This document describes how to use the Apigee UI, Apigee API, and MessageLogging and PublishMessage policies with data residency.
For more information about data residency in Apigee, see Introduction to data residency.
Use the Apigee UI with data residency
To access the Apigee UI with data residency, access one of the following consoles based on your data residency requirements:
- Data residency (at rest only): Google Cloud console
- Advanced data residency: Jurisdictional console
The jurisdictional console alters the UI interactions with services as follows:
- You'll only be able to select resource locations that are consistent with your selected control plane location.
- When creating endpoint attachments, you'll only be able to select service attachments consistent with the Resource Location policy of your organization. This prevents access by a private target that isn't in a permitted location.
Use the Apigee API with data residency
To access the Apigee API with data residency, use the regional endpoints described in Use regional endpoints for data residency.
When using the Apigee API, you will receive a Permission Denied error if you use a region that is prohibited by the control package.
Use the MessageLogging and PublishMessage policies with data residency
The following sections describe how to update the policy definitions for the MessageLogging and PublishMessage policies to support data residency.
Use the MessageLogging policy with data residency
To support data residency when using the MessageLogging policy, update the policy definition to add the <Endpoint> element to the <CloudLogging> element and set it to the regional endpoint to use for message logging, as follows:
logging.CONTROL_PLANE_LOCATION.rep.googleapis.com:443
CONTROL_PLANE_LOCATION is the physical location, specified during provisioning, where Apigee control plane data will be stored.
If you don't add the <Endpoint> element, the policy defaults to the global endpoint.
For example, the following policy definition uses the regional endpoint for message logging in the us region:
<MessageLogging name="LogToCloudLogging">
  <CloudLogging>
    <LogName>projects/{organization.name}/logs/{log.id}</LogName>
    <Message contentType="application/json">{"{message.queryparam.key}": "{message.queryparam.value}"}</Message>
    <Labels>
      <Label>
        <Key>key1</Key>
        <Value>value1</Value>
      </Label>
      <Label>
        <Key>key2</Key>
        <Value>value2</Value>
      </Label>
    </Labels>
    <ResourceType>api</ResourceType>
    <Endpoint>logging.us.rep.googleapis.com:443</Endpoint>
  </CloudLogging>
</MessageLogging>
For more information, see MessageLogging policy.
Use the PublishMessage policy with data residency
To support data residency when using the PublishMessage policy, you must update the policy definition to add the <Endpoint> element to the <CloudPubSub> element and set it to the regional endpoint to use for Pub/Sub messaging, as follows:
pubsub.CONTROL_PLANE_LOCATION.rep.googleapis.com:443
CONTROL_PLANE_LOCATION is the physical location, specified during provisioning, where Apigee control plane data will be stored.
If you don't add the <Endpoint> element, the policy defaults to the global endpoint.
For example, the following policy definition uses the regional endpoint for Pub/Sub messaging in the us region:
<PublishMessage async="false" continueOnError="false" enabled="true" name="Publish to Pub/Sub">
  <DisplayName>Publish to Pub/Sub</DisplayName>
  <Description>Publish to Pub/Sub</Description>
  <CloudPubSub>
    <Topic>projects/{organization.name}/topics/{topic.name}</Topic>
    <Endpoint>pubsub.us.rep.googleapis.com:443</Endpoint>
  </CloudPubSub>
</PublishMessage>
For more information, see PublishMessage policy.
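Because a missing <Endpoint> silently falls back to the global endpoint, it is worth checking policy definitions for both the MessageLogging and PublishMessage sections above before deployment. The following linter is an added example, not Apigee's own tooling: it parses a policy XML, requires a <service>.<CONTROL_PLANE_LOCATION>.rep.googleapis.com:443 endpoint inside <CloudLogging> or <CloudPubSub>, and reports policies whose endpoint is absent, malformed, or in a region other than the control plane location you pass in (the sample policies are constructed for the demonstration).

```python
"""Lint Apigee MessageLogging / PublishMessage policies for data-residency endpoints.
Added example, not Apigee's own tooling. Flags a <CloudLogging> or <CloudPubSub>
element whose <Endpoint> is missing (global default), malformed, or in another region."""
import re
import xml.etree.ElementTree as ET

# Container element -> expected service prefix of the regional endpoint.
CONTAINERS = {"CloudLogging": "logging", "CloudPubSub": "pubsub"}
# <service>.<CONTROL_PLANE_LOCATION>.rep.googleapis.com:443
ENDPOINT_RE = re.compile(r"^(logging|pubsub)\.([a-z0-9-]+)\.rep\.googleapis\.com:443$")


def check_policy(policy_xml: str, control_plane_location: str) -> list:
    """Return a list of findings; an empty list means the policy is compliant."""
    findings = []
    root = ET.fromstring(policy_xml)
    name = root.get("name", "<unnamed>")
    for tag, service in CONTAINERS.items():
        for container in root.iter(tag):
            endpoint = container.findtext("Endpoint")
            if endpoint is None:
                findings.append(f"{name}: <{tag}> has no <Endpoint>, so it uses the global endpoint")
                continue
            m = ENDPOINT_RE.match(endpoint.strip())
            if not m or m.group(1) != service:
                findings.append(f"{name}: <Endpoint> '{endpoint}' is not a {service} regional endpoint")
            elif m.group(2) != control_plane_location:
                findings.append(f"{name}: <Endpoint> region '{m.group(2)}' != control plane '{control_plane_location}'")
    return findings


# Constructed sample policies (not from a real deployment).
COMPLIANT = """<PublishMessage name="Publish-Regional">
  <CloudPubSub>
    <Topic>projects/{organization.name}/topics/{topic.name}</Topic>
    <Endpoint>pubsub.us.rep.googleapis.com:443</Endpoint>
  </CloudPubSub>
</PublishMessage>"""
MISSING_ENDPOINT = """<MessageLogging name="Log-Global">
  <CloudLogging><LogName>projects/{organization.name}/logs/{log.id}</LogName></CloudLogging>
</MessageLogging>"""
WRONG_REGION = """<MessageLogging name="Log-Eu">
  <CloudLogging><Endpoint>logging.eu.rep.googleapis.com:443</Endpoint></CloudLogging>
</MessageLogging>"""

if __name__ == "__main__":
    for sample in (COMPLIANT, MISSING_ENDPOINT, WRONG_REGION):
        print(check_policy(sample, "us") or ["OK"])
```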