cloud: add steps for creating private endpoints on Google Cloud and Azure (#22800)

hfxsd · web-flow · commit bb4644fb1b5e · 2026-04-24T10:16:03.000Z
diff --git a/tidb-cloud/set-up-private-endpoint-connections-on-azure.md b/tidb-cloud/set-up-private-endpoint-connections-on-azure.md
@@ -77,23 +77,72 @@ If you have multiple clusters, you need to repeat these steps for each cluster t
     >
     > For each TiDB Cloud Dedicated cluster, the corresponding endpoint service is automatically created 3 to 4 minutes after the cluster creation.
 
-2. Log in to the [Azure portal](https://portal.azure.com/), and then create a private endpoint for your cluster using the copied TiDB Cloud resource ID as follows:
+2. Create the private endpoint by using either the Azure portal or Azure CLI.
 
-    1. In the Azure portal, search for **Private endpoints**, and then select **Private endpoints** in the result.
-    2. On the **Private endpoint** page, click **+ Create**.
-    3. In the **Basics** tab, fill in the project and instance information, and then click **Next: Resource**.
-    4. In the **Resource** tab, choose **Connect to an Azure resource by resource ID or alias** as the **connection method**, and paste the TiDB Cloud resource ID to the **Resource ID or alias** field.
-    5. Continue clicking **Next** to go through the remaining configuration tabs and complete the required settings. Then, click **Create** to create and deploy the private endpoint. It might take a few seconds for Azure to complete the deployment. For more information, see [Create a private endpoint](https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip#create-a-private-endpoint) in Azure documentation.
+<SimpleTab>
+<div label="Use Azure portal">
 
-3. After the private endpoint is created and deployed, click **Go to resource**, and then do the following:
+1. Log in to the [Azure portal](https://portal.azure.com/).
+2. Search for **Private endpoints**, and then select **Private endpoints** in the result.
+3. On the **Private endpoint** page, click **+ Create**.
+4. In the **Basics** tab, fill in the project and instance information, and then click **Next: Resource**.
+5. In the **Resource** tab, choose **Connect to an Azure resource by resource ID or alias** as the **connection method**, and paste the copied TiDB Cloud resource ID to the **Resource ID or alias** field.
+6. Continue clicking **Next** to go through the remaining configuration tabs and complete the required settings. Then, click **Create** to create and deploy the private endpoint. It might take a few seconds for Azure to complete the deployment. For more information, see [Create a private endpoint](https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip#create-a-private-endpoint) in Azure documentation.
+7. After the private endpoint is created and deployed, click **Go to resource**, and then do the following:
 
-     - Click **Settings** > **Properties** in the left navigation pane, and copy its **Resource ID** for later use.
+    - Click **Settings** > **Properties** in the left navigation pane, and copy its **Resource ID** for later use.
 
-         ![Azure private endpoint resource ID](/media/tidb-cloud/azure-private-endpoint-resource-id.png)
+        ![Azure private endpoint resource ID](/media/tidb-cloud/azure-private-endpoint-resource-id.png)
 
-     - Click **Settings** > **DNS configuration** in the left navigation pane, and then copy its **IP address** for later use.
+    - Click **Settings** > **DNS configuration** in the left navigation pane, and then copy its **IP address** for later use.
 
-         ![Azure private endpoint DNS IP](/media/tidb-cloud/azure-private-endpoint-dns-ip.png)
+        ![Azure private endpoint DNS IP](/media/tidb-cloud/azure-private-endpoint-dns-ip.png)
+
+</div>
+<div label="Use Azure CLI">
+
+1. Sign in to Azure CLI and select your subscription:
+
+    ```bash
+    az login
+    az account set --subscription ${your_subscription_id}
+    ```
+
+2. Create the private endpoint by using the TiDB Cloud resource ID that you copied from the **Create Azure Private Endpoint Connection** dialog:
+
+    ```bash
+    az network private-endpoint create \
+      --name ${your_private_endpoint_name} \
+      --resource-group ${your_resource_group_name} \
+      --vnet-name ${your_vnet_name} \
+      --subnet ${your_subnet_name} \
+      --private-connection-resource-id "${your_tidb_cloud_resource_id}" \
+      --connection-name ${your_private_endpoint_connection_name} \
+      --location ${your_region}
+    ```
+
+3. Get the private endpoint **Resource ID**:
+
+    ```bash
+    az network private-endpoint show \
+      --name ${your_private_endpoint_name} \
+      --resource-group ${your_resource_group_name} \
+      --query "id" \
+      --output tsv
+    ```
+
+4. Get the private endpoint **IP address** from DNS configuration:
+
+    ```bash
+    az network private-endpoint show \
+      --name ${your_private_endpoint_name} \
+      --resource-group ${your_resource_group_name} \
+      --query "customDnsConfigs[0].ipAddresses[0]" \
+      --output tsv
+    ```
+
+</div>
+</SimpleTab>
 
 ### Step 3. Accept the endpoint
 
@@ -136,4 +185,4 @@ The endpoint service is created automatically after you open the **Create Azure
 
 The Azure private endpoint connection feature can automatically detect your private endpoints. This means that after [creating an Azure private endpoint](#step-2-create-an-azure-private-endpoint) in the Azure portal, if you click **Cancel** in the **Create Azure Private Endpoint Connection** dialog in the TiDB Cloud console, you can still view the created endpoint on the **Networking** page. If the cancellation is unintentional, you can continue to configure the endpoint to complete the setup. If the cancellation is intentional, you can delete the endpoint directly in the TiDB Cloud console.
 
-[^1]: The diagram of the Azure Private Link architecture is from the [What is Azure Private Link service](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview) document ([source file on GitHub](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/private-link/private-link-service-overview.md)) in Azure documentation, licensed under the Creative Commons Attribution 4.0 International.
+[^1]: The diagram of the Azure Private Link architecture is from the [What is Azure Private Link service](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview) document ([source file on GitHub](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/private-link/private-link-service-overview.md)) in Azure documentation, licensed under the Creative Commons Attribution 4.0 International.
diff --git a/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md b/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md
@@ -117,14 +117,36 @@ Before you begin to create an endpoint:
     - **Google Cloud Subnet Name**: the name of the subnet in the specified VPC. You can find it on the **VPC network details** page.
     - **Private Service Connect Endpoint Name**: enter a unique name for the private endpoint that will be created.
 2. After entering the information, click **Generate Command**.
-3. Copy the generated command.
-4. Open [Google Cloud Shell](https://console.cloud.google.com/home/dashboard) and execute the command to create the private endpoint.
+3. Create the private endpoint by using either the Google Cloud CLI or the Google Cloud console.
+
+<SimpleTab>
+<div label="Use Google Cloud CLI">
+
+1. Copy the generated command.
+2. Open [Google Cloud Shell](https://console.cloud.google.com/home/dashboard) and execute the command to create the private endpoint.
+
+</div>
+<div label="Use Google Cloud console">
+
+1. In the [Google Cloud console](https://console.cloud.google.com/), make sure the current project is the same as the **Google Cloud Project ID** you entered in TiDB Cloud.
+2. Go to **VPC network** > **Private Service Connect** > **Connected endpoints**, and then click **Connect endpoint**.
+3. Configure the endpoint by using the values from the generated command in TiDB Cloud:
+    - **Endpoint name**: use the forwarding rule name from the command.
+    - **Target**: select **Published service**, and then enter the service attachment URI from `--target-service-attachment`.
+    - **Region**: select the region from the command.
+    - **Network**: select your VPC network from `--network`.
+    - **Subnetwork**: select your subnet from `--subnet`.
+4. Click **Add endpoint** to create the endpoint.
+5. In **Connected endpoints**, verify that the new endpoint is created and record its endpoint name.
+
+</div>
+</SimpleTab>
 
 ### Step 3. Accept endpoint access
 
-After executing the command in Google Cloud Shell successfully, go back to the TiDB Cloud console and then click **Accept Endpoint Access**.
+After creating the endpoint in Google Cloud successfully, go back to the TiDB Cloud console, and then click **Accept Endpoint Access**.
 
-If you see an error `not received connection request from endpoint`, make sure that you have copied the command correctly and successfully executed it in your Google Cloud Shell.
+If you see an error `not received connection request from endpoint`, make sure that you have successfully created the endpoint in your Google Cloud project and that its configuration matches the generated command.
 
 ### Step 4. Connect to your TiDB cluster
 
