Create and manage endpoints

This page describes how to create and manage Gemini on Google Distributed Cloud connected API endpoints.

It assumes that you have successfully deployed the Google-certified hardware as described in Installation requirements.

Prerequisites

This section describes the one-time steps you must complete before you can deploy Gemini on GDC connected API endpoints.

Enable the required APIs

You must enable the following APIs on your target Google Cloud project:

  • aiplatform.googleapis.com
  • anthos.googleapis.com
  • anthosaudit.googleapis.com
  • anthosgke.googleapis.com
  • cloudresourcemanager.googleapis.com
  • connectgateway.googleapis.com
  • compute.googleapis.com
  • container.googleapis.com
  • edgecontainer.googleapis.com
  • gdchardwaremanagement.googleapis.com
  • gkeconnect.googleapis.com
  • gkehub.googleapis.com
  • gkeonprem.googleapis.com
  • iam.googleapis.com
  • iamcredentials.googleapis.com
  • kubernetesmetadata.googleapis.com
  • logging.googleapis.com
  • monitoring.googleapis.com
  • multiclustermetering.googleapis.com
  • opsconfigmonitoring.googleapis.com
  • oslogin.googleapis.com
  • serviceusage.googleapis.com
  • stackdriver.googleapis.com
  • storage.googleapis.com
  • sts.googleapis.com

For information about enabling APIs, see Enabling services.

Grant the required roles

You must configure the following required roles:

Get information about the target Distributed Cloud connected zone

To get the name of your target Distributed Cloud connected zone, do the following:

  1. List the Distributed Cloud connected zones in your Google Cloud project as described in List zones.

  2. Get detailed information about the target zone as described in Get information about a zone.

Get information about the certified machines in your Distributed Cloud connected zone

To get the names of the target certified machines in your Distributed Cloud connected zone, do the following:

  1. List the Distributed Cloud connected machines in the target Distributed Cloud connected zone as described in List machines in a zone.

  2. Get detailed information about the target machine as described in Get information about a machine.

Enable the local AI Platform API and Vertex AI API services

  1. Enable the target Google Cloud project in your target Distributed Cloud connected zone:

    gcloud zone-management projects enable PROJECT_ID \
       --organization ORGANIZATION_ID \
       --location REGION \
       --zones ZONE
    

    Replace the following:

    • PROJECT_ID: the ID of the target Google Cloud project.
    • ORGANIZATION_ID: the ID of the target Google Cloud organization.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.
  2. Enable the AI Platform service on the target Google Cloud project:

    gcloud services enable aiplatform.googleapis.com --project PROJECT_ID
    

    Replace PROJECT_ID with the ID of the target Google Cloud project.

  3. Enable the Vertex AI API service on the Distributed Cloud connected zone:

    gcloud zone-management services enable vertex --project PROJECT_ID \
       --location REGION \
       --zones ZONE
    

    Replace the following:

    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.

Configure the endpoint for DNS resolution

  1. Get the managed DNS address, the top-level domain (TLD), and the Certificate Authority (CA) certificate for the target Distributed Cloud connected zone:

    gcloud alpha zone-management zones describe ZONE \
      --organization ORGANIZATION_ID \
      --location REGION
    

    Replace the following:

    • ORGANIZATION_ID: the ID of the target Google Cloud organization.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.

    The following example illustrates the output of this command:

    -----BEGIN CERTIFICATE-----
    MIIDATCCAemgAwIBAgIRAOsIG15loHwPBpjQe9FZYUAwDQYJKoZIhvcNAQELBQAw
    GjEYMBYGA1UEAxMPZ2RjZS1jbHVzdGVyLWNhMB4XDTI1MDcyOTEyMTAwNloXDTQ5
    MDcyMzEyMTAwNlowGjEYMBYGA1UEAxMPZ2RjZS1jbHVzdGVyLWNhMIIBIjANBgkq
    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3YdoASubyzHdgZ0vIU5g1dxdFRT1T4wc
    o9FaRXftSTDfiNVNKj/vC+De9EZokpyLZkdZNep6p0TLJAsPZYq+yiTCiaJ6Ihwy
    3LBn8j2PessSIte2LUhkft1yCQqfkgpYfKcjM3IauIXETS961m0uJb4sntgLJ4nM
    Scb5vpW1f70D1V27bqnEsE7+rbxzeFTosHC+DGBcLqIE0ptdionm/4xoltH7yv2O
    qKfcc/46TyPwGRzxifEdNzjKZ1kRdTThESfW+L7TQNv6VF5TC4FPksYX/ID/X7Fz
    G9BRey0mikvc4J7qQIeyMRlpIKqRh/1FCdRDC9vVEQipT2Ls0MwwTwIDAQABo0Iw
    QDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUmES2
    pyMLOnnsKug8amFmenOaTr8wDQYJKoZIhvcNAQELBQADggEBADn71zo7cNFZ0kQE
    C2lS6b0DLz4Nd1yCz5fGDvxzcTRdOT60wyq/TAx1YlYse33cGk/cQ7RkVsM56UX1
    T8RMvi09UcEQG3wFrYuU62ZjXF1a3RrOnHxyvVdyvbUYAO5gvzBQrj4tMZYX9kL3
    6H/9FwXuHVyqWAm0xpWvZfszwJjY4C1VxoDwmRiZPYzTrWI6/rY0QmORgcZXLnPL
    OVufbAX30aRGdTRnVXxE0fKmXwzbtbSHilU5hJT7EQWMvV5hJfyNqdXG0gbrhrsk
    sB0yRjk5PHQd9pOMcXcYIgfNnUEcQl4qeSll3g5cZ+cRrcTO1USFLRo8dcbQpJ6Y
    6ykzvKs=
    -----END CERTIFICATE-----
    createTime: '2025-08-25T20:46:50.269384028Z'
    dnsServers:
    - ipAddress: 10.200.1.10
    tld: my-tld.google.private.goog
    name: organizations/my-organization/locations/my-region/zones/my-zone
    state: STATE_RUNNING
    

    Store the certificate in a file. You will use this file in the next steps.

  2. Create the DNS configuration for the endpoint as follows:

    sudo mkdir -p /etc/systemd/resolved.conf.d
    echo '[Resolve]
    DNS=DNS_SERVER_ADDRESS
    Domains=~TOP_LEVEL_DOMAIN' | sudo tee /etc/systemd/resolved.conf.d/dns.conf > /dev/null
    sudo systemctl restart systemd-resolved
    

    Replace the following:

    • DNS_SERVER_ADDRESS: the IP address of your DNS server.
    • TOP_LEVEL_DOMAIN: the top-level domain for the endpoint.
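
The two steps above can be scripted so that the CA file and the resolver settings are taken from the `describe` output and validated before they reach a root-owned configuration file. This is an added example, not part of the original page; the function names are hypothetical and the sample output is constructed, with a placeholder certificate body.

```shell
#!/bin/sh
# Added example: derive the CA file and the systemd-resolved drop-in from
# saved `zones describe` output. Function names are hypothetical.

# Print only the PEM block, with any leading indentation removed.
extract_ca_cert() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
    sed 's/^[[:space:]]*//'
}

# Print the first DNS server address; fail unless it is a dotted quad.
extract_dns_server() {
  addr=$(sed -n 's/^[[:space:]]*-[[:space:]]*ipAddress:[[:space:]]*//p' "$1" | head -n 1)
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s\n' "$addr"
}

# Print the TLD; fail on characters that cannot appear in a DNS name.
extract_tld() {
  tld=$(sed -n 's/^[[:space:]]*tld:[[:space:]]*//p' "$1" | head -n 1)
  printf '%s\n' "$tld" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' || return 1
  printf '%s\n' "$tld"
}

# Render the drop-in. The "~" prefix makes the TLD a routing-only domain:
# only names under it are sent to the zone's DNS server.
render_resolved_dropin() {
  dns=$(extract_dns_server "$1") || return 1
  tld=$(extract_tld "$1") || return 1
  printf '[Resolve]\nDNS=%s\nDomains=~%s\n' "$dns" "$tld"
}

# Constructed sample in the shape of the output shown above; the
# certificate body is a placeholder, not a real certificate.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODYLINE1
PLACEHOLDERCERTIFICATEBODYLINE2
-----END CERTIFICATE-----
createTime: '2025-08-25T20:46:50.269384028Z'
dnsServers:
- ipAddress: 10.200.1.10
tld: my-tld.google.private.goog
EOF

extract_ca_cert "$SAMPLE" > "$SAMPLE.pem"   # CA file for later steps
render_resolved_dropin "$SAMPLE"            # review, then install with sudo tee
```
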

Deploy a Gemini on GDC connected API endpoint

To deploy a Gemini on GDC connected API endpoint, do the following:

  1. Create the endpoint:

    gcloud ai endpoints create \
       --project=PROJECT_ID \
       --region=REGION \
       --gdc-zone=ZONE \
       --display-name=ENDPOINT_NAME
    

    Replace the following:

    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.
    • ENDPOINT_NAME: a meaningful name that uniquely identifies this endpoint.
  2. Deploy the model:

    gcloud ai endpoints deploy-model ENDPOINT_NAME \
      --region=REGION \
      --gdc-zone=ZONE \
      --model=MODEL_PUBLIC_ID
    

    Replace the following:

    • ENDPOINT_NAME: the name of the target endpoint.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.
    • MODEL_PUBLIC_ID: the model's public-facing ID. For a list of supported models, see Supported models.
  3. Get the endpoint address:

    gcloud ai endpoints describe ENDPOINT_NAME \
      --project=PROJECT_ID \
      --region=REGION
    

    Replace the following:

    • ENDPOINT_NAME: the name of the target endpoint.
    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
  4. Create the service account for the endpoint in the target Distributed Cloud connected zone:

    gcloud alpha zone-management service-accounts create SERVICE_ACCOUNT \
      --project PROJECT_ID \
      --location REGION \
      --zone ZONE
    

    Replace the following:

    • SERVICE_ACCOUNT: a meaningful name that uniquely identifies this service account.
    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.
  5. Get the Identity and Access Management policy for the target Distributed Cloud connected zone:

    gcloud alpha zone-management zones get-iam-policy ZONE \
      --project PROJECT_ID \
      --location REGION
    

    Replace the following:

    • ZONE: the target Distributed Cloud connected zone.
    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
  6. Assign the AI Platform Developer role to the service account:

    gcloud alpha zone-management zones set-iam-policy POLICY_FILE \
      --project PROJECT_ID \
      --location REGION \
      --zone ZONE
    

    Replace the following:

    • POLICY_FILE: JSON or YAML file containing the role assignment policy.
    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.

    The following is an example policy in JSON format:

    {
      "bindings": [
        {
          "role": "roles/aiplatform.geminiDeveloper",
          "members": [
            {
              "serviceAccount": "projects/my-project/locations/my-region/serviceAccounts/my-service-account"
            }
          ]
        }
      ],
      "etag": ""
    }
    

    The following is an example policy in YAML format:

    bindings:
    - role: roles/aiplatform.geminiDeveloper
      members:
      - serviceAccount: projects/my-project/locations/my-region/serviceAccounts/my-service-account
    etag: ""
    
  7. Generate a key for the service account:

    gcloud alpha zone-management service-accounts keys create SA_KEY_FILE \
       --service-account SERVICE_ACCOUNT \
       --project PROJECT_ID \
       --location REGION \
       --ca-cert-path CA_CERTIFICATE_FILE
    

    Replace the following:

    • SA_KEY_FILE: file in which to store the generated service account key.
    • SERVICE_ACCOUNT: the name of the service account you created earlier.
    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • CA_CERTIFICATE_FILE: the CA certificate file you created earlier.
  8. Print the identity token for the service account:

    gcloud alpha zone-management auth print-identity-token \
      --cred-file=SA_KEY_FILE \
      --audience=ENDPOINT_URL
    

    Replace the following:

    • SA_KEY_FILE: the service account key file you created earlier.
    • ENDPOINT_URL: the endpoint's fully qualified URL, including the TLD suffix.

List deployed Gemini on GDC connected API endpoints

To list your deployed Gemini on GDC connected API endpoints, do the following:

gcloud ai endpoints list \
    --project=PROJECT_ID \
    --region=REGION \
    --gdc-zone=ZONE
   

Replace the following:

  • PROJECT_ID: the ID of the target Google Cloud project.
  • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
  • ZONE: the target Distributed Cloud connected zone.

Get information about a Gemini on GDC connected API endpoint

To get information about a deployed Gemini on GDC connected API endpoint, do the following:

gcloud ai endpoints describe ENDPOINT_NAME \
    --project=PROJECT_ID \
    --region=REGION
   

Replace the following:

  • ENDPOINT_NAME: the name of the target endpoint.
  • PROJECT_ID: the ID of the target Google Cloud project.
  • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.

Interact with a Gemini on Google Distributed Cloud connected API endpoint

Your Gemini on GDC connected API endpoint supports interaction through the ChatCompletions API and the ListAvailableModels API. Use these APIs to programmatically interact with your endpoint.

Here's an example of a request through the Chat Completions API:

API_ENDPOINT="https://${IG_FQDN}/v1/projects/${PROJECT}/locations/${LOCATION}/chat/completions"

FLOW_ID="gemini-2.0-flash-001"

REQUEST_BODY='{
  "model": "'${FLOW_ID}'",
  "messages": [
    {
      "role": "system",
      "content": "You are a helpful assistant."
    },
    {
      "role": "user",
      "content": "Hello!"
    }
  ]
}'

curl -X POST -vv -k \
  "${API_ENDPOINT}" \
  -d "${REQUEST_BODY}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H "x-goog-user-project: projects/${PROJECT}"
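
The request above can also be sent with the server certificate verified against the zone CA file saved during DNS setup instead of `-k`, and with the JSON body built through escaping so that message text cannot break out of its string. This is an added example, not part of the original page; the function names and `CA_CERT_FILE` are hypothetical, and it assumes the endpoint's certificate chains to that zone CA.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and
# CA_CERT_FILE are hypothetical; the other variables are the page's own.

# Escape text for a JSON string literal: drop control characters other
# than tab and newline, then escape backslash, quote, tab and newline.
json_escape() {
  printf '%s' "$1" | tr -d '\000-\010\013-\037' |
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$(printf '\t')/\\\\t/g" |
    awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Build the Chat Completions body. $1 = model ID, $2 = user message.
build_chat_body() {
  printf '{"model":"%s","messages":[{"role":"system","content":"You are a helpful assistant."},{"role":"user","content":"%s"}]}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Send the request. --cacert verifies the endpoint against the zone CA
# certificate saved earlier, so -k is not needed.
chat_completion() {
  build_chat_body "$1" "$2" |
    curl --fail --silent --show-error --cacert "${CA_CERT_FILE}" \
      -X POST "https://${IG_FQDN}/v1/projects/${PROJECT}/locations/${LOCATION}/chat/completions" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${BEARER_TOKEN}" \
      -H "x-goog-user-project: projects/${PROJECT}" \
      --data-binary @-
}

# Constructed input: the quotes and newline stay inside the JSON string.
build_chat_body "gemini-2.0-flash-001" 'Say "hello"
on two lines'
echo
```
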

The following is an example of a multimodal Chat Completions API request with a document as input:

BASE64_IMAGE=$(base64 -w 0 sample-image.jpg)

REQUEST_BODY='{
    "model": "gemini-1.5-flash-002",
    "messages": [
        {
            "role": "user",
            "content": [
                {
                    "type": "text",
                    "text": "What is this image?"
                },
                {
                    "type": "image_url",
                    "image_url": {
                        "url": "data:image/jpeg;base64,'"${BASE64_IMAGE}"'"
                    }
                }
            ]
        }
    ]
}'

And this is an example of a ListAvailableModels API request:

# The request body -d parameter is intentionally omitted.
grpcurl -insecure \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H "x-goog-user-project: projects/${PROJECT}" \
  "${IG_FQDN}:443" \
  cloud.gdc.ai.inference.inferencegateway.GeminiMetadataService.ListAvailableModels

For more information on the workloads suitable for Gemini on Google Distributed Cloud connected API, see Gemini overview.

Delete a Gemini on Google Distributed Cloud connected API endpoint

To delete a Gemini on GDC connected API endpoint, do the following:

  1. Undeploy the model:

    gcloud ai endpoints undeploy-model ENDPOINT_NAME \
      --region=REGION \
      --gdc-zone=ZONE \
      --model=MODEL_PUBLIC_ID
    

    Replace the following:

    • ENDPOINT_NAME: the name of the target endpoint.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
    • ZONE: the target Distributed Cloud connected zone.
    • MODEL_PUBLIC_ID: the model's public-facing ID. For a list of supported models, see Supported models.
  2. Delete the endpoint:

    gcloud ai endpoints delete ENDPOINT_NAME \
       --project=PROJECT_ID \
       --region=REGION
    

    Replace the following:

    • ENDPOINT_NAME: the name of the target endpoint.
    • PROJECT_ID: the ID of the target Google Cloud project.
    • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.

Troubleshoot endpoints

If your Gemini on GDC connected API endpoint goes down, contact your Google representative to troubleshoot it.