Step 3: Configure hosting and encryption

This page applies to Apigee, but not to Apigee hybrid.

What you're doing in this step

In this step, depending on your specific user journey, you specify hosting locations for your Apigee analytics or control plane, runtime and dataplane instances, and API consumer data region. You also specify encryption key selections.

Tip: If you want to get up and running quickly with the simplest configuration, follow the instructions in User journey A: Google-managed encryption, no data residency.

The user journeys differ in how encryption keys are selected or created, whether those keys are managed by Google or by the customer, and whether data residency is enabled.

Some features are not supported when data residency is enabled. See Data residency compatibility for details.

The following keys are used during organization creation:

  Control plane key
    Encrypts Analytics data that is stored within BigQuery in the Apigee tenant project.
    Encrypts API proxies, Target Servers, Truststores and Keystores, and anything else shared across runtimes.

  API consumer data key
    Encrypts service infrastructure data. The API consumer data region must be a region within the control plane location.

  Runtime database key
    Encrypts application data such as KVMs, cache, and client secrets, which is then stored in the database.

The following key is used during each instance creation:

  Runtime disk key
    Encrypts KVMs, environment cache, and quota buckets and counters.
    Encrypts KMS data: API products, developers, developer apps, OAuth tokens (including access tokens, refresh tokens, and authorization codes), and API keys.

Perform the step

Permissions required for this task

You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. See Predefined roles and Runtime instance permissions.

To view the steps for your specific user journey, select one of the following user journeys. They are listed in order of complexity, with the easiest being user journey A.

The following diagram shows the possible user journeys to configure hosting and encryption for a Pay-as-you-go organization using the Cloud console.

The user journeys are noted A through F and are ordered easy to complex, where A is the easiest, and F is the most complex.

Paid provisioning flow

  User journey A: Google-managed encryption, no data residency
    Select this option if you:
      • Want to use Google-managed encryption keys
      • Are not required to store core content and processing in the same geographic region

  User journey B: Google-managed encryption, with data residency
    Select this option if you:
      • Want to use Google-managed encryption keys
      • Want to store your core content and processing in the same geographic region

  User journey C: Customer-managed encryption, no data residency
    Select this option if you:
      • Want to manage your own encryption keys
      • Are not required to store core content and processing in the same geographic region

  User journey D: Customer-managed encryption, with data residency
    Select this option if you:
      • Want to manage your own encryption keys
      • Want to store your core content and processing in the same geographic region

User journey A: Google-managed encryption, no data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Google-managed encryption key. This is a Google-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Clear the Enable data residency box.

      Note: If you are provisioning a new Apigee organization within a Google Cloud project with a resource location constraint applied in an organization policy, confirm that the location constraint is set to global. Because the Apigee control plane is a global entity by default, provisioning will fail if a constraint other than global is applied. For more information, see Introduction to data residency.

    2. From the Analytics region drop-down list, select the physical location where you want your analytics data stored. For a list of available Apigee API Analytics regions, including regions that support API hub, see Apigee locations. If you select a region that does not support API hub, an API hub instance is not created. To learn more about API hub, see What is API hub?
    3. Click Confirm.
  4. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted.
    2. Under Runtime database encryption key, Google-managed is listed as the encryption type.
    3. Under Runtime disk encryption key, Google-managed is listed as the encryption type.
    4. Click Confirm.
    5. Click Done.
  5. Click Next.
Warning: When you submit the completed configuration for provisioning Apigee (at the end of Step 4), you cannot go back and change the hosting region and encryption key selections. Apigee does not support updating the hosting region or encryption key selections after provisioning is complete. For example, if you select Google-managed encryption, you cannot change it to Customer-managed encryption later and vice versa.

Go to the next step, Step 4: Customize access routing.

User journey B: Google-managed encryption, with data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Google-managed encryption key. This is a Google-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Select the Enable data residency box.
    2. From the Control plane hosting jurisdiction drop-down list that displays, select the physical location where you want your data stored.

      Note: A jurisdiction refers to a location within a geopolitical boundary that may span more than one region. For a list of available control plane hosting jurisdictions, see Apigee locations.

    3. From the Control plane encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.

      Note: This step is only required if you select us (multiple regions in the US) or eu (multiple regions in the European Union) as your control plane hosting jurisdiction. If you select another region, this key is not required.

    4. Click Grant if prompted.
  4. In the API consumer data region section:
    1. From the API consumer data region drop-down list, select the physical location where you want your data stored. For a list of available consumer data regions, see Apigee locations.
    2. Under API consumer data encryption key, Google-managed is listed as the encryption type.
    3. Click Confirm.
  5. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted. For a list of available runtime regions, see Apigee locations. When using data residency, the runtime location must be within the control plane region.
    2. Under Runtime database encryption key, Google-managed is listed as the encryption type.
    3. Under Runtime disk encryption key, Google-managed is listed as the encryption type.
    4. Click Confirm.
    5. Click Done.
  6. Click Next.
Warning: When you submit the completed configuration for provisioning Apigee (at the end of Step 4), you cannot go back and change the hosting region and encryption key selections. Apigee does not support updating the hosting region or encryption key selections after provisioning is complete. For example, if you select Google-managed encryption, you cannot change it to Customer-managed encryption later and vice versa.

Go to the next step, Step 4: Customize access routing.

User journey C: Customer-managed encryption, no data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Customer-managed encryption key (CMEK). This is a user-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Clear the Enable data residency box.

      Note: If you are provisioning a new Apigee organization within a Google Cloud project with a resource location constraint applied in an organization policy, confirm that the location constraint is set to global. Because the Apigee control plane is a global entity by default, provisioning will fail if a constraint other than global is applied. For more information, see Introduction to data residency.

    2. From the Analytics region drop-down list, select the physical location where you want your analytics data stored. For a list of available Apigee API Analytics regions, see Apigee locations.
    3. Click Confirm.
  4. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted.
    2. From the Runtime database encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
    3. Click Grant if prompted.
    4. From the Runtime disk encryption key drop-down list, select or create a key for runtime instance data before it is written to disk. Each instance has its own disk encryption key.
    5. Click Grant if prompted.
    6. Click Confirm.
    7. Click Done.
  5. Click Next.
Warning: When you submit the completed configuration for provisioning Apigee (at the end of Step 4), you cannot go back and change the hosting region and encryption key selections. Apigee does not support updating the hosting region or encryption key selections after provisioning is complete. For example, if you select Google-managed encryption, you cannot change it to Customer-managed encryption later and vice versa.

Go to the next step, Step 4: Customize access routing.

User journey D: Customer-managed encryption, with data residency

In Step 3, the console displays a list of hosting and encryption configuration options and their default values. You can accept the default configuration, or click Edit to open the Hosting and encryption keys panel.

  1. In the Encryption type section, select Customer-managed encryption key (CMEK). This is a user-managed, server-side encryption key used to encrypt your Apigee instances and data before it is written to disk.
  2. Click Next.
  3. In the Control Plane section:
    1. Select the Enable data residency box.
    2. From the Control plane hosting jurisdiction drop-down list that displays, select the physical location where you want your data stored.

      Note: A jurisdiction refers to a location within a geopolitical boundary that may span more than one region. For a list of available control plane hosting jurisdictions, see Apigee locations.

    3. From the Control plane encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.

      Note: This step is only required if you select us (multiple regions in the US) or eu (multiple regions in the European Union) as your control plane hosting jurisdiction. If you select another region, this key is not required.

    4. Click Grant if prompted.
  4. In the API consumer data region section:
    1. From the API consumer data region drop-down list, select the physical location where you want your data stored. For a list of available consumer data regions, see Apigee locations.
    2. From the API consumer data encryption key drop-down list, select or create a key for data stored for the control plane.
    3. Click Grant if prompted.
    4. Click Confirm.
  5. In the Runtime section:
    1. From the Runtime hosting region drop-down list, select the region in which you want your instance hosted. When using data residency, the runtime location must be within the control plane region.
    2. From the Runtime database encryption key drop-down list, select or create a key for data stored and replicated across runtime locations.
    3. Click Grant if prompted.
    4. From the Runtime disk encryption key drop-down list, select or create a key for runtime instance data before it is written to disk. Each instance has its own disk encryption key.
    5. Click Grant if prompted.
    6. Click Confirm.
    7. Click Done.
  6. Click Next.
Warning: When you submit the completed configuration for provisioning Apigee (at the end of Step 4), you cannot go back and change the hosting region and encryption key selections. Apigee does not support updating the hosting region or encryption key selections after provisioning is complete. For example, if you select Google-managed encryption, you cannot change it to Customer-managed encryption later and vice versa.

Go to the next step, Step 4: Customize access routing.

How to create a key

To create a key:

  1. Click Create key.
  2. Select a key ring, or if one doesn't exist, enable Create key ring and enter a key ring name and pick your key ring location. Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.
  3. Click Continue.
  4. Create a key. Enter a name and protection level. Note that key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted. For protection level, Software is a good choice. This is the same default used by Cloud KMS; however, you can change it if you wish.
  5. Click Continue and review your selections.
  6. Click Create.
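The console steps above for user journeys C and D can be planned and checked from a shell before any key exists. The following script is an added example and is not part of the Apigee documentation or the Apigee product: it encodes the two placement rules this page states (a control plane key is needed only for the us and eu jurisdictions; with data residency the runtime region must lie within the control plane jurisdiction), lists which customer-managed keys a journey asks for, and prints the gcloud commands that correspond to "Create key" and the "Grant" prompt. The service agent address `service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com` and the modelling of "within the jurisdiction" as a region prefix (us- for us, europe- for eu, exact match otherwise) are assumptions, not facts from this page. Nothing is executed against Google Cloud; the commands are printed for review.

```shell
#!/bin/sh
# Added example, not from the Apigee documentation: plan the Cloud KMS keys
# for a customer-managed-encryption provisioning (user journeys C and D) and
# check the placement rules this page states before any key is created.
#
# Assumptions (not stated on the page):
#  - The Apigee service agent that needs the encrypter/decrypter role is
#    service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com.
#  - "Runtime location within the control plane region" is modelled as the
#    region prefix us- for the us jurisdiction, europe- for the eu
#    jurisdiction, and an exact match for a single-region jurisdiction.
# Nothing is executed against Google Cloud; gcloud commands are printed.

# control_plane_key_required JURISDICTION
# Returns 0 when a control plane encryption key must be supplied, which the
# page limits to the us and eu multi-region jurisdictions.
control_plane_key_required() {
  case "$1" in
    us|eu) return 0 ;;
    *)     return 1 ;;
  esac
}

# runtime_in_jurisdiction JURISDICTION RUNTIME_REGION
# Returns 0 when the runtime region lies within the control plane jurisdiction.
runtime_in_jurisdiction() {
  case "$1" in
    us) case "$2" in us-*)     return 0 ;; esac ;;
    eu) case "$2" in europe-*) return 0 ;; esac ;;
    *)  if [ "$1" = "$2" ]; then return 0; fi ;;
  esac
  return 1
}

# kms_key_name PROJECT_ID LOCATION KEY_RING KEY
# Builds the full Cloud KMS resource name of a key.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# keys_needed DATA_RESIDENCY(yes|no) JURISDICTION
# Lists the customer-managed keys the console asks for, in console order:
# the control plane key (us/eu only) and the API consumer data key appear
# only with data residency; the runtime database and disk keys always do.
keys_needed() {
  if [ "$1" = yes ]; then
    if control_plane_key_required "$2"; then
      printf 'control-plane '
    fi
    printf 'api-consumer-data '
  fi
  printf 'runtime-database runtime-disk\n'
}

# check_placement JURISDICTION RUNTIME_REGION
# Fails early on the placement rule the console would otherwise reject.
check_placement() {
  if runtime_in_jurisdiction "$1" "$2"; then
    echo "ok: runtime region $2 is within control plane jurisdiction $1"
    return 0
  fi
  echo "error: runtime region $2 is outside control plane jurisdiction $1" >&2
  return 1
}

# plan_key PROJECT_ID PROJECT_NUMBER LOCATION KEY_RING KEY
# Prints the gcloud commands that create the key ring and a Software
# protection-level key (the page's recommended default) and grant the
# Apigee service agent the encrypter/decrypter role, which is what the
# console's "Grant" prompt does.
plan_key() {
  agent="service-$2@gcp-sa-apigee.iam.gserviceaccount.com"  # assumed agent format
  printf 'gcloud kms keyrings create %s --project %s --location %s\n' "$4" "$1" "$3"
  printf 'gcloud kms keys create %s --project %s --location %s --keyring %s --purpose encryption --protection-level software\n' "$5" "$1" "$3" "$4"
  printf 'gcloud kms keys add-iam-policy-binding %s --project %s --location %s --keyring %s --member serviceAccount:%s --role roles/cloudkms.cryptoKeyEncrypterDecrypter\n' "$5" "$1" "$3" "$4" "$agent"
}

# Example with constructed values (user journey D, eu jurisdiction):
#   check_placement eu europe-west1 && \
#     plan_key my-project 123456789012 europe-west1 apigee-keys runtime-disk-key
```

Source the file and call `keys_needed yes eu` to see which keys a journey requires, then `check_placement` before `plan_key`; the printed commands are the only output, so they can be reviewed and run one at a time. Because the page says hosting regions and key choices cannot be changed after provisioning, the value of a check like this is in catching a region mismatch before the console form is submitted.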

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.