This topic explains how to configure a new Apigee hybrid installation for data residency compliance.
About data residency
Starting with hybrid version 1.12, you can use data residency with new Apigee hybrid installations. You cannot convert an existing installation to use data residency.
Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored. With data residency, selecting the control plane location ensures that all customer content is stored within the specified region. See also Introduction to data residency.
Basic steps for data residency configuration
To configure Apigee hybrid for data residency, you need to follow a few basic steps, including:
- Creating an Apigee organization with data residency
- Creating an environment using the Apigee API
- Enabling the new data pipeline
- Configuring the overrides file(s)
Creating an Apigee organization with data residency
When you create an Apigee organization, you have the option of enabling the org with data residency. Creating an org with data residency requires you to specify two key location attributes: the control plane location and the consumer data region. You will also need to specify the billing type. For details, see Step 2: Create an organization.
- Control plane location: You need to specify the location where customer core content, such as proxy bundles, is stored. For a list, see Available Apigee API control plane regions.
  The control plane location is the location of the service endpoint, for example us for United States. The following table lists available hosting jurisdictions and regions for the Apigee control plane.
Americas

| Control plane hosting jurisdiction description | Control plane hosting jurisdiction name | Details |
| --- | --- | --- |
| United States | us | (multiple regions in United States) Service endpoint: us-apigee.googleapis.com |
| Canada | ca | (multiple regions in Canada) Service endpoint: ca-apigee.googleapis.com |

| Consumer data region description | Consumer data region name | Details |
| --- | --- | --- |
| Iowa | us-central1 | Low CO2 |
| Oregon | us-west1 | Low CO2 |
| Los Angeles | us-west2 | |
| Salt Lake City | us-west3 | |
| Las Vegas | us-west4 | |
| South Carolina | us-east1 | |
| Northern Virginia | us-east4 | |
| Columbus | us-east5 | |
| Dallas | us-south1 | |
| Montréal | northamerica-northeast1 | Low CO2 |
| Toronto | northamerica-northeast2 | Low CO2 |

Europe

| Control plane hosting jurisdiction description | Control plane hosting jurisdiction name | Details |
| --- | --- | --- |
| European Union | eu | (multiple regions in the European Union) Service endpoint: eu-apigee.googleapis.com |
| Germany | de | (multiple regions in Germany) Service endpoint: de-apigee.googleapis.com |
| France | fr | (single region europe-west9) Service endpoint: fr-apigee.googleapis.com |
| Switzerland | ch | (single region europe-west6) Service endpoint: ch-apigee.googleapis.com |

| Consumer data region description | Consumer data region name | Details |
| --- | --- | --- |
| Belgium | europe-west1 | Low CO2 |
| Frankfurt | europe-west3 | Low CO2 |
| Netherlands | europe-west4 | |
| Zurich | europe-west6 | Low CO2 |
| Milan | europe-west8 | |
| Paris | europe-west9 | Low CO2 |
| Turin | europe-west12 | |
| Warsaw | europe-central2 | |
| Madrid | europe-southwest1 | Low CO2 |
| Finland | europe-north1 | Low CO2 |

Asia-Pacific

| Control plane hosting jurisdiction description | Control plane hosting jurisdiction name | Details |
| --- | --- | --- |
| Australia | au | (multiple regions in Australia) Service endpoint: au-apigee.googleapis.com |
| India | in | (multiple regions in India) Service endpoint: in-apigee.googleapis.com |
| Japan | jp | (multiple regions in Japan) Service endpoint: jp-apigee.googleapis.com |

| Consumer data region description | Consumer data region name | Details |
| --- | --- | --- |
| Sydney | australia-southeast1 | |
| Melbourne | australia-southeast2 | |
| Mumbai | asia-south1 | |
| Delhi | asia-south2 | |
| Tokyo | asia-northeast1 | |
| Osaka | asia-northeast2 | |
Middle East

| Control plane hosting jurisdiction description | Control plane hosting jurisdiction name | Details |
| --- | --- | --- |
| Saudi Arabia | sa | (single region me-central2) Service endpoint: sa-apigee.googleapis.com |
| Israel | il | (single region me-west1) Service endpoint: il-apigee.googleapis.com |

| Consumer data region description | Consumer data region name | Details |
| --- | --- | --- |
| Dammam | me-central2 | |
| Tel Aviv | me-west1 | |
- Consumer data region: You need to specify a region where API consumer data is stored. This must be a sub-region of the control plane region. For a list of available consumer data regions, see Apigee locations.
- Billing type: You can only use data residency with paid subscription orgs.
Creating an environment using the Apigee API
If you create a new environment using the Apigee API, you must specify the control plane location. See Create an environment. If you use the UI to create an environment, no special steps are needed.
Enabling the new data pipeline
When data residency is enabled for a new organization, you must enable the new data pipeline feature. This feature enables analytics and debug data to be sent to the Apigee control plane. To enable the data pipeline, follow the instructions in Analytics and debug data collection with data residency.
Overrides changes to enable the new data pipeline
Add the following configuration properties to each overrides file and apply them:
- contractProvider: The service endpoint for Apigee management APIs. For example: https://us-apigee.googleapis.com.
- newDataPipeline.debugSession: Set this to true to use the new data pipeline.
- newDataPipeline.analytics: Set this to true to enable analytics to use the new data pipeline.
For example:
instanceID: "my_hybrid_example"
namespace: apigee

gcp:
  projectID: hybrid-example
  region: us-central1

k8sCluster:
  name: apigee-hybrid
  region: us-central1

org: hybrid-example

contractProvider: https://us-apigee.googleapis.com

newDataPipeline:
  debugSession: true
  analytics: true
See Step 6: Create the overrides
When calling the Apigee APIs
When you make curl calls to Apigee APIs to perform tasks in your hybrid installation, you need to call the APIs through the service endpoint for your control plane location:
curl -H "Authorization: Bearer $TOKEN" \
  "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/ORG_NAME/envgroups"
For example:
curl -H "Authorization: Bearer $TOKEN" \
  "https://us-apigee.googleapis.com/v1/organizations/my-hybrid-org/envgroups"
URL allowlisting
If you are using forward proxies with data residency, you must additionally allowlist in the forward proxy:
- CONTROL_PLANE_LOCATION-apigee.googleapis.com
- ANALYTICS_REGION-pubsub.googleapis.com
- The URLs required by Apigee hybrid; see Google Cloud URLs to allow for Hybrid.
Enable analytics and debug data collection with data residency
To enable analytics and debug data collection, follow the instructions in Analytics and debug data collection with data residency.