic-filtering.md index cb7d47acd2..c43daaecaf 100644 --- a/deploy-manage/security/_snippets/eck-traffic-filtering.md 
+++ b/deploy-manage/security/_snippets/eck-traffic-filtering.md @@ -1,3 +1,3 @@ :::{tip} -Elastic recommends that you use Kubernetes network policies over IP traffic filters for {{eck}}. This is because, in containerized environments like Kubernetes, IP addresses are usually dynamic, making network policies a more robust option. +Elastic recommends that you use Kubernetes network policies over IP filters for {{eck}}. This is because, in containerized environments like Kubernetes, IP addresses are usually dynamic, making network policies a more robust option. ::: \ No newline at end of file diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md index 27f5a69700..b6c900b8c7 100644 --- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md +++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md @@ -9,11 +9,12 @@ applies_to: products: - id: cloud-hosted - id: cloud-enterprise +navigation_title: Through the API --- -# Manage traffic filters through the API [ec-traffic-filtering-through-the-api] +# Manage network security through the API [ec-traffic-filtering-through-the-api] -This example demonstrates how to use the {{ecloud}} RESTful API or {{ece}} RESTful API or to manage different types of traffic filters. We cover the following examples: +This example demonstrates how to use the {{ecloud}} RESTful API or {{ece}} RESTful API or to manage different types of network security rules and policies. We cover the following examples: * [Create a traffic filter rule set](ec-traffic-filtering-through-the-api.md#ec-create-a-traffic-filter-rule-set) diff --git a/deploy-manage/security/ece-filter-rules.md b/deploy-manage/security/ece-filter-rules.md new file mode 100644 index 0000000000..9519229754 --- /dev/null +++ b/deploy-manage/security/ece-filter-rules.md 
@@ -0,0 +1,86 @@ +--- +navigation_title: How rules work in ECE +applies_to: + deployment: + ess: ga + serverless: ga +--- + +# Traffic filter rules in {{ece}} + +% could be refined further + +By default, in {{ece}} and {{ech}}, all your deployments are accessible over the public internet. In {{ece}}, this assumes that your orchestrator's proxies are accessible. + +Filtering *rules* are grouped into *rule sets*, which in turn are *associated* with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied. + +Traffic filters apply to external traffic only. Internal traffic is managed by ECE or ECH. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters. + +Traffic filters operate on the proxy. Requests rejected by the traffic filters are not forwarded to the deployment. The proxy responds to the client with `403 Forbidden`. + +Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. + +Rule sets work as follows: + +- You can assign multiple rule sets to a single deployment. The rule sets can be of different types. In case of multiple rule sets, traffic can match ANY of them. If none of the rule sets match, the request is rejected with `403 Forbidden`. +- Traffic filter rule sets are bound to a single region. The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to. +- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. 
You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments. +- Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others. +- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets. + +:::{admonition} Rule limits +In {{ech}}, you can have a maximum of 1024 rule sets per organization and 128 rules in each rule set. + +In {{ece}}, you can have a maximum of 512 rule sets per organization and 128 rules in each rule set. +::: + +### Tips + +This section offers suggestions on how to manage and analyze the impact of your traffic filters in ECH and ECE. + +#### Review the rule sets associated with a deployment + +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) or [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). +2. On the **Deployments** page, select your deployment. +3. Select the **Security** tab on the left-hand side menu bar. + +Traffic filter rule sets are listed under **Traffic filters**. + +On this page, you can view and remove existing filters and attach new filters. + +#### Identify default rule sets +To identify which rule sets are automatically applied to new deployments in your account: + +1. Navigate to the traffic filters list: + + ::::{tab-set} + :group: ech-ece + + :::{tab-item} {{ech}} + :sync: ech + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + 2. 
Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + 3. Under the **Features** tab, open the **Traffic filters** page. + ::: + :::{tab-item} {{ece}} + :sync: ece + 4. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). + 5. From the **Platform** menu, select **Security**. + ::: + :::: + +2. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region. + +#### View rejected requests + +Requests rejected by traffic filter have status code `403 Forbidden` and one of the following in the response body: + +```json +{"ok":false,"message":"Forbidden"} +``` + +```json +{"ok":false,"message":"Forbidden due to traffic filtering. Please see the Elastic documentation on Traffic Filtering for more information."} +``` + +Additionally, traffic filter rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field. \ No newline at end of file diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index 58c95240b6..e463b70323 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -1,5 +1,5 @@ --- -navigation_title: In ECH or ECE +navigation_title: In ECH or Serverless mapped_pages: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-traffic-filtering-ip.html - https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-ip.html 
@@ -8,12 +8,13 @@ applies_to: deployment: ess: ga ece: ga + serverless: ga products: - - id: cloud-enterprise - id: cloud-hosted + - id: cloud-serverless --- -# Manage IP traffic filters in ECH or ECE +# Manage IP traffic filters in ECH or Serverless Traffic filtering, by IP address or CIDR block, is one of the security layers available in {{ece}} and {{ech}}. It allows you to limit how your deployments can be accessed. @@ -29,7 +30,9 @@ To learn how traffic filter rules work together, refer to [traffic filter rules] To learn how to manage IP traffic filters using the Traffic Filtering API, refer to [](/deploy-manage/security/ec-traffic-filtering-through-the-api.md). :::{note} -To learn how to create IP traffic filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md). +To learn how to create IP filters for {{ece}} deployments, refer to [](ip-filtering-ece.md). + +To learn how to create IP filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md). ::: ## Prerequisites diff --git a/deploy-manage/security/ip-filtering-ece.md b/deploy-manage/security/ip-filtering-ece.md new file mode 100644 index 0000000000..68f497fb97 --- /dev/null +++ b/deploy-manage/security/ip-filtering-ece.md 
@@ -0,0 +1,153 @@ +--- +navigation_title: In ECE +mapped_pages: + - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-traffic-filtering-ip.html +applies_to: + deployment: + ece: ga +products: + - id: cloud-enterprise +--- + +# Manage IP filters in ECE + +Filtering by IP address or CIDR block is one of the security layers available in {{ece}}. It allows you to limit how your deployments can be accessed. + +You can only configure ingress or inbound IP filters**. These restrict access to your deployments from a set of IP addresses or CIDR blocks. + +Follow the step described here to set up ingress or inbound IP filters through the Cloud UI. + +To learn how traffic filter rules work together, refer to [traffic filter rules](/deploy-manage/security/traffic-filtering.md#traffic-filter-rules). + +To learn how to manage IP traffic filters using the Traffic Filtering API, refer to [](/deploy-manage/security/ec-traffic-filtering-through-the-api.md). + +:::{note} +To learn how to create IP filters for {{ech}} deployments or {{serverless-full}} projects, refer to [](ip-filtering-cloud.md). + +To learn how to create IP filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md). +::: + +## Prerequisites +```{applies_to} +deployment: + ece: +``` + +On {{ece}}, make sure your [load balancer](/deploy-manage/deploy/cloud-enterprise/ece-load-balancers.md) handles the `X-Forwarded-For` header appropriately for HTTP requests to prevent IP address spoofing. Make sure the proxy protocol v2 is enabled for HTTP and transport protocols (9243 and 9343). + +This step is not required in {{ech}}. + +## Apply an IP filter to a deployment + +To apply an IP filter to a deployment, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment. 
+ +### Step 1: Create an IP filter rule set + +You can combine any rules into a set, so we recommend that you group rules according to what they allow, and make sure to label them accordingly. Since multiple sets can be applied to a deployment, you can be as granular in your sets as you feel is necessary. + +To create a rule set: + +1. Navigate to the traffic filters list: + + ::::{tab-set} + :group: ech-ece + + :::{tab-item} {{ech}} + :sync: ech + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + 3. Under the **Features** tab, open the **Traffic filters** page. + ::: + :::{tab-item} {{ece}} + :sync: ece + 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). + 2. From the **Platform** menu, select **Security**. + ::: + :::: + +2. Select **Create filter**. +3. Select **IP filtering rule set**. +4. Create your rule set, providing a meaningful name and description. +5. Select the region for the rule set. +6. Select if this rule set should be automatically attached to new deployments. + + ::::{note} + Each rule set is bound to a particular region and can be only assigned to deployments in the same region. + :::: + +7. Add one or more rules using IPv4, or a range of addresses with CIDR. + + ::::{note} + DNS names are not supported in rules. + :::: + +### Step 2: Associate an IP filter rule set with your deployment + +After you’ve created the rule set, you’ll need to associate IP filter rules with your deployment: + +1. Go to the deployment. +2. On the **Security** page, under **Traffic filters**, select **Apply filter**. +3. Choose the filter you want to apply and select **Apply filter**. + +At this point, the traffic filter is active. You can remove or edit it at any time. 
+ +## Remove an IP filter rule set association from your deployment [remove-filter-deployment] + +If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI: + +1. Go to the deployment. +2. On the **Security** page, under **Traffic filters** select **Remove**. + +## Edit an IP filter rule set + +You can edit a rule set name or change the allowed traffic sources using IPv4, or a range of addresses with CIDR. + +1. Navigate to the traffic filters list: + + ::::{tab-set} + :group: ech-ece + + :::{tab-item} {{ech}} + :sync: ech + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + 3. Under the **Features** tab, open the **Traffic filters** page. + ::: + :::{tab-item} {{ece}} + :sync: ece + 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). + 2. From the **Platform** menu, select **Security**. + ::: + :::: + +2. Find the rule set you want to edit. +5. Select the **Edit** icon. + + +## Delete an IP filter rule set + +If you need to remove a rule set, you must first remove any associations with deployments. + +To delete a rule set with all its rules: + +1. [Remove any deployment associations](#remove-filter-deployment). +1. Navigate to the traffic filters list: + + ::::{tab-set} + :group: ech-ece + + :::{tab-item} {{ech}} + :sync: ech + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + 3. Under the **Features** tab, open the **Traffic filters** page. + ::: + :::{tab-item} {{ece}} + :sync: ece + 1. 
[Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). + 2. From the **Platform** menu, select **Security**. + ::: + :::: + +3. Find the rule set you want to edit. +4. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set. \ No newline at end of file diff --git a/deploy-manage/security/ip-traffic-filtering.md b/deploy-manage/security/ip-traffic-filtering.md index 1c6c3bff69..55bcd1e321 100644 --- a/deploy-manage/security/ip-traffic-filtering.md +++ b/deploy-manage/security/ip-traffic-filtering.md 
@@ -5,19 +5,38 @@ applies_to: ece: ga eck: ga self: ga - serverless: unavailable + serverless: ga +navigation_title: "Add IP filters" --- -# IP traffic filtering +# IP filtering This section covers traffic filtering by IP address or CIDR block. -The way that you configure IP traffic filters depends on your deployment type: +The way that you configure IP filters depends on your deployment type. -* **In {{ece}} and {{ech}}**, traffic filter rules are created at the organization or platform level, and then applied at the deployment level. [Learn how to create, apply and manage these rules](/deploy-manage/security/ip-filtering-cloud.md). +:::{tip} +If you use {{ech}} or {{eck}}, then other [network security](/deploy-manage/security/traffic-filtering.md) methods are also available. +::: + +## Serverless and ECH + +In {{serverless-full}} and {{ech}}, network security policies are created at the organization level, and then applied at the deployment level. Follow these guides to learn how to create, apply, and manage these policies using your preferred method: + + * [In the {{ecloud}} console](/deploy-manage/security/ip-filtering-cloud.md) + * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api) + +To learn how multiple IP filter policies are processed, and how IP filters and [private connections](/deploy-manage/security/private-link-traffic-filters.md) work together in ECH, refer to [](/deploy-manage/security/network-security-policies.md). + +## ECE + +In {{ece}}, filter rules are created at the platform level, and then applied at the deployment level. 
Follow these guides to learn how to create, apply, and manage these policies using your preferred method: + + * [In the Cloud UI](/deploy-manage/security/ip-filtering-ece.md) + * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api) - To learn how multiple rules are processed, and how IP traffic filters and [private link traffic filters](/deploy-manage/security/private-link-traffic-filters.md) work together in ECH, refer to [Traffic filter rules](/deploy-manage/security/traffic-filtering.md#traffic-filter-rules). +To learn how multiple rules are processed, refer to [Traffic filter rules](/deploy-manage/security/traffic-filter-rules.md). -* **In {{eck}} and self-managed clusters**, traffic filters are applied at the cluster level using `elasticsearch.yml`. [Learn how to configure traffic filtering at the cluster level](/deploy-manage/security/ip-filtering-basic.md). +## ECK and self managed -If you use {{ech}} or {{eck}}, then other [traffic filtering](/deploy-manage/security/traffic-filtering.md) methods are also available. \ No newline at end of file +In {{eck}} and self-managed clusters, traffic filters are applied at the cluster level using `elasticsearch.yml`. [Learn how to configure traffic filtering at the cluster level](/deploy-manage/security/ip-filtering-basic.md). \ No newline at end of file diff --git a/deploy-manage/security/network-security-policies.md b/deploy-manage/security/network-security-policies.md new file mode 100644 index 0000000000..91f3624d7a --- /dev/null +++ b/deploy-manage/security/network-security-policies.md 
@@ -0,0 +1,86 @@ +--- +navigation_title: How policies work in Cloud +applies_to: + deployment: + ess: ga + serverless: ga +--- + +# Network security policies in {{ecloud}} [traffic-filter-rules] + +% could be refined further + +By default, in {{ece}} and {{ech}}, all your deployments are accessible over the public internet. In {{ece}}, this assumes that your orchestrator's proxies are accessible. + +Filtering *rules* are grouped into *rule sets*, which in turn are *associated* with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied. + +Traffic filters apply to external traffic only. Internal traffic is managed by ECE or ECH. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters. + +Traffic filters operate on the proxy. Requests rejected by the traffic filters are not forwarded to the deployment. The proxy responds to the client with `403 Forbidden`. + +Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. + +Rule sets work as follows: + +- You can assign multiple rule sets to a single deployment. The rule sets can be of different types. In case of multiple rule sets, traffic can match ANY of them. If none of the rule sets match, the request is rejected with `403 Forbidden`. +- Traffic filter rule sets are bound to a single region. The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to. +- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. 
You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments. +- Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others. +- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets. + +:::{admonition} Rule limits +In {{ech}}, you can have a maximum of 1024 rule sets per organization and 128 rules in each rule set. + +In {{ece}}, you can have a maximum of 512 rule sets per organization and 128 rules in each rule set. +::: + +### Tips + +This section offers suggestions on how to manage and analyze the impact of your traffic filters in ECH and ECE. + +#### Review the rule sets associated with a deployment + +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) or [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). +2. On the **Deployments** page, select your deployment. +3. Select the **Security** tab on the left-hand side menu bar. + +Traffic filter rule sets are listed under **Traffic filters**. + +On this page, you can view and remove existing filters and attach new filters. + +#### Identify default rule sets +To identify which rule sets are automatically applied to new deployments in your account: + +1. Navigate to the traffic filters list: + + ::::{tab-set} + :group: ech-ece + + :::{tab-item} {{ech}} + :sync: ech + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + 2. 
Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + 3. Under the **Features** tab, open the **Traffic filters** page. + ::: + :::{tab-item} {{ece}} + :sync: ece + 4. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). + 5. From the **Platform** menu, select **Security**. + ::: + :::: + +2. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region. + +#### View rejected requests + +Requests rejected by traffic filter have status code `403 Forbidden` and one of the following in the response body: + +```json +{"ok":false,"message":"Forbidden"} +``` + +```json +{"ok":false,"message":"Forbidden due to traffic filtering. Please see the Elastic documentation on Traffic Filtering for more information."} +``` + +Additionally, traffic filter rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field. \ No newline at end of file diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md index 3dd010e189..36cba5eb5d 100644 --- a/deploy-manage/security/private-link-traffic-filters.md +++ b/deploy-manage/security/private-link-traffic-filters.md @@ -2,6 +2,7 @@ applies_to: deployment: ess: ga +navigation_title: "Add private connections" --- # Private link traffic filters diff --git a/deploy-manage/security/secure-your-cluster-deployment.md b/deploy-manage/security/secure-your-cluster-deployment.md index 39fd4d9382..4225a7e637 100644 --- a/deploy-manage/security/secure-your-cluster-deployment.md +++ b/deploy-manage/security/secure-your-cluster-deployment.md 
@@ -5,9 +5,10 @@ applies_to: eck: all ece: all ess: all + serverless: all --- -# Secure your cluster or deployment +# Secure your cluster, deployment, or project It's important to protect your {{es}} cluster and the data it contains. Implementing an in-depth defense strategy provides multiple layers of security to help safeguard your system. @@ -23,7 +24,7 @@ It's important to protect your {{es}} cluster and the data it contains. Implemen You must secure [other {{stack}} components](/deploy-manage/security/secure-clients-integrations.md), as well as [client and integration communications](/deploy-manage/security/httprest-clients-security.md), separately. ::: -You can configure the following aspects of your Elastic cluster or deployment to maintain and enhance security: +You can configure the following aspects of your Elastic cluster, deployment, or project to maintain and enhance security: ## Initial security setup [manually-configure-security] diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index 56b3b33782..f5dc77d029 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md @@ -1,5 +1,5 @@ --- -navigation_title: Traffic filtering +navigation_title: Network security mapped_pages: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-traffic-filtering-deployment-configuration.html - https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-deployment-configuration.html 
@@ -10,116 +10,50 @@ applies_to: ece: ga eck: ga self: ga - serverless: unavailable + serverless: ga products: - id: cloud-enterprise - id: cloud-hosted + - id: cloud-kubernetes + - id: elasticsearch + - id: cloud-serverless --- -# Traffic filtering +# Network security -Traffic filtering allows you to limit how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. +Network security allows you to limit how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. -## Traffic filtering methods +## Network security methods Depending on your deployment type you can use different mechanisms to restrict traffic. ::::{note} -This section covers traffic filtering at the deployment level. If you need the IP addresses used by {{ech}} to configure them in your network firewalls, refer to [](./elastic-cloud-static-ips.md). +This section covers network security at the deployment level. If you need the IP addresses used by {{ech}} to configure them in your network firewalls, refer to [](./elastic-cloud-static-ips.md). You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-clusters.md) for use with cross-cluster replication or search. :::: | Filter type | Description | Applicable deployment types | | --- | --- | --- | -| [IP traffic filters](ip-traffic-filtering.md) | Filter traffic using IP addresses and Classless Inter-Domain Routing (CIDR) masks.

• [In ECH or ECE](/deploy-manage/security/ip-filtering-cloud.md)

• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | ECH, ECE, ECK, and self-managed clusters | -| [Private link filters](/deploy-manage/security/private-link-traffic-filters.md) | Allow traffic between {{es}} and other resources hosted by the same cloud provider using private link services. Choose the relevant option for your region:

• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)

• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)

• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only | +| [IP filters](ip-traffic-filtering.md) | Filter traffic using IP addresses and Classless Inter-Domain Routing (CIDR) masks.

• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)

• [In ECE](/deploy-manage/security/ip-filtering-ece.md)

• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters | +| [Private connections and VCPE filtering](/deploy-manage/security/private-link-traffic-filters.md) | Allow traffic between {{es}} and other resources hosted by the same cloud provider using private link services. Choose the relevant option for your region:

• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)

• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)

• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only | | [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only | :::{include} _snippets/eck-traffic-filtering.md ::: +## How security rules and policies work -## Traffic filter rules in ECE and ECH [traffic-filter-rules] -```{applies_to} - deployment: - ess: - ece: -``` - -% could be refined further - -By default, in {{ece}} and {{ech}}, all your deployments are accessible over the public internet. In {{ece}}, this assumes that your orchestrator's proxies are accessible. - -Filtering *rules* are grouped into *rule sets*, which in turn are *associated* with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied. - -Traffic filters apply to external traffic only. Internal traffic is managed by ECE or ECH. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters. - -Traffic filters operate on the proxy. Requests rejected by the traffic filters are not forwarded to the deployment. The proxy responds to the client with `403 Forbidden`. - -Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. - -Rule sets work as follows: - -- You can assign multiple rule sets to a single deployment. The rule sets can be of different types. In case of multiple rule sets, traffic can match ANY of them. If none of the rule sets match, the request is rejected with `403 Forbidden`. -- Traffic filter rule sets are bound to a single region. 
The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to. -- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments. -- Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others. -- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets. - -:::{admonition} Rule limits -In {{ech}}, you can have a maximum of 1024 rule sets per organization and 128 rules in each rule set. - -In {{ece}}, you can have a maximum of 512 rule sets per organization and 128 rules in each rule set. -::: - -### Tips - -This section offers suggestions on how to manage and analyze the impact of your traffic filters in ECH and ECE. - -#### Review the rule sets associated with a deployment - -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) or [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). -2. On the **Deployments** page, select your deployment. -3. Select the **Security** tab on the left-hand side menu bar. - -Traffic filter rule sets are listed under **Traffic filters**. - -On this page, you can view and remove existing filters and attach new filters. 
- -#### Identify default rule sets -To identify which rule sets are automatically applied to new deployments in your account: - -1. Navigate to the traffic filters list: - - ::::{tab-set} - :group: ech-ece - - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 4. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 5. From the **Platform** menu, select **Security**. - ::: - :::: - -2. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region. - -#### View rejected requests +By default, in {{serverless-full}}, {{ech}}, and {{ece}}, all your deployments are accessible over the public internet. After you associate at least one IP filtering rule with an {{ece}} deployment, or one network security policy with an {{ecloud}} deployment or project, traffic that does not match any rules or policies for the deployment or project is denied. -Requests rejected by traffic filter have status code `403 Forbidden` and one of the following in the response body: +For details about how these rules and policies interact with your deployment or project, other rules or policies, and the internet, refer to the topic for your deployment type: -```json -{"ok":false,"message":"Forbidden"} -``` +* [](network-security-policies.md) +* [](ece-filter-rules.md) -```json -{"ok":false,"message":"Forbidden due to traffic filtering. 
Please see the Elastic documentation on Traffic Filtering for more information."} -``` +:::{note} +For details about how IP filters and Kubernetes network policies impact your network, refer to the guide for the feature: -Additionally, traffic filter rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field. \ No newline at end of file +* [](/deploy-manage/security/ip-filtering-basic.md) +* [](/deploy-manage/security/k8s-network-policies.md) +::: \ No newline at end of file diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index de7e3bc74b..0461939f97 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -485,11 +485,12 @@ toc: - file: security/k8s-transport-settings.md - file: security/traffic-filtering.md children: + - file: security/network-security-policies.md + - file: security/ece-filter-rules.md - file: security/ip-traffic-filtering.md children: - file: security/ip-filtering-cloud.md - children: - - file: security/ec-traffic-filtering-through-the-api.md + - file: security/ip-filtering-ece.md - file: security/ip-filtering-basic.md - file: security/private-link-traffic-filters.md children: @@ -497,6 +498,7 @@ toc: - file: security/azure-private-link-traffic-filters.md - file: security/gcp-private-service-connect-traffic-filters.md - file: security/claim-traffic-filter-link-id-ownership-through-api.md + - file: security/ec-traffic-filtering-through-the-api.md - file: security/k8s-network-policies.md - file: security/elastic-cloud-static-ips.md - file: security/kibana-session-management.md From accbfcecda30ffd7fbe410dce60803cb19aefd25 Mon Sep 17 00:00:00 2001 
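Review bot: In ip-traffic-filtering.md, both `[Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api)` links drop the `.md` extension that every other cross-reference in the hunk carries (and that the same target gets in ip-filtering-ece.md as `ec-traffic-filtering-through-the-api.md`), which is likely to fail link resolution in the docs build; add the extension. In the same hunk, the ECE section's `[Traffic filter rules](/deploy-manage/security/traffic-filter-rules.md)` points at a page that nothing in this commit creates, while the toc hunk adds `security/ece-filter-rules.md` and `security/network-security-policies.md`, so `ece-filter-rules.md` looks like the intended target. Smaller points: the ECE section says "manage these policies" although ECE uses rules and rule sets, the Serverless and ECH section says policies are "applied at the deployment level" with no mention of projects, and the heading "ECK and self managed" should be hyphenated to match "self-managed clusters" in the body.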
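Review bot: The new network-security-policies.md is scoped `ess: ga` and `serverless: ga`, but its body still describes ECE throughout ("in {{ece}} and {{ech}}", "Internal traffic is managed by ECE or ECH", the 512 rule-set ECE limit, the Cloud UI login and the ECE tab under "Identify default rule sets") and never mentions serverless projects; move the ECE material to the ECE rules page and use "deployment or project" wording where serverless applies. In the ECE tab of "Identify default rule sets" the steps are numbered 4 and 5 instead of restarting at 1 as the ECH tab does, and the `% could be refined further` marker was carried over into the new file.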
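Review bot: In the traffic-filtering.md table, "Private connections and VCPE filtering" reads like a typo for VPCE (VPC endpoint); confirm the intended term, given that the linked page is titled "Private link traffic filters" and its new navigation_title is "Add private connections". The hunk also deletes the `[traffic-filter-rules]` anchor from this page, so any remaining `traffic-filtering.md#traffic-filter-rules` links in pages this commit does not touch will break; grep for them before merging. Finally, "After you associate at least one IP filtering rule with an {{ece}} deployment" should say "rule set": in ECE, rule sets, not individual rules, are associated with deployments, as the rest of the page describes.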
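Review bot: The toc.yml hunk adds `- file: security/ece-filter-rules.md`, but no diff in this commit creates that file (only network-security-policies.md is `new file mode`), so the tree at this commit fails the docs build until the page lands; add the page in the same commit or reorder the series. Moving `ec-traffic-filtering-through-the-api.md` out from under `ip-filtering-cloud.md` is consistent with the API guide now being linked from both the Serverless/ECH and ECE sections.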
From: shainaraskas Date: Sat, 14 Jun 2025 13:31:47 -0400 Subject: [PATCH 03/38] logic pages and ece pages cleanup --- deploy-manage/security/ece-filter-rules.md | 58 ++++------ deploy-manage/security/ip-filtering-ece.md | 88 +++------------ .../security/network-security-policies.md | 102 ++++++++++-------- deploy-manage/security/traffic-filtering.md | 2 +- 4 files changed, 95 insertions(+), 155 deletions(-) diff --git a/deploy-manage/security/ece-filter-rules.md b/deploy-manage/security/ece-filter-rules.md index 9519229754..85cbdbe2fe 100644 --- a/deploy-manage/security/ece-filter-rules.md +++ b/deploy-manage/security/ece-filter-rules.md 
@@ -2,45 +2,42 @@ navigation_title: How rules work in ECE applies_to: deployment: - ess: ga - serverless: ga + ece: ga --- # Traffic filter rules in {{ece}} -% could be refined further +By default, in {{ece}}, all your deployments are accessible over the public internet. This assumes that your orchestrator's proxies are accessible. -By default, in {{ece}} and {{ech}}, all your deployments are accessible over the public internet. In {{ece}}, this assumes that your orchestrator's proxies are accessible. +Filtering rules are created at the orchestrator level. Rules are grouped into rule sets, and then are associated with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied. -Filtering *rules* are grouped into *rule sets*, which in turn are *associated* with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied. - -Traffic filters apply to external traffic only. Internal traffic is managed by ECE or ECH. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters. +Traffic filters apply to external traffic only. Internal traffic is managed by ECE. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters. Traffic filters operate on the proxy. Requests rejected by the traffic filters are not forwarded to the deployment. The proxy responds to the client with `403 Forbidden`. -Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. 
+## Logic Rule sets work as follows: - You can assign multiple rule sets to a single deployment. The rule sets can be of different types. In case of multiple rule sets, traffic can match ANY of them. If none of the rule sets match, the request is rejected with `403 Forbidden`. -- Traffic filter rule sets are bound to a single region. The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to. -- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments. + - Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others. + - Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets. -:::{admonition} Rule limits -In {{ech}}, you can have a maximum of 1024 rule sets per organization and 128 rules in each rule set. +- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments. + +## Restrictions -In {{ece}}, you can have a maximum of 512 rule sets per organization and 128 rules in each rule set. 
-::: +- You can have a maximum of 512 rule sets per organization and 128 rules in each rule set. -### Tips +- Traffic filter rule sets are bound to a single region. The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to. -This section offers suggestions on how to manage and analyze the impact of your traffic filters in ECH and ECE. +- Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. -#### Review the rule sets associated with a deployment +## Review the rule sets associated with a deployment -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) or [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). +1. Log in to the [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). 2. On the **Deployments** page, select your deployment. 3. Select the **Security** tab on the left-hand side menu bar. 
@@ -48,30 +45,17 @@ Traffic filter rule sets are listed under **Traffic filters**. On this page, you can view and remove existing filters and attach new filters. -#### Identify default rule sets -To identify which rule sets are automatically applied to new deployments in your account: +## Identify default rule sets -1. Navigate to the traffic filters list: +To identify which rule sets are automatically applied to new deployments in your account: - ::::{tab-set} - :group: ech-ece +1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 4. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 5. From the **Platform** menu, select **Security**. - ::: - :::: +2. From the **Platform** menu, select **Security**. -2. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region. +3. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region. -#### View rejected requests +## View rejected requests Requests rejected by traffic filter have status code `403 Forbidden` and one of the following in the response body: diff --git a/deploy-manage/security/ip-filtering-ece.md b/deploy-manage/security/ip-filtering-ece.md index 68f497fb97..223b8a7099 100644 --- a/deploy-manage/security/ip-filtering-ece.md +++ b/deploy-manage/security/ip-filtering-ece.md 
@@ -17,7 +17,7 @@ You can only configure ingress or inbound IP filters**. These restrict access to Follow the step described here to set up ingress or inbound IP filters through the Cloud UI. -To learn how traffic filter rules work together, refer to [traffic filter rules](/deploy-manage/security/traffic-filtering.md#traffic-filter-rules). +To learn how traffic filter rules work together, refer to [](ece-filter-rules.md). To learn how to manage IP traffic filters using the Traffic Filtering API, refer to [](/deploy-manage/security/ec-traffic-filtering-through-the-api.md). @@ -28,14 +28,8 @@ To learn how to create IP filters for self-managed clusters or {{eck}} deploymen ::: ## Prerequisites -```{applies_to} -deployment: - ece: -``` -On {{ece}}, make sure your [load balancer](/deploy-manage/deploy/cloud-enterprise/ece-load-balancers.md) handles the `X-Forwarded-For` header appropriately for HTTP requests to prevent IP address spoofing. Make sure the proxy protocol v2 is enabled for HTTP and transport protocols (9243 and 9343). - -This step is not required in {{ech}}. +Make sure your [load balancer](/deploy-manage/deploy/cloud-enterprise/ece-load-balancers.md) handles the `X-Forwarded-For` header appropriately for HTTP requests to prevent IP address spoofing. Make sure the proxy protocol v2 is enabled for HTTP and transport protocols (9243 and 9343). ## Apply an IP filter to a deployment 
@@ -47,35 +41,19 @@ You can combine any rules into a set, so we recommend that you group rules accor To create a rule set: -1. Navigate to the traffic filters list: - - ::::{tab-set} - :group: ech-ece - - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 2. From the **Platform** menu, select **Security**. - ::: - :::: - -2. Select **Create filter**. -3. Select **IP filtering rule set**. -4. Create your rule set, providing a meaningful name and description. -5. Select the region for the rule set. -6. Select if this rule set should be automatically attached to new deployments. +1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). +2. From the **Platform** menu, select **Security**. +3. Select **Create filter**. +4. Select **IP filtering rule set**. +5. Create your rule set, providing a meaningful name and description. +6. Select the region for the rule set. +7. Select if this rule set should be automatically attached to new deployments. ::::{note} Each rule set is bound to a particular region and can be only assigned to deployments in the same region. :::: -7. Add one or more rules using IPv4, or a range of addresses with CIDR. +8. Add one or more rules using IPv4, or a range of addresses with CIDR. ::::{note} DNS names are not supported in rules. 
@@ -102,26 +80,10 @@ If you want to remove any traffic restrictions from a deployment or delete a rul You can edit a rule set name or change the allowed traffic sources using IPv4, or a range of addresses with CIDR. -1. Navigate to the traffic filters list: - - ::::{tab-set} - :group: ech-ece - - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 2. From the **Platform** menu, select **Security**. - ::: - :::: - +1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). +2. From the **Platform** menu, select **Security**. 2. Find the rule set you want to edit. -5. Select the **Edit** icon. +3. Select the **Edit** icon. ## Delete an IP filter rule set 
@@ -131,23 +93,7 @@ If you need to remove a rule set, you must first remove any associations with de To delete a rule set with all its rules: 1. [Remove any deployment associations](#remove-filter-deployment). -1. Navigate to the traffic filters list: - - ::::{tab-set} - :group: ech-ece - - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 2. From the **Platform** menu, select **Security**. - ::: - :::: - -3. Find the rule set you want to edit. -4. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set. \ No newline at end of file +2. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). +3. From the **Platform** menu, select **Security**. +4. Find the rule set you want to edit. +5. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set. \ No newline at end of file diff --git a/deploy-manage/security/network-security-policies.md b/deploy-manage/security/network-security-policies.md index 91f3624d7a..35aa8296d4 100644 --- a/deploy-manage/security/network-security-policies.md +++ b/deploy-manage/security/network-security-policies.md 
@@ -6,74 +6,84 @@ applies_to: serverless: ga --- -# Network security policies in {{ecloud}} [traffic-filter-rules] +# Network security policies in {{ecloud}} -% could be refined further +By default, in {{ech}} and {{serverless-full}}, all your deployments are accessible over the public internet. -By default, in {{ece}} and {{ech}}, all your deployments are accessible over the public internet. In {{ece}}, this assumes that your orchestrator's proxies are accessible. +Network security policies are created at the organization level, and then are associated with one or more resources, such as a deployment or project, to take effect. After you associate at least one policy with a resource, traffic that does not match the policy or any other policy associated with the resource is denied. -Filtering *rules* are grouped into *rule sets*, which in turn are *associated* with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied. +Policies apply to external traffic only. Internal traffic is managed by the deployment or project. For example, in {{ech}}, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment, Other deployments can’t connect to deployments protected by network security policies. -Traffic filters apply to external traffic only. Internal traffic is managed by ECE or ECH. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters. +Policies operate on the proxy. Requests rejected by the policies are not forwarded to the resource. The proxy responds to the client with `403 Forbidden`. -Traffic filters operate on the proxy. Requests rejected by the traffic filters are not forwarded to the deployment. The proxy responds to the client with `403 Forbidden`. 
+## Logic -Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. +- You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. -Rule sets work as follows: +- Policies, when associated with a deployment or project, will apply to all endpoints, such as {{es}}, {{kib}}, APM Server, and others. -- You can assign multiple rule sets to a single deployment. The rule sets can be of different types. In case of multiple rule sets, traffic can match ANY of them. If none of the rule sets match, the request is rejected with `403 Forbidden`. -- Traffic filter rule sets are bound to a single region. The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to. -- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments. -- Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others. -- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. 
You can use the UI to adjust or remove the rule sets. +- Any policy assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, if you specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the policies. -:::{admonition} Rule limits -In {{ech}}, you can have a maximum of 1024 rule sets per organization and 128 rules in each rule set. +- You can [mark a policy as default](#default-network-security-policies). Default policies are automatically attached to all new resources of the matching resource type that you create in its region. -In {{ece}}, you can have a maximum of 512 rule sets per organization and 128 rules in each rule set. -::: +## Restrictions + +- You can have a maximum of 1024 policies per organization and 128 sources in each policy. +- Policies must be created for a specific resource type. If you want to associate a policy to both hosted deployments and Serverless projects, then you have to create the same policy for each resource types. +- Policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. +- Domain-based filtering rules are not allowed for network security policies, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. + +## Default network security policies + +You can mark a policy as default. Default policies are automatically attached to all new resources of the matching resource type that you create in its region. -### Tips +You can detach default policies from resources after they are created. 
Default policies are not automatically attached to existing resources. -This section offers suggestions on how to manage and analyze the impact of your traffic filters in ECH and ECE. +### Apply policies to new resources by default -#### Review the rule sets associated with a deployment +To automatically apply a network security policy to new resources by default new deployments or projects in your organization: -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) or [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). -2. On the **Deployments** page, select your deployment. -3. Select the **Security** tab on the left-hand side menu bar. +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. +4. Select **Create** to create a new policy, or select **Edit** to open an existing policy. +5. Under **Apply to future resources by default**, select **Include by default**. -Traffic filter rule sets are listed under **Traffic filters**. +### Identify default policies -On this page, you can view and remove existing filters and attach new filters. +To identify which network security policies are automatically applied to new deployments or projects in your organization: -#### Identify default rule sets -To identify which rule sets are automatically applied to new deployments in your account: +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. +4. Select each of the policies. **Include by default** is checked when a policy is automatically applied to all new deployments or projects in its region. + +## Review the policies associated with a resource -1. 
Navigate to the traffic filters list: +To identify the network security policies that are applied to your deployment or project: - ::::{tab-set} - :group: ech-ece +::::{tab-set} +:::{tab-item} Serverless +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. On the **Serverless projects** page, select your project. +3. Select the **Network security** tab on the left-hand side menu bar. - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 4. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 5. From the **Platform** menu, select **Security**. - ::: - :::: +Network security policies are listed on the page. From this page, you can view and remove existing policies and attach new policies. -2. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region. +::: +:::{tab-item} Hosted +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. On the **Hosted deployments** page, select your deployment. +3. Select the **Network security** tab on the left-hand side menu bar. +4. Select the **Security** tab on the left-hand side menu bar. + +Network security policies are listed under **Network security**. From this section, you can view and remove existing policies and attach new policies. 
+::: +:::: -#### View rejected requests +## View rejected requests -Requests rejected by traffic filter have status code `403 Forbidden` and one of the following in the response body: +Requests rejected by a network security policy have the status code `403 Forbidden` and one of the following in the response body: ```json {"ok":false,"message":"Forbidden"} @@ -83,4 +93,4 @@ Requests rejected by traffic filter have status code `403 Forbidden` and one of {"ok":false,"message":"Forbidden due to traffic filtering. Please see the Elastic documentation on Traffic Filtering for more information."} ``` -Additionally, traffic filter rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field. \ No newline at end of file +Additionally, network security policy rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field. \ No newline at end of file diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index f5dc77d029..0c49eda868 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md @@ -52,7 +52,7 @@ For details about how these rules and policies interact with your deployment or * [](ece-filter-rules.md) :::{note} -For details about how IP filters and Kubernetes network policies impact your network, refer to the guide for the feature: +For details about how basic IP filters and Kubernetes network policies impact your cluster, refer to the guide for the feature: * [](/deploy-manage/security/ip-filtering-basic.md) * [](/deploy-manage/security/k8s-network-policies.md) From 3f704b20661ec7d59bf7fd3c782f12ff8645b29c Mon Sep 17 00:00:00 2001 
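Review bot: the edit procedure in the `@@ -102,26 +80,10 @@` hunk ends up with two steps numbered 2: the new `+2. From the **Platform** menu, select **Security**.` is immediately followed by the retained ` 2. Find the rule set you want to edit.`, and the Edit step was renumbered to `+3.` instead of 4. Renumber the retained line to 3 and the Edit step to 4, as the delete procedure in the next hunk already does.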
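Review bot: in the `@@ -131,23 +93,7 @@` hunk, `+4. Find the rule set you want to edit.` sits inside the delete procedure and was carried over from the edit section; it should read "delete". The file also still ends with `\ No newline at end of file`; since the last lines are being rewritten anyway, add the trailing newline.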
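Review bot: the Hosted tab in the `@@ -6,74 +6,84 @@` hunk of network-security-policies.md gives two contradictory navigation steps, `+3. Select the **Network security** tab on the left-hand side menu bar.` followed by `+4. Select the **Security** tab on the left-hand side menu bar.`; the closing sentence says the policies are listed under **Network security**, so step 3 looks copied from the Serverless tab and should be dropped with step 4 renumbered. Other points in the same hunk: the explicit anchor `[traffic-filter-rules]` is removed from the page heading, which breaks any inbound link to it, so keep the anchor or add a redirect; `+To automatically apply a network security policy to new resources by default new deployments or projects in your organization:` repeats itself and should read "to new deployments or projects in your organization by default"; the new paragraph `which manage the deployment, Other deployments can't connect` needs a full stop before "Other"; `+... create the same policy for each resource types.` should be "each resource type"; and the Logic bullet on default policies restates the new "Default network security policies" section word for word, so one of the two can go.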
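Review bot: `+Additionally, network security policy rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`.` in the `@@ -83,4 +93,4 @@` hunk still points at ECE proxy logs, but the first hunk of this file rescopes the page to {{ech}} and {{serverless-full}} and deletes the {{ece}} sentences. Either move this paragraph to the ECE page or say where ECH and Serverless users can find rejected requests, since the 403 response body alone does not give a defender the client address. Grammar: "provide the client IP in the `client_ip` field".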
From: shainaraskas Date: Sat, 14 Jun 2025 13:34:02 -0400 Subject: [PATCH 04/38] cleanup --- deploy-manage/security/ip-filtering-cloud.md | 90 ++++---------------- 1 file changed, 18 insertions(+), 72 deletions(-) diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index e463b70323..d2b67ecc7c 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -35,16 +35,6 @@ To learn how to create IP filters for {{ece}} deployments, refer to [](ip-filter To learn how to create IP filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md). ::: -## Prerequisites -```{applies_to} -deployment: - ece: -``` - -On {{ece}}, make sure your [load balancer](/deploy-manage/deploy/cloud-enterprise/ece-load-balancers.md) handles the `X-Forwarded-For` header appropriately for HTTP requests to prevent IP address spoofing. Make sure the proxy protocol v2 is enabled for HTTP and transport protocols (9243 and 9343). - -This step is not required in {{ech}}. - ## Apply an IP filter to a deployment To apply an IP filter to a deployment, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment. 
@@ -55,35 +45,21 @@ You can combine any rules into a set, so we recommend that you group rules accor To create a rule set: -1. Navigate to the traffic filters list: - - ::::{tab-set} - :group: ech-ece - - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 2. From the **Platform** menu, select **Security**. - ::: - :::: -2. Select **Create filter**. -3. Select **IP filtering rule set**. -4. Create your rule set, providing a meaningful name and description. -5. Select the region for the rule set. -6. Select if this rule set should be automatically attached to new deployments. +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. +3. Under the **Features** tab, open the **Traffic filters** page. +4. Select **Create filter**. +5. Select **IP filtering rule set**. +6. Create your rule set, providing a meaningful name and description. +7. Select the region for the rule set. +8. Select if this rule set should be automatically attached to new deployments. ::::{note} Each rule set is bound to a particular region and can be only assigned to deployments in the same region. :::: -7. Add one or more rules using IPv4, or a range of addresses with CIDR. +9. Add one or more rules using IPv4, or a range of addresses with CIDR. ::::{note} DNS names are not supported in rules. 
@@ -110,25 +86,10 @@ If you want to remove any traffic restrictions from a deployment or delete a rul You can edit a rule set name or change the allowed traffic sources using IPv4, or a range of addresses with CIDR. -1. Navigate to the traffic filters list: - - ::::{tab-set} - :group: ech-ece - - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 2. From the **Platform** menu, select **Security**. - ::: - :::: - -2. Find the rule set you want to edit. +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. +3. Under the **Features** tab, open the **Traffic filters** page. +4. Find the rule set you want to edit. 5. Select the **Edit** icon. 
@@ -139,23 +100,8 @@ If you need to remove a rule set, you must first remove any associations with de To delete a rule set with all its rules: 1. [Remove any deployment associations](#remove-filter-deployment). -1. Navigate to the traffic filters list: - - ::::{tab-set} - :group: ech-ece - - :::{tab-item} {{ech}} - :sync: ech - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - 3. Under the **Features** tab, open the **Traffic filters** page. - ::: - :::{tab-item} {{ece}} - :sync: ece - 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). - 2. From the **Platform** menu, select **Security**. - ::: - :::: - -3. Find the rule set you want to edit. -4. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set. \ No newline at end of file +2. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +3. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. +4. Under the **Features** tab, open the **Traffic filters** page. +5. Find the rule set you want to edit. +6. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set. \ No newline at end of file From d8dac259f4d89490fb6ed41cc733b192b32701c6 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Sat, 14 Jun 2025 17:10:33 -0400 Subject: [PATCH 05/38] ip filtering procedures fixed --- deploy-manage/security/ip-filtering-cloud.md | 153 +++++++++++++----- .../security/network-security-policies.md | 3 - 2 files changed, 109 insertions(+), 47 deletions(-) diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index d2b67ecc7c..b8d8364c9b 100644 
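Review bot: the Prerequisites block removed in the `@@ -35,16 +35,6 @@` hunk (`-On {{ece}}, make sure your [load balancer](...) handles the `X-Forwarded-For` header appropriately for HTTP requests to prevent IP address spoofing.` and the proxy protocol v2 requirement for ports 9243 and 9343) is the control that stops ECE IP filters from being bypassed by a forged source address. The context line above it still sends ECE users to the `[](ip-filter…)` page, so confirm that this text is carried over there in this series rather than lost; without it the ECE guidance has no anti-spoofing prerequisite.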
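Review bot: in the `@@ -139,23 +100,8 @@` hunk, `+5. Find the rule set you want to edit.` belongs to the delete procedure and should say "delete" (same carry-over as in the ECE page earlier in this series). The file still ends with `\ No newline at end of file`; add the trailing newline while these lines are being rewritten.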
--- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -21,9 +21,9 @@ Traffic filtering, by IP address or CIDR block, is one of the security layers av There are types of filters are available for filtering by IP address or CIDR block: * **Ingress or inbound IP filters**: These restrict access to your deployments from a set of IP addresses or CIDR blocks. These filters are available through the UI. -* **Egress or outbound IP filters** (ECH only): These restrict the set of IP addresses or CIDR blocks accessible from your deployment. These might be used to restrict access to a certain region or service. This feature is in beta and is currently only available through the [Traffic Filtering API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md). +* **Egress or outbound IP filters**: These restrict the set of IP addresses or CIDR blocks accessible from your deployment. These might be used to restrict access to a certain region or service. This feature is in beta and is currently only available through the [Traffic Filtering API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md). -Follow the step described here to set up ingress or inbound IP filters through the {{ecloud}} Console or Cloud UI. +Follow the step described here to set up ingress or inbound IP filters through the {{ecloud}} Console. To learn how traffic filter rules work together, refer to [traffic filter rules](/deploy-manage/security/traffic-filtering.md#traffic-filter-rules). 
@@ -35,73 +35,138 @@ To learn how to create IP filters for {{ece}} deployments, refer to [](ip-filter To learn how to create IP filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md). ::: -## Apply an IP filter to a deployment +## Apply an IP filter to a deployment or project -To apply an IP filter to a deployment, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment. +To apply an IP filter to a deployment or project, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment. -### Step 1: Create an IP filter rule set +### Step 1: Create an IP filter policy -You can combine any rules into a set, so we recommend that you group rules according to what they allow, and make sure to label them accordingly. Since multiple sets can be applied to a deployment, you can be as granular in your sets as you feel is necessary. - -To create a rule set: +You can combine multiple IP address and CIDR block traffic sources into a single IP filter policy, so we recommend that you group sources according to what they allow, and make sure to label them accordingly. Because multiple sets can be applied to a deployment, you can be as granular in your policies as you feel is necessary. +To create an IP filter policy: 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. -3. Under the **Features** tab, open the **Traffic filters** page. -4. Select **Create filter**. -5. Select **IP filtering rule set**. -6. Create your rule set, providing a meaningful name and description. -7. Select the region for the rule set. -8. Select if this rule set should be automatically attached to new deployments. +2. 
From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. + % From the left navigation menu, select **Access and security** > **Network security**. +4. Select **Create** > **IP filter**. +5. Select the resource type that the IP filter will be applied to: either hosted deployments or serverless projects. +6. Select the cloud provider and region for the filter. + + :::{tip} + Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. + ::: +7. Add a meaningful name and description for the filter. +8. Under **Access control**, select whether the filter should be applied to ingress or egress traffic. Currently, only ingress traffic filters are supported. +9. Add one or more allowed sources using IPv4, or a range of addresses with CIDR. ::::{note} - Each rule set is bound to a particular region and can be only assigned to deployments in the same region. + DNS names are not supported in network security policies. :::: +10. Optional: Under **Apply to resources**, associate the new filter with one or more deployments or projects. After you associate the filter with a deployment or project, it starts filtering traffic. +11. To automatically attach this IP filter policy to new deployments or projects, select **Apply by default**. +12. Click **Create**. -9. Add one or more rules using IPv4, or a range of addresses with CIDR. +### Step 2: Associate an IP filter policy with your deployment or project - ::::{note} - DNS names are not supported in rules. - :::: +You can associate an IP filter policy with your deployment or project from the policy's settings, or from your deployment or project's settings. 
After you associate the filter with a deployment or project, it starts filtering traffic. -### Step 2: Associate an IP filter rule set with your deployment +#### From your deployment or project -After you’ve created the rule set, you’ll need to associate IP filter rules with your deployment: +::::{tab-set} +:group: hosted-serverless -1. Go to the deployment. -2. On the **Security** page, under **Traffic filters**, select **Apply filter**. -3. Choose the filter you want to apply and select **Apply filter**. +:::{tab-item} Serverless project +:sync: serverless -At this point, the traffic filter is active. You can remove or edit it at any time. +1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. -## Remove an IP filter rule set association from your deployment [remove-filter-deployment] + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Network security** page, select **Apply policies** > **IP filter**. +3. Choose the filter you want to apply and select **Apply filter**. +::: -If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI: +:::{tab-item} Hosted deployment +:sync: hosted -1. Go to the deployment. -2. On the **Security** page, under **Traffic filters** select **Remove**. +1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. 
On the **Security** page, under **Network security**, select **Apply policies** > **IP filter**. +3. Choose the filter you want to apply and select **Apply filter**. +::: -## Edit an IP filter rule set +:::: -You can edit a rule set name or change the allowed traffic sources using IPv4, or a range of addresses with CIDR. +#### From the IP filter policy settings 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. -3. Under the **Features** tab, open the **Traffic filters** page. -4. Find the rule set you want to edit. -5. Select the **Edit** icon. +3. Under the **Features** tab, open the **Network security** page. + % From the left navigation menu, select **Access and security** > **Network security**. +5. Find the filter you want to edit. +6. Under **Apply to resources**, associate the new filter with one or more deployments or projects. +7. Click **Update** to save your changes. + +## Remove an IP filter policy from your deployment or project [remove-filter-deployment] + +If you want to a specific IP filter policy from a deployment or project, or delete the policy, you’ll need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. To remove an association through the UI: + +#### From your deployment or project +::::{tab-set} +:group: hosted-serverless +:::{tab-item} Serverless project +:sync: serverless +1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. 
On the **Network security** page, find the IP filter policy that you want to disconnect. +3. Under **Actions**, click the **Delete** icon. +::: +:::{tab-item} Hosted deployment +:sync: hosted +1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect. +3. Under **Actions**, click the **Delete** icon. +::: +:::: + +#### From the IP filter policy settings + +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. + % From the left navigation menu, select **Access and security** > **Network security**. +5. Find the policy you want to edit, then click the **Edit** icon. +6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect. +7. Click **Update** to save your changes. + +## Edit an IP filter policy + +You can edit an IP filter policy's name or description, change the allowed traffic sources, and change the associated resources, and more. + +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. + % From the left navigation menu, select **Access and security** > **Network security**. +4. Find the policy you want to edit, then click the **Edit** icon. +5. Click **Update** to save your changes. 
+ +:::{tip} +You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. +::: -## Delete an IP filter rule set +## Delete an IP filter policy -If you need to remove a rule set, you must first remove any associations with deployments. +If you need to remove a policy, you must first remove any associations with deployments. -To delete a rule set with all its rules: +To delete a policy: -1. [Remove any deployment associations](#remove-filter-deployment). -2. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -3. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. -4. Under the **Features** tab, open the **Traffic filters** page. -5. Find the rule set you want to edit. -6. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set. \ No newline at end of file +1. [Remove any associations](#remove-filter-deployment). +2. From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. + % From the left navigation menu, select **Access and security** > **Network security**. +4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy. \ No newline at end of file diff --git a/deploy-manage/security/network-security-policies.md b/deploy-manage/security/network-security-policies.md index 35aa8296d4..064463f363 100644 --- a/deploy-manage/security/network-security-policies.md +++ b/deploy-manage/security/network-security-policies.md 
@@ -19,11 +19,8 @@ Policies operate on the proxy. Requests rejected by the policies are not forward ## Logic - You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. - - Policies, when associated with a deployment or project, will apply to all endpoints, such as {{es}}, {{kib}}, APM Server, and others. - - Any policy assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, if you specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the policies. - - You can [mark a policy as default](#default-network-security-policies). Default policies are automatically attached to all new resources of the matching resource type that you create in its region. ## Restrictions From 43e9fd8a7ee8ca64293bbf921ad83e941ecbf7d7 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 00:14:54 -0400 Subject: [PATCH 06/38] more --- .../security/aws-privatelink-traffic-filters.md | 2 ++ .../security/azure-private-link-traffic-filters.md | 2 ++ .../gcp-private-service-connect-traffic-filters.md | 2 ++ .../security/private-link-traffic-filters.md | 12 ++++++++---- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index f9fa308070..00b0413863 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md 
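Review bot: `+* **Egress or outbound IP filters**: ... This feature is in beta and is currently only available through the [Traffic Filtering API](...)` in the `@@ -21,9 +21,9 @@` hunk of ip-filtering-cloud.md conflicts with step 8 added later in the same patch, `Currently, only ingress traffic filters are supported.`; decide which statement is accurate and make the two agree. In the same hunk, the context line `There are types of filters are available` should read "Two types of filters are available", and `+Follow the step described here` should be "steps".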
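Review bot: the `@@ -35,73 +35,138 @@` hunk of ip-filtering-cloud.md has a copy-paste error in both Serverless tabs: `+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters.` appears under `+1. Find your project on the home page or on the **Serverless projects** page`, in the associate section and again in the remove section; drop it or reword it for projects. Further points in the hunk: `+To apply an IP filter to a deployment or project, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment.` keeps the old "rule set" and "platform level" wording after the heading was renamed to "IP filter policy" and should end with "deployment or project"; both "From the IP filter policy settings" procedures are numbered 1, 2, 3, 5, 6, 7 with no step 4, and the first of them starts with `+2. Find your deployment on the home page or on the **Hosted deployments** page` while every other procedure here uses "From any deployment or project on the home page, select **Manage**"; `+If you want to a specific IP filter policy from a deployment or project` is missing "remove"; `% From the left navigation menu, select **Access and security** > **Network security**.` is left as a commented-out alternative in five places and should be settled on one path before merge; and in the delete section `+4. Find the policy you want to edit, then click the **Delete** icon.` should say "delete" and `+If you need to remove a policy, you must first remove any associations with deployments.` should cover projects too. One safety point: step 10 associates the policy at creation time and states that it starts filtering immediately, and network-security-policies.md in this series warns that a wrong source locks the deployment down to all of your traffic, so a short tip before step 10 to confirm that the address you are connecting from is among the allowed sources would prevent self-lockout.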
@@ -5,8 +5,10 @@ mapped_pages: applies_to: deployment: ess: ga + serverless: ga products: - id: cloud-hosted + - id: cloud-serverless --- # AWS PrivateLink traffic filters diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index f8331fb0b9..8a3537e849 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md @@ -5,8 +5,10 @@ mapped_pages: applies_to: deployment: ess: ga + serverless: ga products: - id: cloud-hosted + - id: cloud-serverless --- # Azure Private Link traffic filters diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index f4c9a29903..6b744f4703 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -5,8 +5,10 @@ mapped_pages: applies_to: deployment: ess: ga + serverless: ga products: - id: cloud-hosted + - id: cloud-serverless --- # GCP Private Service Connect traffic filters diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md index 36cba5eb5d..5a51e0d51b 100644 --- a/deploy-manage/security/private-link-traffic-filters.md +++ b/deploy-manage/security/private-link-traffic-filters.md 
@@ -2,12 +2,16 @@ applies_to: deployment: ess: ga + serverless: ga navigation_title: "Add private connections" +products: + - id: cloud-hosted + - id: cloud-serverless --- -# Private link traffic filters +# Private connections -In {{ech}}, you can allow traffic between {{es}} and other resources hosted by the same cloud provider using private link services. +In {{ech}} and {{serverless-full}}, you can allow traffic between {{es}} and other virtual private cloud (VCP) endpoints hosted by the same cloud provider by setting up a private connection using that provider's private link service. You can also optionally further filter that cloud provider's traffic using VCP filters. Choose the relevant option for your cloud service provider: @@ -17,8 +21,8 @@ Choose the relevant option for your cloud service provider: | Azure | [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md) | | GCP | [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | -After you set up your private link, you can [claim ownership of your filter link ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md) to prevent other organizations from using it in a traffic filter ruleset. +After you set up your private connection, you can [claim ownership of your filter link ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md) to prevent other organizations from using it. :::{tip} -{{ech}} also supports [IP traffic filters](/deploy-manage/security/ip-filtering-cloud.md). +{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. ::: From 94637e1298359ad3813270b3a6d42ed17fc7d1b0 Mon Sep 17 00:00:00 2001 
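Review bot: in the `private-link-traffic-filters.md` hunk, the new intro paragraph expands the acronym as "virtual private cloud (VCP) endpoints" and then refers to "VCP filters"; the acronym is VPC, and the AWS page in this series calls the resource a "VPC endpoint". Suggest "virtual private cloud (VPC) endpoints" and "VPC endpoint filters" so the term matches the provider pages and the rest of the series.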
From: shainaraskas Date: Mon, 16 Jun 2025 16:52:00 -0400 Subject: [PATCH 07/38] more --- .../aws-privatelink-traffic-filters.md | 25 +++++++++---------- deploy-manage/security/ip-filtering-cloud.md | 2 +- .../security/private-link-traffic-filters.md | 6 +++-- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 00b0413863..f9f23aa50d 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md 
@@ -11,30 +11,29 @@ products: - id: cloud-serverless --- -# AWS PrivateLink traffic filters +# AWS PrivateLink private connections -Traffic filtering to only AWS PrivateLink connections is one of the security layers available in {{ech}}. It allows you to limit how your deployments can be accessed. +You can use AWS PrivateLink to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other AWS services. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. In these configurations, {{ecloud}} is the third-party service provider and the customers are service consumers. -Refer to [](/deploy-manage/security/traffic-filtering.md) to learn more about traffic filtering in {{ech}}, and how traffic filter rules work. +You can also optionally filter traffic to your deployments and projects by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment or project to the VCPE specified in the policy, as well as any other policies applied to the deployment or project. -AWS PrivateLink establishes a secure connection between two AWS Virtual Private Clouds (VPCs). The VPCs can belong to separate accounts, i.e. a service provider and its service consumers. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers. - -PrivateLink is a connection between a VPC Endpoint and a PrivateLink Service. - -Read more about [Traffic Filtering](/deploy-manage/security/traffic-filtering.md) for the general concepts behind traffic filtering in {{ecloud}}. +To learn how private connection policies impact your deployment or project, refer to [](/deploy-manage/security/network-security-policies.md). 
+:::{tip} +{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. +::: ## Considerations Before you begin, review the following considerations: -### PrivateLink filtering and regions +### Private connections and regions -AWS PrivateLink filtering is supported only for AWS regions. Elastic does not yet support cross-region AWS PrivateLink connections. Your PrivateLink endpoint needs to be in the same region as your target deployments. Additional details can be found in the [AWS VPCE Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations). +Private connections over AWS PrivateLink are only supported only for AWS regions. Elastic does not yet support cross-region AWS PrivateLink connections. Your PrivateLink endpoint needs to be in the same region as your target deployments or projects. Additional details can be found in the [AWS VPCE Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations). -AWS interface VPC endpoints are configured for one or more availability zones (AZ). In some regions, our VPC endpoint *service* is not present in all the possible AZs that a region offers. You can only choose AZs that are common on both sides. As the *names* of AZs (for example `us-east-1a`) differ between AWS accounts, the following list of AWS regions shows the *ID* (e.g. `use1-az4`) of each available AZ for the service. +AWS interface virtual private connection (VPC) endpoints are configured for one or more availability zones (AZ). In some regions, our VPC endpoint service is not present in all the possible AZs that a region offers. You can only choose AZs that are common on both sides. As the names of AZs (for example `us-east-1a`) differ between AWS accounts, the following list of AWS regions shows the ID (e.g. 
`use1-az4`) of each available AZ for the service. -Check [interface endpoint availability zone considerations](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-availability-zones) for more details. +Refer to [interface endpoint availability zone considerations](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-availability-zones) for more details. ### Availability zones @@ -42,7 +41,7 @@ Elastic [charges](/deploy-manage/cloud-organization/billing/cloud-hosted-deploym On the customer VPC side, the inter-availability zone data transfer, within the same AWS region, towards AWS PrivateLink endpoints, [is free of charge](https://aws.amazon.com/about-aws/whats-new/2022/04/aws-data-transfer-price-reduction-privatelink-transit-gateway-client-vpn-services/). As a result, you do not incur charges for cross-AZ data transfer within your VPC when the target is the AWS Privatelink {{ecloud}} service endpoint. We recommend you set up the VPC endpoints in all supported {{ecloud}} AZs for a particular region for maximum traffic throughput and resiliency. -If Elastic and your VPC overlap in two AZs or less, you can create subnets and VPC PrivateLink endpoints in your VPC within the same availability zones where Elastic PrivateLink service has presence. +If Elastic and your VPC overlap in two AZs or less, you can create subnets and VPC PrivateLink endpoints in your VPC within the same availability zones where the Elastic PrivateLink service is present. ### Transport client diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index b8d8364c9b..841ede7310 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md 
@@ -25,7 +25,7 @@ There are types of filters are available for filtering by IP address or CIDR blo Follow the step described here to set up ingress or inbound IP filters through the {{ecloud}} Console. -To learn how traffic filter rules work together, refer to [traffic filter rules](/deploy-manage/security/traffic-filtering.md#traffic-filter-rules). +To learn how IP filter policies work together, and alongside [private connection policies](private-link-traffic-filters.md), refer to [](/deploy-manage/security/network-security-policies.md). To learn how to manage IP traffic filters using the Traffic Filtering API, refer to [](/deploy-manage/security/ec-traffic-filtering-through-the-api.md). diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md index 5a51e0d51b..cadf711953 100644 --- a/deploy-manage/security/private-link-traffic-filters.md +++ b/deploy-manage/security/private-link-traffic-filters.md @@ -11,7 +11,7 @@ products: # Private connections -In {{ech}} and {{serverless-full}}, you can allow traffic between {{es}} and other virtual private cloud (VCP) endpoints hosted by the same cloud provider by setting up a private connection using that provider's private link service. You can also optionally further filter that cloud provider's traffic using VCP filters. +A private connection is a secure way for your {{ecloud}} deployments and projects to communicate with other cloud provider services over your cloud provider's private network. You can create a virtual private connection endpoint (VCPE) using your provider's private link service. You can also optionally filter traffic to your deployments and projects by creating ingress filters for your VCPE in {{ecloud}}. Choose the relevant option for your cloud service provider: 
@@ -21,7 +21,9 @@ Choose the relevant option for your cloud service provider: | Azure | [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md) | | GCP | [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | -After you set up your private connection, you can [claim ownership of your filter link ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md) to prevent other organizations from using it. +After you set up your private connection, you can [claim ownership of your VCPE ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md) to prevent other organizations from using it. + +To learn how private connection policies work, how they affect your deployment, and how they interact with [IP filter policies](ip-filtering-cloud.md), refer to [](/deploy-manage/security/network-security-policies.md). :::{tip} {{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. From 8e2e5ea8135284441b9681ebad7e56e0483b6634 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 18:05:31 -0400 Subject: [PATCH 08/38] more --- .../aws-privatelink-traffic-filters.md | 146 ++++++++++++------ .../azure-private-link-traffic-filters.md | 1 + ...ic-filter-link-id-ownership-through-api.md | 2 +- ...private-service-connect-traffic-filters.md | 1 + 4 files changed, 99 insertions(+), 51 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index f9f23aa50d..2af439e3be 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md 
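Review bot: in the `aws-privatelink-traffic-filters.md` hunk, "Private connections over AWS PrivateLink are only supported only for AWS regions" doubles "only". The same hunk introduces two incorrect expansions: "virtual private connection endpoint (VCPE)" and "AWS interface virtual private connection (VPC) endpoints". VPC is Virtual Private Cloud and the AWS resource is a VPC endpoint (VPCE); suggest "VPC endpoint (VPCE) filters" and "AWS interface VPC endpoints". I would also keep the italics the old text had on *service*, *names* and *ID*: the paragraph's point is the contrast between AZ names (`us-east-1a`), which differ per account, and AZ IDs (`use1-az4`), which do not, and the emphasis carried that.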
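Review bot: in the `ip-filtering-cloud.md` hunk, the new link `[private connection policies](private-link-traffic-filters.md)` is a relative path while every other link in this series uses the absolute `/deploy-manage/security/...` form; suggest `/deploy-manage/security/private-link-traffic-filters.md`. The unchanged context line below it still says "manage IP traffic filters using the Traffic Filtering API", and the context in the hunk header reads "There are types of filters are available", a garbled sentence; both should be aligned with the new "IP filter" wording while this file is being touched.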
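Review bot: the first `private-link-traffic-filters.md` hunk (`@@ -11,7 +11,7 @@`) again expands VCPE as "virtual private connection endpoint"; the same correction as on the AWS page applies (VPC endpoint, VPCE). "creating ingress filters for your VCPE" should then read "creating ingress filters for your VPC endpoint", so that a reader coming from the AWS console recognises the resource by its AWS name.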
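Review bot: in the second `private-link-traffic-filters.md` hunk (`@@ -21,7 +21,9 @@`), the new sentence links `[IP filter policies](ip-filtering-cloud.md)` with a relative path while the adjacent tip links the same page as `/deploy-manage/security/ip-filtering-cloud.md`; suggest using the absolute form in both places so the two links cannot diverge.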
@@ -9,11 +9,14 @@ applies_to: products: - id: cloud-hosted - id: cloud-serverless +navigation_title: AWS PrivateLink --- # AWS PrivateLink private connections -You can use AWS PrivateLink to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other AWS services. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. In these configurations, {{ecloud}} is the third-party service provider and the customers are service consumers. +You can use AWS PrivateLink to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other AWS services. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. + +AWS PrivateLink connects your Virtual Private Cloud (VPC) to the AWS-hosted services that you use, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access AWS-hosted services. You can also optionally filter traffic to your deployments and projects by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment or project to the VCPE specified in the policy, as well as any other policies applied to the deployment or project. 
@@ -52,7 +55,7 @@ Transport client is not supported over PrivateLink connections. PrivateLink Service is set up by Elastic in all supported AWS regions under the following service names: ::::{dropdown} AWS public regions -| **Region** | **VPC Service Name** | **Private hosted zone domain name** | **AZ Names (AZ IDs)** | +| Region | VPC service name | Private hosted zone domain name | AZ names (AZ IDs) | | --- | --- | --- | --- | | af-south-1 | `com.amazonaws.vpce.af-south-1.vpce-svc-0d3d7b74f60a6c32c` | `vpce.af-south-1.aws.elastic-cloud.com` | `af-south-1a` (`afs1-az1`), `af-south-1b` (`afs1-az2`), `af-south-1c` (`afs1-az3`) | | ap-east-1 | `com.amazonaws.vpce.ap-east-1.vpce-svc-0f96fbfaf55558d5c` | `vpce.ap-east-1.aws.elastic-cloud.com` | `ap-east-1a` (`ape1-az1`), `ap-east-1b` (`ape1-az2`), `ap-east-1c` (`ape1-az3`) | 
@@ -75,35 +78,44 @@ PrivateLink Service is set up by Elastic in all supported AWS regions under the | us-east-2 | `com.amazonaws.vpce.us-east-2.vpce-svc-02d187d2849ffb478` | `vpce.us-east-2.aws.elastic-cloud.com` | `us-east-2a` (`use2-az1`), `us-east-2b` (`use2-az2`), `us-east-2a` (`use2-az3`) | | us-west-1 | `com.amazonaws.vpce.us-west-1.vpce-svc-00def4a16a26cb1b4` | `vpce.us-west-1.aws.elastic-cloud.com` | `us-west-1a` (`usw1-az1`), `us-west-1b` (`usw1-az2`), `us-west-1c` (`usw1-az3`) | | us-west-2 | `com.amazonaws.vpce.us-west-2.vpce-svc-0e69febae1fb91870` | `vpce.us-west-2.aws.elastic-cloud.com` | `us-west-2a` (`usw2-az2`), `us-west-2b` (`usw2-az1`), `us-west-2c` (`usw2-az3`) | - :::: ::::{dropdown} GovCloud regions -| **Region** | **VPC Service Name** | **Private hosted zone domain name** | +| Region | VPC service name | Private hosted zone domain name | | --- | --- | --- | | us-gov-east-1 (GovCloud) | `com.amazonaws.vpce.us-gov-east-1.vpce-svc-0bba5ffa04f0cb26d` | `vpce.us-gov-east-1.aws.elastic-cloud.com` | - :::: +## Set up a private connection -The process of setting up the PrivateLink connection to your clusters is split between AWS (e.g. by using AWS console) and {{ecloud}} UI. These are the high-level steps: +The process of setting up a private connection with AWS PrivateLink is split between AWS (e.g. by using AWS console) and the {{ecloud}} console. These are the high-level steps: | AWS console | {{ecloud}} | | --- | --- | -| 1. Create a VPC endpoint using {{ecloud}} service name. | | -| 2. Create a DNS record pointing to the VPC endpoint. | | -| | 3. Create a PrivateLink rule set with your VPC endpoint ID. | -| | 4. Associate the PrivateLink rule set with your deployments. | -| | 5. Interact with your deployments over PrivateLink. | +| 1. [Create a VPC endpoint using {{ecloud}} service name.](#ec-aws-vpc-dns) | | +| 2. [Create a DNS record pointing to the VPC endpoint.](#ec-aws-vpc-dns) | | +| | 3. 
**Optional**: [Create a private connection policy.](ec-add-vpc-elastic)

A private connection policy is required to filter traffic using the VCP endpoint ID. | +| | 4. **Optional**: [Associate the private connection policy with deployments or projects](#ec-associate-traffic-filter-private-link-rule-set). | +| | 5. [Interact with your deployments over PrivateLink](#ec-access-the-deployment-over-private-link). | +After you create your private connection policy, you can [edit](#ec-edit-traffic-filter-private-link-rule-set), [disconnect](#remove-filter-deployment), or [delete](#ec-delete-traffic-filter-private-link-rule-set) it. -## Ensure your VPC is in all availability zones [ec-aws-vpc-overlapping-azs] +:::{admonition} Private connection policies are optional +Private connection policies are optional for AWS PrivateLink. After the VPC endpoint and DNS record are created, private connectivity is established. -Ensure your VPC endpoint is in all availability zones supported by {{ecloud}} on the region for the VPC service. +Creating a private connection policy and associating it with your deployments allows you to do the following: -Ensuring that your VPC is in all supported {{ecloud}} availability zones for a particular region avoids potential for a traffic imbalance. That imbalance may saturate some coordinating nodes and underutilize others in the deployment, eventually impacting performance. Enabling all supported {{ecloud}} zones ensures that traffic is balanced optimally. +* Record that you've established private connectivity between AWS and Elastic in the applicable region. +* Filter traffic to your deployment or project using VCPE filters. +::: + + +### Before you begin [ec-aws-vpc-overlapping-azs] +Before you begin, you should ensure your VPC endpoint is in all availability zones supported by {{ecloud}} on the region for the VPC service. + +Ensuring that your VPC is in all supported {{ecloud}} availability zones for a particular region avoids potential for a traffic imbalance. 
That imbalance may saturate some coordinating nodes and underutilize others in the deployment, eventually impacting performance. Enabling all supported {{ecloud}} zones ensures that traffic is balanced optimally. You can find the zone name to zone ID mapping with AWS CLI: 
@@ -120,33 +132,37 @@ $ aws ec2 describe-availability-zones --region us-east-1 | jq -c '.AvailabilityZ The mapping will be different for your region. Our production VPC Service for `us-east-1` is located in `use1-az2`, `use1-az4`, `use1-az6`. We need to create the VPC Endpoint for the preceding mapping in at least one of `us-east-1e`, `us-east-1a`, `us-east-1b`. -## Create your VPC endpoint and DNS entries in AWS [ec-aws-vpc-dns] +### Create your VPC endpoint and DNS entries in AWS [ec-aws-vpc-dns] 1. Create a VPC endpoint in your VPC using the service name for your region. - Follow the [AWS instructions](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) for details on creating a VPC interface endpoint to an endpoint service. + Refer to the [AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) for details on creating a VPC interface endpoint to an endpoint service. - Use [the service name for your region](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-private-link-service-names-aliases). + Use [the service name for your region](#ec-private-link-service-names-aliases). :::{image} /deploy-manage/images/cloud-ec-private-link-service.png :alt: PrivateLink :screenshot: ::: - The security group for the endpoint should at minimum allow for inbound connectivity from your instances CIDR range on ports 443 and 9243. Security groups for the instances should allow for outbound connectivity to the endpoint on ports 443 and 9243. + The security group for the endpoint should, at minimum, allow for inbound connectivity from your instances' CIDR range on ports 443 and 9243. Security groups for the instances should allow for outbound connectivity to the endpoint on ports 443 and 9243. 2. Create a DNS record. - 1. Create a *Private hosted zone*. Consult *Private hosted zone domain name* in *PrivateLink service names and aliases* for the name of the zone. 
For example, in *us-east-1* use `vpce.us-east-1.aws.elastic-cloud.com` as the zone domain name. Don’t forget to associate the zone with your VPC. + 1. Create a Private hosted zone. + + Refer to the **Private hosted zone domain name** column in the [PrivateLink service names and aliases](#ec-private-link-service-names-aliases) table for the name of the zone. For example, in `us-east-1`, use `vpce.us-east-1.aws.elastic-cloud.com` as the zone domain name. + + Don’t forget to associate the zone with your VPC. :::{image} /deploy-manage/images/cloud-ec-private-link-private-hosted-zone-example.png :alt: Private hosted zone example :screenshot: ::: - 2. Then create a DNS CNAME alias pointing to the PrivateLink Endpoint. Add the record to a private DNS zone in your VPC. Use `*` as the record name, and the VPC endpoint DNS name as a value. + 2. Create a DNS CNAME alias pointing to the PrivateLink endpoint. Add the record to a private DNS zone in your VPC. Use `*` as the record name, and the VPC endpoint DNS name as a value. - Follow the [AWS instructions](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) for details on creating a CNAME record which points to your VPC endpoint DNS name. + Refer to the [AWS documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) for details on creating a CNAME record which points to your VPC endpoint DNS name. :::{image} /deploy-manage/images/cloud-ec-private-link-cname.png :alt: PrivateLink CNAME 
@@ -154,37 +170,68 @@ The mapping will be different for your region. Our production VPC Service for `u ::: 3. Test the connection. + + 1. Find the endpoint of your deployment or project: + + ::::{tab-set} + :::{tab-item} Hosted deployment + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - Find out the endpoint of your deployment. You can do that by selecting **Copy endpoint** in the Cloud UI. It looks something like: + 2. Under **Hosted deployments**, find your deployment. - ``` - my-deployment-d53192.es.us-east-1.aws.found.io - ``` + :::{tip} + If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. + ::: - where `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. + 3. Select **Manage**. + 4. In the deployment overview, under **Applications** find the application that you want to test. + 5. Click **Copy endpoint**. The value looks something like the following: - To access your {{es}} cluster over PrivateLink: + ``` + https://my-deployment-d53192.es.us-central1.aws.elastic.cloud + ``` - * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. - * Alternatively, use the following URL structure: + In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. + ::: + :::{tab-item} Serverless project + + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + + 2. On the home page, under **Serverless projects**, find your project. + + 3. Select **Manage**. + 4. In the project overview, beside **Connection alias**, click **Edit**. + 5. Copy the URL of the application that you want to test. 
It looks something like the following: ``` - https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} + https://serverless-es-b592e9.es.us-east-1.aws.elastic.cloud/ ``` + ::: + :::: - For example: + 2. Access your {{es}} cluster over PrivateLink: - ```text - https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com - ``` + * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. + * In all other cases, use the following URL structure: + ``` + https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} + ``` + % need to verify this - ::::{tip} - You can use either 443, or 9243 as a port. - :::: + For example: + ```text + https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com + ``` - You can test the AWS console part of the setup with a following curl (substitute the region and {{es}} ID with your cluster): + + ::::{tip} + You can use either 443, or 9243 as a port. + :::: + + + You can test the AWS console part of the setup with a following curl. Make sure to substitute the region and {{es}} ID with your cluster. Request: ```sh 
@@ -201,20 +248,20 @@ The mapping will be different for your region. Our production VPC Service for `u ``` The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet. + % needs to be edited +## Create a private connection policy +### Step 3 (Optional): Add a private connection policy [ec-add-vpc-elastic] -## Add the private link rules to your deployments [ec-add-vpc-elastic] - -Follow these high-level steps to add private link rules to your deployments. +Follow these high-level steps to add a private connection policy that can be associated with your deployment or project. 1. [Find your VPC endpoint ID](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-find-your-endpoint). 2. [Create rules using the VPC endpoint](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-create-traffic-filter-private-link-rule-set). 3. [Associate the VPC endpoint with your deployment](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set). 4. [Access the deployment over a private link](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-access-the-deployment-over-private-link). - -### Find your VPC endpoint ID [ec-find-your-endpoint] +#### Find your VPC endpoint ID [ec-find-your-endpoint] You can find your VPC endpoint ID in the AWS console: @@ -223,8 +270,7 @@ You can find your VPC endpoint ID in the AWS console: :screenshot: ::: - -### Create rules with the VPC endpoint [ec-create-traffic-filter-private-link-rule-set] +#### Create rules with the VPC endpoint [ec-create-traffic-filter-private-link-rule-set] Once you know your VPC endpoint ID you can create a private link traffic filter rule set. 
@@ -246,14 +292,14 @@ Once you know your VPC endpoint ID you can create a private link traffic filter The next step is to [associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployments. -### Associate a PrivateLink rule set with your deployment [ec-associate-traffic-filter-private-link-rule-set] +### Step 4 (Optional): Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] To associate a private link rule set with your deployment: :::{include} _snippets/associate-filter.md ::: -### Access the deployment over a PrivateLink [ec-access-the-deployment-over-private-link] +## Step 5: Access the deployment or project over a PrivateLink [ec-access-the-deployment-over-private-link] For traffic to connect with the deployment over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also setup network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. 
@@ -290,19 +336,19 @@ The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` t -## Edit a PrivateLink connection [ec-edit-traffic-filter-private-link-rule-set] +## Edit a policy [ec-edit-traffic-filter-private-link-rule-set] You can edit a rule set name or to change the VPC endpoint ID. :::{include} _snippets/edit-ruleset.md ::: -### Delete a PrivateLink rule set [ec-delete-traffic-filter-private-link-rule-set] +## Delete a policy [ec-delete-traffic-filter-private-link-rule-set] :::{include} _snippets/delete-ruleset.md ::: -### Remove a PrivateLink rule set association from your deployment [remove-filter-deployment] +## Disconnect a policy from your deployment or project [remove-filter-deployment] :::{include} _snippets/remove-filter.md ::: diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index 8a3537e849..bc7beca24b 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md @@ -9,6 +9,7 @@ applies_to: products: - id: cloud-hosted - id: cloud-serverless +navigation_title: Azure Private Link --- # Azure Private Link traffic filters diff --git a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md index bad82da343..e6e04eaf65 100644 --- a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md +++ b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md 
@@ -8,7 +8,7 @@ products: - id: cloud-hosted --- -# Claim traffic filter link ID ownership through the API [ec-claim-traffic-filter-link-id-through-the-api] +# Claim VCPE ID ownership [ec-claim-traffic-filter-link-id-through-the-api] This example demonstrates how to use the {{ecloud}} RESTful API to claim different types of private link ID (AWS PrivateLink, Azure Private Link, and GCP Private Service Connect). We cover the following examples: diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 6b744f4703..3960e3dfc4 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -9,6 +9,7 @@ applies_to: products: - id: cloud-hosted - id: cloud-serverless +navigation_title: GCP Private Service Connect --- # GCP Private Service Connect traffic filters From 76e1375cbebe81c50de00cf0a11e38cc01ca24fa Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 18:11:44 -0400 Subject: [PATCH 09/38] more --- .../aws-privatelink-traffic-filters.md | 64 +++++++++++-------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 2af439e3be..cb3de56558 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md 
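Review bot: in the first `aws-privatelink-traffic-filters.md` hunk of this patch (`@@ -9,11 +9,14 @@`), the new paragraph correctly says "Virtual Private Cloud (VPC)", but the unchanged line right after it still says "virtual private connection endpoint (VCPE)", so the page now defines the acronym two different ways within three paragraphs. Suggest fixing the VCPE line in the same hunk to "VPC endpoint (VPCE) filters".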
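Review bot: in the `@@ -75,35 +78,44 @@` hunk, the step-table link `[Create a private connection policy.](ec-add-vpc-elastic)` is missing the leading `#`, so it will resolve as a relative file path rather than the `[ec-add-vpc-elastic]` anchor; the other cells use `#ec-aws-vpc-dns` and `#ec-associate-traffic-filter-private-link-rule-set`. The same cell says "filter traffic using the VCP endpoint ID" (VPC). Also, steps 3 and 4 are both marked **Optional** while step 5 is not, but step 5 (accessing the deployment over PrivateLink) is exactly what the new admonition says works without a policy; consider moving the optional marker to the admonition alone. Unrelated but visible in this hunk's context: the `us-east-2` row lists `us-east-2a` twice (`use2-az1` and `use2-az3`); the second is presumably `us-east-2c`.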
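Review bot: in the `@@ -154,37 +170,68 @@` hunk, the hosted-deployment sample endpoint `https://my-deployment-d53192.es.us-central1.aws.elastic.cloud` uses `us-central1`, which is a GCP region name; on an AWS page, and next to the serverless sample that uses `us-east-1`, this should be an AWS region such as `us-east-1`. The hunk also leaves a `% need to verify this` comment in the source under the URL-structure block, and that block mixes `{{alias}}` / `{{private_hosted_zone_domain_name}}` (double braces, which this docs system treats as substitutions like `{{ecloud}}`) with `{product}` (single braces); use one placeholder style, and not the one the build substitutes. Finally, the "In all other cases, use the following URL structure" line is now under a shared list item for both hosted and serverless, but the only worked example is a hosted one; add the serverless form or state that the structure applies to both.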
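Review bot: in the `@@ -201,20 +248,20 @@` hunk, `## Create a private connection policy` is immediately followed by `### Step 3 (Optional): Add a private connection policy` with no text in between, and a `% needs to be edited` comment is left above it. The four-step list under the new heading still reads "Create rules using the VPC endpoint" and "Associate the VPC endpoint with your deployment" (and the unchanged context below says "create a private link traffic filter rule set"), whereas the headings this patch renames talk about policies; align the step text with "policy" so readers do not meet three names for the same object. The list also keeps the full `/deploy-manage/security/aws-privatelink-traffic-filters.md#...` self-links that the earlier hunk of this same file shortened to `#...` anchors.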
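Review bot: in the `@@ -246,14 +292,14 @@` hunk, the heading levels no longer form a hierarchy: `### Step 4 (Optional): Associate a policy ...` sits under `## Create a private connection policy`, but `## Step 5: Access the deployment or project over a PrivateLink` is promoted to `##`, so Step 5 leaves the "Create a private connection policy" section while still being numbered as part of its step sequence. Either make Step 5 `###` too or drop the "Step N" prefixes from the headings and rely on the step table at the top of the page. The unchanged context line "To associate a private link rule set with your deployment:" should also say "policy".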
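Review bot: in the `@@ -290,19 +336,19 @@` hunk, the heading becomes `## Edit a policy` but the sentence under it still reads "You can edit a rule set name or to change the VPC endpoint ID.", which is both stale terminology and ungrammatical; suggest "You can edit the policy name or change the VPC endpoint ID." Note that `## Disconnect a policy from your deployment or project [remove-filter-deployment]` is the anchor the delete snippet's step 1 points at, so keep the `[remove-filter-deployment]` id if the heading is reworded again.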
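Review bot: the `azure-private-link-traffic-filters.md` hunk adds `navigation_title: Azure Private Link` but the page title in its context is still `# Azure Private Link traffic filters`, while the AWS page in this patch was renamed to "AWS PrivateLink private connections"; the `gcp-private-service-connect-traffic-filters.md` hunk right after it has the same mismatch with `# GCP Private Service Connect traffic filters`. If the rename to "private connections" is intended across providers, the Azure and GCP H1s should change in the same patch so the sidebar and page titles agree.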
@@ -231,37 +231,48 @@ The mapping will be different for your region. Our production VPC Service for `u :::: - You can test the AWS console part of the setup with a following curl. Make sure to substitute the region and {{es}} ID with your cluster. - - Request: - ```sh - $ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com - ``` - Response: - ```sh - * Server certificate: - * subject: CN=*.us-east-1.aws.elastic-cloud.com - * SSL certificate verify ok. - .. - {"ok":false,"message":"Forbidden"} - * Connection #0 to host my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com left intact - ``` - - The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet. - % needs to be edited +You can test the AWS console part of the setup using the following cURL command. Make sure to substitute the region and {{es}} ID with your cluster. + +**Request** +```sh +$ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com +``` +**Response** +```sh +* Server certificate: +* subject: CN=*.us-east-1.aws.elastic-cloud.com +* SSL certificate verify ok. +.. +{"ok":false,"message":"Forbidden"} +* Connection #0 to host my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com left intact +``` + +The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet. +% needs to be edited ## Create a private connection policy -### Step 3 (Optional): Add a private connection policy [ec-add-vpc-elastic] +After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}. + +Private connection policies are optional for AWS PrivateLink. After the VPC endpoint and DNS record are created, private connectivity is established. 
+ +Creating a private connection policy and associating it with your deployments allows you to do the following: + +* Record that you've established private connectivity between AWS and Elastic in the applicable region. +* Filter traffic to your deployment or project using VCPE filters. + +### Add a private connection policy [ec-add-vpc-elastic] Follow these high-level steps to add a private connection policy that can be associated with your deployment or project. -1. [Find your VPC endpoint ID](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-find-your-endpoint). -2. [Create rules using the VPC endpoint](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-create-traffic-filter-private-link-rule-set). -3. [Associate the VPC endpoint with your deployment](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set). -4. [Access the deployment over a private link](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-access-the-deployment-over-private-link). +1. [Find your VPC endpoint ID](#ec-find-your-endpoint). +2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set). +3. [Associate the VPC endpoint with your deployment](#ec-associate-traffic-filter-private-link-rule-set). +4. [Access the deployment over a private link](#ec-access-the-deployment-over-private-link). -#### Find your VPC endpoint ID [ec-find-your-endpoint] +#### Optional: Find your VPC endpoint ID [ec-find-your-endpoint] + +The VPC endpoint id is only required if you want to filter traffic to your deployment or project using VCPE filters. You can find your VPC endpoint ID in the AWS console: 
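Review bot: the dedented paragraph keeps "The `403 Forbidden` is expected, because you haven't allowed the traffic over this PrivateLink connection yet", but the new section directly below states that "Private connection policies are optional for AWS PrivateLink" and that "After the VPC endpoint and DNS record are created, private connectivity is established." Read together these contradict each other: if no policy is required, the reader cannot tell whether a 403 from the curl test means the endpoint is misconfigured or merely that a policy already attached to the deployment does not match this VPC endpoint. Suggest stating explicitly when a 403 is expected (for example, only when the deployment or project already has a network security policy that does not allow this endpoint) and when the test should succeed. The `% needs to be edited` comment left at the end of that block indicates this was the intent; it should be resolved in this change rather than shipped as a TODO.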
@@ -270,10 +281,9 @@ You can find your VPC endpoint ID in the AWS console: :screenshot: ::: -#### Create rules with the VPC endpoint [ec-create-traffic-filter-private-link-rule-set] - -Once you know your VPC endpoint ID you can create a private link traffic filter rule set. +#### Create a new private connection policy [ec-create-traffic-filter-private-link-rule-set] +Create a private link traffic filter rule set. :::{include} _snippets/create-filter.md ::: From a7e24f167c87e5382a6cf90e80f0674e5a61a47c Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 19:00:04 -0400 Subject: [PATCH 10/38] more --- .../security/_snippets/create-filter.md | 4 -- .../_snippets/network-security-page.md | 4 ++ .../aws-privatelink-traffic-filters.md | 48 +++++++++++-------- ...private-service-connect-traffic-filters.md | 2 +- deploy-manage/security/ip-filtering-cloud.md | 46 +++++++----------- 5 files changed, 52 insertions(+), 52 deletions(-) delete mode 100644 deploy-manage/security/_snippets/create-filter.md create mode 100644 deploy-manage/security/_snippets/network-security-page.md diff --git a/deploy-manage/security/_snippets/create-filter.md b/deploy-manage/security/_snippets/create-filter.md deleted file mode 100644 index 72cfe87c62..0000000000 --- a/deploy-manage/security/_snippets/create-filter.md +++ /dev/null @@ -1,4 +0,0 @@ -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. -3. Under the **Features** tab, open the **Traffic filters** page. -4. Select **Create filter**. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/network-security-page.md b/deploy-manage/security/_snippets/network-security-page.md new file mode 100644 index 0000000000..d4fdf78434 --- /dev/null +++ b/deploy-manage/security/_snippets/network-security-page.md 
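Review bot: the new heading `#### Create a new private connection policy` is followed by the single line "Create a private link traffic filter rule set.", which reintroduces the old term in the very section that renames it; either drop the line (the heading already says what to do) or reword it to "Create a new private connection policy." The deleted sentence "Once you know your VPC endpoint ID you can create ..." also carried the dependency on the previous step; since that step is now marked optional, a short replacement such as "You can create the policy with or without a VPC endpoint ID." would keep that information.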
@@ -0,0 +1,4 @@ +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. + % From the left navigation menu, select **Access and security** > **Network security**. \ No newline at end of file diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index cb3de56558..1e0cd8d806 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -250,7 +250,7 @@ $ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet. % needs to be edited -## Create a private connection policy +## Optional: Create a private connection policy After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}. 
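Review bot: the new snippet `network-security-page.md` stops at step 3 (open the **Network security** page), whereas the deleted `create-filter.md` ended with `4. Select **Create filter**.`, so every page that swaps the include must now supply the step that starts policy creation itself. `ip-filtering-cloud.md` does this (`4. Select **Create** > **IP filter**.`), but the AWS page in this same commit continues with `4. Select **Private connection**.` without a **Create** step, and the GCP page restarts at `1. Select **Private Service Connect endpoint**.`; please make the three pages consistent. The trailing `% From the left navigation menu ...` comment is indented as a continuation of step 3 and has no newline at end of file; if it is meant to stay hidden, consider placing it above the list so it does not attach to a list item.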
@@ -265,14 +265,14 @@ Creating a private connection policy and associating it with your deployments al Follow these high-level steps to add a private connection policy that can be associated with your deployment or project. -1. [Find your VPC endpoint ID](#ec-find-your-endpoint). +1. Optional: [Find your VPC endpoint ID](#ec-find-your-endpoint). 2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set). 3. [Associate the VPC endpoint with your deployment](#ec-associate-traffic-filter-private-link-rule-set). 4. [Access the deployment over a private link](#ec-access-the-deployment-over-private-link). #### Optional: Find your VPC endpoint ID [ec-find-your-endpoint] -The VPC endpoint id is only required if you want to filter traffic to your deployment or project using VCPE filters. +The VPC endpoint ID is only required if you want to filter traffic to your deployment or project using VCPE filters. You can find your VPC endpoint ID in the AWS console: 
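Review bot: step 1 gains "Optional:" to match the `#### Optional: Find your VPC endpoint ID` heading, but steps 2 and 3 of the same list still read "Create rules using the VPC endpoint" and "Associate the VPC endpoint with your deployment", while the sections they link to are renamed in this series to "Create a new private connection policy" and "Associate a policy with a deployment or project". Because step 1 is optional, steps 2 and 3 should not presuppose a VPC endpoint ID; suggest "Create a private connection policy" and "Associate the policy with your deployment or project".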
@@ -283,33 +283,43 @@ You can find your VPC endpoint ID in the AWS console: #### Create a new private connection policy [ec-create-traffic-filter-private-link-rule-set] -Create a private link traffic filter rule set. +Create a new private connection policy. -:::{include} _snippets/create-filter.md +:::{include} _snippets/network-security-page.md ::: -1. Select **Private link endpoint**. -2. Create your rule set, providing a meaningful name and description. -3. Select the region for the rule set. -4. Enter your VPC endpoint ID. -5. Select if this rule set should be automatically attached to new deployments. - - ::::{note} - Each rule set is bound to a particular region and can be only assigned to deployments in the same region. - :::: - -6. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. +4. Select **Private connection**. +3. Select the resource type that the private connection will be applied to: either hosted deployments or serverless projects. +10. Select the cloud provider and region for the private connection. + + :::{tip} + Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. + ::: +11. Under **Connectivity**, select **Privatelink**. +12. Optional: Under **VPCE filter**, enter your VPC endpoint ID. You should only specify a VPC endpoint ID if you want to filter traffic to your deployment or project. + + If you don't specify a VPCE filter, then the private connection policy only acts as a record that you've established private connectivity between AWS and Elastic in the applicable region. + + :::{tip} + You can assign multiple policies to a single deployment or project. 
The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. + + [Learn more about how network security policies affect your deployment or project](network-security-policies.md). + ::: +13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. If you specified a VPCE filter, then after you associate the filter with a deployment or project, it starts filtering traffic. +14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. +15. Click **Create**. -The next step is to [associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployments. +16. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. +The next step is to [associate the rule set](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. -### Step 4 (Optional): Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] +### Optional: Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] To associate a private link rule set with your deployment: :::{include} _snippets/associate-filter.md ::: -## Step 5: Access the deployment or project over a PrivateLink [ec-access-the-deployment-over-private-link] +## Access the deployment or project over a PrivateLink [ec-access-the-deployment-over-private-link] For traffic to connect with the deployment over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. 
You can also setup network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 3960e3dfc4..031091adb8 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -176,7 +176,7 @@ Follow these high-level steps to add private link rules to your deployments. When you have your Private Service Connect endpoint connection ID, you can create a traffic filter rule set. -:::{include} _snippets/create-filter.md +:::{include} _snippets/network-security-page.md ::: 1. Select **Private Service Connect endpoint**. 2. Create your rule set, providing a meaningful name and description. diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index 841ede7310..38ce3d7a23 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md 
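Review bot: the list after the `network-security-page.md` include is numbered `4. 3. 10. 11. 12. 13. 14. 15.` and then `16.`, so the rendered sequence depends entirely on the renderer ignoring all but the first number; please renumber sequentially from 4. Within those steps, `11. Under **Connectivity**, select **Privatelink**.` spells the product differently from the rest of the page ("PrivateLink"), and step 12 labels the field `**VPCE filter**` while the prose above says "VCPE filters" and step 16 still says "traffic filter ruleset". Step 16 deserves more prominence than a trailing "(Optional)": by its own wording, claiming the VPC endpoint ID is what stops "any other organization" from using that ID in a policy, so it belongs next to step 12 where the ID is entered, with "network security policy" in place of "traffic filter ruleset". Finally, "The next step is to [associate the rule set]" is at odds with step 13, which already associates the policy, and with the following heading that marks association as optional.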
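Review bot: in the GCP hunk, swapping `create-filter.md` for `network-security-page.md` drops the former snippet's final step (`4. Select **Create filter**.`), and the page's own steps then restart at `1. Select **Private Service Connect endpoint**.` after a snippet that already enumerates steps 1 to 3. Suggest inserting a step 4 that selects the new policy type from the **Create** menu (the exact label is not visible in this diff) and renumbering the page's list from 5, following the pattern used in `ip-filtering-cloud.md`. The unchanged sentence above ("you can create a traffic filter rule set") will also need the policy terminology once this page receives the same treatment as the AWS page.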
@@ -45,27 +45,25 @@ You can combine multiple IP address and CIDR block traffic sources into a single To create an IP filter policy: -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. From any deployment or project on the home page, select **Manage**. -3. Under the **Features** tab, open the **Network security** page. - % From the left navigation menu, select **Access and security** > **Network security**. +:::{include} _snippets/network-security-page.md +::: 4. Select **Create** > **IP filter**. -5. Select the resource type that the IP filter will be applied to: either hosted deployments or serverless projects. -6. Select the cloud provider and region for the filter. +3. Select the resource type that the IP filter will be applied to: either hosted deployments or serverless projects. +4. Select the cloud provider and region for the filter. :::{tip} Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. ::: -7. Add a meaningful name and description for the filter. -8. Under **Access control**, select whether the filter should be applied to ingress or egress traffic. Currently, only ingress traffic filters are supported. -9. Add one or more allowed sources using IPv4, or a range of addresses with CIDR. +5. Add a meaningful name and description for the filter. +6. Under **Access control**, select whether the filter should be applied to ingress or egress traffic. Currently, only ingress traffic filters are supported. +7. Add one or more allowed sources using IPv4, or a range of addresses with CIDR. ::::{note} DNS names are not supported in network security policies. :::: -10. Optional: Under **Apply to resources**, associate the new filter with one or more deployments or projects. 
After you associate the filter with a deployment or project, it starts filtering traffic. -11. To automatically attach this IP filter policy to new deployments or projects, select **Apply by default**. -12. Click **Create**. +8. Optional: Under **Apply to resources**, associate the new filter with one or more deployments or projects. After you associate the filter with a deployment or project, it starts filtering traffic. +9. To automatically attach this IP filter policy to new deployments or projects, select **Apply by default**. +10. Click **Create**. ### Step 2: Associate an IP filter policy with your deployment or project @@ -100,10 +98,8 @@ You can associate an IP filter policy with your deployment or project from the p #### From the IP filter policy settings -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. -3. Under the **Features** tab, open the **Network security** page. - % From the left navigation menu, select **Access and security** > **Network security**. +:::{include} _snippets/network-security-page.md +::: 5. Find the filter you want to edit. 6. Under **Apply to resources**, associate the new filter with one or more deployments or projects. 7. Click **Update** to save your changes. 
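Review bot: in the first hunk the list after the include runs `4. 3. 4. 5. 6. 7. 8. 9. 10.`, and in the second hunk the list after the include starts at `5.` although the snippet only provides steps 1 to 3, so step 4 disappears from the rendered sequence; please renumber both lists to continue from 4. In the second hunk, `6. Under **Apply to resources**, associate the new filter with one or more deployments or projects.` still says "new filter" in a section about associating an existing policy; suggest "the policy".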
@@ -136,10 +132,8 @@ If you want to a specific IP filter policy from a deployment or project, or dele #### From the IP filter policy settings -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. From any deployment or project on the home page, select **Manage**. -3. Under the **Features** tab, open the **Network security** page. - % From the left navigation menu, select **Access and security** > **Network security**. +:::{include} _snippets/network-security-page.md +::: 5. Find the policy you want to edit, then click the **Edit** icon. 6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect. 7. Click **Update** to save your changes. @@ -148,10 +142,8 @@ If you want to a specific IP filter policy from a deployment or project, or dele You can edit an IP filter policy's name or description, change the allowed traffic sources, and change the associated resources, and more. -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. From any deployment or project on the home page, select **Manage**. -3. Under the **Features** tab, open the **Network security** page. - % From the left navigation menu, select **Access and security** > **Network security**. +:::{include} _snippets/network-security-page.md +::: 4. Find the policy you want to edit, then click the **Edit** icon. 5. Click **Update** to save your changes. 
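Review bot: the two hunks continue the list after the same 3-step include at `5.` (first hunk) and `4.` (second hunk), so identical navigation steps are followed by different numbering on one page; settle on continuing from 4. The context line "If you want to a specific IP filter policy from a deployment or project" is missing its verb ("remove"); it sits outside the change, but it is worth fixing while this section is being touched, and the same sentence is copied verbatim into the AWS page's Remove section in patch 12 of this series.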
@@ -165,8 +157,6 @@ If you need to remove a policy, you must first remove any associations with depl To delete a policy: -1. [Remove any associations](#remove-filter-deployment). -2. From any deployment or project on the home page, select **Manage**. -3. Under the **Features** tab, open the **Network security** page. - % From the left navigation menu, select **Access and security** > **Network security**. +:::{include} _snippets/network-security-page.md +::: 4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy. \ No newline at end of file From b41dc72f50861b66be822e82af983f3f43345858 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 19:20:20 -0400 Subject: [PATCH 11/38] more --- .../security/_snippets/associate-filter.md | 27 +++++++++++-- .../aws-privatelink-traffic-filters.md | 16 +++++++- deploy-manage/security/ip-filtering-cloud.md | 38 +++++-------------- 3 files changed, 47 insertions(+), 34 deletions(-) diff --git a/deploy-manage/security/_snippets/associate-filter.md b/deploy-manage/security/_snippets/associate-filter.md index 79acbdaede..cc87a73b28 100644 --- a/deploy-manage/security/_snippets/associate-filter.md +++ b/deploy-manage/security/_snippets/associate-filter.md 
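Review bot: this hunk deletes `1. [Remove any associations](#remove-filter-deployment).` along with the navigation steps, so the delete procedure no longer links to the section that explains how to satisfy its own precondition ("you must first remove any associations with deployments" in the context line above); only the trailing note that the **Delete** icon is inactive while associations exist remains. Suggest keeping the link as a sentence before the include, for example "First, [remove any associations](#remove-filter-deployment) with deployments or projects." The remaining step also says "Find the policy you want to edit" although the action is deletion.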
@@ -1,3 +1,24 @@ -1. Go to the deployment. -2. On the **Security** page, under **Traffic filters** select **Apply filter**. -3. Choose the filter you want to apply and select **Apply filter**. \ No newline at end of file +::::{tab-set} +:group: hosted-serverless + +:::{tab-item} Serverless project +:sync: serverless + +1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Network security** page, select **Apply policies** > **{{policy-type}}**. +3. Choose the policy you want to apply and select **Apply**. +::: + +:::{tab-item} Hosted deployment +:sync: hosted + +1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Security** page, under **Network security**, select **Apply policies** > **{{policy-type}}**. +3. Choose the policy you want to apply and select **Apply**. +::: + +:::: \ No newline at end of file diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 1e0cd8d806..96bfc8fd32 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -10,6 +10,8 @@ products: - id: cloud-hosted - id: cloud-serverless navigation_title: AWS PrivateLink +sub: + policy-type: "Private connection" --- # AWS PrivateLink private connections 
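Review bot: in the **Serverless project** tab of the new `associate-filter.md`, the indented paragraph under step 1 says "On the **Hosted deployments** page you can narrow your deployments by name, ID, ...", copied from the hosted tab; it should refer to the **Serverless projects** page and to projects. The snippet also introduces the `{{policy-type}}` substitution, so every page that includes it must declare `sub: policy-type` in its front matter; this commit adds that only to `aws-privatelink-traffic-filters.md` and `ip-filtering-cloud.md`, so any other page still including this snippet would render the placeholder unresolved. Please confirm the remaining including pages are covered or give the substitution a default.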
@@ -314,10 +316,20 @@ The next step is to [associate the rule set](#ec-associate-traffic-filter-privat ### Optional: Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] -To associate a private link rule set with your deployment: +You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. If the policy contains a VCPE filter, then after you associate the policy with a deployment or project, it starts filtering traffic. -:::{include} _snippets/associate-filter.md +#### From a deployment or project + +:::{include} _snippets/associate-filter-from-resource.md +::: + +#### From the policy settings + +:::{include} _snippets/network-security-page.md ::: +5. Find the policy you want to edit. +6. Under **Apply to resources**, associate the policy with one or more deployments or projects. +7. Click **Update** to save your changes. ## Access the deployment or project over a PrivateLink [ec-access-the-deployment-over-private-link] diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index 38ce3d7a23..6a2960964a 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -12,6 +12,8 @@ applies_to: products: - id: cloud-hosted - id: cloud-serverless +sub: + policy-type: "IP filter" --- # Manage IP traffic filters in ECH or Serverless 
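Review bot: the include path changes to `_snippets/associate-filter-from-resource.md`, but this commit's diffstat lists only `_snippets/associate-filter.md`, `aws-privatelink-traffic-filters.md` and `ip-filtering-cloud.md`, and no rename or new file appears in the patch, so the include target does not exist at this commit and the docs build will fail; the same path is included from `ip-filtering-cloud.md` in the next hunk. Either rename `associate-filter.md` to `associate-filter-from-resource.md` in this commit or keep the old path. The list under `#### From the policy settings` also starts at `5.` after a 3-step include, leaving no step 4.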
@@ -65,43 +67,21 @@ To create an IP filter policy: 9. To automatically attach this IP filter policy to new deployments or projects, select **Apply by default**. 10. Click **Create**. -### Step 2: Associate an IP filter policy with your deployment or project +### Step 2: Associate a policy with a deployment or project -You can associate an IP filter policy with your deployment or project from the policy's settings, or from your deployment or project's settings. After you associate the filter with a deployment or project, it starts filtering traffic. +You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. After you associate the policy with a deployment or project, it starts filtering traffic. -#### From your deployment or project - -::::{tab-set} -:group: hosted-serverless - -:::{tab-item} Serverless project -:sync: serverless - -1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. -2. On the **Network security** page, select **Apply policies** > **IP filter**. -3. Choose the filter you want to apply and select **Apply filter**. -::: - -:::{tab-item} Hosted deployment -:sync: hosted +#### From a deployment or project -1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. -2. On the **Security** page, under **Network security**, select **Apply policies** > **IP filter**. -3. 
Choose the filter you want to apply and select **Apply filter**. +:::{include} _snippets/associate-filter-from-resource.md ::: -:::: - -#### From the IP filter policy settings +#### From the policy settings :::{include} _snippets/network-security-page.md ::: -5. Find the filter you want to edit. -6. Under **Apply to resources**, associate the new filter with one or more deployments or projects. +5. Find the policy you want to edit. +6. Under **Apply to resources**, associate the policy with one or more deployments or projects. 7. Click **Update** to save your changes. ## Remove an IP filter policy from your deployment or project [remove-filter-deployment] From 56b2c93ecc91969d96dc92d49b907c373e4afa62 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 22:01:26 -0400 Subject: [PATCH 12/38] aws done --- .../aws-privatelink-traffic-filters.md | 93 +++++++++++++++---- 1 file changed, 73 insertions(+), 20 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 96bfc8fd32..76e7efd223 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -190,7 +190,7 @@ The mapping will be different for your region. Our production VPC Service for `u 5. Click **Copy endpoint**. The value looks something like the following: ``` - https://my-deployment-d53192.es.us-central1.aws.elastic.cloud + https://my-deployment-2f1f1e.es.us-east-2.aws.elastic-cloud.com ``` In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. 
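Review bot: replacing the inline tab-set with `_snippets/associate-filter-from-resource.md` is the right direction, but that file is neither created nor renamed anywhere in this commit, so the include is dangling. The deleted tab content also carried the serverless copy-paste error ("On the **Hosted deployments** page" under the Serverless tab) that the new shared `associate-filter.md` snippet still contains; make sure the shared snippet is corrected rather than re-inheriting the mistake.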
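Review bot: in the AWS `@@ -190` hunk the example endpoint becomes `https://my-deployment-2f1f1e.es.us-east-2.aws.elastic-cloud.com`, but the unchanged sentence right after it still explains "In this endpoint, `my-deployment-d53192` is an alias", so the explanation no longer matches the example. The rest of the page (the curl test and the access example) uses `my-deployment-d53192` in `us-east-1`; either keep that deployment here for consistency or update the explanatory sentence and the other examples to the new alias and region.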
@@ -299,24 +299,28 @@ Create a new private connection policy. 11. Under **Connectivity**, select **Privatelink**. 12. Optional: Under **VPCE filter**, enter your VPC endpoint ID. You should only specify a VPC endpoint ID if you want to filter traffic to your deployment or project. - If you don't specify a VPCE filter, then the private connection policy only acts as a record that you've established private connectivity between AWS and Elastic in the applicable region. + If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region. :::{tip} You can assign multiple policies to a single deployment or project. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. [Learn more about how network security policies affect your deployment or project](network-security-policies.md). ::: + 13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. If you specified a VPCE filter, then after you associate the filter with a deployment or project, it starts filtering traffic. 14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. 15. Click **Create**. - 16. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. The next step is to [associate the rule set](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. 
### Optional: Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] -You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. If the policy contains a VCPE filter, then after you associate the policy with a deployment or project, it starts filtering traffic. +You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. + +If the policy contains a VCPE filter, then after you associate the policy with a deployment or project, it starts filtering traffic. + +If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a VCP endpoint exists for the deployment or project's region. #### From a deployment or project 
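Review bot: in the new paragraph "the association can serve as a reminder that a VCP endpoint exists", "VCP" should be "VPC", and "VCPE filter" in both new paragraphs is again spelled differently from the `**VPCE filter**` field label in the steps above. On substance, the split into two paragraphs is helpful because it makes the security effect explicit: a policy with a VPCE filter changes which traffic is accepted, a policy without one only records that the connection exists. Consider adding a one-line cross-reference here to the tip above ("If none of the policies match, the request is rejected with `403 Forbidden`"), since attaching a filtered policy is the moment at which traffic from other paths starts being rejected, and a reader who skipped the tip would otherwise be surprised by 403s.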
@@ -333,18 +337,27 @@ You can associate a network security policy with your deployment or project from ## Access the deployment or project over a PrivateLink [ec-access-the-deployment-over-private-link] -For traffic to connect with the deployment over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also setup network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. +For traffic to connect with the deployment or project over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. -::::{important} -Use the alias you’ve set up as CNAME DNS record to access your deployment. -:::: + * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. + * In all other cases, use the following URL structure: + ``` + https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} + ``` + % need to verify this -If your deployment alias is `my-deployment-12ab9b` and it is located in `us-east-1` region you can access it at the following URL: + For example: + + ```text + https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com + ``` + + + ::::{tip} + You can use either 443, or 9243 as a port. 
+ :::: -``` -https://my-deployment-12ab9b.es.vpce.us-east-1.aws.elastic-cloud.com -``` Request: ```sh 
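Review bot: the URL pattern `https://{{alias}}.{product}.{{private_hosted_zone_domain_name}}` mixes two placeholder styles, and `{{...}}` is the substitution syntax this page already relies on (`{{ecloud}}`, `{{es}}`, `{{policy-type}}`), so `{{alias}}` and `{{private_hosted_zone_domain_name}}` will be treated as undefined substitutions rather than shown as placeholders; use a single literal placeholder form such as `https://<alias>.<product>.<private_hosted_zone_domain_name>`. The bullet list, the fenced blocks and the tip are indented by three spaces under no parent list item, which will render as nested or preformatted content; dedent them. The removed `{important}` admonition ("Use the alias you've set up as CNAME DNS record to access your deployment.") is the one sentence that told the reader the hostname must be the CNAME alias they created; the new bullets imply it but no longer say it, so consider restoring that sentence under the URL-structure bullet. Minor: "You can use either 443, or 9243 as a port" has a stray comma, and the `% need to verify this` comment should be resolved before merge.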
@@ -360,27 +373,67 @@ Response: ::::{note} If you are using AWS PrivateLink together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the PrivateLink URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the PrivateLink URL. The URL needs to follow this pattern: `https://.fleet.:443`. -Similarly, the {{es}} host needs to be updated to propagate the Privatelink URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`. +Similarly, the {{es}} host needs to be updated to propagate the PrivateLink URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`. The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [{{kib}} settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md). +% need to verify this :::: - - ## Edit a policy [ec-edit-traffic-filter-private-link-rule-set] -You can edit a rule set name or to change the VPC endpoint ID. +You can edit a policy's name, description, VPC endpoint ID, and more. + +:::{include} _snippets/network-security-page.md +::: +1. Find the policy you want to edit, then click the **Edit** icon. +2. Click **Update** to save your changes. -:::{include} _snippets/edit-ruleset.md +:::{tip} +You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. ::: ## Delete a policy [ec-delete-traffic-filter-private-link-rule-set] -:::{include} _snippets/delete-ruleset.md +If you need to remove a policy, you must first remove any associations with deployments. + +To delete a policy: + +:::{include} _snippets/network-security-page.md ::: +4. Find the policy you want to edit, then click the **Delete** icon. 
The icon is inactive if there are deployments or projects associated with the policy. -## Disconnect a policy from your deployment or project [remove-filter-deployment] +## Remove a policy from your deployment or project [remove-filter-deployment] -:::{include} _snippets/remove-filter.md +If you want to a specific policy from a deployment or project, or delete the policy, then you need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. To remove an association through the UI: + +#### From your deployment or project + +::::{tab-set} +:group: hosted-serverless +:::{tab-item} Serverless project +:sync: serverless +1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Network security** page, find the IP filter policy that you want to disconnect. +3. Under **Actions**, click the **Delete** icon. ::: +:::{tab-item} Hosted deployment +:sync: hosted +1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect. +3. Under **Actions**, click the **Delete** icon. +::: +:::: + +#### From the IP filter policy settings + +:::{include} _snippets/network-security-page.md +::: +5. Find the policy you want to edit, then click the **Edit** icon. +6. 
Under **Apply to resources**, click the `x` beside the resource that you want to disconnect. +7. Click **Update** to save your changes. + From a4a0bb4cecbeb1042a46c35b40ad72e6925874ae Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 22:08:34 -0400 Subject: [PATCH 13/38] more --- deploy-manage/_snippets/ecloud-security.md | 4 ++-- deploy-manage/security/azure-private-link-traffic-filters.md | 2 ++ .../security/gcp-private-service-connect-traffic-filters.md | 2 ++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/deploy-manage/_snippets/ecloud-security.md b/deploy-manage/_snippets/ecloud-security.md index 93dfedb36f..7f67cabaf8 100644 --- a/deploy-manage/_snippets/ecloud-security.md +++ b/deploy-manage/_snippets/ecloud-security.md 
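Review bot: the opening sentence of the new "Remove a policy from your deployment or project" section in the hunk at @@ -360 is missing its verb: "If you want to a specific policy from a deployment or project" should read "If you want to remove a specific policy from a deployment or project". In the same hunk, the Serverless project tab repeats the Hosted deployments filter paragraph ("On the **Hosted deployments** page you can narrow your deployments...") under a serverless step, both tabs and the closing heading "From the IP filter policy settings" say "IP filter policy" although this is the AWS PrivateLink page, the Delete step reads "Find the policy you want to edit, then click the **Delete** icon", and the step numbers after the `network-security-page` include start at 4 in the Delete section but at 1 in the Edit section. The `% need to verify this` comment left in the Fleet note also needs resolving before merge.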
@@ -1,9 +1,9 @@ {{ecloud}} has built-in security. For example, HTTPS communications between {{ecloud}} and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest. -In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](?) to prevent unauthorized access to your deployments and projects. +In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](/deploy-manage/security/cloud-ip-filter.md) to prevent unauthorized access to your deployments and projects. In {{ech}}, you can augment these security features in the following ways: -* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments. +* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your Elastic Cloud deployments and projects to communicate with other cloud services, and restrict traffic to deployments and projects based on those private connections. * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores. * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index bc7beca24b..f7316f63cb 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md 
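Review bot: the rewritten line "In both {{ech}} amd {{serverless-full}}" keeps the "amd" typo from the context it replaces; since this hunk touches that line anyway, fix it to "and". The new bullet also spells the endpoint filter "VCPE", while later hunks in this series use both "VCPE" and "VPCE" (VPC endpoint); settle on one spelling across the files.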
@@ -10,6 +10,8 @@ products: - id: cloud-hosted - id: cloud-serverless navigation_title: Azure Private Link +sub: + policy-type: "Private connection" --- # Azure Private Link traffic filters diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 031091adb8..a30c72cbc5 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -10,6 +10,8 @@ products: - id: cloud-hosted - id: cloud-serverless navigation_title: GCP Private Service Connect +sub: + policy-type: "Private connection" --- # GCP Private Service Connect traffic filters From 70214f13c182d0ff0cd0fa2d79e9f7930a21fc5e Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 22:55:44 -0400 Subject: [PATCH 14/38] gcp --- .../aws-privatelink-traffic-filters.md | 13 +- ...private-service-connect-traffic-filters.md | 249 ++++++++++++------ 2 files changed, 183 insertions(+), 79 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 76e7efd223..0f7b8f0f93 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -91,7 +91,7 @@ PrivateLink Service is set up by Elastic in all supported AWS regions under the ## Set up a private connection -The process of setting up a private connection with AWS PrivateLink is split between AWS (e.g. by using AWS console) and the {{ecloud}} console. These are the high-level steps: +The process of setting up a private connection with AWS PrivateLink is split between AWS (e.g. by using AWS console) and the {{ecloud}} UI. These are the high-level steps: | AWS console | {{ecloud}} | | --- | --- | 
@@ -186,7 +186,7 @@ The mapping will be different for your region. Our production VPC Service for `u ::: 3. Select **Manage**. - 4. In the deployment overview, under **Applications** find the application that you want to test. + 4. In the deployment overview, under **Applications**, find the application that you want to test. 5. Click **Copy endpoint**. The value looks something like the following: ``` @@ -270,7 +270,6 @@ Follow these high-level steps to add a private connection policy that can be ass 1. Optional: [Find your VPC endpoint ID](#ec-find-your-endpoint). 2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set). 3. [Associate the VPC endpoint with your deployment](#ec-associate-traffic-filter-private-link-rule-set). -4. [Access the deployment over a private link](#ec-access-the-deployment-over-private-link). #### Optional: Find your VPC endpoint ID [ec-find-your-endpoint] @@ -312,7 +311,7 @@ Create a new private connection policy. 15. Click **Create**. 16. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. -The next step is to [associate the rule set](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. +The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. ### Optional: Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] 
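Review bot: step 16 in the hunk at @@ -312 still says "in a traffic filter ruleset" while the sentence directly below it was changed from "rule set" to "policy"; update the step to "in a private connection policy" for consistency. In the hunk at @@ -270, dropping "Access the deployment over a private link" from the high-level list leaves that section unreferenced from the list; if the removal is intended, consider linking to it from step 3 so readers still find it.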
@@ -339,6 +338,10 @@ If the policy doesn't contain a VCPE filter, then the association can serve as a For traffic to connect with the deployment or project over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. +::::{important} +Use the alias you’ve set up as CNAME DNS record to access your deployment or project. +:::: + * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. * In all other cases, use the following URL structure: @@ -395,7 +398,7 @@ You can also edit network security policies from your deployment's **Security** ## Delete a policy [ec-delete-traffic-filter-private-link-rule-set] -If you need to remove a policy, you must first remove any associations with deployments. +If you need to remove a policy, you must first remove any associations with deployments or projects. To delete a policy: diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index a30c72cbc5..0ecea05144 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md 
@@ -14,26 +14,23 @@ sub: policy-type: "Private connection" --- -# GCP Private Service Connect traffic filters +# GCP Private Service Connect private connections -Traffic filtering to allow only Private Service Connect connections is one of the security layers available in {{ecloud}}. It allows you to limit how your deployments can be accessed. +You can use GCP Private Service Connect to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other GCP services. GCP routes the Private Link traffic within the GCP data center and never exposes it to the public internet. -Refer to [](/deploy-manage/security/traffic-filtering.md) to learn more about traffic filtering in {{ech}}, and how traffic filter rules work. +GCP Private Service Connect connects your Virtual Private Cloud (VPC) to the GCP-hosted services that you use, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access GCP-hosted services. -::::{note} -Private Service Connect filtering is supported only for Google Cloud regions. -:::: - - -Private Service Connect establishes a secure connection between two Google Cloud VPCs. The VPCs can belong to separate accounts, for example a service provider and their service consumers. Google Cloud routes the Private Service Connect traffic within the Google Cloud data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers. +You can also optionally filter traffic to your deployments and projects by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment or project to the VCPE specified in the policy, as well as any other policies applied to the deployment or project. Private Link is a connection between a Private Service Connect Endpoint and a Service Attachment. 
[Learn more about using Private Service Connect on Google Cloud](https://cloud.google.com/vpc/docs/private-service-connect#benefits-services). -::::{tip} -Private Service Connect connections are regional, your Private Service Connect Endpoint needs to live in the same region as your deployment. The Endpoint can be accessed from any region once you enable its [*Global Access*](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) feature. -:::: +To learn how private connection policies impact your deployment or project, refer to [](/deploy-manage/security/network-security-policies.md). +::::{tip} +Private Service Connect filtering is supported only for Google Cloud regions. +Private Service Connect connections are regional, your Private Service Connect endpoint needs to live in the same region as your deployment. The endpoint can be accessed from any region after you enable its [Global Access](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) feature. +:::: ## Private Service Connect URIs [ec-private-service-connect-uris] 
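Review bot: the new intro in the hunk at @@ -14 carries AWS/Azure wording into the GCP page: "GCP routes the Private Link traffic within the GCP data center" and "Private Link is a connection between a Private Service Connect Endpoint and a Service Attachment" should say Private Service Connect (the text removed in the same hunk had this right). The rewritten tip has a comma splice, "Private Service Connect connections are regional, your Private Service Connect endpoint needs to live in the same region", which should be two sentences, and it opens with "Private Service Connect filtering is supported only for Google Cloud regions" even though the rest of the page now presents filtering as optional; "Private Service Connect connections" would be the accurate subject.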
@@ -65,17 +62,28 @@ Service Attachments are set up by Elastic in all supported GCP regions under the :::: +## Set up a private connection -The process of setting up the Private link connection to your clusters is split between Google Cloud (e.g. by using Google Cloud console), and {{ecloud}} UI. These are the high-level steps: +The process of setting up the Private link connection to your deployments and projects is split between Google Cloud and the {{ecloud}} UI. These are the high-level steps: -| Google Cloud console | {{ecloud}} UI | +| Google Cloud console | {{ecloud}} | | --- | --- | -| 1. Create a Private Service Connect endpoint using {{ecloud}} Service Attachment URI. | | -| 2. Create a DNS record pointing to the Private Service Connect endpoint. | | -| | 3. Create a Private Service Connect rule set with the **PSC Connection ID**. | -| | 4. Associate the Private Service Connect rule set with your deployments. | -| | 5. Interact with your deployments over Private Service Connect. | +| [1. Create a Private Service Connect endpoint using {{ecloud}} Service Attachment URI.](#ec-private-service-connect-enpoint-dns) | | +| [2. Create a DNS record pointing to the Private Service Connect endpoint.](#ec-private-service-connect-enpoint-dns) | | +| | [3. Optional: Create a private connection policy with the PSC Connection ID.](#ec-psc-create-traffic-filter-psc-rule-set) | +| | [4. Optional: Associate the private connection policy with your deployments.](#ec-psc-associate-traffic-filter-psc-rule-set) | +| | [5. Interact with your deployments over Private Service Connect.](#ec-psc-access-the-deployment-over-psc) | + +After you create your private connection policy, you can [edit](#ec-edit-traffic-filter-psc-rule-set), [disconnect](#remove-filter-deployment), or [delete](#ec-delete-traffic-filter-psc-rule-set) it. + +:::{admonition} Private connection policies are optional +Private connection policies are optional for GCP Private Service Connect. 
After the Private Service Connect endpoint and DNS record are created, private connectivity is established. +Creating a private connection policy and associating it with your deployments allows you to do the following: + +* Record that you've established private connectivity between GCP and Elastic in the applicable region. +* Filter traffic to your deployment or project using VCPE filters. +::: ## Create your Private Service Connect endpoint and DNS entries in Google Cloud [ec-private-service-connect-enpoint-dns] 
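Review bot: "The process of setting up the Private link connection" in the hunk at @@ -65 should read "Private Service Connect connection" on this page. Steps 1 and 2 of the table both link to `#ec-private-service-connect-enpoint-dns`, which works since both steps live in that section, but the table is introduced as "the high-level steps" while steps 3 and 4 are labelled "Optional"; a short sentence before the table saying the policy steps are optional would read more clearly. The "Private connection policies are optional" admonition added here is repeated almost verbatim later in this file, in the new "Optional: Create a private connection policy" section; keep one copy and link to it.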
@@ -94,48 +102,65 @@ The process of setting up the Private link connection to your clusters is split 2. Create a DNS record. - 1. Create a *DNS Zone* of type **Private**. Set the **DNS name** to *Private zone DNS name* for your region. For example, in *asia-southeast1* use `psc.asia-southeast1.gcp.elastic-cloud.com` as the zone domain name. Make sure the zone is associated with your VPC. - 2. Then create a DNS record set with an A record pointing to the Private Service Connect endpoint IP. Use `*` as the **DNS name**, `A` as the **Resource Record Type**, and put the Private Service Connect endpoint IP address as the record value. + 1. Create a DNS Zone of type **Private**. Set the **DNS name** to Private zone DNS name for your region. For example, in `asia-southeast1`, use `psc.asia-southeast1.gcp.elastic-cloud.com` as the zone domain name. Make sure the zone is associated with your VPC. + 2. Create a DNS record set with an A record pointing to the Private Service Connect endpoint IP. Use `*` as the **DNS name**, `A` as the **Resource Record Type**, and put the Private Service Connect endpoint IP address as the record value. Follow the [Google Cloud instructions](https://cloud.google.com/dns/docs/records#adding_a_record) for details on creating an A record which points to your Private Service Connect endpoint IP address. 3. Test the connection. - Find out the {{es}} cluster ID of your deployment. You can do that by selecting **Copy cluster id** in the Cloud UI. It looks something like `9c794b7c08fa494b9990fa3f6f74c2f8`. - - ::::{tip} - The {{es}} cluster ID is **different** from the deployment ID, custom alias endpoint, and Cloud ID values that feature prominently in the user console. - :::: + 1. Find the ID of your deployment's {{es}} cluster, or the ID of your project: + + ::::{tab-set} + :::{tab-item} Hosted deployment + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + 2. 
Under **Hosted deployments**, find your deployment. - To access your {{es}} cluster over Private Link: + :::{tip} + If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. + ::: - * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. + 3. Select **Manage**. + 4. In the deployment overview, under **Applications**, find the application that you want to test. + 5. Click **Copy cluster ID**. The value looks something like the following: ``` - https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} + be36ce6c84434913a5a40f3f1521b6e5 ``` + ::: + :::{tab-item} Serverless project - For example: + 6. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - ```text - https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com - ``` + 7. On the home page, under **Serverless projects**, find your project. - * Alternatively, use the following URL structure: + 8. Select **Manage**. + 9. In the project overview, beside **Project ID**, click **Copy**. The value looks something like the following: ``` - https://{{elasticsearch_cluster_ID}}.{private_hosted_zone_domain_name}:9243 + fbb9f6535def41119fb00a475d2fb976 ``` + ::: + :::: - For example: + 2. Access your cluster or project over Private Link: - ```text - https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 - ``` + * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. 
+ * In all other cases, use the following URL structure: + ``` + https://{{cluster_or_project_ID}}.{private_hosted_zone_domain_name}:9243 + ``` + % need to verify this - You can test the Google Cloud console part of the setup with the following command (substitute the region and {{es}} ID with your cluster): + For example: + + ```text + https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 + ``` + + You can test the Google Cloud console part of the setup with the following command. Make sure to substitute the region and ID with your cluster or project information. Request: ```sh 
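Review bot: in the hunk at @@ -94, the Serverless project tab steps are numbered 6–9, continuing from the Hosted deployment tab; each tab item should restart at 1. The Hosted tab steps "under **Applications**, find the application that you want to test" followed by "Click **Copy cluster ID**" were adapted from the AWS page's "Copy endpoint" step; confirm that the cluster ID is actually copied from the Applications list rather than from the deployment overview. The new URL pattern `https://{{cluster_or_project_ID}}.{private_hosted_zone_domain_name}:9243` mixes double and single braces, and the double-brace form may be picked up as a substitution by the docs build (this file already relies on `{{ecloud}}`-style substitutions), so use one placeholder style; the `% need to verify this` comment beside it should be resolved rather than shipped.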
@@ -152,62 +177,100 @@ The process of setting up the Private link connection to your clusters is split {"ok":false,"message":"Forbidden"} ``` - Check the IP address `192.168.100.2`. it should be the same as the IP address assigned to your Private Service Connect endpoint. + Check the IP address. it should be the same as the IP address assigned to your Private Service Connect endpoint. The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet. + % verify + +## Optional: Create a private connection policy + +After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}. + +Private connection policies are optional for GCP Private Service Connect. After the Private Service Connect endpoint and DNS record are created, private connectivity is established. +Creating a private connection policy and associating it with your deployments allows you to do the following: +* Record that you've established private connectivity between GCP and Elastic in the applicable region. +* Filter traffic to your deployment or project using VCPE filters. -## Add the Private Service Connect rules to your deployments [ec-private-service-connect-allow-from-psc-connection-id] +### Add a private connection policy [ec-private-service-connect-allow-from-psc-connection-id] Follow these high-level steps to add private link rules to your deployments. -1. [Find your Private Service Connect connection ID](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-find-your-psc-connection-id). -2. [Create rules using the Private Service Connect endpoint connection ID](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-psc-create-traffic-filter-psc-rule-set). -3. 
[Associate the Private Service Connect endpoint with your deployment](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-psc-associate-traffic-filter-psc-rule-set). -4. [Access the deployment over the Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-psc-access-the-deployment-over-psc). +1. Optional: [Find your Private Service Connect connection ID](#ec-find-your-psc-connection-id). +2. [Create rules using the Private Service Connect endpoint connection ID](#ec-psc-create-traffic-filter-psc-rule-set). +3. [Associate the Private Service Connect endpoint with your deployment](#ec-psc-associate-traffic-filter-psc-rule-set). +### Optional: Find your Private Service Connect connection ID [ec-find-your-psc-connection-id] -### Find your Private Service Connect connection ID [ec-find-your-psc-connection-id] +The PSC connection ID is only required if you want to filter traffic to your deployment or project using VCPE filters. 1. Go to your Private Service Connect endpoint in the Google Cloud console. 2. Copy the value of **PSC Connection ID**. +### Create a new private connection policy [ec-psc-create-traffic-filter-psc-rule-set] -### Create rules using the Private Service Connect endpoint connection ID [ec-psc-create-traffic-filter-psc-rule-set] - -When you have your Private Service Connect endpoint connection ID, you can create a traffic filter rule set. +Create a new private connection policy. :::{include} _snippets/network-security-page.md ::: -1. Select **Private Service Connect endpoint**. -2. Create your rule set, providing a meaningful name and description. -3. Select the region for the rule set. -4. Enter your **PSC Connection ID**. -5. Select if this rule set should be automatically attached to new deployments. +4. Select **Private connection**. +3. Select the resource type that the private connection will be applied to: either hosted deployments or serverless projects. +10. 
Select the cloud provider and region for the private connection. + + :::{tip} + Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. + ::: +11. Under **Connectivity**, select **Privatelink**. +12. Optional: Under **VPCE filter**, enter your Private Service Connect endpoint connection ID. You should only specify a Private Service Connect endpoint connection ID if you want to filter traffic to your deployment or project. + + If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region. + + :::{tip} + You can assign multiple policies to a single deployment or project. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. + + [Learn more about how network security policies affect your deployment or project](network-security-policies.md). + ::: + +13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. If you specified a VPCE filter, then after you associate the filter with a deployment or project, it starts filtering traffic. +14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. +15. Click **Create**. +16. (Optional) You can [claim your Private Service Connect endpoint connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. 
+ +The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. + + +### Optional: Associate a policy with a deployment or project [ec-psc-associate-traffic-filter-psc-rule-set] - ::::{note} - Each rule set is bound to a particular region and can be only assigned to deployments in the same region. - :::: +To associate a private link rule set with your deployment: -6. (Optional) You can [claim your PSC Connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. +### Optional: Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] -The next step is to [associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployments. +You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. +If the policy contains a VCPE filter, then after you associate the policy with a deployment or project, it starts filtering traffic. -### Associate the Private Service Connect endpoint with your deployment [ec-psc-associate-traffic-filter-psc-rule-set] +If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a VCP endpoint exists for the deployment or project's region. 
-To associate a private link rule set with your deployment: +#### From a deployment or project -:::{include} _snippets/associate-filter.md +:::{include} _snippets/associate-filter-from-resource.md ::: -### Access the deployment over the Private Service Connect [ec-psc-access-the-deployment-over-psc] +#### From the policy settings -For traffic to connect with the deployment over Private Service Connect, the client making the request needs to be located within the VPC where you’ve created the Private Service Connect endpoint. You can also setup network traffic to flow through the originating VPC from somewhere else, such as another VPC or a VPN from your corporate network. This assumes that the Private Service Connect endpoint and the DNS record are also available within that context. Check your cloud service provider documentation for setup instructions. +:::{include} _snippets/network-security-page.md +::: +5. Find the policy you want to edit. +6. Under **Apply to resources**, associate the policy with one or more deployments or projects. +7. Click **Update** to save your changes. + +### Access the deployment or project over the Private Service Connect [ec-psc-access-the-deployment-over-psc] + +For traffic to connect with the deployment or project over Private Service Connect, the client making the request needs to be located within the VPC where you’ve created the Private Service Connect endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or a VPN from your corporate network. This assumes that the Private Service Connect endpoint and the DNS record are also available within that context. Check your cloud service provider documentation for setup instructions. ::::{important} -Use the alias you’ve set up as CNAME A record to access your deployment. +Use the alias you’ve set up as CNAME A record to access your deployment or project. :::: 
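Review bot: the hunk at @@ -152 adds a second "### Optional: Associate a policy with a deployment or project" heading with the AWS anchor `[ec-associate-traffic-filter-private-link-rule-set]`, leaving the first one, `[ec-psc-associate-traffic-filter-psc-rule-set]`, with only the orphaned line "To associate a private link rule set with your deployment:" beneath it; the "The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set)" link and the `#ec-psc-associate-traffic-filter-psc-rule-set` link in the high-level list should both point at a single heading with the PSC anchor. Other copy-paste leftovers from the AWS page in this hunk: "After you test your PrivateLink connection", "private connectivity between AWS and Elastic", "select **Privatelink**" under Connectivity (confirm the UI label shown for GCP), "a reminder that a VCP endpoint exists" (VPC), and "VPCE filter" beside "VCPE filters". The create-policy steps are numbered 4, 3, 10, 11, ... and need renumbering; "Check the IP address. it should be" needs a capital "It"; "Use the alias you’ve set up as CNAME A record" contradicts itself (the DNS step above creates an A record, and the AWS page says "CNAME DNS record"); the optional-policy paragraph duplicates the admonition added earlier in the file; and the `% verify` comment should be resolved.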
@@ -216,6 +279,7 @@ For example, if your {{es}} ID is `6b111580caaa4a9e84b18ec7c600155e` and it is l ``` https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 ``` +% verify Request: ```sh 
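Review bot: the hunk at @@ -216 only adds a `% verify` comment beneath the example URL `https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243`; either verify the pattern before merge or track it in the PR, since the same pattern is stated earlier in the file under a matching `% need to verify this` and the two comments will otherwise ship silently.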
@@ -234,26 +298,63 @@ If you are using Private Service Connect together with Fleet, and enrolling the Similarly, the {{es}} host needs to be updated to propagate the Private Service Connect URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`. The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [{{kib}} settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md). +% verify :::: +## Edit a policy [ec-edit-traffic-filter-psc-rule-set] + +You can edit a policy's name, description, VPC endpoint ID, and more. + +:::{include} _snippets/network-security-page.md +::: +1. Find the policy you want to edit, then click the **Edit** icon. +2. Click **Update** to save your changes. + +:::{tip} +You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. +::: +## Delete a policy [ec-delete-traffic-filter-psc-rule-set] -## Edit a Private Service Connect rule set [ec-psc-edit-traffic-filter-psc-rule-set] +If you need to remove a policy, you must first remove any associations with deployments. -You can edit a rule set name or to change the PSC connection ID. +To delete a policy: -:::{include} _snippets/edit-ruleset.md +:::{include} _snippets/network-security-page.md ::: +4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy. + +## Remove a policy from your deployment or project [remove-filter-deployment] +If you want to a specific policy from a deployment or project, or delete the policy, then you need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. 
To remove an association through the UI: -### Delete a Private Service Connect rule set [ec-psc-delete-psc-rule-set] +#### From your deployment or project -:::{include} _snippets/delete-ruleset.md +::::{tab-set} +:group: hosted-serverless +:::{tab-item} Serverless project +:sync: serverless +1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Network security** page, find the IP filter policy that you want to disconnect. +3. Under **Actions**, click the **Delete** icon. ::: +:::{tab-item} Hosted deployment +:sync: hosted +1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect. +3. Under **Actions**, click the **Delete** icon. +::: +:::: -### Remove a Private Service Connect rule set association from your deployment [remove-filter-deployment] +#### From the IP filter policy settings -:::{include} _snippets/remove-filter.md -::: \ No newline at end of file +:::{include} _snippets/network-security-page.md +::: +5. Find the policy you want to edit, then click the **Edit** icon. +6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect. +7. Click **Update** to save your changes. \ No newline at end of file From ada20defd9932685e00f2af6b8e01bc0990ce67a Mon Sep 17 00:00:00 2001 
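Review bot: in the hunk at @@ -234, "You can edit a policy's name, description, VPC endpoint ID, and more" was copied from the AWS page; on this page the identifier is the PSC connection ID. "If you need to remove a policy, you must first remove any associations with deployments" should say "deployments or projects", as the AWS page was corrected earlier in this series. The same defects as on the AWS page recur here: "If you want to a specific policy from a deployment or project" is missing "remove", the Serverless project tab contains the Hosted deployments filter paragraph, both tabs and the "From the IP filter policy settings" heading refer to an "IP filter policy" instead of a private connection policy, the Delete step says "Find the policy you want to edit", and the step numbers after the include jump to 4 and 5. The file also still ends without a trailing newline.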
From: shainaraskas Date: Mon, 16 Jun 2025 23:10:53 -0400 Subject: [PATCH 15/38] more --- .../azure-private-link-traffic-filters.md | 50 +++++++++++-------- ...private-service-connect-traffic-filters.md | 12 +++-- 2 files changed, 37 insertions(+), 25 deletions(-) diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index f7316f63cb..fd7ff058e8 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md 
@@ -16,18 +16,21 @@ sub: # Azure Private Link traffic filters -Traffic filtering to allow only Azure Private Link connections is one of the security layers available in {{ech}}. It allows you to limit how your deployments can be accessed. +You can use Azure Private Link to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other Azure services. Azure routes the Private Link traffic within the Azure data center and never exposes it to the public internet. -Refer to [](/deploy-manage/security/traffic-filtering.md) to learn more about traffic filtering in {{ech}}, and how traffic filter rules work. +Azure Private Link establishes a secure connection between two Azure VNets. The VNets can belong to separate accounts, for example a service provider and their service consumers. Azure routes the Private Link traffic within the Azure data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers. -::::{note} -Azure Private Link filtering is supported only for Azure regions. -:::: +Private Link is a connection between an Azure Private Endpoint and a Azure Private Link Service. +You can also optionally filter traffic to your deployments and projects by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment or project to the VCPE specified in the policy, as well as any other policies applied to the deployment or project. -Azure Private Link establishes a secure connection between two Azure VNets. The VNets can belong to separate accounts, for example a service provider and their service consumers. Azure routes the Private Link traffic within the Azure data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers. 
+To learn how private connection policies impact your deployment or project, refer to [](/deploy-manage/security/network-security-policies.md). -Private Link is a connection between an Azure Private Endpoint and a Azure Private Link Service. +:::{tip} +Azure Private Link filtering is supported only for Azure regions. + +{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. +::: ## Azure Private Link Service aliases [ec-private-link-azure-service-aliases] @@ -35,7 +38,7 @@ Private Link is a connection between an Azure Private Endpoint and a Azure Priva Private Link Services are set up by Elastic in all supported Azure regions under the following aliases: ::::{dropdown} Azure public regions -| **Region** | **Azure Private Link Service alias** | **Private hosted zone domain name** | +| Region | Azure Private Link Service alias | Private hosted zone domain name | | --- | --- | --- | | australiaeast | australiaeast-prod-012-privatelink-service.a0cf0c1a-33ab-4528-81e7-9cb23608f94e.australiaeast.azure.privatelinkservice | privatelink.australiaeast.azure.elastic-cloud.com | | centralus | centralus-prod-009-privatelink-service.49a041f7-2ad1-4bd2-9898-fba7f7a1ff77.centralus.azure.privatelinkservice | privatelink.centralus.azure.elastic-cloud.com | 
@@ -56,35 +59,38 @@ Private Link Services are set up by Elastic in all supported Azure regions under :::: +## Set up a private connection -The process of setting up the Private link connection to your clusters is split between Azure (e.g. by using Azure portal), {{ecloud}} Support, and {{ecloud}} UI. These are the high-level steps: +The process of setting up the private connection with Azure Private link is split between Azure (e.g. by using Azure portal), and the {{ecloud}} UI. These are the high-level steps: -| Azure portal | {{ecloud}} UI | +| Azure portal | {{ecloud}} | | --- | --- | -| 1. Create a private endpoint using {{ecloud}} service alias. | | -| 2. Create a [DNS record pointing to the private endpoint](https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone). | | -| | 3. Create an Azure Private Link rule set with the private endpoint **Name** and **ID**. | -| | 4. Associate the Azure Private Link rule set with your deployments. | -| | 5. Interact with your deployments over Private Link. | +| 1. [Create a private endpoint using {{ecloud}} service alias.](#ec-private-link-azure-dns) | | +| 2. [Create a DNS record pointing to the private endpoint](#ec-private-link-azure-dns). | | +| | 3. [Create a private connection policy.](#ec-azure-allow-traffic-from-link-id) | +| | 4. [Associate the Azure Private Link rule set with your deployments](#ec-azure-associate-traffic-filter-private-link-rule-set). | +| | 5. [Interact with your deployments over Private Link.](#ec-azure-access-the-deployment-over-private-link) | -## Create your private endpoint and DNS entries in Azure [ec-private-link-azure-dns] +### Create your private endpoint and DNS entries in Azure [ec-private-link-azure-dns] 1. Create a private endpoint in your VNet using the alias for your region. 
Follow the [Azure instructions](https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal#create-a-private-endpoint) for details on creating a private endpoint to an endpoint service. - Use [the service aliases for your region](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-service-aliases). Select the "Connect to an Azure resource by resource ID or alias" option. For example for the region `eastus2` the service alias is `eastus2-prod-002-privatelink-service.64359fdd-7893-4215-9929-ece3287e1371.eastus2.azure.privatelinkservice` + Use [the service aliases for your region](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-service-aliases). Select the **Connect to an Azure resource by resource ID or alias** option. For example for the region `eastus2` the service alias is `eastus2-prod-002-privatelink-service.64359fdd-7893-4215-9929-ece3287e1371.eastus2.azure.privatelinkservice` ::::{note} - You will notice that the Private Link endpoint is in the `Awaiting Approval` state. We validate and approve the endpoints when you create the ruleset using the Private Link `resource name` and `resource ID`, as described in the next section [Add the Private Link rules to your deployments](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-allow-traffic-from-link-id). + The Private Link endpoint is created in the `Awaiting Approval` state. We validate and approve the endpoints when you create the private connection policy using the Private Link `resource name` and `resource ID`, as described in the next section [Create a private connection policy](#ec-azure-allow-traffic-from-link-id). :::: 2. Create a DNS record. - 1. Create a *Private DNS Zone*. Get the private hosted zone domain name in *Azure Private Link Service Alias* for the name of the zone. For example, in `eastus2`, use `privatelink.eastus2.azure.elastic-cloud.com` as the zone domain name. 
Using this zone domain name is required to ensure certificate names match. - 2. After creating the *Private DNS Zone*, associate the zone with your VNet by creating a [virtual network link](https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal). - 3. Then create a DNS A record pointing to the private endpoint. Use `*` as the record name, `A` as the type, and put the private endpoint IP address as the record value. + 1. Create a private DNS zone. + + Refer to the **Azure Private Link Service Alias** column in the [Azure Private Link Service aliases](#ec-private-link-azure-service-aliases) table for the name of the zone. For example, in `eastus2`, use `privatelink.eastus2.azure.elastic-cloud.com` as the zone domain name. Using this zone domain name is required to ensure certificate names match. + 2. After creating the private DNS zone, associate the zone with your VNet by creating a [virtual network link](https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal). + 3. Create a DNS A record pointing to the private endpoint. Use `*` as the record name, `A` as the type, and put the private endpoint IP address as the record value. Follow the [Azure instructions](https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal#create-an-additional-dns-record) for details on creating an A record which points to your private endpoint IP address. @@ -93,7 +99,7 @@ The process of setting up the Private link connection to your clusters is split :::: - +% START HERE % ## Add the Private Link rules to your deployments [ec-azure-allow-traffic-from-link-id] Follow these high-level steps to add Private Link rules to your deployments. diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 0ecea05144..3c7c6b9ec3 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md 
+++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -32,12 +32,16 @@ Private Service Connect filtering is supported only for Google Cloud regions. Private Service Connect connections are regional, your Private Service Connect endpoint needs to live in the same region as your deployment. The endpoint can be accessed from any region after you enable its [Global Access](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) feature. :::: +:::{tip} +{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. +:::s + ## Private Service Connect URIs [ec-private-service-connect-uris] Service Attachments are set up by Elastic in all supported GCP regions under the following URIs: ::::{dropdown} GCP public regions -| **Region** | **Service Attachment URI** | **Private zone DNS name** | +| Region | Service attachment URI | Private zone DNS name | | --- | --- | --- | | `asia-east1` | `projects/cloud-production-168820/regions/asia-east1/serviceAttachments/proxy-psc-production-asia-east1-v1-attachment` | `psc.asia-east1.gcp.elastic-cloud.com` | | `asia-northeast1` | `projects/cloud-production-168820/regions/asia-northeast1/serviceAttachments/proxy-psc-production-asia-northeast1-v1-attachment` | `psc.asia-northeast1.gcp.cloud.es.io` | 
@@ -102,8 +106,10 @@ Creating a private connection policy and associating it with your deployments al 2. Create a DNS record. - 1. Create a DNS Zone of type **Private**. Set the **DNS name** to Private zone DNS name for your region. For example, in `asia-southeast1`, use `psc.asia-southeast1.gcp.elastic-cloud.com` as the zone domain name. Make sure the zone is associated with your VPC. - 2. Create a DNS record set with an A record pointing to the Private Service Connect endpoint IP. Use `*` as the **DNS name**, `A` as the **Resource Record Type**, and put the Private Service Connect endpoint IP address as the record value. + 1. Create a DNS Zone of type **Private**. + + Refer to the **Private zone DNS name** column in the [Private Service Connect URIs](#ec-private-service-connect-uris) table for the name of the zone. For example, in `asia-southeast1`, use `psc.asia-southeast1.gcp.elastic-cloud.com` as the zone domain name. Make sure the zone is associated with your VPC. + 2. Create a DNS record set with an A record pointing to the Private Service Connect endpoint IP. Use `*` as the **DNS name**, `A` as the **Resource record type**, and put the Private Service Connect endpoint IP address as the record value. Follow the [Google Cloud instructions](https://cloud.google.com/dns/docs/records#adding_a_record) for details on creating an A record which points to your Private Service Connect endpoint IP address. From b1a826305877f4843146bf6f6eeef9eb24e76a58 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Mon, 16 Jun 2025 23:12:35 -0400 Subject: [PATCH 16/38] restore file to quiet ci --- deploy-manage/security/_snippets/create-filter.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 deploy-manage/security/_snippets/create-filter.md diff --git a/deploy-manage/security/_snippets/create-filter.md b/deploy-manage/security/_snippets/create-filter.md new file mode 100644 index 0000000000..e438ad8c12 --- /dev/null 
+++ b/deploy-manage/security/_snippets/create-filter.md @@ -0,0 +1,6 @@ +% NO LONGER USED + +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. From any deployment or project on the home page, select **Manage**. +3. Under the **Features** tab, open the **Network security** page. + % From the left navigation menu, select **Access and security** > **Network security**. \ No newline at end of file From 422b7c7b52eb702a3d6dd9bf25d116c3432fd31b Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Tue, 17 Jun 2025 09:18:02 -0400 Subject: [PATCH 17/38] more --- .../security/gcp-private-service-connect-traffic-filters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 3c7c6b9ec3..66215b8886 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -89,7 +89,7 @@ Creating a private connection policy and associating it with your deployments al * Filter traffic to your deployment or project using VCPE filters. ::: -## Create your Private Service Connect endpoint and DNS entries in Google Cloud [ec-private-service-connect-enpoint-dns] +### Create your Private Service Connect endpoint and DNS entries in Google Cloud [ec-private-service-connect-enpoint-dns] 1. Create a Private Service Connect endpoint in your VPC using the Service Attachment URI for your region. From a95efe9b0108686d2ff72ce45fbed07a1eab885f Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Tue, 17 Jun 2025 10:34:07 -0400 Subject: [PATCH 18/38] checkpoint --- .../aws-privatelink-traffic-filters.md | 94 +++++++------- .../azure-private-link-traffic-filters.md | 115 ++++++++++-------- ...private-service-connect-traffic-filters.md | 106 ++++++++-------- 3 files changed, 159 insertions(+), 156 deletions(-) 
diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 0f7b8f0f93..7ab63538ff 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md 
@@ -171,66 +171,66 @@ The mapping will be different for your region. Our production VPC Service for `u :screenshot: ::: -3. Test the connection. +### Test the connection - 1. Find the endpoint of your deployment or project: - - ::::{tab-set} - :::{tab-item} Hosted deployment - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +1. Find the endpoint of your deployment or project: - 2. Under **Hosted deployments**, find your deployment. + ::::{tab-set} + :::{tab-item} Hosted deployment + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - :::{tip} - If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. - ::: + 2. Under **Hosted deployments**, find your deployment. - 3. Select **Manage**. - 4. In the deployment overview, under **Applications**, find the application that you want to test. - 5. Click **Copy endpoint**. The value looks something like the following: + :::{tip} + If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. + ::: - ``` - https://my-deployment-2f1f1e.es.us-east-2.aws.elastic-cloud.com - ``` + 3. Select **Manage**. + 4. In the deployment overview, under **Applications**, find the application that you want to test. + 5. Click **Copy endpoint**. The value looks something like the following: - In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. - ::: - :::{tab-item} Serverless project + ``` + https://my-deployment-2f1f1e.es.us-east-2.aws.elastic-cloud.com + ``` - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). 
+ In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. + ::: + :::{tab-item} Serverless project - 2. On the home page, under **Serverless projects**, find your project. + 6. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 3. Select **Manage**. - 4. In the project overview, beside **Connection alias**, click **Edit**. - 5. Copy the URL of the application that you want to test. It looks something like the following: + 7. On the home page, under **Serverless projects**, find your project. - ``` - https://serverless-es-b592e9.es.us-east-1.aws.elastic.cloud/ - ``` - ::: - :::: + 8. Select **Manage**. + 9. In the project overview, beside **Connection alias**, click **Edit**. + 10. Copy the URL of the application that you want to test. It looks something like the following: - 2. Access your {{es}} cluster over PrivateLink: + ``` + https://serverless-es-b592e9.es.us-east-1.aws.elastic.cloud/ + ``` + ::: + :::: - * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. - * In all other cases, use the following URL structure: + 2. Access your {{es}} cluster over PrivateLink: - ``` - https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} - ``` - % need to verify this + * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. 
+ * In all other cases, use the following URL structure: + + ``` + https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} + ``` + % need to verify this - For example: + For example: - ```text - https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com - ``` + ```text + https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com + ``` - ::::{tip} - You can use either 443, or 9243 as a port. - :::: + ::::{tip} + You can use either 443, or 9243 as a port. + :::: You can test the AWS console part of the setup using the following cURL command. Make sure to substitute the region and {{es}} ID with your cluster. @@ -383,7 +383,9 @@ The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` t % need to verify this :::: -## Edit a policy [ec-edit-traffic-filter-private-link-rule-set] +## Manage policies + +### Edit a policy [ec-edit-traffic-filter-private-link-rule-set] You can edit a policy's name, description, VPC endpoint ID, and more. @@ -396,7 +398,7 @@ You can edit a policy's name, description, VPC endpoint ID, and more. You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. ::: -## Delete a policy [ec-delete-traffic-filter-private-link-rule-set] +### Delete a policy [ec-delete-traffic-filter-private-link-rule-set] If you need to remove a policy, you must first remove any associations with deployments or projects. 
@@ -406,7 +408,7 @@ To delete a policy: ::: 4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy. -## Remove a policy from your deployment or project [remove-filter-deployment] +### Remove a policy from your deployment or project [remove-filter-deployment] If you want to a specific policy from a deployment or project, or delete the policy, then you need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. To remove an association through the UI: diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index fd7ff058e8..aeafd4ef9f 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md 
@@ -99,24 +99,18 @@ The process of setting up the private connection with Azure Private link is spli :::: -% START HERE % -## Add the Private Link rules to your deployments [ec-azure-allow-traffic-from-link-id] -Follow these high-level steps to add Private Link rules to your deployments. - -1. [Find your private endpoint resource name](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-name). -2. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id). -3. [Create rules using the Private Link Endpoint Resource Name and Resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set). -4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-associate-traffic-filter-private-link-rule-set). -5. [Access the deployment over a Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link). +## Create a private connection policy [ec-azure-allow-traffic-from-link-id] +After you create your private endpoint and DNS entries, you can create a private connection policy in {{ecloud}}. -### Find your private endpoint resource name [ec-find-your-resource-name] - -1. Go to your Private Link Endpoint in the Azure Portal. -2. Select **JSON View**. -3. Copy the value of the top level **name** property. +Follow these high-level steps to add Private Link rules to your deployments. +1. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id). +2. [Create policies using the Private Link Endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set). +3. [Test the connection](#test-the-connection). +4. 
[Associate the private endpoint with your deployment or project](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-associate-traffic-filter-private-link-rule-set). +5. [Access the deployment or project over a Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link). ### Find your private endpoint resource ID [ec-find-your-resource-id] 
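Review bot: In the azure-private-link-traffic-filters.md hunk @@ -99,24 +99,18 @@, the new "## Create a private connection policy" section keeps the old lead sentence "Follow these high-level steps to add Private Link rules to your deployments." while every step below it now says "policy"; change it to "Follow these high-level steps to create a private connection policy and associate it with your deployments or projects." Also note that step 3 links "#test-the-connection" but step 2 links the full page path plus anchor; pick one link style for the list so the anchors are easier to keep in sync when the sections move.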
@@ -133,34 +127,48 @@ Follow these high-level steps to add Private Link rules to your deployments. :alt: Private endpoint Properties :screenshot: ::: +% fix me -### Create rules using the Private Link Endpoint Resource Name and Resource ID [ec-azure-create-traffic-filter-private-link-rule-set] +### Create policies using the Private Link Endpoint resource ID [ec-azure-create-traffic-filter-private-link-rule-set] -When you have your private endpoint name and ID, you can create a Private Link traffic filter rule set. +When you have your private endpoint ID, you can create a private connection policy. ::::{note} -The Private Link connection will be approved automatically after the traffic filter is created. +The Private Link connection will be approved automatically after the private connection policy is created. :::: -1. From the **Account** menu, select **Traffic filters**. -2. Select **Create filter**. -3. Select **Private link endpoint**. -4. Create your rule set, providing a meaningful name and description. -5. Select the region for the rule set. -6. Enter your Private Endpoint Resource Name and Resource ID. -7. Select if this rule set should be automatically attached to new deployments. - - ::::{note} - Each rule set is bound to a particular region and can be only assigned to deployments in the same region. - :::: - -8. (Optional) You can [claim your Private Endpoint Resource Name and Resource ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. +:::{include} _snippets/network-security-page.md +::: +4. Select **Private connection**. +3. Select the resource type that the private connection will be applied to: either hosted deployments or serverless projects. +10. Select the cloud provider and region for the private connection. 
+ + :::{tip} + Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. + ::: +11. Under **Connectivity**, select **Privatelink**. +12. Under **VPCE filter**, enter your rivate Endpoint resource ID. + + If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region. + + :::{tip} + You can assign multiple policies to a single deployment or project. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. + + [Learn more about how network security policies affect your deployment or project](network-security-policies.md). + ::: + +13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. After you associate the filter with a deployment or project, it starts filtering traffic. +14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. +15. Click **Create**. +16. (Optional) You can [claim your Private Endpoint resource ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. Creating the filter approves the Private Link connection. -Let’s test the connection: +After the private link connection is approved, you can optionally [test the connection](#test-the-connection), and then [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. + +### Test the connection 1. 
Find out the {{es}} cluster ID of your deployment. You can do that by selecting **Copy cluster id** in the Cloud UI. It looks something like `9c794b7c08fa494b9990fa3f6f74c2f8`. @@ -236,7 +244,7 @@ Let’s test the connection: ``` -The next step is to [associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployments. +The next step is to [associate the policy](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. ### Associate a Private Link rule set with your deployment [ec-azure-associate-traffic-filter-private-link-rule-set] @@ -246,7 +254,7 @@ To associate a Private Link rule set with your deployment: :::{include} _snippets/associate-filter.md ::: -### Access the deployment over a Private Link [ec-azure-access-the-deployment-over-private-link] +## Access the deployment over a Private Link [ec-azure-access-the-deployment-over-private-link] For traffic to connect with the deployment over Azure Private Link, the client making the request needs to be located within the VNet where you’ve created the private endpoint. You can also setup network traffic to flow through the originating VNet from somewhere else, such as another VNet or a VPN from your corporate network. This assumes that the private endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. 
@@ -279,27 +287,6 @@ Similarly, the {{es}} host needs to be updated to propagate the Private Link URL :::: - - -## Edit a Private Link connection [ec-azure-edit-traffic-filter-private-link-rule-set] - -You can edit a rule set name or to change the endpoint ID. - -:::{include} _snippets/edit-ruleset.md -::: - -### Delete a Private Link rule set [ec-azure-delete-traffic-filter-private-link-rule-set] - -:::{include} _snippets/delete-ruleset.md -::: - - -### Remove a Private Link rule set association from your deployment [remove-filter-deployment] - -:::{include} _snippets/remove-filter.md -::: - - ## Setting up an inter-region Private Link connection [ec-azure-inter-region-private-link] Azure supports inter-region Private Link as described in the [Azure documentation](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview). "The Private Link resource can be deployed in a different region than the virtual network and private endpoint." 
@@ -318,3 +305,23 @@ This means your deployment on {{ecloud}} can be in a different region than the P 2. [Create a traffic filter rule set](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set) and [Associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) through the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body), just as you would for any deployment. 3. [Test the connection](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link) from a VM or client in region 1 to your Private Link endpoint, and it should be able to connect to your {{es}} cluster hosted in region 2. + +## Manage policies + +### Edit a Private Link connection [ec-azure-edit-traffic-filter-private-link-rule-set] + +You can edit a rule set name or to change the endpoint ID. + +:::{include} _snippets/edit-ruleset.md +::: + +### Delete a Private Link rule set [ec-azure-delete-traffic-filter-private-link-rule-set] + +:::{include} _snippets/delete-ruleset.md +::: + + +### Remove a Private Link rule set association from your deployment [remove-filter-deployment] + +:::{include} _snippets/remove-filter.md +::: \ No newline at end of file diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 66215b8886..d701b9134a 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -8,7 +8,6 @@ applies_to: serverless: ga products: - id: cloud-hosted - - id: cloud-serverless navigation_title: GCP Private Service Connect sub: policy-type: "Private connection" 
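Review bot: In the gcp-private-service-connect-traffic-filters.md hunk @@ -8,7 +8,6 @@, removing `- id: cloud-serverless` from `products` contradicts the `applies_to: serverless: ga` line kept two lines above it and the tip added to this same page in an earlier patch ("{{ech}} and {{serverless-full}} also support IP filters ... a single {{ecloud}} resource"). Either the page applies to serverless and the product id should stay, or it does not and the `applies_to` entry and the serverless wording in the body should go too; as committed, the front matter is inconsistent with the page.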
@@ -113,58 +112,58 @@ Creating a private connection policy and associating it with your deployments al Follow the [Google Cloud instructions](https://cloud.google.com/dns/docs/records#adding_a_record) for details on creating an A record which points to your Private Service Connect endpoint IP address. -3. Test the connection. +### Test the connection - 1. Find the ID of your deployment's {{es}} cluster, or the ID of your project: - - ::::{tab-set} - :::{tab-item} Hosted deployment - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +1. Find the ID of your deployment's {{es}} cluster, or the ID of your project: - 2. Under **Hosted deployments**, find your deployment. + ::::{tab-set} + :::{tab-item} Hosted deployment + 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - :::{tip} - If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. - ::: + 2. Under **Hosted deployments**, find your deployment. - 3. Select **Manage**. - 4. In the deployment overview, under **Applications**, find the application that you want to test. - 5. Click **Copy cluster ID**. The value looks something like the following: + :::{tip} + If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. + ::: - ``` - be36ce6c84434913a5a40f3f1521b6e5 - ``` - ::: - :::{tab-item} Serverless project + 3. Select **Manage**. + 4. In the deployment overview, under **Applications**, find the application that you want to test. + 5. Click **Copy cluster ID**. The value looks something like the following: - 6. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). 
+ ``` + be36ce6c84434913a5a40f3f1521b6e5 + ``` + ::: + :::{tab-item} Serverless project - 7. On the home page, under **Serverless projects**, find your project. + 6. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 8. Select **Manage**. - 9. In the project overview, beside **Project ID**, click **Copy**. The value looks something like the following: + 7. On the home page, under **Serverless projects**, find your project. - ``` - fbb9f6535def41119fb00a475d2fb976 - ``` - ::: - :::: + 8. Select **Manage**. + 9. In the project overview, beside **Project ID**, click **Copy**. The value looks something like the following: + + ``` + fbb9f6535def41119fb00a475d2fb976 + ``` + ::: + :::: - 2. Access your cluster or project over Private Link: + 2. Access your cluster or project over Private Link: - * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. - * In all other cases, use the following URL structure: + * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. + * In all other cases, use the following URL structure: - ``` - https://{{cluster_or_project_ID}}.{private_hosted_zone_domain_name}:9243 - ``` - % need to verify this + ``` + https://{{cluster_or_project_ID}}.{private_hosted_zone_domain_name}:9243 + ``` + % need to verify this - For example: + For example: - ```text - https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 - ``` + ```text + https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 + ``` You can test the Google Cloud console part of the setup with the following command. Make sure to substitute the region and ID with your cluster or project information. 
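Review bot: In the "Test the connection" hunk, promoting `3. Test the connection.` to a `### Test the connection` heading leaves the list structure inconsistent: `1. Find the ID of your deployment's {{es}} cluster, or the ID of your project:` is now a top-level step, but `2. Access your cluster or project over Private Link:` is still indented as a sub-step, and the Serverless tab item continues numbering at `6. Log in to the ...` after the Hosted tab ends at 5, so each tab-item should restart at 1. In the same hunk: this is the GCP page, so `over Private Link` should read `over Private Service Connect`; the URL placeholder mixes brace styles (`{{cluster_or_project_ID}}.{private_hosted_zone_domain_name}`); and the `% need to verify this` comment survives the re-indent, which suggests the URL structure has not been verified before merge.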
@@ -188,7 +187,7 @@ Creating a private connection policy and associating it with your deployments al The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet. % verify -## Optional: Create a private connection policy +## Optional: Create a private connection policy [ec-private-service-connect-allow-from-psc-connection-id] After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}. @@ -199,13 +198,11 @@ Creating a private connection policy and associating it with your deployments al * Record that you've established private connectivity between GCP and Elastic in the applicable region. * Filter traffic to your deployment or project using VCPE filters. -### Add a private connection policy [ec-private-service-connect-allow-from-psc-connection-id] - -Follow these high-level steps to add private link rules to your deployments. +Follow these high-level steps to a private connection policy to your deployments or projects. 1. Optional: [Find your Private Service Connect connection ID](#ec-find-your-psc-connection-id). -2. [Create rules using the Private Service Connect endpoint connection ID](#ec-psc-create-traffic-filter-psc-rule-set). -3. [Associate the Private Service Connect endpoint with your deployment](#ec-psc-associate-traffic-filter-psc-rule-set). +2. [Create policies using the Private Service Connect endpoint connection ID](#ec-psc-create-traffic-filter-psc-rule-set). +3. [Associate the Private Service Connect endpoint with your deployment or project](#ec-psc-associate-traffic-filter-psc-rule-set). ### Optional: Find your Private Service Connect connection ID [ec-find-your-psc-connection-id] 
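Review bot: In the `## Optional: Create a private connection policy` hunk, the context sentence `After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}.` is on the GCP page and should say `Private Service Connect connection`. The `% verify` comment on the preceding 403 explanation is also still in place; resolve it or remove it before merge.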
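Review bot: The rewritten intro line in the -199 hunk is missing its verb: `Follow these high-level steps to a private connection policy to your deployments or projects.` should read `Follow these high-level steps to add a private connection policy to your deployments or projects.` With the `[ec-private-service-connect-allow-from-psc-connection-id]` anchor moved from the deleted `### Add a private connection policy` heading onto the `##` heading, check that nothing else in the docs links to the old subsection by heading text.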
@@ -241,16 +238,11 @@ Create a new private connection policy. 13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. If you specified a VPCE filter, then after you associate the filter with a deployment or project, it starts filtering traffic. 14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. 15. Click **Create**. -16. (Optional) You can [claim your Private Service Connect endpoint connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. +16. (Optional) You can [claim your Private Service Connect endpoint connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. - -### Optional: Associate a policy with a deployment or project [ec-psc-associate-traffic-filter-psc-rule-set] - -To associate a private link rule set with your deployment: - -### Optional: Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] +### Associate a policy with a deployment or project [ec-psc-associate-traffic-filter-psc-rule-set] You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. 
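Review bot: This hunk deletes the duplicate heading that carried the `[ec-associate-traffic-filter-private-link-rule-set]` anchor, but the context line directly above it still links to that anchor: `The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project.` The surviving heading is `### Associate a policy with a deployment or project [ec-psc-associate-traffic-filter-psc-rule-set]`, so change the link to `#ec-psc-associate-traffic-filter-psc-rule-set` (the step-3 link in the -199 hunk already uses that anchor). Also, step 16 uses `(Optional)` while step 13 and the section headings use `Optional:`; pick one style.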
@@ -271,7 +263,7 @@ If the policy doesn't contain a VCPE filter, then the association can serve as a 6. Under **Apply to resources**, associate the policy with one or more deployments or projects. 7. Click **Update** to save your changes. -### Access the deployment or project over the Private Service Connect [ec-psc-access-the-deployment-over-psc] +## Access the deployment or project over the Private Service Connect [ec-psc-access-the-deployment-over-psc] For traffic to connect with the deployment or project over Private Service Connect, the client making the request needs to be located within the VPC where you’ve created the Private Service Connect endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or a VPN from your corporate network. This assumes that the Private Service Connect endpoint and the DNS record are also available within that context. Check your cloud service provider documentation for setup instructions. @@ -308,7 +300,9 @@ The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` t :::: -## Edit a policy [ec-edit-traffic-filter-psc-rule-set] +## Manage policies + +### Edit a policy [ec-edit-traffic-filter-psc-rule-set] You can edit a policy's name, description, VPC endpoint ID, and more. @@ -321,7 +315,7 @@ You can edit a policy's name, description, VPC endpoint ID, and more. You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. ::: -## Delete a policy [ec-delete-traffic-filter-psc-rule-set] +### Delete a policy [ec-delete-traffic-filter-psc-rule-set] If you need to remove a policy, you must first remove any associations with deployments. 
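Review bot: In the -271 hunk, the promoted heading `## Access the deployment or project over the Private Service Connect` carries a stray article; the body text in the same hunk says `over Private Service Connect`, so drop `the` from the heading.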
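Review bot: In the -321 hunk, the context sentence `If you need to remove a policy, you must first remove any associations with deployments.` should say `deployments or projects`, since this page (unlike the AWS page) still documents serverless projects throughout; the demoted `### Delete a policy` heading under the new `## Manage policies` is fine.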
@@ -331,7 +325,7 @@ To delete a policy: ::: 4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy. -## Remove a policy from your deployment or project [remove-filter-deployment] +### Remove a policy from your deployment or project [remove-filter-deployment] If you want to a specific policy from a deployment or project, or delete the policy, then you need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. To remove an association through the UI: From 8cb424f069ad89d74c3edcfa299306f3ee22e1c8 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Tue, 17 Jun 2025 14:35:02 -0400 Subject: [PATCH 19/38] more --- deploy-manage/_snippets/ecloud-security.md | 4 +- .../associate-filter-from-resource.md | 8 + .../security/_snippets/associate-filter.md | 24 -- .../security/_snippets/find-endpoint.md | 17 ++ .../_snippets/private-connection-fleet.md | 15 ++ .../security/_snippets/private-url-struct.md | 19 ++ .../aws-privatelink-traffic-filters.md | 253 ++++++------------ .../azure-private-link-traffic-filters.md | 46 ++-- ...private-service-connect-traffic-filters.md | 213 +++++++-------- .../secure-your-cluster-deployment.md | 2 +- 10 files changed, 265 insertions(+), 336 deletions(-) create mode 100644 deploy-manage/security/_snippets/associate-filter-from-resource.md delete mode 100644 deploy-manage/security/_snippets/associate-filter.md create mode 100644 deploy-manage/security/_snippets/find-endpoint.md create mode 100644 deploy-manage/security/_snippets/private-connection-fleet.md create mode 100644 deploy-manage/security/_snippets/private-url-struct.md diff --git a/deploy-manage/_snippets/ecloud-security.md b/deploy-manage/_snippets/ecloud-security.md index 7f67cabaf8..415fe5a63a 100644 --- a/deploy-manage/_snippets/ecloud-security.md 
+++ b/deploy-manage/_snippets/ecloud-security.md @@ -1,9 +1,9 @@ {{ecloud}} has built-in security. For example, HTTPS communications between {{ecloud}} and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest. -In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](/deploy-manage/security/cloud-ip-filter.md) to prevent unauthorized access to your deployments and projects. +In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](/deploy-manage/security/ip-filtering-cloud.md) to prevent unauthorized access to your deployments and projects. In {{ech}}, you can augment these security features in the following ways: -* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your Elastic Cloud deployments and projects to communicate with other cloud services, and restrict traffic to deployments and projects based on those private connections. +* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your Elastic Cloud deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections. * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores. * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. diff --git a/deploy-manage/security/_snippets/associate-filter-from-resource.md b/deploy-manage/security/_snippets/associate-filter-from-resource.md new file mode 100644 index 0000000000..4b30a99a4e 
--- /dev/null +++ b/deploy-manage/security/_snippets/associate-filter-from-resource.md @@ -0,0 +1,8 @@ +::::{tab-set} +:group: hosted-serverless + +1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Security** page, under **Network security**, select **Apply policies** > **{{policy-type}}**. +3. Choose the policy you want to apply and select **Apply**. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/associate-filter.md b/deploy-manage/security/_snippets/associate-filter.md deleted file mode 100644 index cc87a73b28..0000000000 --- a/deploy-manage/security/_snippets/associate-filter.md +++ /dev/null 
@@ -1,24 +0,0 @@ -::::{tab-set} -:group: hosted-serverless - -:::{tab-item} Serverless project -:sync: serverless - -1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. -2. On the **Network security** page, select **Apply policies** > **{{policy-type}}**. -3. Choose the policy you want to apply and select **Apply**. -::: - -:::{tab-item} Hosted deployment -:sync: hosted - -1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. -2. On the **Security** page, under **Network security**, select **Apply policies** > **{{policy-type}}**. -3. Choose the policy you want to apply and select **Apply**. -::: - -:::: \ No newline at end of file diff --git a/deploy-manage/security/_snippets/find-endpoint.md b/deploy-manage/security/_snippets/find-endpoint.md new file mode 100644 index 0000000000..dcf5b50024 --- /dev/null +++ b/deploy-manage/security/_snippets/find-endpoint.md 
@@ -0,0 +1,17 @@ +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). + +2. Under **Hosted deployments**, find your deployment. + +:::{tip} +If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. +::: + +3. Select **Manage**. +4. In the deployment overview, under **Applications**, find the application that you want to test. +5. Click **Copy endpoint**. The value looks something like the following: + +``` +https://my-deployment-d53192.es.us-east-2.aws.elastic-cloud.com +``` + +In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/private-connection-fleet.md b/deploy-manage/security/_snippets/private-connection-fleet.md new file mode 100644 index 0000000000..5596c6d907 --- /dev/null +++ b/deploy-manage/security/_snippets/private-connection-fleet.md 
@@ -0,0 +1,15 @@ +If you are using {{service-name}} together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the {{service-name}} URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the {{service-name}} URL. + +The URL needs to follow this pattern: + +```text +https://{{fleet_component_ID_or_deployment_alias}}.fleet.{{private_hosted_zone_domain_name}}:443` +``` + +Similarly, the {{es}} host needs to be updated to propagate the PrivateLink URL. The {{es}} URL needs to follow this pattern: + +```text +https://elasticsearch_cluster_ID_or_deployment_alias}}.es.{{private_hosted_zone_domain_name}}:443 +``` + +The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are not available in the {{kib}} settings in {{ecloud}}. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/private-url-struct.md b/deploy-manage/security/_snippets/private-url-struct.md new file mode 100644 index 0000000000..53c3e0e407 --- /dev/null +++ b/deploy-manage/security/_snippets/private-url-struct.md 
@@ -0,0 +1,19 @@ +* If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. +* If you don't have a custom endpoint alias, then use the following URL structure. This URL is built from endpoint information retrieved from your Elastic deployment and the private hosted zone domain name that you registered. + + ``` + https://{{alias}}.{{product}}.{{private_hosted_zone_domain_name}} + ``` + + For example: + + ```text subs=true + https://my-deployment-d53192.es.{{example-phz-dn}} + ``` + + +::::{tip} +You can use either 443 or 9243 as a port. + +You can also connect to the cluster using the {{es}} cluster ID, for example, https://6b111580caaa4a9e84b18ec7c600155e.{{example-phz-dn}} +:::: \ No newline at end of file diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 7ab63538ff..a9809a4439 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md 
@@ -5,27 +5,27 @@ mapped_pages: applies_to: deployment: ess: ga - serverless: ga products: - id: cloud-hosted - - id: cloud-serverless navigation_title: AWS PrivateLink sub: policy-type: "Private connection" + service-name: "AWS PrivateLink" + example-phz-dn: "vpce.us-east-1.aws.elastic-cloud.com" --- # AWS PrivateLink private connections -You can use AWS PrivateLink to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other AWS services. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. +You can use AWS PrivateLink to establish a secure connection for your {{ecloud}} deployments to communicate with other AWS services. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. AWS PrivateLink connects your Virtual Private Cloud (VPC) to the AWS-hosted services that you use, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access AWS-hosted services. -You can also optionally filter traffic to your deployments and projects by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment or project to the VCPE specified in the policy, as well as any other policies applied to the deployment or project. +You can also optionally filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other policies applied to the deployment. -To learn how private connection policies impact your deployment or project, refer to [](/deploy-manage/security/network-security-policies.md). +To learn how private connection policies impact your deployment, refer to [](/deploy-manage/security/network-security-policies.md). 
:::{tip} -{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. +{{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. ::: ## Considerations @@ -34,7 +34,7 @@ Before you begin, review the following considerations: ### Private connections and regions -Private connections over AWS PrivateLink are only supported only for AWS regions. Elastic does not yet support cross-region AWS PrivateLink connections. Your PrivateLink endpoint needs to be in the same region as your target deployments or projects. Additional details can be found in the [AWS VPCE Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations). +Private connections over AWS PrivateLink are only supported only for AWS regions. Elastic does not yet support cross-region AWS PrivateLink connections. Your PrivateLink endpoint needs to be in the same region as your target deployments. Additional details can be found in the [AWS VPCE Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations). AWS interface virtual private connection (VPC) endpoints are configured for one or more availability zones (AZ). In some regions, our VPC endpoint service is not present in all the possible AZs that a region offers. You can only choose AZs that are common on both sides. As the names of AZs (for example `us-east-1a`) differ between AWS accounts, the following list of AWS regions shows the ID (e.g. `use1-az4`) of each available AZ for the service. 
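Review bot: The -5 hunk keeps `virtual private connection endpoint (VCPE) filters` in the rewritten sentence, but the AWS term is a VPC (Virtual Private Cloud) endpoint, abbreviated VPCE, which is also what the UI label `**VPCE filter**` later in this file uses; the same file then says `If you specified a VPCE filter` in one hunk and `If the policy contains a VCPE filter` in the next. Use `VPC endpoint (VPCE)` throughout, defined once next to the existing `Virtual Private Cloud (VPC)` sentence. The `VCPE` spelling also appears in the ecloud-security.md hunk and on the GCP page, so fix it series-wide rather than per file.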
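Review bot: The -34 hunk's rewritten first sentence still reads `Private connections over AWS PrivateLink are only supported only for AWS regions.`; drop one `only`. The context paragraph that follows expands VPC as `virtual private connection (VPC) endpoints`, which is wrong; it should be `virtual private cloud (VPC) endpoints` to match the `Virtual Private Cloud (VPC)` definition above.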
@@ -91,14 +91,14 @@ PrivateLink Service is set up by Elastic in all supported AWS regions under the ## Set up a private connection -The process of setting up a private connection with AWS PrivateLink is split between AWS (e.g. by using AWS console) and the {{ecloud}} UI. These are the high-level steps: +The process of setting up a private connection with AWS PrivateLink is split between the AWS console and the {{ecloud}} UI. These are the high-level steps: | AWS console | {{ecloud}} | | --- | --- | | 1. [Create a VPC endpoint using {{ecloud}} service name.](#ec-aws-vpc-dns) | | | 2. [Create a DNS record pointing to the VPC endpoint.](#ec-aws-vpc-dns) | | | | 3. **Optional**: [Create a private connection policy.](ec-add-vpc-elastic)

A private connection policy is required to filter traffic using the VCP endpoint ID. | -| | 4. **Optional**: [Associate the private connection policy with deployments or projects](#ec-associate-traffic-filter-private-link-rule-set). | +| | 4. **Optional**: [Associate the private connection policy with deployments](#ec-associate-traffic-filter-private-link-rule-set). | | | 5. [Interact with your deployments over PrivateLink](#ec-access-the-deployment-over-private-link). | After you create your private connection policy, you can [edit](#ec-edit-traffic-filter-private-link-rule-set), [disconnect](#remove-filter-deployment), or [delete](#ec-delete-traffic-filter-private-link-rule-set) it. @@ -109,7 +109,7 @@ Private connection policies are optional for AWS PrivateLink. After the VPC endp Creating a private connection policy and associating it with your deployments allows you to do the following: * Record that you've established private connectivity between AWS and Elastic in the applicable region. -* Filter traffic to your deployment or project using VCPE filters. +* Filter traffic to your deployment using VCPE filters. ::: 
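Review bot: In the -91 hunk's table, the step-3 link `[Create a private connection policy.](ec-add-vpc-elastic)` is missing the leading `#`, so it renders as a relative link to a file named `ec-add-vpc-elastic` rather than the in-page anchor that the `## Optional: Create a private connection policy [ec-add-vpc-elastic]` heading change later in this file introduces. Steps 1 and 2 in the same table both link to `#ec-aws-vpc-dns`; if creating the VPC endpoint has its own section, step 1 should point at it.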
@@ -172,87 +172,39 @@ The mapping will be different for your region. Our production VPC Service for `u ::: ### Test the connection - -1. Find the endpoint of your deployment or project: - - ::::{tab-set} - :::{tab-item} Hosted deployment - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - - 2. Under **Hosted deployments**, find your deployment. - - :::{tip} - If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. - ::: - - 3. Select **Manage**. - 4. In the deployment overview, under **Applications**, find the application that you want to test. - 5. Click **Copy endpoint**. The value looks something like the following: - - ``` - https://my-deployment-2f1f1e.es.us-east-2.aws.elastic-cloud.com - ``` - - In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. - ::: - :::{tab-item} Serverless project - - 6. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - - 7. On the home page, under **Serverless projects**, find your project. - - 8. Select **Manage**. - 9. In the project overview, beside **Connection alias**, click **Edit**. - 10. Copy the URL of the application that you want to test. It looks something like the following: - - ``` - https://serverless-es-b592e9.es.us-east-1.aws.elastic.cloud/ - ``` - ::: - :::: - - 2. Access your {{es}} cluster over PrivateLink: - - * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. 
- * In all other cases, use the following URL structure: - - ``` - https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} - ``` - % need to verify this - - For example: - - ```text - https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com - ``` +After you create your VPC endpoint and DNS entries, check that you are able to reach your cluster over PrivateLink. - ::::{tip} - You can use either 443, or 9243 as a port. - :::: +:::{include} _snippets/private-url-struct.md +To test the connection: -You can test the AWS console part of the setup using the following cURL command. Make sure to substitute the region and {{es}} ID with your cluster. +1. If needed, find the endpoint of an application in your deployment: + + :::{include} _snippets/find-endpoint.md + ::: -**Request** -```sh -$ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -``` -**Response** -```sh -* Server certificate: -* subject: CN=*.us-east-1.aws.elastic-cloud.com -* SSL certificate verify ok. -.. -{"ok":false,"message":"Forbidden"} -* Connection #0 to host my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com left intact -``` +2. Test the setup using the following cURL command. Make sure to replace the URL with your custom endpoint URL, or with your deployment's endpoint information and the private hosted zone domain name that you registered. + + **Request** + ```sh + $ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com + ``` + **Response** + ```sh + * Server certificate: + * subject: CN=*.us-east-1.aws.elastic-cloud.com + * SSL certificate verify ok. + .. + {"ok":false,"message":"Forbidden"} + * Connection #0 to host my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com left intact + ``` The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet. 
+ % needs to be edited -## Optional: Create a private connection policy +## Optional: Create a private connection policy [ec-add-vpc-elastic] After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}. @@ -261,11 +213,9 @@ Private connection policies are optional for AWS PrivateLink. After the VPC endp Creating a private connection policy and associating it with your deployments allows you to do the following: * Record that you've established private connectivity between AWS and Elastic in the applicable region. -* Filter traffic to your deployment or project using VCPE filters. - -### Add a private connection policy [ec-add-vpc-elastic] +* Filter traffic to your deployment using VCPE filters. -Follow these high-level steps to add a private connection policy that can be associated with your deployment or project. +Follow these high-level steps to add a private connection policy that can be associated with your deployment. 1. Optional: [Find your VPC endpoint ID](#ec-find-your-endpoint). 2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set). @@ -273,7 +223,7 @@ Follow these high-level steps to add a private connection policy that can be ass #### Optional: Find your VPC endpoint ID [ec-find-your-endpoint] -The VPC endpoint ID is only required if you want to filter traffic to your deployment or project using VCPE filters. +The VPC endpoint ID is only required if you want to filter traffic to your deployment using VCPE filters. You can find your VPC endpoint ID in the AWS console: 
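Review bot: In the -172 hunk the include directive is never closed: `+:::{include} _snippets/private-url-struct.md` is followed directly by `+To test the connection:` with no `:::` line, so the directive swallows the list that follows (the same include in the -331 hunk is closed correctly). Add the closing `:::` after the include. The `+ % needs to be edited` comment added under the 403 explanation should also be resolved or dropped before merge, and the new `[ec-add-vpc-elastic]` anchor on the `##` heading needs the table link in the -91 hunk to be prefixed with `#` to actually resolve.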
@@ -289,39 +239,39 @@ Create a new private connection policy. :::{include} _snippets/network-security-page.md ::: 4. Select **Private connection**. -3. Select the resource type that the private connection will be applied to: either hosted deployments or serverless projects. +3. Select the resource type that the private connection will be applied to. Currently, only hosted deployments are supported. 10. Select the cloud provider and region for the private connection. :::{tip} - Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. + Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. ::: 11. Under **Connectivity**, select **Privatelink**. -12. Optional: Under **VPCE filter**, enter your VPC endpoint ID. You should only specify a VPC endpoint ID if you want to filter traffic to your deployment or project. +12. Optional: Under **VPCE filter**, enter your VPC endpoint ID. You should only specify a VPC endpoint ID if you want to filter traffic to your deployment. If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region. :::{tip} - You can assign multiple policies to a single deployment or project. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. + You can assign multiple policies to a single deployment. 
The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. - [Learn more about how network security policies affect your deployment or project](network-security-policies.md). + [Learn more about how network security policies affect your deployment](network-security-policies.md). ::: -13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. If you specified a VPCE filter, then after you associate the filter with a deployment or project, it starts filtering traffic. -14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. +13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. If you specified a VPCE filter, then after you associate the filter with a deployment, it starts filtering traffic. +14. To automatically attach this private connection policy to new deployments, select **Apply by default**. 15. Click **Create**. 16. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. -The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. +The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment. 
-### Optional: Associate a policy with a deployment or project [ec-associate-traffic-filter-private-link-rule-set] +### Optional: Associate a policy with a deployment [ec-associate-traffic-filter-private-link-rule-set] -You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. +You can associate a network security policy with your deployment from the policy's settings, or from your deployment's settings. -If the policy contains a VCPE filter, then after you associate the policy with a deployment or project, it starts filtering traffic. +If the policy contains a VCPE filter, then after you associate the policy with a deployment, it starts filtering traffic. -If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a VCP endpoint exists for the deployment or project's region. +If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a VCP endpoint exists for the deployment's region. -#### From a deployment or project +#### From a deployment :::{include} _snippets/associate-filter-from-resource.md ::: 
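Review bot: In the -289 hunk, the added line `If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a VCP endpoint exists for the deployment's region.` has `VCP endpoint` for `VPC endpoint`. Step 16 in the same hunk still says `so that no other organization is able to use it in a traffic filter ruleset`, which the GCP page's equivalent hunk already changed to `private connection policy`; update it here too. The step numbers in this list run `4. Select **Private connection**.`, `3. Select the resource type ...`, `10. Select the cloud provider ...`, so the rendered numbering depends on the renderer; renumber them sequentially. Finally, the AWS heading keeps `### Optional: Associate a policy with a deployment` while the GCP page drops `Optional:` in its equivalent hunk; the two pages should agree.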
@@ -331,60 +281,49 @@ If the policy doesn't contain a VCPE filter, then the association can serve as a :::{include} _snippets/network-security-page.md ::: 5. Find the policy you want to edit. -6. Under **Apply to resources**, associate the policy with one or more deployments or projects. +6. Under **Apply to resources**, associate the policy with one or more deployments. 7. Click **Update** to save your changes. -## Access the deployment or project over a PrivateLink [ec-access-the-deployment-over-private-link] +## Access the deployment over a PrivateLink [ec-access-the-deployment-over-private-link] -For traffic to connect with the deployment or project over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. +For traffic to connect with the deployment over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. ::::{important} -Use the alias you’ve set up as CNAME DNS record to access your deployment or project. +Use the alias you’ve set up as CNAME DNS record to access your deployment. :::: - * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. 
- * In all other cases, use the following URL structure: - - ``` - https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} - ``` - % need to verify this - - For example: - - ```text - https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com - ``` - - - ::::{tip} - You can use either 443, or 9243 as a port. - :::: +:::{include} _snippets/private-url-struct.md +::: +To access the deployment: -Request: -```sh -$ curl -u 'username:password' -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -``` +1. If needed, find the endpoint of an application in your deployment: + + :::{include} _snippets/find-endpoint.md + ::: -Response: -``` -< HTTP/1.1 200 OK -.. -``` +2. Send a request: -::::{note} -If you are using AWS PrivateLink together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the PrivateLink URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the PrivateLink URL. The URL needs to follow this pattern: `https://.fleet.:443`. + **Request** + ```sh + $ curl -u 'username:password' -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com + ``` -Similarly, the {{es}} host needs to be updated to propagate the PrivateLink URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`. + **Response** + ``` + < HTTP/1.1 200 OK + .. + ``` -The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [{{kib}} settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md). 
+### AWS PrivateLink and Fleet -% need to verify this -:::: +:::{include} _snippets/private-connection-fleet.md +::: ## Manage policies +After you create your private connection policy, you can edit it, remove it from your deployment, or delete it. + ### Edit a policy [ec-edit-traffic-filter-private-link-rule-set] You can edit a policy's name, description, VPC endpoint ID, and more. 
@@ -398,41 +337,17 @@ You can edit a policy's name, description, VPC endpoint ID, and more. You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. ::: -### Delete a policy [ec-delete-traffic-filter-private-link-rule-set] - -If you need to remove a policy, you must first remove any associations with deployments or projects. - -To delete a policy: - -:::{include} _snippets/network-security-page.md -::: -4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy. - -### Remove a policy from your deployment or project [remove-filter-deployment] - -If you want to a specific policy from a deployment or project, or delete the policy, then you need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. To remove an association through the UI: +### Remove a policy from your deployment [remove-filter-deployment] -#### From your deployment or project +If you want to a specific policy from a deployment, or delete the policy, then you need to disconnect it from any associated deployments first. You can do this from the policy's settings, or from your deployment's settings. To remove an association through the UI: -::::{tab-set} -:group: hosted-serverless -:::{tab-item} Serverless project -:sync: serverless -1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus. +#### From your deployment - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. -2. On the **Network security** page, find the IP filter policy that you want to disconnect. -3. 
Under **Actions**, click the **Delete** icon. -::: -:::{tab-item} Hosted deployment -:sync: hosted 1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. 2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect. 3. Under **Actions**, click the **Delete** icon. -::: -:::: #### From the IP filter policy settings @@ -442,3 +357,13 @@ If you want to a specific policy from a deployment or project, or delete the pol 6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect. 7. Click **Update** to save your changes. + +### Delete a policy [ec-delete-traffic-filter-private-link-rule-set] + +If you need to remove a policy, you must first remove any associations with deployments. + +To delete a policy: + +:::{include} _snippets/network-security-page.md +::: +4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy. \ No newline at end of file diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index aeafd4ef9f..c2b1373f4f 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md @@ -5,10 +5,8 @@ mapped_pages: applies_to: deployment: ess: ga - serverless: ga products: - id: cloud-hosted - - id: cloud-serverless navigation_title: Azure Private Link sub: policy-type: "Private connection" 
@@ -16,22 +14,24 @@ sub: # Azure Private Link traffic filters -You can use Azure Private Link to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other Azure services. Azure routes the Private Link traffic within the Azure data center and never exposes it to the public internet. +You can use Azure Private Link to establish a secure connection for your {{ecloud}} deployments to communicate with other Azure services. Azure routes the Private Link traffic within the Azure data center and never exposes it to the public internet. Azure Private Link establishes a secure connection between two Azure VNets. The VNets can belong to separate accounts, for example a service provider and their service consumers. Azure routes the Private Link traffic within the Azure data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers. Private Link is a connection between an Azure Private Endpoint and a Azure Private Link Service. -You can also optionally filter traffic to your deployments and projects by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment or project to the VCPE specified in the policy, as well as any other policies applied to the deployment or project. +You can also optionally filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other policies applied to the deployment. -To learn how private connection policies impact your deployment or project, refer to [](/deploy-manage/security/network-security-policies.md). 
+To learn how private connection policies impact your deployment, refer to [](/deploy-manage/security/network-security-policies.md). :::{tip} -Azure Private Link filtering is supported only for Azure regions. - -{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. +{{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. ::: +## Considerations + +Azure Private Link filtering is supported only for Azure regions. + ## Azure Private Link Service aliases [ec-private-link-azure-service-aliases] @@ -109,8 +109,8 @@ Follow these high-level steps to add Private Link rules to your deployments. 1. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id). 2. [Create policies using the Private Link Endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set). 3. [Test the connection](#test-the-connection). -4. [Associate the private endpoint with your deployment or project](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-associate-traffic-filter-private-link-rule-set). -5. [Access the deployment or project over a Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link). +4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-associate-traffic-filter-private-link-rule-set). +5. [Access the deployment over a Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link). ### Find your private endpoint resource ID [ec-find-your-resource-id] 
@@ -142,31 +142,31 @@ The Private Link connection will be approved automatically after the private con :::{include} _snippets/network-security-page.md ::: 4. Select **Private connection**. -3. Select the resource type that the private connection will be applied to: either hosted deployments or serverless projects. -10. Select the cloud provider and region for the private connection. +5. Select the resource type that the private connection will be applied to. Currently, only hosted deployments are supported. +6. Select the cloud provider and region for the private connection. :::{tip} - Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. + Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. ::: -11. Under **Connectivity**, select **Privatelink**. -12. Under **VPCE filter**, enter your rivate Endpoint resource ID. +7. Under **Connectivity**, select **Privatelink**. +8. Under **VPCE filter**, enter your rivate Endpoint resource ID. If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region. :::{tip} - You can assign multiple policies to a single deployment or project. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. + You can assign multiple policies to a single deployment. The policies can be of different types. 
In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. - [Learn more about how network security policies affect your deployment or project](network-security-policies.md). + [Learn more about how network security policies affect your deployment](network-security-policies.md). ::: -13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. After you associate the filter with a deployment or project, it starts filtering traffic. -14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. -15. Click **Create**. -16. (Optional) You can [claim your Private Endpoint resource ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. +9. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. After you associate the filter with a deployment, it starts filtering traffic. +10. To automatically attach this private connection policy to new deployments, select **Apply by default**. +11. Click **Create**. +12. (Optional) You can [claim your Private Endpoint resource ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. Creating the filter approves the Private Link connection. -After the private link connection is approved, you can optionally [test the connection](#test-the-connection), and then [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. 
+After the private link connection is approved, you can optionally [test the connection](#test-the-connection), and then [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment. ### Test the connection @@ -244,7 +244,7 @@ After the private link connection is approved, you can optionally [test the conn ``` -The next step is to [associate the policy](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. +The next step is to [associate the policy](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployment. ### Associate a Private Link rule set with your deployment [ec-azure-associate-traffic-filter-private-link-rule-set] diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index d701b9134a..da451d9104 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md 
@@ -11,29 +11,31 @@ products: navigation_title: GCP Private Service Connect sub: policy-type: "Private connection" + service-name: "Private Service Connect" + example-phz-dn: ".psc.asia-southeast1.gcp.elastic-cloud.com" --- # GCP Private Service Connect private connections -You can use GCP Private Service Connect to establish a secure connection for your {{ecloud}} deployments and projects to communicate with other GCP services. GCP routes the Private Link traffic within the GCP data center and never exposes it to the public internet. +You can use GCP Private Service Connect to establish a secure connection for your {{ecloud}} deployments to communicate with other GCP services. GCP routes the Private Link traffic within the GCP data center and never exposes it to the public internet. GCP Private Service Connect connects your Virtual Private Cloud (VPC) to the GCP-hosted services that you use, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access GCP-hosted services. -You can also optionally filter traffic to your deployments and projects by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment or project to the VCPE specified in the policy, as well as any other policies applied to the deployment or project. +You can also optionally filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other policies applied to the deployment. Private Link is a connection between a Private Service Connect Endpoint and a Service Attachment. [Learn more about using Private Service Connect on Google Cloud](https://cloud.google.com/vpc/docs/private-service-connect#benefits-services). 
-To learn how private connection policies impact your deployment or project, refer to [](/deploy-manage/security/network-security-policies.md). +To learn how private connection policies impact your deployment, refer to [](/deploy-manage/security/network-security-policies.md). -::::{tip} -Private Service Connect filtering is supported only for Google Cloud regions. +:::{tip} +{{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. +::: -Private Service Connect connections are regional, your Private Service Connect endpoint needs to live in the same region as your deployment. The endpoint can be accessed from any region after you enable its [Global Access](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) feature. -:::: +## Considerations -:::{tip} -{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. -:::s +* Private Service Connect filtering is supported only for Google Cloud regions. + +* Private Service Connect connections are regional. As a result, your Private Service Connect endpoint needs to be created in the same region as your deployment. The endpoint can be accessed from any region after you enable its [Global Access](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) feature. ## Private Service Connect URIs [ec-private-service-connect-uris] 
@@ -67,7 +69,7 @@ Service Attachments are set up by Elastic in all supported GCP regions under the ## Set up a private connection -The process of setting up the Private link connection to your deployments and projects is split between Google Cloud and the {{ecloud}} UI. These are the high-level steps: +The process of setting up the Private link connection to your deployments is split between Google Cloud and the {{ecloud}} UI. These are the high-level steps: | Google Cloud console | {{ecloud}} | | --- | --- | @@ -85,7 +87,7 @@ Private connection policies are optional for GCP Private Service Connect. After Creating a private connection policy and associating it with your deployments allows you to do the following: * Record that you've established private connectivity between GCP and Elastic in the applicable region. -* Filter traffic to your deployment or project using VCPE filters. +* Filter traffic to your deployment using VCPE filters. ::: ### Create your Private Service Connect endpoint and DNS entries in Google Cloud [ec-private-service-connect-enpoint-dns] 
@@ -94,7 +96,7 @@ Creating a private connection policy and associating it with your deployments al Follow the [Google Cloud instructions](https://cloud.google.com/vpc/docs/configure-private-service-connect-services#create-endpoint) for details on creating a Private Service Connect endpoint to access Private Service Connect services. - Use [the Service Attachment URI for your region](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-private-service-connect-uris). Select the **Published service** option and enter the selected *Service Attachment URI* as the **Target service**. For example for the region `asia-southeast1` the Service Attachment URI is `projects/cloud-production-168820/regions/asia-southeast1/serviceAttachments/proxy-psc-production-asia-southeast1-v1-attachment` + Use [the Service Attachment URI for your region](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-private-service-connect-uris). Select the **Published service** option and enter the selected Service Attachment URI as the **Target service**. For example, for the region `asia-southeast1` the Service Attachment URI is `projects/cloud-production-168820/regions/asia-southeast1/serviceAttachments/proxy-psc-production-asia-southeast1-v1-attachment` ::::{note} you need to [reserve a static internal IP address](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address) in your VPC. The address is used by Private Service Connect endpoint. 
@@ -114,65 +116,29 @@ Creating a private connection policy and associating it with your deployments al ### Test the connection -1. Find the ID of your deployment's {{es}} cluster, or the ID of your project: - - ::::{tab-set} - :::{tab-item} Hosted deployment - 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - - 2. Under **Hosted deployments**, find your deployment. - - :::{tip} - If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters. - ::: - - 3. Select **Manage**. - 4. In the deployment overview, under **Applications**, find the application that you want to test. - 5. Click **Copy cluster ID**. The value looks something like the following: - - ``` - be36ce6c84434913a5a40f3f1521b6e5 - ``` - ::: - :::{tab-item} Serverless project - - 6. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - - 7. On the home page, under **Serverless projects**, find your project. - - 8. Select **Manage**. - 9. In the project overview, beside **Project ID**, click **Copy**. The value looks something like the following: +After you create your Private Service Connect endpoint and DNS entries, verify that you are able to reach your cluster over Private Link. - ``` - fbb9f6535def41119fb00a475d2fb976 - ``` - ::: - :::: - - 2. Access your cluster or project over Private Link: - - * For {{ech}} deployments, if you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. - * In all other cases, use the following URL structure: + :::{include} _snippets/find-endpoint.md + ::: - ``` - https://{{cluster_or_project_ID}}.{private_hosted_zone_domain_name}:9243 - ``` - % need to verify this +To test the connection: - For example: +1. 
If needed, find the endpoint of an application in your deployment: + + :::{include} _snippets/find-endpoint.md + ::: - ```text - https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 - ``` + 1. Access your cluster over Private Link: - You can test the Google Cloud console part of the setup with the following command. Make sure to substitute the region and ID with your cluster or project information. + * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. + * Test the setup using the following cURL command. Make sure to replace the URL with your custom endpoint URL, or with your deployment's endpoint information and the private hosted zone domain name that you registered. - Request: + **Request** ```sh - $ curl -v https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 + $ curl -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243 ``` - Response: + **Response** ```sh .. * Trying 192.168.100.2... 
@@ -182,31 +148,32 @@ Creating a private connection policy and associating it with your deployments al {"ok":false,"message":"Forbidden"} ``` - Check the IP address. it should be the same as the IP address assigned to your Private Service Connect endpoint. +Check the IP address. it should be the same as the IP address assigned to your Private Service Connect endpoint. + +The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet. - The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet. - % verify +% needs to be edited ## Optional: Create a private connection policy [ec-private-service-connect-allow-from-psc-connection-id] -After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}. +After you test your Private Link connection, you can create a private connection policy in {{ecloud}}. Private connection policies are optional for GCP Private Service Connect. After the Private Service Connect endpoint and DNS record are created, private connectivity is established. Creating a private connection policy and associating it with your deployments allows you to do the following: * Record that you've established private connectivity between GCP and Elastic in the applicable region. -* Filter traffic to your deployment or project using VCPE filters. +* Filter traffic to your deployment using VCPE filters. -Follow these high-level steps to a private connection policy to your deployments or projects. +Follow these high-level steps to a private connection policy to your deployments. 1. Optional: [Find your Private Service Connect connection ID](#ec-find-your-psc-connection-id). 2. 
[Create policies using the Private Service Connect endpoint connection ID](#ec-psc-create-traffic-filter-psc-rule-set). -3. [Associate the Private Service Connect endpoint with your deployment or project](#ec-psc-associate-traffic-filter-psc-rule-set). +3. [Associate the Private Service Connect endpoint with your deployment](#ec-psc-associate-traffic-filter-psc-rule-set). ### Optional: Find your Private Service Connect connection ID [ec-find-your-psc-connection-id] -The PSC connection ID is only required if you want to filter traffic to your deployment or project using VCPE filters. +The PSC connection ID is only required if you want to filter traffic to your deployment using VCPE filters. 1. Go to your Private Service Connect endpoint in the Google Cloud console. 2. Copy the value of **PSC Connection ID**. 
@@ -218,39 +185,39 @@ Create a new private connection policy. :::{include} _snippets/network-security-page.md ::: 4. Select **Private connection**. -3. Select the resource type that the private connection will be applied to: either hosted deployments or serverless projects. +3. Select the resource type that the private connection will be applied to. Currently, only hosted deployments are supported. 10. Select the cloud provider and region for the private connection. :::{tip} - Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. + Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. ::: 11. Under **Connectivity**, select **Privatelink**. -12. Optional: Under **VPCE filter**, enter your Private Service Connect endpoint connection ID. You should only specify a Private Service Connect endpoint connection ID if you want to filter traffic to your deployment or project. +12. Optional: Under **VPCE filter**, enter your Private Service Connect endpoint connection ID. You should only specify a Private Service Connect endpoint connection ID if you want to filter traffic to your deployment. If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region. :::{tip} - You can assign multiple policies to a single deployment or project. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. 
If none of the policies match, the request is rejected with `403 Forbidden`. + You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. - [Learn more about how network security policies affect your deployment or project](network-security-policies.md). + [Learn more about how network security policies affect your deployment](network-security-policies.md). ::: -13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments or projects. If you specified a VPCE filter, then after you associate the filter with a deployment or project, it starts filtering traffic. -14. To automatically attach this private connection policy to new deployments or projects, select **Apply by default**. +13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. If you specified a VPCE filter, then after you associate the filter with a deployment, it starts filtering traffic. +14. To automatically attach this private connection policy to new deployments, select **Apply by default**. 15. Click **Create**. 16. (Optional) You can [claim your Private Service Connect endpoint connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. -The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment or project. +The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment. 
-### Associate a policy with a deployment or project [ec-psc-associate-traffic-filter-psc-rule-set] +### Optional: Associate a policy with a deployment [ec-psc-associate-traffic-filter-psc-rule-set] -You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. +You can associate a network security policy with your deployment from the policy's settings, or from your deployment's settings. -If the policy contains a VCPE filter, then after you associate the policy with a deployment or project, it starts filtering traffic. +If the policy contains a VCPE filter, then after you associate the policy with a deployment, it starts filtering traffic. -If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a VCP endpoint exists for the deployment or project's region. +If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a Private Service Connect endpoint exists for the deployment's region. -#### From a deployment or project +#### From a deployment :::{include} _snippets/associate-filter-from-resource.md ::: 
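Review bot: the link at the end of the create-policy steps, `The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment.`, points at an anchor that does not exist on this page; the heading right below it carries `[ec-psc-associate-traffic-filter-psc-rule-set]`, so the link should use `#ec-psc-associate-traffic-filter-psc-rule-set`. Three smaller points in the same hunk: the unchanged sentence under step 12, "you've established private connectivity between AWS and Elastic", sits on the GCP Private Service Connect page (the page's own intro, touched later in this series, says "between GCP and Elastic"); the filter is spelled `VPCE` in the UI label and `VCPE` in the prose that follows, so pick one; and the step numbers run 4, 3, 10, 11 after the include, which is worth tidying while the list is being edited. Also, the heading now says "Optional:" while the sentence before it says "The next step is", so decide which it is.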
@@ -260,48 +227,49 @@ If the policy doesn't contain a VCPE filter, then the association can serve as a :::{include} _snippets/network-security-page.md ::: 5. Find the policy you want to edit. -6. Under **Apply to resources**, associate the policy with one or more deployments or projects. +6. Under **Apply to resources**, associate the policy with one or more deployments. 7. Click **Update** to save your changes. -## Access the deployment or project over the Private Service Connect [ec-psc-access-the-deployment-over-psc] +## Access the deployment over the Private Service Connect [ec-psc-access-the-deployment-over-psc] -For traffic to connect with the deployment or project over Private Service Connect, the client making the request needs to be located within the VPC where you’ve created the Private Service Connect endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or a VPN from your corporate network. This assumes that the Private Service Connect endpoint and the DNS record are also available within that context. Check your cloud service provider documentation for setup instructions. +For traffic to connect with the deployment over Private Service Connect, the client making the request needs to be located within the VPC where you’ve created the Private Service Connect endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or a VPN from your corporate network. This assumes that the Private Service Connect endpoint and the DNS record are also available within that context. Check your cloud service provider documentation for setup instructions. ::::{important} -Use the alias you’ve set up as CNAME A record to access your deployment or project. +Use the alias you’ve set up as CNAME A record to access your deployment. 
:::: +:::{include} _snippets/private-url-struct.md +::: -For example, if your {{es}} ID is `6b111580caaa4a9e84b18ec7c600155e` and it is located in `asia-southeast1` region you can access it at the following URL: - -``` -https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 -``` -% verify +To access the deployment: -Request: -```sh -$ curl -u 'username:password' -v https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243 -``` +1. If needed, find the endpoint of an application in your deployment: + + :::{include} _snippets/find-endpoint.md + ::: -Response: -``` -< HTTP/1.1 200 OK -.. -``` +2. Send a request: -::::{note} -If you are using Private Service Connect together with Fleet, and enrolling the Elastic Agent with a Private Service Connect URL, you need to configure Fleet Server to use and propagate the Private Service Connect URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the Private Service Connect URL. The URL needs to follow this pattern: `https://.fleet.:443`. + **Request** + ```sh + $ curl -u 'username:password' -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243 + ``` -Similarly, the {{es}} host needs to be updated to propagate the Private Service Connect URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`. + **Response** + ``` + < HTTP/1.1 200 OK + .. + ``` -The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [{{kib}} settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md). 
-% verify +### GCP Private Service Connect and Fleet -:::: +:::{include} _snippets/private-connection-fleet.md +::: ## Manage policies +After you create your private connection policy, you can edit it, remove it from your deployment, or delete it. + ### Edit a policy [ec-edit-traffic-filter-psc-rule-set] You can edit a policy's name, description, VPC endpoint ID, and more. @@ -315,21 +283,12 @@ You can edit a policy's name, description, VPC endpoint ID, and more. You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. ::: -### Delete a policy [ec-delete-traffic-filter-psc-rule-set] - -If you need to remove a policy, you must first remove any associations with deployments. - -To delete a policy: - -:::{include} _snippets/network-security-page.md -::: -4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy. -### Remove a policy from your deployment or project [remove-filter-deployment] +### Remove a policy from your deployment [remove-filter-deployment] -If you want to a specific policy from a deployment or project, or delete the policy, then you need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. To remove an association through the UI: +If you want to a specific policy from a deployment, or delete the policy, then you need to disconnect it from any associated deployments first. You can do this from the policy's settings, or from your deployment's settings. To remove an association through the UI: -#### From your deployment or project +#### From your deployment ::::{tab-set} :group: hosted-serverless 
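Review bot: the added line `+If you want to a specific policy from a deployment, or delete the policy, then you need to disconnect it from any associated deployments first.` carries over a missing verb from the original ("remove a specific policy"); since the line is being rewritten anyway, fix it here. In the preceding hunk, the removed note about updating **Fleet Server hosts** and the `xpack.fleet.agents.fleet_server.hosts` / `xpack.fleet.outputs` settings being available on-prem only is replaced by the `_snippets/private-connection-fleet.md` include; that caveat matters because an Agent that resets to the default address silently leaves the private path, so confirm the snippet retains it (the snippet itself is not in this patch). The curl example in that hunk, `$ curl -u 'username:password' -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243`, puts the password on the command line where shell history and process listings can see it; `-u 'username'` alone makes curl prompt. Finally, the retained tip `You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page.` still mentions projects on a page whose step 3 now says only hosted deployments are supported, and the `:group: hosted-serverless` tab-set below it is likewise serverless-flavoured.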
@@ -357,4 +316,14 @@ If you want to a specific policy from a deployment or project, or delete the pol ::: 5. Find the policy you want to edit, then click the **Edit** icon. 6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect. -7. Click **Update** to save your changes. \ No newline at end of file +7. Click **Update** to save your changes. + +### Delete a policy [ec-delete-traffic-filter-psc-rule-set] + +If you need to remove a policy, you must first remove any associations with deployments. + +To delete a policy: + +:::{include} _snippets/network-security-page.md +::: +4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy. \ No newline at end of file diff --git a/deploy-manage/security/secure-your-cluster-deployment.md b/deploy-manage/security/secure-your-cluster-deployment.md index 4225a7e637..f971825fb2 100644 --- a/deploy-manage/security/secure-your-cluster-deployment.md +++ b/deploy-manage/security/secure-your-cluster-deployment.md @@ -5,7 +5,7 @@ applies_to: eck: all ece: all ess: all - serverless: all + serverless: all --- # Secure your cluster, deployment, or project From 4a6e170a91f372079db3b49d76a164c458900115 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Tue, 17 Jun 2025 14:36:20 -0400 Subject: [PATCH 20/38] more --- .../{associate-filter-from-resource.md => associate-filter.md} | 0 deploy-manage/security/aws-privatelink-traffic-filters.md | 2 +- .../security/gcp-private-service-connect-traffic-filters.md | 2 +- deploy-manage/security/ip-filtering-cloud.md | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename deploy-manage/security/_snippets/{associate-filter-from-resource.md => associate-filter.md} (100%) 
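Review bot: in the relocated Delete section, `4. Find the policy you want to edit, then click the **Delete** icon.` should read "want to delete"; the same wording is copied into the Azure page later in this series. The hunk in `secure-your-cluster-deployment.md` (`-  serverless: all` / `+  serverless: all`) shows no visible change, so it is most likely trailing whitespace; drop it from the commit if that is the case.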
diff --git a/deploy-manage/security/_snippets/associate-filter-from-resource.md b/deploy-manage/security/_snippets/associate-filter.md similarity index 100% rename from deploy-manage/security/_snippets/associate-filter-from-resource.md rename to deploy-manage/security/_snippets/associate-filter.md diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index a9809a4439..917fc11b37 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -273,7 +273,7 @@ If the policy doesn't contain a VCPE filter, then the association can serve as a #### From a deployment -:::{include} _snippets/associate-filter-from-resource.md +:::{include} _snippets/associate-filter.md ::: #### From the policy settings diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index da451d9104..c16f87f63f 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -219,7 +219,7 @@ If the policy doesn't contain a VCPE filter, then the association can serve as a #### From a deployment -:::{include} _snippets/associate-filter-from-resource.md +:::{include} _snippets/associate-filter.md ::: #### From the policy settings diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index 6a2960964a..efd20827bf 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -73,7 +73,7 @@ You can associate a network security policy with your deployment or project from #### From a deployment or project -:::{include} _snippets/associate-filter-from-resource.md +:::{include} _snippets/associate-filter.md ::: #### From the policy settings 
From f3851706122a99a17ce217f2562895c293952a8b Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Tue, 17 Jun 2025 15:37:03 -0400 Subject: [PATCH 21/38] azure --- .../security/_snippets/find-endpoint.md | 4 +- .../_snippets/network-security-page.md | 3 +- .../security/_snippets/private-url-struct.md | 7 +- .../aws-privatelink-traffic-filters.md | 10 +- .../azure-private-link-traffic-filters.md | 200 ++++++++++-------- ...private-service-connect-traffic-filters.md | 7 +- 6 files changed, 129 insertions(+), 102 deletions(-) diff --git a/deploy-manage/security/_snippets/find-endpoint.md b/deploy-manage/security/_snippets/find-endpoint.md index dcf5b50024..f2a5a1df5f 100644 --- a/deploy-manage/security/_snippets/find-endpoint.md +++ b/deploy-manage/security/_snippets/find-endpoint.md @@ -10,8 +10,8 @@ If you have many deployments, you can instead go to the **Hosted deployments** ( 4. In the deployment overview, under **Applications**, find the application that you want to test. 5. Click **Copy endpoint**. The value looks something like the following: -``` -https://my-deployment-d53192.es.us-east-2.aws.elastic-cloud.com +```subs=true +https://my-deployment-d53192.es.{{example-default-dn}} ``` In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/network-security-page.md b/deploy-manage/security/_snippets/network-security-page.md index d4fdf78434..7a2c28c07b 100644 --- a/deploy-manage/security/_snippets/network-security-page.md +++ b/deploy-manage/security/_snippets/network-security-page.md 
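Review bot: switching the fence to ```subs=true makes `_snippets/find-endpoint.md` depend on an `example-default-dn` substitution, so every page that includes it must define that key in its front matter or the literal `{{example-default-dn}}` will render. In this series the GCP page defines it as `us-central1.gcp.cloud.es.io`, while its Private Service Connect examples use `asia-southeast1`; the copied endpoint and the private URL in the same walkthrough would then name different regions, which will confuse readers following along. Using one region per page keeps the example self-consistent.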
@@ -1,4 +1,3 @@ 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). 2. From any deployment or project on the home page, select **Manage**. -3. Under the **Features** tab, open the **Network security** page. - % From the left navigation menu, select **Access and security** > **Network security**. \ No newline at end of file +3. From the left navigation menu, select **Access and security** > **Network security**. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/private-url-struct.md b/deploy-manage/security/_snippets/private-url-struct.md index 53c3e0e407..620b4989ef 100644 --- a/deploy-manage/security/_snippets/private-url-struct.md +++ b/deploy-manage/security/_snippets/private-url-struct.md @@ -1,5 +1,4 @@ -* If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. -* If you don't have a custom endpoint alias, then use the following URL structure. This URL is built from endpoint information retrieved from your Elastic deployment and the private hosted zone domain name that you registered. +Use the following URL structure. This URL is built from endpoint information retrieved from your Elastic deployment and the private hosted zone domain name that you registered. ``` https://{{alias}}.{{product}}.{{private_hosted_zone_domain_name}} @@ -12,8 +11,8 @@ ``` -::::{tip} +:::{tip} You can use either 443 or 9243 as a port. You can also connect to the cluster using the {{es}} cluster ID, for example, https://6b111580caaa4a9e84b18ec7c600155e.{{example-phz-dn}} -:::: \ No newline at end of file +::: \ No newline at end of file diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 917fc11b37..c0c55edafc 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md 
+++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -12,6 +12,7 @@ sub: policy-type: "Private connection" service-name: "AWS PrivateLink" example-phz-dn: "vpce.us-east-1.aws.elastic-cloud.com" + example-default-dn: "us-east-1.aws.elastic-cloud.com" --- # AWS PrivateLink private connections @@ -176,6 +177,7 @@ The mapping will be different for your region. Our production VPC Service for `u After you create your VPC endpoint and DNS entries, check that you are able to reach your cluster over PrivateLink. :::{include} _snippets/private-url-struct.md +::: To test the connection: @@ -184,7 +186,7 @@ To test the connection: :::{include} _snippets/find-endpoint.md ::: -2. Test the setup using the following cURL command. Make sure to replace the URL with your custom endpoint URL, or with your deployment's endpoint information and the private hosted zone domain name that you registered. +2. Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. **Request** ```sh 
@@ -215,13 +217,13 @@ Creating a private connection policy and associating it with your deployments al * Record that you've established private connectivity between AWS and Elastic in the applicable region. * Filter traffic to your deployment using VCPE filters. -Follow these high-level steps to add a private connection policy that can be associated with your deployment. +Follow these high-level steps to add a private connection policy that can be associated with your deployments. 1. Optional: [Find your VPC endpoint ID](#ec-find-your-endpoint). 2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set). 3. [Associate the VPC endpoint with your deployment](#ec-associate-traffic-filter-private-link-rule-set). -#### Optional: Find your VPC endpoint ID [ec-find-your-endpoint] +### Optional: Find your VPC endpoint ID [ec-find-your-endpoint] The VPC endpoint ID is only required if you want to filter traffic to your deployment using VCPE filters. @@ -232,7 +234,7 @@ You can find your VPC endpoint ID in the AWS console: :screenshot: ::: -#### Create a new private connection policy [ec-create-traffic-filter-private-link-rule-set] +### Create a new private connection policy [ec-create-traffic-filter-private-link-rule-set] Create a new private connection policy. diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index c2b1373f4f..1889542223 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md @@ -10,6 +10,9 @@ products: navigation_title: Azure Private Link sub: policy-type: "Private connection" + service-name: "Azure Private Link" + example-phz-dn: "privatelink.eastus2.azure.elastic-cloud.com" + example-default-dn: "eastus2.azure.elastic-cloud.com" --- # Azure Private Link traffic filters 
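Review bot: the heading level change from `#### Optional: Find your VPC endpoint ID` to `###` brings this page in line with the Azure and GCP pages, but the unchanged high-level list still uses the old terminology (`2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set).`) while the heading it links to now says "Create a new private connection policy"; rename the list item to match.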
@@ -20,7 +23,7 @@ Azure Private Link establishes a secure connection between two Azure VNets. The Private Link is a connection between an Azure Private Endpoint and a Azure Private Link Service. -You can also optionally filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other policies applied to the deployment. +Azure Private Link requires that you also filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other filters defined in policies applied to the deployment. To learn how private connection policies impact your deployment, refer to [](/deploy-manage/security/network-security-policies.md). @@ -32,7 +35,6 @@ To learn how private connection policies impact your deployment, refer to [](/de Azure Private Link filtering is supported only for Azure regions. - ## Azure Private Link Service aliases [ec-private-link-azure-service-aliases] Private Link Services are set up by Elastic in all supported Azure regions under the following aliases: 
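Review bot: the reworded sentence `Azure Private Link requires that you also filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}.` expands the abbreviation as "virtual private connection endpoint" and spells it `VCPE`, whereas the console field in step 8 of this page is `VPCE filter` and the value entered is a Private Endpoint resource ID; the "also" is left over from the optional wording it replaces. Suggest: `Azure Private Link requires that you filter traffic to your deployments by entering your Private Endpoint resource ID as a VPCE filter in the private connection policy.`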
@@ -104,13 +106,12 @@ The process of setting up the private connection with Azure Private link is spli After you create your private endpoint and DNS entries, you can create a private connection policy in {{ecloud}}. -Follow these high-level steps to add Private Link rules to your deployments. +Follow these high-level steps to add a private connection policy that can be associated with your deployments. 1. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id). 2. [Create policies using the Private Link Endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set). 3. [Test the connection](#test-the-connection). 4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-associate-traffic-filter-private-link-rule-set). -5. [Access the deployment over a Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link). ### Find your private endpoint resource ID [ec-find-your-resource-id] @@ -119,18 +120,18 @@ Follow these high-level steps to add Private Link rules to your deployments. 3. Copy the value of the **properties.resourceGUID** property. :::{image} /deploy-manage/images/cloud-ec-private-link-azure-json-view.png -:alt: Private endpoint JSON View +:alt: Private endpoint JSON view :screenshot: ::: :::{image} /deploy-manage/images/cloud-ec-private-link-azure-properties.png -:alt: Private endpoint Properties +:alt: Private endpoint properties :screenshot: ::: % fix me -### Create policies using the Private Link Endpoint resource ID [ec-azure-create-traffic-filter-private-link-rule-set] +### Create a policy using the Private Link Endpoint resource ID [ec-azure-create-traffic-filter-private-link-rule-set] When you have your private endpoint ID, you can create a private connection policy. 
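Review bot: the `% fix me` comment is left between the screenshots and the renamed heading with nothing saying what needs fixing; resolve it or state what is pending. Step 4 of the high-level list still links to `#ec-azure-associate-traffic-filter-private-link-rule-set`, which a later hunk in this same commit renames, so that link will dangle once the whole commit lands.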
@@ -149,9 +150,8 @@ The Private Link connection will be approved automatically after the private con Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. ::: 7. Under **Connectivity**, select **Privatelink**. -8. Under **VPCE filter**, enter your rivate Endpoint resource ID. - - If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region. +8. Under **VPCE filter**, enter your Private Endpoint resource ID. + :::{tip} You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. 
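Review bot: step 8 now reads as a plain instruction, but on this page the VPCE filter is mandatory (the page states the connection is approved automatically after the policy with the resource ID exists), while the AWS and GCP pages mark the equivalent step `Optional:`; writing `Required:` here, or adding "This field is required for Azure", prevents readers who move between the three pages from leaving it empty.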
@@ -170,48 +170,28 @@ After the private link connection is approved, you can optionally [test the conn ### Test the connection -1. Find out the {{es}} cluster ID of your deployment. You can do that by selecting **Copy cluster id** in the Cloud UI. It looks something like `9c794b7c08fa494b9990fa3f6f74c2f8`. - - ::::{tip} - The {{es}} cluster ID is **different** from the deployment ID, custom alias endpoint, and Cloud ID values that feature prominently in the user console. - :::: - -2. To access your {{es}} cluster over Private Link: - - * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. - - ``` - https://{{alias}}.{product}.{{private_hosted_zone_domain_name}} - ``` +After you create your private connection, you can check that you're able to reach a cluster over Private Link. - For example: - - ```text - https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com - ``` - - * Alternatively, use the following URL structure: - - ``` - https://{{elasticsearch_cluster_ID}}.{private_hosted_zone_domain_name}:9243 - ``` +:::{include} _snippets/private-url-struct.md +::: - For example: +To test the connection: - ```text - https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243 - ``` +1. If needed, find the endpoint of an application in your deployment: + + :::{include} _snippets/find-endpoint.md + ::: -3. You can test the Azure portal part of the setup with the following command (substitute the region and {{es}} ID with your cluster): +2. Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. 
```sh - $ curl -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243 + $ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 ``` The output should look like this: ```sh - * Rebuilt URL to: https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243/ + * Rebuilt URL to: https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243/ * Trying 192.168.46.5... # note this IP address .. * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 
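Review bot: this hunk drops the `Copy cluster id` step and its tip that the cluster ID is different from the deployment ID, custom alias and Cloud ID, but the `_snippets/private-url-struct.md` include it adds still ends with "You can also connect to the cluster using the {{es}} cluster ID, for example, https://6b111580caaa4a9e84b18ec7c600155e.{{example-phz-dn}}", so the reader is offered a cluster-ID URL with no remaining instruction on where to find that ID. Either keep a one-line pointer to **Copy cluster id** or drop the cluster-ID form from the snippet.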
@@ -226,34 +206,48 @@ After the private link connection is approved, you can optionally [test the conn The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associate the rule set with any deployment yet. -4. In the event that the Private Link connection is not approved by {{ecloud}}, you’ll get an error message like the following. Double check that the filter you’ve created in the previous step uses the right resource name and GUID. +In the event that the Private Link connection is not approved by {{ecloud}}, you’ll get an error message like the following. Double check that the filter you’ve created in the previous step uses the right resource ID. - Request: - ```sh - $ curl -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243 - ``` +**Request** +```sh +$ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 +``` - Response: - ```sh - * Rebuilt URL to: https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243/ - * Trying 192.168.46.5... - * connect to 192.168.46.5 port 9243 failed: No route to host - * Failed to connect to 6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host - * Closing connection 0 - curl: (7) Failed to connect to 6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host - ``` +**Response** +```sh +* Rebuilt URL to: https:/my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243/ +* Trying 192.168.46.5... 
+* connect to 192.168.46.5 port 9243 failed: No route to host +* Failed to connect to my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host +* Closing connection 0 +curl: (7) Failed to connect to my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host +``` The next step is to [associate the policy](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployment. -### Associate a Private Link rule set with your deployment [ec-azure-associate-traffic-filter-private-link-rule-set] +### Associate a policy with a deployment [ec-associate-traffic-filter-private-link-rule-set] + +% is this optional? -To associate a Private Link rule set with your deployment: +You can associate a network security policy with your deployment from the policy's settings, or from your deployment's settings. + +After you associate the policy with a deployment, it starts filtering traffic. + +#### From a deployment :::{include} _snippets/associate-filter.md ::: +#### From the policy settings + +:::{include} _snippets/network-security-page.md +::: +5. Find the policy you want to edit. +6. Under **Apply to resources**, associate the policy with one or more deployments. +7. Click **Update** to save your changes. + ## Access the deployment over a Private Link [ec-azure-access-the-deployment-over-private-link] For traffic to connect with the deployment over Azure Private Link, the client making the request needs to be located within the VNet where you’ve created the private endpoint. You can also setup network traffic to flow through the originating VNet from somewhere else, such as another VNet or a VPN from your corporate network. This assumes that the private endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions. 
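Review bot: renaming the heading id from `ec-azure-associate-traffic-filter-private-link-rule-set` to `ec-associate-traffic-filter-private-link-rule-set` breaks the unchanged step 4 link in the high-level list near the top of this file, which still targets the old id; and the unchanged sentence `The next step is to [associate the policy](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployment.` sends Azure readers to the AWS page, where a same-page `#ec-associate-traffic-filter-private-link-rule-set` link is what is meant. Two more items in this hunk: the added response line `+* Rebuilt URL to: https:/my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243/` is missing a slash after `https:`, and the `% is this optional?` comment should be resolved before merge; the test section on this page shows `403 Forbidden` until the policy is associated, so association is required for access rather than optional. The unchanged sentence `The `403 Forbidden` is expected, you haven't associate the rule set with any deployment yet.` also needs "associated the policy".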
@@ -262,34 +256,37 @@ For traffic to connect with the deployment over Azure Private Link, the client m Use the alias you’ve set up as CNAME A record to access your deployment. :::: +:::{include} _snippets/private-url-struct.md +::: -For example, if your {{es}} ID is `6b111580caaa4a9e84b18ec7c600155e` and it is located in `eastus2` region you can access it at the following URL: +To access the deployment: -```text -https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243 -``` +1. If needed, find the endpoint of an application in your deployment: + + :::{include} _snippets/find-endpoint.md + ::: -Request: -```sh -$ curl -u 'username:password' -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243 -``` +2. Send a request: -Response: -``` -< HTTP/1.1 200 OK -.. -``` + **Request** + ```sh + $ curl -u 'username:password' -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 + ``` -::::{note} -If you are using Azure Private Link together with Fleet, and enrolling the Elastic Agent with a Private Link URL, you need to configure Fleet Server to use and propagate the Private Link URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the Private Link URL. The URL needs to follow this pattern: `https://.fleet.:443`. + **Response** + ``` + < HTTP/1.1 200 OK + .. + ``` -Similarly, the {{es}} host needs to be updated to propagate the Private Link URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`. +### Azure Pivate Link and Fleet -:::: +:::{include} _snippets/private-connection-fleet.md +::: ## Setting up an inter-region Private Link connection [ec-azure-inter-region-private-link] -Azure supports inter-region Private Link as described in the [Azure documentation](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview). 
"The Private Link resource can be deployed in a different region than the virtual network and private endpoint." +Azure supports inter-region Private Link as described in the [Azure documentation](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview). This means your deployment on {{ecloud}} can be in a different region than the Private Link endpoints or the clients that consume the deployment endpoints. 
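Review bot: the added heading `+### Azure Pivate Link and Fleet` has a typo ("Private"). The unchanged important block `Use the alias you've set up as CNAME A record to access your deployment.` names two record types at once; it should say either "CNAME record" or "A record", whichever the DNS step earlier on this page actually creates. The inter-region rewording that drops the quoted Azure sentence reads fine.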
@@ -300,28 +297,57 @@ This means your deployment on {{ecloud}} can be in a different region than the P 1. Set up Private Link Endpoint in region 1 for a deployment hosted in region 2. - 1. Create your Private Endpoint using the service alias for region 2 in the region 1 VNET (let’s call this VNET1). - 2. Create a Private Hosted Zone for region 2, and associate it with VNET1 similar to the step [Create a Private Link endpoint and DNS](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-dns). Note that you are creating these resources in region 1, VNET1. + 1. Create your Private Link Endpoint using the service alias for region 2 in the region 1 VNET (let’s call this VNET1). + 2. Create a Private Hosted Zone for region 2, and associate it with VNET1 similar to the step [Create a Private Link endpoint and DNS](#ec-private-link-azure-dns). Note that you are creating these resources in region 1, VNET1. -2. [Create a traffic filter rule set](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set) and [Associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) through the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body), just as you would for any deployment. -3. [Test the connection](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link) from a VM or client in region 1 to your Private Link endpoint, and it should be able to connect to your {{es}} cluster hosted in region 2. +2. [Create a private connection policy](#ec-azure-create-traffic-filter-private-link-rule-set) and [associate it](#ec-associate-traffic-filter-private-link-rule-set) with your deployment. + + % what region should the policy be in? +3. 
[Test the connection](#ec-azure-access-the-deployment-over-private-link) from a VM or client in region 1 to your Private Link endpoint, and it should be able to connect to your {{es}} cluster hosted in region 2. ## Manage policies -### Edit a Private Link connection [ec-azure-edit-traffic-filter-private-link-rule-set] +After you create your private connection policy, you can edit it, remove it from your deployment, or delete it. + +### Edit a policy [ec-azure-edit-traffic-filter-private-link-rule-set] -You can edit a rule set name or to change the endpoint ID. +You can edit a policy's name, description, VPC endpoint ID, and more. + +:::{include} _snippets/network-security-page.md +::: +1. Find the policy you want to edit, then click the **Edit** icon. +2. Click **Update** to save your changes. -:::{include} _snippets/edit-ruleset.md +:::{tip} +You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page. ::: -### Delete a Private Link rule set [ec-azure-delete-traffic-filter-private-link-rule-set] +### Remove a policy from your deployment [remove-filter-deployment] + +If you want to a specific policy from a deployment, or delete the policy, then you need to disconnect it from any associated deployments first. You can do this from the policy's settings, or from your deployment's settings. To remove an association through the UI: + +#### From your deployment -:::{include} _snippets/delete-ruleset.md +1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect. +3. 
Under **Actions**, click the **Delete** icon. + +#### From the IP filter policy settings + +:::{include} _snippets/network-security-page.md ::: +5. Find the policy you want to edit, then click the **Edit** icon. +6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect. +7. Click **Update** to save your changes. +### Delete a policy [ec-azure-delete-traffic-filter-private-link-rule-set] -### Remove a Private Link rule set association from your deployment [remove-filter-deployment] +If you need to remove a policy, you must first remove any associations with deployments. -:::{include} _snippets/remove-filter.md -::: \ No newline at end of file +To delete a policy: + +:::{include} _snippets/network-security-page.md +::: +4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy. \ No newline at end of file diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index c16f87f63f..f016a946e2 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -12,7 +12,8 @@ navigation_title: GCP Private Service Connect sub: policy-type: "Private connection" service-name: "Private Service Connect" - example-phz-dn: ".psc.asia-southeast1.gcp.elastic-cloud.com" + example-phz-dn: "psc.asia-southeast1.gcp.elastic-cloud.com" + example-default-dn: "us-central1.gcp.cloud.es.io" --- # GCP Private Service Connect private connections 
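Review bot: the added step 2 of the cross-region procedure in the azure-private-link-traffic-filters.md hunk (@@ -300) carries an unresolved author comment, `% what region should the policy be in?`; the sub-steps above it place the endpoint and the Private Hosted Zone in region 1, so the text needs to say which region the policy is created in (or the comment should be dropped before merge). Further down the same hunk: "If you want to a specific policy from a deployment" is missing its verb ("If you want to remove a specific policy"); step 2 under "From your deployment" and the heading "From the IP filter policy settings" say "IP filter policy" on a page about Azure Private Link, where "private connection policy" is meant; the lists that follow the `network-security-page.md` include restart at 1 in "Edit a policy" but at 5 in "Remove a policy" and at 4 in "Delete a policy", so check how many steps the snippet contributes and align all three; and the last step under "Delete a policy" reads "Find the policy you want to edit, then click the **Delete** icon", where "delete" is meant. It would also help the reader to state, in "Remove a policy from your deployment", what inbound access the deployment has once its last policy is disconnected.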
@@ -131,7 +132,7 @@ To test the connection: 1. Access your cluster over Private Link: * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. - * Test the setup using the following cURL command. Make sure to replace the URL with your custom endpoint URL, or with your deployment's endpoint information and the private hosted zone domain name that you registered. + * Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. **Request** ```sh @@ -165,7 +166,7 @@ Creating a private connection policy and associating it with your deployments al * Record that you've established private connectivity between GCP and Elastic in the applicable region. * Filter traffic to your deployment using VCPE filters. -Follow these high-level steps to a private connection policy to your deployments. +Follow these high-level steps to add a private connection policy that can be associated with your deployments. 1. Optional: [Find your Private Service Connect connection ID](#ec-find-your-psc-connection-id). 2. [Create policies using the Private Service Connect endpoint connection ID](#ec-psc-create-traffic-filter-psc-rule-set). From 128c3e4156f2fd32a5a1640a4aba72bf25525b7e Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Tue, 17 Jun 2025 15:39:08 -0400 Subject: [PATCH 22/38] private connection almost done --- ...m-traffic-filter-link-id-ownership-through-api.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md index e6e04eaf65..178decb78f 100644 --- a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md 
+++ b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md @@ -12,14 +12,14 @@ products: This example demonstrates how to use the {{ecloud}} RESTful API to claim different types of private link ID (AWS PrivateLink, Azure Private Link, and GCP Private Service Connect). We cover the following examples: -* [Claim a traffic filter link id](#ec-claim-a-traffic-filter-link-id) +* [Claim a VCP ID](#ec-claim-a-traffic-filter-link-id) * [AWS PrivateLink](#ec-claim-aws-privatelink) * [Azure Private Link](#ec-claim-azure-private-link) * [GCP Private Service Connect](#ec-claim-gcp-private-service-connect) -* [List claimed traffic filter link id](#ec-list-claimed-traffic-filter-link-id) -* [Unclaim a traffic filter link id](#ec-unclaim-a-traffic-filter-link-id) +* [List claimed VCP IDs](#ec-list-claimed-traffic-filter-link-id) +* [Unclaim a VCP ID](#ec-unclaim-a-traffic-filter-link-id) * [AWS PrivateLink](#ec-unclaim-aws-privatelink) * [Azure Private Link](#ec-unclaim-azure-private-link) @@ -27,7 +27,7 @@ This example demonstrates how to use the {{ecloud}} RESTful API to claim differe -## Claim a traffic filter link id [ec-claim-a-traffic-filter-link-id] +## Claim a VCP ID [ec-claim-a-traffic-filter-link-id] ### AWS PrivateLink [ec-claim-aws-privatelink] @@ -79,7 +79,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids/_claim ``` -## List claimed traffic filter link id [ec-list-claimed-traffic-filter-link-id] +## List claimed VCP IDs [ec-list-claimed-traffic-filter-link-id] ```sh curl \ @@ -89,7 +89,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids \ ``` -## Unclaim a traffic filter link id [ec-unclaim-a-traffic-filter-link-id] +## Unclaim a VCP ID [ec-unclaim-a-traffic-filter-link-id] ### AWS PrivateLink [ec-unclaim-aws-privatelink] From 695079bbaaabbe5a91ab4fc80fc87ec21c19b791 Mon Sep 17 00:00:00 2001 
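Review bot: the new headings and list entries in claim-traffic-filter-link-id-ownership-through-api.md use "VCP ID" ("Claim a VCP ID", "List claimed VCP IDs", "Unclaim a VCP ID"), an abbreviation the page never defines, while the unchanged intro still says the page claims "different types of private link ID (AWS PrivateLink, Azure Private Link, and GCP Private Service Connect)". A VPC endpoint is an AWS concept, so a provider-neutral term (the intro's own "private link ID") fits the Azure and GCP sections better; if "VPC" was the intent, note that the rest of this series spells the related filter type both "VCPE" and "VPCE", so settle on one spelling and use it in all three headings.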
From: shainaraskas Date: Tue, 17 Jun 2025 16:04:09 -0400 Subject: [PATCH 23/38] cleanup --- .../elastic-cloud/azure-native-isv-service.md | 17 ++++++----------- ...ences-from-other-elasticsearch-offerings.md | 2 +- .../ec-customize-deployment-components.md | 2 +- deploy-manage/deploy/elastic-cloud/heroku.md | 2 +- .../restrictions-known-problems.md | 18 +++++++++--------- .../deploy/elastic-cloud/tools-apis.md | 2 +- deploy-manage/remote-clusters/ec-enable-ccs.md | 14 +++++++------- .../remote-clusters/ec-remote-cluster-ece.md | 2 +- .../security/private-link-traffic-filters.md | 4 ++++ deploy-manage/security/traffic-filtering.md | 12 ++++++++---- deploy-manage/users-roles.md | 2 +- 11 files changed, 40 insertions(+), 37 deletions(-) diff --git a/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md b/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md index 39f9f4d9c4..7013a03a7b 100644 --- a/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md +++ b/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md @@ -349,7 +349,7 @@ $$$azure-integration-monitor$$$How do I monitor my existing Azure services? ::::{note} -If you want to send platform logs to a deployment that has [IP or Private Link traffic filters](../../security/traffic-filtering.md) enabled, then you need to contact [the Elastic Support Team](#azure-integration-support) to perform additional configurations. Refer support to the article [Azure++ Resource Logs blocked by Traffic Filters](https://support.elastic.co/knowledge/18603788). +If you want to send platform logs to a deployment that has [network security policies](../../security/traffic-filtering.md) applied, then you need to contact [the Elastic Support Team](#azure-integration-support) to perform additional configurations. Refer support to the article [Azure++ Resource Logs blocked by Traffic Filters](https://support.elastic.co/knowledge/18603788). :::: 
@@ -477,20 +477,15 @@ $$$azure-integration-deployment-failed-traffic-filter$$$My {{ecloud}} deployment ] ``` - One possible cause of a deployment creation failure is the default traffic filtering rules. Deployments fail to create if a previously created traffic filter has enabled the **Include by default** option. When this option is enabled, traffic to the deployment is blocked, including traffic that is part of the {{ecloud}} Azure Native ISV Service. As a result, some of the integration components are not successfully provisioned and the deployment creation fails. + One possible cause of a deployment creation failure is the default network security policies. Deployments fail to create if a previously created network security policy has enabled the **Include by default** option. When this option is enabled, traffic to the deployment is blocked, including traffic that is part of the {{ecloud}} Azure Native ISV Service. As a result, some of the integration components are not successfully provisioned and the deployment creation fails. Follow these steps to resolve the problem: 1. Login to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Go to the [Traffic filters page](https://cloud.elastic.co/deployment-features/traffic-filters). - 3. Edit the traffic filter and disable the **Include by default** option. - - :::{image} /deploy-manage/images/cloud-ec-marketplace-azure-traffic-filter-option.png - :alt: The Include by default option under Add to Deployments on the Traffic Filter page - ::: - + 2. Go to the [Network security page](https://cloud.elastic.co/deployment-features/traffic-filters). + 3. Edit the policy and disable the **Include by default** option. 4. In Azure, create a new {{ecloud}} deployment. - 5. After the deployment has been created successfully, go back to the [Traffic filters page](https://cloud.elastic.co/deployment-features/traffic-filters) in {{ecloud}} and re-enable the **Include by default** option. + 5. 
After the deployment has been created successfully, go back to the [Network security page](https://cloud.elastic.co/deployment-features/traffic-filters) in {{ecloud}} and re-enable the **Include by default** option. If your deployment still does not create successfully, [contact the Elastic Support Team](#azure-integration-support) for assistance. @@ -511,7 +506,7 @@ Mimicking this metadata by manually adding tags to an {{ecloud}} deployment will $$$azure-integration-logs-not-ingested$$$My {{ecloud}} Azure Native ISV Service logs are not being ingested. : * When you set up monitoring for your Azure services, if your Azure and Elastic resources are in different subscriptions, you need to make sure that the `Microsoft.Elastic` resource provider is registered in the subscription in which the Azure resources exist. Check [How do I monitor my existing Azure services?](#azure-integration-monitor) for details. -* If you are using [IP or Private Link traffic filters](../../security/traffic-filtering.md), reach out to [the Elastic Support Team](#azure-integration-support). +* If you are using [network security policies](../../security/traffic-filtering.md), reach out to [the Elastic Support Team](#azure-integration-support). diff --git a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md index 84b94f4668..f33d126108 100644 --- a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md +++ b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md 
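Review bot: the resolution steps in the azure-native-isv-service.md hunk at @@ -477 have the user disable **Include by default** on the policy, create the deployment, then re-enable the option, but never say whether the finished deployment ends up covered by the policy or has to be associated with it by hand; since the whole point of the workaround is that this policy blocks traffic to the deployment, that is the one thing the reader needs to know, so add a sentence after step 5 stating it. Also, the link label changed from "Traffic filters page" to "Network security page" while the URL still ends in `/deployment-features/traffic-filters`; confirm that path is still current.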
@@ -67,7 +67,7 @@ This table compares the core platform capabilities between {{ech}} deployments a | **Deployment monitoring** | AutoOps or monitoring cluster | Managed | Monitoring is handled by Elastic | | **Hardware configuration** | Limited control | Managed | Hardware choices are managed by Elastic | | **High availability** | ✅ | ✅ | Automatic resilience | -| **Network security** | Public IP traffic filtering, private connectivity (VPCs, PrivateLink) | **Planned** | - Traffic filtering anticipated in a future release
- Private connectivity options anticipated in a future release | +| **Network security** | Public IP filtering, private connectivity (VPCs, PrivateLink) | Public IP filtering | Private connectivity options anticipated in a future release | | **Node management** | User-controlled | Managed | No node configuration access by design | | **Snapshot/restore** | ✅ | **Planned** | User-initiated snapshots are anticipated in a future release | diff --git a/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md b/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md index 016fa01d89..be015c0d60 100644 --- a/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md +++ b/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md @@ -129,7 +129,7 @@ Refer to [Manage your Integrations Server](manage-integrations-server.md) to lea ## Security [ec_security] -Here, you can configure features that keep your deployment secure: reset the password for the `elastic` user, set up traffic filters, and add settings to the {{es}} keystore. You can also set up remote connections to other deployments. +Here, you can configure features that keep your deployment secure: reset the password for the `elastic` user, set up network security policies, and add settings to the {{es}} keystore. You can also set up remote connections to other deployments. ## Actions [ec_actions] diff --git a/deploy-manage/deploy/elastic-cloud/heroku.md b/deploy-manage/deploy/elastic-cloud/heroku.md index 72e0fe21ca..f9de1c5876 100644 --- a/deploy-manage/deploy/elastic-cloud/heroku.md +++ b/deploy-manage/deploy/elastic-cloud/heroku.md 
@@ -82,7 +82,7 @@ You might want to add more layers of security to your deployment, such as: * Add more users to the deployment with third-party authentication providers and services like [SAML](../../users-roles/cluster-or-deployment-auth/saml.md), [OpenID Connect](../../users-roles/cluster-or-deployment-auth/openid-connect.md), or [Kerberos](../../users-roles/cluster-or-deployment-auth/kerberos.md). * Do not use clients that only support HTTP to connect to {{ecloud}}. If you need to do so, you should use a reverse proxy setup. -* Create [traffic filters](../../security/traffic-filtering.md) and apply them to your deployments. +* Create [network security policies](../../security/traffic-filtering.md) and apply them to your deployments. * If needed, you can [reset](../../users-roles/cluster-or-deployment-auth/built-in-users.md) the `elastic` password. ### Scale or adjust your deployment [echscale_or_adjust_your_deployment] diff --git a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md index f1ecfeed94..5a0214788d 100644 --- a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md +++ b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md 
@@ -20,8 +20,8 @@ When using {{ecloud}}, there are some limitations you should be aware of: * [Private Link and SSO to {{kib}} URLs](#ec-restrictions-traffic-filters-kibana-sso) * [PDF report generation using Alerts or Watcher webhooks](#ec-restrictions-traffic-filters-watcher) * [Kibana](#ec-restrictions-kibana) -% * [APM Agent central configuration with Private Link or traffic filters](#ec-restrictions-apm-traffic-filters) -* [Fleet with Private Link or traffic filters](#ec-restrictions-fleet-traffic-filters) +% * [APM Agent central configuration with network security policies](#ec-restrictions-apm-traffic-filters) +* [Fleet with network security policies](#ec-restrictions-fleet-traffic-filters) * [Restoring a snapshot across deployments](#ec-snapshot-restore-enterprise-search-kibana-across-deployments) * [Migrate Fleet-managed {{agents}} across deployments by restoring a snapshot](#ec-migrate-elastic-agent) * [Regions and Availability Zones](#ec-regions-and-availability-zone) 
@@ -88,13 +88,13 @@ Alternatively, a custom mail server can be configured as described in [Configuri ## Private Link and SSO to {{kib}} URLs [ec-restrictions-traffic-filters-kibana-sso] -Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} endpoints that are protected by Private Link traffic filters. However, you can still SSO into Private Link protected {{kib}} endpoints individually using the [SAML](../../users-roles/cluster-or-deployment-auth/saml.md) or [OIDC](../../users-roles/cluster-or-deployment-auth/openid-connect.md) protocol from your own identity provider, just not through the {{ecloud}} console. Stack level authentication using the {{es}} username and password should also work with `{{kibana-id}}.{vpce|privatelink|psc}.domain` URLs. +Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} endpoints that are protected by Private Link network security policies. However, you can still SSO into Private Link protected {{kib}} endpoints individually using the [SAML](../../users-roles/cluster-or-deployment-auth/saml.md) or [OIDC](../../users-roles/cluster-or-deployment-auth/openid-connect.md) protocol from your own identity provider, just not through the {{ecloud}} console. Stack level authentication using the {{es}} username and password should also work with `{{kibana-id}}.{vpce|privatelink|psc}.domain` URLs. ## PDF report generation using Alerts or Watcher webhooks [ec-restrictions-traffic-filters-watcher] * PDF report automatic generation via Alerts is not possible on {{ecloud}}. -* PDF report generation isn’t possible for deployments running on {{stack}} version 8.7.0 or before that are protected by traffic filters. This limitation doesn’t apply to public webhooks such as Slack, PagerDuty, and email. 
For deployments running on {{stack}} version 8.7.1 and beyond, [PDF report automatic generation via Watcher webhook](../../../explore-analyze/report-and-share/automating-report-generation.md#use-watcher) is possible using the `xpack.notification.webhook.additional_token_enabled` configuration setting to bypass traffic filters. +* PDF report generation isn’t possible for deployments running on {{stack}} version 8.7.0 or before that are protected by IP filters. This limitation doesn’t apply to public webhooks such as Slack, PagerDuty, and email. For deployments running on {{stack}} version 8.7.1 and beyond, [PDF report automatic generation via Watcher webhook](../../../explore-analyze/report-and-share/automating-report-generation.md#use-watcher) is possible using the `xpack.notification.webhook.additional_token_enabled` configuration setting to bypass IP filters. ## {{kib}} [ec-restrictions-kibana] 
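Review bot: the PDF report bullet in the restrictions-known-problems.md hunk at @@ -88 narrows the limitation from "protected by traffic filters" to "protected by IP filters", which changes its meaning: the old term covered Private Link filters as well. If deployments on 8.7.0 and earlier that sit behind private connection policies are also affected, use "network security policies" here as the rest of this patch does; the same applies to the sentence saying `xpack.notification.webhook.additional_token_enabled` is used to bypass "IP filters". In the SSO paragraph above it, "Private Link network security policies" should be "private connection policies", the term this change uses elsewhere.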
@@ -103,18 +103,18 @@ Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} end * Running an external {{kib}} in parallel to {{ecloud}}’s {{kib}} instances may cause errors, for example [`Unable to decrypt attribute`](../../../explore-analyze/alerts-cases/alerts/alerting-common-issues.md#rule-cannot-decrypt-api-key), due to a mismatched [`xpack.encryptedSavedObjects.encryptionKey`](kibana://reference/configuration-reference/security-settings.md#security-encrypted-saved-objects-settings) as {{ecloud}} does not [allow users to set](edit-stack-settings.md) nor expose this value. While workarounds are possible, this is not officially supported nor generally recommended. -% ## APM Agent central configuration with PrivateLink or traffic filters [ec-restrictions-apm-traffic-filters] +% ## APM Agent central configuration with network security policies [ec-restrictions-apm-traffic-filters] % If you are using APM 7.9.0 or older: -% * You cannot use [APM Agent central configuration](/solutions/observability/apm/apm-agent-central-configuration.md) if your deployment is secured by [traffic filters](../../security/traffic-filtering.md). +% * You cannot use [APM Agent central configuration](/solutions/observability/apm/apm-agent-central-configuration.md) if your deployment is secured by [network security policies](../../security/traffic-filtering.md). % * If you access your APM deployment over [PrivateLink](../../security/aws-privatelink-traffic-filters.md), to use APM Agent central configuration you need to allow access to the APM deployment over public internet. -## Fleet with PrivateLink or traffic filters [ec-restrictions-fleet-traffic-filters] +## Fleet with network security policies [ec-restrictions-fleet-traffic-filters] -% * You cannot use Fleet 7.13.x if your deployment is secured by [traffic filters](../../security/traffic-filtering.md). Fleet 7.14.0 and later works with traffic filters (both Private Link and IP filters). 
-* If you are using Fleet 8.12+, using a remote {{es}} output with a target cluster that has [traffic filters](../../security/traffic-filtering.md) enabled is not currently supported. +% * You cannot use Fleet 7.13.x if your deployment is secured by [network security policies](../../security/traffic-filtering.md). Fleet 7.14.0 and later works with network security policies (both IP filters and private connection policies). +* If you are using Fleet 8.12+, using a remote {{es}} output with a target cluster that has [network security policies](../../security/traffic-filtering.md) applied is not currently supported. ## Restoring a snapshot across deployments [ec-snapshot-restore-enterprise-search-kibana-across-deployments] diff --git a/deploy-manage/deploy/elastic-cloud/tools-apis.md b/deploy-manage/deploy/elastic-cloud/tools-apis.md index 916cb76d53..9368502fa9 100644 --- a/deploy-manage/deploy/elastic-cloud/tools-apis.md +++ b/deploy-manage/deploy/elastic-cloud/tools-apis.md @@ -30,7 +30,7 @@ The following REST APIs allow you to manage your {{ecloud}} organization, users, | Area | API | Tasks | | --- | --- | --- | -| {{ecloud}} organization

{{ech}} deployments | [{{ecloud}} API](https://www.elastic.co/docs/api/doc/cloud/) | Manage your Cloud organization, members, costs, billing, and more.

Manage your hosted deployments and all of the resources associated with them, including scaling or autoscaling resources, and managing traffic filters, deployment extensions, remote clusters, and {{stack}} versions.

Refer to [{{ecloud}} RESTful API](cloud://reference/cloud-hosted/ec-api-restful.md) for usage information and examples. | +| {{ecloud}} organization

{{ech}} deployments | [{{ecloud}} API](https://www.elastic.co/docs/api/doc/cloud/) | Manage your Cloud organization, members, costs, billing, and more.

Manage your hosted deployments and all of the resources associated with them, including scaling or autoscaling resources, and managing network security policies, deployment extensions, remote clusters, and {{stack}} versions.

Refer to [{{ecloud}} RESTful API](cloud://reference/cloud-hosted/ec-api-restful.md) for usage information and examples. | | {{serverless-full}} projects | [{{serverless-full}} API](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless) | Manage {{serverless-full}} projects. | | {{ecloud}} services | [Service Status API](https://status.elastic.co/api/) | Programmatically ingest [service status](/deploy-manage/cloud-organization/service-status.md) updates. | diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md index 66e2724a8e..61362d6d49 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs.md 
@@ -52,21 +52,21 @@ The steps, information, and authentication method required to configure CCS and * [From an ECK environment](ec-enable-ccs-for-eck.md) -## Remote clusters and traffic filtering [ec-ccs-ccr-traffic-filtering] +## Remote clusters and network security [ec-ccs-ccr-traffic-filtering] ::::{note} -Traffic filtering isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment. +[Network security](../security/traffic-filtering.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment. :::: -API key authentication for remote clusters cannot be used in combination with traffic filtering. +API key authentication for remote clusters cannot be used in combination with network security. -For remote clusters configured using TLS certificate authentication, [traffic filtering](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication. +For remote clusters configured using TLS certificate authentication, [network security](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication. -Traffic filtering for remote clusters supports 2 methods: +Network security for remote clusters supports 2 methods: * [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-traffic-filtering.md) -* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Features** > **Traffic filters** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page. 
+* Filtering by Organization or {{es}} cluster ID with a Remote cluster private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page. ::::{note} -When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. +When setting up network security for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. :::: diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md index e4bcc47851..27a084198c 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md @@ -39,7 +39,7 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Prerequisites and limitations [ec_prerequisites_and_limitations_3] * The local and remote deployments must be on {{stack}} 8.14 or later. -* API key authentication can’t be used in combination with traffic filters. +* API key authentication can’t be used in combination with [network security](/deploy-manage/security/traffic-filtering.md). * Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other. 
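Review bot: the second bullet in the ec-enable-ccs.md hunk at @@ -52 now calls the Organization/cluster-ID filter a "Remote cluster private connection policy", but the filter-type table this same patch rewrites in traffic-filtering.md lists only IP filters, private connections (AWS PrivateLink, Azure Private Link, GCP Private Service Connect) and Kubernetes network policies; a remote-cluster policy is not a private link service and is not listed there, so either add it to that table or give it its own name. In the same hunk, "API key authentication for remote clusters cannot be used in combination with network security" reads as if the feature were incompatible with securing the network at all; "network security policies" is what is meant, as in the ec-remote-cluster-ece.md line below.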
diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md index cadf711953..fde876685f 100644 --- a/deploy-manage/security/private-link-traffic-filters.md +++ b/deploy-manage/security/private-link-traffic-filters.md @@ -28,3 +28,7 @@ To learn how private connection policies work, how they affect your deployment, :::{tip} {{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource. ::: + +:::{note} +Private connections were formerly referred to as PrivateLink filters. +::: \ No newline at end of file diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index 0c49eda868..0ab33d8567 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md @@ -21,11 +21,15 @@ products: # Network security -Network security allows you to limit how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. +Network security allows you to control how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. + +:::{note} +Network security policies were formerly referred to as traffic filtering rules. +::: ## Network security methods -Depending on your deployment type you can use different mechanisms to restrict traffic. +Depending on your deployment type you can use different mechanisms to control access. ::::{note} This section covers network security at the deployment level. If you need the IP addresses used by {{ech}} to configure them in your network firewalls, refer to [](./elastic-cloud-static-ips.md). 
@@ -35,8 +39,8 @@ You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-c | Filter type | Description | Applicable deployment types | | --- | --- | --- | -| [IP filters](ip-traffic-filtering.md) | Filter traffic using IP addresses and Classless Inter-Domain Routing (CIDR) masks.

• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)

• [In ECE](/deploy-manage/security/ip-filtering-ece.md)

• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters | -| [Private connections and VCPE filtering](/deploy-manage/security/private-link-traffic-filters.md) | Allow traffic between {{es}} and other resources hosted by the same cloud provider using private link services. Choose the relevant option for your region:

• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)

• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)

• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only | +| [IP filters](ip-traffic-filtering.md) | Filter traffic from the public internet by allowlisting specific IP addresses and Classless Inter-Domain Routing (CIDR) masks.

• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)

• [In ECE](/deploy-manage/security/ip-filtering-ece.md)

• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters | +| [Private connections and VCPE filtering](/deploy-manage/security/private-link-traffic-filters.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPCE filtering. Choose the relevant option for your region:

• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)

• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)

• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only | | [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only | :::{include} _snippets/eck-traffic-filtering.md diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md index b01706d51f..ec902a0bdc 100644 --- a/deploy-manage/users-roles.md +++ b/deploy-manage/users-roles.md @@ -22,7 +22,7 @@ The methods that you use to authenticate users and control access depends on the ::::{note} Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following: -* Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md). +* Restrict the nodes and clients that can connect to the cluster using [network security](/deploy-manage/security/traffic-filtering.md) controls. * Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-cluster-communications.md), as well as [encrypting your data at rest](/deploy-manage/security/data-security.md). * Maintain an [audit trail](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) for security-related events. * Control access to dashboards and other saved objects in your UI using [{{kib}} spaces](/deploy-manage/manage-spaces.md). From 1c268c6bdfbf5dccd5e0d8df5cbda31d61e3acb6 Mon Sep 17 00:00:00 2001 
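Review bot: in the traffic-filtering.md table hunk (@@ -35), the second row's link text says "Private connections and VCPE filtering" while its description says "further secure these connections using VPCE filtering"; pick one spelling and apply it across the series (the GCP page says "VCPE filters" and the claim page "VCP ID"). The row also now promises that the connection is "further secure[d]" by this filtering without saying what is restricted; a few words on what the filter matches on (the endpoint or connection ID that the claim page covers) would make the security benefit concrete.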
From: shainaraskas Date: Wed, 18 Jun 2025 09:25:02 -0400 Subject: [PATCH 24/38] more --- deploy-manage/remote-clusters/ec-enable-ccs.md | 4 ++-- .../remote-clusters/ec-remote-cluster-other-ess.md | 2 +- deploy-manage/security/_snippets/delete-ruleset.md | 9 +-------- deploy-manage/security/traffic-filtering.md | 2 ++ 4 files changed, 6 insertions(+), 11 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md index 61362d6d49..4b17c76394 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs.md 
@@ -60,12 +60,12 @@ The steps, information, and authentication method required to configure CCS and API key authentication for remote clusters cannot be used in combination with network security. -For remote clusters configured using TLS certificate authentication, [network security](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication. +For remote clusters configured using TLS certificate authentication, [network security policies](../security/traffic-filtering.md) can be applies to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication. Network security for remote clusters supports 2 methods: * [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-traffic-filtering.md) -* Filtering by Organization or {{es}} cluster ID with a Remote cluster private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page. +* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page. ::::{note} When setting up network security for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. 
You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md index 0f3998ff7d..603e4ff756 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md @@ -14,7 +14,7 @@ products: This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ecloud}} organization. ::::{note} -If traffic filtering is enabled on the remote cluster, the remote cluster administrator must configure a traffic filter of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering). +If network security policies are applied to the remote cluster, the remote cluster administrator must configure a network security private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering). :::: ## Allow the remote connection [ec_allow_the_remote_connection_2] diff --git a/deploy-manage/security/_snippets/delete-ruleset.md b/deploy-manage/security/_snippets/delete-ruleset.md index 3cf7899c99..6ba92aa028 100644 --- a/deploy-manage/security/_snippets/delete-ruleset.md +++ b/deploy-manage/security/_snippets/delete-ruleset.md 
@@ -1,8 +1 @@ -If you need to remove a rule set, you must first remove any associations with deployments. - -To delete a rule set with all its rules: - -1. [Remove any deployment associations](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#remove-filter-deployment). -2. From the **Account** menu, select **Traffic filters**. -3. Find the rule set you want to edit. -4. Select the **Remove** icon. The icon is inactive if there are deployments assigned to the rule set. \ No newline at end of file +% no longer used \ No newline at end of file diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index 0ab33d8567..3de83c72e7 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md @@ -24,6 +24,8 @@ products: Network security allows you to control how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. :::{note} +The network security feature was formerly referred to as traffic filtering. + Network security policies were formerly referred to as traffic filtering rules. ::: From 3e17a592500b22cc206bc4fcaf17c68a48760f3e Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Wed, 18 Jun 2025 09:57:39 -0400 Subject: [PATCH 25/38] fix --- .../elastic-cloud/azure-native-isv-service.md | 17 +++++++++++------ .../ec-customize-deployment-components.md | 2 +- deploy-manage/deploy/elastic-cloud/heroku.md | 2 +- .../restrictions-known-problems.md | 18 +++++++++--------- .../deploy/elastic-cloud/tools-apis.md | 2 +- .../remote-clusters/ec-remote-cluster-ece.md | 2 +- 6 files changed, 24 insertions(+), 19 deletions(-) diff --git a/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md b/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md index 7013a03a7b..39f9f4d9c4 100644 
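Review bot: grammar error in the added line of the ec-enable-ccs.md hunk: "[network security policies](../security/traffic-filtering.md) can be applies to restrict access" should read "can be applied to restrict access". While in this hunk, the unchanged bullet still links `../security/ip-traffic-filtering.md`, whereas the rest of this series links IP filtering as `ip-filtering-cloud.md`; worth checking that the old path still resolves after the renames.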
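Review bot: the ec-remote-cluster-other-ess.md hunk changes the body text to "network security private connection policy of type remote cluster" but leaves the link text on the same line as "Remote clusters and traffic filtering" pointing at `#ec-ccs-ccr-traffic-filtering`; update the link text to the new terminology (the anchor id can stay for link stability). The phrase itself is hard to parse; suggest "a **Remote cluster** private connection policy", which is the wording the ec-enable-ccs.md hunk in this same commit uses.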
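Review bot: the delete-ruleset.md hunk replaces the whole snippet with `% no longer used`. If no `:::{include}` still references it, delete the file rather than leaving a placeholder that will outlive the rename; if something still includes it, the include now renders nothing, which should be confirmed on the pages that used it.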
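Review bot: style point on the traffic-filtering.md hunk: the note now has two near-identical sentences ("The network security feature was formerly referred to as traffic filtering." followed by "Network security policies were formerly referred to as traffic filtering rules."). Merging them into one sentence, such as "Network security was formerly called traffic filtering, and network security policies were formerly called traffic filtering rules.", reads more cleanly in a `{note}` block.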
--- a/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md +++ b/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md @@ -349,7 +349,7 @@ $$$azure-integration-monitor$$$How do I monitor my existing Azure services? ::::{note} -If you want to send platform logs to a deployment that has [network security policies](../../security/traffic-filtering.md) applied, then you need to contact [the Elastic Support Team](#azure-integration-support) to perform additional configurations. Refer support to the article [Azure++ Resource Logs blocked by Traffic Filters](https://support.elastic.co/knowledge/18603788). +If you want to send platform logs to a deployment that has [IP or Private Link traffic filters](../../security/traffic-filtering.md) enabled, then you need to contact [the Elastic Support Team](#azure-integration-support) to perform additional configurations. Refer support to the article [Azure++ Resource Logs blocked by Traffic Filters](https://support.elastic.co/knowledge/18603788). :::: 
@@ -477,15 +477,20 @@ $$$azure-integration-deployment-failed-traffic-filter$$$My {{ecloud}} deployment ] ``` - One possible cause of a deployment creation failure is the default network security policies. Deployments fail to create if a previously created network security policy has enabled the **Include by default** option. When this option is enabled, traffic to the deployment is blocked, including traffic that is part of the {{ecloud}} Azure Native ISV Service. As a result, some of the integration components are not successfully provisioned and the deployment creation fails. + One possible cause of a deployment creation failure is the default traffic filtering rules. Deployments fail to create if a previously created traffic filter has enabled the **Include by default** option. When this option is enabled, traffic to the deployment is blocked, including traffic that is part of the {{ecloud}} Azure Native ISV Service. As a result, some of the integration components are not successfully provisioned and the deployment creation fails. Follow these steps to resolve the problem: 1. Login to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). - 2. Go to the [Network security page](https://cloud.elastic.co/deployment-features/traffic-filters). - 3. Edit the policy and disable the **Include by default** option. + 2. Go to the [Traffic filters page](https://cloud.elastic.co/deployment-features/traffic-filters). + 3. Edit the traffic filter and disable the **Include by default** option. + + :::{image} /deploy-manage/images/cloud-ec-marketplace-azure-traffic-filter-option.png + :alt: The Include by default option under Add to Deployments on the Traffic Filter page + ::: + 4. In Azure, create a new {{ecloud}} deployment. - 5. After the deployment has been created successfully, go back to the [Network security page](https://cloud.elastic.co/deployment-features/traffic-filters) in {{ecloud}} and re-enable the **Include by default** option. + 5. 
After the deployment has been created successfully, go back to the [Traffic filters page](https://cloud.elastic.co/deployment-features/traffic-filters) in {{ecloud}} and re-enable the **Include by default** option. If your deployment still does not create successfully, [contact the Elastic Support Team](#azure-integration-support) for assistance. @@ -506,7 +511,7 @@ Mimicking this metadata by manually adding tags to an {{ecloud}} deployment will $$$azure-integration-logs-not-ingested$$$My {{ecloud}} Azure Native ISV Service logs are not being ingested. : * When you set up monitoring for your Azure services, if your Azure and Elastic resources are in different subscriptions, you need to make sure that the `Microsoft.Elastic` resource provider is registered in the subscription in which the Azure resources exist. Check [How do I monitor my existing Azure services?](#azure-integration-monitor) for details. -* If you are using [network security policies](../../security/traffic-filtering.md), reach out to [the Elastic Support Team](#azure-integration-support). +* If you are using [IP or Private Link traffic filters](../../security/traffic-filtering.md), reach out to [the Elastic Support Team](#azure-integration-support). diff --git a/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md b/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md index be015c0d60..016fa01d89 100644 --- a/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md +++ b/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md 
@@ -129,7 +129,7 @@ Refer to [Manage your Integrations Server](manage-integrations-server.md) to lea ## Security [ec_security] -Here, you can configure features that keep your deployment secure: reset the password for the `elastic` user, set up network security policies, and add settings to the {{es}} keystore. You can also set up remote connections to other deployments. +Here, you can configure features that keep your deployment secure: reset the password for the `elastic` user, set up traffic filters, and add settings to the {{es}} keystore. You can also set up remote connections to other deployments. ## Actions [ec_actions] diff --git a/deploy-manage/deploy/elastic-cloud/heroku.md b/deploy-manage/deploy/elastic-cloud/heroku.md index f9de1c5876..72e0fe21ca 100644 --- a/deploy-manage/deploy/elastic-cloud/heroku.md +++ b/deploy-manage/deploy/elastic-cloud/heroku.md @@ -82,7 +82,7 @@ You might want to add more layers of security to your deployment, such as: * Add more users to the deployment with third-party authentication providers and services like [SAML](../../users-roles/cluster-or-deployment-auth/saml.md), [OpenID Connect](../../users-roles/cluster-or-deployment-auth/openid-connect.md), or [Kerberos](../../users-roles/cluster-or-deployment-auth/kerberos.md). * Do not use clients that only support HTTP to connect to {{ecloud}}. If you need to do so, you should use a reverse proxy setup. -* Create [network security policies](../../security/traffic-filtering.md) and apply them to your deployments. +* Create [traffic filters](../../security/traffic-filtering.md) and apply them to your deployments. * If needed, you can [reset](../../users-roles/cluster-or-deployment-auth/built-in-users.md) the `elastic` password. ### Scale or adjust your deployment [echscale_or_adjust_your_deployment] diff --git a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md index 5a0214788d..f1ecfeed94 100644 
--- a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md +++ b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md @@ -20,8 +20,8 @@ When using {{ecloud}}, there are some limitations you should be aware of: * [Private Link and SSO to {{kib}} URLs](#ec-restrictions-traffic-filters-kibana-sso) * [PDF report generation using Alerts or Watcher webhooks](#ec-restrictions-traffic-filters-watcher) * [Kibana](#ec-restrictions-kibana) -% * [APM Agent central configuration with network security policies](#ec-restrictions-apm-traffic-filters) -* [Fleet with network security policies](#ec-restrictions-fleet-traffic-filters) +% * [APM Agent central configuration with Private Link or traffic filters](#ec-restrictions-apm-traffic-filters) +* [Fleet with Private Link or traffic filters](#ec-restrictions-fleet-traffic-filters) * [Restoring a snapshot across deployments](#ec-snapshot-restore-enterprise-search-kibana-across-deployments) * [Migrate Fleet-managed {{agents}} across deployments by restoring a snapshot](#ec-migrate-elastic-agent) * [Regions and Availability Zones](#ec-regions-and-availability-zone) 
@@ -88,13 +88,13 @@ Alternatively, a custom mail server can be configured as described in [Configuri ## Private Link and SSO to {{kib}} URLs [ec-restrictions-traffic-filters-kibana-sso] -Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} endpoints that are protected by Private Link network security policies. However, you can still SSO into Private Link protected {{kib}} endpoints individually using the [SAML](../../users-roles/cluster-or-deployment-auth/saml.md) or [OIDC](../../users-roles/cluster-or-deployment-auth/openid-connect.md) protocol from your own identity provider, just not through the {{ecloud}} console. Stack level authentication using the {{es}} username and password should also work with `{{kibana-id}}.{vpce|privatelink|psc}.domain` URLs. +Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} endpoints that are protected by Private Link traffic filters. However, you can still SSO into Private Link protected {{kib}} endpoints individually using the [SAML](../../users-roles/cluster-or-deployment-auth/saml.md) or [OIDC](../../users-roles/cluster-or-deployment-auth/openid-connect.md) protocol from your own identity provider, just not through the {{ecloud}} console. Stack level authentication using the {{es}} username and password should also work with `{{kibana-id}}.{vpce|privatelink|psc}.domain` URLs. ## PDF report generation using Alerts or Watcher webhooks [ec-restrictions-traffic-filters-watcher] * PDF report automatic generation via Alerts is not possible on {{ecloud}}. -* PDF report generation isn’t possible for deployments running on {{stack}} version 8.7.0 or before that are protected by IP filters. This limitation doesn’t apply to public webhooks such as Slack, PagerDuty, and email. 
For deployments running on {{stack}} version 8.7.1 and beyond, [PDF report automatic generation via Watcher webhook](../../../explore-analyze/report-and-share/automating-report-generation.md#use-watcher) is possible using the `xpack.notification.webhook.additional_token_enabled` configuration setting to bypass IP filters. +* PDF report generation isn’t possible for deployments running on {{stack}} version 8.7.0 or before that are protected by traffic filters. This limitation doesn’t apply to public webhooks such as Slack, PagerDuty, and email. For deployments running on {{stack}} version 8.7.1 and beyond, [PDF report automatic generation via Watcher webhook](../../../explore-analyze/report-and-share/automating-report-generation.md#use-watcher) is possible using the `xpack.notification.webhook.additional_token_enabled` configuration setting to bypass traffic filters. ## {{kib}} [ec-restrictions-kibana] 
@@ -103,18 +103,18 @@ Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} end * Running an external {{kib}} in parallel to {{ecloud}}’s {{kib}} instances may cause errors, for example [`Unable to decrypt attribute`](../../../explore-analyze/alerts-cases/alerts/alerting-common-issues.md#rule-cannot-decrypt-api-key), due to a mismatched [`xpack.encryptedSavedObjects.encryptionKey`](kibana://reference/configuration-reference/security-settings.md#security-encrypted-saved-objects-settings) as {{ecloud}} does not [allow users to set](edit-stack-settings.md) nor expose this value. While workarounds are possible, this is not officially supported nor generally recommended. -% ## APM Agent central configuration with network security policies [ec-restrictions-apm-traffic-filters] +% ## APM Agent central configuration with PrivateLink or traffic filters [ec-restrictions-apm-traffic-filters] % If you are using APM 7.9.0 or older: -% * You cannot use [APM Agent central configuration](/solutions/observability/apm/apm-agent-central-configuration.md) if your deployment is secured by [network security policies](../../security/traffic-filtering.md). +% * You cannot use [APM Agent central configuration](/solutions/observability/apm/apm-agent-central-configuration.md) if your deployment is secured by [traffic filters](../../security/traffic-filtering.md). % * If you access your APM deployment over [PrivateLink](../../security/aws-privatelink-traffic-filters.md), to use APM Agent central configuration you need to allow access to the APM deployment over public internet. -## Fleet with network security policies [ec-restrictions-fleet-traffic-filters] +## Fleet with PrivateLink or traffic filters [ec-restrictions-fleet-traffic-filters] -% * You cannot use Fleet 7.13.x if your deployment is secured by [network security policies](../../security/traffic-filtering.md). 
Fleet 7.14.0 and later works with network security policies (both IP filters and private connection policies). -* If you are using Fleet 8.12+, using a remote {{es}} output with a target cluster that has [network security policies](../../security/traffic-filtering.md) applied is not currently supported. +% * You cannot use Fleet 7.13.x if your deployment is secured by [traffic filters](../../security/traffic-filtering.md). Fleet 7.14.0 and later works with traffic filters (both Private Link and IP filters). +* If you are using Fleet 8.12+, using a remote {{es}} output with a target cluster that has [traffic filters](../../security/traffic-filtering.md) enabled is not currently supported. ## Restoring a snapshot across deployments [ec-snapshot-restore-enterprise-search-kibana-across-deployments] diff --git a/deploy-manage/deploy/elastic-cloud/tools-apis.md b/deploy-manage/deploy/elastic-cloud/tools-apis.md index 9368502fa9..916cb76d53 100644 --- a/deploy-manage/deploy/elastic-cloud/tools-apis.md +++ b/deploy-manage/deploy/elastic-cloud/tools-apis.md @@ -30,7 +30,7 @@ The following REST APIs allow you to manage your {{ecloud}} organization, users, | Area | API | Tasks | | --- | --- | --- | -| {{ecloud}} organization

{{ech}} deployments | [{{ecloud}} API](https://www.elastic.co/docs/api/doc/cloud/) | Manage your Cloud organization, members, costs, billing, and more.

Manage your hosted deployments and all of the resources associated with them, including scaling or autoscaling resources, and managing network security policies, deployment extensions, remote clusters, and {{stack}} versions.

Refer to [{{ecloud}} RESTful API](cloud://reference/cloud-hosted/ec-api-restful.md) for usage information and examples. | +| {{ecloud}} organization

{{ech}} deployments | [{{ecloud}} API](https://www.elastic.co/docs/api/doc/cloud/) | Manage your Cloud organization, members, costs, billing, and more.

Manage your hosted deployments and all of the resources associated with them, including scaling or autoscaling resources, and managing traffic filters, deployment extensions, remote clusters, and {{stack}} versions.

Refer to [{{ecloud}} RESTful API](cloud://reference/cloud-hosted/ec-api-restful.md) for usage information and examples. | | {{serverless-full}} projects | [{{serverless-full}} API](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless) | Manage {{serverless-full}} projects. | | {{ecloud}} services | [Service Status API](https://status.elastic.co/api/) | Programmatically ingest [service status](/deploy-manage/cloud-organization/service-status.md) updates. | diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md index 27a084198c..e4bcc47851 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md @@ -39,7 +39,7 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Prerequisites and limitations [ec_prerequisites_and_limitations_3] * The local and remote deployments must be on {{stack}} 8.14 or later. -* API key authentication can’t be used in combination with [network security](/deploy-manage/security/traffic-filtering.md). +* API key authentication can’t be used in combination with traffic filters. * Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other. From d85e4e8993c26d2d337b3893800d13eb832b7a7d Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Wed, 18 Jun 2025 13:06:35 -0400 Subject: [PATCH 26/38] fixes --- deploy-manage/security/_snippets/find-endpoint.md | 2 +- .../security/azure-private-link-traffic-filters.md | 6 +++--- deploy-manage/security/ece-filter-rules.md | 2 +- .../security/gcp-private-service-connect-traffic-filters.md | 2 +- deploy-manage/security/network-security-policies.md | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/deploy-manage/security/_snippets/find-endpoint.md b/deploy-manage/security/_snippets/find-endpoint.md index f2a5a1df5f..e13325253f 100644 
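Review bot: starting with the azure-native-isv-service.md `@@ -349` hunk, this commit moves text back from "network security policies" to "IP or Private Link traffic filters" and "traffic filters" across azure-native-isv-service.md, ec-customize-deployment-components.md, heroku.md, restrictions-known-problems.md, tools-apis.md and ec-remote-cluster-ece.md, which is the opposite direction from PATCH 24 in this series (which adds a note that "network security" is the new name for traffic filtering). If these pages intentionally keep the legacy term (for example because they document a UI that still shows "Traffic filters"), say so in the commit message; otherwise this reintroduces the inconsistency the series is meant to remove.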
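Review bot: the azure-native-isv-service.md `@@ -477` hunk re-adds an `{image}` directive for `/deploy-manage/images/cloud-ec-marketplace-azure-traffic-filter-option.png`; confirm that file still exists in the repo, since a missing image path fails the docs build rather than rendering a broken link. Two small style points in the same steps while they are being touched: unchanged step 1 reads "Login to the ... Console" and should be "Log in to" (verb), and the new step 5 is split across the `+ 5.` line and the following "After the deployment has been created successfully" text, so check that the list item renders as one step.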
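Review bot: in the restrictions-known-problems.md `@@ -103` hunk the spelling of the Azure/AWS feature is mixed within a single hunk: the headings say "PrivateLink or traffic filters" while the Fleet bullet in the same hunk says "(both Private Link and IP filters)", and earlier in the file the `@@ -88` hunk uses "Private Link traffic filters". Pick one form (the product name is "Private Link" for Azure and "PrivateLink" for AWS, so a generic heading should probably say "Private Link") and use it consistently. Also, several of the edited lines are `%`-commented (the APM 7.9.0 section and the Fleet 7.13.x bullet); editing commented-out text is churn, so either delete those lines or leave them untouched.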
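Review bot: the ec-remote-cluster-ece.md hunk drops the link along with the rename: "* API key authentication can’t be used in combination with [network security](/deploy-manage/security/traffic-filtering.md)." becomes "* API key authentication can’t be used in combination with traffic filters." with no link. Keep the link so readers of the prerequisites can get to the page that explains the restriction, whichever term is used.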
--- a/deploy-manage/security/_snippets/find-endpoint.md +++ b/deploy-manage/security/_snippets/find-endpoint.md @@ -10,7 +10,7 @@ If you have many deployments, you can instead go to the **Hosted deployments** ( 4. In the deployment overview, under **Applications**, find the application that you want to test. 5. Click **Copy endpoint**. The value looks something like the following: -```subs=true +```text subs=true https://my-deployment-d53192.es.{{example-default-dn}} ``` diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index 1889542223..56fef91afa 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md @@ -70,7 +70,7 @@ The process of setting up the private connection with Azure Private link is spli | 1. [Create a private endpoint using {{ecloud}} service alias.](#ec-private-link-azure-dns) | | | 2. [Create a DNS record pointing to the private endpoint](#ec-private-link-azure-dns). | | | | 3. [Create a private connection policy.](#ec-azure-allow-traffic-from-link-id) | -| | 4. [Associate the Azure Private Link rule set with your deployments](#ec-azure-associate-traffic-filter-private-link-rule-set). | +| | 4. [Associate the Azure Private Link rule set with your deployments](#ec-associate-traffic-filter-private-link-rule-set). | | | 5. [Interact with your deployments over Private Link.](#ec-azure-access-the-deployment-over-private-link) | 
@@ -83,7 +83,7 @@ The process of setting up the private connection with Azure Private link is spli Use [the service aliases for your region](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-service-aliases). Select the **Connect to an Azure resource by resource ID or alias** option. For example for the region `eastus2` the service alias is `eastus2-prod-002-privatelink-service.64359fdd-7893-4215-9929-ece3287e1371.eastus2.azure.privatelinkservice` ::::{note} - The Private Link endpoint is created in the `Awaiting Approval` state. We validate and approve the endpoints when you create the private connection policy using the Private Link `resource name` and `resource ID`, as described in the next section [Create a private connection policy](#ec-azure-allow-traffic-from-link-id). + The Private Link endpoint is created in the `Awaiting Approval` state. We validate and approve the endpoints when you create the private connection policy using the Private Link `resource ID`, as described in the next section [Create a private connection policy](#ec-azure-allow-traffic-from-link-id). :::: 2. Create a DNS record. 
@@ -111,7 +111,7 @@ Follow these high-level steps to add a private connection policy that can be ass 1. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id). 2. [Create policies using the Private Link Endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set). 3. [Test the connection](#test-the-connection). -4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-associate-traffic-filter-private-link-rule-set). +4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set). ### Find your private endpoint resource ID [ec-find-your-resource-id] diff --git a/deploy-manage/security/ece-filter-rules.md b/deploy-manage/security/ece-filter-rules.md index 85cbdbe2fe..a2cd4607fa 100644 --- a/deploy-manage/security/ece-filter-rules.md +++ b/deploy-manage/security/ece-filter-rules.md 
@@ -23,7 +23,7 @@ Rule sets work as follows: - Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others. -- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets. +- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets. - You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments. diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index f016a946e2..495576dfa9 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md 
@@ -208,7 +208,7 @@ Create a new private connection policy. 15. Click **Create**. 16. (Optional) You can [claim your Private Service Connect endpoint connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. -The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment. +The next step is to [associate the policy](#ec-psc-associate-traffic-filter-psc-rule-set) with your deployment. ### Optional: Associate a policy with a deployment [ec-psc-associate-traffic-filter-psc-rule-set] diff --git a/deploy-manage/security/network-security-policies.md b/deploy-manage/security/network-security-policies.md index 064463f363..746c1ba142 100644 --- a/deploy-manage/security/network-security-policies.md +++ b/deploy-manage/security/network-security-policies.md 
@@ -20,7 +20,7 @@ Policies operate on the proxy. Requests rejected by the policies are not forward - You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. - Policies, when associated with a deployment or project, will apply to all endpoints, such as {{es}}, {{kib}}, APM Server, and others. -- Any policy assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, if you specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the policies. +- Any policy assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint*. The implication is that if you make a mistake putting in the traffic source (for example, if you specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the policies. - You can [mark a policy as default](#default-network-security-policies). Default policies are automatically attached to all new resources of the matching resource type that you create in its region. ## Restrictions From ed383b10ec9c6345d63d65fdb520c4712accd96a Mon Sep 17 00:00:00 2001 From: shainaraskas <58563081+shainaraskas@users.noreply.github.com> Date: Wed, 18 Jun 2025 13:10:09 -0400 Subject: [PATCH 27/38] Update deploy-manage/_snippets/ecloud-security.md --- deploy-manage/_snippets/ecloud-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
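Review bot: both azure-private-link-traffic-filters.md hunks change the anchor from `#ec-azure-associate-traffic-filter-private-link-rule-set` to `#ec-associate-traffic-filter-private-link-rule-set`, but no heading carrying the new id is visible in this diff, and the old id had the `azure-` prefix in two places, which suggests it was the file's actual heading id. Compare with the GCP hunk in this same commit, where the target heading `[ec-psc-associate-traffic-filter-psc-rule-set]` is visible in the context; verify the Azure heading id the same way before merging, otherwise both links break silently.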
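Review bot: the ece-filter-rules.md and network-security-policies.md hunks both shorten the documented default from "*allow all access over the public internet endpoint; deny all access over Private Link*" to "*allow all access over the public internet endpoint*". For ECE, which has no Private Link, the removal is correct. For network-security-policies.md, which also covers hosted deployments where private connections exist, this changes a stated security default; confirm that private-connection traffic is in fact not denied when no policy is attached, and if the default is unchanged and only the wording is being simplified, the lockdown warning on the same line should still say that an attached policy governs private-connection traffic too.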
diff --git a/deploy-manage/_snippets/ecloud-security.md b/deploy-manage/_snippets/ecloud-security.md index 415fe5a63a..c183cf2d59 100644 --- a/deploy-manage/_snippets/ecloud-security.md +++ b/deploy-manage/_snippets/ecloud-security.md @@ -3,7 +3,7 @@ In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](/deploy-manage/security/ip-filtering-cloud.md) to prevent unauthorized access to your deployments and projects. In {{ech}}, you can augment these security features in the following ways: -* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your Elastic Cloud deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections. +* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your {{ecloud}} deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections. * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores. * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. From 7b7f50169180610b3137f97a61d1be036b07a676 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Wed, 18 Jun 2025 13:25:39 -0400 Subject: [PATCH 28/38] fix title --- deploy-manage/security/azure-private-link-traffic-filters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index 56fef91afa..096352ea45 100644 
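Review bot: the ecloud-security.md hunk fixes the `{{ecloud}}` substitution but leaves two errors on the visible lines: the unchanged context line "In both {{ech}} amd {{serverless-full}}" has "amd" for "and", and both the removed and added lines read "apply VCPE filtering" where the abbreviation is VPCE. Since this commit already touches the file, fixing both in the same one-line change is cheaper than a follow-up.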
--- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md @@ -15,7 +15,7 @@ sub: example-default-dn: "eastus2.azure.elastic-cloud.com" --- -# Azure Private Link traffic filters +# Azure Private Link private connections You can use Azure Private Link to establish a secure connection for your {{ecloud}} deployments to communicate with other Azure services. Azure routes the Private Link traffic within the Azure data center and never exposes it to the public internet. From dc36e5bcd2d8f83151f516512bff770d3c6f1ca2 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Wed, 18 Jun 2025 13:27:36 -0400 Subject: [PATCH 29/38] title fix --- deploy-manage/security/ip-filtering-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index efd20827bf..70970347bf 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -16,7 +16,7 @@ sub: policy-type: "IP filter" --- -# Manage IP traffic filters in ECH or Serverless +# Manage IP filters in ECH or Serverless Traffic filtering, by IP address or CIDR block, is one of the security layers available in {{ece}} and {{ech}}. It allows you to limit how your deployments can be accessed. From 1512943bb6cc205ae43dc094045c0ce9d8deaad9 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 12:10:21 -0400 Subject: [PATCH 30/38] fixes --- .../security/_snippets/associate-filter.md | 5 +---- .../security/_snippets/create-filter.md | 7 +------ .../security/_snippets/edit-ruleset.md | 4 +--- deploy-manage/security/ip-filtering-cloud.md | 17 ++++++++++++++++- deploy-manage/users-roles.md | 2 +- 5 files changed, 20 insertions(+), 15 deletions(-) diff --git a/deploy-manage/security/_snippets/associate-filter.md b/deploy-manage/security/_snippets/associate-filter.md index 4b30a99a4e..fab3e28d94 100644 
--- a/deploy-manage/security/_snippets/associate-filter.md +++ b/deploy-manage/security/_snippets/associate-filter.md @@ -1,8 +1,5 @@ -::::{tab-set} -:group: hosted-serverless - 1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus. - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. + On the **Hosted deployments** page, you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. 2. On the **Security** page, under **Network security**, select **Apply policies** > **{{policy-type}}**. 3. Choose the policy you want to apply and select **Apply**. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/create-filter.md b/deploy-manage/security/_snippets/create-filter.md index e438ad8c12..6ba92aa028 100644 --- a/deploy-manage/security/_snippets/create-filter.md +++ b/deploy-manage/security/_snippets/create-filter.md @@ -1,6 +1 @@ -% NO LONGER USED - -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. From any deployment or project on the home page, select **Manage**. -3. Under the **Features** tab, open the **Network security** page. - % From the left navigation menu, select **Access and security** > **Network security**. \ No newline at end of file +% no longer used \ No newline at end of file diff --git a/deploy-manage/security/_snippets/edit-ruleset.md b/deploy-manage/security/_snippets/edit-ruleset.md index fe7fc21024..6ba92aa028 100644 --- a/deploy-manage/security/_snippets/edit-ruleset.md +++ b/deploy-manage/security/_snippets/edit-ruleset.md 
@@ -1,3 +1 @@ -1. From the **Account** menu, select **Traffic filters**. -2. Find the rule set you want to edit. -3. Select the **Edit** icon. \ No newline at end of file +% no longer used \ No newline at end of file diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index 70970347bf..bc69aa25a4 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -73,8 +73,23 @@ You can associate a network security policy with your deployment or project from #### From a deployment or project -:::{include} _snippets/associate-filter.md +::::{tab-set} +:::{tab-item} Serverless +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. On the **Serverless projects** page, select your project. +3. Select the **Network security** tab on the left-hand side menu bar. +4. Select **Apply policies** > **IP filter**. +6. Choose the policy you want to apply and select **Apply**. +::: +:::{tab-item} Hosted +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. On the **Hosted deployments** page, select your deployment. +3. Select the **Network security** tab on the left-hand side menu bar. +4. Select the **Security** tab on the left-hand side menu bar. +5. Under **Network security**, select **Apply policies** > **IP filter**. +6. Choose the policy you want to apply and select **Apply**. ::: +:::: #### From the policy settings diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md index ec902a0bdc..b01706d51f 100644 --- a/deploy-manage/users-roles.md +++ b/deploy-manage/users-roles.md 
@@ -22,7 +22,7 @@ The methods that you use to authenticate users and control access depends on the ::::{note} Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following: -* Restrict the nodes and clients that can connect to the cluster using [network security](/deploy-manage/security/traffic-filtering.md) controls. +* Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md). * Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-cluster-communications.md), as well as [encrypting your data at rest](/deploy-manage/security/data-security.md). * Maintain an [audit trail](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) for security-related events. * Control access to dashboards and other saved objects in your UI using [{{kib}} spaces](/deploy-manage/manage-spaces.md). From 4734dbe90d4ac7df15fb2a8f9c1d0206e4f7a397 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 12:27:01 -0400 Subject: [PATCH 31/38] vcp -> vcpe --- ...m-traffic-filter-link-id-ownership-through-api.md | 12 ++++++------ deploy-manage/security/ip-filtering-ece.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md index 178decb78f..81dcd88fae 100644 --- a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md +++ b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md 
@@ -12,14 +12,14 @@ products: This example demonstrates how to use the {{ecloud}} RESTful API to claim different types of private link ID (AWS PrivateLink, Azure Private Link, and GCP Private Service Connect). We cover the following examples: -* [Claim a VCP ID](#ec-claim-a-traffic-filter-link-id) +* [Claim a VCPE ID](#ec-claim-a-traffic-filter-link-id) * [AWS PrivateLink](#ec-claim-aws-privatelink) * [Azure Private Link](#ec-claim-azure-private-link) * [GCP Private Service Connect](#ec-claim-gcp-private-service-connect) -* [List claimed VCP IDs](#ec-list-claimed-traffic-filter-link-id) -* [Unclaim a VCP ID](#ec-unclaim-a-traffic-filter-link-id) +* [List claimed VCPE IDs](#ec-list-claimed-traffic-filter-link-id) +* [Unclaim a VCPE ID](#ec-unclaim-a-traffic-filter-link-id) * [AWS PrivateLink](#ec-unclaim-aws-privatelink) * [Azure Private Link](#ec-unclaim-azure-private-link) @@ -27,7 +27,7 @@ This example demonstrates how to use the {{ecloud}} RESTful API to claim differe -## Claim a VCP ID [ec-claim-a-traffic-filter-link-id] +## Claim a VCPE ID [ec-claim-a-traffic-filter-link-id] ### AWS PrivateLink [ec-claim-aws-privatelink] @@ -79,7 +79,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids/_claim ``` -## List claimed VCP IDs [ec-list-claimed-traffic-filter-link-id] +## List claimed VCPE IDs [ec-list-claimed-traffic-filter-link-id] ```sh curl \ @@ -89,7 +89,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids \ ``` -## Unclaim a VCP ID [ec-unclaim-a-traffic-filter-link-id] +## Unclaim a VCPE ID [ec-unclaim-a-traffic-filter-link-id] ### AWS PrivateLink [ec-unclaim-aws-privatelink] diff --git a/deploy-manage/security/ip-filtering-ece.md b/deploy-manage/security/ip-filtering-ece.md index 223b8a7099..4f252eea43 100644 --- a/deploy-manage/security/ip-filtering-ece.md +++ b/deploy-manage/security/ip-filtering-ece.md 
@@ -13,7 +13,7 @@ products: Filtering by IP address or CIDR block is one of the security layers available in {{ece}}. It allows you to limit how your deployments can be accessed. -You can only configure ingress or inbound IP filters**. These restrict access to your deployments from a set of IP addresses or CIDR blocks. +You can only configure ingress or inbound IP filters. These restrict access to your deployments from a set of IP addresses or CIDR blocks. Follow the step described here to set up ingress or inbound IP filters through the Cloud UI. From bb6a5cac81521cb47677c4bf66f64ff96da653c7 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 12:36:57 -0400 Subject: [PATCH 32/38] fixes --- deploy-manage/security/aws-privatelink-traffic-filters.md | 2 +- .../security/ec-traffic-filtering-through-the-api.md | 2 +- deploy-manage/security/ip-traffic-filtering.md | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index c0c55edafc..c755dc420a 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -98,7 +98,7 @@ The process of setting up a private connection with AWS PrivateLink is split bet | --- | --- | | 1. [Create a VPC endpoint using {{ecloud}} service name.](#ec-aws-vpc-dns) | | | 2. [Create a DNS record pointing to the VPC endpoint.](#ec-aws-vpc-dns) | | -| | 3. **Optional**: [Create a private connection policy.](ec-add-vpc-elastic)

A private connection policy is required to filter traffic using the VCP endpoint ID. | +| | 3. **Optional**: [Create a private connection policy.](#ec-add-vpc-elastic)

A private connection policy is required to filter traffic using the VCP endpoint ID. | | | 4. **Optional**: [Associate the private connection policy with deployments](#ec-associate-traffic-filter-private-link-rule-set). | | | 5. [Interact with your deployments over PrivateLink](#ec-access-the-deployment-over-private-link). | diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md index b6c900b8c7..17d10db47d 100644 --- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md +++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md @@ -236,7 +236,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -To find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, check [Find your private endpoint resource name](azure-private-link-traffic-filters.md#ec-find-your-resource-name) and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. +To find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, check [Find your private endpoint resource name]() and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. ### GCP Private Service Connect traffic filters [ec-gcp-private-service-connect-traffic-filters-rule-set] diff --git a/deploy-manage/security/ip-traffic-filtering.md b/deploy-manage/security/ip-traffic-filtering.md index 55bcd1e321..90409e03cf 100644 --- a/deploy-manage/security/ip-traffic-filtering.md +++ b/deploy-manage/security/ip-traffic-filtering.md 
@@ -24,7 +24,7 @@ If you use {{ech}} or {{eck}}, then other [network security](/deploy-manage/secu In {{serverless-full}} and {{ech}}, network security policies are created at the organization level, and then applied at the deployment level. Follow these guides to learn how to create, apply, and manage these policies using your preferred method: * [In the {{ecloud}} console](/deploy-manage/security/ip-filtering-cloud.md) - * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api) + * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md) To learn how multiple IP filter policies are processed, and how IP filters and [private connections](/deploy-manage/security/private-link-traffic-filters.md) work together in ECH, refer to [](/deploy-manage/security/network-security-policies.md). @@ -33,9 +33,9 @@ To learn how multiple IP filter policies are processed, and how IP filters and [ In {{ece}}, filter rules are created at the platform level, and then applied at the deployment level. Follow these guides to learn how to create, apply, and manage these policies using your preferred method: * [In the Cloud UI](/deploy-manage/security/ip-filtering-ece.md) - * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api) + * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md) -To learn how multiple rules are processed, refer to [Traffic filter rules](/deploy-manage/security/traffic-filter-rules.md). +To learn how multiple rules are processed, refer to [](/deploy-manage/security/ece-filter-rules.md). ## ECK and self managed From 12cf5410b18e95c5b7a7b7660228ede699ba3836 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 13:10:28 -0400 Subject: [PATCH 33/38] fix better --- deploy-manage/security/ec-traffic-filtering-through-the-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md index 17d10db47d..3490c86184 100644 --- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md +++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md @@ -236,7 +236,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -To find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, check [Find your private endpoint resource name]() and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. +To find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, check [Find your private endpoint resource name] and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. ### GCP Private Service Connect traffic filters [ec-gcp-private-service-connect-traffic-filters-rule-set] From a9f34462bd914b871c8ed0a2400522e83985789c Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 13:49:20 -0400 Subject: [PATCH 34/38] fix curl tests --- .../aws-privatelink-traffic-filters.md | 37 ++++++++---- .../azure-private-link-traffic-filters.md | 60 ++++++++++++++----- .../ec-traffic-filtering-through-the-api.md | 2 +- ...private-service-connect-traffic-filters.md | 29 ++++++--- 4 files changed, 91 insertions(+), 37 deletions(-) diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index c755dc420a..0658d68cca 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md 
@@ -186,11 +186,11 @@ To test the connection: :::{include} _snippets/find-endpoint.md ::: -2. Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. +2. Test the setup using the following cURL command. Pass the username and password for a user that has access to the cluster. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. **Request** ```sh - $ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com + $ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -u {username}:{password} ``` **Response** ```sh @@ -198,13 +198,18 @@ To test the connection: * subject: CN=*.us-east-1.aws.elastic-cloud.com * SSL certificate verify ok. .. - {"ok":false,"message":"Forbidden"} - * Connection #0 to host my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com left intact + < HTTP/1.1 200 OK + .. + { + "name" : "instance-0000000009", + "cluster_name" : "fb7e805e5cfb4931bdccc4f3cb591f5f", + "cluster_uuid" : "2cTHeCQYS2a0iH7YnQHrIQ", + "version" : { ... }, + "tagline" : "You Know, for Search" + } ``` -The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet. - -% needs to be edited +The connection is established, and a valid certificate is presented to the client. Elastic responds, in the case of the {{es}} endpoint, with basic information about the cluster. ## Optional: Create a private connection policy [ec-add-vpc-elastic] 
@@ -308,13 +313,23 @@ To access the deployment: **Request** ```sh - $ curl -u 'username:password' -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com + $ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -u {username}:{password} ``` - **Response** - ``` - < HTTP/1.1 200 OK + ```sh + * Server certificate: + * subject: CN=*.us-east-1.aws.elastic-cloud.com + * SSL certificate verify ok. + .. + < HTTP/1.1 200 OK .. + { + "name" : "instance-0000000009", + "cluster_name" : "fb7e805e5cfb4931bdccc4f3cb591f5f", + "cluster_uuid" : "2cTHeCQYS2a0iH7YnQHrIQ", + "version" : { ... }, + "tagline" : "You Know, for Search" + } ``` ### AWS PrivateLink and Fleet diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index 096352ea45..35ec7ef3c0 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md 
@@ -108,10 +108,17 @@ After you create your private endpoint and DNS entries, you can create a private Follow these high-level steps to add a private connection policy that can be associated with your deployments. -1. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id). -2. [Create policies using the Private Link Endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set). -3. [Test the connection](#test-the-connection). -4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set). +1. [Find your private endpoint resource name](#ec-find-your-resource-name). +2. [Find your private endpoint resource ID](#ec-find-your-resource-id). +3. [Create policies using the Private Link Endpoint resource ID](#ec-azure-create-traffic-filter-private-link-rule-set). +4. [Test the connection](#test-the-connection). +5. [Associate the private endpoint with your deployment](#ec-associate-traffic-filter-private-link-rule-set). + +### Find your private endpoint resource name [ec-find-your-resource-name] + +1. Go to your Private Link Endpoint in the Azure Portal. +2. Select **JSON View**. +3. Copy the value of the top level **name** property. ### Find your private endpoint resource ID [ec-find-your-resource-id] @@ -128,10 +135,9 @@ Follow these high-level steps to add a private connection policy that can be ass :alt: Private endpoint properties :screenshot: ::: -% fix me -### Create a policy using the Private Link Endpoint resource ID [ec-azure-create-traffic-filter-private-link-rule-set] +### Create a policy using the Private Link Endpoint resource [ec-azure-create-traffic-filter-private-link-rule-set] When you have your private endpoint ID, you can create a private connection policy. 
@@ -151,8 +157,8 @@ The Private Link connection will be approved automatically after the private con ::: 7. Under **Connectivity**, select **Privatelink**. 8. Under **VPCE filter**, enter your Private Endpoint resource ID. + % where does name go - :::{tip} You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. @@ -182,10 +188,10 @@ To test the connection: :::{include} _snippets/find-endpoint.md ::: -2. Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. +2. Test the setup using the following cURL command. Pass the username and password for a user that has access to the cluster. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. ```sh - $ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 + $ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 -u {username}:{password} ``` The output should look like this: 
@@ -198,19 +204,27 @@ To test the connection: * server certificate verification OK * common name: *.privatelink.elastic-cloud.com (matched) .. - < HTTP/1.1 403 Forbidden - {"ok":false,"message":"Forbidden"} + < HTTP/1.1 200 OK + .. + { + "name" : "instance-0000000009", + "cluster_name" : "fb7e805e5cfb4931bdccc4f3cb591f5f", + "cluster_uuid" : "2cTHeCQYS2a0iH7YnQHrIQ", + "version" : { ... }, + "tagline" : "You Know, for Search" + } ``` Check the IP address `192.168.46.5` it should be the same as the IP address of your private endpoint. - The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associate the rule set with any deployment yet. + The connection is established, and a valid certificate is presented to the client. Elastic responds, in the case of the {{es}} endpoint, with basic information about the cluster. In the event that the Private Link connection is not approved by {{ecloud}}, you’ll get an error message like the following. Double check that the filter you’ve created in the previous step uses the right resource ID. + **Request** ```sh -$ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 +$ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 -u {username}:{password} ``` **Response** 
@@ -270,13 +284,27 @@ To access the deployment: **Request** ```sh - $ curl -u 'username:password' -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 + $ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243 -u {username}:{password} ``` **Response** - ``` - < HTTP/1.1 200 OK + ```sh + * Rebuilt URL to: https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243/ + * Trying 192.168.46.5... + .. + * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 + * server certificate verification OK + * common name: *.privatelink.elastic-cloud.com (matched) + .. + < HTTP/1.1 200 OK .. + { + "name" : "instance-0000000009", + "cluster_name" : "fb7e805e5cfb4931bdccc4f3cb591f5f", + "cluster_uuid" : "2cTHeCQYS2a0iH7YnQHrIQ", + "version" : { ... }, + "tagline" : "You Know, for Search" + } ``` ### Azure Pivate Link and Fleet diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md index 3490c86184..b6c900b8c7 100644 --- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md +++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md 
@@ -236,7 +236,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -To find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, check [Find your private endpoint resource name] and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. +To find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, check [Find your private endpoint resource name](azure-private-link-traffic-filters.md#ec-find-your-resource-name) and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. ### GCP Private Service Connect traffic filters [ec-gcp-private-service-connect-traffic-filters-rule-set] diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 495576dfa9..93826236e1 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md 
@@ -132,11 +132,11 @@ To test the connection: 1. Access your cluster over Private Link: * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect. - * Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. + * Test the setup using the following cURL command. Pass the username and password for a user that has access to the cluster. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered. **Request** ```sh - $ curl -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243 + $ curl -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243 -u {username}:{password} ``` **Response** @@ -144,16 +144,20 @@ To test the connection: .. * Trying 192.168.100.2... .. - < HTTP/2 403 + < HTTP/1.1 200 OK .. - {"ok":false,"message":"Forbidden"} + { + "name" : "instance-0000000009", + "cluster_name" : "fb7e805e5cfb4931bdccc4f3cb591f5f", + "cluster_uuid" : "2cTHeCQYS2a0iH7YnQHrIQ", + "version" : { ... }, + "tagline" : "You Know, for Search" + } ``` Check the IP address. it should be the same as the IP address assigned to your Private Service Connect endpoint. -The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet. - -% needs to be edited +The connection is established, and a valid certificate is presented to the client. Elastic responds, in the case of the {{es}} endpoint, with basic information about the cluster. ## Optional: Create a private connection policy [ec-private-service-connect-allow-from-psc-connection-id] 
@@ -253,13 +257,20 @@ To access the deployment: **Request** ```sh - $ curl -u 'username:password' -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243 + $ curl -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243 -u {username}:{password} ``` **Response** - ``` + ```sh < HTTP/1.1 200 OK .. + { + "name" : "instance-0000000009", + "cluster_name" : "fb7e805e5cfb4931bdccc4f3cb591f5f", + "cluster_uuid" : "2cTHeCQYS2a0iH7YnQHrIQ", + "version" : { ... }, + "tagline" : "You Know, for Search" + } ``` ### GCP Private Service Connect and Fleet From ca784e5dfffbdbf522a7454dae834d5a00b2c21a Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 14:09:17 -0400 Subject: [PATCH 35/38] fix --- deploy-manage/_snippets/ecloud-security.md | 2 +- .../_snippets/cluster-communication-network.md | 2 +- deploy-manage/security/_snippets/cluster-comparison.md | 10 +++++----- deploy-manage/security/_snippets/remove-filter.md | 5 +---- .../security/aws-privatelink-traffic-filters.md | 6 +++--- .../security/azure-private-link-traffic-filters.md | 10 +++++----- .../gcp-private-service-connect-traffic-filters.md | 2 +- deploy-manage/security/ip-filtering-cloud.md | 4 ++-- deploy-manage/security/network-security-policies.md | 2 +- deploy-manage/security/private-link-traffic-filters.md | 7 +++---- deploy-manage/security/traffic-filtering.md | 2 +- 11 files changed, 24 insertions(+), 28 deletions(-) diff --git a/deploy-manage/_snippets/ecloud-security.md b/deploy-manage/_snippets/ecloud-security.md index c183cf2d59..6d689920f4 100644 --- a/deploy-manage/_snippets/ecloud-security.md +++ b/deploy-manage/_snippets/ecloud-security.md 
@@ -3,7 +3,7 @@ In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](/deploy-manage/security/ip-filtering-cloud.md) to prevent unauthorized access to your deployments and projects. In {{ech}}, you can augment these security features in the following ways: -* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your {{ecloud}} deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections. +* [Configure private connectivity and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your {{ecloud}} deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections. * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores. * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. diff --git a/deploy-manage/security/_snippets/cluster-communication-network.md b/deploy-manage/security/_snippets/cluster-communication-network.md index 3cf287d6e2..aa3a2c0cdf 100644 --- a/deploy-manage/security/_snippets/cluster-communication-network.md +++ b/deploy-manage/security/_snippets/cluster-communication-network.md 
@@ -3,5 +3,5 @@ * **The transport layer**: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication. * In self-managed {{es}} clusters, you can also [Configure {{kib}} and {{es}} to use mutual TLS](/deploy-manage/security/kibana-es-mutual-tls.md). * [Enable cipher suites for stronger encryption](/deploy-manage/security/enabling-cipher-suites-for-stronger-encryption.md): The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers. -* [Secure your network using IP filtering and private connections](/deploy-manage/security/traffic-filtering.md): Network security allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. +* [Secure your network using IP filtering and private connectivity](/deploy-manage/security/traffic-filtering.md): Network security allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. * [Allow or deny {{ech}} IP ranges](/deploy-manage/security/elastic-cloud-static-ips.md): {{ecloud}} publishes a list of IP addresses used by its {{ech}} services for both incoming and outgoing traffic. 
Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to {{ech}} services. \ No newline at end of file diff --git a/deploy-manage/security/_snippets/cluster-comparison.md b/deploy-manage/security/_snippets/cluster-comparison.md index d4f3bf264a..2b747341a8 100644 --- a/deploy-manage/security/_snippets/cluster-comparison.md +++ b/deploy-manage/security/_snippets/cluster-comparison.md @@ -20,7 +20,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | -| | Private connections and VPC filtering | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) | +| | Private connectivity and VPC filtering | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | Managed | You can [bring your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md) | | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) | 
@@ -37,7 +37,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | -| | Private connections and VPC filtering | N/A | | +| | Private connectivity and VPC filtering | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | Fully managed | Automatically encrypted by Elastic | | | Secure settings | N/A | | @@ -54,7 +54,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) | | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) | -| | Private connections and VPC filtering | N/A | | +| | Private connectivity and VPC filtering | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | N/A | | | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) | 
@@ -71,7 +71,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) for customization | | | TLS (Transport layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) for customization | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | -| | Private connections and VPC filtering | N/A | | +| | Private connectivity and VPC filtering | N/A | | | | Kubernetes network policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) | | **Data** | Encryption at rest | N/A | | | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/k8s-secure-settings.md) | @@ -89,7 +89,7 @@ Select your deployment type below to see what's available and how implementation | **Communication** | TLS (HTTP layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) | | | TLS (Transport layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) | | **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) | -| | Private connections and VPC filtering | N/A | | +| | Private connectivity and VPC filtering | N/A | | | | Kubernetes network policies | N/A | | | **Data** | Encryption at rest | N/A | | | | Keystore security | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) | diff --git a/deploy-manage/security/_snippets/remove-filter.md b/deploy-manage/security/_snippets/remove-filter.md index 5ee5f0b29b..6ba92aa028 100644 --- a/deploy-manage/security/_snippets/remove-filter.md 
+++ b/deploy-manage/security/_snippets/remove-filter.md @@ -1,4 +1 @@ -If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI: - -1. Go to the deployment. -2. On the **Security** page, under **Traffic filters** select **Remove**. \ No newline at end of file +% no longer used \ No newline at end of file diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md index 0658d68cca..c122338a78 100644 --- a/deploy-manage/security/aws-privatelink-traffic-filters.md +++ b/deploy-manage/security/aws-privatelink-traffic-filters.md @@ -15,7 +15,7 @@ sub: example-default-dn: "us-east-1.aws.elastic-cloud.com" --- -# AWS PrivateLink private connections +# AWS PrivateLink private connectivity You can use AWS PrivateLink to establish a secure connection for your {{ecloud}} deployments to communicate with other AWS services. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. @@ -225,7 +225,7 @@ Creating a private connection policy and associating it with your deployments al Follow these high-level steps to add a private connection policy that can be associated with your deployments. 1. Optional: [Find your VPC endpoint ID](#ec-find-your-endpoint). -2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set). +2. [Create a private connection policy using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set). 3. [Associate the VPC endpoint with your deployment](#ec-associate-traffic-filter-private-link-rule-set). ### Optional: Find your VPC endpoint ID [ec-find-your-endpoint] 
@@ -266,7 +266,7 @@ Create a new private connection policy. 13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. If you specified a VPCE filter, then after you associate the filter with a deployment, it starts filtering traffic. 14. To automatically attach this private connection policy to new deployments, select **Apply by default**. 15. Click **Create**. -16. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset. +16. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment. diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index 35ec7ef3c0..34758b2ecb 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md @@ -15,7 +15,7 @@ sub: example-default-dn: "eastus2.azure.elastic-cloud.com" --- -# Azure Private Link private connections +# Azure Private Link private connectivity You can use Azure Private Link to establish a secure connection for your {{ecloud}} deployments to communicate with other Azure services. Azure routes the Private Link traffic within the Azure data center and never exposes it to the public internet. 
@@ -67,11 +67,11 @@ The process of setting up the private connection with Azure Private link is spli | Azure portal | {{ecloud}} | | --- | --- | -| 1. [Create a private endpoint using {{ecloud}} service alias.](#ec-private-link-azure-dns) | | +| 1. [Create a private endpoint using {{ecloud}} service alias](#ec-private-link-azure-dns). | | | 2. [Create a DNS record pointing to the private endpoint](#ec-private-link-azure-dns). | | -| | 3. [Create a private connection policy.](#ec-azure-allow-traffic-from-link-id) | -| | 4. [Associate the Azure Private Link rule set with your deployments](#ec-associate-traffic-filter-private-link-rule-set). | -| | 5. [Interact with your deployments over Private Link.](#ec-azure-access-the-deployment-over-private-link) | +| | 3. [Create a private connection policy](#ec-azure-allow-traffic-from-link-id). | +| | 4. [Associate the Azure private connection policy with your deployments](#ec-associate-traffic-filter-private-link-rule-set). | +| | 5. [Interact with your deployments over Private Link](#ec-azure-access-the-deployment-over-private-link). | ### Create your private endpoint and DNS entries in Azure [ec-private-link-azure-dns] diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 93826236e1..14894f63a5 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -16,7 +16,7 @@ sub: example-default-dn: "us-central1.gcp.cloud.es.io" --- -# GCP Private Service Connect private connections +# GCP Private Service Connect private connectivity You can use GCP Private Service Connect to establish a secure connection for your {{ecloud}} deployments to communicate with other GCP services. GCP routes the Private Link traffic within the GCP data center and never exposes it to the public internet. 
diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index bc69aa25a4..cded05bd26 100644 --- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -8,7 +8,7 @@ applies_to: deployment: ess: ga ece: ga - serverless: ga + serverless: ga products: - id: cloud-hosted - id: cloud-serverless @@ -39,7 +39,7 @@ To learn how to create IP filters for self-managed clusters or {{eck}} deploymen ## Apply an IP filter to a deployment or project -To apply an IP filter to a deployment or project, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment. +To apply an IP filter to a deployment or project, you must first create a policy at the organization or platform level, and then apply the policy to your deployment. ### Step 1: Create an IP filter policy diff --git a/deploy-manage/security/network-security-policies.md b/deploy-manage/security/network-security-policies.md index 746c1ba142..349c2ffc7f 100644 --- a/deploy-manage/security/network-security-policies.md +++ b/deploy-manage/security/network-security-policies.md 
@@ -28,7 +28,7 @@ Policies operate on the proxy. Requests rejected by the policies are not forward - You can have a maximum of 1024 policies per organization and 128 sources in each policy. - Policies must be created for a specific resource type. If you want to associate a policy to both hosted deployments and Serverless projects, then you have to create the same policy for each resource types. - Policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. -- Domain-based filtering rules are not allowed for network security policies, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed. +- Domain-based filtering sources are not allowed for network security policies, because the original IP is hidden behind the proxy. Only IP-based filtering sources are allowed. ## Default network security policies diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md index fde876685f..8a961f7b44 100644 --- a/deploy-manage/security/private-link-traffic-filters.md +++ b/deploy-manage/security/private-link-traffic-filters.md 
@@ -3,15 +3,14 @@ applies_to: deployment: ess: ga serverless: ga -navigation_title: "Add private connections" products: - id: cloud-hosted - id: cloud-serverless --- -# Private connections +# Private connectivity -A private connection is a secure way for your {{ecloud}} deployments and projects to communicate with other cloud provider services over your cloud provider's private network. You can create a virtual private connection endpoint (VCPE) using your provider's private link service. You can also optionally filter traffic to your deployments and projects by creating ingress filters for your VCPE in {{ecloud}}. +Private connectivity is a secure way for your {{ecloud}} deployments and projects to communicate with other cloud provider services over your cloud provider's private network. You can create a virtual private connection endpoint (VCPE) using your provider's private link service. You can also optionally filter traffic to your deployments and projects by creating ingress filters for your VCPE in {{ecloud}}. Choose the relevant option for your cloud service provider: @@ -30,5 +29,5 @@ To learn how private connection policies work, how they affect your deployment, ::: :::{note} -Private connections were formerly referred to as PrivateLink filters. +Private connection policies were formerly referred to as PrivateLink filters. ::: \ No newline at end of file diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index 3de83c72e7..d6e2a62580 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md @@ -42,7 +42,7 @@ You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-c | Filter type | Description | Applicable deployment types | | --- | --- | --- | | [IP filters](ip-traffic-filtering.md) | Filter traffic from the public internet by allowlisting specific IP addresses and Classless Inter-Domain Routing (CIDR) masks.

• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)

• [In ECE](/deploy-manage/security/ip-filtering-ece.md)

• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters | -| [Private connections and VCPE filtering](/deploy-manage/security/private-link-traffic-filters.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPCE filtering. Choose the relevant option for your region:

• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)

• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)

• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only | +| [Private connectivity and VCPE filtering](/deploy-manage/security/private-link-traffic-filters.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPCE filtering. Choose the relevant option for your region:

• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)

• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)

• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only | | [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only | :::{include} _snippets/eck-traffic-filtering.md From 21906574d81ddbac665239123f1d4d50ce2f4b2c Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 14:16:15 -0400 Subject: [PATCH 36/38] badge fixes --- deploy-manage/security/ec-traffic-filtering-through-the-api.md | 2 ++ .../security/gcp-private-service-connect-traffic-filters.md | 1 - deploy-manage/security/ip-filtering-cloud.md | 1 - deploy-manage/security/private-link-traffic-filters.md | 2 -- 4 files changed, 2 insertions(+), 4 deletions(-) diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md index b6c900b8c7..a064731952 100644 --- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md +++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md @@ -6,9 +6,11 @@ applies_to: deployment: ess: ece: + serverless: products: - id: cloud-hosted - id: cloud-enterprise + - id: cloud-serverless navigation_title: Through the API --- diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md index 14894f63a5..b7c4691afa 100644 --- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md +++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md @@ -5,7 +5,6 @@ mapped_pages: applies_to: deployment: ess: ga - serverless: ga products: - id: cloud-hosted navigation_title: GCP Private Service Connect diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md index cded05bd26..89979fcdfd 100644 
--- a/deploy-manage/security/ip-filtering-cloud.md +++ b/deploy-manage/security/ip-filtering-cloud.md @@ -7,7 +7,6 @@ mapped_pages: applies_to: deployment: ess: ga - ece: ga serverless: ga products: - id: cloud-hosted diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md index 8a961f7b44..e4edb2f30a 100644 --- a/deploy-manage/security/private-link-traffic-filters.md +++ b/deploy-manage/security/private-link-traffic-filters.md @@ -2,10 +2,8 @@ applies_to: deployment: ess: ga - serverless: ga products: - id: cloud-hosted - - id: cloud-serverless --- # Private connectivity From ff602978174ebcf31e09f181d9b048630add8b26 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 15:51:02 -0400 Subject: [PATCH 37/38] fix API content --- .../azure-private-link-traffic-filters.md | 5 +- ...ic-filter-link-id-ownership-through-api.md | 16 +- .../ec-traffic-filtering-through-the-api.md | 344 ++++++++++++------ 3 files changed, 241 insertions(+), 124 deletions(-) diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md index 34758b2ecb..af18e12bbf 100644 --- a/deploy-manage/security/azure-private-link-traffic-filters.md +++ b/deploy-manage/security/azure-private-link-traffic-filters.md 
@@ -156,8 +156,7 @@ The Private Link connection will be approved automatically after the private con Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to. ::: 7. Under **Connectivity**, select **Privatelink**. -8. Under **VPCE filter**, enter your Private Endpoint resource ID. - % where does name go +8. Enter your private endpoint **Resource name** and **Resource ID**. When applied to a deployment, this information will be used to filter traffic. :::{tip} You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`. @@ -168,7 +167,7 @@ The Private Link connection will be approved automatically after the private con 9. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. After you associate the filter with a deployment, it starts filtering traffic. 10. To automatically attach this private connection policy to new deployments, select **Apply by default**. 11. Click **Create**. -12. (Optional) You can [claim your Private Endpoint resource ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. +12. (Optional) You can [claim your Private Endpoint resource name and ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy. Creating the filter approves the Private Link connection. 
diff --git a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md index 81dcd88fae..576da9c128 100644 --- a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md +++ b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md @@ -8,18 +8,18 @@ products: - id: cloud-hosted --- -# Claim VCPE ID ownership [ec-claim-traffic-filter-link-id-through-the-api] +# Claim VCPE ID or Azure resource ownership [ec-claim-traffic-filter-link-id-through-the-api] -This example demonstrates how to use the {{ecloud}} RESTful API to claim different types of private link ID (AWS PrivateLink, Azure Private Link, and GCP Private Service Connect). We cover the following examples: +This example demonstrates how to use the {{ecloud}} RESTful API to claim different types of ID (AWS PrivateLink, Azure Private Link, and GCP Private Service Connect). We cover the following examples: -* [Claim a VCPE ID](#ec-claim-a-traffic-filter-link-id) +* [Claim a VCPE ID or Azure resource](#ec-claim-a-traffic-filter-link-id) * [AWS PrivateLink](#ec-claim-aws-privatelink) * [Azure Private Link](#ec-claim-azure-private-link) * [GCP Private Service Connect](#ec-claim-gcp-private-service-connect) -* [List claimed VCPE IDs](#ec-list-claimed-traffic-filter-link-id) -* [Unclaim a VCPE ID](#ec-unclaim-a-traffic-filter-link-id) +* [List claimed IDs](#ec-list-claimed-traffic-filter-link-id) +* [Unclaim a VCPE ID or Azure resource](#ec-unclaim-a-traffic-filter-link-id) * [AWS PrivateLink](#ec-unclaim-aws-privatelink) * [Azure Private Link](#ec-unclaim-azure-private-link) @@ -27,7 +27,7 @@ This example demonstrates how to use the {{ecloud}} RESTful API to claim differe -## Claim a VCPE ID [ec-claim-a-traffic-filter-link-id] +## Claim a VCPE ID or Azure resource [ec-claim-a-traffic-filter-link-id] ### AWS PrivateLink [ec-claim-aws-privatelink] 
@@ -79,7 +79,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids/_claim ``` -## List claimed VCPE IDs [ec-list-claimed-traffic-filter-link-id] +## List claimed IDs [ec-list-claimed-traffic-filter-link-id] ```sh curl \ @@ -89,7 +89,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids \ ``` -## Unclaim a VCPE ID [ec-unclaim-a-traffic-filter-link-id] +## Claim a VCPE ID or Azure resource [ec-unclaim-a-traffic-filter-link-id] ### AWS PrivateLink [ec-unclaim-aws-privatelink] diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md index a064731952..418aff36e4 100644 --- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md +++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md 
@@ -16,23 +16,28 @@ navigation_title: Through the API # Manage network security through the API [ec-traffic-filtering-through-the-api] -This example demonstrates how to use the {{ecloud}} RESTful API or {{ece}} RESTful API or to manage different types of network security rules and policies. We cover the following examples: +This example demonstrates how to use the {{ecloud}} RESTful API, {{ece}} RESTful API, or {{serverless-full}} RESTful API or to manage different types of network security policies and rules. -* [Create a traffic filter rule set](ec-traffic-filtering-through-the-api.md#ec-create-a-traffic-filter-rule-set) +We cover the following examples: - * [IP traffic filter ingress rule set](ec-traffic-filtering-through-the-api.md#ec-ip-traffic-filters-ingress-rule-set) - * {{ech}} only: - * [IP traffic filter egress rule set](ec-traffic-filtering-through-the-api.md#ec-ip-traffic-filters-egress-rule-set) - * [AWS Privatelink traffic filters](ec-traffic-filtering-through-the-api.md#ec-aws-privatelink-traffic-filters-rule-set) - * [Azure Private Link traffic filters](ec-traffic-filtering-through-the-api.md#ec-azure-privatelink-traffic-filters-rule-set) - * [GCP Private Service Connect traffic filters](ec-traffic-filtering-through-the-api.md#ec-gcp-private-service-connect-traffic-filters-rule-set) +* [Create an IP filter policy or rule set](#ec-create-a-traffic-filter-rule-set) -* [Update a traffic filter rule set](ec-traffic-filtering-through-the-api.md#ec-update-a-traffic-filter-rule-set) -* [Associate a rule set with a deployment](ec-traffic-filtering-through-the-api.md#ec-associate-rule-set-with-a-deployment) -* [Delete a rule set association with a deployment](ec-traffic-filtering-through-the-api.md#ec-delete-rule-set-association-with-a-deployment) -* [Delete a traffic filter rule set](ec-traffic-filtering-through-the-api.md#ec-delete-a-rule-set) + * [Ingress](#ec-ip-traffic-filters-ingress-rule-set) + * [Egress](#ec-ip-traffic-filters-egress-rule-set) 
{applies_to}`ess: beta` + +* [Create a private connection policy](#private-connection) {applies_to}`ess:` + * [AWS Privatelink](#ec-aws-privatelink-traffic-filters-rule-set) + * [Azure Private Link](#ec-azure-privatelink-traffic-filters-rule-set) + * [GCP Private Service Connect](#ec-gcp-private-service-connect-traffic-filters-rule-set) -Refer to [](traffic-filtering.md) to learn about the general concepts behind filtering access to your {{ech}} and {{ece}} deployments. +* [Update a policy or rule set](#ec-update-a-traffic-filter-rule-set) +* [Associate a policy or rule set with a project or deployment](#ec-associate-rule-set-with-a-deployment) +* [Remove a policy or rule set from a project or deployment](#ec-delete-rule-set-association-with-a-deployment) +* [Delete a policy or rule set](#ec-delete-a-rule-set) + +Refer to [](traffic-filtering.md) to learn more about network security across all deployment types. + +## API reference To learn more about these endpoints, refer to the reference for your deployment type: 
@@ -40,35 +45,79 @@ To learn more about these endpoints, refer to the reference for your deployment * [{{ece}} API](https://www.elastic.co/docs/api/doc/cloud-enterprise/group/endpoint-deploymentstrafficfilter) -## Create a traffic filter rule set [ec-create-a-traffic-filter-rule-set] - - -### IP traffic filter ingress rule set [ec-ip-traffic-filters-ingress-rule-set] +## Terminology in the {{ecloud}} console and APIs ```{applies_to} deployment: ess: - ece: +serverless: ``` -Send a request like the following to create an IP traffic filter ingress rule set: +In {{ecloud}}, terminology related to network security has changed to more accurately reflect functionality. Terminology in the related APIs has not yet been updated. + +| {{ecloud}} concept | API terminology | +| --- | --- | +| Network security | Traffic filters | +| Network security policy | Traffic filter rule set | +| IP filter source | IP filter rule | +| Private connection | Private link traffic filter | +| VCPE filter | Private link filter source | + + +## Create an IP filter policy or rule set [ec-create-a-traffic-filter-rule-set] + + +### Ingress [ec-ip-traffic-filters-ingress-rule-set] + +Send a request like the following to create an IP filter ingress policy or rule set: ::::{tab-set} -:group: ech-ece +:group: ech-serverless-ece :::{tab-item} {{ech}} :sync: ech -```sh +```json curl \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ -d ' { - "name": "My IP filtering Ingress Rule Set", - "region": "azure-japaneast", + "name": "My ingress IP filter policy", + "region": "azure-japaneast", <1> "description": "", - "type": "ip", + "type": "ip", <2> + "rules": [ + { + "description": "Allow inbound traffic from IP address 192.168.131.0", + "source": "192.168.131.0" + }, + { + "description": "Allow inbound traffic within CIDR block 192.168.132.6/22", + "source": "192.168.132.6/22" + } + ], + 
"include_by_default": false +} +' +``` + +1. The region is always the same region as the deployment you want to associate with an IP filter policy. For details, check the [list of available regions](cloud://reference/cloud-hosted/ec-regions-templates-instances.md). +2. The type of policy. In the JSON object, we use `ip` for IP filter policies. Currently, we support `ip`, `egress_firewall`, `vpce` (AWS Private Link), `azure_private_endpoint` and `gcp_private_service_connect_endpoint`. These are described in further detail below. +::: +:::{tab-item} {{serverless-full}} +:sync: serverless +```json +curl \ +-H "Authorization: ApiKey $API_KEY" \ +-H 'content-type: application/json' \ +https://api.elastic-cloud.com/api/v1/serverless/traffic-filters \ +-d ' +{ + "name": "My ingress IP filter policy", + "region": "ap-southeast-1" <1> + "description": "", + "type": "ip", <2> "rules": [ { "description": "Allow inbound traffic from IP address 192.168.131.0", 
@@ -84,16 +133,14 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -`region` -: The region is always the same region as the deployment you want to associate with a traffic filter rule set. For details, check the [list of available regions](cloud://reference/cloud-hosted/ec-regions-templates-instances.md). +1. The region is always the same region as the project you want to associate with an IP filter policy. For details, check the [list of available regions](/deploy-manage/deploy/elastic-cloud/regions.md). -`type` -: The type of the rule set. In the JSON object, we use `ip` for the ingress IP traffic filter. Currently, we support `ip`, `egress_firewall`, `vpce` (AWS Private Link), `azure_private_endpoint` and `gcp_private_service_connect_endpoint`. These are described in further detail below. +2. The type of policy. In the JSON object, we use `ip` for IP filter policies. Currently, only `ip` is supported. ::: :::{tab-item} {{ece}} :sync: ece -```sh +```json curl \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ @@ -103,7 +150,7 @@ https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets \ "name": "My IP filtering Ingress Rule Set", "region": "ece-region", "description": "", - "type": "ip", + "type": "ip", <1> "rules": [ { "description": "Allow inbound traffic from IP address 192.168.131.0", 
@@ -121,24 +168,24 @@ https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets \ ::: :::: -If the request is successful, a response containing a $RULESET_ID is returned. $RULESET_ID is required to update or delete the rule set itself, or it can be used to associate the rule set to a deployment. +If the request is successful, a response containing an ID for the policy or rule set is returned. This ID is required to update or delete the policy or rule set itself, or it can be used to associate the policy or rule set to a deployment or project. It is referred to as `$POLICY_ID` or `$RULESET_ID` in the following examples. -```sh +```json { "id" : "5470a0010ebf437bb9294ea9fcba0ba0" } ``` -### IP traffic filter egress rule set [ec-ip-traffic-filters-egress-rule-set] +### Egress [ec-ip-traffic-filters-egress-rule-set] ```{applies_to} deployment: ess: beta ``` -Send a request like the following to create an IP traffic filter egress rule set: +Send a request like the following to create an IP filter ingress policy: -```sh +```json curl \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ @@ -155,7 +202,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ "egress_rule": { "target": "192.168.131.0", - "protocol": "all" + "protocol": "all" <1> } }, { 
@@ -172,32 +219,45 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -`protocol` -: This can be `udp`, `tcp`, or `all`. +1. This can be `udp`, `tcp`, or `all`. -### AWS Privatelink traffic filters [ec-aws-privatelink-traffic-filters-rule-set] +## Create a private connection policy [private-connection] ```{applies_to} deployment: ess: ``` -Send a request like the following to create an AWS PrivateLink traffic filter rule set: +:::{tip} +Private connection policies are optional for AWS PrivateLink and GCP Private Service Connect. After the VPC endpoint and DNS record are created, private connectivity is established. + +Creating a private connection policy and associating it with your deployments allows you to do the following: + +* Record that you've established private connectivity between the cloud service provider and Elastic in the applicable region. +* Filter traffic to your deployment using VCPE filters. -```sh +A private connection policy is required to establish a private connection with Azure Private Link. +::: + + +### AWS Privatelink [ec-aws-privatelink-traffic-filters-rule-set] + +Send a request like the following to create an AWS PrivateLink private connection policy: + +```json curl -XPOST \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ -d ' { - "name": "AWS Private Link Traffic Filter", + "name": "AWS Private Link private connection policy", "region": "ap-northeast-1", "description": "", "type": "vpce", "rules": [ { - "source": "vpce-00000000000" + "source": "vpce-00000000000" <1> } ], "include_by_default": false 
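Review bot: In the tip added in the hunk at `@@ -172,32 +219,45 @@`, "VCPE filters" is a typo for "VPCE" (VPC endpoint), and a VPC endpoint is AWS-specific while the tip also covers GCP Private Service Connect; phrase it as filtering on the private endpoint or connection ID, matching the `source` fields used in the AWS and GCP bodies below. The tip should also state the security consequence directly: establishing private connectivity does not by itself restrict traffic, and only the associated policy filters what can reach the deployment (the second bullet implies this, but "optional" in the first sentence will be read as "has no effect"). The heading `### AWS Privatelink` should be `### AWS PrivateLink`, as the sentence under it and the policy `name` already spell it.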
@@ -205,32 +265,28 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -To find the value for `source` for type `vpce`, check [Find your VPC endpoint ID](aws-privatelink-traffic-filters.md#ec-find-your-endpoint). This setting is supported only in AWS regions. +1. To learn how to find the value for `source` for type `vpce`, refer to [Find your VPC endpoint ID](aws-privatelink-traffic-filters.md#ec-find-your-endpoint). This setting is supported only in AWS regions. -### Azure Private Link traffic filters [ec-azure-privatelink-traffic-filters-rule-set] -```{applies_to} -deployment: - ess: -``` +### Azure Private Link [ec-azure-privatelink-traffic-filters-rule-set] -Send a request like the following to create an Azure Private Link traffic filter rule set: +Send a request like the following to create an Azure Private Link private connection policy: -```sh +```json curl -XPOST \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ -d ' { - "name": "Azure Private Link Traffic Filter", + "name": "Azure Private Link private connection policy", "region": "azure-japaneast", "description": "", "type": "azure_private_endpoint", "rules": [ { - "azure_endpoint_name": "azure-demo", - "azure_endpoint_guid": "7c0f05e4-e32b-4b10-a246-7b77f7dcc63c" + "azure_endpoint_name": "azure-demo", + "azure_endpoint_guid": "7c0f05e4-e32b-4b10-a246-7b77f7dcc63c" <1> } ], "include_by_default": false 
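Review bot: In the hunk at `@@ -205,32 +265,28 @@` (Azure), the `<1>` callout is attached only to `azure_endpoint_guid`, while the numbered note explains how to find both `azure_endpoint_name` and `azure_endpoint_guid`; either put a callout on each of the two lines (`<1>` and `<2>`, with two notes) or say in the note that it covers both fields. As with the other tabs, the curl block should keep the `sh` fence rather than `json`.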
@@ -238,31 +294,27 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -To find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, check [Find your private endpoint resource name](azure-private-link-traffic-filters.md#ec-find-your-resource-name) and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. +1. To learn how to find the value for `azure_endpoint_name` and `azure_endpoint_guid` for type `azure_private_endpoint`, refer to [Find your private endpoint resource name](azure-private-link-traffic-filters.md#ec-find-your-resource-name) and [Find your private endpoint resource ID](azure-private-link-traffic-filters.md#ec-find-your-resource-id). This setting is supported only in Azure regions. -### GCP Private Service Connect traffic filters [ec-gcp-private-service-connect-traffic-filters-rule-set] -```{applies_to} -deployment: - ess: -``` +### GCP Private Service Connect [ec-gcp-private-service-connect-traffic-filters-rule-set] -Send a request like the following to create a GCP Private Service Connect traffic filter rule set: +Send a request like the following to create a GCP Private Service Connect private connection policy: -```sh +```json curl -XPOST \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ -d ' { - "name": "GCP Private Service Connect Traffic Filter", + "name": "GCP Private Service Connect private connection policy", "region": "gcp-asia-northeast1", "description": "", "type": "gcp_private_service_connect_endpoint", "rules": [ { - "source": "18446744072646845332" + "source": "18446744072646845332" <1> } ], "include_by_default": false 
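Review bot: In the hunk at `@@ -238,31 +294,27 @@` (GCP), callout 1 keeps the old "To find the value for `source` ..., check ..." wording while the AWS and Azure callouts in this same patch were rewritten to "To learn how to find the value ..., refer to ..."; align the three so the private connection section reads consistently. Same fence-language point as above for the curl block.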
@@ -270,31 +322,26 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \ ' ``` -To find the value for `source` for type `gcp_private_service_connect_endpoint`, check [Find your Private Service Connect connection ID](gcp-private-service-connect-traffic-filters.md#ec-find-your-psc-connection-id). This setting is supported only in GCP regions. +1. To find the value for `source` for type `gcp_private_service_connect_endpoint`, check [Find your Private Service Connect connection ID](gcp-private-service-connect-traffic-filters.md#ec-find-your-psc-connection-id). This setting is supported only in GCP regions. -## Update a traffic filter rule set [ec-update-a-traffic-filter-rule-set] -```{applies_to} -deployment: - ess: - ece: -``` +## Update a policy or rule set [ec-update-a-traffic-filter-rule-set] -Send a request like the following to update an IP traffic filter ingress rule set: +Send a request like the following to update an IP filter ingress policy or rule set: ::::{tab-set} :group: ech-ece :::{tab-item} {{ech}} :sync: ech -```sh +```json curl -XPUT \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ -https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID \ +https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$POLICY_ID \ -d ' { - "name": "My IP filtering Ingress Rule Set", + "name": "My ingress IP filter policy", "region": "azure-japaneast", "description": "", "type": "ip", 
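Review bot: In the hunk at `@@ -270,31 +322,26 @@`, the `applies_to` block (`ess`, `ece`) under "## Update a policy or rule set" is deleted while a serverless tab is being added to this section in the next hunk; if the page-level `applies_to` does not already list serverless, the block should be extended rather than removed, otherwise the section is unlabeled for the new deployment type. The tab-set here also keeps `:group: ech-ece` (unchanged context line) although it will now contain a serverless tab, whereas the associate, remove and delete sections in this patch switch to `:group: ech-serverless-ece`; use the same group name everywhere so the selected tab stays in sync across sections.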
@@ -313,10 +360,31 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESE ' ``` ::: +:::{tab-item} {{serverless-full}} +:sync: serverless +```json +curl -X PATCH \ +-H "Authorization: ApiKey $API_KEY" \ +-H 'content-type: application/json' \ +https://api.elastic-cloud.com/api/v1/serverless/traffic-filters/$POLICY_ID \ +-d ' +{ + "description": "Updated description of the policy", + "rules": [ + { + "description": "Updated description of the source", + "source": "192.168.131.0" + }, + ], + "include_by_default": true +} +' +``` +::: :::{tab-item} {{ece}} :sync: ece -```sh +```json curl -XPUT \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ @@ -345,25 +413,20 @@ https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets/$RULE :::: -## Associate a rule set with a deployment [ec-associate-rule-set-with-a-deployment] -```{applies_to} -deployment: - ess: - ece: -``` +## Associate a policy or rule set with a project or deployment [ec-associate-rule-set-with-a-deployment] -Send a request like the following to associate a rule set with a deployment: +Send a request like the following to associate a policy or rule set with a project or deployment: -::::{tab-set} -:group: ech-ece +:::::{tab-set} +:group: ech-serverless-ece -:::{tab-item} {{ech}} +::::{tab-item} {{ech}} :sync: ech -```sh +```json curl -XPOST \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ -https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID/associations \ +https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$POLICY_ID/associations \ -d ' { "entity_type" : "deployment", 
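Review bot: In the hunk at `@@ -313,10 +360,31 @@` (serverless update), the request body has a trailing comma after the single rule object (`},` followed by `],`), which makes the payload invalid JSON and will be rejected by the API with a parse error; remove the comma. Minor: the serverless examples use `curl -X PATCH` while every other block uses the `-XPUT`/`-XPOST` form; pick one.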
@@ -371,11 +434,41 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESE } ' ``` +:::: + +::::{tab-item} {{serverless-full}} +:sync: serverless +To associate a network security policy to a project, you must update the project object. + +```json +curl -X PATCH \ +-H "Authorization: ApiKey $API_KEY" \ +-H 'content-type: application/json' \ +https://api.elastic-cloud.com/api/v1/admin/serverless/projects/elasticsearch \ <1> +-d ' +{ + "traffic_filters": [ + { + "id": "$POLICY_ID" + }, + { + "id": "$ANOTHER_POLICY_ID" + } + ] +} +' +``` +1. Pass the project type in the endpoint URL: either `elasticsearch`, `observability`, or `security`. + +:::{warning} +When adding, updating, or removing a policy association, you must provide a complete list of policies to be associated with the project in the `PATCH` request body. Any policies not included in this list will be removed from the project. ::: -:::{tab-item} {{ece}} +:::: + +::::{tab-item} {{ece}} :sync: ece -```sh +```json curl -XPOST \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ 
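Review bot: In the hunk at `@@ -371,11 +434,41 @@`, `"$POLICY_ID"` and `"$ANOTHER_POLICY_ID"` sit inside the single-quoted `-d '...'` body, so the shell will not expand them and the literal string `$POLICY_ID` is sent; the {{ech}} and ECE examples avoid this by keeping `$RULESET_ID` in the unquoted URL. Either break out of the quotes around the variables (`"id": "'"$POLICY_ID"'"`) or present them as placeholders the reader substitutes. The URL `.../admin/serverless/projects/elasticsearch` carries only the project type and no project identifier, whereas the deployment variant targets `$DEPLOYMENT_ID`; confirm the path and add the project ID, and check the `admin/` prefix, which the update and delete examples (`/api/v1/serverless/traffic-filters/$POLICY_ID`) do not use. The warning that the `PATCH` replaces the whole `traffic_filters` list is a good addition; since that makes every association change a full overwrite, suggest telling readers to read the project's current `traffic_filters` first and merge, rather than composing the list from memory.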
@@ -387,37 +480,57 @@ https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets/$RULE } ' ``` -::: :::: +::::: -## Delete a rule set association with a deployment [ec-delete-rule-set-association-with-a-deployment] -```{applies_to} -deployment: - ess: - ece: -``` +## Remove a policy or rule set from a project or deployment [ec-delete-rule-set-association-with-a-deployment] -Send a request like the following to delete a rule set association with a deployment: +Send a request like the following to remove a policy or rule set from a project or deployment: ::::{tab-set} -:group: ech-ece +:group: ech-serverless-ece :::{tab-item} {{ech}} :sync: ech -```sh +```json curl -XDELETE \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ -https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID/associations/deployment/$DEPLOYMENT_ID \ +https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$POLICY_ID/associations/deployment/$DEPLOYMENT_ID \ +``` +::: + +:::{tab-item} {{serverless-full}} +:sync: serverless + +To remove a network security policy from a project, you must update the project object. Pass a complete list of policies in the `PATCH` request body, excluding the policy that you want to remove from the list. + +```json +curl -X PATCH \ +-H "Authorization: ApiKey $API_KEY" \ +-H 'content-type: application/json' \ +https://api.elastic-cloud.com/api/v1/admin/serverless/projects/elasticsearch \ <1> +-d ' +{ + "traffic_filters": [ + { + "id": "$REMAINING_POLICY_ID" <2> + } + ] +} +' ``` +1. Pass the project type in the endpoint URL: either `elasticsearch`, `observability`, or `security`. +2. `$POLICY_ID`, the policy that you want to remove, is not included in the list. +::: ::: :::{tab-item} {{ece}} :sync: ece -```sh +```json curl -XDELETE \ -H "Authorization: ApiKey $API_KEY" \ -H 'content-type: application/json' \ 
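Review bot: In the hunk at `@@ -387,37 +480,57 @@`, the serverless tab-item is closed twice: the added `+:::` after callout 2 is followed by the unchanged `:::` that previously closed the {{ech}} tab, so a stray `:::` lands between the serverless and ECE tabs and will break the tab-set (compare the delete section at `@@ -427`, where each tab has exactly one close). Drop one of them. The same two issues as in the associate hunk apply here: `"$REMAINING_POLICY_ID"` is inside single quotes and will not expand, and the project URL has no project identifier. The {{ech}} `curl -XDELETE` line also still ends in a bare `\` with no continuation line; since this line is touched anyway, drop the backslash so a pasted command does not wait for more input.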
@@ -427,30 +540,35 @@ https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets/$RULE :::: -## Delete a traffic filter rule set [ec-delete-a-rule-set] -```{applies_to} -deployment: - ess: - ece: -``` +## Delete a policy or rule set [ec-delete-a-rule-set] -Send a request like the following to delete a traffic filter rule set: +Send a request like the following to delete a policy or rule set: ::::{tab-set} -:group: ech-ece +:group: ech-serverless-ece :::{tab-item} {{ech}} :sync: ech -```sh +```json +curl -XDELETE \ +-H "Authorization: ApiKey $API_KEY" \ +https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$POLICY_ID \ +``` +::: +:::{tab-item} {{serverless-full}} +:sync: serverless + +```json curl -XDELETE \ -H "Authorization: ApiKey $API_KEY" \ -https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID \ +https://api.elastic-cloud.com/api/v1/serverless/traffic-filters/$POLICY_ID \ ``` ::: :::{tab-item} {{ece}} :sync: ece -```sh + +```json curl -XDELETE \ -H "Authorization: ApiKey $API_KEY" \ https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID \ From dc614fade7d7098a5ecc6ca4f80a3d9208d67e75 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 19 Jun 2025 16:01:41 -0400 Subject: [PATCH 38/38] bad annotation --- deploy-manage/security/ec-traffic-filtering-through-the-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md index 418aff36e4..896ae0af10 100644 --- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md +++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md 
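Review bot: In the hunk at `@@ -427,30 +540,35 @@`, both the {{ech}} and serverless `DELETE` commands end with a trailing `\` and no following line (carried over from the old text), so a copy-pasted command hangs waiting for continuation; remove the backslash. These are shell commands, not JSON, so the fences should stay `sh`. Minor: the ECE tab gains a blank line between `:sync: ece` and the fence that the other tabs do not have.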
@@ -150,7 +150,7 @@ https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets \ "name": "My IP filtering Ingress Rule Set", "region": "ece-region", "description": "", - "type": "ip", <1> + "type": "ip", "rules": [ { "description": "Allow inbound traffic from IP address 192.168.131.0",
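Review bot: In the hunk at `@@ -150,7 +150,7 @@` (PATCH 38/38), removing the `<1>` is the right fix since the ECE tab has no callout list to resolve it, but it leaves that tab with no explanation of `region` or `type` at all while the {{ech}} tab explains both; a one-line note under the ECE block (region is always `ece-region`, type is `ip`) would keep the two tabs at parity.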