Restricting endpoint usage
This page provides an overview of the Restrict Endpoint Usage organization policy constraint, which allows enterprise administrators to control which Google Cloud API endpoints can be used within their Google Cloud resource hierarchy.
Administrators can use this constraint to define hierarchical restrictions on
allowed Google Cloud API endpoints, such as global, locational, or regional
endpoints. For example, you can configure a project to deny requests to the
global bigquery.googleapis.com endpoint, but allow requests to the locational
LOCATION-bigquery.googleapis.com endpoint. By
restricting global API endpoint usage, organizations can meet compliance
requirements by ensuring that only allowed locational or regional endpoints are
used.
The Restrict Endpoint Usage constraint is set using a denylist, allowing requests to any supported services' API endpoints that are not explicitly denied.
This constraint controls the runtime access to all in-scope resources. When the organization policy containing this constraint is updated, it immediately applies to all resources within the scope of the policy, with eventual consistency.
We recommend that administrators carefully manage updates to organization policies containing this constraint. For example, you should consider setting the policy in dry-run mode to monitor how a policy change would impact your existing workflows before it is enforced.
API endpoint types
An API endpoint (or service endpoint) is a URL that specifies the network
address of a Google Cloud API service, such as bigquery.googleapis.com.
Google Cloud services allow access to resources using different types of API
endpoints, including global, locational, and regional endpoints. Support for
each type depends on the service.
- Global API endpoints don't specify the location in the URL hostname. For example: - storage.googleapis.com
- content-bigqueryconnection.googleapis.com
- bigquerydatatransfer.mtls.googleapis.com
- logging.googleapis.com
 - These globally-scoped endpoints provide highly-available service endpoints that terminate the TLS session as close to the client as possible, which minimizes latency when serving API calls from a dispersed client population over the internet. 
- Locational API endpoints specify the location in the URL hostname. For example: - us-storage.googleapis.com
- content-us-west3-bigqueryconnection.googleapis.com
- us-west1-bigquerydatatransfer.mtls.googleapis.com
- us-central1-logging.googleapis.com
 - These locational endpoints offer benefits to customers who require the use of location-specific services, and want to ensure that in-transit data remains in a particular location when accessed through private connectivity. 
- Regional API endpoints specify the location as a sub-domain. For example: - storage.us-east2.rep.googleapis.com
- content-bigqueryconnection.us-west3.rep.googleapis.com
- bigquerydatatransfer.us-west1.rep.mtls.googleapis.com
- logging.us-central1.rep.googleapis.com
 - These regional endpoints offer the most benefits to customers who require the use of location-specific services, and want to have ways to ensure that in-transit data remains in a particular location when accessed through either private connectivity or the public internet. 
Limitations
The Restrict Endpoint Usage constraint controls the ability to use specific API endpoints to access your resources. It shouldn't be confused with other similar constraints, such as:
- Restrict Resource Location constraint, which controls where resources can or cannot be created.
- Restrict Resource Service Usage constraint, which controls which resource services can be used.
To avoid breaking existing serving infrastructure, you should test any new organization policy on non-production projects and folders, then apply the policy gradually within your organization.
This constraint applies to a specific subset of products and resource types. For a list of supported services and details on the behavior of each service, see the Supported API endpoints section.
For data storage commitments, see the Google Cloud Terms of Service and the Service Specific Terms. Organization policies that contain the Restrict Endpoint Usage constraint are not data residency commitments.
Setting the organization policy
To set, change, or delete an organization policy, you must have the Organization Policy Administrator role.
Organization policy constraints can be set at the organization, folder, and project level. Each policy applies to all resources within its corresponding resource hierarchy, but can be overridden at lower levels in the resource hierarchy.
For more information about policy evaluation, see Understanding Hierarchy Evaluation.
The Restrict Endpoint Usage constraint is a type of
list constraint.
You can add and remove endpoints from the denied_values lists of the
constraint.
Console
- Go to the Organization policies page in the Google Cloud console. 
- From the Project picker, select the organization, folder, or project for which you want to set the organization policy. 
- In the table of organization policies, select Restrict endpoint usage to open its Policy details page. 
- Click Manage policy. 
- Under Applies to, select Customize. 
- Under Policy enforcement, choose how to apply inheritance to this policy. - If you want to inherit the organization policy of the parent resource and merge it with this one, select Merge with parent. 
- If you want to override any existing organization policies, select Replace. 
 
- Click Add a rule. 
- Under Policy values, select Custom. 
- Under Policy type, select Deny to create a list of denied endpoints. 
- Under Custom values, add the API endpoint hostname you want to block to the list. - For example, to block BigQuery's global API endpoint, enter - bigquery.googleapis.com.
- To add more endpoints, click Add value. 
 
- To enforce the policy, click Save. 
gcloud
Organization policies can be set through the
gcloud resource-manager org-policies set-policy
command. To enforce an organization policy that includes the
Restrict Endpoint Usage constraint, first create a YAML file with the
policy to be updated:
constraint: constraints/gcp.restrictEndpointUsage
listPolicy:
    deniedValues:
    - storage.googleapis.com
    - content-bigqueryreservation.googleapis.com
    - bigquerystorage.mtls.googleapis.com
    - logging.googleapis.com
Replace the following placeholder values with your own before you run the command:
- RESOURCE_TYPE: The type of resource, either a project or a
folder. For example: project
- RESOURCE_ID: The resource ID of the project or folder. For
example: 8767234
gcloud resource-manager org-policies set-policy \ --RESOURCE_TYPE='RESOURCE_ID' /tmp/policy.yaml
The response contains the newly set organization policy:
constraint: constraints/gcp.restrictEndpointUsage etag: CKCRl6oGEPjG-tMB listPolicy: deniedValues: - storage.googleapis.com - content-bigqueryreservation.googleapis.com - bigquerystorage.mtls.googleapis.com - logging.googleapis.com updateTime: '2023-11-04T04:29:20.444507Z'
If a request to a denied API endpoint attempts to access a resource, the request will fail, and an error is returned that describes the reason for this failure.
Create an organization policy in dry-run mode
An organization policy in dry-run mode is a type of organization policy where violations of the policy are audit logged, but the violating actions aren't denied. You can create an organization policy in dry-run mode using the Restrict Endpoint Usage constraint to monitor how it would affect your organization before you enforce the live policy. For more information, see Create an organization policy in dry-run mode.
Error message
If you set an organization policy to deny an endpoint, operations using that endpoint within your resource hierarchy fail. An error is returned that describes the reason for this failure. Also, an audit log entry is generated for further monitoring, alerting, or debugging.
Example error message
In the following example, a curl request using API endpoint
storage.googleapis.com fails due to policy enforcement:
curl -X GET \ -H "Authorization: Bearer OAUTH2_TOKEN" \ -o "SAVE_TO_LOCATION" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME?alt=media" Access to projects/foo-123 through endpoint storage.googleapis.com was denied by the constraints/gcp.restrictEndpointUsage organization policy constraint. To access this resource, please use an allowed endpoint.
Example audit log entry
The following example audit log entry demonstrates when access to a resource is denied:
{ logName: "projects/my-projectid/logs/cloudaudit.googleapis.com%2Fpolicy" protoPayload: { @type: "type.googleapis.com/google.cloud.audit.AuditLog" status: { code: 7 message: "Access to projects/my-projectid through endpoint bigquery.googleapis.com was denied by the constraints/gcp.restrictEndpointUsage organization policy constraint. To access this resource, please use an allowed endpoint." } serviceName: "bigquery.googleapis.com" methodName: "google.cloud.bigquery.v2.TableDataService.InsertAll" resourceName: "projects/my-projectid" authenticationInfo: { principalEmail: "user_or_service_account@example.com" } } requestMetadata: { callerIp: "123.123.123.123" } policyViolationInfo: { orgPolicyViolationInfo: { violationInfo: [ { constraint: "constraints/gcp.restrictEndpointUsage" checkedValue: "bigquery.googleapis.com" policyType: LIST_CONSTRAINT } ] } } resource: { type: "audited_resource" labels: { project_id: "224034263908" method: "google.cloud.bigquery.v2.TableDataService.InsertAll" service: "bigquery.googleapis.com" } } severity: "ERROR" timestamp: "2024-12-05T01:15:30.332519510Z" receiveTimestamp: "2024-08-15T17:55:01.159788588Z" insertId: "42" }
Supported API endpoints
The Restrict Endpoint Usage constraint supports API endpoints for the products listed in the following table.
For each product, the table provides the primary global API endpoint. However,
each product may also support a
SERVICE_NAME.mtls.googleapis.com variant or
a content-SERVICE_NAME.googleapis.com variant of their
global API endpoint, such as pubsub.mtls.googleapis.com
or content-pubsub.googleapis.com. To restrict all
variants of a product's global API endpoint, you can use a
value group. Additionally, regional and locational API
endpoints for these products are supported by the Restrict Endpoint Usage
constraint. Refer to the product's API documentation to determine the full list
of global, locational, and regional endpoints available.
| Product | API endpoints | Notes | 
|---|---|---|
| API Gateway | Global API endpoints: 
 | None | 
| API keys | Global API endpoints: 
 | None | 
| Access Approval | Global API endpoints: 
 | None | 
| Access Context Manager | Global API endpoints: 
 | None | 
| Google Agentspace | Global API endpoints: 
 Locational API endpoints: 
 | None | 
| Apigee API hub | Global API endpoints: 
 | None | 
| Apigee API Management API | Global API endpoints: 
 | None | 
| Apigee Connect API | Global API endpoints: 
 | None | 
| Apigee portal API | Global API endpoints: 
 | None | 
| Apigee Registry API | Global API endpoints: 
 | None | 
| App Config Manager API | Global API endpoints: 
 | None | 
| Application Design Center | Global API endpoints: 
 | None | 
| Application Integration | Global API endpoints: 
 | None | 
| Artifact Analysis | Global API endpoints: 
 | None | 
| Artifact Registry | Global API endpoints: 
 | None | 
| Assured Open Source Software | Global API endpoints: 
 | None | 
| Assured Workloads | Global API endpoints: 
 | None | 
| Audit Manager | Global API endpoints: 
 | None | 
| Authorization Toolkit API | Global API endpoints: 
 | None | 
| Backup and DR Service | Global API endpoints: 
 | None | 
| Backup for GKE | Global API endpoints: 
 | None | 
| Batch | Global API endpoints: 
 | None | 
| Chrome Enterprise Premium | Global API endpoints: 
 | None | 
| BigLake | Global API endpoints: 
 | None | 
| BigQuery Connections | Global API endpoints: 
 | None | 
| BigQuery Data Policy | Global API endpoints: 
 | None | 
| BigQuery Data Transfer | Global API endpoints: 
 | None | 
| BigQuery Migration | Global API endpoints: 
 | None | 
| BigQuery Reservation | Global API endpoints: 
 | None | 
| BigQuery Saved Query API | Global API endpoints: 
 | None | 
| BigQuery Storage | Global API endpoints: 
 | None | 
| BigQuery | Global API endpoints: 
 | www.googleapis.com/.../bigquery/...is a legacy API endpoint format. Your
organization should use the newer APIs instead. You can addwww.googleapis.com (BigQuery)to the Restrict Endpoint Usage policy constraint to
avoid accidental use of the old APIs. | 
| Binary Authorization | Global API endpoints: 
 | None | 
| Blockchain Analytics | Global API endpoints: 
 | None | 
| Blockchain Node Engine | Global API endpoints: 
 | None | 
| Blockchain Validator Manager | Global API endpoints: 
 | None | 
| Capacity Planner | Global API endpoints: 
 | None | 
| Certificate Authority Service | Global API endpoints: 
 | None | 
| Certificate Manager | Global API endpoints: 
 | None | 
| Cloud Asset Inventory | Global API endpoints: 
 | None | 
| Cloud Billing | Global API endpoints: 
 | None | 
| Cloud Build | Global API endpoints: 
 | None | 
| Cloud CDN | Global API endpoints: 
 | None | 
| Cloud Commerce Producer API | Global API endpoints: 
 | None | 
| Cloud Controls Partner API | Global API endpoints: 
 | None | 
| Cloud DNS | Global API endpoints: 
 | None | 
| Cloud Data Fusion | Global API endpoints: 
 | None | 
| Cloud Deployment Manager | Global API endpoints: 
 | None | 
| Cloud Domains | Global API endpoints: 
 | None | 
| Cloud Healthcare API | Global API endpoints: 
 | None | 
| Cloud Interconnect | Global API endpoints: 
 | None | 
| Cloud Intrusion Detection System | Global API endpoints: 
 | None | 
| Cloud Key Management Service | Global API endpoints: 
 | None | 
| Cloud Life Sciences | Global API endpoints: 
 | None | 
| Cloud Load Balancing | Global API endpoints: 
 | None | 
| Cloud Logging | Global API endpoints: 
 | None | 
| Cloud Monitoring | Global API endpoints: 
 | None | 
| Cloud NAT | Global API endpoints: 
 | None | 
| Cloud Natural Language API | Global API endpoints: 
 | None | 
| Cloud Next Generation Firewall Enterprise | Global API endpoints: 
 | None | 
| Cloud Next Generation Firewall Essentials | Global API endpoints: 
 | None | 
| Cloud Next Generation Firewall Standard | Global API endpoints: 
 | None | 
| Cloud OS Login API | Global API endpoints: 
 | None | 
| Cloud Router | Global API endpoints: 
 | None | 
| Cloud Run | Global API endpoints: 
 | None | 
| Cloud SQL | Global API endpoints: 
 | None | 
| Cloud Service Mesh | Global API endpoints: 
 | None | 
| Spanner | Global API endpoints: 
 | None | 
| Cloud Storage | Global API endpoints: 
 | The endpoints storage-download.googleapis.com,storage-upload.googleapis.com, andwww.googleapis.com/.../storage/...are legacy API endpoint formats. Your
organization should use the newerstorage.googleapis.comAPI endpoint instead. To
prevent accidental use of the legacy APIs, you can addstorage-download.googleapis.com,storage-upload.googleapis.com, andwww.googleapis.com (Cloud Storage)to the Restrict Endpoint Usage policy constraint
denylist.Some Cloud Storage operations are not supported when using locational endpoints. See Locational endpoints for more information. If you configured the Restrict Endpoint Usage constraint to restrict global endpoints, you can use the Google Cloud console to perform these operations. These operations don't carry Customer Data as defined in the data residency service terms, and you can use them in the Google Cloud console without violating ITAR compliance. Virtual hosted-style endpoints for the global endpoint are not supported at this time (e.g. https://BUCKET_NAME.storage.googleapis.com). | 
| Cloud Support API | Global API endpoints: 
 | None | 
| Cloud Tool Results API | Global API endpoints: 
 | None | 
| Cloud VPN | Global API endpoints: 
 | None | 
| Cloud Workstations | Global API endpoints: 
 | None | 
| Commerce Agreement Publishing API | Global API endpoints: 
 | None | 
| Commerce Business Enablement API | Global API endpoints: 
 | None | 
| Commerce Price Management API | Global API endpoints: 
 | None | 
| Compute Engine | Global API endpoints: 
 | None | 
| Confidential Computing | Global API endpoints: 
 | None | 
| Connect | Global API endpoints: 
 | None | 
| Connect gateway | Global API endpoints: 
 | None | 
| Contact Center AI Platform API | Global API endpoints: 
 | None | 
| Container Threat Detection | Global API endpoints: 
 | None | 
| Content Warehouse API | Global API endpoints: 
 | None | 
| Continuous Validation API | Global API endpoints: 
 | None | 
| Data Labeling API | Global API endpoints: 
 | None | 
| Data Security Posture Management API | Global API endpoints: 
 | None | 
| Database Migration Service | Global API endpoints: 
 | None | 
| Dataform | Global API endpoints: 
 | None | 
| Dataflow | Global API endpoints: 
 | None | 
| Dataplex Universal Catalog | Global API endpoints: 
 | None | 
| Dataproc | Global API endpoints: 
 | None | 
| Dataproc on GDC | Global API endpoints: 
 | None | 
| Google Distributed Cloud | Global API endpoints: 
 | None | 
| Distributed Cloud Edge Container API | Global API endpoints: 
 | None | 
| Distributed Cloud Edge Network API | Global API endpoints: 
 | None | 
| Document AI | Global API endpoints: 
 Locational API endpoints: 
 | None | 
| Enterprise Knowledge Graph | Global API endpoints: 
 | None | 
| Error Reporting | Global API endpoints: 
 | None | 
| Essential Contacts | Global API endpoints: 
 | None | 
| Eventarc API | Global API endpoints: 
 | None | 
| Filestore | Global API endpoints: 
 | None | 
| Firestore | Global API endpoints: 
 Locational API endpoints: 
 | None | 
| Firestore in Datastore mode (Datastore) | Global API endpoints: 
 Locational API endpoints: 
 | None | 
| Financial Services API | Global API endpoints: 
 | None | 
| Firebase App Hosting | Global API endpoints: 
 | None | 
| Firebase Data Connect | Global API endpoints: 
 | None | 
| Firebase Security Rules | Global API endpoints: 
 | None | 
| Generative AI on Vertex AI | Global API endpoints: 
 Locational API endpoints: 
 | None | 
| GKE Dataplane Management | Global API endpoints: 
 | None | 
| GKE Enterprise Edge API | Global API endpoints: 
 | None | 
| Hub (Fleet) | Global API endpoints: 
 | None | 
| GKE Multi-Cloud | Global API endpoints: 
 | None | 
| GKE On-Prem API | Global API endpoints: 
 | None | 
| Gemini for Google Cloud API | Global API endpoints: 
 | None | 
| Google Cloud API | Global API endpoints: 
 | None | 
| Google Cloud Armor | Global API endpoints: 
 | None | 
| Google Cloud Migration Center | Global API endpoints: 
 | None | 
| Google Cloud Observability | Global API endpoints: 
 | None | 
| Google Kubernetes Engine | Global API endpoints: 
 | None | 
| Google Security Operations Partner API | Global API endpoints: 
 | None | 
| Google Security Operations | Restricting global API endpoints isn't supported. Locational API endpoints: 
 Regional API endpoints: 
 | None | 
| Google Workspace add-ons | Global API endpoints: 
 | None | 
| Identity and Access Management | Global API endpoints: 
 | None | 
| Identity-Aware Proxy | Global API endpoints: 
 | None | 
| Image streaming | Global API endpoints: 
 | None | 
| Immersive Stream | Global API endpoints: 
 | None | 
| Infrastructure Manager | Global API endpoints: 
 | None | 
| Integration Connectors | Global API endpoints: 
 | None | 
| KRM API Hosting | Global API endpoints: 
 | None | 
| Live Stream API | Global API endpoints: 
 | None | 
| Looker API | Global API endpoints: 
 | None | 
| AlloyDB for PostgreSQL | Global API endpoints: 
 | None | 
| BigQuery Engine for Apache Flink | Global API endpoints: 
 | None | 
| Managed Kafka API | Global API endpoints: 
 | None | 
| Media Asset Manager | Global API endpoints: 
 | None | 
| Memorystore for Memcached | Global API endpoints: 
 | None | 
| Memorystore for Redis | Global API endpoints: 
 | None | 
| Message Streams API | Global API endpoints: 
 | None | 
| Microservices API | Global API endpoints: 
 | None | 
| Model Armor | Global API endpoints: 
 | None | 
| Network Connectivity Center | Global API endpoints: 
 | None | 
| Network Intelligence Center | Global API endpoints: 
 | None | 
| Network Service Tiers | Global API endpoints: 
 | None | 
| Persistent Disk | Global API endpoints: 
 | None | 
| Oracle Database@Google Cloud | Global API endpoints: 
 | None | 
| Parallelstore | Global API endpoints: 
 | None | 
| Policy Analyzer | Global API endpoints: 
 | None | 
| Policy Troubleshooter | Global API endpoints: 
 | None | 
| Progressive Rollout | Global API endpoints: 
 | None | 
| Pub/Sub | Global API endpoints: 
 | None | 
| Public Certificate Authority | Global API endpoints: 
 | None | 
| Recommender | Global API endpoints: 
 | None | 
| Remote Build Execution | Global API endpoints: 
 | None | 
| Retail API | Global API endpoints: 
 | None | 
| Cyber Insurance Hub | Global API endpoints: 
 | None | 
| SaaS Service Management API | Global API endpoints: 
 | None | 
| SecLM API | Global API endpoints: 
 | None | 
| Secret Manager | Global API endpoints: 
 | None | 
| Secure Web Proxy | Global API endpoints: 
 | None | 
| Security Command Center | Global API endpoints: 
 | None | 
| Cloud Data Loss Prevention | Global API endpoints: 
 | None | 
| Service Account Credentials API | Global API endpoints: 
 | None | 
| Service Directory | Global API endpoints: 
 | None | 
| Personalized Service Health | Global API endpoints: 
 | None | 
| Service Networking | Global API endpoints: 
 | None | 
| Speaker ID | Global API endpoints: 
 | None | 
| Speech-to-Text | Global API endpoints: 
 Locational API endpoints: 
 | None | 
| Storage Insights | Global API endpoints: 
 | None | 
| Storage Transfer Service | Global API endpoints: 
 | None | 
| Text-to-Speech | Global API endpoints: 
 | None | 
| Timeseries Insights API | Global API endpoints: 
 | None | 
| Transcoder API | Global API endpoints: 
 | None | 
| Transfer Appliance | Global API endpoints: 
 | None | 
| VM Manager | Global API endpoints: 
 | None | 
| Vertex AI API | Global API endpoints: 
 Locational API endpoints: 
 | None | 
| Vertex AI Workbench | Global API endpoints: 
 | None | 
| Vertex AI in Firebase | Global API endpoints: 
 | None | 
| Video Search API | Global API endpoints: 
 | None | 
| Video Stitcher API | Global API endpoints: 
 | None | 
| Virtual Private Cloud (VPC) | Global API endpoints: 
 | None | 
| Web Risk | Global API endpoints: 
 | None | 
| Web Security Scanner | Global API endpoints: 
 | None | 
| Workflows | Global API endpoints: 
 | None | 
| Workload Certificate API | Global API endpoints: 
 | None | 
Value groups
Value groups are collections of groups and API endpoints that are curated by Google to provide a simpler way to define your endpoint restrictions. Value groups include many related API endpoints and are expanded over time by Google without needing to change your organization policy to accommodate the new endpoints.
To use value groups in your organization policy, prefix your entries with the
string in:. For more information on using value prefixes, see
Using Constraints.
Group names are validated on the call to set the organization policy. Using an
invalid group name will cause the policy setting to fail.
The following table contains the current list of available groups:
| Group | Details | Direct members | 
|---|---|---|
| global-artifactregistry-endpoints | Artifact Registry global API endpoints: in:global-artifactregistry-endpoints | Values: 
 | 
| global-bigquery-connections-endpoints | BigQuery Connections global API endpoints: in:global-bigquery-connections-endpoints | Values: 
 | 
| global-bigquery-datapolicy-endpoints | BigQuery Data Policy global API endpoints: in:global-bigquery-datapolicy-endpoints | Values: 
 | 
| global-bigquery-datatransfer-endpoints | BigQuery Data Transfer global API endpoints: in:global-bigquery-datatransfer-endpoints | Values: 
 | 
| global-bigquery-migration-endpoints | BigQuery Migration global API endpoints: in:global-bigquery-migration-endpoints | Values: 
 | 
| global-certificatemanager-endpoints | Certificate Manager global API endpoints: in:global-certificatemanager-endpoints | Values: 
 | 
| global-cloudbuild-endpoints | Cloud Build global API endpoints: in:global-cloudbuild-endpoints | Values: 
 | 
| global-compsoer-endpoints | Cloud Composer global API endpoints: in:global-composer-endpoints | Values: 
 | 
| global-compute-endpoints | Cloud Compute Engine global API endpoints: in:global-compute-endpoints | Values: 
 | 
| global-container-endpoints | Google Kubernetes Engine global API endpoints: in:global-container-endpoints | Values: 
 | 
| global-containeranalysis-endpoints | Container Analysis global API endpoints: in:global-containeranalysis-endpoints | Values: 
 | 
| global-containerthreatdetection-endpoints | Container Threat Detection Service global API endpoints: in:global-containerthreatdetection-endpoints | Values: 
 | 
| global-dataflow-endpoints | Dataflow global API endpoints: in:global-dataflow-endpoints | Values: 
 | 
| global-dlp-endpoints | Sensitive Data Protection DLP global API endpoints: in:global-dlp-endpoints | Values: 
 | 
| global-dns-endpoints | Cloud DNS global API endpoints: in:global-dns-endpoints | Values: 
 | 
| global-filestore-endpoints | Filestore global API endpoints: in:global-filestore-endpoints | Values: 
 | 
| global-iam-endpoints | Cloud IAM global API endpoints: in:global-iam-endpoints | Values: 
 | 
| global-iap-endpoints | IAP global API endpoints: in:global-iap-endpoints | Values: 
 | 
| global-kms-endpoints | Cloud Key Management Service global API endpoints: in:global-kms-endpoints | Values: 
 | 
| global-managedkafka-endpoints | Managed Kafka global API endpoints: in:global-managedkafka-endpoints | Values: 
 | 
| global-memcache-endpoints | Memorystore for Memcache global API endpoints: in:global-memcache-endpoints | Values: 
 | 
| global-migrationcenter-endpoints | Migration Center global API endpoints: in:global-migrationcenter-endpoints | Values: 
 | 
| global-networkconnectivity-endpoints | Network Connectivity global API endpoints: in:global-networkconnectivity-endpoints | Values: 
 | 
| global-osconfig-endpoints | VM Manager global API endpoints: in:global-osconfig-endpoints | Values: 
 | 
| global-oslogin-endpoints | OS Login API endpoints: in:global-oslogin-endpoints | Values: 
 | 
| global-policytroubleshooter-endpoints | Policy Troubleshooter global API endpoints: in:global-policytroubleshooter-endpoints | Values: 
 | 
| global-progressiverollout-endpoints | Ripple global API endpoints: in:global-progressiverollout-endpoints | Values: 
 | 
| global-pubsub-endpoints | Pub/Sub global API endpoints: in:global-pubsub-endpoints | Values: 
 | 
| global-redis-endpoints | Memorystore for Redis global API endpoints: in:global-redis-endpoints | Values: 
 | 
| global-run-endpoints | Cloud Run global API endpoints: in:global-run-endpoints | Values: 
 | 
| global-secretmanager-endpoints | Secret Manager global API endpoints: in:global-secretmanager-endpoints | Values: 
 | 
| global-securityposture-endpoints | Security Posture global API endpoints: in:global-securityposture-endpoints | Values: 
 | 
| global-servicenetworking-endpoints | Service Networking global API endpoints: in:global-servicenetworking-endpoints | Values: 
 | 
| global-websecurityscanner-endpoints | Web Security Scanner global API endpoints: in:global-websecurityscanner-endpoints | Values: 
 | 
| global-workstations-endpoints | Cloud Workstations global API endpoints: in:global-workstations-endpoints | Values: 
 | 
| global-bigquery-endpoints | BigQuery global API endpoints: in:global-bigquery-endpoints | Values: 
 | 
| global-bigqueryreservation-endpoints | BigQuery Reservation global API endpoints: in:global-bigqueryreservation-endpoints | Values: 
 | 
| global-bigquerystorage-endpoints | BigQuery Storage global API endpoints: in:global-bigquerystorage-endpoints | Values: 
 | 
| global-logging-endpoints | Cloud Logging global API endpoints: in:global-logging-endpoints | Values: 
 | 
| global-storage-endpoints | Cloud Storage global API endpoints: in:global-storage-endpoints | Values: 
 |