Regions and endpoints

Review region and connectivity options for interacting with IBM® Key Protect.

Available regions

Key Protect is available in the following regions. This map might not reflect actual political or geographic boundaries.

Regions where the Key Protect service is available.
Figure 1. Displays the regions where you can create and manage Key Protect resources.

You can create Key Protect resources in one of the supported IBM Cloud regions, which represent the geographic area where your Key Protect requests are handled and processed. To learn more, see Locations, tenancy, and availability.

Connectivity options

Key Protect offers two connectivity options for interacting with its service APIs.

Public endpoints

By default, you can connect to resources in your account over the IBM Cloud public network. Your data is encrypted in transit by using supported ciphers of the Transport Layer Security (TLS) 1.2 and 1.3 protocols. For more information about TLS and these ciphers, check out Data encryption.

Private endpoints

For added benefits, you can also enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account.

When you enable VRF for your account, you can connect to Key Protect by using a private IP that is accessible only through the IBM Cloud private network.

To learn more about VRF, see Virtual routing and forwarding on IBM Cloud.

To learn how to connect to Key Protect by using a private endpoint, see Using private endpoints.

Service endpoints

If you are managing your Key Protect resources programmatically, see the following table to determine the API endpoints to use when you connect to the Key Protect API.

Table 1. Lists public endpoints for interacting with Key Protect APIs over IBM Cloud's public network

| Region | Public endpoints |
| --- | --- |
| Dallas | us-south.kms.cloud.ibm.com |
| Washington DC | us-east.kms.cloud.ibm.com |
| London | eu-gb.kms.cloud.ibm.com |
| Frankfurt | eu-de.kms.cloud.ibm.com |
| Sydney | au-syd.kms.cloud.ibm.com |
| Tokyo | jp-tok.kms.cloud.ibm.com |
| Osaka | jp-osa.kms.cloud.ibm.com |
| Toronto | ca-tor.kms.cloud.ibm.com |
| São-Paulo | br-sao.kms.cloud.ibm.com |
| Madrid | eu-es.kms.cloud.ibm.com |

Table 2. Lists private endpoints for interacting with Key Protect APIs over IBM Cloud's private network

| Region | Private endpoints |
| --- | --- |
| Dallas | private.us-south.kms.cloud.ibm.com |
| Washington DC | private.us-east.kms.cloud.ibm.com |
| London | private.eu-gb.kms.cloud.ibm.com |
| Frankfurt | private.eu-de.kms.cloud.ibm.com |
| Sydney | private.au-syd.kms.cloud.ibm.com |
| Tokyo | private.jp-tok.kms.cloud.ibm.com |
| Osaka | private.jp-osa.kms.cloud.ibm.com |
| Toronto | private.ca-tor.kms.cloud.ibm.com |
| São-Paulo | private.br-sao.kms.cloud.ibm.com |
| Madrid | private.eu-es.kms.cloud.ibm.com |

For more information about authenticating with Key Protect, see Accessing the API.
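
The following is an added example, not code from IBM's documentation: a configuration audit that checks Key Protect endpoint URLs against the host names in Tables 1 and 2 and flags plain HTTP, undocumented or look-alike hosts, regions outside an allowed set, and public endpoints where a private-only policy applies. The function names, the `allowed_regions` and `require_private` policy parameters, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Region codes copied from Tables 1 and 2 on this page.
REGIONS = {"us-south", "us-east", "eu-gb", "eu-de", "au-syd",
           "jp-tok", "jp-osa", "ca-tor", "br-sao", "eu-es"}
SUFFIX = ".kms.cloud.ibm.com"
# Constructed sample configuration values (hypothetical deployment).
SAMPLE = [
    "https://private.eu-de.kms.cloud.ibm.com",
    "https://eu-de.kms.cloud.ibm.com",
    "http://private.eu-gb.kms.cloud.ibm.com",
    "https://private.us-south.kms.cloud.ibm.com",
    "https://eu-de.kms.cloud.ibm.com@kms.example.net/",
]

def parse_endpoint(url):
    """Return (region, network) for a documented endpoint, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("endpoint must use https")
    # Userinfo makes the real host differ from what a reader sees first.
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("unexpected userinfo or port")
    host = parts.hostname or ""
    if not host.endswith(SUFFIX):
        raise ValueError("host is not a Key Protect endpoint")
    labels = host[: -len(SUFFIX)].split(".")
    network = "public"
    if len(labels) == 2 and labels[0] == "private":
        network, labels = "private", labels[1:]
    if len(labels) != 1 or labels[0] not in REGIONS:
        raise ValueError("host is not in the documented endpoint tables")
    return labels[0], network

def audit(urls, allowed_regions, require_private=True):
    """Return (url, finding) pairs for endpoints that violate the policy."""
    findings = []
    for url in urls:
        try:
            region, network = parse_endpoint(url)
        except ValueError as exc:
            findings.append((url, str(exc)))
            continue
        if region not in allowed_regions:
            findings.append((url, f"region {region} is outside the allowed set"))
        if require_private and network != "private":
            findings.append((url, "public endpoint used where private is required"))
    return findings
```

Calling `audit(SAMPLE, {"eu-de", "eu-gb"})` returns one finding for each sample URL except the first.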