Introduction to data residency

This document describes data residency for Apigee.

Overview

For many industry verticals and enterprises, using a cloud offering results in increased scrutiny from security and compliance teams (what data is stored in the cloud, where it is stored, who has access to it, who can see the data, etc.). In addition to this, many countries have passed data privacy laws that prohibit Personally Identifiable Information (PII) data from being stored outside the country or region.

Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored. Historically, Apigee allowed you to select the instance region and analytics region; however, Apigee also has global infrastructure, such as an API proxy bundle or other customer data. With data residency, selecting the control plane location ensures that all customer content is stored within the specified region.

Apigee is in the process of obtaining FedRAMP high and other certifications. Apigee has implemented the regionalized stack from the engineering side, but cannot contractually guarantee data residency before the actual certification is approved.

Data residency compatibility

Data residency can be used with the following:

• Apigee Organizations (Subscription or Pay-as-you-go)
• Apigee hybrid

Data residency is not currently supported for use with:

• Preview- or Beta-release features, such as the preview release for Looker Studio Integration
• Eval orgs
• Monetization
• Integrated portals
• API Security
• Data collector
• Apigee running in a browser window at apigee.google.com since the regionalized org names are not displayed in the organization selector. You must use Apigee in the Google Cloud console.

Key points

If data residency is enabled for your Apigee installation, note the following key points:

• Data residency must be enabled at the time Apigee is provisioned. You cannot enable data residency for an already-provisioned org.
• By default, the control plane is a global entity unless you select data residency (regionalization) at the time of Apigee organization creation; it can not be changed later. Once you select data residency and the control plane location, it is cannot be changed. If you later need a different location, you will need to create a new Google Cloud project.
• When provisioning an org:
  • Without data residency: Specify the region with ANALYTICS_REGION.
  • With data residency: Specify the region with CONTROL_PLANE_LOCATION and the sub-region with CONSUMER_DATA_REGION. See Data residency regions.
• The admin who provisions Apigee must:
  • Inform Apigee users, such as API developers and other admins, about the data residency configuration
  • Set the location org policy as described in Restricting Resource Locations
• API developers, admins, or other users of Apigee management APIs must use the new data residency API service endpoint.

Data residency regions

Data residency allows you to choose the region (physical location) during provisioning where data is stored.

When specifying the region (for example, us), you must also specify a single region (for example, us-west1) for other services that can run only in a single region, such as Analytics reports.

All resources must be within the region specified. For example, if you select us for the CONTROL_PLANE_LOCATION, the other Apigee resources, such as the runtime instance, referencing CMEK, endpoint attachment, etc., must also be within the us region.

The type of data that is stored when you choose data residency is referred to as control plane data and consumer data.

Control plane data is analytics data, API proxies, target servers, truststores and keystores and anything else shared across runtimes. Consumer data is analytics data that is processed by services that run in a single region.

See Apigee locations, for the currently supported control-plane regions.

Data residency service endpoint

A service endpoint is a base URL that specifies the network address of an API service.

The Apigee API service endpoint, or hostname, is apigee.googleapis.com.

• No data residency:

  Use the service endpoint as follows:

  apigee.googleapis.com

  For example:

  curl "https://apigee.googleapis.com/v1/organizations?parent=projects/$PROJECT_ID" ...

• Data residency:

  Prepend the control plane region to the service endpoint:

  CONTROL_PLANE_LOCATION-apigee.googleapis.com

  For example:

  curl "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations?parent=projects/$PROJECT_ID" ...

  Where CONTROL_PLANE_LOCATION is the is the physical location, specified during provisioning, at which Apigee control plane data will be stored.

  For example:

  curl "https://us-apigee.googleapis.com/v1/organizations?parent=projects/$PROJECT_ID" ...

How to view the region

If you have already provisioned your org (PROJECT_ID) for use with data residency, you can use the getProjectMapping API to display the regions associated with a project:

1. Authorize gcloud to access the Cloud Platform with your Google user credentials:

   gcloud auth login

2. Call the API:

   curl -X GET https://apigee.googleapis.com/v1/organizations/PROJECT_ID:getProjectMapping \
       -H "Authorization: Bearer $(gcloud auth print-access-token)"

   Where PROJECT_ID is your Apigee organization name or Google Cloud project ID.

   Something similar to the following is returned:

   {
     "organization": "my-project",
     "projectIds": [
       "my-project"
     ],
     "projectId": "my-project"
     "location": "us"
   }

Data residency encryption

See Introduction to CMEK.

Data residency and organization policy constraints

Google Cloud's organization policy constraints make it possible to define a set of locations where location-based Google Cloud resources can be created for your Google Cloud organization. If you have a Google Cloud organization policy that uses a resource location constraint (constraints/gcp.resourceLocations), the constraint will apply to the following Apigee resources that are created when Apigee is provisioned:

• Control plane
• Consumer data
• Runtime
• Endpoints attachment
• Analytics

If you are provisioning a new Apigee organization within a Google Cloud project with a resource location constraint applied, you must ensure that the location constraint is compatible with the control plane location specified for your Apigee organization:

• If you provision an Apigee organization without data residency, the resource location constraint in your Google Cloud organization policy must be set to global. Because the Apigee control plane is a global entity by default, provisioning will fail if a constraint other than global is applied.
• If you provision an Apigee organization with data residency, confirm that any resource location constraint that may be set in your Google Cloud organization policy does not exclude the region you select for your control plane data. Otherwise, provisioning will fail.