Switzerland Regions control package
This page describes the set of controls that are applied on Switzerland Regions workloads in Assured Workloads. It provides detailed information about data residency, supported Google Cloud products and their API endpoints, and any applicable restrictions or limitations on those products. The following additional information applies to Switzerland Regions:
- Data residency: The Switzerland Regions control package sets data location controls to support Switzerland-only regions. See the Google Cloud-wide organization policy constraints section for more information.
- Support: Technical support services for Switzerland Regions workloads are available with Standard, Enhanced, or Premium Cloud Customer Care subscriptions. Switzerland Regions workloads support cases are routed to global support personnel.
- Pricing: The Switzerland Regions control package is included in Assured Workloads' Free tier, which incurs no additional charges. See Assured Workloads pricing for more information.
Supported products and API endpoints
Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings, are listed in the following table.
If a product is not listed, that product is unsupported and has not met the control requirements for Switzerland Regions. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model. Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.
Supported product | API endpoints | Restrictions or limitations |
---|---|---|
Access Approval |
accessapproval.googleapis.com |
None |
Access Context Manager |
accesscontextmanager.googleapis.com |
None |
Access Transparency |
accessapproval.googleapis.com |
None |
AlloyDB for PostgreSQL |
alloydb.googleapis.com |
None |
Cloud Service Mesh |
mesh.googleapis.com meshca.googleapis.com meshconfig.googleapis.com |
None |
Apigee |
apigee.googleapis.com |
None |
Artifact Registry |
artifactregistry.googleapis.com |
None |
BigQuery |
bigquery.googleapis.com bigqueryconnection.googleapis.com bigquerydatapolicy.googleapis.com bigquerydatatransfer.googleapis.com bigquerymigration.googleapis.com bigqueryreservation.googleapis.com bigquerystorage.googleapis.com |
Affected features |
Bigtable |
bigtable.googleapis.com bigtableadmin.googleapis.com |
None |
Certificate Authority Service |
privateca.googleapis.com |
None |
Cloud Composer |
composer.googleapis.com |
None |
Cloud DNS |
dns.googleapis.com |
None |
Cloud Data Fusion |
datafusion.googleapis.com |
None |
Cloud External Key Manager (Cloud EKM) |
cloudkms.googleapis.com |
None |
Cloud Run functions |
cloudfunctions.googleapis.com |
None |
Cloud HSM |
cloudkms.googleapis.com |
None |
Cloud Interconnect |
networkconnectivity.googleapis.com |
None |
Cloud Key Management Service (Cloud KMS) |
cloudkms.googleapis.com |
None |
Cloud Load Balancing |
compute.googleapis.com |
None |
Cloud Logging |
logging.googleapis.com |
Affected features |
Cloud Monitoring |
monitoring.googleapis.com |
None |
Cloud NAT |
networkconnectivity.googleapis.com |
None |
Cloud Router |
networkconnectivity.googleapis.com |
None |
Cloud Run |
run.googleapis.com |
None |
Cloud SQL |
sqladmin.googleapis.com |
None |
Cloud Storage |
storage.googleapis.com |
None |
Cloud Tasks |
cloudtasks.googleapis.com |
None |
Cloud VPN |
compute.googleapis.com |
None |
Cloud Vision API |
vision.googleapis.com |
None |
Compute Engine |
compute.googleapis.com |
Affected features and organization policy constraints |
Connect |
gkeconnect.googleapis.com |
None |
Sensitive Data Protection |
dlp.googleapis.com |
None |
Dataflow |
dataflow.googleapis.com datapipelines.googleapis.com |
None |
Dataform |
dataform.googleapis.com |
None |
Dataproc |
dataproc-control.googleapis.com dataproc.googleapis.com |
None |
Eventarc |
eventarc.googleapis.com |
None |
Filestore |
file.googleapis.com |
None |
Firestore |
firestore.googleapis.com |
None |
GKE Hub |
gkehub.googleapis.com |
None |
GKE Identity Service |
anthosidentityservice.googleapis.com |
None |
Generative AI on Vertex AI |
aiplatform.googleapis.com |
None |
Google Cloud Armor |
compute.googleapis.com networksecurity.googleapis.com |
None |
Google Kubernetes Engine (GKE) |
container.googleapis.com containersecurity.googleapis.com |
None |
Google Security Operations SIEM |
chronicle.googleapis.com chronicleservicemanager.googleapis.com |
None |
Identity and Access Management (IAM) |
iam.googleapis.com |
None |
Identity-Aware Proxy (IAP) |
iap.googleapis.com |
None |
Looker (Google Cloud core) |
looker.googleapis.com |
None |
Memorystore for Redis |
redis.googleapis.com |
None |
Network Connectivity Center |
networkconnectivity.googleapis.com |
None |
Persistent Disk |
compute.googleapis.com |
None |
Pub/Sub |
pubsub.googleapis.com |
None |
Resource Manager |
cloudresourcemanager.googleapis.com |
None |
Secure Source Manager |
securesourcemanager.googleapis.com |
None |
Speech-to-Text |
speech.googleapis.com |
None |
Cloud Service Mesh |
trafficdirector.googleapis.com |
None |
VPC Service Controls |
accesscontextmanager.googleapis.com |
None |
Vertex AI Search |
discoveryengine.googleapis.com |
None |
Virtual Private Cloud (VPC) |
compute.googleapis.com |
None |
Restrictions and limitations
The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Switzerland Regions folders. Other applicable organization policy constraints —even if not set by default— can provide additional defense-in-depth to further protect your organization's Google Cloud resources.
Google Cloud-wide
Google Cloud-wide organization policy constraints
The following organization policy constraints apply across Google Cloud.
Organization policy constraint | Description |
---|---|
gcp.resourceLocations |
Set to the following locations in the allowedValues list:
|
gcp.restrictServiceUsage |
Set to allow all supported products and API endpoints. Determines which services can be enabled and used. For more information, see Restricting resource usage. |
gcp.restrictTLSVersion |
Set to deny the following TLS versions:
|
BigQuery
Affected BigQuery features
Feature | Description |
---|---|
Enabling BigQuery on a new folder | BigQuery is supported, but it isn't automatically enabled when you create a new
Assured Workloads folder due to an internal configuration process. This process normally
finishes in ten minutes, but can take much longer in some circumstances. To check whether the
process is finished and to enable BigQuery, complete following steps:
After the enablement process is completed, you can use BigQuery in your Assured Workloads folder. Gemini in BigQuery is not supported by Assured Workloads. |
Unsupported features | The following BigQuery features are not supported and should not be used in the
BigQuery CLI. It is your responsibility not to use them in BigQuery for
Assured Workloads.
|
BigQuery CLI | The BigQuery CLI is supported.
|
Google Cloud SDK | You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization
guarantees for technical data. To verify your current Google Cloud SDK version, run
gcloud --version and then gcloud components update to update to
the newest version.
|
Administrator controls | BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard. |
Loading data | BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Switzerland Regions workloads. |
Third-party transfers | BigQuery does not verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service. |
Non-compliant BQML models | Externally-trained BQML models are not supported. |
Query jobs | Query jobs should only be created within Assured Workloads folders. |
Queries on datasets in other projects | BigQuery does not prevent Assured Workloads datasets from being queried
from non-Assured Workloads projects. You should ensure that any query that has a
read or a join on Assured Workloads data be placed in an
Assured Workloads folder. You can specify a
fully-qualified table name
for their query result using projectname.dataset.table in the BigQuery
CLI.
|
Cloud Logging | BigQuery utilizes Cloud Logging for some of your log data. You should disable
your _default logging buckets or restrict _default buckets to
in-scope regions to maintain compliance using the following command:gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink
See Regionalize your logs for more information. |
Compute Engine
Affected Compute Engine features
Feature | Description |
---|---|
Guest environment | It is possible for scripts, daemons, and binaries that are included with the guest
environment to access unencrypted at-rest and in-use data. Depending on your VM
configuration, updates to this software may be installed by default. See
Guest environment for specific
information about each package's contents, source code, and more. These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy
constraint.
See the Building a custom image page for more information. |
Compute Engine organization policy constraints
Organization policy constraint | Description |
---|---|
compute.disableGlobalCloudArmorPolicy
| Set to True. Disables creating Google Cloud Armor security policies. |
compute.restrictNonConfidentialComputing |
(Optional) Value is not set. Set this value to provide additional defense-in-depth. See
the
Confidential VM documentation
for more information. |
compute.trustedImageProjects |
(Optional) Value is not set. Set this value to provide additional defense-in-depth.
Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents. |
Cloud Logging
Affected Cloud Logging features
Feature | Description |
---|---|
Log sinks | Filters shouldn't contain Customer Data. Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data. |
Live tailing log entries | Filters shouldn't contain Customer Data. A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data. |
What's next
- Learn how to create an Assured Workloads folder
- Understand Assured Workloads pricing