Alex-ai-del
diff --git a/‎modules/beta-private-cluster-update-variant/README.md‎
Lines changed: 3 additions & 1 deletion b/‎modules/beta-private-cluster-update-variant/README.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎modules/beta-private-cluster/README.md‎
Lines changed: 3 additions & 1 deletion b/‎modules/beta-private-cluster/README.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎modules/private-cluster-update-variant/README.md‎
Lines changed: 3 additions & 1 deletion b/‎modules/private-cluster-update-variant/README.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎modules/private-cluster/README.md‎
Lines changed: 3 additions & 1 deletion b/‎modules/private-cluster/README.md‎
Lines changed: 3 additions & 1 deletion
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku
 If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed.
 If you are using these features with a private cluster, you will need to either:
 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`.
-2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`.
+2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect.
+3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted.
+4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster.
 
 
 ## Compatibility
 
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku
 If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed.
 If you are using these features with a private cluster, you will need to either:
 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`.
-2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`.
+2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect.
+3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted.
+4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster.
 
 
 ## Compatibility
 
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku
 If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed.
 If you are using these features with a private cluster, you will need to either:
 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`.
-2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`.
+2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect.
+3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted.
+4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster.
 
 
 ## Compatibility
 
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku
 If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed.
 If you are using these features with a private cluster, you will need to either:
 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`.
-2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`.
+2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect.
+3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted.
+4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster.
 
 
 ## Compatibility