Set up private ingress

To set up private ingress into a Contact Center AI Platform (CCAI Platform) instance, you configure it for private ingress at the time you create it. This blocks access to the instance from the internet. You can then set up a Private Service Connect connection, which uses your own internal IP address to access your instance. This keeps your traffic private and within Google Cloud. For more information, see Private Service Connect.

Create a CCAI Platform instance configured for private ingress

You can create a CCAI Platform instance configured for private ingress, which restricts access to your instance from the internet. To access the private instance, you need to set up a Private Service Connect connection.

To create a CCAI Platform instance configured for private ingress, follow these steps:

  1. Create an instance as described in Get started with Contact Center AI Platform while meeting these requirements:

    • Configure your instance for private ingress with a component type of AGENT.

    • In the Allowed project IDs field, specify the project ID of the project that you want to set up a Private Service Connect connection from.

    After your private ingress settings are saved, they appear under Private access on your instance's detail page.

  2. Save the service attachment URI generated by your new instance for use when you set up a Private Service Connect endpoint. For more information, see Set up a Private Service Connect connection.

You have created a CCAI Platform instance that is configured for the following:

  • Private ingress, which prevents access from the internet.

  • A component type of AGENT, which you can use if you create a custom constraint.

To access your instance, see Set up a Private Service Connect connection.

Set up a Private Service Connect connection

You can set up a Private Service Connect connection to access your private CCAI Platform instance. This connection accesses your instance using an internal IP address, keeping your traffic within Google Cloud. Agents, managers, and CCAI Platform administrators can securely access your instance using a private domain name.

The Private Service Connect documentation explains how to set up a Private Service Connect connection. The following sections highlight the key steps in creating this connection in the context of CCAI Platform.

Create an endpoint

Create a Private Service Connect endpoint that uses an internal IP address and points to the service attachment of the instance that you created in Create an instance configured for private access. For more information, see Create an endpoint.

Configure your Domain Name System (DNS) infrastructure

Configure your DNS infrastructure so that it resolves the private domain name of your CCAI Platform instance to the internal IP address of your Private Service Connect endpoint. The private domain name of the CCAI Platform instance is the public domain name with a .p added. For example, if the public domain name of your instance is {my_prefix}-{my_instance_id}.{location_code}.ccaiplatform.com, then the private domain name would be {my_prefix}-{my_instance_id}.{location_code}.p.ccaiplatform.com. You can use DNS forwarding from your premises to the p.ccaiplatform.com DNS zone and then use Inbound server policies to configure Cloud DNS to resolve those addresses using response policy rules. You should configure a rule mapping each Private Service Connect endpoint IP address to the corresponding p.ccaiplatform.com domain. For more information, see Private Service Connect.

To set up and test a Private Service Connect connection, see Set up a test connection.

Set up a test connection

If you created a private CCAI Platform instance in Create an instance configured for private access, you can set up a test Private Service Connect connection to access your private instance.

Set up a test Private Service Connect connection

To set up a test Private Service Connect connection, follow these steps:

  1. In Google Cloud console, on the project selector page, create a Google Cloud project. Use a project ID that you specified as an allowed project ID in Create an instance configured for private access.


  2. Create a VM while meeting the following requirements. For more information, see Create and start a Compute Engine instance.

  3. Reserve a regional IP address as described in Reserve a new static internal IPv4 or IPv6 address. Populate the following fields as shown:

  4. Create a Private Service Connect endpoint as directed in Create an endpoint. Populate the following fields as shown:

You have set up a test Private Service Connect connection. See Access your CCAI Platform instance to use this connection to access your private CCAI Platform instance.

Access your private CCAI Platform instance

This section demonstrates how to use a Private Service Connect connection to access the private CCAI Platform instance that you created in Set up a test Private Service Connect connection.

To access your private CCAI Platform instance from the command line, follow these steps:

  1. In the Google Cloud console, activate Cloud Shell.


    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To make an SSH connection to the VM that you created in Set up a test Private Service Connect connection, enter the following code into the terminal:

    gcloud compute ssh --zone "ZONE" "INSTANCE" --project "PROJECT_ID"
    

    Replace the following:

    • ZONE: the zone that your VM instance is in

    • INSTANCE: the name of your VM instance

    • PROJECT_ID: the project ID of the project that your VM instance is in

    After the code runs, your command prompt should look similar to the following, indicating that you have made an SSH connection to your VM instance:

    {your_home_directory}@INSTANCE:~$
    
  3. To map the internal IP address of your Private Service Connect endpoint to the private domain name of your private CCAI Platform instance, do the following:

    1. Using a command-line text editor, add the following line to the /etc/hosts file:

      IP_ADDRESS PRIVATE_DOMAIN_NAME
      

      Replace the following:

      This step performs a function similar to configuring your DNS infrastructure.

  4. To access your private CCAI Platform instance, enter the following curl command into the terminal. The curl command contains the private domain name.

    curl https://PREFIX-INSTANCE_ID.p.ccaiplatform.com
    

    Replace the following:

    • PREFIX: the prefix of your CCAI Platform instance

    • INSTANCE_ID: the ID of your CCAI Platform instance

    The response should be HTML code for displaying a page of the private CCAI Platform instance. This indicates that you successfully accessed the private instance.

You have set up a test CCAI Platform connection and have accessed your private CCAI Platform instance using the private domain name. If you attempt to access the private instance through the public internet—using the public domain name (with no .p in the URL)—the attempt fails, as expected. Further, a private domain name only succeeds in connecting to a private CCAI Platform instance if you have set up a Private Service Connect connection.
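
The following check is an added example, not part of the CCAI Platform documentation. It derives the private domain name using the .p rule described in Configure your Domain Name System (DNS) infrastructure, then confirms that the name resolves, through /etc/hosts or DNS, to the internal IP address reserved for the Private Service Connect endpoint. The function names are hypothetical, and the hostname and IP address in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the CCAI Platform documentation.
# Hostnames and IP addresses shown with it are constructed placeholders.

# Print the private domain name for a CCAI Platform domain name:
# the public name with ".p" inserted before "ccaiplatform.com".
private_domain_name() {
  pdn_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
  pdn_name=${pdn_name%.}                          # drop a trailing root dot
  case "$pdn_name" in
    *.p.ccaiplatform.com) printf '%s\n' "$pdn_name" ;;   # already private
    ?*.ccaiplatform.com)
      printf '%s.p.ccaiplatform.com\n' "${pdn_name%.ccaiplatform.com}" ;;
    *) return 1 ;;                                # not a CCAI Platform name
  esac
}

# Resolve a name through NSS (/etc/hosts and DNS, in nsswitch.conf order),
# the same path curl on the VM uses. Prints the first IPv4 address, if any.
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 { print $1 }'
}

# Compare the resolved address with the endpoint's reserved internal IP.
# Args: NAME RESOLVED_IP ENDPOINT_IP. Returns 0 only when they match.
mapping_verdict() {
  if [ -z "$2" ]; then
    printf 'UNRESOLVED %s\n' "$1"; return 2
  elif [ "$2" = "$3" ]; then
    printf 'OK %s -> %s\n' "$1" "$2"; return 0
  else
    printf 'MISMATCH %s -> %s (expected %s)\n' "$1" "$2" "$3"; return 1
  fi
}

# Full check: derive the private name, resolve it, and compare.
# Args: DOMAIN_NAME ENDPOINT_IP
check_private_ingress_dns() {
  cpid_name=$(private_domain_name "$1") || { printf 'INVALID %s\n' "$1"; return 3; }
  mapping_verdict "$cpid_name" "$(resolve_ipv4 "$cpid_name")" "$2"
}

# Usage on the test VM (constructed values):
#   check_private_ingress_dns acme-1234.us-east1.ccaiplatform.com 10.128.0.5
```

A MISMATCH verdict usually means a stale /etc/hosts entry or a response policy rule that points at a different endpoint address.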
