This page applies to Apigee, but not to Apigee hybrid.
View Apigee Edge documentation.
What you're doing in this step
In this step, depending on your specific user journey, you specify hosting locations for your Apigee analytics or control plane, runtime and dataplane instances, and API consumer data region. You also specify encryption key selections.
The difference between each of the user journeys is the selection or creation of encryption keys, whether they are managed by Google or the customer, and whether data residency is enabled or not.
Some features are not supported when data residency is enabled. See Data residency compatibility for details.
The following keys are used during organization creation:
Encryption key | Description |
---|---|
Control plane key |
Encrypts Analytics data that is stored within BigQuery in Apigee tenant project. Encrypts API proxies, Target Servers, Truststores and Keystores and anything else shared across runtimes. |
API consumer data key | Encrypts service infrastructure data. This is required to be a region within the control plane location. |
Runtime database key | Encrypts application data such as KVMs, cache, and client secrets, which is then stored in the database. |
The following key is used during each instance creation:
Encryption key | Description |
---|---|
Runtime disk key | Encrypts KVMs; environment cache; quota buckets and counters.
Encrypts KMS data API products, developers, developer apps, OAuth tokens (including access tokens, refresh tokens, and authorization codes), and API keys. |
Perform the step
To view the steps for your specific user journey, select one of the following user journeys. They are listed in order of complexity, with the easiest being user journey A.
View user journey flow diagram
The following diagram shows the possible user journeys to configure hosting and encryption for a Pay-as-you-go organization using the Cloud console.
The user journeys are noted A through F and are ordered easy to complex, where A is the easiest, and F is the most complex.
User journey | Description | |
---|---|---|
User journey A: Google-managed encryption, no data residency |
Select this option if you:
|
|
User journey B: Google-managed encryption, with data residency |
Select this option if you:
| |
User journey C: Customer-managed encryption, no data residency |
Select this option if you:
|
|
User journey D: Customer-managed encryption, with data residency |
Select this option if you:
|
User journey A: Google-managed encryption, no data residency
In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click
Edit to open the Hosting and encryption keys panel.- In the Encryption type section, select Google-managed encryption key. This is a Google-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
- Click Next.
- In the Control Plane section:
- Clear the Enable data residency box.
From the Analytics region drop-down list, select the physical location where you want your analytics data stored. For a list of available Apigee API Analytics regions, see Apigee locations.
- Click Confirm.
- In the Runtime section:
- From the Runtime hosting region drop-down list, select the region in which you want your instance hosted.
- Under Runtime database encryption key, Google-managed is listed as the encryption type.
- Under Runtime disk encryption key, Google-managed is listed as the encryption type.
- Click Confirm.
- Click Done.
- Click Next.
Go to the next step, Step 4: Customize access routing.
User journey B: Google-managed encryption, with data residency
In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click
Edit to open the Hosting and encryption keys panel.- In the Encryption type section, select Google-managed encryption key. This is a Google-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
- Click Next.
- In the Control Plane section:
- Select the Enable data residency box.
- From the Control plane hosting jurisdiction drop-down list that displays, select the physical location where you want your data stored.
- From the Control plane encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
- Click Grant if prompted.
- In the API consumer data region section:
- From the API consumer data region drop-down list, select the physical location where you want your data stored. For a list of available consumer data regions, see Apigee locations.
- Under API consumer data encryption key, Google-managed is listed as the encryption type.
- Click Confirm.
- In the Runtime section:
- From the Runtime hosting region drop-down list, select the region in which you want your instance hosted. For a list of available runtime regions, see Apigee locations. When using data residency, the runtime location must be within the control plane region.
- Under Runtime database encryption key, Google-managed is listed as the encryption type.
- Under Runtime disk encryption key, Google-managed is listed as the encryption type.
- Click Confirm.
- Click Done.
- Click Next.
Go to the next step, Step 4: Customize access routing.
User Journey C: Customer-managed encryption, no data residency
In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click
Edit to open the Hosting and encryption keys panel.- In the Encryption type section, select Customer-managed encryption key (CMEK). This is a user-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
- Click Next.
- In the Control Plane section:
- Clear the Enable data residency box.
From the Analytics region drop-down list, select the physical location where you want your analytics data stored. For a list of available Apigee API Analytics regions, see Apigee locations.
- Click Confirm.
- In the Runtime section:
- From the Runtime hosting region drop-down list, select the region in which you want your instance hosted.
- From the Runtime database encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
- Click Grant if prompted.
- From the Runtime disk encryption key, drop-down list, select or create a key for runtime instance data before it is written to disk. Each instance has its own disk encryption key.
- Click Grant if prompted.
- Click Confirm.
- Click Done.
- Click Next.
Go to the next step, Step 4: Customize access routing.
User journey D: Customer-managed encryption, with data residency
In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click
Edit to open the Hosting and encryption keys panel.- In the Encryption type section, select Customer-managed encryption key (CMEK). This is a user-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
- Click Next.
- In the Control Plane section:
- Select the Enable data residency box.
- From the Control plane hosting jurisdiction drop-down list that displays, select the physical location where you want your data stored.
- From the Control plane encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
- Click Grant if prompted.
- In the API consumer data region section:
- From the API consumer data region drop-down list, select the physical location where you want your data stored. For a list of available consumer data regions, see Apigee locations.
- From the API consumer data encryption key drop-down list, select or create a key for data stored for the control plane.
- Click Grant if prompted.
- Click Confirm.
- In the Runtime section:
- From the Runtime hosting region drop-down list, select the region in which you want your instance hosted. When using data residency, the runtime location must be within the control plane region.
- From the Runtime database encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
- Click Grant if prompted.
- From the Runtime disk encryption key, drop-down list, select or create a key for runtime instance data before it is written to disk. Each instance has its own disk encryption key.
- Click Grant if prompted.
- Click Confirm.
- Click Done.
- Click Next.
Go to the next step, Step 4: Customize access routing.
How to create a key
To create a key:
- Click Create key.
- Select a key ring, or if one doesn't exist, enable Create key ring and enter a key ring name and pick your key ring location. Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.
- Click Continue.
- Create a key. Enter a name and protection level. Note that key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted. For protection level, Software is a good choice. This is the same default used by Cloud KMS; however, you can change it if you wish.
- Click Continue and review your selections.
- Click Create.