This page describes the data residency support for backup vault, including supported workloads and limitations.
Data residency for backup vault meets compliance and regulatory requirements by allowing you to limit the geographic locations (regions) where Google Cloud data is stored at rest according to Service Specific Terms. With data residency, organization policy administrators can enforce geographic locations where backup data can be stored.
Organizations with data residency requirements can set up a Resource Locations organization policy constraint that restricts the location of new backup resources at the organization, project, or folder level of their resource hierarchy.
Data residency and organization policy constraints
With Google Cloud's organization policy constraints, you can define the geographic locations where your resources are created. If your organization policy uses the resource location constraint (constraints/gcp.resourceLocations), any new Backup and DR Service resources you create must adhere to this constraint.
This location constraint is only checked when new resources are created. For example, if you apply the policy after you've already created some Backup vaults, those existing resources won't be affected. However, the policy does apply to the following:
- New resources created by existing backup plans.
- Manually triggered restore operations.
- New backup plans.
Any of these operations will fail if it violates the resource location constraint.
Data residency compatibility
Data residency enforcement can be used with all workloads that don't depend on a management server and backup/recovery appliance.
Customers still have complete control over the location of backups managed by management servers and backup/recovery appliances, through the configuration options in the management server. However, these workloads are not constrained by the organizational policies.