cloud: Azure CMEK configuration guide

[ginkgoch]

What is changed, added or deleted? (Required)

• Add Azure CMEK configuration guide
• Update existing AWS CMEK for relaxing some of the limitations
• Add new doc to TOC.

Which TiDB version(s) do your changes apply to? (Required)

Tips for choosing the affected version(s):

By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.

For details, see tips for choosing the affected versions.

• master (the latest development version)
• v9.0 (TiDB 9.0 versions)
• v8.5 (TiDB 8.5 versions)
• v8.1 (TiDB 8.1 versions)
• v7.5 (TiDB 7.5 versions)
• v7.1 (TiDB 7.1 versions)
• v6.5 (TiDB 6.5 versions)
• v6.1 (TiDB 6.1 versions)
• v5.4 (TiDB 5.4 versions)

What is the related PR or file link(s)?

• This PR is translated from:
• Other reference link(s):

Do your changes match any of the following descriptions?

• Delete files
• Change aliases
• Need modification after applied to another branch
• Might cause conflicts after applied to another branch

[ti-chi-bot]

Hi @ginkgoch. Thanks for your PR.

I'm waiting for a pingcap member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[gemini-code-assist]

Summary of Changes

Hello @ginkgoch, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly expands the documentation for Customer-Managed Encryption Keys (CMEK) in TiDB Cloud by introducing a dedicated guide for Azure. It also refines the existing AWS CMEK documentation, making it more inclusive and removing previous limitations, thereby enhancing the security options available to users for their TiDB Cloud Dedicated clusters.

Highlights

• New Azure CMEK Configuration Guide: A comprehensive guide has been added detailing how to configure Customer-Managed Encryption Keys (CMEK) for TiDB Cloud Dedicated clusters on Azure, covering steps from project creation to key rotation and access management.
• Updated AWS CMEK Documentation: The existing AWS CMEK documentation has been updated to reflect broader availability by removing the 'available upon request' restriction and clarifying support for both AWS and Azure CMEK within the same project across multiple regions.
• Table of Contents Update: The Table of Contents for TiDB Cloud documentation has been updated to include the new Azure CMEK guide and to differentiate the existing CMEK guide specifically for AWS.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive guide for configuring Customer-Managed Encryption Keys (CMEK) on Azure and updates the existing AWS documentation to reflect multi-cloud support. The changes are well-structured and clear. I've added several minor suggestions to the new Azure guide to enhance clarity, correct minor grammatical points, and fix a technical issue with the tabbed content, ensuring a smoother experience for the user.

[ti-chi-bot]

@ideascf: adding LGTM is restricted to approvers and reviewers in OWNERS files.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2025-09-16 06:12:16.966437142 +0000 UTC m=+946603.526318649: ☑️ agreed by Oreoxmt.
• 2025-09-16 07:49:01.300535418 +0000 UTC m=+952407.860416925: ☑️ agreed by hfxsd.

[hfxsd]

/retest

[hfxsd]

/approve

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hfxsd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [hfxsd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hfxsd]

/retest

[hfxsd]

/approve