Networking, Identity & Private Connectivity

Enforcing Regional Endpoints with a GCP Org Policy Constraint

Asking developers nicely to avoid the global endpoint is a policy on paper. An organization policy constraint makes it a policy in the control plane — Google Cloud's equivalent of the SCP region-pinning pattern on AWS.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Claude on Vertex AI can be reached through three endpoint types. The global endpoint routes dynamically for maximum availability — Google states it "can process and serve your requests from any region that is supported by the model." Multi-region endpoints (currently us and eu) route dynamically within a geography, for data residency with high availability. Regional endpoints guarantee routing through one specific region.

For teams with residency requirements, the global endpoint is the one to worry about: any developer who sets region="global" — or copies a quickstart that does — sends traffic that may be served from anywhere the model is supported. Google Cloud provides an organization-policy answer.

The constraint: gcp.restrictEndpointUsage

An organization policy constraint is a rule an administrator applies at the organization, folder, or project level that limits how Google Cloud services can be used underneath it — regardless of what IAM permissions individual callers hold. Google's partner-model documentation names the relevant one for this problem: admins can force regional routing by blocking the global endpoint with constraints/gcp.restrictEndpointUsage.

Applied to the resource hierarchy covering your Claude workloads, the constraint turns "please don't use the global endpoint" into an error for any request that tries. Developers get fast, unambiguous feedback instead of silently non-compliant traffic. For the exact policy syntax and scoping options, work from Google's org-policy documentation — the constraint name above is the piece specific to this use case.

Pointing clients at the compliant endpoints

Enforcement without a migration path just breaks things, so pair the constraint with client configuration. The multi-region endpoints use dedicated regional-endpoint domains, different from the default aiplatform.googleapis.com host:

EndpointHost / locationRouting behavior
Globalaiplatform.googleapis.com, location globalAny supported region
US multi-regionaiplatform.us.rep.googleapis.com, location usWithin the US geography
EU multi-regionaiplatform.eu.rep.googleapis.com, location euWithin the EU geography
Regional{region}-aiplatform.googleapis.comOne specific region

In the Python SDK, the switch is the region parameter, which accepts "global", "us"/"eu", or a specific region such as "us-east1" or "europe-west1":

from anthropic import AnthropicVertex

# Multi-region: stays within the US geography
client = AnthropicVertex(project_id="my-project", region="us")

message = client.messages.create(
    model="claude-opus-4-8",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Hello, Claude"}],
)

Know the costs of pinning before you enforce

Three documented trade-offs to put in the design review:

One residency nuance worth quoting to your compliance team verbatim: Google documents that data at rest is stored within the selected region or multi-region for partner models, but "the regionalization of data processing may vary." Confirm what that means for your specific obligations with Google rather than assuming pinning settles every residency question.

Rule of thumb: constraint first, clients second, budget third — apply constraints/gcp.restrictEndpointUsage, move clients to region="us"/"eu" or a named region, and expect the 10% premium on current-generation Claude models.

Where to go next

This is the Vertex sibling of Bedrock's region-pinning story — compare the SCP article. For the rest of the Vertex lockdown kit, see the VPC-SC logging gap and regions and availability.

Sources