Create and manage endpoints

This page describes how to create and manage Gemini on Google Distributed Cloud connected API endpoints.

It assumes that you have successfully deployed the Google-certified hardware as described in Installation requirements.

Prerequisites

This section describes the one-time steps you must complete before you can deploy Gemini on GDC connected API endpoints.

Grant the required roles

You must configure the following required roles:

• For accounts used to manage your Gemini on GDC connected API deployment, grant the roles listed in Distributed Cloud Edge Container API roles and permissions.

• For accounts used to interact with Gemini on GDC connected API endpoints, grant the roles listed in Vertex AI API roles and permissions.

Get information about the target Distributed Cloud connected zone

To get the name of your target Distributed Cloud connected zone, do the following:

1. Get the name of the target Google Cloud organization ID:

   gcloud organizations list
   

2. List the Distributed Cloud connected zones in your Google Cloud organization:

   gcloud alpha zone-management zones list \
      --organization ORGANIZATION_ID \
      --location REGION
   

   Replace the following:

   • ORGANIZATION_ID: the ID of the target Google Cloud organization.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created. During Public Preview, the only supported region is us-west2.

3. Get detailed information about the target zone:

   gcloud alpha zone-management zones describe ZONE \
      --organization ORGANIZATION_ID \
      --location REGION
   

   Replace the following:

   • ZONE: the target Distributed Cloud connected zone.
   • ORGANIZATION_ID: the ID of the target Google Cloud organization.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created. During Public Preview, the only supported region is us-west2.

Get information about the certified machines in your Distributed Cloud connected zone

To get the names of the target certified machines in your Distributed Cloud connected zone, do the following:

1. List the Distributed Cloud connected machines in the target Distributed Cloud connected zone as described in List machines in a zone.

2. Get detailed information about the target machine as described in Get information about a machine.

Enable the local AI Platform API and Vertex AI API services

1. Enable the target Google Cloud project in your target Distributed Cloud connected zone:

   gcloud alpha zone-management projects enable PROJECT_ID \
      --organization ORGANIZATION_ID \
      --location REGION \
      --zone ZONE
   

   Replace the following:

   • PROJECT_ID: the ID of the target Google Cloud project.
   • ORGANIZATION_ID: the ID of the target Google Cloud organization.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • ZONE: the target Distributed Cloud connected zone.

2. Enable the AI Platform service on the target Google Cloud project:

   gcloud services enable aiplatform.googleapis.com --project PROJECT_ID
   

   Replace PROJECT_ID with the ID of the target Google Cloud project.

3. Enable the Vertex AI API service on the Distributed Cloud connected zone:

   gcloud alpha zone-management services enable vertex --project PROJECT_ID \
      --location REGION \
      --zone ZONE
   

   Replace the following:

   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • ZONE: the target Distributed Cloud connected zone.

Configure the endpoint for DNS resolution

1. Get the managed DNS address, the top-level domain (TLD), and the Certificate Authority (CA) certificate for target Distributed Cloud connected zone:

   gcloud alpha zone-management zones describe ZONE \
     --organization ORGANIZATION_ID \
     --location REGION
   

   Replace the following:

   • ORGANIZATION_ID: the ID of the target Google Cloud organization.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • ZONE: the target Distributed Cloud connected zone.

   The following example illustrates the output of this command:

   -----BEGIN CERTIFICATE-----
   MIIDATCCAemgAwIBAgIRAOsIG15loHwPBpjQe9FZYUAwDQYJKoZIhvcNAQELBQAw
   GjEYMBYGA1UEAxMPZ2RjZS1jbHVzdGVyLWNhMB4XDTI1MDcyOTEyMTAwNloXDTQ5
   MDcyMzEyMTAwNlowGjEYMBYGA1UEAxMPZ2RjZS1jbHVzdGVyLWNhMIIBIjANBgkq
   hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3YdoASubyzHdgZ0vIU5g1dxdFRT1T4wc
   o9FaRXftSTDfiNVNKj/vC+De9EZokpyLZkdZNep6p0TLJAsPZYq+yiTCiaJ6Ihwy
   3LBn8j2PessSIte2LUhkft1yCQqfkgpYfKcjM3IauIXETS961m0uJb4sntgLJ4nM
   Scb5vpW1f70D1V27bqnEsE7+rbxzeFTosHC+DGBcLqIE0ptdionm/4xoltH7yv2O
   qKfcc/46TyPwGRzxifEdNzjKZ1kRdTThESfW+L7TQNv6VF5TC4FPksYX/ID/X7Fz
   G9BRey0mikvc4J7qQIeyMRlpIKqRh/1FCdRDC9vVEQipT2Ls0MwwTwIDAQABo0Iw
   QDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUmES2
   pyMLOnnsKug8amFmenOaTr8wDQYJKoZIhvcNAQELBQADggEBADn71zo7cNFZ0kQE
   C2lS6b0DLz4Nd1yCz5fGDvxzcTRdOT60wyq/TAx1YlYse33cGk/cQ7RkVsM56UX1
   T8RMvi09UcEQG3wFrYuU62ZjXF1a3RrOnHxyvVdyvbUYAO5gvzBQrj4tMZYX9kL3
   6H/9FwXuHVyqWAm0xpWvZfszwJjY4C1VxoDwmRiZPYzTrWI6/rY0QmORgcZXLnPL
   OVufbAX30aRGdTRnVXxE0fKmXwzbtbSHilU5hJT7EQWMvV5hJfyNqdXG0gbrhrsk
   sB0yRjk5PHQd9pOMcXcYIgfNnUEcQl4qeSll3g5cZ+cRrcTO1USFLRo8dcbQpJ6Y
   6ykzvKs=
   -----END CERTIFICATE-----
   createTime: '2025-08-25T20:46:50.269384028Z'
   dnsServers:
   - ipAddress: 10.200.1.10
   tld: my-tld.google.private.goog
   name: organizations/my-organization/locations/my-region/zones/my-zone
   state: STATE_RUNNING
   

   Store the certificate into a file named CA_CERTIFICATE_FILE. You will use this file later to generate the service account key.

2. Create the DNS configuration for the endpoint as follows:

   mkdir /etc/systemd/resolved.conf.d
   echo '[Resolve]
   DNS=DNS_SERVER_ADDRESS
   Domains=~TOP_LEVEL_DOMAIN' > /etc/systemd/resolved.conf.d/dns.conf
   sudo systemctl restart systemd-resolved
   

   Replace the following:

   • DNS_SERVER_ADDRESS: the IP address of your DNS server.
   • TOP_LEVEL_DOMAIN: the top-level domain for the endpoint.

Deploy a Gemini on GDC connected API endpoint

To deploy a Gemini on GDC connected API endpoint, do the following:

1. Create the endpoint:

   gcloud beta ai endpoints create \
      --project=PROJECT_ID \
      --region=REGION \
      --gdc-zone=ZONE \
      --display-name=ENDPOINT_NAME \
      --endpoint-id=ENDPOINT_ID
   

   Replace the following:

   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • ZONE: the target Distributed Cloud connected zone.
   • ENDPOINT_NAME: a meaningful name for this endpoint.
   • ENDPOINT_ID: (optional) a unique identifier for this endpoint. If omitted, a random identifier is generated.

2. Deploy the model:

   gcloud beta ai endpoints deploy-model ENDPOINT_ID \
     --display-name=ENDPOINT_NAME \
     --model=MODEL_PUBLIC_ID \
     --region=REGION
   

   Replace the following:

   • ENDPOINT_ID: the ID of the target endpoint.
   • ENDPOINT_NAME: the name of the target endpoint.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • MODEL_PUBLIC_ID: the model's public-facing ID. For a list of supported models, see Supported models.

3. List the deployed endpoints:

   gcloud beta ai endpoints list \
     --project=PROJECT_ID \
     --region=REGION
   

   Replace the following:

   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.

   Note the ID of the target endpoint.

4. Get the endpoint address:

   gcloud beta ai endpoints describe ENDPOINT_ID \
     --project=PROJECT_ID \
     --region=REGION
   

   Replace the following:

   • ENDPOINT_ID: the ID of the target endpoint.
   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.

5. Create the service account for the endpoint in the target Distributed Cloud connected zone:

   gcloud alpha zone-management service-accounts create SERVICE_ACCOUNT \
     --project PROJECT_ID \
     --location REGION \
     --zone ZONE
   

   Replace the following:

   • SERVICE_ACCOUNT: a meaningful name that uniquely identifies this service account.
   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • ZONE: the target Distributed Cloud connected zone.

6. Get the Identity and Access Management policy for the target Distributed Cloud connected zone:

   gcloud alpha zone-management zones get-iam-policy ZONE \
     --project PROJECT_ID \
     --location REGION
   

   Replace the following:

   • ZONE: the target Distributed Cloud connected zone.
   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.

7. Assign the AI Platform Developer role to the service account:

   gcloud alpha zone-management zones set-iam-policy POLICY_FILE \
     --project PROJECT_ID \
     --location REGION \
     --zone ZONE
   

   Replace the following:

   • POLICY_FILE: JSON or YAML file containing the role assignment policy.
   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • ZONE: the target Distributed Cloud connected zone.

   The following is an example policy in JSON format:

   "bindings": [
      {
         "role": "roles/aiplatform.geminiDeveloper",
         "members": [
         "serviceAccount": "projects/PROJECT_ID/locations/REGION/serviceAccounts/SERVICE_ACCOUNT"
         ]
      }
   ]
   "etag": ""
   

   The following is an example policy in YAML format:

   bindings:
   - role: roles/aiplatform.geminiDeveloper
   members:
   - serviceAccount: projects/PROJECT_ID/locations/REGION/serviceAccounts/SERVICE_ACCOUNT
   etag: ""
   

   Replace the following:

   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • SERVICE_ACCOUNT: a meaningful name that uniquely identifies this service account.

8. Generate a key for the service account:

   gcloud alpha zone-management service-accounts keys create SA_KEY_FILE \
     --service-account SERVICE_ACCOUNT \
     --project PROJECT_ID \
     --location REGION \
     --ca-cert-path CA_CERTIFICATE_FILE
   

   Replace the following:

   • SA_KEY_FILE: file in which to store the generated service account key.
   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • CA_CERTIFICATE_FILE: the CA certificate file you created earlier.

9. Get the endpoint's fully qualified URL:

   gcloud beta ai endpoints describe ENDPOINT_ID \
     --project=PROJECT_ID \
     --region=REGION
   

10. Print the identity token for the service account:

    gcloud alpha zone-management auth print-identity-token \
      --cred-file=SA_KEY_FILE \
      --audience=ENDPOINT_URL
    

    Replace the following:

    • SA_KEY_FILE: the service account key file you created earlier.
    • ENDPOINT_URL: the endpoint's fully qualified URL, including the TLD suffix.

List deployed Gemini on GDC connected API endpoints

To list your deployed Gemini on GDC connected API endpoints, do the following:

gcloud beta ai endpoints list \
    --project=PROJECT_ID \
    --region=REGION \
    --gdc-zone=ZONE

Replace the following:

• PROJECT_ID: the ID of the target Google Cloud project.
• REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
• ZONE: the target Distributed Cloud connected zone.

Get information about a Gemini on GDC connected API endpoint

To get information about a deployed Gemini on GDC connected API endpoint, do the following:

gcloud beta ai endpoints describe ENDPOINT_ID \
    --project=PROJECT_ID \
    --region=REGION
   

Replace the following:

• ENDPOINT_ID: the ID of the target endpoint.
• PROJECT_ID: the ID of the target Google Cloud project.
• REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.

Interact with a Gemini on Google Distributed Cloud connected API endpoint

Your Gemini on GDC connected API endpoint supports interaction through the ChatCompletions API and the ListAvailableModels API. Use these APIs to programmatically interact with your endpoint.

Here's an example of a request through the ChatCompletions API. The bearer token generated in this request is valid for 12 hours.

1. Set the following variables in your shell environment:

   MODEL_NAME="gemini-2.0-flash-001"
   USER_CONTENT="Who invented the light bulb?"
   PROJECT="PROJECT_ID"
   LOCATION="REGION"
   IG_FQDN="inference-gateway.vai.$ZONE.google.private.goog"
   CRED_FILE="SA_KEY_FILE"
   API_ENDPOINT="https://${IG_FQDN}/v1/projects/${PROJECT}/locations/${LOCATION}/chat/completions"
   

   Replace the following:

   • PROJECT_ID: the ID of the target Google Cloud project.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • SA_KEY_FILE: the service account key file you created earlier.

2. Print the bearer token:

   BEARER_TOKEN=$(gcloud alpha zone-management auth print-identity-token --cred-file="${CRED_FILE}" --audience="https://${IG_FQDN}")
   echo $BEARER_TOKEN
   

3. Build the payload:

   REQUEST_BODY=$(cat <<EOF
   {
   "model": "${MODEL_NAME}",
   "messages": [
      {
         "role": "system",
         "content": "Pizza for everyone!"
      },
      {
         "role": "user",
         "content": "${USER_CONTENT}"
      }
   ],
   "stream": false
   }
   EOF
   )
   

4. Send the request to the endpoint:

   curl -X POST \
   "${API_ENDPOINT}" \
   -d "${REQUEST_BODY}" \
   -H "Content-Type: application/json" \
   -H "Authorization: Bearer ${BEARER_TOKEN}" \
   -H "x-goog-user-project: projects/${PROJECT}"
   

Example multimodal ChatCompletions API request

The following is an example of a multimodal ChatCompletions API request payload with a document as input:

1. Build the payload:

   BASE64_IMAGE=$(base64 -w 0 JPEG_FILE)
   REQUEST_BODY=$(cat <<EOF
   {
   "model": "${MODEL_NAME}",
   "messages": [
      {
         "role": "user",
         "content": [
               {
                  "type": "text",
                  "text": "What is this image?"
               },
               {
                  "type": "image_url",
                  "image_url": {
                     "url": "data:image/jpeg;base64,${BASE64_IMAGE}"
                  }
               }
         ]
      }
   ]
   }
   EOF
   
   )
   

2. Send the request to the endpoint:

   curl -X POST \
   "${API_ENDPOINT}" \
   -d "${REQUEST_BODY}" \
   -H "Content-Type: application/json" \
   -H "Authorization: Bearer ${BEARER_TOKEN}" \
   -H "x-goog-user-project: projects/${PROJECT}"
   

Example ListAllAvailableModels API request

The following is an example of a ListAllAvailableModels API request:

BEARER_TOKEN=$(gcloud alpha zone-management auth print-identity-token --cred-file="${CRED_FILE}" --audience="https://${IG_FQDN}")
# The request body -d parameter is intentionally omitted.
grpcurl -insecure \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H "x-goog-user-project: projects/${PROJECT}" \
  "${IG_FQDN}" \
  cloud.gdc.ai.inference.inferencegateway.GeminiMetadataService.ListAvailableModels

Delete a Gemini on Google Distributed Cloud connected API endpoint

To delete a Gemini on GDC connected API endpoint, do the following:

1. Undeploy the model:

   gcloud beta ai endpoints undeploy-model ENDPOINT_ID \
     --region=REGION \
     --gdc-zone=ZONE \
     --model=MODEL_PUBLIC_ID
   

   Replace the following:

   • ENDPOINT_ID: the ID of the target endpoint.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.
   • ZONE: the target Distributed Cloud connected zone.
   • MODEL_PUBLIC_ID: the model's public-facing ID. For a list of supported models, see Supported models.

2. Delete the endpoint:

   gcloud beta ai endpoints delete ENDPOINT_ID \
      --project=PROJECT_ID \
      --region=REGION
   

   Replace the following:

   • ENDPOINT_ID: the ID of the target endpoint.
   • PROJECT_ID: the name of the target endpoint.
   • REGION: the Google Cloud region in which the target Distributed Cloud connected zone has been created.

Troubleshoot endpoints

If your a Gemini on GDC connected API endpoint goes down, contact your Google representative to troubleshoot it.