Introduction to data residency
This document describes data residency for Apigee.
Overview
For many industry verticals and enterprises, using a cloud offering results in increased scrutiny from security and compliance teams (what data is stored in the cloud, where it is stored, who has access to it, who can see the data, etc.). In addition to this, many countries have passed data privacy laws that prohibit Personally Identifiable Information (PII) data from being stored outside the country or region.
Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored. Historically, Apigee allowed you to select the instance region and analytics region; however, Apigee also has global infrastructure, such as an API proxy bundle or other customer data. With data residency, selecting the control plane location ensures that all customer content is stored within the specified region.
Apigee has achieved FedRAMP High authorization, successfully meeting standards required for data residency. For more information, see Data residency and FedRAMP compliance.
Data residency compatibility
Data residency can be used with the following:
- Apigee organizations (Subscription or Pay-as-you-go)
- Apigee hybrid. See Data residency and Apigee hybrid.
- Operations Anomalies for non-hybrid Subscription organizations
- Monetization enabled in Subscription organizations for non-hybrid organizations
- API analytics
- Advanced API Security
- Apigee API hub.
- Data collector. Data collectors are supported for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.
- Preview- or Beta-release features, such as the preview releases for Looker Studio Integration and Shadow API Discovery
- Eval organizations
- Integrated portals
- Apigee Adapter for Envoy
- Google Cloud CLI. To provision or manage a data residency-enabled organization, you can use Apigee in the Google Cloud console or the Apigee APIs.
Key points
If data residency is enabled for your Apigee installation, note the following key points:
- Data residency must be enabled at the time Apigee is provisioned. You cannot enable data residency for an already-provisioned org.
- By default, the control plane is a global entity unless you select data residency (regionalization) at the time of Apigee organization creation; this choice cannot be changed later. Once you select data residency and the control plane location, they cannot be changed. If you later need a different location, you will need to create a new Google Cloud project.
- When provisioning an org:
  - Without data residency: Specify the region with ANALYTICS_REGION.
  - With data residency: Specify the region with CONTROL_PLANE_LOCATION and the sub-region with CONSUMER_DATA_REGION. See Data residency regions.
- The admin who provisions Apigee must:
  - Inform Apigee users, such as API developers and other admins, about the data residency configuration
  - Set the location org policy as described in Restricting Resource Locations
- API developers, admins, or other users of Apigee management APIs must use the new data residency API service endpoint.
Data residency regions
Data residency allows you to choose the region (physical location) during provisioning where data is stored.
When specifying the region (for example, us), you must also specify a single region (for example, us-west1) for other services that can run only in a single region, such as Analytics reports.
All resources must be within the region specified. For example, if you select us for the CONTROL_PLANE_LOCATION, the other Apigee resources, such as the runtime instance, referencing CMEK, endpoint attachment, etc., must also be within the us region.
The type of data that is stored when you choose data residency is referred to as control plane data and consumer data.
Control plane data is analytics data, API proxies, target servers, truststores and keystores and anything else shared across runtimes. Consumer data is analytics data that is processed by services that run in a single region.
See Apigee locations for the currently supported control-plane regions.
Data residency service endpoint
A service endpoint is a base URL that specifies the network address of an API service.
The Apigee API service endpoint, or hostname, is apigee.googleapis.com.
- No data residency:
  Use the service endpoint as follows:
    apigee.googleapis.com
  For example:
    curl "https://apigee.googleapis.com/v1/organizations?parent=projects/$PROJECT_ID" ...
- Data residency:
  Prepend the control plane region to the service endpoint:
    CONTROL_PLANE_LOCATION-apigee.googleapis.com
  For example:
    curl "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations?parent=projects/$PROJECT_ID" ...
  Where CONTROL_PLANE_LOCATION is the physical location, specified during provisioning, at which Apigee control plane data will be stored.
  For example:
    curl "https://us-apigee.googleapis.com/v1/organizations?parent=projects/$PROJECT_ID" ...
How to view the region
If you have already provisioned your org (PROJECT_ID) for use with data residency, you can use the getProjectMapping API to display the regions associated with a project:
- Authorize gcloud to access the Cloud Platform with your Google user credentials:
    gcloud auth login
- Call the API:
    curl -X GET https://apigee.googleapis.com/v1/organizations/PROJECT_ID:getProjectMapping \
      -H "Authorization: Bearer $(gcloud auth print-access-token)"
  Where PROJECT_ID is your Apigee organization name or Google Cloud project ID.
Something similar to the following is returned:
{
  "organization": "my-project",
  "projectIds": [
    "my-project"
  ],
  "projectId": "my-project",
  "location": "us"
}
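An added example, not taken from the Apigee documentation: a Python check that reads a getProjectMapping response and flags management API URLs (for instance, collected from CI or admin scripts) that do not use the service endpoint prescribed above for that org. The function names, the sample URLs, and the treatment of a missing or "global" location as "no data residency" are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

GLOBAL_HOST = "apigee.googleapis.com"

# Constructed sample: a getProjectMapping response shaped like the one on this page.
SAMPLE_MAPPING = """{"organization": "my-project", "projectIds": ["my-project"],
                     "projectId": "my-project", "location": "us"}"""
# Constructed sample: URLs as they might be collected from CI or admin scripts.
SAMPLE_URLS = [
    "https://apigee.googleapis.com/v1/organizations/my-project/apis",
    "https://us-apigee.googleapis.com/v1/organizations/my-project/apis",
    "https://eu-apigee.googleapis.com/v1/organizations/my-project/apis",
    "https://apigee.googleapis.com/v1/organizations/my-project:getProjectMapping",
    "https://storage.googleapis.com/my-bucket/report.csv",
]

def expected_host(mapping_json):
    """Return the management API host for the org described by the mapping."""
    location = json.loads(mapping_json).get("location", "")
    # Assumption: a missing or "global" location means no data residency.
    if location in ("", "global"):
        return GLOBAL_HOST
    if not re.fullmatch(r"[a-z][a-z0-9-]*", location):
        raise ValueError(f"unexpected location value: {location!r}")
    return f"{location}-{GLOBAL_HOST}"

def audit_urls(mapping_json, urls):
    """Return (url, reason) for each Apigee API URL that uses the wrong host."""
    want = expected_host(mapping_json)
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host != GLOBAL_HOST and not host.endswith("-" + GLOBAL_HOST):
            continue  # not an Apigee management API call
        # The page calls getProjectMapping on the global host, so allow that.
        if host == GLOBAL_HOST and parts.path.endswith(":getProjectMapping"):
            continue
        if host != want:
            findings.append((url, f"uses {host}, expected {want}"))
    return findings

if __name__ == "__main__":
    for url, reason in audit_urls(SAMPLE_MAPPING, SAMPLE_URLS):
        print(f"FLAG {url}: {reason}")
```

For the constructed samples, the global-endpoint call and the eu- call are flagged; the us- call, the getProjectMapping lookup and the non-Apigee URL are not.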
Data residency encryption
See Introduction to CMEK.
Data residency and organization policy constraints
Google Cloud's organization policy constraints make it possible to define a set of locations where location-based Google Cloud resources can be created for your Google Cloud organization. If you have a Google Cloud organization policy that uses a resource location constraint (constraints/gcp.resourceLocations), the constraint will apply to the following Apigee resources that are created when Apigee is provisioned:
If you are provisioning a new Apigee organization within a Google Cloud project with a resource location constraint applied, you must ensure that the location constraint is compatible with the control plane location specified for your Apigee organization:
- If you provision an Apigee organization without data residency, the resource location constraint in your Google Cloud organization policy must be set to global. Because the Apigee control plane is a global entity by default, provisioning will fail if a constraint other than global is applied.
- If you provision an Apigee organization with data residency, confirm that any resource location constraint that may be set in your Google Cloud organization policy does not exclude the region you select for your control plane data. Otherwise, provisioning will fail.
Data residency and FedRAMP compliance
Apigee is authorized as a FedRAMP High service for organizations where data residency is enabled. If you choose to enable data residency when provisioning an Apigee Subscription or Pay-as-you-go organization, the following services are in scope under Apigee's FedRAMP Authority To Operate (ATO):
- The regionalized Apigee organization's control plane, runtime plane, and analytics.
- The regionalized Apigee hybrid organization's control plane and analytics.
The following Apigee offerings are not in scope under Apigee's FedRAMP ATO:
- API analytics
- Advanced API Security
- Integrated portals
- Apigee evaluation organizations
- Apigee data collectors
Data residency and Apigee hybrid
You can configure new Apigee hybrid installations to use data residency, starting with hybrid version 1.12. See Using data residency with Apigee hybrid.
Apigee hybrid version 1.14.0 and later with data residency enabled supports Advanced API Security, Apigee API analytics, and the Debug tool.
Apigee hybrid with data residency enabled does not support distributed trace. See the Known Issue.
Last updated 2025-12-15 UTC.