Add Azure support to egress private endpoints documentation#23391
mikeCRL wants to merge 4 commits into
Conversation
Add Azure Private Link Service throughout the egress private endpoints doc following the same structure and level of detail as AWS/GCP.

Changes:
- Add Azure to supported services list
- Add Azure prerequisites section with approval process
- Add Azure to target_service_identifier and target_service_type parameters
- Add Azure example API request
- Update Confluent Cloud section to include Azure

All Azure additions include detailed TODO comments with self-contained context so they can be reviewed without referring to supporting documents. Each TODO includes:
- Exact line references to AWS/GCP equivalents in the same file
- Context showing what AWS and GCP do for the same scenario
- Specific questions with clear options
- Guidance on what content is needed based on the answer

The 6 TODOs cover:
1. Supported services list wording (generic vs specific)
2. Pre-authorization requirement (compare to AWS principal, GCP approval)
3. Additional prerequisites (compare to AWS/GCP bullets)
4. Target service identifier format (resource ID vs alias + how to find)
5. Service type confirmation (PRIVATE_SERVICE vs Azure-specific types)
6. Example values (region format, realistic placeholders)

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
@sanchit-CRL Would you mind reviewing the TODOs and providing the info we need to fill the gaps for each? Happy to collaborate in other ways, too, if preferable - just let me know. Thanks!
| Context: AWS lists MSK specifically (line 18: "Amazon Managed Streaming for Apache Kafka (MSK)") with caveats, while GCP is generic (line 19: "Google Cloud VPC Private Service Connect"). | ||
| Options: | ||
| 1. Keep generic: "Azure Private Link Service" | ||
| 2. List specific tested services: "Self-hosted Kafka on Azure VMs via Private Link Service" or "Azure Event Hubs via Private Link Service" |
Azure Hub is not covered in this phase. We can keep it as Azure Private Link Service, since only generic self-hosted Kafka on Azure VMs is covered in this release, same as GCP.
| The following prerequisites apply to Azure Private Link Service: | ||
| <!-- TODO: Does CockroachDB Cloud's Azure subscription need to be pre-authorized on the customer's Private Link Service (PLS)? |
The Private Link Service's visibility must permit the CockroachDB Cloud Azure subscription to connect. Either:
- Add the CockroachDB Cloud Azure subscription to the PLS's Restricted by subscription visibility list (and to Auto-approval to skip manual approval), or
- Leave the default RBAC-only visibility and manually approve each connection request after CockroachDB Cloud creates the private endpoint.

We can state something similar to:

The CockroachDB Cloud Azure subscription does not need to be pre-authorized on your Private Link Service. After CockroachDB Cloud creates the private endpoint, the connection appears in Pending state on your PLS and must be approved manually. To skip the manual approval step, you can add CockroachDB Cloud's Azure subscription ID to your PLS auto-approval list during PLS creation.
| Question: Does Azure work the same way (pre-authorization required), or is post-creation manual approval sufficient? | ||
| If PRE-AUTHORIZATION is required: | ||
| - What is the CC Azure subscription ID? (or is it per-cluster via account_id API?) |
Yes, the subscription ID is the `account_id` in the Get cluster API.
| Azure options from design doc: | ||
| 1. Full resource ID: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/privateLinkServices/{pls-name} | ||
| 2. Alias format: {guid}.{region}.azure.privatelinkservice |
We support both as the `target_service_identifier`.
Azure Private Link Service: Either the Azure Private Link Service resource ID (recommended) or the PLS alias.
- Resource ID format: /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/privateLinkServices/{pls-name}
- Alias format: {prefix}.{guid}.{region}.azure.privatelinkservice
To find these values:
- Portal: Navigate to your Private Link Service → Settings → Properties for the resource ID, or Overview → Alias for the alias.
- CLI: `az network private-link-service show --name {pls-name} --resource-group {rg} --query '{id:id, alias:alias}'`
| - Azure Portal: **Private Link Center** → **Private Link Services** → select your service → **Private endpoint connections** → **Approve** | ||
| - Azure CLI: `az network private-endpoint-connection approve` | ||
| - See the [Azure Private Link documentation](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint) for detailed steps. |
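Review bot: the Azure CLI bullet quotes only the bare command `az network private-endpoint-connection approve`, which does not run as written because it lacks the arguments that identify the pending connection and its parent Private Link Service (resource group, service name and connection name, or the connection's resource ID); either show a complete invocation with placeholder values in the same `{pls-name}`/`{rg}` style used elsewhere in this thread, or state that the reader must supply those identifiers, as the Portal bullet does by spelling out the navigation path. The linked Microsoft page in the following bullet can then carry the per-flag detail.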
| - Any Azure-specific networking or security settings? | ||
| If yes: Add them as bullet points similar to GCP's second bullet. | ||
| If no: No changes needed - current prerequisites are complete. --> |
- The Private Link Service must be in the same Azure region as the CockroachDB Cloud cluster region where the endpoint is created. Cross-region connections are not supported in Azure.
- The PLS must be backed by a Standard SKU Internal Load Balancer (Basic SKU does not support Private Link).
| Question: Does Azure follow GCP's pattern (always `PRIVATE_SERVICE`), or does it need service-specific types like AWS MSK? | ||
| - For self-hosted Kafka on Azure VMs: `PRIVATE_SERVICE`? | ||
| - For Azure Event Hubs (if supported): `PRIVATE_SERVICE` or something specific like `AZURE_EVENT_HUBS`? |
We have not worked on Azure Event Hubs in this phase; just `PRIVATE_SERVICE` is supported for both self-hosted on VM and Confluent Cloud.
| - GCP region format (line 210): "us-east1" (lowercase with no hyphens between region and number) | ||
| Questions for region: | ||
| - Is "eastus" the correct Azure region format? (vs "East US" or "east-us") |
Azure region codes are lowercase, and `eastus` is correct for an example.
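Added example, not code from this PR or from the CockroachDB Cloud docs or API: a small Python pre-flight check that ties together the three Azure answers given in the threads above, namely that `target_service_identifier` may be either the Private Link Service resource ID or the PLS alias, that `target_service_type` is always `PRIVATE_SERVICE` for Azure in this phase, and that region codes are lowercase like `eastus`. It also applies the same-region rule from the prerequisites reply: an alias embeds the PLS region, so a mismatch with the cluster region can be rejected before any request is sent (a resource ID carries no region and cannot be checked this way). The character-class limits in the regexes, the `region` field name in the returned parameters and the sample values are assumptions for illustration.

```python
import re

# Azure GUID (8-4-4-4-12 hex), used for the subscription ID and the alias GUID.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Form 1: full resource ID, as quoted in the review thread. Azure treats the fixed path
# segments case-insensitively, so "resourcegroups" and "resourceGroups" both pass.
# Name character rules are an assumption, kept permissive on purpose.
RESOURCE_ID_RE = re.compile(
    rf"^/subscriptions/(?P<subscription>{GUID})"
    r"/resourceGroups/(?P<resource_group>[A-Za-z0-9._()\-]{1,90})"
    r"/providers/Microsoft\.Network/privateLinkServices/(?P<name>[A-Za-z0-9._\-]{1,80})$",
    re.IGNORECASE,
)

# Form 2: PLS alias, {prefix}.{guid}.{region}.azure.privatelinkservice
ALIAS_RE = re.compile(
    rf"^(?P<prefix>[A-Za-z0-9\-]{{1,80}})\.(?P<guid>{GUID})"
    r"\.(?P<region>[a-z0-9]{3,40})\.azure\.privatelinkservice$",
    re.IGNORECASE,
)

# Only type supported for Azure in this phase, per the review thread.
SERVICE_TYPE = "PRIVATE_SERVICE"

# Azure region codes are lowercase alphanumerics: "eastus", not "East US" or "east-us".
AZURE_REGION_RE = re.compile(r"^[a-z0-9]{3,40}$")


def is_valid_azure_region(region: str) -> bool:
    """True for a lowercase Azure region code such as 'eastus'."""
    return bool(AZURE_REGION_RE.fullmatch(region))


def classify_identifier(identifier: str) -> dict:
    """Parse a PLS resource ID or alias into its parts; raise ValueError for anything else."""
    value = identifier.strip()
    m = RESOURCE_ID_RE.match(value)
    if m:
        # A resource ID does not encode the region, so it is reported as None.
        return {"kind": "resource_id", "region": None, **m.groupdict()}
    m = ALIAS_RE.match(value)
    if m:
        parts = m.groupdict()
        parts["region"] = parts["region"].lower()
        return {"kind": "alias", **parts}
    raise ValueError(
        "target_service_identifier must be a Private Link Service resource ID "
        "(/subscriptions/.../privateLinkServices/<name>) or an alias "
        "(<prefix>.<guid>.<region>.azure.privatelinkservice)"
    )


def build_egress_endpoint_params(identifier: str, cluster_region: str) -> dict:
    """Assemble request parameters, enforcing the region format and same-region rule.

    The 'region' key is an assumed field name; the other two are the parameters named
    in the doc being reviewed.
    """
    if not is_valid_azure_region(cluster_region):
        raise ValueError(f"invalid Azure region code: {cluster_region!r} (expected e.g. 'eastus')")
    parsed = classify_identifier(identifier)
    if parsed["kind"] == "alias" and parsed["region"] != cluster_region:
        raise ValueError(
            f"PLS region {parsed['region']!r} differs from cluster region {cluster_region!r}; "
            "cross-region Private Link connections are not supported in Azure"
        )
    return {
        "target_service_identifier": identifier.strip(),
        "target_service_type": SERVICE_TYPE,
        "region": cluster_region,
    }


if __name__ == "__main__":
    # Constructed sample values; GUIDs and names are placeholders, not real resources.
    sample_alias = "kafka-pls.abcdef12-3456-7890-abcd-ef1234567890.eastus.azure.privatelinkservice"
    print(build_egress_endpoint_params(sample_alias, "eastus"))
    try:
        build_egress_endpoint_params(sample_alias, "westus")
    except ValueError as err:
        print("rejected:", err)
```

Run the alias through `classify_identifier` first when you want to surface the region mismatch in a friendlier place than the API response; the resource-ID path cannot detect it locally, which is one argument for the alias when the customer is working across several regions.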
…endpoints

Applied all feedback from PR review to finalize Azure documentation.

Changes:
- Supported services: Keep generic "Azure Private Link Service" wording
- Pre-authorization: Added explanation that CC subscription doesn't need pre-authorization, but manual approval is required (with optional auto-approval setup). Added API call to retrieve Azure subscription ID.
- Prerequisites: Added same-region requirement, enhanced ILB bullet to specify Standard SKU requirement and note Basic SKU is not supported.
- Target identifier: Expanded to show both resource ID (recommended) and alias formats with Portal and CLI instructions for finding values.
- Service type: Confirmed PRIVATE_SERVICE is correct for Azure.
- Example values: Confirmed "eastus" region format is correct.

All 6 TODOs resolved and removed.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
Refinements to the Azure prerequisites section:
- Add link to "Standard SKU Internal Load Balancer" pointing to Azure's SKU comparison page for customers who want to understand the difference
- Clarify Basic SKU limitation: "Basic SKU load balancers do not support the Private Link Service" (more explicit than "Basic SKU does not support Private Link")
- Add "By default," to approval text for clarity on when manual approval is needed
- Standardize navigation arrows to > throughout Azure sections

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
Adds Azure Private Link Service support to egress private endpoints documentation, matching the level of detail provided for AWS and GCP. Resolves DOC-16027.
Azure coverage includes:
PRIVATE_SERVICE)