[DOC-9808] Azure Private Link preview (#18602)
* [DOC-9808] Azure Private Link preview
mdlinville authored Jun 12, 2024
1 parent 1f7953d commit 1a1b81a
Showing 6 changed files with 56 additions and 16 deletions.
4 changes: 4 additions & 0 deletions src/current/_includes/releases/cloud/2024-06-12.md
Expand Up @@ -9,3 +9,7 @@
- `eu-south-1` (Milan)
- `il-central-1` (Tel Aviv)
- `me-south-1` (Bahrain)

<h3 id="2024-06-12-security-updates"> Security updates </h3>

- [Configuring private connectivity using Azure Private Link]({% link cockroachcloud/connect-to-your-cluster.md %}#azure-private-link) is available in [preview](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability) for CockroachDB {{ site.data.products.dedicated }} clusters on Azure. [Private connectivity]({% link cockroachcloud/network-authorization.md %}#options-for-controlling-network-access) allows you to establish SQL access to a CockroachDB {{ site.data.products.dedicated }} cluster entirely through cloud provider private infrastructure, without exposing the cluster to the public internet, affording enhanced security and performance.
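Review bot: The phrase "without exposing the cluster to the public internet" in the new Security updates bullet can be read as saying the public endpoint is disabled once Private Link is configured, but network-authorization.md in this same commit describes private connectivity as something used together with IP allowlisting rules; consider adding a clause stating that public access remains governed by the IP allowlist. Minor: this bullet links the feature-availability page with an absolute `https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/...` URL while its other two links use `{% link %}`.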
4 changes: 0 additions & 4 deletions src/current/cockroachcloud/cloud-org-sso.md
Expand Up @@ -115,10 +115,6 @@ The following flows are supported:
- The _service provider-initiated flow_, where you initiate configuration of Cloud Organization SSO through the CockroachDB {{ site.data.products.cloud }} Console.
- The _identity provider-initiated flow_, where you initiate configuration through an IdP such as Okta.

{{site.data.alerts.callout_info}}
To enable the IdP-initiated flow for your CockroachDB Cloud organization, contact [Cockroach Labs support](https://support.cockroachlabs.com/hc).
{{site.data.alerts.end}}

#### What default role is assigned to users when autoprovisioning is enabled in a CockroachDB {{ site.data.products.cloud }} organization?

Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Org Administrator role]({% link cockroachcloud/authorization.md %}#org-administrator).
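Review bot: Removing the callout that told readers to contact support to enable the IdP-initiated flow leaves this section with no statement of how that flow is enabled, and the change is outside the Azure Private Link scope given in the commit title; either state that IdP-initiated configuration is now self-service or split this into its own commit. Pre-existing issue on the unchanged context line: `[**Org Administrator role]` has an unclosed bold marker and should read `[**Org Administrator** role]`.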
6 changes: 1 addition & 5 deletions src/current/cockroachcloud/cockroachdb-dedicated-on-azure.md
Expand Up @@ -17,10 +17,6 @@ CockroachDB {{ site.data.products.dedicated }} clusters on Azure have the follow
- A cluster must have at minimum three nodes. A multi-region cluster must have at minimum three nodes per region. Single-node clusters are not supported.
- After it is created, a cluster's storage can be increased in place, but cannot subsequently be decreased or removed.

### Networking

- Azure Private Link is not yet available. [IP Allowlisting]({% link cockroachcloud/network-authorization.md %}#ip-allowlisting) allows you to restrict the IP addresses that can connect to your cluster.

### Other features

[PCI-Ready]({% link cockroachcloud/pci-dss.md %}) features are not yet available on Azure. To express interest, contact your Cockroach Labs account team.
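Review bot: Deleting the whole `### Networking` section also drops this page's only pointer to IP allowlisting and leaves no statement that Azure Private Link is in preview, which the release note and feature-availability page in this same commit both say. Suggest replacing the bullet rather than removing the section, for example `- Azure Private Link is in preview. Refer to [Connect to your cluster]({% link cockroachcloud/connect-to-your-cluster.md %}#azure-private-link).`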
Expand Down Expand Up @@ -69,7 +65,7 @@ Application users can connect using [JWT tokens](https://www.cockroachlabs.com/d

### Can we use private connectivity methods, such as Private Link, to securely connect to a cluster on Azure?

You can configure IP allowlisting to limit the IP addresses or CIDR ranges that can access a CockroachDB {{ site.data.products.dedicated }} cluster on Azure. [Azure Private Link](https://learn.microsoft.com/azure/private-link/private-link-overview) is not yet available. To express interest, contact your Cockroach Labs account team.
You can configure IP allowlisting to limit the IP addresses or CIDR ranges that can access a CockroachDB {{ site.data.products.dedicated }} cluster on Azure, and you can use [Azure Private Link](https://learn.microsoft.com/azure/private-link/private-link-overview) to connect your applications in Azure to your cluster and avoid exposing your cluster or applications to the public internet. Refer to [Connect to your cluster]({% link cockroachcloud/connect-to-your-cluster.md %}#azure-private-link).

### How are clusters on Azure isolated from each other? Do they follow a similar approach as on AWS and GCP?
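Review bot: The rewritten FAQ answer does not mark Azure Private Link as preview, while connect-to-your-cluster.md in this commit places the feature under a preview callout and feature-availability lists it as in preview; add "(Preview)" so the answer matches the other pages. The new sentence is also long; splitting it after "cluster on Azure." would read more easily.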

45 changes: 40 additions & 5 deletions src/current/cockroachcloud/connect-to-your-cluster.md
Expand Up @@ -41,17 +41,16 @@ Removing or adding an authorized network on your CockroachDB {{ site.data.produc

Private connectivity allows you to establish SQL access to a CockroachDB {{ site.data.products.dedicated }} cluster entirely through cloud provider private infrastructure, without exposing the cluster to the public internet, affording enhanced security and performance.

- Clusters deployed on GCP can connect privately using [GCP Private Service Connect (PSC)](#gcp-private-service-connect) or [GCP VPC peering](#gcp-vpc-peering). PSC allows you to selectively connect your cluster to a VPC within your Google Cloud project, while VPC Peering allows you to connect the Cockroach Cloud's VPC for your cluster to a VPC within your Google Cloud project.
- Clusters deployed on AWS can connect privately using AWS PrivateLink, which allows you to connect Cockroach Cloud's VPC to a VPC within your AWS account.
- Clusters deployed on GCP can connect privately using [GCP Private Service Connect (PSC)](#gcp-private-service-connect) or [GCP VPC peering](#gcp-vpc-peering). PSC allows you to connect your cluster directly to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC in CockroachDB {{ site.data.products.cloud }} to a VPC within your Google Cloud project.
- Clusters deployed on AWS can connect privately using [AWS PrivateLink](#aws-privatelink), which allows you to connect your cluster to a VPC within your AWS account.
- Clusters deployed on Azure can connect privately using [Azure Private Link](#azure-private-link), which allows you to connect your cluster to a virtual network within your Azure tenant.

For more information, refer to [Network authorization]({% link cockroachcloud/network-authorization.md %}).

{{site.data.alerts.callout_success}}
GCP Private Service Connect and AWS PrivateLink can be configured only after a cluster is created.
GCP Private Service Connect, AWS PrivateLink, and Azure Private Link can be configured only after a cluster is created.
{{site.data.alerts.end}}

Azure Private Link is not yet available for [CockroachDB {{ site.data.products.dedicated }} on Azure]({% link cockroachcloud/cockroachdb-dedicated-on-azure.md %}).

{{site.data.alerts.callout_info}}
{% include cockroachcloud/cdc/kafka-vpc-limitation.md %}
{{site.data.alerts.end}}
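Review bot: The PSC wording changes here from "selectively connect your cluster" to "connect your cluster directly", but the feature-availability hunk in this commit still says "selectively connect" for both PSC and Azure Private Link; pick one phrasing across the three files. The removed line "Azure Private Link is not yet available for ..." was also this section's only link to cockroachdb-dedicated-on-azure.md; consider linking the new Azure bullet to that page so readers still find the Azure-specific limitations.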
Expand Down Expand Up @@ -107,6 +106,42 @@ Self-service VPC peering setup is not supported for CockroachDB {{ site.data.pro

To establish an AWS PrivateLink connection, refer to [Managing AWS PrivateLink for a cluster]({% link cockroachcloud/aws-privatelink.md %}). After the connection is established, you can use it to [connect to your cluster](#connect-to-your-cluster).

#### Azure Private Link

{{site.data.alerts.callout_success}}
{% include_cached feature-phases/preview.md %}
{{site.data.alerts.end}}

1. Navigate to your cluster's **Networking > Private endpoint** tab.
1. Click **Add a private endpoint**. Copy the value provided for **Alias**. Do not close this browser window.
1. In a new browser window, log in to Azure Console and create a new private endpoint for your cluster.
- Set the connection method to “by resource ID or alias”.
- Set the resource ID to the **Alias** you previously copied. For details, refer to [Create a private endpoint](https://learn.microsoft.com//azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip) in the Azure documentation.

After the private endpoint is created, view it, then click **Properties** and copy its Resource ID.

{{site.data.alerts.callout_info}}
Copy the resource ID for the private endpoint you just created, not for the Private Link resource itself.
{{site.data.alerts.end}}

Do not close this browser window.
1. Return to the CockroachDB {{ site.data.products.cloud }} Console browser tab and click **Next**.
1. Paste the resource ID for the Azure private endpoint, then click **Validate**. If validation fails, verify the resource ID and try again. If you encounter the error `This resource is invalid`, be sure that you are using the resource ID for the Azure private endpoint, rather than the resource ID for Azure Private Link itself.

When validation succeeds, click **Next** to configure private DNS. Make a note of the Internal DNS Name. Do not close this browser window.
1. Return to the Azure Console. Go to the **Private DNS Zone** page and create private DNS records for your cluster in the` region where you will connect privately.
- Create a private DNS zone named with the Internal DNS Name you previously copied. Refer to [Quickstart: Create an Azure private DNS zone using the Azure portal](https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal).
- In the new DNS zone, create an `@` record with the Internal DNS Name you previously copied.
- Click **Complete** to finish creating the DNS records.
1. Associate the new DNS zone with the private endpoint's virtual network. View the private endpoint's configuration, click **Virtual network links**, then click **Add**.
- Name the link, then select the resource group and select the DNS zone you just created.
- Enable auto-registration.
- Click **OK**.

For details, refer to [Link the virtual network](https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal#link-the-virtual-network).
1. Return to the CockroachDB {{ site.data.products.cloud }} Console browser tab and click **Complete**.
1. On the **Networking** page, verify the connection status is **Available**.

## Connect to your cluster

1. In the top right corner of the CockroachDB {{ site.data.products.cloud }} Console, click the **Connect** button.
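Review bot: Several defects in the new Azure Private Link procedure. There is a stray backtick in "create private DNS records for your cluster in the` region where you will connect privately", and the Azure link for creating the endpoint has a doubled slash (`https://learn.microsoft.com//azure/private-link/...`). The paragraphs and callouts placed between list items ("After the private endpoint is created...", "Do not close this browser window.", "When validation succeeds...", "For details, refer to...") are not indented under their item, so Markdown will close the list and restart numbering at 1 after each of them. Finally, "create an `@` record with the Internal DNS Name" states neither the record type nor what it should resolve to; the zone is already named with the Internal DNS Name, so specify the type (an A record, presumably) and the address it should point at (the private endpoint's private IP, presumably), and say why auto-registration is enabled on the virtual network link when the steps only ever create one static record.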
5 changes: 3 additions & 2 deletions src/current/cockroachcloud/network-authorization.md
Expand Up @@ -16,8 +16,9 @@ You can authorize network access to your cluster by:
- [Adding an authorized range of public IP addresses](#ip-allowlisting).
- Setting up private connectivity so that inbound connections to your cluster from your cloud tenant are made over the cloud provider's private network rather than over the public internet, for enhanced network security and reduced network latency. If you use IP allowlisting rules together with private connectivity, private networks do not need to be added to that allowlist.

- <a id="gcp-private-service-connect"></a><a id="gcp-vpc-peering"></a><a id="vpc-peering"></a>CockroachDB {{ site.data.products.dedicated }} clusters deployed on GCP can connect privately using GCP Private Service Connect (PSC) (Preview) or GCP VPC peering. PSC allows you to selectively connect your cluster to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC managed by Cockroach Cloud's VPC with a VPC within your Google Cloud project.
- <a id="aws-privatelink"></a>CockroachDB {{ site.data.products.dedicated }} clusters deployed on AWS, as well as multi-region CockroachDB {{ site.data.products.serverless }} clusters deployed on AWS, can connect privately using AWS PrivateLink, which allows you to connect your cluster's VPC managed by CockroachDB {{ site.data.products.cloud }} with a VPC within your AWS account.
- <a id="gcp-private-service-connect"></a><a id="gcp-vpc-peering"></a><a id="vpc-peering"></a>CockroachDB {{ site.data.products.dedicated }} clusters deployed on GCP can connect privately using GCP Private Service Connect (PSC) (Preview) or GCP VPC peering. PSC allows you to connect your cluster directly to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC in CockroachDB {{ site.data.products.cloud }} to a VPC within your Google Cloud project.
- <a id="aws-privatelink"></a>CockroachDB {{ site.data.products.dedicated }} clusters deployed on AWS, as well as multi-region CockroachDB {{ site.data.products.serverless }} clusters deployed on AWS, can connect privately using AWS PrivateLink, which allows you to connect your cluster to a VPC within your AWS account.
- <a id="azure-private-link"></a>CockroachDB {{ site.data.products.dedicated }} clusters deployed on Azure can connect privately using Azure Private Link, which allows you to connect your cluster to a virtual network within your Azure tenant.

For detailed instructions, refer to [Establish private connectivity]({% link cockroachcloud/connect-to-your-cluster.md %}#establish-private-connectivity).
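Review bot: The PSC bullet keeps its "(Preview)" marker but the new Azure Private Link bullet has none, even though the release note and feature-availability page in this commit mark Azure Private Link as preview; add "(Preview)" after "Azure Private Link" for consistency.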

8 changes: 8 additions & 0 deletions src/current/v24.1/cockroachdb-feature-availability.md
Expand Up @@ -50,6 +50,14 @@ Any feature made available in a phase prior to GA is provided without any warran

[Organizing CockroachDB {{ site.data.products.cloud }} clusters using folders]({% link cockroachcloud/folders.md %}) is in preview. Folders allow you to organize and manage access to your clusters according to your organization's requirements. For example, you can create top-level folders for each business unit in your organization, and within those folders, organize clusters by geographic location and then by level of maturity, such as production, staging, and testing.

### GCP Private Service Connect for CockroachDB Dedicated

[Connecting privately to a CockroachDB {{ site.data.products.dedicated }} cluster using GCP Private Service Connect](https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster#gcp-private-service-connect) is in preview. Private Service Connect allows you to selectively connect your cluster deployed on GCP to a VPC within your Google Cloud project.

### Azure Private Link for CockroachDB Dedicated

[Connecting privately to a CockroachDB {{ site.data.products.dedicated }} cluster using Azure Private Link](https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster#azure-private-link) is in preview. Azure Private Link allows you to selectively connect your cluster deployed on Azure to a virtual network within your Azure tenant.

### Custom Metrics Chart page for CockroachDB {{ site.data.products.cloud }} clusters

The [**Custom Metrics Chart** page]({% link cockroachcloud/custom-metrics-chart-page.md %}) for CockroachDB {{ site.data.products.cloud }} clusters allows you to create custom charts showing the time series data for an available metric or combination of metrics.
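Review bot: The new section's "selectively connect your cluster deployed on Azure" copies the PSC phrasing, while connect-to-your-cluster.md in this commit now says "connect your cluster directly"; align the wording. The heading "Azure Private Link for CockroachDB Dedicated" hard-codes the product name where the Custom Metrics Chart heading below uses `{{ site.data.products.dedicated }}`-style includes; it matches the pre-existing GCP heading just above, so either is defensible, but both new headings should use the same form.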

0 comments on commit 1a1b81a