Restrictions and limitations for Sovereign Controls for Kingdom of Saudi Arabia (KSA)

This page describes the restrictions, limitations, and other configuration options when using the Sovereign Controls for Kingdom of Saudi Arabia (KSA) control package.

Overview

The Sovereign Controls for KSA control package enables data access control and data residency features for supported Google Cloud products. Some of these services' features are restricted or limited by Google to be compatible with Sovereign Controls for KSA. Most of these restrictions and limitations are applied when creating a new Assured Workloads folder for Sovereign Controls for KSA. However, some of them can be changed later by modifying organization policies. Additionally, some restrictions and limitations require user responsibility for adherence.

It's important to understand how these restrictions modify the behavior for a given Google Cloud service or affect data access or data residency. For example, some features or capabilities may be automatically disabled to ensure that data access restrictions and data residency are maintained. Additionally, if an organization policy setting is changed, it might have the unintended consequence of copying data from one region to another.

Supported services

Unless otherwise noted, users can access all supported services through the Google Cloud console.

The following services are compatible with Sovereign Controls for Kingdom of Saudi Arabia (KSA):

Supported product API endpoints Restrictions or limitations
Access Approval Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • accessapproval.googleapis.com
None
Artifact Registry Regional API endpoints:
  • artifactregistry.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
BigQuery Regional API endpoints:
  • bigquery.me-central2.rep.googleapis.com
  • bigqueryconnection.me-central2.rep.googleapis.com
  • bigqueryreservation.me-central2.rep.googleapis.com
  • bigquerystorage.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Bigtable Regional API endpoints:
  • bigtable.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Google Cloud console Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • N/A
None
Compute Engine Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
Affected features and organization policy constraints
Cloud DNS Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • dns.googleapis.com
None
Sensitive Data Protection Regional API endpoints:
  • dlp.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Dataflow Regional API endpoints:
  • dataflow.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Dataproc Regional API endpoints:
  • dataproc.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Essential Contacts Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • essentialcontacts.googleapis.com
None
Filestore Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • file.googleapis.com
None
Cloud Storage Regional API endpoints:
  • storage.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
Affected features
Google Kubernetes Engine Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • container.googleapis.com
  • containersecurity.googleapis.com
Organization policy constraints
GKE Hub Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • gkehub.googleapis.com
None
Google Cloud Armor Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
Cloud HSM Regional API endpoints:
  • cloudkms.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Identity and Access Management (IAM) Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • iam.googleapis.com
None
Identity-Aware Proxy (IAP) Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • iap.googleapis.com
None
Cloud Interconnect Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
Affected features
Cloud Key Management Service (Cloud KMS) Regional API endpoints:
  • cloudkms.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Cloud Load Balancing Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
Cloud Logging Regional API endpoints:
  • logging.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Cloud Monitoring Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • monitoring.googleapis.com
Affected features
Cloud NAT Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
None
Network Connectivity Center Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
None
Organization Policy Service Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • orgpolicy.googleapis.com
None
Persistent Disk Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
Pub/Sub Regional API endpoints:
  • pubsub.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Resource Manager Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • cloudresourcemanager.googleapis.com
None
Resource Settings Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • resourcesettings.googleapis.com
None
Cloud Router Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
None
Cloud Run Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • run.googleapis.com
None
Cloud SQL Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • sqladmin.googleapis.com
None
Secret Manager Regional API endpoints:
  • secretmanager.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Service Directory Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • servicedirectory.googleapis.com
None
Spanner Regional API endpoints:
  • spanner.me-central2.rep.googleapis.com

Locational API endpoints are not supported.
Global API endpoints are not supported.
None
Virtual Private Cloud (VPC) Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
VPC Service Controls Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • accesscontextmanager.googleapis.com
None
Cloud VPN Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
Affected features

Organization policies

This section describes how each service is affected by the default organization policy constraint values when folders or projects are created using Sovereign Controls for KSA. Other applicable constraints—even if not set by default—can provide additional "defense-in-depth" to further protect your organization's Google Cloud resources.

Cloud-wide organization policy constraints

The following organization policy constraints apply across any applicable Google Cloud service.

Organization policy constraint Description
gcp.resourceLocations Set to in:us-locations as the allowedValues list item.

This value restricts creation of any new resources to the me-central2 value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of KSA. See the Organization policy value groups documentation for more information.

Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside the KSA data boundary.
gcp.restrictServiceUsage Set to allow all supported services.

Determines which services can be enabled and used. For more information, see Restrict resource usage for workloads.

Compute Engine organization policy constraints

Organization policy constraint Description
compute.disableInstanceDataAccessApis Set to True.

Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs.

Enabling this organization policy prevents you from generating credentials on Windows Server VMs.

If you need to manage a username and password on a Windows VM, do the following:
  1. Enable SSH for Windows VMs.
  2. Run the following command to change the VM's password:
    gcloud compute ssh
    VM_NAME --command "net user USERNAME PASSWORD"
    
    Replace the following:
    • VM_NAME: The name of the VM you're setting the password for.
    • USERNAME: The username of the user who you're setting the password for.
    • PASSWORD: The new password.
compute.enableComplianceMemoryProtection Set to True.

Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.

Changing this value may affect data residency in your workload; we recommend keeping the set value.

Google Kubernetes Engine organization policy constraints

Organization policy constraint Description
container.restrictNoncompliantDiagnosticDataAccess Set to True.

Used to disable aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload.

Changing this value may affect data sovereignty in your workload; we recommend keeping the set value.

Affected features

This section lists how each service's features or capabilities are affected by Sovereign Controls for KSA, including user requirements when using a feature.

Compute Engine features

Feature Description
Google Cloud console The following Compute Engine features are not available in the Google Cloud console. Use the API or Google Cloud CLI where available:

  1. Health checks
  2. Network endpoint groups
  3. Browser-based SSH is disabled
instances.getSerialPortOutput() This API is disabled; you will be unable to get serial port output from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port.
instances.getScreenshot() This API is disabled; you will be unable to get a screenshot from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port.

Cloud Interconnect features

Feature Description
High-availability (HA) VPN You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in this section.

Cloud Monitoring features

Feature Description
Synthetic Monitor This feature is disabled.
Uptime check This feature is disabled.
Log panel widgets in Dashboards This feature is disabled.

You cannot add a log panel to a dashboard.
Error reporting panel widgets in Dashboards This feature is disabled.

You cannot add an error reporting panel to a dashboard.
Filter in EventAnnotation for Dashboards This feature is disabled.

Filter of EventAnnotation cannot be set in a dashboard.
SqlCondition in alertPolicies This feature is disabled.

You cannot add a SqlCondition to an alertPolicy.

Cloud Storage features

Feature Description
Google Cloud console It is your responsibility to use the Jurisdictional Google Cloud console for Sovereign Controls for KSA. The Jurisdictional console prevents uploading and downloading Cloud Storage objects. To upload and download Cloud Storage objects, see the following Compliant API endpoints row.
Compliant API endpoints It is your responsibility to use one of the locational endpoints with Cloud Storage. See Cloud Storage locations for more information.

Cloud VPN features

Feature Description
Google Cloud console Cloud VPN features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

Footnotes

1. BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:

  1. In the Google Cloud console, go to the Assured Workloads page.

    Go to Assured Workloads

  2. Select your new Assured Workloads folder from the list.
  3. On the Folder Details page in the Allowed services section, click Review Available Updates.
  4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

    If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

Gemini in BigQuery is not supported by Assured Workloads.