Step 3: Configure hosting and encryption

This page applies to Apigee, but not to Apigee hybrid.


What you're doing in this step

In this step, depending on your specific user journey, you specify hosting locations for your Apigee analytics or control plane, runtime and dataplane instances, and API consumer data region. You also specify encryption key selections.

The user journeys differ in how encryption keys are selected or created (Google-managed or customer-managed) and in whether data residency is enabled.

Some features are not supported when data residency is enabled. See Data residency compatibility for details.

The following keys are used during organization creation:

  • Control plane key: Encrypts Analytics data stored within BigQuery in the Apigee tenant project. Also encrypts API proxies, target servers, truststores, keystores, and anything else shared across runtimes.
  • API consumer data key: Encrypts service infrastructure data. This key must be in a region within the control plane location.
  • Runtime database key: Encrypts application data such as KVMs, cache, and client secrets, which is then stored in the database.

The following key is used during each instance creation:

  • Runtime disk key: Encrypts KVMs, environment cache, and quota buckets and counters. Also encrypts KMS data: API products, developers, developer apps, OAuth tokens (including access tokens, refresh tokens, and authorization codes), and API keys.

Perform the step

To view the steps for your specific user journey, select one of the following user journeys. They are listed in order of complexity, with the easiest being user journey A.

The following diagram shows the possible user journeys to configure hosting and encryption for a Pay-as-you-go organization using the Cloud console.

The user journeys are noted A through F and are ordered easy to complex, where A is the easiest, and F is the most complex.

[Figure: Pay-as-you-go provisioning flow]

User journey A: Google-managed encryption, no data residency

Select this option if you:

  • Want Google to manage your encryption keys
  • Are not required to store core content and processing in the same geographic region

User journey B: Google-managed encryption, with data residency

Select this option if you:

  • Want Google to manage your encryption keys
  • Want to store your core content and processing in the same geographic region

User journey C: Customer-managed encryption, no data residency

Select this option if you:

  • Want to manage your own encryption keys
  • Are not required to store core content and processing in the same geographic region

User journey D: Customer-managed encryption, with data residency

Select this option if you:

  • Want to manage your own encryption keys
  • Want to store your core content and processing in the same geographic region

User journey A: Google-managed encryption, no data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Google-managed encryption key. This is a Google-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Clear the Enable data residency box.
    2. From the Analytics region drop-down list, select the physical location where you want your analytics data stored. For a list of available Apigee API Analytics regions, see Apigee locations.

    3. Click Confirm.
  4. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted.
    2. Under Runtime database encryption key, Google-managed is listed as the encryption type.
    3. Under Runtime disk encryption key, Google-managed is listed as the encryption type.
    4. Click Confirm.
    5. Click Done.
  5. Click Next.

Go to the next step, Step 4: Customize access routing.

User journey B: Google-managed encryption, with data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Google-managed encryption key. This is a Google-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Select the Enable data residency box.
    2. In the Control plane hosting location section:
      1. Select your Location type:
        • Region: Your data is stored in a single region, which can reduce latency.
        • Multi-region: Your data is stored in more than one region, which can increase availability across a large area.
      2. From the Region or Multi-region drop-down list that displays, select the physical location where you want your data stored. For a list of available control plane regions, see Apigee locations.
      3. Under Control plane encryption key, Google-managed is listed as the encryption type.
    3. From the API consumer data region drop-down list, select the physical location where you want your data stored. For a list of available control plane regions, see Apigee locations.
    4. Under API consumer data encryption key, Google-managed is listed as the encryption type.
    5. Click Confirm.
  4. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted. For a list of available runtime regions, see Apigee locations. When using data residency, the runtime location must be within the control plane region.
    2. Under Runtime database encryption key, Google-managed is listed as the encryption type.
    3. Under Runtime disk encryption key, Google-managed is listed as the encryption type.
    4. Click Confirm.
    5. Click Done.
  5. Click Next.

Go to the next step, Step 4: Customize access routing.

User journey C: Customer-managed encryption, no data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Customer-managed encryption key (CMEK). This is a user-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Clear the Enable data residency box.
    2. From the Analytics region drop-down list, select the physical location where you want your analytics data stored. For a list of available Apigee API Analytics regions, see Apigee locations.
    3. Click Confirm.
  4. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted.
    2. From the Runtime database encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
    3. Click Grant if prompted.
    4. From the Runtime disk encryption key drop-down list, select or create a key for runtime instance data before it is written to disk. Each instance has its own disk encryption key.
    5. Click Grant if prompted.
    6. Click Confirm.
    7. Click Done.
  5. Click Next.

Go to the next step, Step 4: Customize access routing.

User journey D: Customer-managed encryption, with data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Customer-managed encryption key (CMEK). This is a user-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Select the Enable data residency box.
    2. In the Control plane hosting location section:
      1. Select your Location type:
        • Region: Your data is stored in a single region, which can reduce latency.
        • Multi-region: Your data is stored in more than one region, which can increase availability across a large area.
      2. From the Region or Multi-region drop-down list that displays, select the physical location where you want your data stored. For a list of available control plane regions, see Apigee locations.
      3. From the Control plane encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
      4. Click Grant if prompted.
    3. From the API consumer data region drop-down list, select the physical location where you want your data stored. For a list of available control plane regions, see Apigee locations.
    4. From the API consumer data encryption key drop-down list, select or create a key for data stored for the control plane.
    5. Click Grant if prompted.
    6. Click Confirm.
  4. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted. When using data residency, the runtime location must be within the control plane region.
    2. From the Runtime database encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
    3. Click Grant if prompted.
    4. From the Runtime disk encryption key drop-down list, select or create a key for runtime instance data before it is written to disk. Each instance has its own disk encryption key.
    5. Click Grant if prompted.
    6. Click Confirm.
    7. Click Done.
  5. Click Next.

Go to the next step, Step 4: Customize access routing.

How to create a key

To create a key:

  1. Click Create key.
  2. Select a key ring, or if one doesn't exist, enable Create key ring and enter a key ring name and pick your key ring location. Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.
  3. Click Continue.
  4. Create a key. Enter a name and protection level. Note that key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted. For protection level, Software is a good choice. This is the same default used by Cloud KMS; however, you can change it if you wish.
  5. Click Continue and review your selections.
  6. Click Create.
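The same key creation done with gcloud instead of the console, as an added example that is not part of the Apigee documentation: it checks key ring and key names against the rules stated above, creates the key ring and a Software protection-level key, and performs the grant the console prompts for. The project, location and names are constructed values; the Apigee service agent address and the Cloud KMS role used for the grant are assumptions, not taken from this page.

```bash
#!/usr/bin/env bash
# Added example, not Apigee's own tooling. Assumes gcloud is installed and authenticated.
set -euo pipefail

# Key ring and key names may contain only letters, numbers, underscores and hyphens.
# Both are permanent (cannot be renamed or deleted), so validate before creating.
validate_kms_name() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Full Cloud KMS resource name of the key, as shown when you select it in the console.
cmek_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Create (or reuse) the key ring in the chosen location, then a symmetric encryption
# key at the Software protection level, which is the console/Cloud KMS default.
create_apigee_cmek() {
  local project="$1" location="$2" ring="$3" key="$4"
  validate_kms_name "$ring" || { echo "invalid key ring name: $ring" >&2; return 2; }
  validate_kms_name "$key"  || { echo "invalid key name: $key" >&2; return 2; }

  if ! gcloud kms keyrings describe "$ring" --location "$location" \
        --project "$project" >/dev/null 2>&1; then
    gcloud kms keyrings create "$ring" --location "$location" --project "$project"
  fi
  gcloud kms keys create "$key" --keyring "$ring" --location "$location" \
    --project "$project" --purpose encryption --protection-level software

  # Equivalent of the console's "Grant" prompt: allow the Apigee service agent to use
  # the key. Service agent address and role are assumptions (not stated on this page).
  local number
  number="$(gcloud projects describe "$project" --format 'value(projectNumber)')"
  gcloud kms keys add-iam-policy-binding "$key" --keyring "$ring" --location "$location" \
    --project "$project" \
    --member "serviceAccount:service-${number}@gcp-sa-apigee.iam.gserviceaccount.com" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  cmek_resource_name "$project" "$location" "$ring" "$key"
}

# Example invocation with constructed values; uncomment to run against a real project.
# create_apigee_cmek my-apigee-project us-west1 apigee-ring apigee-runtime-db
```

Use the same location for the key ring as the Apigee region the key protects, since the console only offers keys whose location matches.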