add more detail around cross-zone load balancing and NLB security groups for PL setups (#6179)

## What are you changing in this pull request and why?

There are a couple of finer details around certain PrivateLink setups
that haven't been included in the setup docs that have caused customers
to get tripped up. This PR will add:

1. A note about enabling cross-zone load balancing for their NLB or target group (done through a snippet since it's the same on all 3 pages and could apply to either NLB or Target Group).
2. A section to the NLB setup about Security Groups (added inline in the
SG section since it only applies to NLB).

Additionally, I added some NLB info that was on the VCS page, but not
Redshift or Postgres. These details are applicable to any of them.

Feel free to suggest a different format for any of these changes.

## Checklist
- [X] I have reviewed the [Content style guide](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/content-style-guide.md) so my content adheres to these guidelines.

---------

Co-authored-by: Matt Shaver <[email protected]>
dhaworth and matthewshaver authored Oct 1, 2024
1 parent 3cb8a70 commit 74f48b6
Showing 4 changed files with 26 additions and 0 deletions.
8 changes: 8 additions & 0 deletions website/docs/docs/cloud/secure/postgres-privatelink.md
@@ -6,6 +6,7 @@ sidebar_label: "PrivateLink for Postgres"
---
import SetUpPages from '/snippets/_available-tiers-privatelink.md';
import PrivateLinkTroubleshooting from '/snippets/_privatelink-troubleshooting.md';
import PrivateLinkCrossZone from '/snippets/_privatelink-cross-zone-load-balancing.md';

<SetUpPages features={'/snippets/_available-tiers-privatelink.md'}/>

@@ -41,9 +42,16 @@ Creating an Interface VPC PrivateLink connection requires creating multiple AWS
- Target Group protocol: **TCP**

- **Network Load Balancer (NLB)** &mdash; Requires creating a Listener that attaches to the newly created Target Group for port `5432`
- **Scheme:** Internal
- **IP address type:** IPv4
- **Network mapping:** Choose the VPC that the VPC Endpoint Service and NLB are being deployed in, and choose subnets from at least two Availability Zones.
- **Security Groups:** The Network Load Balancer (NLB) associated with the VPC endpoint service must either not have an associated security group, or the security group must have a rule that allows requests from the appropriate dbt Cloud **private CIDR(s)**. Note that _this is different_ than the static public IPs listed on the dbt Cloud [Access, Regions, & IP addresses](https://docs.getdbt.com/docs/cloud/about-cloud/access-regions-ip-addresses) page. dbt Support can provide the correct private CIDR(s) upon request. If necessary, until you can refine the rule to the smaller CIDR provided by dbt, allow connectivity by temporarily adding an allow rule of `10.0.0.0/8`.
- **Listeners:** Create one listener per target group that maps the appropriate incoming port to the corresponding target group ([details](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html)).
- **VPC Endpoint Service** &mdash; Attach to the newly created NLB.
- Acceptance required (optional) &mdash; Requires you to [accept our connection request](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests) after dbt creates the endpoint.

<PrivateLinkCrossZone features={'/snippets/_privatelink-cross-zone-load-balancing.md'}/>

### 2. Grant dbt AWS account access to the VPC Endpoint Service

On the provisioned VPC endpoint service, click the **Allow principals** tab. Click **Allow principals** to grant access. Enter the ARN of the root user in the appropriate production AWS account and save your changes.
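Review bot: the fallback `10.0.0.0/8` allow rule in the new **Security Groups** bullet is very broad and the bullet gives it neither a port nor a lifetime: it admits the entire 10/8 range, which frequently overlaps the customer's own internal address space, not just the dbt Cloud private CIDR(s). Suggest telling the reader to restrict the temporary rule to the listener port (TCP `5432` on this page), and to state plainly that it is a placeholder to be replaced, not kept alongside, once dbt Support supplies the private CIDR(s), rather than the softer "until you can refine the rule". Separately, "Acceptance required (optional)" here disagrees with vcs-privatelink.md in this same commit, which labels the identical setting "Acceptance required (recommended)"; acceptance is the customer's gate on incoming connection requests, so aligning the Postgres and Redshift pages on "recommended" would be the safer and more consistent wording.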
8 changes: 8 additions & 0 deletions website/docs/docs/cloud/secure/redshift-privatelink.md
@@ -7,6 +7,7 @@ sidebar_label: "PrivateLink for Redshift"

import SetUpPages from '/snippets/_available-tiers-privatelink.md';
import PrivateLinkTroubleshooting from '/snippets/_privatelink-troubleshooting.md';
import PrivateLinkCrossZone from '/snippets/_privatelink-cross-zone-load-balancing.md';

<SetUpPages features={'/snippets/_available-tiers-privatelink.md'}/>

@@ -79,9 +80,16 @@ Creating an Interface VPC PrivateLink connection requires creating multiple AWS
- Target Group protocol: **TCP**

- **Network Load Balancer (NLB)** &mdash; Requires creating a Listener that attaches to the newly created Target Group for port `5439`
- **Scheme:** Internal
- **IP address type:** IPv4
- **Network mapping:** Choose the VPC that the VPC Endpoint Service and NLB are being deployed in, and choose subnets from at least two Availability Zones.
- **Security Groups:** The Network Load Balancer (NLB) associated with the VPC endpoint service must either not have an associated security group, or the security group must have a rule that allows requests from the appropriate dbt Cloud **private CIDR(s)**. Note that _this is different_ than the static public IPs listed on the dbt Cloud [Access, Regions, & IP addresses](https://docs.getdbt.com/docs/cloud/about-cloud/access-regions-ip-addresses) page. dbt Support can provide the correct private CIDR(s) upon request. If necessary, until you can refine the rule to the smaller CIDR provided by dbt, allow connectivity by temporarily adding an allow rule of `10.0.0.0/8`.
- **Listeners:** Create one listener per target group that maps the appropriate incoming port to the corresponding target group ([details](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html)).
- **VPC Endpoint Service** &mdash; Attach to the newly created NLB.
- Acceptance required (optional) &mdash; Requires you to [accept our connection request](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests) after dbt creates the endpoint.

<PrivateLinkCrossZone features={'/snippets/_privatelink-cross-zone-load-balancing.md'}/>

### 2. Grant dbt AWS Account access to the VPC Endpoint Service

On the provisioned VPC endpoint service, click the **Allow principals** tab. Click **Allow principals** to grant access. Enter the ARN of the root user in the appropriate production AWS account and save your changes.
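Review bot: the temporary `10.0.0.0/8` allow rule in the **Security Groups** bullet should be scoped to the listener port (TCP `5439` on this page), and the text should say outright that the rule is to be removed once it has been narrowed to the dbt-provided private CIDR(s); as written it permits all traffic from the whole 10/8 range, which often includes the customer's own networks, and nothing tells the reader to take it back out. A style point: this bullet writes "security group", "target group" and "listener" in lowercase while the equivalent bullet on vcs-privatelink.md capitalizes them ("Security Group", "Target Group", "Listener"); pick one form for all three pages.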
4 changes: 4 additions & 0 deletions website/docs/docs/cloud/secure/vcs-privatelink.md
@@ -7,6 +7,7 @@ sidebar_label: "PrivateLink for VCS"

import SetUpPages from '/snippets/_available-tiers-privatelink.md';
import PrivateLinkTroubleshooting from '/snippets/_privatelink-troubleshooting.md';
import PrivateLinkCrossZone from '/snippets/_privatelink-cross-zone-load-balancing.md';

<SetUpPages features={'/snippets/_available-tiers-privatelink.md'}/>

@@ -44,12 +45,15 @@ Creating an Interface VPC PrivateLink connection requires creating multiple AWS
- **Scheme:** Internal
- **IP address type:** IPv4
- **Network mapping:** Choose the VPC that the VPC Endpoint Service and NLB are being deployed in, and choose subnets from at least two Availability Zones.
- **Security Groups:** The Network Load Balancer (NLB) associated with the VPC Endpoint Service must either not have an associated Security Group, or the Security Group must have a rule that allows requests from the appropriate dbt Cloud **private CIDR(s)**. Note that **this is different** than the static public IPs listed on the dbt Cloud [Access, Regions, & IP addresses](https://docs.getdbt.com/docs/cloud/about-cloud/access-regions-ip-addresses) page. The correct private CIDR(s) can be provided by dbt Support upon request. If necessary, temporarily adding an allow rule of `10.0.0.0/8` should allow connectivity until the rule can be refined to the smaller dbt provided CIDR.
- **Listeners:** Create one Listener per Target Group that maps the appropriate incoming port to the corresponding Target Group ([details](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html)).
- **Endpoint Service** - The VPC Endpoint Service is what allows for the VPC to VPC connection, routing incoming requests to the configured load balancer.
- **Load balancer type:** Network.
- **Load balancer:** Attach the NLB created in the previous step.
- **Acceptance required (recommended)**: When enabled, requires a new connection request to the VPC Endpoint Service to be accepted by the customer before connectivity is allowed ([details](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests)).

<PrivateLinkCrossZone features={'/snippets/_privatelink-cross-zone-load-balancing.md'}/>

### 2. Grant dbt AWS account access to the VPC Endpoint Service

Once these resources have been provisioned, access needs to be granted for the dbt Labs AWS account to create a VPC Endpoint in our VPC. On the provisioned VPC endpoint service, click the **Allow principals** tab. Click **Allow principals** to grant access. Enter the ARN of the following IAM role in the appropriate production AWS account and save your changes ([details](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permissions)).
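Review bot: the `PrivateLinkCrossZone` note is inserted after the **Endpoint Service** sub-bullets, but it concerns the NLB and Target Group configured earlier in the list, so a reader working top to bottom meets it only after the load balancer has already been created. Consider placing it directly under the NLB block (after the **Listeners** bullet), or having the note itself say that it applies to the NLB and Target Group created in the preceding steps. The same position is used on the Postgres and Redshift pages, so whichever placement is chosen should be applied to all three.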
6 changes: 6 additions & 0 deletions website/snippets/_privatelink-cross-zone-load-balancing.md
@@ -0,0 +1,6 @@

:::note Cross-Zone Load Balancing
We highly recommend cross-zone load balancing for your NLB or Target Group; some connections may require it. Cross-zone load balancing may also [improve routing distribution and connection resiliency](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#cross-zone-load-balancing). Note that cross-zone connectivity may incur additional data transfer charges, though this should be minimal for requests from dbt Cloud.

- [Enabling cross-zone load balancing for a load balancer or target group](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/edit-target-group-attributes.html#target-group-cross-zone)
:::

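Review bot: "some connections may require it" gives the reader no way to tell whether theirs is one of them; either state the condition or drop the clause. One concrete reason is already on the pages that import this snippet: the NLB's **Network mapping** bullet requires subnets in at least two Availability Zones, and the AWS page the snippet links to explains that with cross-zone load balancing disabled each load balancer node distributes only to targets registered in its own zone, so a connection arriving in a zone with no healthy target has nowhere to go. Spelling that out would make the recommendation self-justifying. The statement that extra data transfer charges "should be minimal for requests from dbt Cloud" is an unsupported estimate; either qualify it or link the pricing page and leave the judgement to the reader. Minor: the file opens with an empty line before `:::note`.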