This page describes how to use VPC Service Controls to set up an AI Platform Notebooks instance within a service perimeter.
Before you begin
Read the Overview of VPC Service Controls.
Create a new AI Platform Notebooks instance. Note that this AI Platform Notebooks instance is not within a service perimeter yet.
Create a service perimeter using VPC Service Controls. This service perimeter protects the Google-managed resources of the services that you specify. While you create your service perimeter, do the following:
When it's time to add projects to your service perimeter, add the project that contains your AI Platform Notebooks instance. Note that perimeter resources are identified by project number, not project ID.
When it's time to add services to your service perimeter, add the AI Platform Notebooks API (notebooks.googleapis.com) as a restricted service.
If you created your service perimeter without adding the projects and services you need, see Managing service perimeters to learn how to update your service perimeter.
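The following script, added here as an example and not taken from the page or from Google's own tooling, shows the perimeter setup described above as gcloud commands: creating a perimeter that contains the Notebooks project and restricts the Notebooks API, and the update form for a perimeter that already exists (which also covers the Shared VPC case, where the host project and every service project must be listed). POLICY_ID, PERIMETER_NAME and the project numbers are placeholders; by default the script only prints the commands (DRY_RUN=1), so nothing is changed until you run it with DRY_RUN=0.

```shell
# Added example: create or update a VPC Service Controls perimeter for an
# AI Platform Notebooks project. All identifiers below are assumptions.
set -eu

POLICY_ID="${POLICY_ID:-123456789}"                       # assumption: access policy number
PERIMETER_NAME="${PERIMETER_NAME:-notebooks-perimeter}"   # assumption: perimeter name
DRY_RUN="${DRY_RUN:-1}"                                   # 1 = print commands, 0 = run them

# Perimeter resources are project NUMBERS, not project IDs.
# For a Shared VPC, list the host project and every service project here.
PROJECT_NUMBERS="${PROJECT_NUMBERS:-111111111111 222222222222}"  # assumption

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build "projects/N,projects/M" from a space-separated list of project numbers.
resources_arg() {
  out=""
  for n in $1; do
    out="${out:+$out,}projects/$n"
  done
  printf '%s' "$out"
}

# Create a new perimeter containing the projects and restricting the Notebooks API.
create_perimeter() {
  run gcloud access-context-manager perimeters create "$PERIMETER_NAME" \
    --policy="$POLICY_ID" \
    --title="$PERIMETER_NAME" \
    --resources="$(resources_arg "$PROJECT_NUMBERS")" \
    --restricted-services=notebooks.googleapis.com
}

# Add the projects and the Notebooks API to a perimeter that already exists.
update_perimeter() {
  run gcloud access-context-manager perimeters update "$PERIMETER_NAME" \
    --policy="$POLICY_ID" \
    --add-resources="$(resources_arg "$PROJECT_NUMBERS")" \
    --add-restricted-services=notebooks.googleapis.com
}

create_perimeter
```

Run with DRY_RUN=0 once the printed commands look right; use update_perimeter instead of create_perimeter when the perimeter was created earlier without the project or the service.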
Configure your DNS entries using Cloud DNS
AI Platform Notebooks uses several domains that a Virtual Private Cloud network doesn't resolve to the restricted endpoint by default. Using Cloud DNS, add DNS records so that requests for those domains from your VPC network are sent to the restricted Google APIs addresses (restricted.googleapis.com, 199.36.153.4/30) rather than to the public endpoints; your VPC network must have a route that reaches that address range. To learn more about VPC routes, read the Routes overview.
Use the following steps to create a managed zone for a domain, add the DNS entries that route the request, and execute the transaction. Repeat these steps for each of the domains that you need to handle requests for, starting with *.notebooks.googleapis.com.
To do the following, you can use the gcloud command-line tool in your preferred terminal or use Cloud Shell, which has the gcloud tool preinstalled.
Gather the following information. You must use these values throughout the following commands to configure your DNS entries.
PROJECT_ID is the ID of the project that hosts your VPC network.
NETWORK_NAME is the name of the VPC network that you created earlier.
ZONE_NAME is a name for the zone that you are creating. You must use a separate zone for each domain. This zone name is used in each of the following steps.
DNS_NAME is the part of the domain that comes after the *. prefix. For example, *.notebooks.googleapis.com has a DNS_NAME of notebooks.googleapis.com.
Create a private managed zone for one of the domains that your VPC network needs to handle.
gcloud dns managed-zones create ZONE_NAME \
    --visibility=private \
    --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \
    --dns-name=DNS_NAME \
    --description="Description of your managed zone"
Start a transaction.
gcloud dns record-sets transaction start --zone=ZONE_NAME
Add the following DNS A record. It resolves the domain to the restricted Google APIs addresses (restricted.googleapis.com), which only serve APIs that support VPC Service Controls.
gcloud dns record-sets transaction add \
    --name=DNS_NAME. \
    --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
    --zone=ZONE_NAME \
    --ttl=300
Add the following DNS CNAME record to point to the A record that you just added. This directs all subdomains matching *.DNS_NAME to the IP addresses listed in the previous step.
gcloud dns record-sets transaction add \
    --name=*.DNS_NAME. \
    --type=CNAME DNS_NAME. \
    --zone=ZONE_NAME \
    --ttl=300
Execute the transaction.
gcloud dns record-sets transaction execute --zone=ZONE_NAME
Repeat these steps for each of the following domains. For each repetition, change ZONE_NAME and DNS_NAME to the appropriate values for that domain. Keep PROJECT_ID and NETWORK_NAME the same each time. You already completed these steps for *.notebooks.googleapis.com.
*.notebooks.googleapis.com
*.datalab.cloud.google.com
*.notebooks.cloud.google.com
*.notebooks.googleusercontent.com
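The script below is an added example, not code from the page, that carries the whole DNS procedure through for all four domains: it derives a separate managed-zone name from each DNS_NAME, creates the private zone attached to the VPC network, and adds the A record for the restricted addresses and the wildcard CNAME in one transaction. PROJECT_ID and NETWORK_NAME are placeholders you must set; with the default DRY_RUN=1 it prints the gcloud commands instead of running them, so you can review the exact zone names and records before applying them.

```shell
# Added example: private Cloud DNS zones that send the AI Platform Notebooks
# domains to the restricted Google APIs addresses. Placeholders are assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"    # assumption: project hosting the VPC network
NETWORK_NAME="${NETWORK_NAME:-my-vpc}"     # assumption: VPC network name
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = run them

# restricted.googleapis.com, the 199.36.153.4/30 range from the page.
RESTRICTED_VIP="199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7"

# The four domains from the page, in DNS_NAME form (without the leading "*.").
DOMAINS="notebooks.googleapis.com datalab.cloud.google.com notebooks.cloud.google.com notebooks.googleusercontent.com"

# A separate zone per domain: lowercase the name and replace dots with hyphens
# so it is a valid managed-zone name.
zone_name_for() {
  printf '%s' "$1" | tr 'A-Z.' 'a-z-'
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the private zone for one domain and add its A and CNAME records.
configure_domain() {
  dns_name="$1"
  zone="$(zone_name_for "$dns_name")"
  network_url="https://www.googleapis.com/compute/v1/projects/${PROJECT_ID}/global/networks/${NETWORK_NAME}"

  run gcloud dns managed-zones create "$zone" \
    --visibility=private \
    --networks="$network_url" \
    --dns-name="$dns_name" \
    --description="Routes ${dns_name} to restricted.googleapis.com"

  run gcloud dns record-sets transaction start --zone="$zone"
  # A record at the zone apex: the domain resolves only to the restricted VIP.
  # RESTRICTED_VIP is intentionally unquoted so each address is a separate argument.
  run gcloud dns record-sets transaction add --name="${dns_name}." --type=A $RESTRICTED_VIP --zone="$zone" --ttl=300
  # Wildcard CNAME: every subdomain is folded onto that A record.
  run gcloud dns record-sets transaction add --name="*.${dns_name}." --type=CNAME "${dns_name}." --zone="$zone" --ttl=300
  run gcloud dns record-sets transaction execute --zone="$zone"
}

# Apply the same steps to every domain, keeping PROJECT_ID and NETWORK_NAME fixed.
configure_all() {
  for d in $DOMAINS; do
    configure_domain "$d"
  done
}

configure_all
```

After applying, confirm from a VM in the network that each name resolves to an address in 199.36.153.4/30 (for example with dig), which shows the private zone is attached to the right VPC network.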
Using Container Registry within your service perimeter
If you want to use Container Registry within your service perimeter, follow these steps for configuring your DNS entries and service perimeter.
Using a shared VPC
If you're using a Shared VPC, you must add both the host project and the service projects to the service perimeter; otherwise requests that cross between them are denied at the perimeter. See Managing service perimeters.
Access your AI Platform Notebooks instance
Follow the steps for opening a notebook.
Installing Jupyter Extensions in your AI Platform Notebooks
AI Platform Notebooks extensions are currently stored in the deeplearning-platform-ui-public public bucket, which lies outside your service perimeter. If the Cloud Storage API is restricted by your perimeter and you attempt to install JupyterLab extensions, the download is blocked and you may see a NETWORK_NOT_IN_SAME_SERVICE_PERIMETER error.
What's next
- See Managing service perimeters to add more resources to your service perimeter.
- Install dependencies on your new AI Platform Notebooks instance.