This page provides information on how your data is protected while data moves between your site and the cloud provider or between two services in the context of AML AI.
- Internal Google services, including those used by AML AI, generally use ALTS. ALTS is similar in concept to mTLS but has been optimized for Google's data center environments. In some cases, TLS is used.
- External communications to financialservices.googleapis.com (the AML AI endpoint) uses TLS to the Google Front End (GFE). The GFE ensures that all TLS connections are terminated with correct certificates and that all best practices are followed. Traffic between the GFE and financialservices.googleapis.com is internal and is encrypted with ALTS.
- Traffic from a VM on Google Cloud to the GFE is encrypted with TLS. By default, this traffic uses external IP addresses but can use internal IP addresses using Private Google Access.
- mTLS can be configured using BeyondCorp Enterprise. Because a VPC-SC access level must be configured, see documentation on VPC-SC in AML AI. The mTLS specific endpoint must be used, financialservices.mtls.googleapis.com.
For more details, see encryption in transit in Google Cloud.