This page describes how to create and manage Gemini on Google Distributed Cloud connected API endpoints.
It assumes that you have successfully deployed the Google-certified hardware as described in Installation requirements.
Prerequisites
This section describes the one-time steps you must complete before you can deploy Gemini on GDC connected API endpoints.
Enable the required APIs
You must enable the following APIs on your target Google Cloud project:
aiplatform.googleapis.comanthos.googleapis.comanthosaudit.googleapis.comanthosgke.googleapis.comcloudresourcemanager.googleapis.comconnectgateway.googleapis.comcompute.googleapis.comcontainer.googleapis.comedgecontainer.googleapis.comgdchardwaremanagement.googleapis.comgkeconnect.googleapis.comgkehub.googleapis.comgkeonprem.googleapis.comiam.googleapis.comiamcredentials.googleapis.comkubernetesmetadata.googleapis.comlogging.googleapis.commonitoring.googleapis.commulticlustermetering.googleapis.comopsconfigmonitoring.googleapis.comoslogin.googleapis.comserviceusage.googleapis.comstackdriver.googleapis.comstorage.googleapis.comsts.googleapis.com
For information about enabling APIs, see Enabling services.
Grant the required roles
You must configure the following required roles:
For accounts used to manage your Gemini on GDC connected API deployment, grant the roles listed in Distributed Cloud Edge Container API roles and permissions.
For accounts used to interact with Gemini on GDC connected API endpoints, grant the roles listed in Vertex AI API roles and permissions.
Get information about the target Distributed Cloud connected zone
To get the name of your target Distributed Cloud connected zone, do the following:
List the Distributed Cloud connected zones in your Google Cloud project as described in List zones.
Get detailed information about the target zone as described in Get information about a zone.
Get information about the certified machines in your Distributed Cloud connected zone
To get the names of the target certified machines in your Distributed Cloud connected zone, do the following:
List the Distributed Cloud connected machines in the target Distributed Cloud connected zone as described in List machines in a zone.
Get detailed information about the target machine as described in Get information about a machine.
Enable the local AI Platform API and Vertex AI API services
Enable the target Google Cloud project in your target Distributed Cloud connected zone:
gcloud zone-management projects enable PROJECT_ID \ --organization ORGANIZATION_ID \ --location REGION \ --zones ZONE
Replace the following:
PROJECT_ID: the ID of the target Google Cloud project.ORGANIZATION_ID: the ID of the target Google Cloud organization.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.
Enable the AI Platform service on the target Google Cloud project:
gcloud services enable aiplatform.googleapis.com --project PROJECT_ID
Replace
PROJECT_IDwith the ID of the target Google Cloud project.Enable the Vertex AI API service on the Distributed Cloud connected zone:
gcloud zone-management services enable vertex --project PROJECT_ID \ --location REGION \ --zones ZONE
Replace the following:
PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.
Configure the endpoint for DNS resolution
Get the managed DNS address, the top-level domain (TLD), and the Certificate Authority (CA) certificate for target Distributed Cloud connected zone:
gcloud alpha zone-management zones describe ZONE \ --organization ORGANIZATION_ID \ --location REGION
Replace the following:
ORGANIZATION_ID: the ID of the target Google Cloud organization.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.
The following example illustrates the output of this command:
-----BEGIN CERTIFICATE----- MIIDATCCAemgAwIBAgIRAOsIG15loHwPBpjQe9FZYUAwDQYJKoZIhvcNAQELBQAw GjEYMBYGA1UEAxMPZ2RjZS1jbHVzdGVyLWNhMB4XDTI1MDcyOTEyMTAwNloXDTQ5 MDcyMzEyMTAwNlowGjEYMBYGA1UEAxMPZ2RjZS1jbHVzdGVyLWNhMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3YdoASubyzHdgZ0vIU5g1dxdFRT1T4wc o9FaRXftSTDfiNVNKj/vC+De9EZokpyLZkdZNep6p0TLJAsPZYq+yiTCiaJ6Ihwy 3LBn8j2PessSIte2LUhkft1yCQqfkgpYfKcjM3IauIXETS961m0uJb4sntgLJ4nM Scb5vpW1f70D1V27bqnEsE7+rbxzeFTosHC+DGBcLqIE0ptdionm/4xoltH7yv2O qKfcc/46TyPwGRzxifEdNzjKZ1kRdTThESfW+L7TQNv6VF5TC4FPksYX/ID/X7Fz G9BRey0mikvc4J7qQIeyMRlpIKqRh/1FCdRDC9vVEQipT2Ls0MwwTwIDAQABo0Iw QDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUmES2 pyMLOnnsKug8amFmenOaTr8wDQYJKoZIhvcNAQELBQADggEBADn71zo7cNFZ0kQE C2lS6b0DLz4Nd1yCz5fGDvxzcTRdOT60wyq/TAx1YlYse33cGk/cQ7RkVsM56UX1 T8RMvi09UcEQG3wFrYuU62ZjXF1a3RrOnHxyvVdyvbUYAO5gvzBQrj4tMZYX9kL3 6H/9FwXuHVyqWAm0xpWvZfszwJjY4C1VxoDwmRiZPYzTrWI6/rY0QmORgcZXLnPL OVufbAX30aRGdTRnVXxE0fKmXwzbtbSHilU5hJT7EQWMvV5hJfyNqdXG0gbrhrsk sB0yRjk5PHQd9pOMcXcYIgfNnUEcQl4qeSll3g5cZ+cRrcTO1USFLRo8dcbQpJ6Y 6ykzvKs= -----END CERTIFICATE----- createTime: '2025-08-25T20:46:50.269384028Z' dnsServers: - ipAddress: 10.200.1.10 tld: my-tld.google.private.goog name: organizations/my-organization/locations/my-region/zones/my-zone state: STATE_RUNNINGStore the certificate into a file. You will use this file in the next steps.
Create the DNS configuration for the endpoint as follows:
mkdir /etc/systemd/resolved.conf.d echo '[Resolve] DNS=DNS_SERVER_ADDRESS Domains=~TOP_LEVEL_DOMAIN' > /etc/systemd/resolved.conf.d/dns.conf sudo systemctl restart systemd-resolved
Replace the following:
DNS_SERVER_ADDRESS: the IP address of your DNS server.TOP_LEVEL_DOMAIN: the top-level domain for the endpoint.
Deploy a Gemini on GDC connected API endpoint
To deploy a Gemini on GDC connected API endpoint, do the following:
Create the endpoint:
gcloud ai endpoints create \ --project=PROJECT_ID \ --region=REGION \ --gdc-zone=ZONE \ --display_name=ENDPOINT_NAME
Replace the following:
PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.ENDPOINT_NAME: a meaningful name that uniquely identifies this endpoint.
Deploy the model:
gcloud ai endpoints deploy-model ENDPOINT_NAME \ --region=REGION \ --gdc-zone=ZONE \ --model=MODEL_PUBLIC_ID
Replace the following:
ENDPOINT_NAME: the name of the target endpoint.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.MODEL_PUBLIC_ID: the model's public-facing ID. For a list of supported models, see Supported models.
Get the endpoint address:
gcloud ai endpoints describe ENDPOINT_NAME \ --project=PROJECT_ID \ --region=REGION
Replace the following:
ENDPOINT_NAME: the name of the target endpoint.PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
Create the service account for the endpoint in the target Distributed Cloud connected zone:
gcloud alpha zone-management service-accounts create SERVICE_ACCOUNT \ --project PROJECT_ID \ --location REGION \ --zone ZONE
Replace the following:
SERVICE_ACCOUNT: a meaningful name that uniquely identifies this service account.PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.
Get the Identity and Access Management policy for the target Distributed Cloud connected zone:
gcloud alpha zone-management zones get-iam-policy ZONE \ --project PROJECT_ID \ --location REGION
Replace the following:
ZONE: the target Distributed Cloud connected zone.PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
Assign the AI Platform Developer role to the service account:
gcloud alpha zone-management zones set-iam-policy
\ --project PROJECT_ID \ --location REGION \ --zone ZONE Replace the following:
POLICY_FILE: JSON or YAML file containing the role assignment policy.PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.
The following is an example policy in JSON format:
"bindings": [ { "role": "roles/aiplatform.geminiDeveloper", "members": [ "serviceAccount": "projects/my-project/locations/my-region/serviceAccounts/my-service-account" ] } ], "etag": ""The following is an example policy in YAML format:
bindings: - role: roles/aiplatform.geminiDeveloper members: - serviceAccount: projects/my-project/locations/my-region/serviceAccounts/my-service-account etag: ""Generate a key for the service account:
gcloud alpha zone-management service-accounts keys create
\ --service-account \ --project \ --location \ --ca-cert-path Replace the following:
SA_KEY_FILE: file in which to store the generated service account key.PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.CA_CERTIFICATE_FILE: the CA certificate file you created earlier.
Print the identity token for the service account:
gcloud alpha zone-management auth print-identity-token \ --cred-file=SA_CREDENTIAL_FILE \ --audience=ENDPOINT_URL
Replace the following:
SA_KEY_FILE: the service account key file you created earlier.ENDPOINT_URL: the endpoint's fully qualified URL, including the TLD suffix.
List deployed Gemini on GDC connected API endpoints
To list your deployed Gemini on GDC connected API endpoints, do the following:
gcloud ai endpoints list \
--project=PROJECT_ID \
--region=REGION \
--gdc-zone=ZONE
Replace the following:
PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.
Get information about a Gemini on GDC connected API endpoint
To get information about a deployed Gemini on GDC connected API endpoint, do the following:
gcloud ai endpoints describe ENDPOINT_NAME \
--project=PROJECT_ID \
--region=REGION
Replace the following:
ENDPOINT_NAME: the name of the target endpoint.PROJECT_ID: the ID of the target Google Cloud project.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
Interact with a Gemini on Google Distributed Cloud connected API endpoint
Your Gemini on GDC connected API endpoint supports interaction through the ChatCompletions API
and the ListAvailableModels API. Use these APIs to programmatically interact with your endpoint.
Here's an example of a request through the Chat Completions API:
API_ENDPOINT="https://${IG_FQDN}/v1/projects/${PROJECT}/locations/${LOCATION}/chat/completions"
FLOW_ID="gemini-2.0-flash-001"
REQUEST_BODY='{
> "model": "'${FLOW_ID}'",
> "messages": [
> {
> "role": "system",
> "content": "You are a helpful assistant."
> },
> {
> "role": "user",
> "content": "Hello!"
> }
> ],
}'
curl -X POST -vv -k \
"${API_ENDPOINT}" \
-d "${REQUEST_BODY}" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${BEARER_TOKEN}" \
-H "x-goog-user-project: projects/${PROJECT}"
The following is an example of a multimodal Chat Completions API request with a document as input:
BASE64_IMAGE=$(base64 -w 0 sample-image.jpg)
{
"model": "gemini-1.5-flash-002",
"messages": [
{
"role": "user",
"content": [
{
"type": "text",
"text": "What is this image?"
},
{
"type": "image_url",
"image_url": {
"url": "data:image/jpeg;base64,'"${BASE64_IMAGE}"'"
}
}
]
}
]
}
And this is an example of a ListAllAvailableModels API request:
# The request body -d parameter is intentionally omitted.
grpcurl -insecure \
-H "Authorization: Bearer ${BEARER_TOKEN}" \
-H "x-goog-user-project: projects/${PROJECT}" \
"${IG_FQDN}:443" \
cloud.gdc.ai.inference.inferencegateway.GeminiMetadataService.ListAvailableModels
For more information on the workloads suitable for Gemini on Google Distributed Cloud connected API, see Gemini overview.
Delete a Gemini on Google Distributed Cloud connected API endpoint
To delete a Gemini on GDC connected API endpoint, do the following:
Undeploy the model:
gcloud ai endpoints undeploy-model ENDPOINT_NAME \ --region=REGION \ --gdc-zone=ZONE \ --model=MODEL_PUBLIC_ID
Replace the following:
ENDPOINT_NAME: the name of the target endpoint.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.ZONE: the target Distributed Cloud connected zone.MODEL_PUBLIC_ID: the model's public-facing ID. For a list of supported models, see Supported models.
Delete the endpoint:
gcloud ai endpoints delete ENDPOINT_NAME \ --project=PROJECT_ID \ --region=REGION
Replace the following:
PROJECT_ID: the name of the target endpoint.REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
Troubleshoot endpoints
If your a Gemini on GDC connected API endpoint goes down, contact your Google representative to troubleshoot it.