Use a notebook instance within a service perimeter

This page describes how to use VPC Service Controls to set up an AI Platform Notebooks instance within a service perimeter.

Before you begin

1. Read the Overview of VPC Service Controls.

2. Create a new AI Platform Notebooks instance. Note that this AI Platform Notebooks instance is not within a service perimeter yet.

3. Create a service perimeter using VPC Service Controls. This service perimeter protects the Google-managed resources of services that you specify. While you create your service perimeter, do the following:

   1. When it's time to add projects to your service perimeter, add the project that contains your AI Platform Notebooks instance.

   2. When it's time to add services to your service perimeter, add the AI Platform Notebooks API.

   If you created your service perimeter without adding the projects and services you need, see Managing service perimeters to learn how to update your service perimeter.

Configure your DNS entries using Cloud DNS

AI Platform Notebooks uses several domains that a Virtual Private Cloud network doesn't handle by default. Using Cloud DNS, add DNS records to ensure that your VPC network correctly handles requests sent to those domains. To learn more about VPC routes, read the Routes overview.

Use the following steps to create a managed zone for a domain, add a DNS entry that will route the request, and execute the transaction. Repeat these steps for each of several domains that you need to handle requests for, starting with *.notebooks.googleapis.com.

To do the following, you can use the gcloud command-line tool with your preferred terminal or use Cloud Shell, which has the gcloud tool preinstalled.

1. Gather the following information. You must use these values throughout the following commands to configure your DNS entries.

   • PROJECT_ID is the ID of the project that hosts your VPC network.

   • NETWORK_NAME is the name of the VPC network that you created earlier.

   • ZONE_NAME is a name for the zone that you are creating. You must use a separate zone for each domain. This zone name will be used in each of the following steps.

   • DNS_NAME is the part of the domain that comes after the *.. For example, *.notebooks.googleapis.com has a DNS_NAME of notebooks.googleapis.com.

2. Create a private managed zone for one of the domains that your VPC network needs to handle.

   gcloud dns managed-zones create ZONE_NAME \
    --visibility=private \
    --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \
    --dns-name=DNS_NAME \
    --description="Description of your managed zone"
   

3. Start a transaction.

   gcloud dns record-sets transaction start --zone=ZONE_NAME
   

4. Add the following DNS A record. This reroutes traffic to Google's restricted IP addresses.

   gcloud dns record-sets transaction add \
    --name=DNS_NAME. \
    --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
    --zone=ZONE_NAME \
    --ttl=300
   

5. Add the following DNS CNAME record to point to the A record that you just added. This redirects all traffic matching the domain to the IP addresses listed in the previous step.

   gcloud dns record-sets transaction add \
    --name=*.DNS_NAME. \
    --type=CNAME DNS_NAME. \
    --zone=ZONE_NAME \
    --ttl=300
   

6. Execute the transaction.

   gcloud dns record-sets transaction execute --zone=ZONE_NAME
   

7. Repeat these steps for each of the following domains. For each repetition, change ZONE_NAME and DNS_NAME to the appropriate values for that domain. Keep PROJECT_ID and NETWORK_NAME the same each time. You already completed these steps for *.notebooks.googleapis.com.

   • *.notebooks.googleapis.com

   • *.datalab.cloud.google.com

   • *.notebooks.cloud.google.com

   • *.notebooks.googleusercontent.com

Using Container Registry within your service perimeter

If you want to use Container Registry within your service perimeter, follow these steps for configuring your DNS entries and service perimeter.

Using a shared VPC

If you're using a shared VPC, you must add the host and the service projects to the service perimeter. See Managing service perimeters.

Access your AI Platform Notebooks instance

Follow the steps for opening a notebook.

Installing Jupyter Extensions in your AI Platform Notebooks

If you attempt to install JupyterLab extensions and the Google Cloud Storage API is restricted, you may see a NETWORK_NOT_IN_SAME_SERVICE_PERIMETER error. AI Platform Notebooks extensions are currently stored in the deeplearning-platform-ui-public public bucket.

What's next

• See Managing service perimeters to add more resources to your service perimeter.
• Install dependencies on your new AI Platform Notebooks instance.