Using data residency with Apigee hybrid

This topic explains how to configure a new Apigee hybrid installation for data residency compliance.

About data residency

Starting with hybrid version 1.12, you can use data residency with new Apigee hybrid installations. You cannot convert an existing installation to use data residency.

Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored. With data residency, selecting the control plane location ensures that all customer content is stored within the specified region. See also Introduction to data residency.

Basic steps for data residency configuration

To configure Apigee hybrid for data residency, you need to follow a few basic steps, including:

Creating an Apigee organization with data residency

When you create an Apigee organization, you have the option of enabling the org with data residency. Creating an org with data residency requires you to specify two key location attributes: the control plane location and the consumer data region. For details, see Step 2: Create an organization.

Creating an environment using the Apigee API

If you create a new environment using the Apigee API, you must specify the control plane location. See Create an environment. If you use the UI to create an environment, no special steps are needed.

Enabling the new data pipeline

If data residency is enabled for a new hybrid 1.13.1 organization, then you must enable the new data pipeline feature. This feature enables analytics and debug data to be sent to the Apigee control plane. To enable the data pipeline, follow the instructions in Analytics and debug data collection with data residency.

Note that you

Configuring the overrides file(s)

If you are using a new data residency-enabled hybrid v1.13.1 org, you must add these configuration properties to each overrides file and apply them:

For example:

instanceID: "my_hybrid_example"
namespace: apigee

gcp:
  projectID: hybrid-example
  region: us-central1

k8sCluster:
  name: apigee-hybrid
  region: us-central1

org: hybrid-example

contractProvider: https://us-apigee.googleapis.com
newDataPipeline:
  debugSession: true
  analytics: true

See Step 6: Create the overrides

When calling the Apigee APIs

When you make curl calls to Apigee APIs to perform tasks in your hybrid installation, you must send them to the API endpoint for your control plane location:

curl -H "Authorization: Bearer $TOKEN" \
  "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/ORG_NAME/envgroups"

For example:

curl -H "Authorization: Bearer $TOKEN" \
  "https://us-apigee.googleapis.com/v1/organizations/my-hybrid-org/envgroups"
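
The overrides settings and the regional endpoint pattern above can be checked before the overrides are applied. The following preflight check is an added example, not part of Apigee's documentation or tooling. The function name check_overrides and the sample file are constructed, and it assumes that contractProvider uses the same https://CONTROL_PLANE_LOCATION-apigee.googleapis.com host as the API calls and that the overrides file uses flat top-level keys with two-level nesting, as in the example on this page.

```shell
# Added example (not Apigee tooling): preflight check for a data residency overrides file.
# Usage: check_overrides FILE CONTROL_PLANE_LOCATION   (0 = pass, 1 = findings, 2 = bad argument)
check_overrides() {
  local file="$1" location="$2"
  # Reject empty or malformed locations before building the expected URL.
  case "$location" in
    ''|*[!a-z0-9-]*) echo "invalid control plane location: '$location'"; return 2 ;;
  esac
  # Assumption: contractProvider follows the regional host pattern of the page's example.
  awk -v expected="https://${location}-apigee.googleapis.com" '
    { sub(/[ \t]*#.*$/, ""); sub(/[ \t\r]+$/, "") }   # drop comments, trailing space
    /^[ \t]*$/ { next }                                # skip blank lines
    /^[^ \t]/ {                                        # unindented line: top-level key
      section = $0; sub(/:.*/, "", section)
      if (section == "contractProvider") {
        provider = $0
        sub(/^[^:]*:[ \t]*/, "", provider); gsub(/"/, "", provider)
      }
      next
    }
    section == "newDataPipeline" {                     # indented child of newDataPipeline
      key = $1; sub(/:$/, "", key); flags[key] = $2
    }
    END {
      bad = 0
      if (provider != expected) {
        printf "contractProvider is \"%s\", expected \"%s\"\n", provider, expected; bad = 1
      }
      n = split("debugSession analytics", need, " ")
      for (i = 1; i <= n; i++)
        if (flags[need[i]] != "true") {
          printf "newDataPipeline.%s is not set to true\n", need[i]; bad = 1
        }
      exit bad
    }
  ' "$file"
}

# Constructed sample mirroring the example on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
contractProvider: https://us-apigee.googleapis.com
newDataPipeline:
  debugSession: true
  analytics: true
EOF
check_overrides "$sample" us && echo "overrides OK for control plane location 'us'"
rm -f "$sample"
```

A non-zero exit status means the file either points at an endpoint outside the expected control plane location or leaves one of the newDataPipeline flags unset, so the check can gate a deployment pipeline.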

URL allowlisting

You must enable a non-forward proxy route for Apigee hybrid data residency. This route can be a NAT with allowlisting for:

  • iamcredentials.googleapis.com
  • oauth2.googleapis.com

If you are using forward proxy with data residency, you must allowlist: