Step 3: Configure hosting and encryption

What you're doing in this step

In this step, you configure hosting locations for your Apigee runtime and dataplane instances. You also configure encryption key selections for your runtime disks and databases.

Perform the step

Permissions required for this task

You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. See Predefined roles and Runtime instance permissions.

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. To edit any of the configuration choices, click Edit to open the Hosting location and encryption keys panel.

You can accept the default configuration or select from the following options in the Hosting location and encryption keys panel:

In the Encryption type section, choose one of the available encryption types:
- Google-managed encryption key: Google-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
- Customer-managed encryption key (CMEK): Import your own cryptographic key into Cloud KMS to encrypt your Apigee instances and data before it is written to disk.
  Click Next.

In the Analytics section:

From the Analytics region drop-down list, select the physical location where you want your analytics data stored. Valid regions include:

`asia-northeast1`	`asia-south1`	`asia-east1`	`asia-southeast1`
`australia-southeast1`	`us-central1`	`us-east1`	`us-west1`
`asia-southeast2`	`europe-west1`	`europe-west2`

Choose a region that is geographically close or one that satisfies your organization's storage requirements.

Click Confirm.

In the Runtime section:
1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted.
2. Under Runtime database encryption key:
  - If you selected Google-managed encryption keys as the encryption type, no further action is needed.
  - If you selected Customer-managed encryption key (CMEK) encryption key as the encryption type, you can:
    - Select an existing key from the dropdown list of Cloud KMS keys in the location across all key rings.
    - If a key doesn't exist, or if you don't want to use an existing key, you can create a new key. To create a key:
      1. Click Create key.
      2. Select a key ring, or if one doesn't exist, enable Create key ring and enter a key ring name and pick your key ring location. Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.
      3. Click Continue.
      4. Create a key. Enter a name and protection level. Note that key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted. For protection level, Software is a good choice. This is the same default used by Cloud KMS; however, you can change it if you wish.
      5. Click Continue and review your selections.
      6. Click Create.
3. Under Runtime disk encryption key:
  - If you selected Google-managed encryption keys as the encryption type, no further action is needed.
  - If you selected Customer-managed encryption key (CMEK) encryption key as the encryption type, you can:
    - Select an existing key from the dropdown list of Cloud KMS keys in the location across all key rings.
    - If a key doesn't exist, or if you don't want to use an existing key, you can create a new key. To create a key:
      1. Click Create key.
      2. Select a key ring, or if one doesn't exist, enable Create key ring and enter a key ring name and pick your key ring location. Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.
      3. Click Continue.
      4. Create a key. Enter a name and protection level. Note that key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted. For protection level, Software is a good choice. This is the same default used by Cloud KMS; however, you can change it if you wish.
      5. Click Continue and review your selections.
      6. Click Create.
4. Click Confirm.
  Warning: When you submit the completed configuration for provisioning Apigee (at the end of Step 4), you cannot go back and change the hosting region and encryption key selections. Apigee does not support updating the hosting region or encryption key selections after provisioning is complete. For example, if you select Google-managed encryption, you cannot change it to Customer-managed encryption later and vice versa.
Click Continue to save the configuration.

Go to the next step, Step 4: Customize access routing.