Specifying processing locations
With the ability to specify a region in which to perform your Sensitive Data Protectionoperations, you can control where your potentially sensitive data is processed.This document explains the concept of Sensitive Data Protection processing locationand shows you how to specify a region.
To see a list of supported regions and multi-regions, seeSensitive Data Protection locations.
About regions and multi-regions
Aregion is a specific geographic place, such as the western United States ornortheast Asia. Amulti-region location (or justmulti-region) is a largegeographic area, such as the European Union, that contains two or moregeographic regions.
Location considerations
A good location balances latency, availability, and bandwidth costs.
Use a region to help optimize latency and network bandwidth.
Use a multi-region when you want to process data from outside of the Googlenetwork and distributed across large geographic areas, or when you want thehigher availability that comes with being redundant across regions.
Generally, you should process your data in a location that is convenient orcontains the majority of the users of your data.
If your organization is required to keep in-transit data within a specifiedlocation, then use only the regions or multi-regions thatsupport regionalendpoints(REP). In thiscase, you need to use the Cloud Data Loss Prevention API, because the regional endpoints forSensitive Data Protection aren't available for use with theGoogle Cloud console.
Specify a region
How you specify the processing region depends on the type of endpoint you aresending the request to—theglobal endpoint or aregional endpoint. Thetype of endpoint you choose depends on whether you're required to keepin-transit data within a specified region. For more information, seeGlobal andregional endpoints forSensitive Data Protection.
Specify a region in a request to the global endpoint
Console
Choose a region when setting up your Sensitive Data Protection operation.
For example, whencreating a job trigger,choose a location from theResource location menu, as shown here:
If the processing location is not a concern, use theGlobal region and Google choosesthe location where processing should take place.Global is the defaultregion choice.
REST
Insert region information into the request endpoint URL. If the processing location isnot a concern, use theglobal region and Google chooses the location whereprocessing should take place. Note that any resources created by a request thatspecifies theglobal region are stored under theglobal region.
The following are some example requests to the global endpoint.
Using the global region
The following two requests have the same effect. Not including a region is thesame as specifyinglocations/global/.
POST https://www.googleapis.com/dlp/v2/projects/PROJECT_ID/locations/global/content:inspect
POST https://www.googleapis.com/dlp/v2/projects/PROJECT_ID/content:inspect
Using a specific region
To specify a region for processing, within the resource URL, insertlocations/ and then theregion name.
POST https://www.googleapis.com/dlp/v2/projects/PROJECT_ID/locations/us-west2/content:inspect
Specify a region in a request to a regional endpoint
Console
For Sensitive Data Protection, regional endpoints aren't available for usewith the Google Cloud console.
C#
To learn how to install and use the client library for Sensitive Data Protection, seeSensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, seeSet up authentication for a local development environment.
usingSystem;usingSystem.Collections.Generic;usingSystem.Linq;usingGoogle.Api.Gax.ResourceNames;usingGoogle.Cloud.Dlp.V2;usingstaticGoogle.Cloud.Dlp.V2.InspectConfig.Types;publicclassInspectStringRep{publicstaticInspectContentResponseInspect(stringprojectId,stringrepLocation,stringdataValue,stringminLikelihood,intmaxFindings,boolincludeQuote,IEnumerable<InfoType>infoTypes,IEnumerable<CustomInfoType>customInfoTypes){varinspectConfig=newInspectConfig{MinLikelihood=(Likelihood)Enum.Parse(typeof(Likelihood),minLikelihood,true),Limits=newFindingLimits{MaxFindingsPerRequest=maxFindings},IncludeQuote=includeQuote,InfoTypes={infoTypes},CustomInfoTypes={customInfoTypes}};varrequest=newInspectContentRequest{Parent=newLocationName(projectId,repLocation).ToString(),Item=newContentItem{Value=dataValue},InspectConfig=inspectConfig};vardlp=newDlpServiceClientBuilder{Endpoint=$"dlp.{repLocation}.rep.googleapis.com"}.Build();varresponse=dlp.InspectContent(request);PrintResponse(includeQuote,response);returnresponse;}privatestaticvoidPrintResponse(boolincludeQuote,InspectContentResponseresponse){varfindings=response.Result.Findings;if(findings.Any()){Console.WriteLine("Findings:");foreach(varfindinginfindings){if(includeQuote){Console.WriteLine($" Quote: {finding.Quote}");}Console.WriteLine($" InfoType: {finding.InfoType}");Console.WriteLine($" Likelihood: {finding.Likelihood}");}}else{Console.WriteLine("No findings.");}}}Go
To learn how to install and use the client library for Sensitive Data Protection, seeSensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, seeSet up authentication for a local development environment.
import("context""fmt""io"dlp"cloud.google.com/go/dlp/apiv2""cloud.google.com/go/dlp/apiv2/dlppb""google.golang.org/api/option")// inspectString inspects the a given string, and prints results.funcinspectStringRep(wio.Writer,projectID,repLocation,textToInspectstring)error{// projectID := "my-project-id"// textToInspect := "My name is Gary and my email is gary@example.com"ctx:=context.Background()// Assemble the regional endpoint url using provided rep locationrepEndpoint:=fmt.Sprintf("dlp.%s.rep.googleapis.com:443",repLocation)// Initialize client.client,err:=dlp.NewClient(ctx,option.WithEndpoint(repEndpoint))iferr!=nil{returnerr}deferclient.Close()// Closing the client safely cleans up background resources.// Create and send the request.req:=&dlppb.InspectContentRequest{Parent:fmt.Sprintf("projects/%s/locations/%s",projectID,repLocation),Item:&dlppb.ContentItem{DataItem:&dlppb.ContentItem_Value{Value:textToInspect,},},InspectConfig:&dlppb.InspectConfig{InfoTypes:[]*dlppb.InfoType{{Name:"PHONE_NUMBER"},{Name:"EMAIL_ADDRESS"},{Name:"CREDIT_CARD_NUMBER"},},IncludeQuote:true,},}resp,err:=client.InspectContent(ctx,req)iferr!=nil{returnerr}// Process the results.result:=resp.Resultfmt.Fprintf(w,"Findings: %d\n",len(result.Findings))for_,f:=rangeresult.Findings{fmt.Fprintf(w,"\tQuote: %s\n",f.Quote)fmt.Fprintf(w,"\tInfo type: %s\n",f.InfoType.Name)fmt.Fprintf(w,"\tLikelihood: %s\n",f.Likelihood)}returnnil}Java
To learn how to install and use the client library for Sensitive Data Protection, seeSensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, seeSet up authentication for a local development environment.
importcom.google.cloud.dlp.v2.DlpServiceClient;importcom.google.cloud.dlp.v2.DlpServiceSettings;importcom.google.privacy.dlp.v2.ByteContentItem;importcom.google.privacy.dlp.v2.ByteContentItem.BytesType;importcom.google.privacy.dlp.v2.ContentItem;importcom.google.privacy.dlp.v2.Finding;importcom.google.privacy.dlp.v2.InfoType;importcom.google.privacy.dlp.v2.InspectConfig;importcom.google.privacy.dlp.v2.InspectContentRequest;importcom.google.privacy.dlp.v2.InspectContentResponse;importcom.google.privacy.dlp.v2.LocationName;importcom.google.protobuf.ByteString;importjava.io.IOException;importjava.util.ArrayList;importjava.util.List;publicclassInspectStringRep{publicstaticvoidmain(String[]args)throwsException{// TODO(developer): Replace these variables before running the sample.StringprojectId="your-project-id";StringrepLocation="regional-endpoint-location-to-use";StringtextToInspect="My name is Gary and my email is gary@example.com";inspectString(projectId,repLocation,textToInspect);}// Inspects the provided text.publicstaticvoidinspectString(StringprojectId,StringrepLocation,StringtextToInspect)throwsIOException{// Assemble the regional endpoint url using provided rep locationStringrepEndpoint=String.format("dlp.%s.rep.googleapis.com:443",repLocation);DlpServiceSettingssettings=DlpServiceSettings.newBuilder().setEndpoint(repEndpoint).build();// Initialize client that will be used to send requests. This client only needs to be created// once, and can be reused for multiple requests. After completing all of your requests, call// the "close" method on the client to safely clean up any remaining background resources.try(DlpServiceClientdlp=DlpServiceClient.create(settings)){// Specify the type and content to be inspected.ByteContentItembyteItem=ByteContentItem.newBuilder().setType(BytesType.TEXT_UTF8).setData(ByteString.copyFromUtf8(textToInspect)).build();ContentItemitem=ContentItem.newBuilder().setByteItem(byteItem).build();// Specify the type of info the inspection will look for.List<InfoType>infoTypes=newArrayList<>();// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info typesfor(StringtypeName:newString[]{"PHONE_NUMBER","EMAIL_ADDRESS","CREDIT_CARD_NUMBER"}){infoTypes.add(InfoType.newBuilder().setName(typeName).build());}// Construct the configuration for the Inspect request.InspectConfigconfig=InspectConfig.newBuilder().addAllInfoTypes(infoTypes).setIncludeQuote(true).build();// Construct the Inspect request to be sent by the client.InspectContentRequestrequest=InspectContentRequest.newBuilder().setParent(LocationName.of(projectId,repLocation).toString()).setItem(item).setInspectConfig(config).build();// Use the client to send the API request.InspectContentResponseresponse=dlp.inspectContent(request);// Parse the response and process resultsSystem.out.println("Findings: "+response.getResult().getFindingsCount());for(Findingf:response.getResult().getFindingsList()){System.out.println("\tQuote: "+f.getQuote());System.out.println("\tInfo type: "+f.getInfoType().getName());System.out.println("\tLikelihood: "+f.getLikelihood());}}}}REST
The following example sends acontent.inspect request to a regional endpoint.Any data attached to this request remains in the specified region while intransit, in use, and at rest.
Before using any of the request data, make the following replacements:
REP_REGION: a region where a regional endpoint (REP) for Sensitive Data Protection is available—for example,us-west2. For a full list of regions, seeSensitive Data Protection locations.PROJECT_ID: your Google Cloud project ID. Project IDs are alphanumeric strings, likeexample-project.
HTTP method and URL:
POST https://dlp.REP_REGION.rep.googleapis.com/v2/projects/PROJECT_ID/locations/REP_REGION/content:inspect
Request JSON body:
{ "inspectConfig": { "infoTypes": [ { "name": "CREDIT_CARD_NUMBER" } ] }, "item": { "value": "hi, my ccn is 4111111111111111" }}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedinspect-request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "x-goog-user-project:PROJECT_ID" \
-H "Content-Type: application/json; charset=utf-8" \
-d @inspect-request.json \
"https://dlp.REP_REGION.rep.googleapis.com/v2/projects/PROJECT_ID/locations/REP_REGION/content:inspect"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedinspect-request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "x-goog-user-project" = "PROJECT_ID" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile inspect-request.json `
-Uri "https://dlp.REP_REGION.rep.googleapis.com/v2/projects/PROJECT_ID/locations/REP_REGION/content:inspect" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "result": { "findings": [ { "infoType": { "name": "CREDIT_CARD_NUMBER", "sensitivityScore": { "score": "SENSITIVITY_HIGH" } }, "likelihood": "LIKELY", "location": { "byteRange": { "start": "14", "end": "30" }, "codepointRange": { "start": "14", "end": "30" } }, "createTime": "2024-08-09T19:54:13.348Z", "findingId": "2024-08-09T19:54:13.352163Z4747901452516738787" } ] }}Co-location considerations
When you scan a storage repository such as Cloud Storage orBigQuery, you should specify the same location in yourSensitive Data Protection request as the location of the repository you'rescanning. For example, if the BigQuery dataset is in the EuropeanUnion multi-region location, specify the European Union multi-region (europe)when configuring the Sensitive Data Protection job.
If you do not co-locate your Sensitive Data Protection request with the storagerepository you're scanning, processing of your request may be split between thelocation of the data and the location specified in the request.
Note: Sensitive Data Protection templates, stored infoTypes, and Cloud KMSkeys can only be used by Sensitive Data Protection jobs, job triggers, and thecontent methods in the same region.What's next
- Learn more aboutgeography and zones.
- See a list ofsupported regions andmulti-regions.
- Learn more aboutGlobal and regional endpoints forSensitive Data Protection.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.