A 15 de setembro de 2026, todos os ambientes do Cloud Composer 1 e do Cloud Composer 2 versão 2.0.x vão atingir o fim da vida útil planeado e não vai poder usá-los. Recomendamos que planeie a migração para o Cloud Composer 3.
Esta página mostra como configurar
restrições de localização de recursos
para que os seus dados armazenados pelo Cloud Composer sejam mantidos nas
localizações que especificar.
Como funcionam as restrições de localização
As restrições de localização do Cloud Composer são determinadas com base
na política organizacional aplicada ao projeto onde
o ambiente do Cloud Composer é criado. Esta política é atribuída
no projeto ou é herdada da organização.
Com as restrições de localização ativadas, não é possível criar um ambiente numa região proibida pela política. Se uma região estiver na lista de recusa ou não estiver na lista de permissão, não pode criar ambientes nesta região.
Para permitir a criação de ambientes, a política tem de permitir toda a região e não uma zona específica dentro desta região. Por exemplo, a região europe-west3
tem de ser permitida pela política para criar
ambientes do Cloud Composer nesta região.
O Cloud Composer verifica as restrições de localização nos seguintes locais:
Criação de ambientes.
Atualização do ambiente, se forem criados recursos adicionais durante a operação.
Atualização do ambiente para ambientes mais antigos que não aplicam restrições de localização nas dependências do Cloud Composer.
Além de verificar as restrições de localização, o Cloud Composer
faz o seguinte:
Armazena imagens do Airflow personalizadas pelo utilizador em repositórios regionais do Artifact Registry. Por exemplo, estas imagens são criadas quando instala imagens PyPI personalizadas no seu ambiente.
Se a US multirregião for explicitamente proibida pela política, a utilização do Cloud Build é desativada. Neste caso, as imagens do Airflow personalizadas pelo utilizador são criadas no cluster do seu ambiente.
Instale uma dependência do Python num ambiente de IP privado com restrições de localização de recursos
Se definir restrições de localização de recursos para o seu projeto, não é possível usar o Cloud Build para instalar pacotes Python. Consequentemente, o acesso direto aos repositórios na Internet pública é desativado.
Para instalar dependências do Python num ambiente de IP privado quando as suas restrições de localização não permitem a US multirregião, use uma das seguintes opções:
Use um
servidor proxy
na sua rede VPC para se ligar a um repositório do PyPI na Internet
pública. Especifique o endereço do proxy no ficheiro /config/pip/pip.conf no contentor do Cloud Storage.
Se a sua política de segurança permitir o acesso à sua rede VPC a partir de endereços IP externos, pode configurar o Cloud NAT.
Armazene as dependências do Python na pasta dags no contentor do Cloud Storage para as instalar como bibliotecas locais.
Esta pode não ser uma boa opção se a árvore de dependências for grande.
Restrinja as localizações dos registos do Cloud Composer
Se os seus registos do Cloud Composer contiverem dados confidenciais, recomendamos que
redirecione os registos do Cloud Composer para um contentor do
Cloud Storage regional. Para o fazer, use um destinatário de registos. Depois de redirecionar os registos para um contentor do Cloud Storage, os registos não são enviados para o Cloud Logging.
LOCATION com a região onde o ambiente está localizado.
BUCKET_NAME com o nome do contentor. Por exemplo,
composer-logs-us-central1-example-environment.
Crie um novo destino de registo.
gcloudloggingsinkscreate\
composer-log-sink-ENVIRONMENT_NAME\
storage.googleapis.com/BUCKET_NAME\
--log-filter"resource.type=cloud_composer_environment AND \resource.labels.environment_name=ENVIRONMENT_NAME AND \resource.labels.location=LOCATION"
Substituir:
ENVIRONMENT_NAME com o nome do ambiente.
BUCKET_NAME com o nome do contentor.
LOCATION com a região onde o ambiente está localizado.
O resultado do comando anterior contém o número da conta de serviço. Conceda a função Criador de objetos de armazenamento a esta conta de serviço:
SA_NUMBER com o número da conta de serviço fornecido pelo comando gcloud logging sinks create no passo anterior.
Exclua os registos do seu ambiente do Registo.
gcloudloggingsinksupdate_Default\
--add-exclusionname=ENVIRONMENT_NAME-exclusion,filter=\"resource.type=cloud_composer_environment AND \resource.labels.environment_name=ENVIRONMENT_NAME AND \resource.labels.location=LOCATION"
Substituir:
ENVIRONMENT_NAME com o nome do ambiente.
LOCATION com a região onde o ambiente está localizado.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-28 UTC."],[[["\u003cp\u003eCloud Composer's resource location restrictions are based on organizational policies applied to the project, ensuring data remains within specified locations.\u003c/p\u003e\n"],["\u003cp\u003eEnabling location restrictions prevents environment creation in regions not listed in the Allow list or listed in the Deny list of the organizational policy.\u003c/p\u003e\n"],["\u003cp\u003eWhen location restrictions prevent the use of the \u003ccode\u003eUS\u003c/code\u003e multi-region, installing Python dependencies in private IP environments requires alternative methods like private PyPI repositories, proxy servers, Cloud NAT, or storing dependencies locally.\u003c/p\u003e\n"],["\u003cp\u003eFor sensitive data, Cloud Composer logs can be redirected to a regional Cloud Storage bucket via a log sink, removing them from Cloud Logging.\u003c/p\u003e\n"],["\u003cp\u003eTo redirect logs to a Cloud Storage bucket, you need to create a log sink and give it storage object creator permissions for the newly created bucket, as well as exclude the environment from the default logging.\u003c/p\u003e\n"]]],[],null,["# Configure resource location restrictions\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/configure-resource-location-restrictions \"View this page for Cloud Composer 3\") \\| **Cloud Composer 2** \\| [Cloud Composer 1](/composer/docs/composer-1/configure-resource-location-restrictions \"View this page for Cloud Composer 1\")\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page shows how to configure\n[resource location restrictions](/resource-manager/docs/organization-policy/defining-locations)\nso that your data stored by Cloud Composer is kept within\nthe locations you specify.\n\nHow location restrictions work\n------------------------------\n\nLocation restrictions for Cloud Composer are determined based\non the organizational policy that is applied to the project where\nthe Cloud Composer environment is created. This policy is assigned\neither within the project or is inherited from the organization.\n\nWith location restrictions enabled, it is not possible to create\nan environment in a region that is prohibited by the policy. If a region\nis listed in the Deny list, or is not listed in the Allow list, then you\ncannot create environments in this region.\n\nTo enable the creation of environments, the policy must allow the whole region\nand not a specific zone within this region. For example, the `europe-west3`\nregion must be allowed by the policy in order to create\nCloud Composer environments in this region.\n\nCloud Composer checks location restrictions at:\n\n- Environment creation.\n- Environment upgrade, if any additional resources are created during the operation.\n- Environment update, for older environments that do not enforce location restrictions on Cloud Composer dependencies.\n\nIn addition to checking the location restrictions, Cloud Composer\ndoes the following:\n\n- Stores user-customized Airflow images in regional Artifact Registry repositories. As an example, such images are created when you install custom PyPI images in your environment.\n- If the [`US` multi-region](/storage/docs/locations#location-mr) is explicitly prohibited by the policy, Cloud Build use is disabled. In this case, user-customized Airflow images are built in your environment's cluster.\n\nInstall a Python dependency to a private IP environment with resource location restrictions\n-------------------------------------------------------------------------------------------\n\nIf you set resource location restrictions for your project, then\nCloud Build can't be used to install Python packages. As a consequence,\ndirect access to repositories on the public internet is disabled.\n\nTo install Python dependencies in a Private IP environment when your\nlocation restrictions don't allow the [`US` multi-region](/storage/docs/locations#location-mr), use\none of the following options:\n\n- Use a private\n [PyPI repository hosted in your VPC network](/composer/docs/composer-2/install-python-dependencies#install-private-repo).\n\n- Use a\n [proxy server](https://pip.pypa.io/en/stable/user_guide/#using-a-proxy-server)\n in your VPC network to connect to a PyPI repository on the public\n internet. Specify the proxy address in the `/config/pip/pip.conf` file in\n the Cloud Storage bucket.\n\n- If your security policy permits access to your VPC network from external\n IP addresses, you can configure [Cloud NAT](/nat/docs/overview).\n\n- Store the Python dependencies in the `dags` folder in\n the Cloud Storage bucket, to\n [install them as local libraries](/composer/docs/composer-2/install-python-dependencies#install-local).\n This might not be a good option if the dependency tree is large.\n\nRestrict locations for Cloud Composer logs\n------------------------------------------\n\nIf your Cloud Composer logs contain sensitive data, you might want\nto redirect Cloud Composer logs to a regional\nCloud Storage bucket. To do so, use\na [log sink](/logging/docs/export/configure_export_v2). After you redirect logs to\na Cloud Storage bucket, your logs are not sent to Cloud Logging.\n**Caution:** To get support from Cloud Customer Care, you might need to grant Google support engineers access to the Cloud Composer logs stored in Cloud Storage. \n\n### gcloud\n\n1. Create a new Cloud Storage bucket.\n\n gcloud storage buckets create gs://\u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e --location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\n\n Replace:\n - `LOCATION` with the region where the environment is located.\n - `BUCKET_NAME` with the name of the bucket. For example, `composer-logs-us-central1-example-environment`.\n2. Create a new log sink.\n\n gcloud logging sinks create \\\n composer-log-sink-\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e \\\n storage.googleapis.com/\u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e \\\n --log-filter \"resource.type=cloud_composer_environment AND \\\n resource.labels.environment_name=\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e AND \\\n resource.labels.location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n\n Replace:\n - `ENVIRONMENT_NAME` with the name of the environment.\n - `BUCKET_NAME` with the name of the bucket.\n - `LOCATION` with the region where the environment is located.\n3. The output of the previous command contains the service\n account number. Grant the **Storage Object Creator** role to this\n service account:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=\"serviceAccount:\u003cvar translate=\"no\"\u003eSA_NUMBER\u003c/var\u003e@gcp-sa-logging.iam.gserviceaccount.com\" \\\n --role='roles/storage.objectCreator' \\\n --condition=None\n\n Replace:\n - `PROJECT_ID` with the [Project ID](/resource-manager/docs/creating-managing-projects).\n - `SA_NUMBER` with the service account number provided by the `gcloud logging sinks create` command on the previous step.\n4. Exclude the logs for your environment from Logging.\n\n **Caution:** [Audit logs](/logging/docs/audit) cannot be excluded. They are always sent to the default storage. \n\n gcloud logging sinks update _Default \\\n --add-exclusion name=\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e-exclusion,filter=\\\n \"resource.type=cloud_composer_environment AND \\\n resource.labels.environment_name=\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e AND \\\n resource.labels.location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n\n Replace:\n - `ENVIRONMENT_NAME` with the name of the environment.\n - `LOCATION` with the region where the environment is located.\n\nWhat's next\n-----------\n\n- [Cloud Composer security overview](/composer/docs/composer-2/composer-security-overview)\n- [Access control](/composer/docs/composer-2/access-control)"]]
