redis · cmilesb · May 15, 2025 · May 15, 2025 · May 16, 2025
diff --git a/content/operate/rc/databases/create-database/create-pro-database-new.md b/content/operate/rc/databases/create-database/create-pro-database-new.md
@@ -123,6 +123,7 @@ The following settings are defined in the **Advanced options** of the **Setup**
 | **Multi-AZ** | Determines if replication spans multiple Availability Zones, which provides automatic failover when problems occur. See [High Availability]({{< relref "/operate/rc/databases/configuration/high-availability" >}}). |
 | **Allowed Availability Zones** | The availability zones for your selected region.<br/><br/>If you choose **Manual selection**, you must select at least one zone ID from the **Zone IDs** list.  For more information, see [Availability zones]({{< relref "/operate/rc/databases/configuration/high-availability#availability-zones" >}}). |
 | **Cloud account** | To deploy these databases to an existing cloud account, select it here.  Use the **Add** button to add a new cloud account.<br/><br/>(Available only if [Redis Cloud Bring your own Cloud]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud" >}}) is enabled) |
+| **Public endpoint access** | Select whether or not to [block public endpoints]({{< relref "/operate/rc/security/database-security/block-public-endpoints" >}}) for all databases in the subscription.  |
 | **VPC configuration** | Select **In a new VPC** to deploy to a new [virtual private cloud](https://en.wikipedia.org/wiki/Virtual_private_cloud) (VPC).<br/><br/>To deploy these databases to an existing virtual private cloud, select **In existing VPC** and then set VPC ID to the appropriate ID value.<br/><br/>(Available only if [Redis Cloud Bring your own Cloud]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud" >}}) is enabled) |
 | **Deployment CIDR** | The [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) range of IP addresses for your deployment. Redis creates a new [subnet](https://en.wikipedia.org/wiki/Subnetwork) for the **Deployment CIDR** in your [virtual private cloud](https://en.wikipedia.org/wiki/Virtual_private_cloud) (VPC). It cannot overlap with the CIDR ranges of other subnets used by your account.<br/><br/>For deployments in an existing VPC, the **Deployment CIDR** must be within your VPC's **primary** CIDR range (secondary CIDRs are not supported). |
 | **Auto Tiering**| Determines if your databases are stored only in memory (RAM) or are split between memory and Flash storage (RAM+Flash).  See [Auto Tiering]({{< relref "/operate/rs/databases/auto-tiering/" >}})|

diff --git a/content/operate/rc/security/database-security/block-public-endpoints.md b/content/operate/rc/security/database-security/block-public-endpoints.md
@@ -0,0 +1,53 @@
+---
+Title: Block public endpoints
+alwaysopen: false
+categories:
+- docs
+- operate
+- rc
+description: Learn how to block the public endpoints of your databases.
+weight: 40
+---
+
+By default, you can connect to Redis Cloud databases through the database's public endpoint, or through the database's private endpoint with a private connectivity method. 
+
+Public endpoints are accessible from the public internet and don't require a private connectivity method. While this makes Redis Cloud databases convenient to use, it also exposes the databases to potential unauthorized access or brute force attacks, even with a database password in place. Some organizations may want to block public access to their databases to comply with security policies or to better meet stringent compliance standards.
+
+Users with Redis Cloud Pro databases can choose to block public endpoints for all databases in their subscription.
+
+## Block public endpoints
+
+You can block public endpoints for a [new subscription](#new-subscription) or an [existing subscription](#existing-subscription).
+
+### New subscription
+
+To block the public endpoints when you [create a new Pro subscription]({{< relref "/operate/rc/databases/create-database/create-pro-database-new" >}}):
+
+1. Follow the instructions to [create a Pro database with custom settings]({{< relref "/operate/rc/databases/create-database/create-pro-database-new#custom-settings" >}}). 
+1. On the **Setup** tab, go to **Advanced options > Security** to select persistent storage encryption options. 
+1. Select **Block public endpoint** to block the public endpoint for all databases on the subscription. 
+1. Select **Continue** to go to the [Sizing tab]({{< relref "/operate/rc/databases/create-database/create-pro-database-new#sizing-tab" >}}). Follow the instructions to provision your database(s).
+
+After you block the public endpoints for a new subscription, you will need to set up a [private connectivity method](#private-connectivity-methods) to connect to your databases. 
+
+### Existing subscription
+
+For existing subscriptions, we recommend setting up a [private connectivity method](#private-connectivity-methods) to connect to your databases before blocking the private endpoint and migrating all connections to the private endpoint. 
+
+To block the public endpoints of an existing Pro subscription:
+
+1. From the [Redis Cloud console](https://cloud.redis.io/), select the **Subscriptions** menu and then select your subscription from the list. 
+1. Open the **Security** tab to view security settings.
+1. In the **Endpoint** section, select **Edit**.
+1. Select **Block public endpoint**.
+1. Select **Save** to save your changes.
+1. A window will appear asking you to confirm that blocking the public endpoint will reject clients connecting to the public endpoint. Select **I understand** and then **Block** to confirm.
+
+After your changes are saved, any incoming connections to the public endpoint of your database will be rejected.
+
+## Private connectivity methods
+
+Redis Cloud supports the following private connectivity options:
+- [VPC peering]({{< relref "/operate/rc/security/vpc-peering" >}})
+- [Google Cloud Private Service Connect]({{< relref "/operate/rc/security/private-service-connect" >}}) _(Google Cloud only)_
+- [AWS Transit Gateway]({{< relref "/operate/rc/security/aws-transit-gateway" >}}) _(AWS only)_
diff --git a/content/operate/rc/subscriptions/view-pro-subscription.md b/content/operate/rc/subscriptions/view-pro-subscription.md
@@ -41,6 +41,8 @@ In addition, three tabs are available:
 
 3.  The **Connectivity** tab lets you limit access to the subscription by defining a VPC peering or other connectivity options.
 
+4.  The **Security** tab lets you set security settings for the databases in your subscription.
+
 The following sections provide more info.
 
 ## **Databases** tab
@@ -122,3 +124,9 @@ Here, you can:
 - Set up [Private Service Connect]({{< relref "/operate/rc/security/private-service-connect" >}}) (*Google Cloud only*) or [Transit Gateway]({{< relref "/operate/rc/security/aws-transit-gateway" >}}) (*AWS only*).
 
 See the individual links to learn more.
+
+## **Security** tab
+
+The **Security** tab lets you set security settings for the databases in your subscription.
+
+Here, you can [block public endpoints]({{< relref "/operate/rc/security/database-security/block-public-endpoints" >}}) for all databases in the subscription.