Console
    Contact Us Start free

    Data Boundary for International Traffic in Arms Regulations (ITAR)

    This page describes the set of controls that are applied on ITAR workloads in Assured Workloads. It provides detailed information about data residency , supported Google Cloud products and their API endpoints, and any applicable restrictions or limitations on those products. The following additional information applies to ITAR:

    Prerequisites

    To remain compliant as a user of the ITAR control package, verify that you satisfy and adhere to the following prerequisites:

    • Create an ITAR folder using Assured Workloads and deploy your ITAR workloads only in that folder.
    • Only enable and use in-scope ITAR services for ITAR workloads.
    • Don't change the default organization policy constraint values unless you understand and are willing to accept the data residency risks that might occur.
    • When accessing the Google Cloud console for ITAR workloads, you must use one of the following Jurisdictional Google Cloud console URLs:
    • When connecting to Google Cloud service endpoints, you must use regional endpoints for services that offer them. In addition:
      • When connecting to Google Cloud service endpoints from non-Google Cloud VMs —such as on-premises or other cloud providers' VMs— you must use one of the available private access options that support connections to non-Google Cloud VMs to route the non-Google Cloud traffic into Google Cloud.
      • When connecting to Google Cloud service endpoints from Google Cloud VMs, you can use any of the available private access options .
      • When connecting to Google Cloud VMs that have been exposed with external IP addresses, refer to Access APIs from VMs with external IP addresses .
    • For all services used in an ITAR folder, don't store technical data in the following user-defined or security configuration information types:
      • Error messages
      • Console output
      • Attribute data
      • Service configuration data
      • Network packet headers
      • Resource identifiers
      • Data labels
    • Use only the specified regional endpoints for services that offer them. For more information, see in-scope ITAR services .
    • Consider adopting the general security best practices provided in the Google Cloud security best practices center .

    Supported products and API endpoints

    Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings , are listed in the following table.

    If a product is not listed, that product is unsupported and has not met the control requirements for ITAR. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model . Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.

    Supported product
    ITAR-compliant API endpoints
    Restrictions or limitations
    Access Approval
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • accessapproval.googleapis.com
    None
    Access Context Manager
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • accesscontextmanager.googleapis.com
    None
    Artifact Registry
    Regional API endpoints:
    • artifactregistry.us-central1.rep.googleapis.com
    • artifactregistry.us-central2.rep.googleapis.com
    • artifactregistry.us-east1.rep.googleapis.com
    • artifactregistry.us-east4.rep.googleapis.com
    • artifactregistry.us-east5.rep.googleapis.com
    • artifactregistry.us-east7.rep.googleapis.com
    • artifactregistry.us-south1.rep.googleapis.com
    • artifactregistry.us-west1.rep.googleapis.com
    • artifactregistry.us-west2.rep.googleapis.com
    • artifactregistry.us-west3.rep.googleapis.com
    • artifactregistry.us-west4.rep.googleapis.com
    • artifactregistry.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • artifactregistry.googleapis.com
    None
    BigQuery
    Regional API endpoints:
    • bigquery.us-central1.rep.googleapis.com
    • bigquery.us-central2.rep.googleapis.com
    • bigquery.us-east1.rep.googleapis.com
    • bigquery.us-east4.rep.googleapis.com
    • bigquery.us-east5.rep.googleapis.com
    • bigquery.us-east7.rep.googleapis.com
    • bigquery.us-south1.rep.googleapis.com
    • bigquery.us-west1.rep.googleapis.com
    • bigquery.us-west2.rep.googleapis.com
    • bigquery.us-west3.rep.googleapis.com
    • bigquery.us-west4.rep.googleapis.com
    • bigquery.us-west8.rep.googleapis.com
    • bigquerydatatransfer.us-central1.rep.googleapis.com
    • bigquerydatatransfer.us-central2.rep.googleapis.com
    • bigquerydatatransfer.us-east1.rep.googleapis.com
    • bigquerydatatransfer.us-east4.rep.googleapis.com
    • bigquerydatatransfer.us-east5.rep.googleapis.com
    • bigquerydatatransfer.us-east7.rep.googleapis.com
    • bigquerydatatransfer.us-south1.rep.googleapis.com
    • bigquerydatatransfer.us-west1.rep.googleapis.com
    • bigquerydatatransfer.us-west2.rep.googleapis.com
    • bigquerydatatransfer.us-west3.rep.googleapis.com
    • bigquerydatatransfer.us-west4.rep.googleapis.com
    • bigquerydatatransfer.us-west8.rep.googleapis.com
    • bigquerymigration.us-central1.rep.googleapis.com
    • bigquerymigration.us-central2.rep.googleapis.com
    • bigquerymigration.us-east1.rep.googleapis.com
    • bigquerymigration.us-east4.rep.googleapis.com
    • bigquerymigration.us-east5.rep.googleapis.com
    • bigquerymigration.us-east7.rep.googleapis.com
    • bigquerymigration.us-south1.rep.googleapis.com
    • bigquerymigration.us-west1.rep.googleapis.com
    • bigquerymigration.us-west2.rep.googleapis.com
    • bigquerymigration.us-west3.rep.googleapis.com
    • bigqueryreservation.us-central1.rep.googleapis.com
    • bigqueryreservation.us-central2.rep.googleapis.com
    • bigqueryreservation.us-east1.rep.googleapis.com
    • bigqueryreservation.us-east4.rep.googleapis.com
    • bigqueryreservation.us-east5.rep.googleapis.com
    • bigqueryreservation.us-east7.rep.googleapis.com
    • bigqueryreservation.us-south1.rep.googleapis.com
    • bigqueryreservation.us-west1.rep.googleapis.com
    • bigqueryreservation.us-west2.rep.googleapis.com
    • bigqueryreservation.us-west3.rep.googleapis.com
    • bigqueryreservation.us-west4.rep.googleapis.com
    • bigqueryreservation.us-west8.rep.googleapis.com
    • bigquerystorage.us-central1.rep.googleapis.com
    • bigquerystorage.us-central2.rep.googleapis.com
    • bigquerystorage.us-east1.rep.googleapis.com
    • bigquerystorage.us-east4.rep.googleapis.com
    • bigquerystorage.us-east5.rep.googleapis.com
    • bigquerystorage.us-east7.rep.googleapis.com
    • bigquerystorage.us-south1.rep.googleapis.com
    • bigquerystorage.us-west1.rep.googleapis.com
    • bigquerystorage.us-west2.rep.googleapis.com
    • bigquerystorage.us-west3.rep.googleapis.com
    • bigquerystorage.us-west4.rep.googleapis.com
    • bigquerystorage.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • bigquery.googleapis.com
    • bigqueryconnection.googleapis.com
    • bigquerydatapolicy.googleapis.com
    • bigquerydatatransfer.googleapis.com
    • bigquerymigration.googleapis.com
    • bigqueryreservation.googleapis.com
    • bigquerystorage.googleapis.com
    Affected features
    Certificate Authority Service
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • privateca.googleapis.com
    None
    Cloud Composer
    Regional API endpoints:
    • composer.us-central1.rep.googleapis.com
    • composer.us-east1.rep.googleapis.com
    • composer.us-east4.rep.googleapis.com
    • composer.us-east5.rep.googleapis.com
    • composer.us-east7.rep.googleapis.com
    • composer.us-south1.rep.googleapis.com
    • composer.us-west1.rep.googleapis.com
    • composer.us-west2.rep.googleapis.com
    • composer.us-west3.rep.googleapis.com
    • composer.us-west4.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • composer.googleapis.com
    None
    Cloud DNS
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • dns.googleapis.com
    Affected features
    Cloud External Key Manager (Cloud EKM)
    Regional API endpoints:
    • cloudkms.us-central1.rep.googleapis.com
    • cloudkms.us-central2.rep.googleapis.com
    • cloudkms.us-east1.rep.googleapis.com
    • cloudkms.us-east4.rep.googleapis.com
    • cloudkms.us-east5.rep.googleapis.com
    • cloudkms.us-east7.rep.googleapis.com
    • cloudkms.us-south1.rep.googleapis.com
    • cloudkms.us-west1.rep.googleapis.com
    • cloudkms.us-west2.rep.googleapis.com
    • cloudkms.us-west3.rep.googleapis.com
    • cloudkms.us-west4.rep.googleapis.com
    • cloudkms.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • cloudkms.googleapis.com
    None
    Cloud HSM
    Regional API endpoints:
    • cloudkms.us-central1.rep.googleapis.com
    • cloudkms.us-central2.rep.googleapis.com
    • cloudkms.us-east1.rep.googleapis.com
    • cloudkms.us-east4.rep.googleapis.com
    • cloudkms.us-east5.rep.googleapis.com
    • cloudkms.us-east7.rep.googleapis.com
    • cloudkms.us-south1.rep.googleapis.com
    • cloudkms.us-west1.rep.googleapis.com
    • cloudkms.us-west2.rep.googleapis.com
    • cloudkms.us-west3.rep.googleapis.com
    • cloudkms.us-west4.rep.googleapis.com
    • cloudkms.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • cloudkms.googleapis.com
    None
    Cloud Interconnect
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    Affected features
    Cloud Key Management Service (Cloud KMS)
    Regional API endpoints:
    • cloudkms.us-central1.rep.googleapis.com
    • cloudkms.us-central2.rep.googleapis.com
    • cloudkms.us-east1.rep.googleapis.com
    • cloudkms.us-east4.rep.googleapis.com
    • cloudkms.us-east5.rep.googleapis.com
    • cloudkms.us-east7.rep.googleapis.com
    • cloudkms.us-south1.rep.googleapis.com
    • cloudkms.us-west1.rep.googleapis.com
    • cloudkms.us-west2.rep.googleapis.com
    • cloudkms.us-west3.rep.googleapis.com
    • cloudkms.us-west4.rep.googleapis.com
    • cloudkms.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • cloudkms.googleapis.com
    None
    Cloud Load Balancing
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    Affected features
    Cloud Logging
    Regional API endpoints:
    • logging.us-central1.rep.googleapis.com
    • logging.us-central2.rep.googleapis.com
    • logging.us-east1.rep.googleapis.com
    • logging.us-east4.rep.googleapis.com
    • logging.us-east5.rep.googleapis.com
    • logging.us-east7.rep.googleapis.com
    • logging.us-south1.rep.googleapis.com
    • logging.us-west1.rep.googleapis.com
    • logging.us-west2.rep.googleapis.com
    • logging.us-west3.rep.googleapis.com
    • logging.us-west4.rep.googleapis.com
    • logging.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • logging.googleapis.com
    Affected features
    Cloud Monitoring
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • monitoring.googleapis.com
    Affected features
    Cloud NAT
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • networkconnectivity.googleapis.com
    Affected features
    Cloud OS Login API
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • oslogin.googleapis.com
    None
    Cloud Router
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • networkconnectivity.googleapis.com
    Affected features
    Cloud Run
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • run.googleapis.com
    Affected features
    Cloud SQL
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • sqladmin.googleapis.com
    Affected features
    Cloud Storage
    Regional API endpoints:
    • storage.us-central1.rep.googleapis.com
    • storage.us-central2.rep.googleapis.com
    • storage.us-east1.rep.googleapis.com
    • storage.us-east4.rep.googleapis.com
    • storage.us-east5.rep.googleapis.com
    • storage.us-east7.rep.googleapis.com
    • storage.us-south1.rep.googleapis.com
    • storage.us-west1.rep.googleapis.com
    • storage.us-west2.rep.googleapis.com
    • storage.us-west3.rep.googleapis.com
    • storage.us-west4.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • storage.googleapis.com
    Affected features
    Cloud VPN
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    Affected features
    Compute Engine
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    Affected features and organization policy constraints
    Dataflow
    Regional API endpoints:
    • dataflow.us-central1.rep.googleapis.com
    • dataflow.us-central2.rep.googleapis.com
    • dataflow.us-east1.rep.googleapis.com
    • dataflow.us-east4.rep.googleapis.com
    • dataflow.us-east5.rep.googleapis.com
    • dataflow.us-east7.rep.googleapis.com
    • dataflow.us-south1.rep.googleapis.com
    • dataflow.us-west1.rep.googleapis.com
    • dataflow.us-west2.rep.googleapis.com
    • dataflow.us-west3.rep.googleapis.com
    • dataflow.us-west4.rep.googleapis.com
    • dataflow.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • dataflow.googleapis.com
    • datapipelines.googleapis.com
    None
    Dataproc
    Regional API endpoints:
    • dataproc.us-central1.rep.googleapis.com
    • dataproc.us-central2.rep.googleapis.com
    • dataproc.us-east1.rep.googleapis.com
    • dataproc.us-east4.rep.googleapis.com
    • dataproc.us-east5.rep.googleapis.com
    • dataproc.us-east7.rep.googleapis.com
    • dataproc.us-south1.rep.googleapis.com
    • dataproc.us-west1.rep.googleapis.com
    • dataproc.us-west2.rep.googleapis.com
    • dataproc.us-west3.rep.googleapis.com
    • dataproc.us-west4.rep.googleapis.com
    • dataproc.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • dataproc-control.googleapis.com
    • dataproc.googleapis.com
    None
    External passthrough Network Load Balancer
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    None
    Filestore
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • file.googleapis.com
    None
    Firebase Security Rules
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • firebaserules.googleapis.com
    None
    GKE Hub (fleets)
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • gkehub.googleapis.com
    None
    Google Cloud Armor
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    • networksecurity.googleapis.com
    Affected features
    Google Kubernetes Engine
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • container.googleapis.com
    • containersecurity.googleapis.com
    Affected features and organization policy constraints
    Identity and Access Management (IAM)
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • iam.googleapis.com
    None
    Identity-Aware Proxy (IAP)
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • iap.googleapis.com
    None
    Jurisdictional Google Cloud console
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • N/A
    None
    Memorystore for Redis
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • redis.googleapis.com
    None
    Network Connectivity Center
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • networkconnectivity.googleapis.com
    Affected features
    Organization Policy Service
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • orgpolicy.googleapis.com
    None
    Persistent Disk
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    None
    Pub/Sub
    Regional API endpoints:
    • pubsub.us-central1.rep.googleapis.com
    • pubsub.us-central2.rep.googleapis.com
    • pubsub.us-east1.rep.googleapis.com
    • pubsub.us-east4.rep.googleapis.com
    • pubsub.us-east5.rep.googleapis.com
    • pubsub.us-south1.rep.googleapis.com
    • pubsub.us-west1.rep.googleapis.com
    • pubsub.us-west2.rep.googleapis.com
    • pubsub.us-west3.rep.googleapis.com
    • pubsub.us-west4.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • pubsub.googleapis.com
    None
    Regional external Application Load Balancer
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    None
    Regional external proxy Network Load Balancer
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    None
    Regional internal Application Load Balancer
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    None
    Regional internal proxy Network Load Balancer
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    None
    Secret Manager
    Regional API endpoints:
    • secretmanager.us-central1.rep.googleapis.com
    • secretmanager.us-central2.rep.googleapis.com
    • secretmanager.us-east1.rep.googleapis.com
    • secretmanager.us-east4.rep.googleapis.com
    • secretmanager.us-east5.rep.googleapis.com
    • secretmanager.us-east7.rep.googleapis.com
    • secretmanager.us-south1.rep.googleapis.com
    • secretmanager.us-west1.rep.googleapis.com
    • secretmanager.us-west2.rep.googleapis.com
    • secretmanager.us-west3.rep.googleapis.com
    • secretmanager.us-west4.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • Not available
    None
    Sensitive Data Protection
    Regional API endpoints:
    • dlp.us-central1.rep.googleapis.com
    • dlp.us-east1.rep.googleapis.com
    • dlp.us-east4.rep.googleapis.com
    • dlp.us-east5.rep.googleapis.com
    • dlp.us-south1.rep.googleapis.com
    • dlp.us-west1.rep.googleapis.com
    • dlp.us-west2.rep.googleapis.com
    • dlp.us-west3.rep.googleapis.com
    • dlp.us-west4.rep.googleapis.com
    • dlp.us-west8.rep.googleapis.com

    Locational API endpoints are not supported.

    Global API endpoints:
    • dlp.googleapis.com
    None
    Service Directory
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • servicedirectory.googleapis.com
    None
    VPC Service Controls
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • accesscontextmanager.googleapis.com
    None
    Virtual Private Cloud (VPC)
    Regional API endpoints are not supported.
    Locational API endpoints are not supported.

    Global API endpoints:
    • compute.googleapis.com
    Affected features

    Restrictions and limitations

    The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on ITAR folders. Other applicable organization policy constraints —even if not set by default— can provide additional defense-in-depth to further protect your organization's Google Cloud resources.

    Google Cloud-wide

    Affected Google Cloud-wide features

    Feature
    Description
    Google Cloud console
    To access the Google Cloud console when using the ITAR control package, you must use one of the following URLs:
    For more information, see the Jurisdictional Google Cloud console page.

    Google Cloud-wide organization policy constraints

    The following organization policy constraints apply across Google Cloud.

    Organization policy constraint
    Description
    gcp.resourceLocations
    Set to the following locations in the allowedValues list:
    • us
    • us-central1
    • us-central2
    • us-east1
    • us-east4
    • us-east5
    • us-south1
    • us-west1
    • us-west2
    • us-west3
    • us-west4
    This value restricts creation of new resources to the selected values. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See Resource locations supported services for a list of resources that can restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and unrestrictable.

    Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
    gcp.restrictCmekCryptoKeyProjects
    Set to under:organizations/your-organization-name , which is your Assured Workloads organization. You can further restrict this value by specifying a project or folder.

    Limits the scope of approved folders or projects that can provide Cloud KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for in-scope services' at-rest data.
    gcp.restrictNonCmekServices
    Set to a list of all in-scope API service names , including:
    • bigquery.googleapis.com
    • compute.googleapis.com
    • container.googleapis.com
    • storage.googleapis.com
    Some features may be affected for each of the services listed above.

    Each listed service requires Customer-managed encryption keys (CMEK) . CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms.

    Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
    gcp.restrictServiceUsage
    Set to allow all supported products and API endpoints .

    Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage .
    gcp.restrictTLSVersion
    Set to deny the following TLS versions:
    • TLS_1_0
    • TLS_1_1
    See the Restrict TLS versions page for more information.

    Google Cloud Armor

    Affected Google Cloud Armor features

    Feature Description
    Globally scoped security policies This feature is disabled by the compute.disableGlobalCloudArmorPolicy organization policy constraint.

    BigQuery

    Affected BigQuery features

    Feature
    Description
    Enabling BigQuery on a new folder
    BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates .
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care .

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

    Compliant BigQuery APIs
    The following BigQuery APIs are ITAR-compliant:
    Regions
    BigQuery is ITAR-compliant for all BigQuery US regions except the US multi-region. ITAR compliance cannot be guaranteed if a dataset is created in a US multi-region, non-US region, or non-US multi-region. It is your responsibility to specify an ITAR-compliant region when creating BigQuery datasets.
    Queries on ITAR datasets from non-ITAR projects
    BigQuery does not prevent ITAR datasets from being queried from non-ITAR projects. You should ensure that any query that uses a read or a join operation on ITAR technical data be placed in an ITAR-compliant folder.
    Connections to external data sources
    Google's compliance responsibility is limited to the BigQuery Connection API capability. It is your responsibility to ensure the compliance of the source products that are used with the BigQuery Connection API.
    Unsupported features
    The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is your responsibility not to use them in BigQuery for Assured Workloads.
    BigQuery CLI
    The BigQuery CLI is supported.

    Google Cloud SDK
    You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. To verify your current Google Cloud SDK version, run gcloud --version and then gcloud components update to update to the newest version.
    Administrator controls
    BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard .
    Loading data
    BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for ITAR workloads.
    Third-party transfers
    BigQuery does not verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service.
    Non-compliant BQML models
    Externally-trained BQML models are not supported.
    Query jobs
    Query jobs should only be created within Assured Workloads folders.
    Queries on datasets in other projects
    BigQuery does not prevent Assured Workloads datasets from being queried from non-Assured Workloads projects. You should ensure that any query that has a read or a join on Assured Workloads data be placed in an Assured Workloads folder. You can specify a fully-qualified table name for their query result using projectname.dataset.table in the BigQuery CLI.
    Cloud Logging
    BigQuery utilizes Cloud Logging for some of your log data. You should disable your _default logging buckets or restrict _default buckets to in-scope regions to maintain compliance using the following command:

    gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink

    See Regionalize your logs for more information.

    Compute Engine

    Affected Compute Engine features

    Feature
    Description
    Suspending and resuming a VM instance
    This feature is disabled.

    Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
    Local SSDs
    This feature is disabled.

    You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
    Google Cloud console
    The following Compute Engine features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead:

    Bare Metal Solution VMs
    You cannot use Bare Metal Solution VMs (o2 VMs) because Bare Metal Solution VMs are not compliant with ITAR.

    Google Cloud VMware Engine VMs
    You cannot use Google Cloud VMware Engine VMs, as Google Cloud VMware Engine VMs are not compliant with ITAR.

    Creating a C3 VM instance
    This feature is disabled.

    Using persistent disks or their snapshots without CMEK
    You cannot use persistent disks or their snapshots unless they have been encrypted using CMEK.

    Creating nested VMs or VMs that use nested virtualization
    You cannot create nested VMs or VMs that use nested virtualization.

    This feature is disabled by the compute.disableNestedVirtualization organization policy constraint.
    Adding an instance group to a global load balancer
    You cannot add an instance group to a global load balancer.

    This feature is disabled by the compute.disableGlobalLoadBalancing organization policy constraint.
    Routing requests to a multi-region external HTTPS load balancer
    You cannot route requests to a multi-region external HTTPS load balancer.

    This feature is disabled by the compute.restrictLoadBalancerCreationForTypes organization policy constraint.
    Sharing an SSD persistent disk in multi-writer mode
    You cannot share an SSD persistent disk in multi-writer mode between VM instances.
    Suspending and resuming a VM instance
    This feature is disabled.

    Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot be encrypted using CMEK.

    This feature is disabled by the gcp.restrictNonCmekServices organization policy constraint.
    Local SSDs
    This feature is disabled.

    You will be unable to create an instance with Local SSDs because they cannot be encrypted using CMEK.

    This feature is disabled by the gcp.restrictNonCmekServices organization policy constraint.
    Guest environment
    It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more.

    These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.

    See the Building a custom image page for more information.
    OS policies in VM Manager
    Inline scripts and binary output files within the OS policy files are not encrypted using customer-managed encryption keys (CMEK). Therefore, don't include any sensitive information in these files. Alternatively, consider storing these scripts and output files in Cloud Storage buckets. For more information, see Example OS policies .

    If you want to restrict the creation or modification of OS policy resources that use inline scripts or binary output files, enable the constraints/osconfig.restrictInlineScriptAndOutputFileUsage organization policy constraint.

    For more information, see Constraints for OS Config .
    instances.getSerialPortOutput()
    This API is disabled; you will be unable to get serial port output from the specified instance using this API.

    Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project .
    instances.getScreenshot()
    This API is disabled; you will be unable to get a screenshot from the specified instance using this API.

    Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project .

    Compute Engine organization policy constraints

    Organization policy constraint
    Description
    compute.enableComplianceMemoryProtection
    Set to True .

    Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.

    Changing this value may affect your workload's data residency or data sovereignty.
    compute.disableGlobalCloudArmorPolicy
    Set to True .

    Disables the creation of new global Google Cloud Armor security policies , and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.

    compute.disableGlobalLoadBalancing
    Set to True .

    Disables creation of global load balancing products.

    Changing this value may affect your workload's data residency or data sovereignty.
    compute.disableGlobalSelfManagedSslCertificate
    Set to True .

    Disables creation of global self-managed SSL certificates.

    Changing this value may affect your workload's data residency or data sovereignty.
    compute.disableInstanceDataAccessApis
    Set to True .

    Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs.

    Enabling this constraint prevents you from generating credentials on Windows Server VMs .

    If you need to manage a username and password on a Windows VM, do the following:
    1. Enable SSH for Windows VMs .
    2. Run the following command to change the VM's password: 
        
gcloud  
compute  
ssh  
 VM_NAME 
  
--command  
 "net user USERNAME 
 PASSWORD 
"
      Replace the following:
      • VM_NAME : The name of the VM you're setting the password for.
      • USERNAME : The username of the user who you're setting the password for.
      • PASSWORD : The new password.
    compute.disableNonFIPSMachineTypes
    Set to True .

    Disables creation of VM instance types that do not comply with FIPS requirements.

    compute.restrictNonConfidentialComputing

    (Optional) Value is not set. Set this value to provide additional defense-in-depth. See the Confidential VM documentation for more information.

    compute.trustedImageProjects

    (Optional) Value is not set. Set this value to provide additional defense-in-depth.

    Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

    Cloud DNS

    Affected Cloud DNS features

    Feature Description
    Google Cloud console Cloud DNS features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

    Google Kubernetes Engine

    Affected Google Kubernetes Engine features

    Feature Description
    Cluster resource restrictions Ensure that your cluster configuration does not use resources for services that are unsupported in the ITAR compliance program. For example, the following configuration is invalid because it requires enabling or using an unsupported service:

    set `binaryAuthorization.evaluationMode` to `enabled`

    Google Kubernetes Engine organization policy constraints

    Organization policy constraint Description
    container.restrictNoncompliantDiagnosticDataAccess Set to True .

    Disables aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload.

    Changing this value may affect your workload's data residency or data sovereignty.

    Cloud Interconnect

    Affected Cloud Interconnect features

    Feature Description
    Google Cloud console Cloud Interconnect features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.
    High-availability (HA) VPN You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in the Affected Cloud VPN features section.

    Cloud Load Balancing

    Affected Cloud Load Balancing features

    Feature
    Description
    Google Cloud console
    Cloud Load Balancing features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.
    Regional load balancers
    You must use only regional load balancers with ITAR. See the following pages for more information about configuring regional load balancers:

    Cloud Logging

    Affected Cloud Logging features

    Feature Description
    Log sinks Filters shouldn't contain Customer Data.

    Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data.
    Live tailing log entries Filters shouldn't contain Customer Data.

    A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data.
    Log-based alerts This feature is disabled.

    You cannot create log-based alerts in the Google Cloud console.
    Shortened URLs for Logs Explorer queries This feature is disabled.

    You cannot create shortened URLs of queries in the Google Cloud console.
    Saving queries in Logs Explorer This feature is disabled.

    You cannot save any queries in the Google Cloud console.
    Log Analytics using BigQuery This feature is disabled.

    You cannot use the Log Analytics feature.
    SQL-based alerting policies This feature is disabled.

    You cannot use the SQL-based alerting policies feature.

    Cloud Monitoring

    Affected Cloud Monitoring features

    Feature Description
    Synthetic Monitor This feature is disabled.
    Uptime checks This feature is disabled.
    Log panel widgets in Dashboards This feature is disabled.

    You cannot add a log panel to a dashboard.
    Error reporting panel widgets in Dashboards This feature is disabled.

    You cannot add an error reporting panel to a dashboard.
    Filter in EventAnnotation for Dashboards This feature is disabled.

    Filter of EventAnnotation cannot be set in a dashboard.
    SqlCondition in alertPolicies This feature is disabled.

    You cannot add a SqlCondition to an alertPolicy .

    Cloud NAT

    Affected Cloud NAT features

    Feature Description
    Google Cloud console Cloud NAT features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

    Network Connectivity Center

    Affected Network Connectivity Center features

    Feature Description
    Google Cloud console Network Connectivity Center features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

    Pub/Sub

    Pub/Sub organization policy constraints

    Organization policy constraint Description
    pubsub.enforceInTransitRegions Set to True .

    Ensures that Customer Data transits only within the allowed regions specified in the message storage policy for the Pub/Sub topic.

    Changing this value may affect your workload's data residency or data sovereignty.

    Cloud Router

    Affected Cloud Router features

    Feature Description
    Google Cloud console Cloud Router features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

    Cloud Run

    Affected Cloud Run features

    Feature
    Description
    Unsupported features
    The following Cloud Run features aren't supported:

    Cloud SQL

    Affected Cloud SQL features

    Feature Description
    Exporting to CSV Exporting to CSV is not compliant with ITAR and shouldn't be used. This feature is disabled in the Google Cloud console.
    executeSql The executeSql method of the Cloud SQL API is not compliant with ITAR and shouldn't be used.

    Cloud Storage

    Affected Cloud Storage features

    Feature
    Description
    Google Cloud console
    To maintain ITAR compliance, it is your responsibility to use the Jurisdictional Google Cloud console . The Jurisdictional console prevents uploading and downloading Cloud Storage objects. To upload and download Cloud Storage objects, see the Compliant API endpoints row in this section.
    Compliant API endpoints
    You must use one of the ITAR-compliant regional endpoints with Cloud Storage. See Cloud Storage regional endpoints and Cloud Storage locations for more information.
    Restrictions
    You must use Cloud Storage regional endpoints to be ITAR-compliant. For more information about Cloud Storage regional endpoints for ITAR, see Cloud Storage regional endpoints .

    The following operations are not supported by regional endpoints. However, these operations don't carry Customer Data as defined in the data residency service terms . Therefore, you can use global endpoints for these operations as necessary without violating ITAR compliance:
    Copy and rewrite for objects
    Copy and rewrite operations for objects are supported by regional endpoints if both the source and destination buckets are located in the region specified in the endpoint. However, you cannot use regional endpoints to copy or rewrite an object from one bucket to another if the buckets exist in different locations. It is possible to use global endpoints to copy or rewrite across locations, but we don't recommend it as it and may violate ITAR compliance.

    Virtual Private Cloud (VPC)

    Affected VPC features

    Feature Description
    Google Cloud console VPC networking features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

    Cloud VPN

    Affected Cloud VPN features

    Feature Description
    Google Cloud console Cloud VPN features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.
    Encryption You must use only FIPS 140-2 compliant ciphers when creating certificates and configuring your IP security. See the Supported IKE ciphers page for more information about supported ciphers in Cloud VPN. For guidance about selecting a cipher that conforms to FIPS 140-2 standards, see the FIPS 140-2 Validated page.

    You cannot change an existing cipher in Google Cloud. Ensure that you configure your cipher on your third-party appliance that's used with Cloud VPN.
    VPN endpoints You must use only Cloud VPN endpoints that are located in an in-scope region . Ensure that your VPN gateway is configured for use in an in-scope region only.

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: