Regional endpoints

This page describes how to use regional endpoints to access resources in Cloud Storage. Using regional endpoints lets you run your workloads in a manner that complies with data residency and data sovereignty requirements, where your request traffic is routed directly to the region specified in the endpoint.

Overview

Regional endpoints are request endpoints that only allow requests to proceed if the affected resource exists in the location specified by the endpoint. For example, when you use the endpoint https://storage.me-central2.rep.googleapis.com in a delete bucket request, the request only proceeds if the bucket is located in ME-CENTRAL2.

Unlike global endpoints, where requests can be processed in a different location from where the resource resides, regional endpoints guarantee that your requests are processed only within the location specified by the endpoint, which is the location where the resource resides. Regional endpoints terminate TLS sessions in the location specified by the endpoint for requests received from the Internet, other Google Cloud resources (such as Compute Engine virtual machines), on-premises services using VPN or Interconnect, and Virtual Private Clouds (VPCs).

Regional endpoints guarantee data residency by ensuring that your object's data at rest and in transit does not get moved out of the location specified by the endpoint. This guarantee excludes resource metadata, such as object names and bucket IAM policies. For more information, see Note on service data.

Supported locations

You can use regional endpoints to keep your data within the following locations:

  • Dammam, Saudi Arabia (ME-CENTRAL2 region)

Supported operations

Regional endpoints can only be used to perform operations that access or mutate resources within the location specified by the endpoint. Regional endpoints cannot be used to perform operations that access or mutate resources outside of the location specified by the endpoint.

For example, when you use the regional endpoint https://storage.me-central2.rep.googleapis.com, you can read objects in buckets located in ME-CENTRAL2, and copy an object from a source bucket to a destination bucket only when both buckets are located in ME-CENTRAL2. If you attempt to read or copy an object outside of ME-CENTRAL2, you get an error.

Regional endpoints can be used to perform supported bucket, object, and inventory report operations, as long as the operations are performed on resources stored in the location specified by the endpoint.

The full list of supported operations is as follows:

  • Object operations
    • Creating objects
    • Composing objects
    • Copying objects¹
    • Deleting objects
    • Getting object metadata²
    • Listing objects
    • Patching objects
    • Rewriting objects¹
    • Updating objects
  • Bucket operations
    • Creating buckets
    • Deleting buckets
    • Getting bucket metadata²
    • Listing buckets
    • Locking bucket retention policies
    • Patching buckets
    • Updating buckets
  • Operations on IAM policies
    • Getting bucket IAM policies²
    • Updating bucket IAM policies²
    • Testing bucket IAM policies²
  • Operations on ACLs
    • Creating object ACLs²
    • Creating default object ACLs for a bucket²
    • Deleting object ACLs²
    • Deleting default object ACLs for a bucket²
    • Getting object ACLs²
    • Getting default object ACLs for a bucket²
    • Listing object ACLs²
    • Listing default object ACLs for a bucket²
    • Patching object ACLs²
    • Patching default object ACLs for a bucket²
    • Updating object ACLs²
    • Updating default object ACLs for a bucket²
  • Storage Insights operations
    • Creating inventory report configurations
    • Deleting inventory report configurations
    • Getting inventory reports
    • Getting inventory report configurations
    • Listing inventory reports
    • Listing inventory report configurations
    • Patching inventory report configurations

¹ This operation only succeeds if the source and destination buckets are in the location specified by the endpoint.

² This operation accesses or mutates metadata. Compliance with data residency and data sovereignty requirements is not guaranteed for this operation.

Limitations and restrictions

Regional endpoints cannot be used to perform the following operations:

  • Operations that access or mutate resources outside of the location specified by the endpoint

  • Copying or rewriting resources from one location to another

  • HMAC key operations

  • Service account operations

  • Pub/Sub notification operations

Keep in mind the following restrictions when using regional endpoints:

  • You cannot connect to regional endpoints using mutual TLS (mTLS).

  • Regional endpoints only support HTTPS. HTTP is not supported.

  • Regional endpoints don't support bucket subdomains in the XML API.
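The restrictions above can be checked mechanically against the URLs your clients actually call, for instance URLs taken from an egress proxy log. The following is an added example, not code from this page or from Google Cloud; the function names, finding labels, and sample URLs are constructed for illustration, and the supported-location set mirrors the list on this page.

```python
import re
from urllib.parse import urlsplit

# Locations this page lists as supported, in the lowercase form used in hostnames.
SUPPORTED_LOCATIONS = {"me-central2"}
REGIONAL_HOST = re.compile(r"^storage\.([a-z0-9-]+)\.rep\.googleapis\.com$")
# Bucket-subdomain (virtual-hosted) form: BUCKET.storage.<...>googleapis.com
SUBDOMAIN_HOST = re.compile(
    r"\.storage\.(googleapis\.com|[a-z0-9-]+\.rep\.googleapis\.com)$")
GLOBAL_HOST = "storage.googleapis.com"

def check_endpoint(url):
    """Return a list of findings; an empty list means the URL is acceptable."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")           # regional endpoints are HTTPS only
    match = REGIONAL_HOST.match(host)
    if match:
        if match.group(1) not in SUPPORTED_LOCATIONS:
            findings.append("unsupported-location")
    elif host == GLOBAL_HOST:
        findings.append("global-endpoint")     # no processing-location guarantee
    elif SUBDOMAIN_HOST.search(host):
        findings.append("bucket-subdomain")    # not supported in the XML API
    else:
        findings.append("not-a-regional-storage-endpoint")
    return findings

def audit(urls):
    """Map each non-compliant URL to its findings."""
    report = {}
    for url in urls:
        findings = check_endpoint(url)
        if findings:
            report[url] = findings
    return report

# Constructed sample input (hypothetical bucket and object names).
SAMPLE_URLS = [
    "https://storage.me-central2.rep.googleapis.com/storage/v1/b/my-example-bucket/o",
    "http://storage.me-central2.rep.googleapis.com/my-example-bucket",
    "https://storage.googleapis.com/storage/v1/b/my-example-bucket/o",
    "https://my-example-bucket.storage.googleapis.com/report.csv",
    "https://my-example-bucket.storage.me-central2.rep.googleapis.com/report.csv",
    "https://storage.europe-west3.rep.googleapis.com/my-example-bucket",
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_URLS).items():
        print(", ".join(findings), url)
```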

Tools for using regional endpoints

Console

To use regional endpoints to access Cloud Storage resources, use the jurisdictional Google Cloud console URLs:

Resource                     URL
Bucket list for a project    https://console.sa.cloud.google.com/storage/browser?project=PROJECT_ID
Object list for a bucket     https://console.sa.cloud.google.com/storage/browser/BUCKET_NAME
Details for an object        https://console.sa.cloud.google.com/storage/browser/_details/BUCKET_NAME/OBJECT_NAME

Command line

To configure the Google Cloud CLI for use with regional endpoints, complete the following steps:

  1. Make sure you're using the Google Cloud CLI 402.0.0 or newer.

  2. Set the api_endpoint_overrides/storage property to the regional endpoint you want to use:

    gcloud config set api_endpoint_overrides/storage https://storage.LOCATION.rep.googleapis.com/

    Alternatively, you can set the CLOUDSDK_API_ENDPOINT_OVERRIDES_STORAGE environment variable to the endpoint:

    CLOUDSDK_API_ENDPOINT_OVERRIDES_STORAGE=https://storage.LOCATION.rep.googleapis.com/ gcloud storage ls gs://my-bucket

REST APIs

JSON API

When making requests to regional endpoints, use the following URIs:

  • For general JSON API requests, excluding object uploads, use the following endpoint, replacing LOCATION with a supported bucket location:

    https://storage.LOCATION.rep.googleapis.com

    For example, the following endpoint is used to create a bucket in the ME-CENTRAL2 region:

    https://storage.me-central2.rep.googleapis.com

  • For JSON API object uploads, use the following endpoint:

    https://storage.LOCATION.rep.googleapis.com/upload/storage/v1/b/BUCKET_NAME/o

    Replace:

    • LOCATION with a supported bucket location.

    • BUCKET_NAME with the name of the bucket to which you want to upload an object.

    For example, the following endpoint is used to upload an object to a bucket in the ME-CENTRAL2 region:

    https://storage.me-central2.rep.googleapis.com/upload/storage/v1/b/my-example-bucket/o

  • For JSON API object downloads, use the following endpoint:

    https://storage.LOCATION.rep.googleapis.com/download/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME?alt=media

    Replace:

    • LOCATION with a supported bucket location.

    • BUCKET_NAME with the name of the bucket that contains the object you want to download.

    • OBJECT_NAME with the name of the object you want to download.
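When filling in these templates programmatically, the object name must be percent-encoded as a single path segment, and the location should be checked against an allowlist so that a request is never built for an endpoint outside the intended region. The following is an added example, not code from this page or from a Google client library; the function names are hypothetical, and the `uploadType=media` and `name` query parameters come from the general JSON API simple-upload form rather than from this page.

```python
from urllib.parse import quote

# Locations this page lists as supported, in the lowercase form used in hostnames.
SUPPORTED_LOCATIONS = {"me-central2"}

def regional_base(location):
    """Return the regional endpoint for an allowlisted location, else raise."""
    loc = location.lower()
    if loc not in SUPPORTED_LOCATIONS:
        raise ValueError(f"location {location!r} is not an allowed regional endpoint")
    return f"https://storage.{loc}.rep.googleapis.com"

def download_url(location, bucket, object_name):
    """JSON API download URL; '/' in the object name is encoded as %2F."""
    return (f"{regional_base(location)}/download/storage/v1/b/"
            f"{quote(bucket, safe='')}/o/{quote(object_name, safe='')}?alt=media")

def upload_url(location, bucket, object_name):
    """JSON API simple-upload URL; the object name travels in the query string."""
    return (f"{regional_base(location)}/upload/storage/v1/b/"
            f"{quote(bucket, safe='')}/o"
            f"?uploadType=media&name={quote(object_name, safe='')}")

if __name__ == "__main__":
    # Constructed sample values (hypothetical bucket and object names).
    print(download_url("ME-CENTRAL2", "my-example-bucket", "reports/2024 q1.csv"))
    print(upload_url("ME-CENTRAL2", "my-example-bucket", "reports/2024 q1.csv"))
```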

XML API

When making requests to regional endpoints, use the following path-style endpoint:

https://storage.LOCATION.rep.googleapis.com/BUCKET_NAME

Replace:

  • LOCATION with a supported bucket location.

  • BUCKET_NAME with the name of a bucket.

For example, the following sample can be used to upload an object to a bucket in the ME-CENTRAL2 region:

https://storage.me-central2.rep.googleapis.com/my-example-bucket