Testing your peering connection for private IP

This guide explains how to test that a training job can access private IPs in your network. First, you need to create a private connection between your VPC network and AI Platform Training.

Overview

Setting up this test has two parts:

  • Set up an endpoint in your network.
  • Submit a test training job to access that endpoint.

Set up an endpoint

To set up an endpoint, set up a local server on a VM instance in your network.

  1. Create a Compute Engine instance in your VPC network.
  2. Check your firewall rules to make sure that they don't restrict ingress from the AI Platform Training network. If they do, add a rule to ensure the AI Platform Training network can access the IP range you reserved for AI Platform Training (and other service producers).
  3. Find the private IP address of your VM:

    • Go to the VM instances page.
    • Go to the VM instance details page for your instance, and find the internal IP listed on the page.
    • Alternatively, set the name of your instance, and run the following gcloud command:

      INSTANCE_NAME="your-instance-name"
      gcloud compute instances describe $INSTANCE_NAME \
        --format="value(networkInterfaces.networkIP)"
      
  4. SSH into your VM and install Node.js.

  5. Copy the sample Node.js code into a file named hw.js and fill in your private IP address:

     const http = require('http');
     // Fill in the value of your vm's private IP
     const hostname = 'your_private_ip';
     const port = 3000;
     // Answer every request with 200 and echo the requested path.
     const server = http.createServer((req, res) => {
       res.statusCode = 200;
       res.setHeader('Content-Type', 'text/plain');
       res.end('Hello World ' + req.url + '\n');
     });
     // Bind to the private IP only, not to every interface.
     server.listen(port, hostname, () => {
       // Template literals need backticks for ${...} to be interpolated.
       console.log(`Server running at http://${hostname}:${port}/`);
     });
    
  6. Run your server:

    nodejs hw.js
    
  7. Switch out of the VM SSH to submit your training job.

Submit a test training job

Instead of training a model, this training job accesses your endpoint to verify that AI Platform Training can access private IPs in your network.

  1. Copy the sample Python training application to submit to AI Platform Training.
  2. Update the code to include your private IP address:

    import logging
    import subprocess
    import sys

    def main():
      # Fill in the value of your vm's private IP
      hostname = "your_private_ip"
      url = "http://" + hostname + ":3000/you_can_write_your_name_here"
      # Pass the arguments as a list so that no shell parses the URL.
      # curl exits with 0 when it receives an HTTP response from the server.
      response = subprocess.call(["curl", url])
      if response == 0:
        print(hostname, "is up!")
        logging.info("%s is up; Peering successful!", hostname)
        sys.exit(0)
      else:
        logging.error("%s is down; Peering failed!", hostname)
        sys.exit(1)

    if __name__ == "__main__":
      logging.getLogger().setLevel(logging.INFO)
      main()
    
  3. Create a config.yaml to specify the network. If you're using Shared VPC, use your VPC host project number.

    Make sure the network name is formatted correctly:

    PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
    NETWORK=your-network-name
    
    cat << EOF > config.yaml
    trainingInput:
      scaleTier: BASIC
      network: projects/$PROJECT_NUMBER/global/networks/$NETWORK
    EOF
    
  4. Submit the job to AI Platform Training:

    BUCKET_NAME=your_bucket_name
    JOB_ID='test_vpc_peering_job'
    
    gcloud ai-platform jobs submit training $JOB_ID \
      --module-name trainingcode.test_peering \
      --stream-logs \
      --runtime-version 1.15 \
      --job-dir gs://$BUCKET_NAME/$JOB_ID \
      --region us-central1 \
      --package-path trainingcode/ \
      --config config.yaml
    

    Your job should succeed and print "Peering successful" — this validates your peering connection with AI Platform Training.
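
When the job logs "Peering failed", the curl exit code alone does not say whether the firewall, the route, or the server is at fault. The following is an added example, not part of the original guide: a Python 3 probe that could stand in for the curl call and separates those cases. The function name `probe`, the status labels, the `/peering-check` path and the 5-second timeout are assumptions made for this example.

```python
import errno
import socket
import sys

def probe(host, port=3000, path="/peering-check", timeout=5.0):
    """Send one HTTP GET to the test endpoint and return (status, detail).

    status is "ok", "refused", "timeout", "unreachable" or "error".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # No answer to the TCP connect: typically a firewall drop or a missing route.
        return "timeout", "no reply to TCP connect (check firewall rule and peering routes)"
    except ConnectionRefusedError:
        # The host answered with a reset: the path works, nothing listens on the port.
        return "refused", "host reachable but port closed (is hw.js running?)"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable", "no route to host (check the network in config.yaml)"
        return "error", str(exc)
    with sock:
        request = "GET {} HTTP/1.0\r\nHost: {}\r\n\r\n".format(path, host)
        try:
            sock.sendall(request.encode("ascii"))
            reply = b""
            while True:  # HTTP/1.0: the server closes the connection after the body
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            return "timeout", "TCP connected but no complete HTTP reply"
        except OSError as exc:
            return "error", str(exc)
    head, _, body = reply.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if status_line.split(" ")[1:2] == ["200"]:
        return "ok", body.decode("utf-8", "replace").strip()
    return "error", "unexpected reply: " + repr(status_line)

if __name__ == "__main__":
    # Placeholder value, as in the guide: fill in your VM's private IP.
    status, detail = probe("your_private_ip")
    print(status, detail)
    sys.exit(0 if status == "ok" else 1)
```

A "refused" result means the peering path and firewall rules already work and only the test server needs attention; "timeout" and "unreachable" point back to the firewall rule or the network named in config.yaml.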