Specifying processing locations

With the ability to specify a region in which to perform your Sensitive Data Protection operations, you can control where your potentially sensitive data is processed. This topic explains the concept of Sensitive Data Protection processing location and shows you how to specify a region.

About regions and multi-regions

A region is a specific geographic place, such as the western United States or northeast Asia. A multi-region location (or just multi-region) is a large geographic area, such as the European Union, that contains two or more geographic regions.

Location considerations

A good location balances latency, availability, and bandwidth costs.

  • Use a region to help optimize latency and network bandwidth.

  • Use a multi-region when you want to process data from outside of the Google network and distributed across large geographic areas, or when you want the higher availability that comes with being redundant across regions.

  • Generally, you should process your data in a location that is convenient or contains the majority of the users of your data.

Specify a region

To specify a region in which Sensitive Data Protection will process your request:

Console

Choose a region when setting up your Sensitive Data Protection operation.

For example, when creating a job trigger, choose a location from the Resource location menu, as shown here:

If data residency is not a concern, use the Global region and Google chooses the location where processing should take place. Global is the default region choice.

Protocol

Insert region information into the request endpoint URL. If data residency is not a concern, use the global region and Google chooses the location where processing should take place. Note that any resources created by a request that specifies the global region are stored under the global region.

Following are some example requests, sent first to the global region, and then to a region for the west coast of the United States.

Global region request:

The following two requests have the same effect. Not including a region is the same as specifying locations/global/.

POST https://www.googleapis.com/dlp/v2/projects/PROJECT_ID/locations/global/content:inspect
POST https://www.googleapis.com/dlp/v2/projects/PROJECT_ID/content:inspect

Region-specific request:

To specify a region for processing, within the resource URL, insert locations/ and then the region name.

POST https://www.googleapis.com/dlp/v2/projects/PROJECT_ID/locations/us-west2/content:inspect

Co-location considerations

When you scan a storage repository such as Cloud Storage or BigQuery, you should specify the same location in your Sensitive Data Protection request as the location of the repository you're scanning. For example, if the BigQuery dataset is in the European Union multi-region location, specify the European Union multi-region (europe) when configuring the Sensitive Data Protection job.

If you do not co-locate your Sensitive Data Protection request with the storage repository you're scanning, processing of your request may be split between the location of the data and the location specified in the request.

What's next