16 changes: 16 additions & 0 deletions cloud-accounts/advanced-cluster-settings.mdx
Expand Up @@ -45,6 +45,22 @@ When **ALB** is selected, the following additional settings become available. Se
| **WAFv2 enabled** | Attaches a Regional WAFv2 web ACL to the ALB. |
| **WAFv2 ARN** | ARN of the Regional WAFv2 web ACL to attach. Only Regional WAFv2 is supported. |

### Private load balancer

In addition to the default public cluster load balancer, you can provision a **private load balancer** that only accepts traffic from inside your VPC (or networks peered to it). Use this when you want to expose services to internal clients — for example, an internal admin tool, a service consumed only by other VPCs, or a workload that must not be reachable from the public internet.

| Setting | Description |
|---------|-------------|
| **Add private load balancer** | Provisions a private NLB alongside the existing public cluster load balancer. Only NLB private load balancers are supported. |

Once enabled, you must configure DNS provider credentials so Porter can issue and renew TLS certificates for ingress hostnames attached to the private load balancer over ACME DNS-01. HTTP-01 challenges cannot reach a private load balancer, so DNS-01 is required.

| Setting | Description |
|---------|-------------|
| **DNS credentials** | API token for your DNS provider. Cloudflare is currently the only supported provider. The token must have permission to create and delete `TXT` records on the zones used by your private ingress hostnames. |

Save the credentials before applying the cluster contract. You can rotate the token later with **Edit credentials**, or remove the integration entirely with **Remove** — note that removing credentials stops certificate issuance and renewal for private load balancer ingress.

## Observability

### CloudWatch control plane logs
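
Review bot: The **DNS credentials** row describes the required permission as creating and deleting `TXT` records, but it does not tell the reader to restrict the token to only the zones used by private ingress hostnames, and it does not name which Cloudflare token permission to select. Whoever holds this token can answer DNS-01 challenges for those zones and so obtain certificates for them, so the row should say outright that the token must be scoped to those zones and nothing broader, and give the exact permission name as it appears in Cloudflare. Two smaller points in the paragraphs around it: "Once enabled, you must configure DNS provider credentials" and "Save the credentials before applying the cluster contract" read as conflicting orders, so please state the sequence once; and the **Remove** note says issuance and renewal stop but not what happens to certificates already issued, which is what an operator needs to know before clicking it.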