From 2c044a688a56ca14999af1a4c427c60b3cc36194 Mon Sep 17 00:00:00 2001 From: PlanetScale Actions Bot Date: Fri, 17 Nov 2023 15:36:30 +0000 Subject: [PATCH] docs: upstream https://github.com/planetscale/www/commit/c778d81324c90be4825e26a2737c1d99bb15579a --- docs/concepts/deployment-options.md | 4 +- .../managed/aws/back-up-and-restore.md | 14 ++ .../enterprise/managed/aws/getting-started.md | 198 ++++++++++++++++++ docs/enterprise/managed/aws/overview.md | 54 +++++ docs/enterprise/managed/aws/privatelink.md | 108 ++++++++++ .../managed/cloud-accounts-and-contents.md | 16 ++ docs/enterprise/managed/data-requests.md | 20 ++ .../managed/gcp/back-up-and-restore.md | 14 ++ .../enterprise/managed/gcp/getting-started.md | 145 +++++++++++++ docs/enterprise/managed/gcp/overview.md | 44 ++++ .../managed/gcp/private-service-connect.md | 115 ++++++++++ docs/enterprise/managed/overview.md | 42 ++++ docs/enterprise/managed/user-management.md | 38 ++++ 13 files changed, 810 insertions(+), 2 deletions(-) create mode 100644 docs/enterprise/managed/aws/back-up-and-restore.md create mode 100644 docs/enterprise/managed/aws/getting-started.md create mode 100644 docs/enterprise/managed/aws/overview.md create mode 100644 docs/enterprise/managed/aws/privatelink.md create mode 100644 docs/enterprise/managed/cloud-accounts-and-contents.md create mode 100644 docs/enterprise/managed/data-requests.md create mode 100644 docs/enterprise/managed/gcp/back-up-and-restore.md create mode 100644 docs/enterprise/managed/gcp/getting-started.md create mode 100644 docs/enterprise/managed/gcp/overview.md create mode 100644 docs/enterprise/managed/gcp/private-service-connect.md create mode 100644 docs/enterprise/managed/overview.md create mode 100644 docs/enterprise/managed/user-management.md diff --git a/docs/concepts/deployment-options.md b/docs/concepts/deployment-options.md index 1aeea196..21bfcbca 100644 --- a/docs/concepts/deployment-options.md +++ b/docs/concepts/deployment-options.md 
@@ -1,7 +1,7 @@ --- title: 'Deployment options' subtitle: 'Learn about the different deployment options PlanetScale offers' -date: '2022-06-09' +date: '2023-10-16' --- ## Overview @@ -39,7 +39,7 @@ If you're interested in learning more, please [reach out](/contact) and we can f - Your databases can be deployed to any cloud provider region you choose that offers three Availability Zones, even [regions](/docs/concepts/regions) that PlanetScale does not offer on our self-serve plans - You can continue to use the PlanetScale UI and CLI in the same way that you would our general self-serve offerings, but the infrastructure runs in an isolated environment - BAAs available for HIPAA compliance -- In the [Managed offering](/blog/introducing-planetscale-managed) where you own the account, it is possible to establish private database connectivity via: +- Support for private database connectivity via: - **AWS** — [AWS PrivateLink](https://aws.amazon.com/privatelink/) (recommended) or [VPC Peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) - **GCP** — [Private Service Connect](https://cloud.google.com/vpc/docs/private-access-options) diff --git a/docs/enterprise/managed/aws/back-up-and-restore.md b/docs/enterprise/managed/aws/back-up-and-restore.md new file mode 100644 index 00000000..ea042d95 --- /dev/null +++ b/docs/enterprise/managed/aws/back-up-and-restore.md 
@@ -0,0 +1,14 @@ +--- +title: 'Back up and restore' +subtitle: 'Learn about how backups work in AWS and PlanetScale Managed.' +label: 'Managed' +date: '2023-11-06' +--- + +PlanetScale Managed backup and restore functions like the hosted PlanetScale product. For more info, see [how to create, schedule, and restore backups for your PlanetScale databases](/docs/concepts/back-up-and-restore). + +To learn more about the backup and restore access levels, see the [database level permissions documentation](/docs/concepts/access-control#database-level-permissions). + +By default, databases are automatically backed up once per day to an S3 bucket in the customer's AWS sub-account. This default can be adjusted when working with PlanetScale Support. However, configuring and validating additional backup frequencies is the customer's responsibility. + +During the initial provisioning process, PlanetScale applies an S3 configuration to ensure that backups are encrypted at rest on Amazon S3. diff --git a/docs/enterprise/managed/aws/getting-started.md b/docs/enterprise/managed/aws/getting-started.md new file mode 100644 index 00000000..6cc56278 --- /dev/null +++ b/docs/enterprise/managed/aws/getting-started.md 
@@ -0,0 +1,198 @@ +--- +title: 'Set up PlanetScale Managed in AWS' +subtitle: 'Learn how to set up PlanetScale Managed within a AWS sub-account.' +label: 'Managed' +date: '2023-11-07' +--- + +## Overview + +The following guide will walk you through setting up a PlanetScale Managed cluster in your Amazon Web Services (AWS) organization. If you have any questions while working through this documentation, contact your PlanetScale Solutions Engineer for assistance. + +{% callout type="note" %} +This guide is only intended for PlanetScale Managed customers currently working with the PlanetScale team. You cannot set PlanetScale Managed up on your own without PlanetScale enabling it for your organization. If you are interested in [PlanetScale Managed](/docs/enterprise/managed/overview), please [contact us](/contact). +{% /callout %} + +## Step 1: Account requirements + +A new AWS sub-account must be set up following this documentation to successfully bootstrap a new PlanetScale Managed cluster. An existing AWS organization is required to proceed with this guide. + +### Dedicated sub-account + +PlanetScale Managed requires the use of a standalone sub-account in Amazon Web Services. This account should not have any existing resources running within it. + +The [creating a member account in your organization document](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html#orgs_manage_accounts_create-new) covers how to create a new sub-account in an existing AWS organization. The document also includes the required permissions to create a sub-account in your AWS organization. + +### Modification of accounts + +Once the sub-account is handed over to PlanetScale via granting IAM permissions, it should not be modified. Issues caused by modifications of the sub-account or its resources void the PlanetScale Managed SLA. Contact to discuss configuration changes or customization. 
+ +### Recommendations + +During the initial provisioning process, PlanetScale applies the following recommendations to the AWS sub-account but still recommends that a customer enable them once the sub-account has been created: + +- **Encryption by default:** PlanetScale enables EBS encryption by default using the AWS-managed keys in the relevant regions in the sub-account. If you want to change this behavior, please consult PlanetScale before the initial deployment process. + +- **AWS CloudTrail + AWS Config:** Enable AWS CloudTrail for management events and resource tracking using AWS Config. + +### PCI Compliance + +Customers of PlanetScale Managed should ensure the following additional configurations are applied and maintained to ensure that the customer environment remains PCI-compliant for the storage and protection of cardholder data: + +#### Local Authentication Parameters + +As PlanetScale does not have access to IAM logs for the customer application environment, to maintain compliance with PCI requirement 8.3.4, it is the customer’s responsibility to ensure that all invalid login attempts to the cardholder data environment hosted in AWS are logged. + +#### Log Level Configuration + +The PlanetScale-controlled AWS sub-account will be pre-configured by PlanetScale with [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) enabled and configured to emit logging events from the customer application. 
As PlanetScale does not retain access to these logs after the account is configured, to maintain compliance with PCI requirement 10.2.1.1 (audit logs capture all individual user access to cardholder data), it is the customer’s responsibility to ensure this logging remains enabled and to regularly review and verify the following events: + +- All administrative action +- Accessing cardholder data +- Accessing audit trails +- Invalid access attempts +- Successful access attempts +- Elevation of privileges +- Creation/deletion/changing an account with admin privileges +- Start/stop/pausing of audit logs + +As a best practice, it is recommended that these logs be captured and continuously analyzed by a Security Information & Event Management (SIEM) platform. + +## Step 2: Cross-account key management + +PlanetScale supports using Amazon Web Services Key Management Service with cross-account IAM permissions. This enables the isolation of keys so the infrastructure operated by PlanetScale has limited access to symmetric keys. AWS Elastic Block Storage and S3 are the services used with the key in question. 
+ +In the KMS key's account, apply the baseline key policy: + +```json +{ + "Sid": "Allow PlanetScale Managed to use this key", + "Effect": "Allow", + "Principal": { + "AWS": ["[PlanetScale Managed sub-account ID]"] + }, + "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"], + "Resource": "*" +} +``` + +Additional key policy is required to allow the sub-account to create persistent resources with the KMS key: + +```json +{ + "Sid": "Allow attachment of persistent resources for PlanetScale Managed", + "Effect": "Allow", + "Principal": { + "AWS": "[PlanetScale Managed sub-account ID]" + }, + "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], + "Resource": "*", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": "true" + } + } +} +``` + +Once these policies are attached to the key, provide PlanetScale with the full ARN of the KMS key. PlanetScale will attach relevant IAM policies to roles that require using the key. + +## Step 3: Bootstrap with CloudFormation + +We've created a CloudFormation template to complete the setup of required permissions in your AWS sub-account. 
+ +Save the following as `planetscale-bootstrap.json`: + +```json +{ + "Resources": { + "GrantTerraformRunnerAccess": { + "Type": "AWS::IAM::Role", + "DeletionPolicy": "Retain", + "Properties": { + "RoleName": "TerraformRunner", + "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"], + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::313573332105:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Ops_feec88bc3aad314d" + ] + }, + "Action": ["sts:AssumeRole"] + } + ] + } + } + }, + "GrantOpsAccess": { + "Type": "AWS::IAM::Role", + "DeletionPolicy": "Retain", + "Properties": { + "RoleName": "PlanetscaleOps", + "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"], + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::867309876077:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Ops_f1d00b216d43a785" + ] + }, + "Action": ["sts:AssumeRole"] + } + ] + } + } + } + } +} +``` + +Next, apply the CloudFormation template as a new stack: + +```shell +aws cloudformation create-stack --stack-name planetscale-bootstrap \ + --template-body file://planetscale-bootstrap.json \ + --capabilities CAPABILITY_NAMED_IAM +``` + +Let your Solutions Engineer know once the new stack reaches the `CREATED` state in AWS. 
+ +## Step 4: Requesting an initial quota increase + +By default, AWS may provision new sub-accounts with EC2 On-Demand quotas that may be too small for: + +- PlanetScale's initial provisioning process +- The databases you may want to provision on your PlanetScale Managed cluster + +Although the PlanetScale Support and Operations teams will have the ability to request quota increases on your behalf after you give us access to the AWS sub-account, we recommend that you review the following quotas and request increases as necessary, as requesting quota increases later will delay the process: + +- [Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances](https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-1216C47A) — Since PlanetScale Managed typically runs small instances by default, it is generally best to set this high enough to avoid any later issues. At least **300** is sufficient for most customers. +- [Storage for General Purpose SSD (gp3) volumes, in TiB](https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-7A658B76) — Note that we typically will keep 3 copies of all data (primary plus 2 replicas), so you have to consider that here. We will also create volumes at backup time, which could be a temporary 4th copy for quota purposes. **50** TiB should be sufficient for most customers. +- [Storage modifications for General Purpose SSD (gp3) volumes, in TiB](https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-59C8FC87) — Ensure this is large enough, if possible, to cover your largest database so that storage volume performance modifications can be made (if necessary), without replacing volumes. Again, **50** TiB or more should be sufficient in most cases. + +You can read more about how to request a quota increase in the [AWS requesting a quota increase documentation](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html). 
+ +{% callout type="note" %} +If you have AWS Enterprise Support, you can contact your account manager to expedite quota requests; otherwise, quota requests above your current limit can take at least one business day. There is also a limit on how often you can make quota requests. A quota request can only be made once every 6 hours. +{% /callout %} + +## Step 5: Initiating the provisioning process + +Once the CloudFormation stack has returned as `CREATED`, notify your Solutions Engineer, providing them the following information: + +- The name of the organization that you have created on `app.planetscale.com`. +- The AWS Account ID of the sub-account, which can be found by using one of the choices in the [AWS account ID and alias documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html). +- A confirmation of the region(s) that you have chosen for the deployment to reside in. The canonical list of regions can be found in the [AWS Regions and Zones documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). + +Once your Solutions Engineer receives this information, they will forward it to the team responsible for provisioning your deployment. Provisioning the deployment takes PlanetScale, on average, one business day. + +Once the deployment has been provisioned, your Solutions Engineer will contact you to confirm that your team can start creating databases. + +{% callout type="note" %} +Optionally, PlanetScale can connect you to your databases via [AWS PrivateLink](https://aws.amazon.com/privatelink/) with PlanetScale Managed. See the [AWS PrivateLink documentation](/docs/enterprise/managed/aws/privatelink) for more information on establishing a PrivateLink connection. +{% /callout %} diff --git a/docs/enterprise/managed/aws/overview.md b/docs/enterprise/managed/aws/overview.md new file mode 100644 index 00000000..09f85932 --- /dev/null 
+++ b/docs/enterprise/managed/aws/overview.md 
@@ -0,0 +1,54 @@ +--- +title: 'PlanetScale Managed on AWS overview' +subtitle: 'Learn more about deploying PlanetScale in your Amazon Web Services account with our PlanetScale Managed plan.' +label: 'Managed' +date: '2023-11-15' +--- + +## Overview + +With PlanetScale Managed on Amazon Web Services (AWS) is a single-tenant deployment of PlanetScale in your AWS organization within an isolated sub-account. In this configuration, you can use the same API, CLI, and web interface that PlanetScale offers, with the benefit of running entirely in an AWS sub-account that you own and PlanetScale manages for you. + +## Architecture + +As you can see in the architecture diagram below, the PlanetScale data plane is deployed inside of a PlanetScale-controlled sub-account in your AWS organization. Within the Vitess cluster orchestrated by Kubernetes, we use three AWS availability zones within a region to ensure high availability. + +You can deploy PlanetScale Managed to any AWS region with at least three availability zones, including those not supported by the PlanetScale self-serve product. + +Backups, part of the data plane, are stored in S3 inside the same sub-account. PlanetScale Managed uses isolated Amazon Elastic Compute Cloud (Amazon EC2) instances as part of the deployment. + +![Architecture diagram](/assets/docs/managed/aws/aws-arch-diagram.jpg) + +PlanetScale will not have access to any other sub-accounts or your organization level settings. Outside of your AWS organization, we run the PlanetScale control plane, which includes the PlanetScale API and web application, including the dashboard you see at `app.planetscale.com`. + +## Security and compliance + +PlanetScale Managed is an excellent option for organizations with specific security and compliance requirements. + +You own the AWS organization and sub-account that PlanetScale is deployed within in an isolated architecture. This differs from when your PlanetScale database is deployed within our AWS organizations. 
+ +### PCI compliance + +Along with System and Organization Controls (SOC) 2 Type 2 and other [security and compliance](/docs/concepts/security) practices that PlanetScale has been issued and follows, PlanetScale Managed on AWS has been issued an Attestation of Compliance (AoC) and Report on Compliance (RoC), certifying our compliance with the PCI DSS 4.0 as a [Level 1 Service Provider](https://www.pcisecuritystandards.org/glossary/service-provider/). This enables PlanetScale Managed to be used via a shared responsibility model across merchants, acquirers, issuers, and other roles in storing and processing cardholder data. + +{% callout type="note" %} +If you have any questions or concerns related to the security and compliance of PlanetScale Managed, please [contact us](/contact), and we will be happy to discuss them further. +{% /callout %} + +### AWS PrivateLink + +By default, all connections are encrypted, but public. Optionally, you also have the option to use private database connectivity through [AWS PrivateLink](/docs/enterprise/managed/aws/privatelink), which is only available on single-tenancy deployment options, including PlanetScale Managed. + +## Billing + +With any of the PlanetScale Enterprise offerings, including PlanetScale Managed, you have the option to purchase PlanetScale through the [AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-luy3krhkpjne4). In addition to this, the resources you use on PlanetScale will qualify against your EDP commitment. + +{% callout type="note" %} +If you have any billing-related questions for PlanetScale Managed, please [contact us](/contact), and we will be happy to discuss them further. +{% /callout %} + +## Getting started with PlanetScale Managed in AWS + +If you want to see what is involved in getting set up with PlanetScale Managed in AWS, you can see the [AWS set up documentation](/docs/enterprise/managed/aws/getting-started). 
+ +If you are interested in exploring PlanetScale Managed further, please [contact us](/contact), and we can chat more about your requirements and see if PlanetScale Managed is a good fit for you. diff --git a/docs/enterprise/managed/aws/privatelink.md b/docs/enterprise/managed/aws/privatelink.md new file mode 100644 index 00000000..c1a1f28d --- /dev/null +++ b/docs/enterprise/managed/aws/privatelink.md 
@@ -0,0 +1,108 @@ +--- +title: 'Set up AWS PrivateLink with PlanetScale Managed' +subtitle: 'Learn how to set up AWS PrivateLink to establish private database connectivity with PlanetScale Managed.' +label: 'Managed' +date: '2023-11-08' +--- + +## Overview + +PlanetScale Managed can connect you to your databases via [AWS PrivateLink](https://aws.amazon.com/privatelink/). The following guide describes how PlanetScale Managed with AWS PrivateLink works and how to set it up. + +{% callout type="note" %} +AWS PrivateLink is only available on single-tenancy PlanetScale deployment options, including PlanetScale Managed. If you are interested in [PlanetScale Managed](/docs/enterprise/managed/overview), please [contact us](/contact). +{% /callout %} + +## How PlanetScale Managed and AWS PrivateLink work + +AWS PrivateLink requires two components: + +- A [VPC endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service-overview.html) deployed in the sub-account that PlanetScale controls. +- A [VPC endpoint interface](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html), sometimes referred to as a "VPC endpoint" in AWS, deployed in the account that your applications operate in. + +Once both components are operating correctly, the EC2 instances in the VPC that the VPC endpoint has been assigned to will leverage [Private DNS](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#vpce-private-dns) to connect to your VPC endpoint instead of the publicly accessible endpoint. + +The connection strings that PlanetScale provides will operate successfully inside and outside your VPC, creating PrivateLink connections inside of your VPC and regular connections outside of your VPC. + +## Step 1: Initiating the setup process + +There is no fully automated way to establish a PrivateLink connection. 
If you would like to initiate the process, please get in touch with your Solutions Engineer and let them know the [AWS Account ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) that you intend to create the [VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html) in. + +Once they receive your AWS Account ID and forward it to the team responsible for provisioning your deployment, the team will provide the Solutions Engineer (and ultimately you) with the Service Name of the [VPC endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service-overview.html) that will be responsible for accepting your connection. + +{% callout type="note" %} +It is important to keep the service name in your records. It is the only piece of information you need to input when creating your VPC endpoint. +{% /callout %} + +## Step 2: Establishing a VPC endpoint connection + +{% callout type="warning" %} +Only proceed to the next steps once a PlanetScale Solutions Engineer has provided the service name and confirmed cross-account authentication has been configured. +{% /callout %} + +The following steps are an example of establishing a VPC endpoint connection in the AWS Console. In this example, the customer has requested that their deployment be in the `eu-west-1` region. + +When you go through the steps, make sure that you have selected the region that matches the region that your PlanetScale Managed cluster deployment has been provisioned into. + +1. Navigate to the Endpoints section on the Virtual Private Cloud page and select "**Create Endpoint**." + +![nav_to_splash](/assets/docs/managed/aws/privatelink/nav_to_splash.png) + +2. Select the "**Find service by name**" selector, input the provided Service Name, and select the "**Verify**" button. + +![verified](/assets/docs/managed/aws/privatelink/verified.png) + +3. 
Select the VPC in the drop-down where you wish to provision this VPC endpoint and the relevant subnets inside your VPC. + +![cyo_vpc](/assets/docs/managed/aws/privatelink/cyo_vpc.png) + +4. Select the "**Enable DNS Name**" checkbox. Take note of the value of your "**Private DNS Name**" field. That is how we will verify that the connection is operating successfully. + +![enable_dns_name](/assets/docs/managed/aws/privatelink/enable_dns_name.png) + +5. Select the relevant Security Groups you want your VPC endpoint to adhere to. + +![select_sgs](/assets/docs/managed/aws/privatelink/select_sgs.png) + +6. Add as many tags as your heart desires (up to 50) and select "**Create endpoint**." + +![click_it](/assets/docs/managed/aws/privatelink/click_it.png) + +7. The "Creating" spinner will spin momentarily and then deliver you the news of the endpoint creation. You should see a VPC endpoint in the `pending` state if it was successful. If the creation failed, record the reason and consult your Solutions Engineer. + +![pending.png](/assets/docs/managed/aws/privatelink/pending.png) + +8. After 2-10 minutes (make sure to refresh), your VPC endpoint will report an `available` state. + +![available.png](/assets/docs/managed/aws/privatelink/available.png) + +## Step 3: Verifying a VPC endpoint connection + +PlanetScale publishes a [wildcard DNS record](https://en.wikipedia.org/wiki/Wildcard_DNS_record) for your private region. AWS PrivateLink will override the DNS record in your VPC to point to your VPC endpoint instead of the publicly published record. + +To verify that the DNS override is working correctly, issue the following `dig` command using the value of your "Private DNS Name" instead of the value in the example: + +```shell +dig +short wildcard.frzzbztuqm3h-euwest1-1.psdb.cloud +172.31.16.197 +172.31.13.7 +``` + +If your `dig` command returns a set of static IP addresses, your VPC Endpoint connection is operating successfully. 
If it returns a `CNAME` to an ELB record (for example, something like `something.elb.region.amazoneaws.com`), your connection is not operating successfully, and you should consult your Solutions Engineer. + +Once you've verified that your connection is operating successfully, you will need to verify that you can reach a database you've provisioned: + +1. [Create a connection string](/docs/concepts/connection-strings#creating-a-password) for a PlanetScale database using the "**Connect**" button. Select "**MySQL CLI**" and copy the command. +2. Paste your MySQL CLI command into a command prompt of an EC2 instance running in your VPC with the `mysql-client` package installed: + +```shell +mysql -h -u -p --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/pki/tls/certs/ca-bundle.crt +Enter password: +... + +mysql> +``` + +Note: The correct path for the CA root configuration for the `--ssl-ca` flag depends on your operating system. See the [CA root configuration documentation](/docs/concepts/secure-connections#ca-root-configuration) for more the correct path. + +If you receive the `mysql>` prompt, your connection is operating successfully, and you have just confirmed that your connections to PlanetScale will be established through AWS PrivateLink. If you do not receive the `mysql>` prompt, please consult your Solutions Engineer. diff --git a/docs/enterprise/managed/cloud-accounts-and-contents.md b/docs/enterprise/managed/cloud-accounts-and-contents.md new file mode 100644 index 00000000..242c229e --- /dev/null +++ b/docs/enterprise/managed/cloud-accounts-and-contents.md 
@@ -0,0 +1,16 @@ +--- +title: 'Cloud accounts and contents' +subtitle: 'Learn more about cloud account access and content restrictions for PlanetScale Managed.' +label: 'Managed' +date: '2023-11-06' +--- + +## Cloud accounts + +PlanetScale is not responsible for the general configuration of services shared across the cloud organization in which the sub-account or project is provisioned. The customer is solely responsible for managing account access outside that granted to PlanetScale. + +## Content restrictions + +The data stored in PlanetScale Managed databases is contained entirely in the customer's AWS or GCP sub-account. + +Customers are responsible for all content that is stored in the databases they have created. diff --git a/docs/enterprise/managed/data-requests.md b/docs/enterprise/managed/data-requests.md new file mode 100644 index 00000000..4231aaf7 --- /dev/null +++ b/docs/enterprise/managed/data-requests.md @@ -0,0 +1,20 @@ +--- +title: 'Data requests' +subtitle: 'Learn more about data requests for PlanetScale Managed.' +label: 'Managed' +date: '2023-11-06' +--- + +## End-user data requests + +Some laws require you and your company to allow your end-users to control their personal data. PlanetScale allows you to access, export, or delete their personal data. + +Reach out to for additional support with accessing, exporting, or deleting personal data. + +## Data portability + +PlanetScale does not offer the migration of specific metadata between regions. PlanetScale does support migrating a database between regions for PlanetScale Managed. + +## Data deletion + +Users can request to have their personal data removed by contacting . diff --git a/docs/enterprise/managed/gcp/back-up-and-restore.md b/docs/enterprise/managed/gcp/back-up-and-restore.md new file mode 100644 index 00000000..6f2c21d6 --- /dev/null +++ b/docs/enterprise/managed/gcp/back-up-and-restore.md 
@@ -0,0 +1,14 @@ +--- +title: 'Back up and restore' +subtitle: 'Learn about how backups work in GCP and PlanetScale Managed.' +label: 'Managed' +date: '2023-11-06' +--- + +PlanetScale Managed backup and restore functions like the hosted PlanetScale product. For more info, see [how to create, schedule, and restore backups for your PlanetScale databases](/docs/concepts/back-up-and-restore). + +To learn more about the backup and restore access levels, see the [database level permissions documentation](/access-control#database-level-permissions). + +By default, databases are automatically backed up once per day to a Cloud Storage bucket in the customer's GCP project. This default can be adjusted when working with PlanetScale Support. However, configuring and validating additional backup frequencies is the customer's responsibility. + +During the initial provisioning process, PlanetScale applies a Cloud Storage configuration to ensure backups are encrypted at rest on GCP Cloud Storage. diff --git a/docs/enterprise/managed/gcp/getting-started.md b/docs/enterprise/managed/gcp/getting-started.md new file mode 100644 index 00000000..c20d129a --- /dev/null +++ b/docs/enterprise/managed/gcp/getting-started.md 
@@ -0,0 +1,145 @@ +--- +title: 'Set up PlanetScale Managed in GCP' +subtitle: 'Learn how to set up PlanetScale Managed within a GCP project.' +label: 'Managed' +date: '2023-11-07' +--- + +## Overview + +The following guide will walk you through setting up a PlanetScale Managed cluster in your Google Cloud Platform (GCP) organization. If you have any questions while working through this documentation, contact your PlanetScale Solutions Engineer for assistance. + +{% callout type="note" %} +This guide is only intended for PlanetScale Managed customers currently working with the PlanetScale team. You cannot set PlanetScale Managed up on your own without PlanetScale enabling it for your organization. If you are interested in [PlanetScale Managed](/docs/enterprise/managed/overview), please [contact us](/contact). +{% /callout %} + +## Step 1: Account requirements + +A new GCP project must be set up following this documentation to successfully bootstrap a new PlanetScale Managed cluster. To proceed with this guide, an existing GCP organization and an active Cloud Billing account are required. + +Further information on creating GCP organizations can be found in the [creating and managing organization resources documentation](https://cloud.google.com/resource-manager/docs/creating-managing-organization). + +## Dedicated GCP project + +PlanetScale Managed requires the use of a standalone project in GCP. This project should not have any existing resources running within it, as PlanetScale will request a set of permissions as defined in step 2. + +## Modification of accounts + +Once the GCP project is handed over to PlanetScale via granting IAM permissions, it should not be modified. Issues caused by modifications of the GCP project or its resources void the PlanetScale Managed SLA. Contact to discuss configuration changes or customization. 
+ +## Step 2: Bootstrap GCP project + +Before setting up the IAM roles, you must create a new GCP project, assign it to a GCP Billing Account, and enable the Compute Engine API. + +### Create a new GCP project + +A new GCP project can be created via the command line if the [gcloud](https://cloud.google.com/sdk/docs/install) SDK is installed and configured: + +```shell +gcloud projects create +``` + +Projects can also be created through the [GCP console](https://console.cloud.google.com/projectcreate). + +Further information on creating GCP projects is available in the [Google Cloud Resource Manager documentation](https://cloud.google.com/resource-manager/docs/creating-managing-projects). + +### Assign the new project to a GCP Billing Account + +Next, assign the new project to a GCP Billing Account inside your organization. The account to use will depend on your organization and its policies. + +{% callout type="note" %} +If the user who created the project has the Billing Administrator role, the project may already have billing enabled. Please review the settings to ensure it is attached to the intended Billing Account. +{% /callout %} + +Further information on assigning projects to Billing Accounts is available [here](https://cloud.google.com/billing/docs/how-to/modify-project). + +### Enable Compute Engine API + +The Compute Engine API must be enabled on the new project. This can be done via the command line: + +```shell +gcloud services enable compute.googleapis.com --project "" +``` + +Further information on enabling an API is available [here](https://cloud.google.com/apis/docs/getting-started#enabling_apis). 
+ +### Assign IAM Roles + +For PlanetScale to provision resources in the project, the following IAM roles must be granted to the following service accounts: + +- `terraform-planner@planetscale-operations.iam.gserviceaccount.com` service account: + + - `roles/viewer` - Viewer + +- `terraform-runner@planetscale-operations.iam.gserviceaccount.com` service account: + - `roles/cloudkms.admin` - Cloud KMS Admin + - `roles/compute.admin` - Compute Admin + - `roles/container.admin` - Kubernetes Engine Admin + - `roles/container.clusterAdmin` - Kubernetes Engine Cluster Admin + - `roles/iam.roleAdmin` - IAM Role Admin + - `roles/iam.securityAdmin` - Security Admin + - `roles/iam.serviceAccountAdmin` - Service Account Admin + - `roles/iam.serviceAccountKeyAdmin` - Service Account Key Admin + - `roles/logging.admin` - Logging Admin + - `roles/serviceusage.serviceUsageAdmin` - Service Usage Admin + - `roles/storage.admin` - Storage Admin + - `roles/viewer` - Viewer + +These can be assigned using the `gcloud` command line tool: + +```shell +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-planner@planetscale-operations.iam.gserviceaccount.com --role roles/viewer +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/cloudkms.admin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/compute.admin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/container.admin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/container.clusterAdmin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/iam.roleAdmin 
+gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/iam.securityAdmin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/iam.serviceAccountAdmin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/iam.serviceAccountKeyAdmin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/logging.admin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/serviceusage.serviceUsageAdmin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/storage.admin +gcloud projects add-iam-policy-binding "" --member serviceAccount:terraform-runner@planetscale-operations.iam.gserviceaccount.com --role roles/viewer +``` + +Alternatively, they can be assigned through the GCP console under the project's "**IAM & Admin > IAM**" section of the [GCP console](<(https://console.cloud.google.com/iam-admin/iam)>). + +Further information on assigning IAM roles to projects is available in the [GCP IAM documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access). + +## Step 3: Requesting an initial quota increase + +By default, GCP provides most new projects with quotas that are too small for PlanetScale's initial provisioning process. + +Submit increase requests for the following quotas. This must be done for all regions in which PlanetScale will provision resources. Depending on your organization, the default quotas may already be at or above these levels: + +1. `compute.googleapis.com/ssd_total_storage`: 10000 GB +2. 
`compute.googleapis.com/disks_total_storage`: 10000 GB +3. `compute.googleapis.com/n2_cpus`: 256 +4. `compute.googleapis.com/n2d_cpus`: 256 +5. `compute.googleapis.com/cpus_all_regions`: 256 +6. `compute.googleapis.com/instances`: 100 + +You can submit GCP quota increase requests via the project's "**IAM & Admin > Quotas**" section of the [GCP console](<(https://console.cloud.google.com/iam-admin/quotas)>). Copy and paste the quota metrics from above into the table to search for them in the quota interface. + +While PlanetScale does not immediately consume all requested resources, we recommend these values to ensure enough resources are available for auto-scaling, growth, and upgrades. + +PlanetScale will request the quota increase if the customer does not but recommends that the customer initiate the request due to an unknown turnaround time for quota requests. + +Further information on requesting and managing GCP quotas can be found in the [Google Cloud Allocation quotas documentation](https://cloud.google.com/compute/quotas). + +## Step 4: Initiating the provisioning process + +Once the GCP project has been created, the IAM roles have been applied, and the quota increases have been granted, notify your Solutions Engineer, providing them the following information: + +- The name of the organization that you have created on `app.planetscale.com`. +- The GCP project name +- A confirmation of the region(s) that you have chosen for the deployment to reside in. The canonical list of regions can be found in the [Google Cloud Regions and Zones documentation](https://cloud.google.com/compute/docs/regions-zones). + +Once your Solutions Engineer receives this information, they will forward it to the team responsible for provisioning your deployment. Provisioning the deployment takes PlanetScale, on average, one business day. + +Once the deployment has been provisioned, your Solutions Engineer will contact you to confirm that your team can start creating databases. 
+ +{% callout type="note" %} +Optionally, PlanetScale can connect you to your databases via [GCP Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect) with PlanetScale Managed. See the [GCP Private Service Connect documentation](/docs/enterprise/managed/gcp/private-service-connect) for more information on establishing a Private Service Connect connection. +{% /callout %} diff --git a/docs/enterprise/managed/gcp/overview.md b/docs/enterprise/managed/gcp/overview.md new file mode 100644 index 00000000..d0ee403e --- /dev/null +++ b/docs/enterprise/managed/gcp/overview.md 
@@ -0,0 +1,44 @@ +--- +title: 'PlanetScale Managed on GCP overview' +subtitle: 'Learn more about deploying PlanetScale in your Google Cloud Platform account with our PlanetScale Managed plan.' +label: 'Managed' +date: '2023-11-15' +--- + +## Overview + +With PlanetScale Managed on Google Cloud Platform (GCP) is a single-tenant deployment of PlanetScale in your GCP organization within an isolated project. In this configuration, you can use the same API, CLI, and web interface that PlanetScale offers, with the benefit of running entirely in a GCP project that you own and PlanetScale manages for you. + +## Architecture + +As you can see in the architecture diagram below, the PlanetScale data plane is deployed inside of a PlanetScale-controlled project in your GCP organization. Within the Vitess cluster orchestrated by Kubernetes, we use three GCP zones within a region to ensure high availability. + +You can deploy PlanetScale Managed to any GCP region with at least three zones, including zones not supported by the PlanetScale self-serve product, and support for the required GCP services (including but not limited to Google Compute Engine (GCE), Google Kubernetes Engine (GKE), Cloud Storage, Persistent Disk, Cloud Key Management Service (Cloud KMS), Cloud Logging). + +Backups, part of the data plane, are stored in Cloud Storage inside the same project. PlanetScale Managed uses isolated GCE instances as part of the deployment. + +![Architecture diagram](/assets/docs/managed/gcp/gcp-arch-diagram.jpg) + +PlanetScale will not have access to any other projects or your organization level settings. Outside of your GCP organization, we run the PlanetScale control plane, which includes the PlanetScale API and web application, including the dashboard you see at `app.planetscale.com`. + +## Security and compliance + +PlanetScale Managed is an excellent option for organizations with specific security and compliance requirements. 
+ +You own the GCP organization and project that PlanetScale is deployed within in an isolated architecture. This differs from when your PlanetScale database is deployed within our GCP organizations. + +Along with System and Organization Controls (SOC) 2 Type 2 and PlanetScale [security and compliance](/docs/concepts/security) practices that PlanetScale has been issued and follows, we can also sign BAAs for [HIPAA compliance](/blog/planetscale-and-hipaa) on PlanetScale Managed. + +### GCP Private Service Connect + +By default, all connections are encrypted, but public. Optionally, you also have the option to use private database connectivity through [GCP Private Service Connect](/docs/enterprise/managed/gcp/private-service-connect), which is only available on single-tenancy deployment options, including PlanetScale Managed. + +{% callout type="note" %} +If you have any questions or concerns related to the security and compliance of PlanetScale Managed, please [contact us](/contact), and we will be happy to discuss them further. +{% /callout %} + +## Getting started with PlanetScale Managed in GCP + +If you want to see what is involved in getting set up with PlanetScale Managed in GCP, you can see the [GCP set up documentation](/docs/enterprise/managed/gcp/getting-started). + +If you are interested in exploring PlanetScale Managed further, please [contact us](/contact), and we can chat more about your requirements and see if PlanetScale Managed is a good fit for you. diff --git a/docs/enterprise/managed/gcp/private-service-connect.md b/docs/enterprise/managed/gcp/private-service-connect.md new file mode 100644 index 00000000..c97e6fec --- /dev/null +++ b/docs/enterprise/managed/gcp/private-service-connect.md 
@@ -0,0 +1,115 @@ +--- +title: 'Set up GCP Private Service Connect with PlanetScale Managed' +subtitle: 'Learn how to set up GCP Private Service Connect to establish private database connectivity with PlanetScale Managed.' +label: 'Managed' +date: '2023-11-08' +--- + +## Overview + +PlanetScale Managed can connect you to your databases via [GCP Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect). The following guide describes how PlanetScale Managed with GCP Private Service Connect works and how to set it up. + +{% callout type="note" %} +GCP Private Service Connect is only available on single-tenancy PlanetScale deployment options, including PlanetScale Managed. If you are interested in [PlanetScale Managed](/docs/enterprise/managed/overview), please [contact us](/contact). +{% /callout %} + +## How PlanetScale Managed and GCP Private Service Connect work + +Private Service Connect (PSC) lets a service producer offer services to a service consumer without the consumer being a member of the service producer's organization. + +The service producer is the Google Cloud project controlled by PlanetScale, and the service consumer is the project(s) where your applications operate. Your applications connect to a private IP you allocate in your project, which is routed to your PlanetScale databases in the project that PlanetScale controls. + +GCP PSC requires multiple components: + +- A Private Service Connect [Service Attachment](https://cloud.google.com/vpc/docs/private-service-connect#service-attachments) deployed in the project that PlanetScale controls. +- A Private Service Connect [Endpoint](https://cloud.google.com/vpc/docs/private-service-connect#endpoints) deployed in the project(s) that your applications operate in. + +Once all components are operating correctly, the applications in the project with the endpoint configured will connect to the service attachment using private IP addresses instead of the publicly accessible endpoint. 
+ +### Limitations + +Cross-region connectivity is not supported by Google Cloud for Private Service Connect. For example, if your PlanetScale databases are located in `us-central1` and your applications are located in `us-east4`, then you cannot connect to them using Private Service Connect. + +## Step 1: Initiating the setup process + +If you would like to initiate the process, please contact your Solutions Engineer and let them know the Google Cloud project ID(s) in which you intend to create Private Service Connect endpoints. If you need to add additional projects to the allowlist, please get in touch with your Solutions Engineer. + +{% callout type="warning" %} +Google Cloud project IDs cannot be changed after initial setup. Please be sure to choose an ID that you will continue to use. +{% /callout %} + +Once they receive your project IDs and forward them to the team responsible for provisioning your deployment, the team will provide them (and ultimately you) with the Private Service Connect Service Attachment URI, which will be in the form `projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME`. + +{% callout type="warning" %} +If you use VPC Service Controls in your VPC, you must ensure that the policy allows access to the PlanetScale-controlled project. +{% /callout %} + +Your Solutions Engineer will provide you the following information when the setup is complete: + +- `PS_Region` +- `PSC_Link_URI` + +## Step 2: Establishing Private Service Connect + +{% callout type="warning" %} +Only proceed to the next steps once a PlanetScale Solutions Engineer has provided the `PS_Region` and `PSC_Link_URI`. +{% /callout %} + +Refer to Google Cloud's [Access managed services using Private Service Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-services) for more information on consuming services via Private Service Connect. 
This document covers additional details not covered here, including the IAM roles required to perform the configuration process. + +### Using the GCP console + +The following steps are an example of establishing a Private Service Connect endpoint in the [GCP Console](https://console.cloud.google.com/). + +1. Obtain the Private Service Connect Attachment URI from your Solutions Engineer. It will be in the format: `projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME`. + +2. Create a Private Service Connect Endpoint using the Attachment URI. In the GCP console, go to ["Private Service Connect"](<(https://console.cloud.google.com/net-services/psc)>) page, select the "**Connected endpoints**" tab, and select the "**Connect endpoint**" button. + +3. Add a Private Service Connect Endpoint with the following details: + +- **Target**: Published Service. This is the `PSC_Link_URI` provided by your Solutions Engineer. +- **Target Service**: Paste the Private Service Connect Attachment URI from step 1. +- **Name**: Enter a name for this endpoint. Use the `PS_Region` value provided by your Solutions Engineer. +- **Network and subnet**: Select the network to create the endpoint in. +- **Create and IP Address**: Create a reserved IP address. This is the address your applications will connect to to access your PlanetScale databases. PlanetScale recommends using the `PS_Region` name for the name of the reserved IP address. + +Then, add the endpoint. + +![connect_endpoint_details](/assets/docs/managed/gcp/private-service-connect/connect_endpoint_details.png) + +{% callout type="note" %} +You must provide the list of projects to your Solutions Engineer. Your endpoint will only function once they have PlanetScale added to the allowlist. +{% /callout %} + +4. The endpoint creation process will take a minute or two. When finished, select the endpoint and verify the status is **Accepted**. 
+ +Repeat steps 2-4 for **each project** you wish to connect to the Private Service Connect Attachment. + +![Showing endpoint status as "Accepted"](/assets/docs/managed/gcp/private-service-connect/endpoint_status.png) + +## Step 3: Private Cloud DNS + +Next, you will set up a private Cloud DNS zone. This step may be optional. This step aims to make it possible to use the same PlanetScale connection strings and host names inside and outside of the project. When these host names are resolved inside the project, they will resolve to the IP address of the Private Service Connect Endpoint. When resolved anywhere else, they will resolve to the public IP address. + +When connecting to the PlanetScale Private Service Connect Endpoint directly via IP address or an alternate host name, you may need to disable TLS verification due to host name mismatch. + +1. Create a private Cloud DNS zone. In the GCP console, go to the ["Create a DNS zone"](https://console.cloud.google.com/net-services/dns/zones/new/create) page. + +- **Zone type**: `Private` +- **Zone name**: `connect-psdb-cloud` +- **DNS Name**: `connect.psdb.cloud` +- **Options**: `Default (private)` +- **Network**: Select all VPCs where this DNS zone should be available. + +![cloud_dns_zone_details](/assets/docs/managed/gcp/private-service-connect/cloud_dns_zone_details.png) + +2. Create DNS records. For each PlanetScale Private Service connect endpoint, create a DNS record with the following details by opening the zone's details page in the GCP Console. + +![add_record_set](/assets/docs/managed/gcp/private-service-connect/add_record_set.png) + +- **DNS name**: Use the **PS_Region** value provided by your Solutions Engineer. +- **IP Address**: The reserved IP address assigned to the Private Service Connect Endpoint created in the first section of this document. You can also find this on the Private Service Connect page in the GCP Console. 
+ +![record_set_details](/assets/docs/managed/gcp/private-service-connect/record_set_details.png) + +Repeat steps 1-2 for **each project** you wish to connect to set up Private Cloud DNS for. diff --git a/docs/enterprise/managed/overview.md b/docs/enterprise/managed/overview.md new file mode 100644 index 00000000..512b563c --- /dev/null +++ b/docs/enterprise/managed/overview.md 
@@ -0,0 +1,42 @@ +--- +title: 'PlanetScale Managed overview' +subtitle: 'Deploy PlanetScale in your Amazon Web Services or Google Cloud Platform account with our PlanetScale Managed plan.' +label: 'Managed' +date: '2023-11-08' +--- + +## What is PlanetScale Managed? + +PlanetScale Managed is a single-tenant deployment of PlanetScale within your Amazon Web Services (AWS) or Google Cloud Platform (GCP) account. In this configuration, you can use the same API, CLI, and web interface that PlanetScale offers, with the benefit of running entirely in your own AWS or GCP account. + +We have packaged the best parts of PlanetScale into a container and can deploy and operate them in your own account, bringing you the best of SaaS with the added benefit of a deployment free of noisy neighbors, enhanced support, and additional security guarantees. + +With PlanetScale Managed, it is more than just an on-premises deployment of your database; you are getting the PlanetScale expert team operating your database alongside your team for a _truly_ fully managed database solution. The PlanetScale team is on-call for your databases. + +## How does PlanetScale Managed work? + +PlanetScale Managed is a packaged [data plane](https://en.wikipedia.org/wiki/Data_plane), built on [Vitess and Kubernetes](/blog/scaling-hundreds-of-thousands-of-database-clusters-on-kubernetes), that's deployed to an AWS sub-account or GCP project that you own and we operate. Your database lives entirely inside your cloud organization. PlanetScale will not have access to any other sub-accounts or projects or your organization level settings. At the same time, you still get to interact with your databases through the web application, pscale CLI, or the PlanetScale API, as you usually would with our hosted product. This includes developer experience features such as non-blocking schema changes, safe migrations, database branching, query insights, and more. 
+ +If you are an existing PlanetScale user, moving to PlanetScale Managed requires no changes to your existing developer workflows. + +The database is deployed in a single-tenant environment and isolated in a sub-account in AWS or project in GCP from the rest of your organization's infrastructure. By default, all connections are encrypted, but public. You have the option to use private database connectivity through [AWS PrivateLink](/docs/enterprise/managed/aws/privatelink) or [GCP Private Service Connect](/docs/enterprise/managed/gcp/private-service-connect), which are only available on single-tenancy deployment options, including PlanetScale Managed. + +Read more on how PlanetScale Managed works inside either cloud provider: + +- [PlanetScale Managed on Amazon Web Services](/docs/enterprise/managed/aws/overview) +- [PlanetScale Managed on Google Cloud Platform](/docs/enterprise/managed/gcp/overview) + +## Benefits of PlanetScale Managed + +Single-tenancy is one of many benefits when it comes to PlanetScale Managed. Still, with this PlanetScale Enterprise service, you also get: + +- [Database sharding](/docs/concepts/sharding) available +- Option to sign BAAs for [HIPAA compliance](/blog/planetscale-and-hipaa) +- Deployment to additional regions +- [PCI compliance](/blog/planetscale-managed-is-now-pci-compliant) (AWS only) +- Additional [support options](/docs/support/support-overview#enterprise) +- Available on [AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-luy3krhkpjne4) (AWS only). Your PlanetScale purchase through the AWS Marketplace and the resources you use on PlanetScale will qualify against your EDP commitment. + +## How do I get PlanetScale Managed? + +If you are interested in seeing if PlanetScale Managed fits your needs, [contact us](/contact), and we can chat more about your requirements and see if PlanetScale Managed is a good fit for you. 
diff --git a/docs/enterprise/managed/user-management.md b/docs/enterprise/managed/user-management.md new file mode 100644 index 00000000..01674a60 --- /dev/null +++ b/docs/enterprise/managed/user-management.md @@ -0,0 +1,38 @@ +--- +title: 'User management' +subtitle: 'Learn how to set up users and access levels in PlanetScale Managed.' +label: 'Managed' +date: '2023-11-06' +--- + +## Initial onboarding + +### Administrative onboarding + +The customer's initial administrative user creates an organization on PlanetScale. Administrative accounts have the `Organization Administrator` role assigned. + +### User onboarding + +Users can be onboarded either manually or using single sign-on. Manual onboarding is handled by the Administrator once they are initially granted access. Users managed via SSO are onboarded once the SSO provider is connected and configured. + +### Single sign-on + +PlanetScale Managed requires single sign-on (SSO) for the API and web interface, enabling organizations to manage access through their existing directory services. + +You can read more about single sign-on and how to set it up in the [PlanetScale single sign-on documentation](/docs/concepts/sso). + +## Access levels + +PlanetScale currently supports three different roles inside of organizations: + +- `Organization Administrator` +- `Organization Member` +- `Database Administrator` + +See the [PlanetScale access control documentation](/docs/concepts/access-control) for a further breakdown of each role's permissions. + +## Separation of accounts + +PlanetScale Managed provides integration with numerous single sign-on providers. Users can have entirely separate personal and corporate accounts with PlanetScale when their organization uses SSO. + +It is up to the customer to ensure that they maintain their SSO setup and do not invite or allow employees to use any other authentication method to access PlanetScale.
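Review bot: in docs/enterprise/managed/gcp/back-up-and-restore.md the permissions link `/access-control#database-level-permissions` is missing the docs prefix that every other internal link in this patch uses (user-management.md links `/docs/concepts/access-control`); it should read `/docs/concepts/access-control#database-level-permissions` or the link will 404. The closing paragraph states that PlanetScale applies a Cloud Storage configuration so backups are encrypted at rest but does not say which key type is used (Google-managed or a customer-managed Cloud KMS key); since `roles/cloudkms.admin` is among the roles requested in getting-started.md, saying which applies and who can rotate or revoke the key would let a customer's security review evaluate the control rather than assume it.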
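Review bot: the shell fences in docs/enterprise/managed/gcp/getting-started.md have lost their project placeholder, so the commands fail as written: `gcloud projects create` has no project ID, and every `--project ""` and `add-iam-policy-binding ""` passes an empty string. The original was probably `<PROJECT_ID>` swallowed by the markdown renderer; use a bare `PROJECT_ID` token inside the fences and state once above them that it must be replaced. The two console links are malformed, `[GCP console](<(https://console.cloud.google.com/iam-admin/iam)>)` and the same pattern for `/iam-admin/quotas`, which yields a URL wrapped in parentheses; drop the `<(` `)>` wrapper. "Contact to discuss configuration changes or customization." is missing its object (your Solutions Engineer). "Dedicated GCP project" and "Modification of accounts" are `##` headings sitting between Step 1 and Step 2 although they are requirements of Step 1; make them `###`. In "Assign IAM Roles", `roles/iam.securityAdmin`, `roles/iam.roleAdmin` and `roles/iam.serviceAccountKeyAdmin` give an external service account project-wide control over IAM and key material; the page should say plainly that this is why the project must be dedicated and empty, and that customers can verify the resulting bindings match exactly this list with `gcloud projects get-iam-policy PROJECT_ID` before handing the project over.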
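Review bot: the opening sentence of docs/enterprise/managed/gcp/overview.md is ungrammatical: "With PlanetScale Managed on Google Cloud Platform (GCP) is a single-tenant deployment" should drop "With". In the Architecture section, "including zones not supported by the PlanetScale self-serve product" should say "regions", since the preceding clause is about regions with at least three zones. In "Security and compliance", "practices that PlanetScale has been issued and follows" reads oddly because a practice is not issued; separate the SOC 2 Type 2 report (issued) from the security practices (followed). "Optionally, you also have the option to use" is redundant, and "GCP set up documentation" should be "setup".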
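Review bot: in docs/enterprise/managed/gcp/private-service-connect.md, item 3 of "Using the GCP console" attaches the URI to the wrong field: "**Target**: Published Service. This is the `PSC_Link_URI` provided by your Solutions Engineer." describes a radio choice, and the URI belongs with "**Target Service**"; it should also say that `PSC_Link_URI` and the "Attachment URI from step 1" are the same value, because a reader currently sees two names for one input. Same list: "Create and IP Address" should be "Create an IP address", and "connect to to access" has a doubled "to". The callout "once they have PlanetScale added to the allowlist" inverts the actors; it should read "once PlanetScale has added them to the allowlist". In Step 3, "you may need to disable TLS verification due to host name mismatch" is stated without a warning that this removes server authentication on the database connection; since the private `connect.psdb.cloud` zone exists precisely so the certificate name matches and verification can stay on, describe Step 3 as the recommended configuration rather than "This step may be optional", and advise connecting via the hostname with verification enabled. The link `[...](<(https://console.cloud.google.com/net-services/psc)>)` has the same broken `<(` `)>` wrapper as in getting-started.md.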
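Review bot: in docs/enterprise/managed/overview.md the AWS Marketplace bullet says purchases "will qualify against your EDP commitment" without expanding EDP; spell out Enterprise Discount Program on first use, as readers outside AWS procurement will not know it. In "Benefits of PlanetScale Managed", "Still, with this PlanetScale Enterprise service, you also get:" uses "Still" where "In addition" is meant; the sentence currently reads as a concession.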
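Review bot: docs/enterprise/managed/user-management.md contradicts itself on how authentication is controlled: "Single sign-on" says PlanetScale Managed requires SSO for the API and web interface, while "User onboarding" says users can be onboarded manually and "Separation of accounts" makes the customer responsible for not allowing "any other authentication method". State whether manual invitation is only for bootstrapping the first Organization Administrator before the SSO provider is connected, and whether SSO is enforced by the platform afterward or only by customer policy. If it is policy, the "Separation of accounts" section should also tell administrators to periodically review the organization's member list for accounts that did not arrive through SSO, since that is the control the text is relying on.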