This topic explains how to configure a new Apigee hybrid installation for data residency compliance.
About data residency
Starting with hybrid version 1.12, you can use data residency with new Apigee hybrid installations. You cannot convert an existing installation to use data residency.
Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored. With data residency, selecting the control plane location ensures that all customer content is stored within the specified region. See also Introduction to data residency.
Basic steps for data residency configuration
To configure Apigee hybrid for data residency, you need to follow a few basic steps, including:
- Creating an Apigee organization with data residency
- Creating an environment using the Apigee API
- Enabling the new data pipeline
- Configuring the overrides file(s)
Creating an Apigee organization with data residency
When you create an Apigee organization, you have the option of enabling the org with data residency. Creating an org with data residency requires you to specify two key location attributes: the control plane location and the consumer data region. For details, see Step 2: Create an organization.
Creating an environment using the Apigee API
If you create a new environment using the Apigee API, you must specify the control plane location. See Create an environment. If you use the UI to create an environment, no special steps are needed.
Enabling the new data pipeline
If data residency is enabled for a new hybrid 1.13.1 organization, then you must enable the new data pipeline feature. This feature enables analytics and debug data to be sent to the Apigee control plane. To enable the data pipeline, follow the instructions in Analytics and debug data collection with data residency.
Note that you
Configuring the overrides file(s)
If you are using a new data residency-enabled hybrid v1.13.1 org, you must add these configuration properties to each overrides file and apply them:
- contractProvider: The service endpoint for Apigee management APIs. For example: https://us-apigee.googleapis.com
- newDataPipeline.debugSession: Set this to true to use the new data pipeline.
- newDataPipeline.analytics: Set this to true to enable analytics to use the new data pipeline.
For example:
```yaml
instanceID: "my_hybrid_example"
namespace: apigee
gcp:
  projectID: hybrid-example
  region: us-central1
k8sCluster:
  name: apigee-hybrid
  region: us-central1
org: hybrid-example
contractProvider: https://us-apigee.googleapis.com
newDataPipeline:
  debugSession: true
  analytics: true
```
See Step 6: Create the overrides
When calling the Apigee APIs
When you make curl calls to Apigee APIs to perform tasks in your hybrid installation, you will need to call APIs from within the control plane location:
```shell
curl -H "Authorization: Bearer $TOKEN" \
  "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/ORG_NAME/envgroups"
```
For example:
```shell
curl -H "Authorization: Bearer $TOKEN" \
  "https://us-apigee.googleapis.com/v1/organizations/my-hybrid-org/envgroups"
```
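Because a contractProvider that points at a different region, or a data pipeline flag left unset, silently breaks data residency, it is worth checking each overrides file before applying it. The following is an added example, not part of the Apigee documentation or the hybrid tooling: it parses the key/value subset of YAML used above, verifies that contractProvider matches the control plane location and that both newDataPipeline flags are true, and derives the regional API base URL used for the curl calls. The overrides texts are constructed samples, and the global endpoint in the "bad" sample is only assumed for illustration.

```python
# Added example: validate a hybrid overrides file for data residency settings.

def parse_simple_yaml(text):
    """Parse the indented key: value subset used by overrides (no lists, anchors or flow syntax)."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split on the first colon only (URLs keep theirs)
        value = value.strip().strip('"')
        while indent <= stack[-1][0]:                # climb back up to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":                               # a key with no value opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root

def control_plane_api_base(control_plane_location):
    """Regional management API base: all calls must go to the control plane location."""
    return f"https://{control_plane_location}-apigee.googleapis.com/v1"

def check_data_residency(overrides, control_plane_location):
    """Return a list of problems; an empty list means the overrides are consistent."""
    problems = []
    expected = f"https://{control_plane_location}-apigee.googleapis.com"
    provider = overrides.get("contractProvider", "")
    if provider != expected:
        problems.append(f"contractProvider is {provider or 'missing'}, expected {expected}")
    pipeline = overrides.get("newDataPipeline", {})
    if not isinstance(pipeline, dict):
        pipeline = {}
    for flag in ("debugSession", "analytics"):   # both must be true for the new data pipeline
        if str(pipeline.get(flag, "")).lower() != "true":
            problems.append(f"newDataPipeline.{flag} must be true")
    return problems

# Constructed sample overrides (the page's example, and a misconfigured variant).
OVERRIDES_OK = """instanceID: "my_hybrid_example"
namespace: apigee
gcp:
  projectID: hybrid-example
  region: us-central1
org: hybrid-example
contractProvider: https://us-apigee.googleapis.com
newDataPipeline:
  debugSession: true
  analytics: true
"""
OVERRIDES_BAD = OVERRIDES_OK.replace("https://us-apigee", "https://apigee").replace("debugSession: true", "debugSession: false")
```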
URL allowlisting
You must enable a non-forward proxy route for Apigee hybrid data residency. This route can be a NAT with allowlisting for:
- iamcredentials.googleapis.com
- oauth2.googleapis.com
If you are using a forward proxy with data residency, you must allowlist:
- CONTROL_PLANE_LOCATION-apigee.googleapis.com
- ANALYTICS_REGION-pubsub.googleapis.com
- The URLs required by Apigee hybrid; see Google Cloud URLs to allow for Hybrid.
Enable analytics and debug data collection with data residency
To enable analytics and debug data collection, follow the instructions in Analytics and debug data collection with data residency.