Leverage Application Security in different regions

Application Security is available in several regions, providing the ability to deploy the Application Security service while being compliant to data sovereignty requirements.

When an account is created in a given region, all data associated with the account, for example the protection groups and security policy, are all persisted in the specific region, and only in that specific region. Likewise, the agent credentials are only associated with the specific region in which the protection group was created. Therefore, the Application Security agents need to connect to the service in the right region, for connectivity and service to work as expected.

There are two sets of URLs that need to take into account the region where Application Security is used: - The Application Security service APIs - The Agents connectivity

Application Security service APIs and the regions

The regions in which Application Security is used, needs to be taken into account in the base URL when integrating with the service API. The base URL for connecting and using the Application Security API in a given region is:

https://application.<region-code>.cloudone.trendmicro.com

For example, the base URL for connecting to the US region is: https://application.us-1.cloudone.trendmicro.com

All endpoint calls are done using this base URL. Refer to Regions supported by Application Security for list of Regions Codes.

Configure the agents connectivity for regions

The Application Security agents connect back to the Application Security service for reporting the security events, amongst other things. It is therefore important to configure the agents to connect to the right region. For more recent agent versions, the agents have the built-in capability to determine the proper region where to connect. For older versions of agents, which didn't include the multi-region capability, the URL pointing to the proper region needs to be explicitly configured in the agent configuration.

Connectivity for multi-region aware agents

Recent agent versions include the multi-region aware connectivity, which enables the agents to automatically determine which region to connect. For those agents, there is no need to add additional configuration in the agent, that is the hello_url configuration parameter doesn't need to be added to the agent configuration. The multi-region aware connectivity module in the agents enables the agent connections to be redirected to the right region when the closest region is not the right one.

The following table lists the minimum agent versions required for multi-region aware capability on various platforms:

Language Minimum Version required for Multi-Region capability
Python agent 4.6.2 and up
Java agent 4.4.5 and up
NodeJS agent not available yet
PHP agent not available yet
.NET agent not available yet

Configure the connectivity for agents without the multi-region aware capability

The section Connectivity for multi-region aware agents lists the agent versions that support the multi-region redirection.

In the case where the agent is an older version or the multi-region aware agent version for the required programming language is not yet available, the agent can be configured to connect to the appropriate region. The configuration can be added in the agent configuration file or by setting the agent environment variable.

The configuration parameter that needs to be set with the proper region information is hello_url, but it can be configured also as environment variable, TREND_AP_HELLO_URL. The generic URL structure to configure for the agents is:

https://agents.<region code>.application.cloudone.trendmicro.com

The following table provides the list of URLs for the corresponding region.

Region Agent URL
us-1 https://agents.us-1.application.cloudone.trendmicro.com/
in-1 https://agents.in-1.application.cloudone.trendmicro.com/
gb-1 https://agents.gb-1.application.cloudone.trendmicro.com/
au-1 https://agents.au-1.application.cloudone.trendmicro.com/
jp-1 https://agents.jp-1.application.cloudone.trendmicro.com/
de-1 https://agents.de-1.application.cloudone.trendmicro.com/

For example, a protection group created in an account in region in-1, for an agent of version prior to the version in the table, should have the following configuration set:

hello_url = https://agents.in-1.application.cloudone.trendmicro.com/
or environment variable
TREND_AP_HELLO_URL = https://agents.in-1.application.cloudone.trendmicro.com/
Refer to section Regions supported by Application Security for the list of region codes for the regions supported by Application Security.

Regions supported by Application Security

The following table lists the regions currently supported by Application Security

Region Region Code
United States us-1
India in-1
United Kingdom gb-1
Australia au-1
Japan jp-1
Germany de-1