Binary file modified images/cloud/reference/byoc-aws-existing-vpc-ui.png
Binary file modified images/cloud/reference/byoc-new-infra-1.png
Binary file modified images/cloud/reference/byoc-new-infra-2.png
Binary file modified images/cloud/reference/byoc-onboarding-1.png
Binary file modified images/cloud/reference/byoc-onboarding-2.png
Binary file modified images/cloud/reference/byoc-onboarding-3.png
3 changes: 1 addition & 2 deletions products/bring-your-own-cloud/navigation.json
Expand Up @@ -36,8 +36,7 @@
"products/bring-your-own-cloud/onboarding/network-gcp"
]
},
"products/bring-your-own-cloud/onboarding/new-region",
"products/bring-your-own-cloud/onboarding/azure-private-preview"
"products/bring-your-own-cloud/onboarding/new-region"
]
},
{
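
Review bot: the `azure-private-preview` nav entry is dropped here and the page itself is deleted in this change, but nothing visible in the diff redirects the old URL `products/bring-your-own-cloud/onboarding/azure-private-preview`. Existing bookmarks and inbound links will 404; add a redirect to `onboarding/standard`, which now carries the Azure content.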
64 changes: 0 additions & 64 deletions products/bring-your-own-cloud/onboarding/azure-private-preview.mdx

This file was deleted.

14 changes: 8 additions & 6 deletions products/bring-your-own-cloud/onboarding/customization-aws.mdx
Expand Up @@ -68,13 +68,13 @@ module "clickhouse_onboarding" {
<Step>
### Set up BYOC infrastructure {#set-up-byoc-infrastructure}

In the ClickHouse Cloud console, navigate to the [BYOC setup page](https://console.clickhouse.cloud/byocOnboarding) and configure the following:
In the ClickHouse Cloud console, configure the following when setting up new infrastructure:

1. Under **VPC Configuration**, select **Use existing VPC**.
1. Under **VPC configuration**, select **Use existing VPC**.
2. Enter your **VPC ID** (e.g., `vpc-0bb751a5b888ad123`).
3. Enter the **Private subnet IDs** for the 3 subnets you configured earlier.
4. Optionally, enter **Public subnet IDs** if your setup requires public-facing load balancers.
5. Click **Setup Infrastructure** to begin provisioning.
5. Click **Set up Infrastructure** to begin provisioning.

<Image img="/images/cloud/reference/byoc-aws-existing-vpc-ui.png" size="lg" alt="ClickHouse Cloud BYOC setup UI with Use existing VPC selected" />

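Review bot: the intro sentence loses its link to the BYOC setup page and now says only "when setting up new infrastructure", so a reader arriving on this step has no pointer to where in the console that happens. Name the entry point (new-region.mdx describes it as the organization's "Infrastructure" page, then "Add new infrastructure") or link to that page. The label changes to **VPC configuration** and **Set up Infrastructure** should also be checked against the updated `byoc-aws-existing-vpc-ui.png`, since the binary is not viewable in review.
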
Expand All @@ -92,9 +92,11 @@ For organizations with advanced security requirements or strict compliance polic
Customer-managed IAM roles are in private preview. If you require this capability, contact ClickHouse Support to discuss your specific requirements and timeline.

When available, this feature will allow you to:
* Provide pre-configured IAM roles for ClickHouse Cloud to use
* Remove write permissions to IAM related permissions for `ClickHouseManagementRole` used for cross-account access
* Maintain full control over role permissions and trust relationships

- Provide pre-configured IAM roles for ClickHouse Cloud to use
- Remove write permissions to IAM related permissions for `ClickHouseManagementRole` used for cross-account access
- Maintain full control over role permissions and trust relationships

</Info>

For information about the IAM roles that ClickHouse Cloud creates by default, see the [BYOC Privilege Reference](/products/bring-your-own-cloud/reference/privilege).
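
Review bot: since the list is being rewritten anyway, the second bullet, "Remove write permissions to IAM related permissions for `ClickHouseManagementRole`", is worth fixing; it is hard to tell what is being removed from what. Something like "Remove IAM write permissions from the `ClickHouseManagementRole` used for cross-account access" states the scope reduction directly, which matters for readers evaluating this role.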
15 changes: 7 additions & 8 deletions products/bring-your-own-cloud/onboarding/customization-gcp.mdx
Expand Up @@ -33,16 +33,15 @@ Ensure a [Cloud NAT gateway](https://cloud.google.com/nat/docs/overview) is depl
Ensure your VPC has working DNS resolution and doesn't block, interfere with, or overwrite standard DNS names. ClickHouse BYOC relies on DNS to resolve Tailscale control servers and ClickHouse service endpoints. If DNS is unavailable or misconfigured, BYOC services may fail to connect or operate properly.
</Step>
<Step>
### Contact ClickHouse support {#contact-clickhouse-support}
### Set up BYOC infrastructure {#set-up-byoc-infrastructure}

After completing the above configuration steps, create a support ticket with the following information:
In the ClickHouse Cloud console, configure the following when setting up new infrastructure:

* Your GCP project ID
* The GCP region where you want to deploy the service
* Your VPC network name
* The subnet name you've allocated for ClickHouse
* (Optional) The secondary IPv4 range names dedicated for ClickHouse. This is only required if the private subnet has multiple secondary IPv4 ranges and not all of them are intended for ClickHouse use
1. Under **VPC configuration**, select **Use existing VPC**.
2. Enter your **VPC network name**.
3. Enter the **Subnet name** you allocated for ClickHouse.
4. Click **Set up Infrastructure** to begin provisioning.

Our team will review your configuration and complete the provisioning from our side.
<Image img="/images/cloud/reference/byoc-gcp-existing-vpc-ui.png" size="lg" alt="ClickHouse Cloud BYOC setup UI with Use existing VPC selected for GCP" />
</Step>
</Steps>
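
Review bot: the new console steps drop three inputs the support-ticket flow asked for: GCP project ID, region, and the optional secondary IPv4 range names. If the console collects or infers them elsewhere, say so; otherwise a user whose subnet has several secondary ranges has no way to indicate which are for ClickHouse. Also, `byoc-gcp-existing-vpc-ui.png` is referenced but is not among the image files listed in this change, and the heading anchor changes from `#contact-clickhouse-support` to `#set-up-byoc-infrastructure`, which breaks existing deep links.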
4 changes: 2 additions & 2 deletions products/bring-your-own-cloud/onboarding/new-region.mdx
Expand Up @@ -9,14 +9,14 @@ doc_type: 'reference'

import { Image } from "/snippets/components/Image.jsx";

After completing the initial onboarding, you may wish to deploy additional BYOC infrastructure in a different region or in another AWS account or GCP project.
After completing the initial onboarding, you may wish to deploy additional BYOC infrastructure in a different region or in another AWS account, GCP project, or Azure subscription.

To add a new BYOC deployment:

1. Navigate to your organization's "Infrastructure" page in the ClickHouse Cloud console.

<Image img="/images/cloud/reference/byoc-new-infra-1.png" size="lg" alt="BYOC infra page" />

2. Select "Add new account" or "Add new infrastructure" and follow the guided interface to complete the setup process.
1. Select "Add new infrastructure" and follow the guided interface to complete the setup process.

<Image img="/images/cloud/reference/byoc-new-infra-2.png" size="lg" alt="BYOC infra page" />
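
Review bot: renumbering the second step from `2.` to `1.` will likely render two steps numbered 1, because the unindented `<Image>` between the items ends the first list and the next `1.` starts a new one. Keep `2.`, or indent the `<Image>` under the first item so both steps stay in one list. The second image's alt text is still "BYOC infra page", identical to the first; a distinct description would help.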
24 changes: 13 additions & 11 deletions products/bring-your-own-cloud/onboarding/standard.mdx
Expand Up @@ -11,11 +11,11 @@ import { Image } from "/snippets/components/Image.jsx";

## What is standard onboarding? {#what-is-standard-onboarding}

**Standard onboarding** is the default, guided workflow for deploying ClickHouse in your own cloud account using BYOC. In this approach, ClickHouse Cloud provisions all of the core cloud resources required for your deployment—such as the VPC, subnets, security groups, Kubernetes (EKS/GKE) cluster, and supporting IAM roles/service accounts—within your AWS account/GCP project. This ensures consistent, secure configuration, and minimizes the manual steps required from your team.
**Standard onboarding** is the default, guided workflow for deploying ClickHouse in your own cloud account using BYOC. In this approach, ClickHouse Cloud provisions all of the core cloud resources required for your deployment—such as the VPC/VNet, subnets, security groups, Kubernetes (EKS/GKE/AKS) cluster, and supporting IAM roles/service accounts/service principals—within your AWS account, GCP project, or Azure subscription. This ensures consistent, secure configuration, and minimizes the manual steps required from your team.

With standard onboarding, you simply provide a dedicated AWS account/GCP project, and run an initial stack (via CloudFormation or Terraform) to create the minimum IAM permissions and trust required for ClickHouse Cloud to orchestrate further setup. All subsequent steps—including infrastructure provisioning and service launch—are managed through the ClickHouse Cloud web console.
With standard onboarding, you simply provide a dedicated AWS account, GCP project, or Azure subscription, and run an initial stack (via CloudFormation or Terraform) to create the minimum permissions and trust required for ClickHouse Cloud to orchestrate further setup. All subsequent steps—including infrastructure provisioning and service launch—are managed through the ClickHouse Cloud web console.

Customers are strongly recommended to prepare a **dedicated** AWS account or GCP project for hosting the ClickHouse BYOC deployment to ensure better isolation in terms of permissions and resources. ClickHouse will deploy a dedicated set of cloud resources (VPC, Kubernetes cluster, IAM roles, S3 buckets, etc.) in your account.
Customers are strongly recommended to prepare a **dedicated** AWS account, GCP project, or Azure subscription for hosting the ClickHouse BYOC deployment to ensure better isolation in terms of permissions and resources. ClickHouse will deploy a dedicated set of cloud resources (VPC/VNet, Kubernetes cluster, IAM roles/service accounts/service principals, object storage buckets, etc.) in your account.

If you need a more customized setup (for example, deploying into an existing VPC), refer to the [Customized Onboarding](/products/bring-your-own-cloud/onboarding/customization-aws) documentation.

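Review bot: the second paragraph now says the initial stack creates "the minimum permissions and trust", while the Account/project/subscription setup step later in this file says the same stack "creates a highly privileged identity". Pick one description; for a cross-account grant the reader should see the accurate one, ideally with a link to the privilege reference. The "Customized Onboarding" link below still targets only `customization-aws`, although this page now addresses GCP and Azure readers too.
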
Expand All @@ -29,9 +29,9 @@ To start the onboarding process, please [contact us](https://clickhouse.com/clou

## Onboarding {#onboarding-process}

### Prepare an AWS account/GCP project {#prepare-an-aws-account}
### Prepare an AWS account/GCP project/Azure subscription {#prepare-an-aws-account}

Prepare a fresh AWS account or GCP project under your organization. Visit our web console: https://console.clickhouse.cloud/byocOnboarding to continue the setup.
Prepare a fresh AWS account, GCP project, or Azure subscription under your organization.

<Steps>
<Step>
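
Review bot: removing "Visit our web console: https://console.clickhouse.cloud/byocOnboarding to continue the setup" leaves this section with no statement of where the following steps are performed. Add a sentence naming the console location. The heading now mentions Azure subscriptions while the anchor stays `{#prepare-an-aws-account}`; that is fine for link stability, but worth a deliberate decision.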
Expand All @@ -40,20 +40,22 @@ Prepare a fresh AWS account or GCP project under your organization. Visit our we
<Image img="/images/cloud/reference/byoc-onboarding-1.png" size="lg" alt="BYOC choose CSP" background='black'/>
</Step>
<Step>
### Account/Project setup {#account-setup}
### Account/project/subscription setup {#account-setup}

The initial BYOC setup can be performed using either a [CloudFormation template(AWS)](https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/cf-templates/byoc.yaml) or a [Terraform module(GCP)](https://github.com/ClickHouse/terraform-byoc-onboarding/tree/main/modules/gcp). It creates a high privileged IAM role, enabling BYOC controllers from ClickHouse Cloud to manage your infrastructure.
The initial BYOC setup can be performed using a [CloudFormation template (AWS)](https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/cf-templates/byoc.yaml), a [Terraform module (GCP)](https://github.com/ClickHouse/terraform-byoc-onboarding/tree/main/modules/gcp), or a [Terraform module (Azure)](https://github.com/ClickHouse/terraform-byoc-onboarding/tree/main/modules/azure). It creates a highly privileged identity (IAM role/service account/service principal), enabling BYOC controllers from ClickHouse Cloud to manage your infrastructure.

<Image img="/images/cloud/reference/byoc-onboarding-2.png" size="lg" alt="BYOC initialize account" background='black'/>

<Note>
Storage buckets, VPC, Kubernetes cluster, and compute resources required for running ClickHouse aren't included in this initial setup. They will be provisioned in the next step.
Storage buckets, VPC/VNet, Kubernetes cluster, and compute resources required for running ClickHouse aren't included in this initial setup. They will be provisioned in the next step.
</Note>

#### Alternative Terraform Module for AWS {#terraform-module-aws}

If you prefer to use Terraform instead of CloudFormation for AWS deployments, we also provide a [Terraform module for AWS](https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/tf/byoc.tar.gz).

Usage:

```hcl
module "clickhouse_onboarding" {
source = "https://s3.us-east-2.amazonaws.com/clickhouse-public-resources.clickhouse.cloud/tf/byoc.tar.gz"
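
Review bot: the sentence "It creates a highly privileged identity (IAM role/service account/service principal)" does not tell the reader what is granted; link it to the BYOC Privilege Reference (`/products/bring-your-own-cloud/reference/privilege`, already used in customization-aws.mdx) and state whether that reference covers the Azure service principal. The new Azure module link `modules/azure` should be confirmed to resolve before merge.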
Expand All @@ -64,15 +66,15 @@ module "clickhouse_onboarding" {
<Step>
### Set up BYOC infrastructure {#setup-byoc-infrastructure}

You will be prompted to set up the infrastructure, including S3 buckets, VPC, and the Kubernetes cluster, from the ClickHouse Cloud console. Certain configurations must be determined at this stage, as they can't be changed later. Specifically:
You will be prompted to set up the infrastructure, including object storage buckets, VPC/VNet, and the Kubernetes cluster, from the ClickHouse Cloud console. Certain configurations must be determined at this stage, as they can't be changed later. Specifically:

- **Region**: All **public regions** listed in our [supported regions](/products/cloud/reference/supported-regions) documentation are available for BYOC deployments. Private regions aren't currently supported.

- **VPC CIDR range**: By default, we use `10.0.0.0/16` for the BYOC VPC CIDR range. If you plan to use VPC peering with another account, ensure the CIDR ranges don't overlap. Allocate a proper CIDR range for BYOC, with a minimum size of `/22` to accommodate necessary workloads.
- **VPC/VNet CIDR range**: By default, we use `10.0.0.0/16` for the BYOC VPC (AWS/GCP) or VNet (Azure) CIDR range. If you plan to use VPC/VNet peering with another account, ensure the CIDR ranges don't overlap. Allocate a proper CIDR range for BYOC, with a minimum size of `/23` to accommodate necessary workloads.

- **Availability Zones**: If you plan to use VPC peering, aligning availability zones between the source and BYOC accounts can help reduce cross-AZ traffic costs. For example, in AWS, availability zone suffixes (`a`, `b`, `c`) may represent different physical zone IDs across accounts. See the [AWS guide](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-consistent-availability-zones-in-vpcs-across-different-aws-accounts.html) for details.

<Image img="/images/cloud/reference/byoc-onboarding-3.png" size="lg" alt="BYOC setup infra" background='black'/>
<Image img="/images/cloud/reference/byoc-onboarding-3.png" size="lg" alt="BYOC set up infrastructure" background='black'/>
</Step>
</Steps>

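Review bot: the minimum CIDR size changes from `/22` to `/23` with no explanation, which halves the minimum address space from 1,024 to 512 addresses. Confirm this holds for AWS, GCP and Azure alike, or state per-provider minimums. The **Availability Zones** bullet still says "VPC peering" while the CIDR bullet now says "VPC/VNet peering"; align them or mark the AZ guidance as AWS-specific.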