This page provides information on how your data is protected while it moves
between your site and the cloud provider or between two services in the context
of AML AI.
Internal Google services, including those used by AML AI,
generally use ALTS.
ALTS is similar in concept to mTLS but has been optimized for Google's data
center environments. In some cases, TLS is used.
External communications to financialservices.googleapis.com (the
AML AI endpoint) use TLS to the Google Front End (GFE). The GFE
ensures that all TLS connections are terminated with correct certificates and
that all best practices are followed. Traffic between the GFE and financialservices.googleapis.com
is internal and is encrypted with ALTS.
Traffic from a VM on Google Cloud to the GFE is encrypted with TLS. By default,
this traffic uses external IP addresses but can use internal IP addresses using
Private Google Access.
mTLS can be configured using BeyondCorp Enterprise. Because a VPC-SC access level
must be configured, see documentation on VPC-SC in AML AI. The mTLS specific
endpoint must be used, financialservices.mtls.googleapis.com.
For more details, see encryption in transit in Google Cloud.
Last updated 2025-08-29 UTC.
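To check the client side of the TLS hop to the GFE, the following added example (not Google's code and not part of the original page) builds a verifying TLS context, selects the standard or mTLS hostname named on this page, and reports what a handshake negotiated. The function names are hypothetical, and supplying the client certificate and key as PEM files is an assumption that may not match how your certificate-based access deployment provisions them.

```python
import socket
import ssl

# Hostnames taken from the page.
DEFAULT_HOST = "financialservices.googleapis.com"
MTLS_HOST = "financialservices.mtls.googleapis.com"


def select_host(client_cert=None, client_key=None):
    """Pick the endpoint: the mTLS host is used when a client cert is presented."""
    if bool(client_cert) != bool(client_key):
        raise ValueError("client certificate and key must be supplied together")
    return MTLS_HOST if client_cert else DEFAULT_HOST


def build_context(client_cert=None, client_key=None):
    """TLS client context: server certificate and hostname verified, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        # Assumption: PEM files on disk (hypothetical paths supplied by the caller).
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe(client_cert=None, client_key=None, timeout=5.0):
    """Handshake with the selected endpoint and report what was negotiated."""
    host = select_host(client_cert, client_key)
    ctx = build_context(client_cert, client_key)
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return {
                "host": host,
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_sans": sans,
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Needs network access; a failed verification raises ssl.SSLCertVerificationError.
    print(probe())
```

The probe only covers the hop from your client to the GFE; the ALTS-protected traffic behind the GFE is internal to Google and is not observable from the client.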