Vertex AI supports enterprise networking options for accessing Vertex AI endpoints and services that help you:
- Safely access your Vertex AI resources from an on-premises or multicloud environment.
- Protect your Vertex AI artifacts from exfiltration.
- Configure network traffic for your Vertex AI resources.
This page is intended for enterprise networking architects and administrators who are already familiar with Google Cloud networking concepts.
Public access for Vertex AI
Vertex AI services that are accessible from the internet
have a checkmark
in the Public internet
column of the
Accessing Vertex AI from on-premises and multicloud
table. The APIs for these services resolve to the fully
qualified domain name
REGION-aiplatform.googleapis.com
, which returns publicly
routable IP addresses.
Private access options for Vertex AI
Vertex AI supports the following options for accessing Vertex AI endpoints and services privately, without assigning external IP addresses to your Google Cloud resources:
- Private Service Connect endpoints for Google APIs let your Google Cloud resources or on-premises systems connect to an endpoint in your VPC network, which forwards requests to Google APIs and services.
- Private Google Access:
- Lets your Google Cloud resources connect to the standard external IP addresses or Private Google Access domains and virtual IP (VIP) addresses for Google APIs and services through the VPC network's default internet gateway.
- Lets your on-premises hosts connect to Google APIs and services through a Cloud VPN tunnel or VLAN attachment by using one of the Private Google Access-specific domains and VIPs.
- Private services access:
- Lets your Google Cloud VM instances connect to Google-managed Infrastructure-as-a-Service (IaaS) in the service producer's VPC network through an endpoint.
- Lets your on-premises hosts connect to the service producer through hybrid networking, for example, by using a Cloud VPN tunnel or VLAN attachment once the private service access subnet is advertised from the Cloud Router.
- Lets your Google Cloud VM instances connect to a Google or third-party managed VPC network through a VPC Network Peering connection.
- Private Service Connect lets your Google Cloud consumer projects and VPC networks connect to services in other VPC networks through a forwarding rule that deploys an endpoint.
Accessing Vertex AI from on-premises and multicloud
The following table shows the supported access methods for connecting from on-premises and multicloud environments to Vertex AI services. In this table, a checkmark indicates that an access method is supported. For more information about using an access method with a specific Vertex AI service, click the Learn more link.
Vertex AI product | Public internet | Private Service Connect for Google APIs | Private Google Access | Private services access | Private Service Connect |
---|---|---|---|---|---|
Batch predictions | |||||
Datasets | |||||
Vertex AI Feature Store (Bigtable online serving) | |||||
Vertex AI Feature Store (optimized online serving) | Learn more |
||||
Generative AI on Vertex AI (Gemini) | |||||
Model Registry | |||||
Online prediction | Learn more | ||||
Vector Search (index creation) | |||||
Vector Search (index query) | Learn more |
||||
Custom training (control plane) | |||||
Custom training (data plane) | Learn more |
||||
Vertex AI Pipelines | |||||
Private online prediction endpoints | Learn more |
Securing your Vertex AI resources
To reduce the risk of data exfiltration for your Vertex AI resources, you can place them within a service perimeter using VPC Service Controls.
- To understand VPC Service Controls, see Overview of VPC Service Controls.
- For detailed guidance, see VPC Service Controls with Vertex AI.
- To understand costs, review pricing.
What's next
- Learn how to Set up VPC Network Peering for Vertex AI.
- Learn how to Set up connectivity from Vertex AI to Other Networks.
- For general guidance and best practices for configuring your VPC networks, see Connecting multiple VPC networks.
- Learn more about using Google Cloud Network Connectivity products such as Cloud VPN, Cloud Interconnect, and Cloud Router to connect your non-Google Cloud (on-premises or multicloud) network to a Google Cloud Virtual Private Cloud (VPC) host network.