From 705116e015bd06456989f4ffc9148553d1f69449 Mon Sep 17 00:00:00 2001 From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 18:55:39 +0000 Subject: [PATCH 1/2] docs: document private load balancer and DNS credentials --- cloud-accounts/advanced-cluster-settings.mdx | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/cloud-accounts/advanced-cluster-settings.mdx b/cloud-accounts/advanced-cluster-settings.mdx index cabcb5f..dc2d32b 100644 --- a/cloud-accounts/advanced-cluster-settings.mdx +++ b/cloud-accounts/advanced-cluster-settings.mdx 
@@ -45,6 +45,22 @@ When **ALB** is selected, the following additional settings become available. Se | **WAFv2 enabled** | Attaches a Regional WAFv2 web ACL to the ALB. | | **WAFv2 ARN** | ARN of the Regional WAFv2 web ACL to attach. Only Regional WAFv2 is supported. | +### Private load balancer + +In addition to the default public cluster load balancer, you can provision a **private load balancer** that only accepts traffic from inside your VPC (or networks peered to it). Use this when you want to expose services to internal clients — for example, an internal admin tool, a service consumed only by other VPCs, or a workload that must not be reachable from the public internet. + +| Setting | Description | +|---------|-------------| +| **Add private load balancer** | Provisions a private NLB alongside the existing public cluster load balancer. Only NLB private load balancers are supported. | + +Once enabled, you must configure DNS provider credentials so Porter can issue and renew TLS certificates for ingress hostnames attached to the private load balancer over ACME DNS-01. HTTP-01 challenges cannot reach a private load balancer, so DNS-01 is required. + +| Setting | Description | +|---------|-------------| +| **DNS credentials** | API token for your DNS provider. Cloudflare is currently the only supported provider. The token must have permission to create and delete `TXT` records on the zones used by your private ingress hostnames. | + +Save the credentials before applying the cluster contract. You can rotate the token later with **Edit credentials**, or remove the integration entirely with **Remove** — note that removing credentials stops certificate issuance and renewal for private load balancer ingress. + ## Observability ### CloudWatch control plane logs From 8fd429c66cc6b76b4f543f058e0511c2ffe79ba4 Mon Sep 17 00:00:00 2001 
From: Mauricio Araujo Date: Mon, 15 Jun 2026 14:38:13 -0400 Subject: [PATCH 2/2] dont mention cluster contract --- cloud-accounts/advanced-cluster-settings.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud-accounts/advanced-cluster-settings.mdx b/cloud-accounts/advanced-cluster-settings.mdx index dc2d32b..dd6a7b8 100644 --- a/cloud-accounts/advanced-cluster-settings.mdx +++ b/cloud-accounts/advanced-cluster-settings.mdx @@ -47,7 +47,7 @@ When **ALB** is selected, the following additional settings become available. Se ### Private load balancer -In addition to the default public cluster load balancer, you can provision a **private load balancer** that only accepts traffic from inside your VPC (or networks peered to it). Use this when you want to expose services to internal clients — for example, an internal admin tool, a service consumed only by other VPCs, or a workload that must not be reachable from the public internet. +In addition to the default public cluster load balancer, you can provision an **internal load balancer** that only accepts traffic from inside your VPC (or networks peered to it). Use this when you want to expose services to internal clients — for example, an internal admin tool, a service consumed only by other VPCs, or a workload that must not be reachable from the public internet. | Setting | Description | |---------|-------------| 
@@ -59,7 +59,7 @@ Once enabled, you must configure DNS provider credentials so Porter can issue an |---------|-------------| | **DNS credentials** | API token for your DNS provider. Cloudflare is currently the only supported provider. The token must have permission to create and delete `TXT` records on the zones used by your private ingress hostnames. | -Save the credentials before applying the cluster contract. You can rotate the token later with **Edit credentials**, or remove the integration entirely with **Remove** — note that removing credentials stops certificate issuance and renewal for private load balancer ingress. +Save the credentials before updating the cluster. You can rotate the token later with **Edit credentials**, or remove the integration entirely with **Remove**. Note that removing credentials stops certificate issuance and renewal for private load balancer ingress. ## Observability
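
Review bot: In the **DNS credentials** row added by the `@@ -45,6 +45,22 @@` hunk of PATCH 1/2, the token requirement is given only as a minimum ("must have permission to create and delete `TXT` records on the zones used by your private ingress hostnames"), and nothing tells the reader to stop there. The token is saved in Porter and can change DNS on every zone it covers, so the row should also say to scope it to only those zones and to grant no other permissions. It would help to name the exact Cloudflare permission to select, so that readers do not fall back to a broad account-wide token.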
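
Review bot: The `@@ -47,7 +47,7 @@` hunk of PATCH 2/2 renames the feature to **internal load balancer** in the intro paragraph only, while the context line `### Private load balancer` directly above it and the rewritten sentence in the next hunk ("private load balancer ingress") keep the old term. Pick one term for the heading, the setting name and the body, or introduce the second term once as a synonym. The subject line "dont mention cluster contract" also does not cover this rename, so either mention it in the commit message or move it to its own commit.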
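
Review bot: In the `@@ -59,7 +59,7 @@` hunk of PATCH 2/2, the rewritten sentence about **Edit credentials** and **Remove** covers only the Porter side of the token lifecycle. After a rotation or removal the old token stays valid at the DNS provider until it is revoked there, so suggest adding a step to revoke the previous token in Cloudflare. The "stops certificate issuance and renewal" warning should also say what happens to certificates that were already issued, so readers know how long they have before private ingress hostnames start failing TLS.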