(DOCPS-13251) AWS PrivateLink (#5)

* (DOCPS-13251) AWS PrivateLink

* Create stepfiles

* Try 100% diagrams

* Restructure privatelink steps

* Add ui-org-menu to snooty.toml

* To test links

* wip

* Remove interface endpoint term link

* wip

* wip

* Editing

* Editing

* Editing

* fix bullets

* fix bullets

Author: zach-carr

snooty.toml

@@ -6,9 +6,9 @@ intersphinx = ["https://docs.mongodb.com/manual/objects.inv","https://docs.atlas
 toc_landing_pages = ["/tutorial/getting-started"]
 
 [constants]
+aws-pl = "AWS PrivateLink"
 
 [substitutions]
-
 govcloud = "MongoDB Cloud for Government"
 govcloud-short = "MongoDB CloudGov"
 2fa = ":abbr:`2FA (Two Factor Authentication)`"
@@ -108,6 +108,7 @@ tls-ssl = ":abbr:`TLS (Transport Layer Security)` :abbr:`SSL (Secure Sockets Lay
 tls = ":abbr:`TLS (Transport Layer Security)`"
 totp = ":abbr:`TOTP (Time-based One-time Password Algorithm)`"
 udp = ":abbr:`UDP (User Datagram Protocol)`"
+ui-org-menu = ":icon-mms:`office` :guilabel:`Organizations` menu"
 upn = ":abbr:`UPN (User Principal Name)`"
 uri = ":abbr:`URI (Uniform Resource Identifier)`"
 url = ":abbr:`URL (Uniform Resource Locator)`"

source/images/aws-privatelink-directconnect.svg

@@ -1,5 +1,5 @@
 |govcloud| clusters support :ref:`Cluster Auto-Scaling
-<cluster-autoscaling>`. When auto-scaling is enabled, |service|
+<cluster-autoscaling>`. When auto-scaling is enabled, |govcloud-short|
 automatically scales your cluster tier, storage capacity, or both in
 response to cluster usage. Consider enabling auto-scaling to allow your
 cluster to adapt to your current workload and reduce the need to make

source/images/aws-privatelink.svg

@@ -3,6 +3,6 @@
    For replica sets, the data-bearing servers are the servers hosting 
    the replica set nodes. For sharded clusters, the data-bearing 
    servers are the servers hosting the shards. For sharded clusters, 
-   |service| also deploys servers for the 
+   |govcloud-short| also deploys servers for the 
    :ref:`config servers <sharding-config-server>`; these are charged at 
    a rate separate from the cluster costs.

source/includes/facts/auto-scaling-brief.rst

@@ -0,0 +1,210 @@
+title: "Navigate to the :guilabel:`Network Access` page for your project."
+ref: project-nav-nw-access-page
+level: 4
+stepnum: 1
+content: |
+
+  a. If it is not already displayed, select the organization that
+     contains your desired project from the |ui-org-menu| in the
+     navigation bar.
+
+  #. If it is not already displayed, select your desired project
+     from the :guilabel:`Projects` menu in the navigation bar.
+
+  #. Click :guilabel:`Network Access` in the sidebar.
+
+---
+title: "Create a private endpoint."
+ref: create-private-endpoint
+level: 4
+stepnum: 2
+content: |
+
+  a. Click the :guilabel:`Private Endpoint` tab.
+
+  #. Click :guilabel:`Add Private Endpoint`.
+
+---
+title: "Choose a cloud provider."
+ref: select-cloud-provider
+level: 4
+stepnum: 3
+content: |
+
+  Click the |aws| logo, then click :guilabel:`Next`.
+
+---
+title: "Choose a region."
+ref: select-region
+level: 4
+stepnum: 4
+content: |
+
+  a. From the :guilabel:`Atlas Region` list, select the region
+     in which you want to create the private endpoint.
+
+  #. Click :guilabel:`Next`.
+
+  |govcloud-short| creates |vpc| resources in the region
+  you selected. This might take several minutes to complete.
+
+---
+title: "Configure your private endpoint."
+ref: configure-private-endpoint-aws
+level: 4
+stepnum: 5
+content: |
+
+    a. Enter the following details about your |aws| |vpc|:
+
+       .. list-table::
+          :widths: 20 80
+
+          * - :guilabel:`Your VPC ID`
+            - Unique identifier of the peer |aws| |vpc|. Find this 
+              value on the |vpc| dashboard in your |aws| account.
+
+          * - :guilabel:`Your Subnet IDs`
+            - Unique identifiers of the subnets your |aws| |vpc| uses. 
+              Find these values on the :guilabel:`Subnet` dashboard in 
+              your |aws| account.
+
+              .. important::
+
+                You must specify at least one subnet. If you don't, 
+                |aws| won't provision an interface endpoint in
+                your |vpc|. An  is required for 
+                clients in your |vpc| to send traffic to the private endpoint.
+
+    #. Copy the command the dialog displays and run it using the |aws| 
+       CLI.
+
+       .. note::
+        
+          You can't copy the command until |govcloud-short| finishes
+          creating |vpc| resources in the background.
+
+          See :aws:`Creating an Interface Endpoint </vpc/latest/userguide/vpce-interface.html#create-interface-endpoint>` to perform this task using the |aws| CLI.
+      
+    #. You might receive an error like the following when you create 
+       the private endpoint:
+
+       .. code-block:: sh
+          :copyable: false
+
+          An error occurred (InvalidParameter) when calling the CreateVpcEndpoint 
+          operation: The VPC endpoint service com.amazonaws.vpce.us-east-1.vpce-svc-<...> 
+          does not support the availability zone of the subnet: subnet-<...>.
+
+       If you receive this error, |govcloud-short| has deployed |vpc| 
+       resources into different availability zones than the ones to 
+       which you deployed your |vpc| subnets. 
+       Please contact MongoDB Support for assistance resolving this 
+       error. To contact support, click :guilabel:`Support` from the left-hand navigation bar of the |govcloud-short| UI.
+            
+    #. Click :guilabel:`Next`.
+
+---
+title: "Finalize your private endpoint connection."
+ref: finalize-private-endpoint
+level: 4
+stepnum: 6
+content: |
+
+    a. Enter your :guilabel:`VPC Endpoint ID`. This is a 
+       22-character alphanumeric string that identifies your private 
+       endpoint. Find this value on the |aws| VPC Dashboard under 
+       :guilabel:`Endpoints` > :guilabel:`VPC ID`.
+
+    #. Click :guilabel:`Create`.
+
+
+---
+title: "Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint." 
+level: 4
+ref: resource-sg-pl
+stepnum: 7
+content: |
+
+  For each resource that needs to connect to your |govcloud-short| 
+  clusters using {+aws-pl+}, the resource's security group must allow 
+  outbound traffic to the interface endpoint's private IP(s) on all 
+  ports.
+
+  See :aws:`Adding Rules to a Security Group </AWSEC2/latest/UserGuide/ec2-security-groups.html#adding-security-group-rule>` in the |aws| 
+  documentation for more information.
+
+---
+title: "Create a security group for your interface endpoint to allow resources to access it."
+ref: attach-sg-pl
+level: 4
+stepnum: 8
+content: |
+
+  This security group must allow inbound traffic on all ports from each 
+  resource that needs to connect to your |govcloud-short| clusters 
+  using {+aws-pl+}:
+
+  a. In the |aws| console, navigate to the :guilabel:`VPC Dashboard`. 
+  
+  #. Click :guilabel:`Security Groups`, then click 
+     :guilabel:`Create security group`.
+
+  #. Use the wizard to create a security group. Make sure you select 
+     your VPC from the :guilabel:`VPC` list.
+
+  #. Select the security group you just created, then click the 
+     :guilabel:`Inbound Rules` tab.
+
+  #. Click :guilabel:`Edit Rules`.
+
+  #. Add rules to allow all inbound traffic from each resource in your
+     VPC that you want to connect to your |govcloud-short| cluster.
+
+  #. Click :guilabel:`Save Rules`.
+
+  #. Click :guilabel:`Endpoints`, then click the endpoint for your
+     VPC.
+
+  #. Click the :guilabel:`Security Groups` tab, then click 
+     :guilabel:`Edit Security Groups`.
+
+  #. Add the security group you just created, then click 
+     :guilabel:`Save`.
+
+  See :aws:`VPC security groups 
+  </vpc/latest/userguide/VPC_SecurityGroups.html>` in the |aws| 
+  documentation for more information.
+
+---
+title: "Verify that the private endpoint is available."
+ref: verify-active-pl-aws
+level: 4
+stepnum: 9
+content: |
+
+  You can connect to a |govcloud-short| cluster using the {+aws-pl+} 
+  private endpoint when all of the resources are configured and the 
+  private endpoint becomes available.
+
+  To verify that the {+aws-pl+} private endpoint is available:
+
+  a. In the :guilabel:`Security` section of the left navigation,
+     click :guilabel:`Network Access`.
+  #. On the :guilabel:`Private Endpoint` tab, verify the following 
+     statuses for the region that contains the cluster 
+     you want to connect to using {+aws-pl+}:
+
+     .. list-table::
+        :widths: 20 80
+
+        * - :guilabel:`Atlas Endpoint Service Status`
+          - Ready for connection requests
+           
+        * - :guilabel:`Endpoint Status`
+          - Available
+
+  If you do not see these statuses, see 
+  :ref:`privatelink-troubleshooting` for additional information.
+
+...

source/includes/footnotes/data-bearing.rst

@@ -0,0 +1,80 @@
+ref: go-clusters-view-cluster-pl
+level: 4
+stepnum: 1
+title: "Click :guilabel:`Connect`."
+content: |
+
+  In the :guilabel:`Clusters` view, click :guilabel:`Connect`
+  for the cluster to which you want to connect.
+
+---
+ref: select-private-endpoint-pl
+level: 4
+stepnum: 2
+title: "Select the :guilabel:`Private Endpoint` connection type."
+
+---
+ref: select-private-endpoint-connect-pl
+level: 4
+stepnum: 3
+title: "Select the private endpoint to which you want to connect."
+
+---
+ref: create-mongodb-user-cluster-pl
+level: 4
+stepnum: 4
+title: "Create a Database User."
+content: |
+
+  .. important::
+
+     **Skip this step** if |govcloud-short| indicates in the
+     :guilabel:`Setup connection security` step that you have at least
+     one database user configured in your project. To manage existing
+     database users, see :ref:`configure-dbusers`.
+
+  To access the cluster, you need a MongoDB user with access to the
+  desired database or databases on the cluster in your project. If your
+  project has no MongoDB users, |govcloud-short| prompts you to create 
+  a new user with the :ref:`Atlas Admin <atlas-user-privileges>` role.
+
+  a. Enter the new user's :guilabel:`Username`.
+  b. Enter a :guilabel:`Password` for this new user or click
+     :guilabel:`Autogenerate Secure Password`.
+  c. Click :guilabel:`Create Database User` to save the user.
+
+  Use this user to connect to your cluster in the following step.
+
+  Once you have added an IP address to your IP access list and added a
+  database user, click :guilabel:`Choose Your Connection Method`.
+
+---
+ref: connect-details-pl
+level: 4
+stepnum: 5
+title: "Click :guilabel:`Choose a connection method`."
+content: |
+
+  Private endpoint-aware connection strings are available in one 
+  of the following formats:
+
+  - DNS seedlist connection
+
+    .. code-block:: none
+       :copyable: false
+
+       mongodb+srv://cluster0-pl-0-auylw.mongodb.net
+
+  - Standard connection string
+
+    .. code-block:: none
+       :copyable: false
+
+       mongodb://pl-0-us-east-1-auylw.mongodb.net:1024,pl-0-us-east-1-auylw.mongodb.net:1025,pl-0-us-east-1-auylw.mongodb.net:1026/?ssl=true&authSource=admin&replicaSet=Cluster0-shard-0-shard-0
+
+  MongoDB recommends that your clients use the DNS seedlist connection
+  string format. If your driver doesn't support this format, select an
+  older version of your driver or version :guilabel:`3.4 or earlier` of
+  the |mongo| shell from the :guilabel:`Connect` tab to use the
+  standard connection string format.
+...

source/includes/privatelink/steps-configure-privatelink-aws.yaml

@@ -0,0 +1,37 @@
+ref: network-access-pl
+level: 4
+stepnum: 1
+title: "Navigate to the :guilabel:`Network Access` page for your project."
+content: |
+
+  a. If it is not already displayed, select the organization that
+     contains your desired project from the |ui-org-menu| in the
+     navigation bar.
+
+  #. If it is not already displayed, select your desired project
+     from the :guilabel:`Projects` menu in the navigation bar.
+
+  #. Click :guilabel:`Network Access` in the sidebar.
+---
+ref: remove-private-endpoint-aws
+level: 4
+stepnum: 2
+title: "Remove the private endpoint from |govcloud-short|."
+content: |
+
+  a. Click the :guilabel:`Private Endpoint` tab.
+
+  #. Next to the private endpoint you want to remove, click
+     :guilabel:`Terminate`.
+
+  #. To confirm, click :guilabel:`Confirm` in the dialog.
+
+  .. note::
+
+     When you delete a private endpoint from a region in
+     |govcloud-short|, you must manually 
+     :aws:`delete the private endpoint </vpc/latest/userguide/delete-vpc-endpoint.html>` 
+     in |aws|. |aws| lists the endpoint as ``rejected``. 
+     |govcloud-short| can't delete this resource because it lacks the 
+     required permissions.
+...

source/includes/privatelink/steps-connect-to-cluster-privatelink.yaml

@@ -0,0 +1,28 @@
+---
+stepnum: 1
+ref: nav-to-project-settings
+level: 4
+title: "Navigate to the :guilabel:`Settings` page for your project."
+content: |
+
+  a. If it is not already displayed, select the organization that
+     contains your desired project from the |ui-org-menu| in the
+     navigation bar.
+
+  #. If it is not already displayed, select your desired project
+     from the :guilabel:`Projects` menu in the navigation bar.
+
+  #. Next to the :guilabel:`Projects` menu, expand the
+     :guilabel:`Options` menu, then click :guilabel:`Project Settings`.
+
+---
+stepnum: 2
+ref: enable-regionalized-pl
+level: 4
+title: "Enable the setting."
+content: |
+
+  Toggle the :guilabel:`Multiple Regionalized Private Endpoints` setting
+  to :guilabel:`Yes`.
+
+...