For many industry verticals and enterprises, using a cloud offering results in increased scrutiny from security and compliance teams. The following questions are often asked:
- Where is data stored?
- What data is stored in the cloud?
- Who has access to the data?
- How is data handled during processing or transmission?
In addition to this, many countries have passed data privacy laws that prohibit Personally Identifiable Information (PII) data from being stored outside the country or region.
This document describes data residency for Apigee and how it helps you to meet compliance and regulatory requirements.
Overview
Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is being:
- Stored (at rest)
- Processed (in use)
- Transmitted (in transit)
You enable data residency when provisioning an Apigee organization. During provisioning, you select the region where all customer content is stored. See Provision your organization with data residency.
Once the Apigee organization is provisioned with data residency, Apigee organization admins must do the following:
- Inform Apigee users, including API developers and other admins, about the data residency configuration and requirements. Apigee users must follow the guidelines in Use Apigee with data residency.
- Set the location organization policy as described in Restricting resource locations.
Note the following:
- You can't enable data residency for an Apigee organization that is already provisioned.
- By default, the control plane is a global entity unless you select data residency (regionalization) at the time the Apigee organization is created.
- Once you select data residency and the control plane location, it can't be changed. If you later need a different location, you will need to create a new Google Cloud project.
See also Google Cloud Services with Data Residency.
About advanced data residency
Advanced data residency refers to compliance and regulatory requirements for data that is being processed (in use) or transmitted (in transit) in addition to being stored (at rest).
To comply with advanced data residency, the following actions are required when setting up and using Apigee.
| Create Assured Workloads | Provision your organization | Use Apigee |
|---|---|---|
| Google Cloud admin creates an Assured Workloads folder in the Google Cloud organization and applies a control package. The control package automatically sets the control plane location and organization policy constraints that enforce the regional data boundaries. | Apigee organization admin provisions your paid organization with advanced data residency using the location-based jurisdictional console to access the Apigee UI or the regional endpoint to access the Apigee APIs. See Provision your organization with advanced data residency. | Apigee users use the jurisdictional console to access the Apigee UI or the regional endpoint to access the APIs. |
Support for data residency
The following list summarizes the features that are supported and not supported for Apigee with data residency:
- Apigee organizations (Subscription or Pay-as-you-go)
- Apigee hybrid for data residency at rest only, as described in Apigee hybrid data residency
- Operations anomalies for non-hybrid Subscription organizations
- Monetization
- API analytics
- Advanced API Security
- Apigee API hub
- Data collectors for Subscription and Pay-as-you-go organizations, and hybrid versions 1.14.0 and later (at rest only)
FedRAMP compliance and data residency
Apigee is authorized as a FedRAMP High service for organizations where data residency is enabled. If you choose to enable data residency when provisioning an Apigee Subscription or Pay-as-you-go organization, the following services are in scope under Apigee's FedRAMP Authority To Operate (ATO):
- The regionalized Apigee organization's control plane, runtime plane, and analytics.
- The regionalized Apigee hybrid organization's control plane and analytics.
The following Apigee offerings are not in scope under Apigee's FedRAMP ATO:
- API analytics
- Advanced API Security
- Integrated portals
- Apigee evaluation organizations
- Apigee data collectors
Apigee hybrid data residency
You can configure new Apigee hybrid installations to use data residency, starting with hybrid version 1.12. See Using data residency with Apigee hybrid.
Apigee hybrid version 1.14.0 and later with data residency enabled supports Advanced API Security, Apigee API analytics, and the Debug tool.
Choose regions for data residency
You choose the regions (physical location) for the control plane data based on your data residency requirements as follows:
| Data residency requirements | How to choose region |
|---|---|
| Data residency at rest only | When provisioning your Apigee organization, your Apigee admin sets the control plane location to the required region (for example, us). See Provision your organization with data residency at rest only. |
| Advanced data residency (in use and in transit) | When creating an Assured Workloads folder for the Google Cloud organization, your Google Cloud admin selects a control package to define the regional data boundaries. During provisioning, the control plane location is set automatically and other locations are filtered based on the control package selected. See Provision your organization with advanced data residency. |
During provisioning, you must also specify a single region (for example, us-west1) for other consumer services that can run only in a single region, such as Analytics reports.
All resources must be within the region specified. For example, if you select us for the control plane location, the other Apigee resources, such as the runtime instance, the CMEK it references, the endpoint attachment, and so on, must also be within the us region.
Use the jurisdictional console
When provisioning or using Apigee with advanced data residency, you must use one of the jurisdictional Google Cloud consoles to access the Apigee UI based on your location.
For example, the jurisdictional console URL for the United States region is: console.us.cloud.google.com
When provisioning or using Apigee with data residency at rest only, you can use either the global or jurisdictional console. To use the jurisdictional console, the Apigee organization must have been provisioned within one of the supported locations.
The benefits of using the jurisdictional Google Cloud console are as follows:
- Simplifies the provisioning UI by automatically setting the control plane location and filtering the region selectors accordingly.
- Alters the UI interactions with Google Cloud services based on the data residency requirements, such as filtering region selectors and the options available for service endpoint attachments to prevent Apigee from connecting to a private target using Private Service Connect (PSC) if the target is outside the permitted region.
For information about how to access the jurisdictional console, see Jurisdictional Google Cloud console.
Use regional endpoints for data residency
A service endpoint, or hostname, is a base URL that specifies the network address of an API service. The Apigee API service endpoint is apigee.googleapis.com. This is the global endpoint used when data residency is not supported.
To support data residency, you'll need to use regional endpoints. The following sections describe how to use regional endpoints for data residency at rest only and advanced data residency.
Use regional endpoints for data residency at rest only
To access the Apigee API with data residency at rest only, use the following regional endpoint: CONTROL_PLANE_LOCATION-apigee.googleapis.com
Where CONTROL_PLANE_LOCATION is the physical location at which Apigee control plane data will be stored. For a list of available control plane locations, see Apigee locations.
For example, the following shows the curl call used to create an organization using the regional endpoint for the United States:
curl "https://us-apigee.googleapis.com/v1/organizations?parent=projects/PROJECT_ID" ...
Use regional endpoints for advanced data residency
To access the Apigee API with advanced data residency, use the following regional endpoint: apigee.CONTROL_PLANE_LOCATION.rep.googleapis.com
Where CONTROL_PLANE_LOCATION is the physical location where Apigee control plane data is stored.
The following table lists the supported control plane locations and their corresponding regional endpoints:
| Location | Regional endpoint |
|---|---|
| United States (US) | apigee.us.rep.googleapis.com |
| European Union (EU) | apigee.eu.rep.googleapis.com |
| India (IN) | apigee.in.rep.googleapis.com |
For example, the following shows the curl call used to create an organization using the regional endpoint for the United States:
curl "https://apigee.us.rep.googleapis.com/v1/organizations?parent=projects/PROJECT_ID" ...
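The two endpoint patterns above (at rest only versus advanced) are easy to mix up in scripts, and a call that silently falls back to the global apigee.googleapis.com endpoint is not covered by data residency. The following helper is an added example, not Apigee's own code: it builds the expected regional hostname for a control plane location, assembles the organizations.create URL from the curl examples, and audits a request URL against the expected endpoint. The project ID and URLs in the comments are constructed placeholders.

```python
"""Pre-flight checks for Apigee regional endpoints (added example, not Apigee code)."""
from typing import Optional
from urllib.parse import urlparse

# Control plane locations with an advanced data residency endpoint, from the
# table above. At-rest-only locations are not enumerated here; the page refers
# to the full Apigee locations list for those.
ADVANCED_LOCATIONS = {"us", "eu", "in"}
GLOBAL_ENDPOINT = "apigee.googleapis.com"


def apigee_endpoint(control_plane_location: str, advanced: bool) -> str:
    """Return the Apigee API hostname for a data residency configuration.

    advanced=False (at rest only): CONTROL_PLANE_LOCATION-apigee.googleapis.com
    advanced=True  (in use and in transit): apigee.CONTROL_PLANE_LOCATION.rep.googleapis.com
    """
    loc = control_plane_location.strip().lower()
    if not loc or loc == "global":
        raise ValueError("data residency requires a regional control plane location")
    if advanced:
        if loc not in ADVANCED_LOCATIONS:
            raise ValueError(f"no advanced data residency endpoint for {loc!r}")
        return f"apigee.{loc}.rep.googleapis.com"
    return f"{loc}-apigee.googleapis.com"


def create_org_url(project_id: str, control_plane_location: str, advanced: bool) -> str:
    """Build the organizations.create URL used in the curl examples above."""
    host = apigee_endpoint(control_plane_location, advanced)
    return f"https://{host}/v1/organizations?parent=projects/{project_id}"


def residency_endpoint_issue(url: str, control_plane_location: str, advanced: bool) -> Optional[str]:
    """Audit a request URL. Returns None when it targets the expected regional
    endpoint, otherwise a short description of the problem."""
    host = (urlparse(url).hostname or "").lower()
    if host == GLOBAL_ENDPOINT:
        return "uses the global endpoint; data residency is not enforced"
    expected = apigee_endpoint(control_plane_location, advanced)
    if host != expected:
        return f"expected {expected}, got {host}"
    return None


if __name__ == "__main__":
    # Constructed example: a United States control plane with advanced residency.
    print(create_org_url("example-project", "us", advanced=True))
    print(residency_endpoint_issue("https://apigee.googleapis.com/v1/organizations", "us", True))
```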
Encryption and data residency
By default, Google Cloud automatically encrypts data when it is at rest using encryption keys that are owned and managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK). See Introduction to CMEK.
Use organization policy constraints with data residency
Google Cloud's organization policy constraints make it possible to define a set of locations where location-based Google Cloud resources can be created for your Google Cloud organization. If you have a Google Cloud organization policy that uses a resource location constraint (constraints/gcp.resourceLocations), the constraint will apply to the following Apigee resources that are created when Apigee is provisioned:
If you are provisioning a new Apigee organization within a Google Cloud project with a resource location constraint applied, you must ensure that the location constraint is compatible with the control plane location specified for your Apigee organization:
- If you provision an Apigee organization without data residency, the resource location constraint in your Google Cloud organization policy must be set to global. Because the Apigee control plane is a global entity by default, provisioning will fail if a constraint other than global is applied.
- If you provision an Apigee organization with data residency, confirm that any resource location constraint that may be set in your Google Cloud organization policy does not exclude the region you select for your control plane data. Otherwise, provisioning will fail.
Use VPC Service Controls with data residency
To use VPC Service Controls with data residency at rest, you must use the following regional endpoint: CONTROL_PLANE_LOCATION-apigee.googleapis.com
At this time, you can't use VPC Service Controls with advanced data residency.
For advanced data residency, using the apigee.CONTROL_PLANE_LOCATION.rep.googleapis.com endpoint requires you to create a private connection between Apigee and backend target services using Private Service Connect.

