ClickHouse · Blargian · Jun 12, 2026 · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026
@@ -0,0 +1,4 @@
+{
+  "singleQuote": true,
+  "trailingComma": "none"
+}
@@ -22,7 +22,6 @@ keywords: ['cloud guides', 'documentation', 'how-to', 'cloud features', 'tutoria
 | [AWS customized setup](/cloud/reference/byoc/onboarding/customization-aws) | Deploy ClickHouse BYOC into your existing AWS VPC |
 | [AWS PrivateLink](/manage/security/aws-privatelink) | This document describes how to connect to ClickHouse Cloud using AWS PrivateLink. |
 | [Azure Private Link](/cloud/security/azure-privatelink) | How to set up Azure Private Link |
-| [Azure Private Preview](/cloud/reference/byoc/onboarding/azure-private-preview) | Onboard ClickHouse BYOC on Azure using the Terraform module and cross-tenant authentication |
 | [Billable AWS services](/cloud/reference/byoc/billable-aws-services) | AWS services provisioned by ClickHouse BYOC, classified as mandatory or optional, with notes on which ones contribute to your AWS bill |
 | [BYOC AWS private networking setup](/cloud/reference/byoc/onboarding/network-aws) | Set up VPC Peering or PrivateLink for BYOC on AWS |
 | [BYOC cost model (AWS)](/cloud/reference/byoc/cost-model-aws) | How ClickHouse Cloud charges and AWS infrastructure charges combine into total cost of ownership for a BYOC deployment |

@@ -20,17 +20,17 @@
 
 - **ClickHouse Cloud organization:** The top-level entity in ClickHouse Cloud that manages users, billing, and non-BYOC ClickHouse services. Users within an organization can access both standard Cloud services and BYOC services.
 - **ClickHouse BYOC organization:** A separate organization dedicated to managing BYOC deployments. It shares users with the Cloud organization but is linked to one or more cloud accounts where BYOC infrastructure is deployed.
-- **Cloud account / project:** The customer-owned AWS account or GCP project where BYOC infrastructure is provisioned. Each account or project can host BYOC deployments in one or more regions. A dedicated account or project per BYOC deployment is recommended for isolation.
-- **BYOC infrastructure:** The set of cloud resources deployed within a specific region of a cloud account, including a VPC, Kubernetes cluster (EKS/GKE), storage buckets, IAM roles, and supporting services. A single cloud account can contain multiple BYOC infrastructures across different regions.
+- **Cloud account/project/subscription:** The customer-owned AWS account, GCP project, or Azure subscription where BYOC infrastructure is provisioned. Each account/project/subscription can host BYOC deployments in one or more regions. A dedicated account/project/subscription per BYOC deployment is recommended for isolation.
+- **BYOC infrastructure:** The set of cloud resources deployed within a specific region of a cloud account, including a VPC/VNet, Kubernetes cluster (EKS/GKE/AKS), object storage buckets, IAM roles/service accounts/service principals, and supporting services. A single cloud account can contain multiple BYOC infrastructures across different regions.
 - **ClickHouse Service:** An individual ClickHouse cluster running within a BYOC infrastructure. Multiple services can run within the same BYOC infrastructure.
 
 :::note
-Mixing of AWS accounts and GCP projects under the same organization is only possible for customers who are not set up through a [cloud service provider marketplace](/cloud/marketplace/marketplace-billing).
+Mixing of AWS accounts, GCP projects and Azure subscriptions under the same organization is only possible for customers who aren't set up through a [cloud service provider marketplace](/cloud/marketplace/marketplace-billing).
 :::
 
 ## Glossary {#glossary}
 
-- **ClickHouse VPC:**  The VPC owned by ClickHouse Cloud.
+- **ClickHouse VPC:** The VPC owned by ClickHouse Cloud.
 - **Customer BYOC VPC:** The VPC, owned by the customer's cloud account, is provisioned and managed by ClickHouse Cloud and dedicated to a ClickHouse Cloud BYOC deployment.
 - **Customer VPC:** Other VPCs owned by the customer cloud account used for applications that need to connect to the Customer BYOC VPC.
 
@@ -48,10 +48,10 @@
 
 The main cloud resources ClickHouse Cloud will deploy in your account are:
 
-* **VPC:** A Virtual Private Cloud dedicated to your ClickHouse deployment. This can be managed either by ClickHouse or by you, the customer, and is typically peered with your application VPCs.
-* **IAM roles and policies:** Roles and permissions necessary for Kubernetes, ClickHouse services, and the monitoring stack. These can be provisioned by ClickHouse or supplied by the customer.
-* **Storage buckets:** Used for storing data parts, backups, and (optionally) long-term metrics and log archives.
-* **Kubernetes cluster:** This can be Amazon EKS, Google GKE, or Azure AKS, depending on your cloud provider, and hosts the ClickHouse servers and supporting services shown in the architecture diagram.
+- **VPC:** A Virtual Private Cloud dedicated to your ClickHouse deployment. This can be managed either by ClickHouse or by you, the customer, and is typically peered with your application VPCs.
+- **IAM roles and policies:** Roles and permissions necessary for Kubernetes, ClickHouse services, and the monitoring stack. These can be provisioned by ClickHouse or supplied by the customer.
+- **Storage buckets:** Used for storing data parts, backups, and (optionally) long-term metrics and log archives.
+- **Kubernetes cluster:** This can be Amazon EKS, Google GKE, or Azure AKS depending on your cloud provider. It hosts the ClickHouse servers and supporting services shown in the architecture diagram.
 
 By default, ClickHouse Cloud provisions a new, dedicated VPC and sets up the necessary IAM roles to ensure secure operation of Kubernetes services. For organizations with advanced networking or security needs, there is also the option to manage the VPC and IAM roles independently. This approach allows for greater customization of network configurations and more precise control over permissions. However, choosing to self-manage these resources will increase your operational responsibilities.
 
@@ -91,6 +91,7 @@
 - **Infrastructure management**: Management services can coordinate with your BYOC infrastructure for automated operations
 
 The Tailscale connection is **outbound-only** from your BYOC VPC—no inbound connections are required, reducing your security exposure. All access is:
+
 - **Approved and audited**: Engineers must request access through an internal approval system
 - **Time-bound**: Access automatically expires after a set period
 - **Restricted**: Engineers can only access system tables and infrastructure components, never customer data
@@ -110,7 +111,8 @@
 All customer data remains within your cloud account and is never accessed or transmitted through these management channels.
 
 **Additional recommendations and considerations:**
-- Ensure that network CIDR ranges for your BYOC VPC doesn't overlap with any existing VPCs you plan to peer with.
+
+- Ensure that network CIDR ranges for your BYOC VPC don't overlap with any existing VPCs you plan to peer with.
 - Tag your resources clearly to simplify management and support.
 - Plan for adequate subnet sizing and distribution across availability zones for high availability.
 - Consult the [security playbook](https://clickhouse.com/docs/cloud/security/audit-logging/byoc-security-playbook) to understand shared responsibility and best practices when ClickHouse Cloud operates within your environment.

@@ -11,15 +11,15 @@
 import byoc_onboarding_1 from '@site/static/images/cloud/reference/byoc-onboarding-1.png'
 import byoc_onboarding_2 from '@site/static/images/cloud/reference/byoc-onboarding-2.png'
 import byoc_onboarding_3 from '@site/static/images/cloud/reference/byoc-onboarding-3.png'
-import byoc_new_service_1 from '@site/static/images/cloud/reference/byoc-new-service-1.png' 
+import byoc_new_service_1 from '@site/static/images/cloud/reference/byoc-new-service-1.png'
 
 ## What is standard onboarding? {#what-is-standard-onboarding}
 
-**Standard onboarding** is the default, guided workflow for deploying ClickHouse in your own cloud account using BYOC. In this approach, ClickHouse Cloud provisions all of the core cloud resources required for your deployment—such as the VPC, subnets, security groups, Kubernetes (EKS/GKE) cluster, and supporting IAM roles/service accounts—within your AWS account/GCP project. This ensures consistent, secure configuration, and minimizes the manual steps required from your team.
+**Standard onboarding** is the default, guided workflow for deploying ClickHouse in your own cloud account using BYOC. In this approach, ClickHouse Cloud provisions all of the core cloud resources required for your deployment—such as the VPC/VNet, subnets, security groups, Kubernetes (EKS/GKE/AKS) cluster, and supporting IAM roles/service accounts/service principals—within your AWS account, GCP project, or Azure subscription. This ensures consistent, secure configuration, and minimizes the manual steps required from your team.
 
-With standard onboarding, you simply provide a dedicated AWS account/GCP project, and run an initial stack (via CloudFormation or Terraform) to create the minimum IAM permissions and trust required for ClickHouse Cloud to orchestrate further setup. All subsequent steps—including infrastructure provisioning and service launch—are managed through the ClickHouse Cloud web console.
+With standard onboarding, you simply provide a dedicated AWS account, GCP project, or Azure subscription, and run an initial stack (via CloudFormation or Terraform) to create the minimum permissions and trust required for ClickHouse Cloud to orchestrate further setup. All subsequent steps—including infrastructure provisioning and service launch—are managed through the ClickHouse Cloud web console.
 
-Customers are strongly recommended to prepare a **dedicated** AWS account or GCP project for hosting the ClickHouse BYOC deployment to ensure better isolation in terms of permissions and resources. ClickHouse will deploy a dedicated set of cloud resources (VPC, Kubernetes cluster, IAM roles, S3 buckets, etc.) in your account.
+Customers are strongly recommended to prepare a **dedicated** AWS account, GCP project, or Azure subscription for hosting the ClickHouse BYOC deployment to ensure better isolation in terms of permissions and resources. ClickHouse will deploy a dedicated set of cloud resources (VPC/VNet, Kubernetes cluster, IAM roles/service accounts/service principals, object storage buckets, etc.) in your account.
 
 If you need a more customized setup (for example, deploying into an existing VPC), refer to the [Customized Onboarding](/cloud/reference/byoc/onboarding/customization-aws) documentation.
 
@@ -33,30 +33,32 @@
 
 ## Onboarding {#onboarding-process}
 
-### Prepare an AWS account/GCP project {#prepare-an-aws-account}
+### Prepare an AWS account/GCP project/Azure subscription {#prepare-an-aws-account}
 
-Prepare a fresh AWS account or GCP project under your organization. Visit our web console: https://console.clickhouse.cloud/byocOnboarding to continue the setup. 
+Prepare a fresh AWS account, GCP project, or Azure subscription under your organization.
 
 <VerticalStepper headerLevel="h3">
 
 ### Choose a Cloud Provider {#choose-cloud-provider}
 
 <Image img={byoc_onboarding_1} size="lg" alt="BYOC choose CSP" background='black'/>
 
-### Account/Project setup {#account-setup}
+### Account/project/subscription setup {#account-setup}
 
-The initial BYOC setup can be performed using either a [CloudFormation template(AWS)](https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/cf-templates/byoc.yaml) or a [Terraform module(GCP)](https://github.com/ClickHouse/terraform-byoc-onboarding/tree/main/modules/gcp). It creates a high privileged IAM role, enabling BYOC controllers from ClickHouse Cloud to manage your infrastructure. 
+The initial BYOC setup can be performed using a [CloudFormation template (AWS)](https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/cf-templates/byoc.yaml), a [Terraform module (GCP)](https://github.com/ClickHouse/terraform-byoc-onboarding/tree/main/modules/gcp), or a [Terraform module (Azure)](https://github.com/ClickHouse/terraform-byoc-onboarding/tree/main/modules/azure). It creates a highly privileged identity (IAM role/service account/service principal), enabling BYOC controllers from ClickHouse Cloud to manage your infrastructure.
 
 <Image img={byoc_onboarding_2} size="lg" alt="BYOC initialize account" background='black'/>
 
 :::note
-Storage buckets, VPC, Kubernetes cluster, and compute resources required for running ClickHouse aren't included in this initial setup. They will be provisioned in the next step.
+Storage buckets, VPC/VNet, Kubernetes cluster, and compute resources required for running ClickHouse aren't included in this initial setup. They will be provisioned in the next step.
 :::
+
 #### Alternative Terraform Module for AWS {#terraform-module-aws}
 
 If you prefer to use Terraform instead of CloudFormation for AWS deployments, we also provide a [Terraform module for AWS](https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/tf/byoc.tar.gz).
 
 Usage:
+
 ```hcl
 module "clickhouse_onboarding" {
   source   = "https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/tf/byoc.tar.gz"
@@ -66,15 +68,15 @@
 
 ### Set up BYOC infrastructure {#setup-byoc-infrastructure}
 
-You will be prompted to set up the infrastructure, including S3 buckets, VPC, and the Kubernetes cluster, from the ClickHouse Cloud console. Certain configurations must be determined at this stage, as they can't be changed later. Specifically:
+You will be prompted to set up the infrastructure, including object storage buckets, VPC/VNet, and the Kubernetes cluster, from the ClickHouse Cloud console. Certain configurations must be determined at this stage, as they can't be changed later. Specifically:
 
 - **Region**: All **public regions** listed in our [supported regions](https://clickhouse.com/docs/cloud/reference/supported-regions) documentation are available for BYOC deployments. Private regions aren't currently supported.
 
-- **VPC CIDR range**: By default, we use `10.0.0.0/16` for the BYOC VPC CIDR range. If you plan to use VPC peering with another account, ensure the CIDR ranges don't overlap. Allocate a proper CIDR range for BYOC, with a minimum size of `/22` to accommodate necessary workloads.
+- **VPC/VNet CIDR range**: By default, we use `10.0.0.0/16` for the BYOC VPC (AWS/GCP) or VNet (Azure) CIDR range. If you plan to use VPC/VNet peering with another account, ensure the CIDR ranges don't overlap. Allocate a proper CIDR range for BYOC, with a minimum size of `/23` to accommodate necessary workloads.
 
 - **Availability Zones**: If you plan to use VPC peering, aligning availability zones between the source and BYOC accounts can help reduce cross-AZ traffic costs. For example, in AWS, availability zone suffixes (`a`, `b`, `c`) may represent different physical zone IDs across accounts. See the [AWS guide](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-consistent-availability-zones-in-vpcs-across-different-aws-accounts.html) for details.
 
-<Image img={byoc_onboarding_3} size="lg" alt="BYOC setup infra" background='black'/>
+<Image img={byoc_onboarding_3} size="lg" alt="BYOC set up infrastructure" background='black'/>
 
 </VerticalStepper>
 

@@ -68,13 +68,13 @@ module "clickhouse_onboarding" {
 
 ### Set up BYOC infrastructure {#set-up-byoc-infrastructure}
 
-In the ClickHouse Cloud console, navigate to the [BYOC setup page](https://console.clickhouse.cloud/byocOnboarding) and configure the following:
+In the ClickHouse Cloud console, configure the following when setting up new infrastructure:
 
-1. Under **VPC Configuration**, select **Use existing VPC**.
+1. Under **VPC configuration**, select **Use existing VPC**.
 2. Enter your **VPC ID** (e.g., `vpc-0bb751a5b888ad123`).
 3. Enter the **Private subnet IDs** for the 3 subnets you configured earlier.
 4. Optionally, enter **Public subnet IDs** if your setup requires public-facing load balancers.
-5. Click **Setup Infrastructure** to begin provisioning.
+5. Click **Set up Infrastructure** to begin provisioning.
 
 <Image img={byoc_aws_existing_vpc_ui} size="lg" alt="ClickHouse Cloud BYOC setup UI with Use existing VPC selected" />
 
@@ -92,9 +92,11 @@ For organizations with advanced security requirements or strict compliance polic
 Customer-managed IAM roles are in private preview. If you require this capability, contact ClickHouse Support to discuss your specific requirements and timeline.
 
 When available, this feature will allow you to:
-* Provide pre-configured IAM roles for ClickHouse Cloud to use
-* Remove write permissions to IAM related permissions for `ClickHouseManagementRole` used for cross-account access
-* Maintain full control over role permissions and trust relationships
+
+- Provide pre-configured IAM roles for ClickHouse Cloud to use
+- Remove write permissions to IAM related permissions for `ClickHouseManagementRole` used for cross-account access
+- Maintain full control over role permissions and trust relationships
+
 :::
 
 For information about the IAM roles that ClickHouse Cloud creates by default, see the [BYOC Privilege Reference](/cloud/reference/byoc/reference/privilege).
@@ -9,6 +9,7 @@ doc_type: 'reference'
 
 import Image from '@theme/IdealImage';
 import byoc_gcp_subnet from '@site/static/images/cloud/reference/byoc-gcp-subnet.png';
+import byoc_gcp_existing_vpc_ui from '@site/static/images/cloud/reference/byoc-gcp-existing-vpc-ui.png';
 
 ## Customer-managed VPC (BYO-VPC) for GCP {#customer-managed-vpc-gcp}
 
@@ -32,16 +33,15 @@ Ensure a [Cloud NAT gateway](https://cloud.google.com/nat/docs/overview) is depl
 **DNS Resolution**
 Ensure your VPC has working DNS resolution and doesn't block, interfere with, or overwrite standard DNS names. ClickHouse BYOC relies on DNS to resolve Tailscale control servers and ClickHouse service endpoints. If DNS is unavailable or misconfigured, BYOC services may fail to connect or operate properly.
 
-### Contact ClickHouse support {#contact-clickhouse-support}
+### Set up BYOC infrastructure {#set-up-byoc-infrastructure}
 
-After completing the above configuration steps, create a support ticket with the following information:
+In the ClickHouse Cloud console, configure the following when setting up new infrastructure:
 
-* Your GCP project ID
-* The GCP region where you want to deploy the service
-* Your VPC network name
-* The subnet name you've allocated for ClickHouse
-* (Optional) The secondary IPv4 range names dedicated for ClickHouse. This is only required if the private subnet has multiple secondary IPv4 ranges and not all of them are intended for ClickHouse use
+1. Under **VPC configuration**, select **Use existing VPC**.
+2. Enter your **VPC network name**.
+3. Enter the **Subnet name** you allocated for ClickHouse.
+4. Click **Set up Infrastructure** to begin provisioning.
 
-Our team will review your configuration and complete the provisioning from our side.
+<Image img={byoc_gcp_existing_vpc_ui} size="lg" alt="ClickHouse Cloud BYOC setup UI with Use existing VPC selected for GCP" />
 
 </VerticalStepper>
@@ -1,5 +1,5 @@
 {
-  "label": "Customized Setup",
+  "label": "Customized setup",
   "collapsible": true,
   "collapsed": true
 }