Canada Regions and Support control package

This page describes the set of controls that are applied on Canada Regions and Support workloads in Assured Workloads. It provides detailed information about data residency, supported Google Cloud products and their API endpoints, and any applicable restrictions or limitations on those products. The following additional information applies to Canada Regions and Support:

  • Data residency: The Canada Regions and Support control package sets data location controls to support Canada-only regions. See the Google Cloud-wide organization policy constraints section for more information.
  • Support: Technical support services for Canada Regions and Support workloads are available with Enhanced or Premium Cloud Customer Care subscriptions. Canada Regions and Support workloads support cases are routed to Canadian personnel located in Canada; see Getting support for more information.
  • Pricing: The Canada Regions and Support control package is included in Assured Workloads' Premium tier, which incurs an 20% additional charge. See Assured Workloads pricing for more information.

Supported products and API endpoints

Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings, are listed in the following table.

If a product is not listed, that product is unsupported and has not met the control requirements for Canada Regions and Support. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model. Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.

Supported product API endpoints Restrictions or limitations
Access Approval accessapproval.googleapis.com
None
Access Context Manager accesscontextmanager.googleapis.com
None
Access Transparency accessapproval.googleapis.com
None
AlloyDB for PostgreSQL alloydb.googleapis.com
None
Cloud Service Mesh mesh.googleapis.com
meshca.googleapis.com
meshconfig.googleapis.com
None
Apigee apigee.googleapis.com
None
Artifact Registry artifactregistry.googleapis.com
None
BigQuery bigquery.googleapis.com
bigqueryconnection.googleapis.com
bigquerydatapolicy.googleapis.com
bigquerydatatransfer.googleapis.com
bigquerymigration.googleapis.com
bigqueryreservation.googleapis.com
bigquerystorage.googleapis.com
Affected features
Bigtable bigtable.googleapis.com
bigtableadmin.googleapis.com
None
Certificate Authority Service privateca.googleapis.com
None
Cloud Composer composer.googleapis.com
None
Cloud DNS dns.googleapis.com
None
Cloud Data Fusion datafusion.googleapis.com
None
Cloud External Key Manager (Cloud EKM) cloudkms.googleapis.com
None
Cloud Run functions cloudfunctions.googleapis.com
None
Cloud HSM cloudkms.googleapis.com
None
Cloud Interconnect networkconnectivity.googleapis.com
None
Cloud Key Management Service (Cloud KMS) cloudkms.googleapis.com
None
Cloud Load Balancing compute.googleapis.com
None
Cloud Logging logging.googleapis.com
Affected features
Cloud Monitoring monitoring.googleapis.com
None
Cloud NAT networkconnectivity.googleapis.com
None
Cloud Router networkconnectivity.googleapis.com
None
Cloud Run run.googleapis.com
None
Cloud SQL sqladmin.googleapis.com
None
Cloud Storage storage.googleapis.com
None
Cloud Tasks cloudtasks.googleapis.com
None
Cloud VPN compute.googleapis.com
None
Cloud Vision API vision.googleapis.com
None
Compute Engine compute.googleapis.com
Affected features and organization policy constraints
Connect gkeconnect.googleapis.com
None
Sensitive Data Protection dlp.googleapis.com
None
Dataflow dataflow.googleapis.com
datapipelines.googleapis.com
None
Dataform dataform.googleapis.com
None
Dataproc dataproc-control.googleapis.com
dataproc.googleapis.com
None
Eventarc eventarc.googleapis.com
None
Filestore file.googleapis.com
None
Firestore firestore.googleapis.com
None
GKE Hub gkehub.googleapis.com
None
GKE Identity Service anthosidentityservice.googleapis.com
None
Generative AI on Vertex AI aiplatform.googleapis.com
None
Google Cloud Armor compute.googleapis.com
networksecurity.googleapis.com
None
Google Kubernetes Engine (GKE) container.googleapis.com
containersecurity.googleapis.com
None
Google Security Operations SIEM chronicle.googleapis.com
chronicleservicemanager.googleapis.com
None
Identity and Access Management (IAM) iam.googleapis.com
None
Identity-Aware Proxy (IAP) iap.googleapis.com
None
Memorystore for Redis redis.googleapis.com
None
Network Connectivity Center networkconnectivity.googleapis.com
None
Persistent Disk compute.googleapis.com
None
Pub/Sub pubsub.googleapis.com
None
Resource Manager cloudresourcemanager.googleapis.com
None
Secure Source Manager securesourcemanager.googleapis.com
None
Speech-to-Text speech.googleapis.com
None
Cloud Service Mesh trafficdirector.googleapis.com
None
VPC Service Controls accesscontextmanager.googleapis.com
None
Vertex AI Search discoveryengine.googleapis.com
None
Virtual Private Cloud (VPC) compute.googleapis.com
None

Restrictions and limitations

The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Canada Regions and Support folders. Other applicable organization policy constraints —even if not set by default— can provide additional defense-in-depth to further protect your organization's Google Cloud resources.

Google Cloud-wide

Google Cloud-wide organization policy constraints

The following organization policy constraints apply across Google Cloud.

Organization policy constraint Description
gcp.resourceLocations Set to the following locations in the allowedValues list:
  • northamerica-northeast1
  • northamerica-northeast2
This value restricts creation of any new resources to the selected value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary. See the Organization policy value groups documentation for more information.
gcp.restrictServiceUsage Set to allow all supported products and API endpoints.

Determines which services can be enabled and used. For more information, see Restricting resource usage.
gcp.restrictTLSVersion Set to deny the following TLS versions:
  • TLS_1_0
  • TLS_1_1
See the Restrict TLS versions page for more information.

BigQuery

Affected BigQuery features

Feature Description
Enabling BigQuery on a new folder BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
  1. In the Google Cloud console, go to the Assured Workloads page.

    Go to Assured Workloads

  2. Select your new Assured Workloads folder from the list.
  3. On the Folder Details page in the Allowed services section, click Review Available Updates.
  4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

    If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

Gemini in BigQuery is not supported by Assured Workloads.

Unsupported features The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is your responsibility not to use them in BigQuery for Assured Workloads.
BigQuery CLI The BigQuery CLI is supported.

Google Cloud SDK You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. To verify your current Google Cloud SDK version, run gcloud --version and then gcloud components update to update to the newest version.
Administrator controls BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard.
Loading data BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Canada Regions and Support workloads.
Third-party transfers BigQuery does not verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service.
Non-compliant BQML models Externally-trained BQML models are not supported.
Query jobs Query jobs should only be created within Assured Workloads folders.
Queries on datasets in other projects BigQuery does not prevent Assured Workloads datasets from being queried from non-Assured Workloads projects. You should ensure that any query that has a read or a join on Assured Workloads data be placed in an Assured Workloads folder. You can specify a fully-qualified table name for their query result using projectname.dataset.table in the BigQuery CLI.
Cloud Logging BigQuery utilizes Cloud Logging for some of your log data. You should disable your _default logging buckets or restrict _default buckets to in-scope regions to maintain compliance using the following command:

gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink

See Regionalize your logs for more information.

Compute Engine

Affected Compute Engine features

Feature Description
Guest environment It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more.

These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.

See the Building a custom image page for more information.

Compute Engine organization policy constraints

Organization policy constraint Description
compute.disableGlobalCloudArmorPolicy Set to True.

Disables creating Google Cloud Armor security policies.

compute.restrictNonConfidentialComputing

(Optional) Value is not set. Set this value to provide additional defense-in-depth. See the Confidential VM documentation for more information.

compute.trustedImageProjects

(Optional) Value is not set. Set this value to provide additional defense-in-depth.

Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

Cloud Logging

Affected Cloud Logging features

Feature Description
Log sinks Filters shouldn't contain Customer Data.

Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data.
Live tailing log entries Filters shouldn't contain Customer Data.

A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data.

What's next