To set up private ingress into a Contact Center AI Platform (CCAI Platform) instance, you configure it for private ingress at the time you create it. This blocks access to the instance from the internet. You can then set up a Private Service Connect connection, which uses your own internal IP address to access your instance. This keeps your traffic private and within Google Cloud. For more information, see Private Service Connect.
Create a CCAI Platform instance configured for private ingress
You can create a CCAI Platform instance configured for private ingress, which restricts access to your instance from the internet. To access the private instance, you need to set up a Private Service Connect connection.
To create a CCAI Platform instance configured for private ingress, follow these steps:
Create an instance as described in Get started with Contact Center AI Platform while meeting these requirements:
Configure your instance for private ingress with a component type of AGENT.
In the Allowed project IDs field, specify the project ID of the project that you want to set up a Private Service Connect connection from.
After your private ingress settings are saved, they appear under Private access on your instance's detail page.
Save the service attachment URI generated by your new instance for use when you set up a Private Service Connect endpoint. For more information, see Set up a Private Service Connect connection.
You have created a CCAI Platform instance that is configured for the following:
Private ingress, which prevents access from the internet.
A component type of AGENT, which you can use if you create a custom constraint.
To access your instance, see Set up a Private Service Connect connection.
Set up a Private Service Connect connection
You can set up a Private Service Connect connection to access your private CCAI Platform instance. This connection accesses your instance using an internal IP address, keeping your traffic within Google Cloud. Agents, managers, and CCAI Platform administrators can securely access your instance using a private domain name.
The Private Service Connect documentation explains how to set up a Private Service Connect connection. The following sections highlight the key steps in creating this connection in the context of CCAI Platform.
Create an endpoint
Create a Private Service Connect endpoint that uses an internal IP address and points to the service attachment of the instance that you created in Create an instance configured for private access. For more information, see Create an endpoint.
Configure your Domain Name System (DNS) infrastructure
Configure your DNS infrastructure so that it resolves the private domain name of
your CCAI Platform instance to the internal IP address of your
Private Service Connect endpoint. The private domain name of the
CCAI Platform instance is the public domain name with a .p added. For
example, if the public domain name of your instance is
{my_prefix}-{my_instance_id}.{location_code}.ccaiplatform.com, then the
private domain name would be
{my_prefix}-{my_instance_id}.{location_code}.p.ccaiplatform.com. You can use
DNS forwarding from your premises to the p.ccaiplatform.com DNS zone and then
use Inbound server policies to configure
Cloud DNS to resolve those addresses using response policy rules. You should
configure a rule mapping each Private Service Connect endpoint IP
address to the corresponding p.ccaiplatform.com domain. For more information,
see Private Service Connect.
To set up and test a Private Service Connect connection, see Set up a test connection.
Set up a test connection
If you created a private CCAI Platform instance in Create an instance configured for private access, you can set up a test Private Service Connect connection to access your private instance.
Set up a test Private Service Connect connection
To set up a test Private Service Connect connection, follow these steps:
In Google Cloud console, on the project selector page, create a Google Cloud project. Use a project ID that you specified as an allowed project ID in Create an instance configured for private access.
Create a VM while meeting the following requirements. For more information, see Create and start a Compute Engine instance.
The VM must be in the project that you created in the previous step.
The VM must be in the same region as the service attachment that you created in Create an instance configured for private access.
Reserve a regional IP address as described in Reserve a new static internal IPv4 or IPv6 address. Populate the following fields as shown:
IP version:
IPv4Network:
defaultSubnetwork: the
defaultsubnetwork in same region as the service attachment that you created in Create an instance configured for private access.
Create a Private Service Connect endpoint as directed in Create an endpoint. Populate the following fields as shown:
Target service: the service attachment URI that you saved in Create an instance configured for private access.
Network:
defaultSubnetwork:
defaultIP address: the IP address that you reserved in the previous step
You have set up a test Private Service Connect connection. See Access your CCAI Platform instance to use this connection to access your private CCAI Platform instance.
Access your private CCAI Platform instance
This section demonstrates how to to use a Private service connect connection to access the private CCAI Platform instance that you created in Set up a test Private Service Connect connection.
To access your private CCAI Platform instance from the command line, follow these steps:
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To make an SSH connection to the VM that you created in Set up a test Private Service Connect connection, enter the following code into the terminal:
gcloud compute ssh --zone "ZONE" "INSTANCE" --project "PROJECT_ID"Replace the following:
ZONE: the zone that your VM instance is inINSTANCE: the name of your VM instancePROJECT_ID: the project ID of the project that your VM instance is in
After the code runs, your command prompt should look similar to the following, indicating that you have made an SSH connection to your VM instance:
{your_home_directory}@INSTANCE:~$To map the internal IP address of your Private Service Connect endpoint to the private domain name of your private CCAI Platform instance, do the following:
Using a command-line text editor, add the following line to the
/etc/hostsfile:IP_ADDRESS PRIVATE_DOMAIN_NAMEReplace the following:
IP_ADDRESS: the IP address that you reserved when you set up a test Private Service Connect connection.PRIVATE_DOMAIN_NAME: the private domain name of the private instance that you created in Create an instance configured for private access. For example,{my_prefix}-{my_instance_id}.p.ccaiplatform.com. For more information, see Configure your Domain Name System (DNS) infrastructure.
This step performs a function similar to configuring your DNS infrastructure.
To access your private CCAI Platform instance, enter the following curl command into the terminal. The curl command contains the private domain name.
curl https://PREFIX-INSTANCE_ID.p.ccaiplatform.comReplace the following:
PREFIX: the prefix of your CCAI Platform instanceINSTANCE_ID: the ID of your CCAI Platform instance
The response should be HTML code for displaying a page of the private CCAI Platform instance. This indicates that you successfully accessed the private instance.
You have set up a test CCAI Platform connection and have accessed your
private CCAI Platform instance using the private domain name. If you
attempt to access the private instance through the public internet—using
the public domain name (with no .p in the URL)—the attempt fails, as
expected. Further, a private domain name only succeeds in connecting to a
private CCAI Platform instance if you have set up a
Private Service Connect connection.