From 0be43895494bf1b038b272764ce6b4a3eb80ca89 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Tue, 28 May 2024 15:43:45 -0700 Subject: [PATCH] [DOC-9808] Azure Private Link preview --- src/current/_data/cloud_releases.csv | 1 + .../_includes/releases/cloud/2024-05-30.md | 5 +++ .../cockroachdb-dedicated-on-azure.md | 6 +-- .../cockroachcloud/connect-to-your-cluster.md | 37 ++++++++++++++++--- .../cockroachcloud/network-authorization.md | 5 ++- .../v24.1/cockroachdb-feature-availability.md | 8 ++++ 6 files changed, 50 insertions(+), 12 deletions(-) create mode 100644 src/current/_includes/releases/cloud/2024-05-30.md diff --git a/src/current/_data/cloud_releases.csv b/src/current/_data/cloud_releases.csv index 2e5067965b4..17cad0df94b 100644 --- a/src/current/_data/cloud_releases.csv +++ b/src/current/_data/cloud_releases.csv @@ -86,3 +86,4 @@ date,sha 2024-04-18,null 2024-05-12,null 2024-05-20,null +2024-05-30,null diff --git a/src/current/_includes/releases/cloud/2024-05-30.md b/src/current/_includes/releases/cloud/2024-05-30.md new file mode 100644 index 00000000000..47cc2b16290 --- /dev/null +++ b/src/current/_includes/releases/cloud/2024-05-30.md @@ -0,0 +1,5 @@ +# May 30, 2024 + +

Security updates

+ +- [Configuring private connectivity using Azure Private Link]({% link cockroachcloud/connect-to-your-cluster.md %}#azure-private-link) is available in [preview](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability) for CockroachDB {{ site.data.products.dedicated }} clusters on Azure. [Private connectivity]({% link cockroachcloud/network-authorization.md %}#options-for-controlling-network-access) allows you to establish SQL access to a CockroachDB {{ site.data.products.dedicated }} cluster entirely through cloud provider private infrastructure, without exposing the cluster to the public internet, affording enhanced security and performance. diff --git a/src/current/cockroachcloud/cockroachdb-dedicated-on-azure.md b/src/current/cockroachcloud/cockroachdb-dedicated-on-azure.md index 0107e57e013..f3f28cf1c9a 100644 --- a/src/current/cockroachcloud/cockroachdb-dedicated-on-azure.md +++ b/src/current/cockroachcloud/cockroachdb-dedicated-on-azure.md @@ -17,10 +17,6 @@ CockroachDB {{ site.data.products.dedicated }} clusters on Azure have the follow - A cluster must have at minimum three nodes. A multi-region cluster must have at minimum three nodes per region. Single-node clusters are not supported. - After it is created, a cluster's storage can be increased in place, but cannot subsequently be decreased or removed. -### Networking - -- Azure Private Link is not yet available. [IP Allowlisting]({% link cockroachcloud/network-authorization.md %}#ip-allowlisting) allows you to restrict the IP addresses that can connect to your cluster. - ### Other features [PCI-Ready]({% link cockroachcloud/pci-dss.md %}) features are not yet available on Azure. To express interest, contact your Cockroach Labs account team. 
@@ -69,7 +65,7 @@ Application users can connect using [JWT tokens](https://www.cockroachlabs.com/d ### Can we use private connectivity methods, such as Private Link, to securely connect to a cluster on Azure? -You can configure IP allowlisting to limit the IP addresses or CIDR ranges that can access a CockroachDB {{ site.data.products.dedicated }} cluster on Azure. [Azure Private Link](https://learn.microsoft.com/azure/private-link/private-link-overview) is not yet available. To express interest, contact your Cockroach Labs account team. +You can configure IP allowlisting to limit the IP addresses or CIDR ranges that can access a CockroachDB {{ site.data.products.dedicated }} cluster on Azure, and you can use [Azure Private Link](https://learn.microsoft.com/azure/private-link/private-link-overview) to connect your applications in Azure to your cluster and avoid exposing your cluster or applications to the public internet. Refer to [Connect to your cluster]({% link cockroachcloud/connect-to-your-cluster.md %}#azure-private-link). ### How are clusters on Azure isolated from each other? Do they follow a similar approach as on AWS and GCP? diff --git a/src/current/cockroachcloud/connect-to-your-cluster.md b/src/current/cockroachcloud/connect-to-your-cluster.md index af311f45cd1..89be474b0f7 100644 --- a/src/current/cockroachcloud/connect-to-your-cluster.md +++ b/src/current/cockroachcloud/connect-to-your-cluster.md 
@@ -41,17 +41,16 @@ Removing or adding an authorized network on your CockroachDB {{ site.data.produc Private connectivity allows you to establish SQL access to a CockroachDB {{ site.data.products.dedicated }} cluster entirely through cloud provider private infrastructure, without exposing the cluster to the public internet, affording enhanced security and performance. -- Clusters deployed on GCP can connect privately using [GCP Private Service Connect (PSC)](#gcp-private-service-connect) or [GCP VPC peering](#gcp-vpc-peering). PSC allows you to selectively connect your cluster to a VPC within your Google Cloud project, while VPC Peering allows you to connect the Cockroach Cloud's VPC for your cluster to a VPC within your Google Cloud project. -- Clusters deployed on AWS can connect privately using AWS PrivateLink, which allows you to connect Cockroach Cloud's VPC to a VPC within your AWS account. +- Clusters deployed on GCP can connect privately using [GCP Private Service Connect (PSC)](#gcp-private-service-connect) or [GCP VPC peering](#gcp-vpc-peering). PSC allows you to connect your cluster directly to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC in CockroachDB {{ site.data.products.cloud }} to a VPC within your Google Cloud project. +- Clusters deployed on AWS can connect privately using [AWS PrivateLink](#aws-privatelink), which allows you to connect your cluster to a VPC within your AWS account. +- Clusters deployed on Azure can connect privately using [Azure Private Link](#azure-private-link), which allows you to connect your cluster to a virtual network within your Azure tenant. For more information, refer to [Network authorization]({% link cockroachcloud/network-authorization.md %}). {{site.data.alerts.callout_success}} -GCP Private Service Connect and AWS PrivateLink can be configured only after a cluster is created. 
+GCP Private Service Connect, AWS PrivateLink, and Azure Private Link can be configured only after a cluster is created. {{site.data.alerts.end}} -Azure Private Link is not yet available for [CockroachDB {{ site.data.products.dedicated }} on Azure]({% link cockroachcloud/cockroachdb-dedicated-on-azure.md %}). - {{site.data.alerts.callout_info}} {% include cockroachcloud/cdc/kafka-vpc-limitation.md %} {{site.data.alerts.end}} 
@@ -107,6 +106,34 @@ Self-service VPC peering setup is not supported for CockroachDB {{ site.data.pro To establish an AWS PrivateLink connection, refer to [Managing AWS PrivateLink for a cluster]({% link cockroachcloud/aws-privatelink.md %}). After the connection is established, you can use it to [connect to your cluster](#connect-to-your-cluster). +#### Azure Private Link + +{{site.data.alerts.callout_success}} +{% include_cached feature-phases/preview.md %} +{{site.data.alerts.end}} + +1. Navigate to your cluster's **Networking > Private endpoint** tab. +1. Click **Add a private endpoint**. Copy the value provided for **Alias**. Do not close this browser window. +1. In a new browser window, log in to Azure Console and create a new private endpoint for your cluster. + - Set the connection method to “by resource ID or alias”. + - Set the resource ID to the **Alias** you previously copied. For details, refer to [Create a private endpoint](https://learn.microsoft.com//azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip) in the Azure documentation. + + After the private endpoint is created, copy its Resource ID. Do not close this browser window. +1. Return to the CockroachDB {{ site.data.products.cloud }} Console browser tab and click **Next**. +1. Paste the resource ID for the Azure private endpoint, then click **Validate**. If validation fails, verify the resource ID and try again. Otherwise, click **Next** to configure private DNS. Make a note of the Internal DNS Name. Do not close this browser window. +1. Return to the Azure Console. Go to the **Private DNS Zone** page and create private DNS records for your cluster in the` region where you will connect privately. + - Create a private DNS zone named with the Internal DNS Name you previously copied. Refer to [Quickstart: Create an Azure private DNS zone using the Azure portal](https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal). 
+ - In the new DNS zone, create an `@` record with the Internal DNS Name you previously copied. + - Click **Complete** to finish creating the DNS records. +1. Associate the new DNS zone with the private endpoint's virtual network. View the private endpoint's configuration, click **Virtual network links**, then click **Add**. + - Name the link, then select the resource group and select the DNS zone you just created. + - Enable auto-registration. + - Click **OK**. + + For details, refer to [Link the virtual network](https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal#link-the-virtual-network). +1. Return to the CockroachDB {{ site.data.products.cloud }} Console browser tab and click **Complete**. +1. On the **Networking** page, verify the connection status is **Available**. + ## Connect to your cluster 1. In the top right corner of the CockroachDB {{ site.data.products.cloud }} Console, click the **Connect** button. diff --git a/src/current/cockroachcloud/network-authorization.md b/src/current/cockroachcloud/network-authorization.md index 606d73959b2..fdbd8e168e6 100644 --- a/src/current/cockroachcloud/network-authorization.md +++ b/src/current/cockroachcloud/network-authorization.md 
@@ -16,8 +16,9 @@ You can authorize network access to your cluster by: - [Adding an authorized range of public IP addresses](#ip-allowlisting). - Setting up private connectivity so that inbound connections to your cluster from your cloud tenant are made over the cloud provider's private network rather than over the public internet, for enhanced network security and reduced network latency. If you use IP allowlisting rules together with private connectivity, private networks do not need to be added to that allowlist. - - CockroachDB {{ site.data.products.dedicated }} clusters deployed on GCP can connect privately using GCP Private Service Connect (PSC) (Preview) or GCP VPC peering. PSC allows you to selectively connect your cluster to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC managed by Cockroach Cloud's VPC with a VPC within your Google Cloud project. - - CockroachDB {{ site.data.products.dedicated }} clusters deployed on AWS, as well as multi-region CockroachDB {{ site.data.products.serverless }} clusters deployed on AWS, can connect privately using AWS PrivateLink, which allows you to connect your cluster's VPC managed by CockroachDB {{ site.data.products.cloud }} with a VPC within your AWS account. + - CockroachDB {{ site.data.products.dedicated }} clusters deployed on GCP can connect privately using GCP Private Service Connect (PSC) (Preview) or GCP VPC peering. PSC allows you to connect your cluster directly to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC in CockroachDB {{ site.data.products.cloud }} to a VPC within your Google Cloud project. + - CockroachDB {{ site.data.products.dedicated }} clusters deployed on AWS, as well as multi-region CockroachDB {{ site.data.products.serverless }} clusters deployed on AWS, can connect privately using AWS PrivateLink, which allows you to connect your cluster to a VPC within your AWS account. 
+ - CockroachDB {{ site.data.products.dedicated }} clusters deployed on Azure can connect privately using Azure Private Link, which allows you to connect your cluster to a virtual network within your Azure tenant. For detailed instructions, refer to [Establish private connectivity]({% link cockroachcloud/connect-to-your-cluster.md %}#establish-private-connectivity). diff --git a/src/current/v24.1/cockroachdb-feature-availability.md b/src/current/v24.1/cockroachdb-feature-availability.md index 254899d4302..226758ca58a 100644 --- a/src/current/v24.1/cockroachdb-feature-availability.md +++ b/src/current/v24.1/cockroachdb-feature-availability.md 
@@ -50,6 +50,14 @@ Any feature made available in a phase prior to GA is provided without any warran [Organizing CockroachDB {{ site.data.products.cloud }} clusters using folders]({% link cockroachcloud/folders.md %}) is in preview. Folders allow you to organize and manage access to your clusters according to your organization's requirements. For example, you can create top-level folders for each business unit in your organization, and within those folders, organize clusters by geographic location and then by level of maturity, such as production, staging, and testing. +### GCP Private Service Connect for CockroachDB Dedicated + +[Connecting privately to a CockroachDB {{ site.data.products.dedicated }} cluster using GCP Private Service Connect](https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster#gcp-private-service-connect) is in preview. Private Service Connect allows you to selectively connect your cluster deployed on GCP to a VPC within your Google Cloud project. + +### Azure Private Link for CockroachDB Dedicated + +[Connecting privately to a CockroachDB {{ site.data.products.dedicated }} cluster using Azure Private Link](https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster#azure-private-link) is in preview. Azure Private Link allows you to selectively connect your cluster deployed on Azure to a virtual network within your Azure tenant. + ### Custom Metrics Chart page for CockroachDB {{ site.data.products.cloud }} clusters The [**Custom Metrics Chart** page]({% link cockroachcloud/custom-metrics-chart-page.md %}) for CockroachDB {{ site.data.products.cloud }} clusters allows you to create custom charts showing the time series data for an available metric or combination of metrics.
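Review bot: In the `src/current/_includes/releases/cloud/2024-05-30.md` hunk, the claim "without exposing the cluster to the public internet" should say whether configuring a private endpoint actually closes the public SQL endpoint or whether allowlisted public IPs can still reach it, since the `network-authorization.md` hunk in this same patch describes IP allowlisting and private connectivity as used together ("private networks do not need to be added to that allowlist"). If the public endpoint stays reachable, the release note (and the procedure it links to) should tell readers to keep the allowlist empty or tightly scoped to get the isolation being advertised. Also, this note links the feature-availability page with an absolute `https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/...` URL while the rest of the sentence uses `{% link %}`; use the same mechanism for both.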
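Review bot: In the `cockroachdb-dedicated-on-azure.md` FAQ hunk (`@@ -69,7 +65,7 @@`), the new answer presents Azure Private Link as generally available ("you can use Azure Private Link to connect..."), while the release note and the `cockroachdb-feature-availability.md` hunk in this patch both mark it as preview. Add "(in preview)" with a link to the feature-availability page here so the FAQ does not overstate maturity relative to the other pages changed in the same commit.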
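Review bot: In the `connect-to-your-cluster.md` hunk `@@ -41,17 +41,16 @@`, the new Azure bullet says "a virtual network within your Azure tenant"; virtual networks live in an Azure subscription and resource group, and "tenant" refers to the directory, so the parallel wording to the AWS bullet ("a VPC within your AWS account") is "a virtual network within your Azure subscription". The same phrase is repeated in the `network-authorization.md` and `cockroachdb-feature-availability.md` hunks and should be changed in all three. Separately, the removed line "Azure Private Link is not yet available for CockroachDB Dedicated on Azure" leaves a double blank line before the `callout_info` block; drop one of them.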
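Review bot: In the `connect-to-your-cluster.md` hunk `@@ -107,6 +106,34 @@` (the new Azure Private Link procedure), the private DNS step cannot be completed as written: "In the new DNS zone, create an `@` record with the Internal DNS Name you previously copied" names neither a record type nor a target, and the zone itself is already named with the Internal DNS Name, so the record needs to be an A record at `@` whose value is the private IP address of the private endpoint (shown on the endpoint's network interface in the portal); without that the cluster hostname will not resolve to the endpoint. Suggest: "In the new DNS zone, add an A record named `@` whose value is the private endpoint's private IP address." The next step then says to open **Virtual network links** from "the private endpoint's configuration", but virtual network links belong to the private DNS zone, which is exactly what the linked "Link the virtual network" quickstart describes; reword to "Open the private DNS zone you created, click **Virtual network links**, then click **Add**". Enabling auto-registration is not needed for this zone (it only registers VM hostnames from the linked virtual network) and can be left disabled. Smaller fixes in the same hunk: the stray backtick in "in the` region where you will connect privately", the double slash in `https://learn.microsoft.com//azure/private-link/create-private-endpoint-portal`, "Azure Console" should be "Azure portal" (the product name used in the linked Microsoft pages), and the portal field is "Resource ID or alias", so "Set the resource ID to the **Alias**" reads better as "Paste the **Alias** into the **Resource ID or alias** field". Finally, the last step "verify the connection status is **Available**" is the only indication that the connection has been approved; say explicitly what the status is before approval and how long approval is expected to take, so a reader does not assume the endpoint is usable as soon as it is created in Azure.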
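Review bot: In the `cockroachdb-feature-availability.md` hunk, the new "GCP Private Service Connect for CockroachDB Dedicated" section is outside the scope of the commit subject ("[DOC-9808] Azure Private Link preview"); either mention it in the commit message or split it into its own change. Within the same hunk, both new sections use "selectively connect your cluster", which is the wording this patch removes from `connect-to-your-cluster.md` and `network-authorization.md` in favor of "connect your cluster directly"; pick one phrasing and use it on all three pages. Also, `connect-to-your-cluster.md` already marks the Azure procedure with the preview callout, but the in-page anchor `#azure-private-link` is referenced here via an absolute `https://www.cockroachlabs.com/docs/cockroachcloud/...` URL rather than `{% link cockroachcloud/connect-to-your-cluster.md %}#azure-private-link` as used elsewhere in the patch.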