This guide shows how to set up a Private Service Connect interface for Vertex AI resources.
You can configure Private Service Connect interface connections for certain resources in Vertex AI, including:
Unlike VPC peering connections, Private Service Connect interface connections can be transitive, requiring fewer IP addresses in the consumer VPC network. This allows greater flexibility in connecting to other VPC networks in your Google Cloud project and on-premises.
This guide is recommended for network administrators who are familiar with Google Cloud networking concepts.
Objectives
This guide covers the following tasks:
- Configure a producer VPC network, subnet, and network attachment.
- Add firewall rules to your Google Cloud network host project.
- Create a Vertex AI resource specifying the network attachment to use PSC-I.
Before you begin
Use the following instructions to create or select a Google Cloud project and configure it for use with Vertex AI and Private Service Connect.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Vertex AI, Compute Engine, and Cloud Storage APIs.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Update and install gcloud components:
  gcloud components update
  gcloud components install beta
- If you're not the project owner, and you don't have the Project IAM Admin (roles/resourcemanager.projectIamAdmin) role, ask the owner to grant you the Compute Network Admin (roles/compute.networkAdmin) role, which includes the required roles you need to manage networking resources.
- Assign the Compute Network Admin role of the network host Google Cloud project to the AI Platform Service Agent account of the project where you are using Vertex AI Training services.
Set up a VPC network and subnet
In this section, you can use an existing VPC network or follow the configuration steps to create a new VPC network if you don't have an existing network.
- Create the VPC network:
  gcloud compute networks create NETWORK \
      --subnet-mode=custom
  Replace NETWORK with a name for the VPC network.
- Create the subnet:
  gcloud compute networks subnets create SUBNET_NAME \
      --network=NETWORK \
      --range=PRIMARY_RANGE \
      --region=REGION
  Replace the following:
  - SUBNET_NAME: a name for the subnet.
  - PRIMARY_RANGE: the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges. Vertex AI requires a /28 subnetwork. Vertex AI can only reach the RFC 1918 ranges specified in the required PRIMARY_RANGE. See Valid IPv4 ranges for the list of valid RFC 1918 ranges. Vertex AI can't reach the following non-RFC 1918 ranges:
    - 100.64.0.0/10
    - 192.0.0.0/24
    - 192.0.2.0/24
    - 198.18.0.0/15
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 240.0.0.0/4
  - REGION: the Google Cloud region in which the new subnet is created.
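The subnet constraints above (a /28, inside RFC 1918 space, and not overlapping the ranges Vertex AI can't reach) are easy to get wrong and only surface later as a job that can't reach its targets. The following is an added example, not Google's tooling or code from this guide, that checks a candidate PRIMARY_RANGE against exactly those stated constraints before you run the subnet command; the sample CIDRs in it are constructed.

```python
# Added example for this guide (not Google's tooling): check a candidate
# PRIMARY_RANGE against the constraints the guide states before running
# `gcloud compute networks subnets create`.
import ipaddress
from typing import Tuple

# RFC 1918 private ranges; the subnet must sit entirely inside one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Non-RFC 1918 ranges the guide lists as unreachable by Vertex AI.
UNREACHABLE = [ipaddress.ip_network(n) for n in (
    "100.64.0.0/10", "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
)]

# Prefix length the guide requires for the Vertex AI PSC interface subnet.
REQUIRED_PREFIXLEN = 28


def validate_primary_range(cidr: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate PRIMARY_RANGE in CIDR notation."""
    try:
        # strict=True rejects ranges with host bits set (e.g. 10.0.0.1/28),
        # which gcloud would also refuse.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as err:
        return False, f"not a valid CIDR range: {err}"
    if net.version != 4:
        return False, "PRIMARY_RANGE must be an IPv4 range"
    if net.prefixlen != REQUIRED_PREFIXLEN:
        return False, f"prefix length is /{net.prefixlen}; Vertex AI requires a /{REQUIRED_PREFIXLEN}"
    for bad in UNREACHABLE:
        if net.overlaps(bad):
            return False, f"overlaps {bad}, which Vertex AI can't reach"
    if not any(net.subnet_of(private) for private in RFC1918):
        return False, "not inside an RFC 1918 range (10/8, 172.16/12, 192.168/16)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one valid range and several that each break one rule.
    for candidate in ("10.10.0.0/28", "10.10.0.0/24", "100.64.0.0/28", "8.8.8.0/28", "10.0.0.1/28"):
        ok, reason = validate_primary_range(candidate)
        print(f"{candidate:>16}  {'OK ' if ok else 'BAD'}  {reason}")
```

The overlap check runs before the RFC 1918 check so that a range such as 100.64.0.0/28 is reported for the reason the guide gives (unreachable) rather than the more generic one.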
Create a network attachment and add firewall rules to your project
Create a network attachment that manually accepts connections:
gcloud compute network-attachments create NETWORK_ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_MANUAL \
    --subnets=SUBNET_NAME
Replace NETWORK_ATTACHMENT_NAME with a name for the network attachment.
Configure firewall rules
Ingress firewall rules are applied in the consumer VPC to enable communication with the Private Service Connect interface network attachment subnet from compute and on-premises endpoints.
Update your firewall rules based on protocol and port requirements.
Create a firewall rule that allows TCP traffic through port 22:
gcloud compute firewall-rules create NETWORK-firewall1 \
    --network NETWORK \
    --allow tcp:22
Create a firewall rule that allows TCP traffic through port 3389:
gcloud compute firewall-rules create NETWORK-firewall2 \
    --network NETWORK \
    --allow tcp:3389
Create a firewall rule that allows TCP traffic through port 443:
gcloud compute firewall-rules create NETWORK-firewall3 \
    --network NETWORK \
    --allow tcp:443
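The three rules above are created without --source-ranges, so gcloud applies its default ingress source of 0.0.0.0/0, and two of them open remote-administration ports. The guide leaves it to you to update the rules for your protocol and port requirements; the following added example, which is not Google's tooling or code from this guide, is one way to review that after the fact. It reads the JSON that `gcloud compute firewall-rules list --format=json` prints and flags every ingress rule whose source range falls outside the networks you name as trusted (for example the network attachment subnet and your on-premises ranges). The embedded rule list is constructed to mirror the three rules this section creates, with the network URL abbreviated.

```python
# Added example for this guide (not Google's tooling): flag ingress firewall
# rules in the PSC interface's VPC that accept traffic from sources outside the
# ranges that actually need to reach the network attachment subnet.
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of `gcloud compute firewall-rules list
# --format=json` output, mirroring the guide's three rules (no --source-ranges
# was given, so the default 0.0.0.0/0 applies).
SAMPLE_RULES_JSON = json.dumps([
    {"name": "NETWORK-firewall1", "network": ".../networks/NETWORK", "direction": "INGRESS",
     "disabled": False, "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "NETWORK-firewall2", "network": ".../networks/NETWORK", "direction": "INGRESS",
     "disabled": False, "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "NETWORK-firewall3", "network": ".../networks/NETWORK", "direction": "INGRESS",
     "disabled": False, "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
])

# Remote-administration ports from the guide's rules: exposing these to an
# untrusted source is rated high, any other port medium.
ADMIN_PORTS = (22, 3389)


def port_in_spec(port: int, spec: str) -> bool:
    """`spec` is a single port ("22") or a range ("1024-65535"), as in allowed[].ports."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def audit_firewall_rules(rules_json: str, trusted_ranges: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (rule, source range, allowed entry) that admits a
    source not wholly contained in `trusted_ranges`."""
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    findings: List[Dict[str, str]] = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        for src in rule.get("sourceRanges", []):
            src_net = ipaddress.ip_network(src)
            if any(src_net.version == t.version and src_net.subnet_of(t) for t in trusted):
                continue  # source is inside a trusted range
            for allowed in rule.get("allowed", []):
                proto = allowed["IPProtocol"]
                ports = allowed.get("ports")  # absent means every port of that protocol
                if proto in ("tcp", "udp") and ports:
                    exposes_admin = any(port_in_spec(p, s) for p in ADMIN_PORTS for s in ports)
                    severity = "high" if exposes_admin else "medium"
                    what = f"{proto}:{','.join(ports)}"
                else:
                    severity = "high"  # whole protocol open, or a non-port protocol such as icmp
                    what = f"{proto}:all" if proto in ("tcp", "udp") else proto
                findings.append({"rule": rule["name"], "source": src,
                                 "allowed": what, "severity": severity})
    return findings


if __name__ == "__main__":
    # Trusted sources here are a constructed PSC subnet and a constructed on-prem range.
    for f in audit_firewall_rules(SAMPLE_RULES_JSON, ["10.10.0.0/28", "192.168.100.0/24"]):
        print(f"{f['severity']:<6} {f['rule']:<20} {f['allowed']:<10} from {f['source']}")
```

Running it against the constructed sample reports all three rules; recreating them with --source-ranges set to the trusted CIDRs makes the audit come back empty, which is the state to aim for before attaching Vertex AI resources to the network.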
Troubleshooting
This section lists some common issues when configuring the Private Service Connect interface with Vertex AI.
- In the project where you create the network attachment, ensure that the compute.networkAdmin role is granted to the AI Platform Service Agent of the same project. You need to enable the Vertex AI API in this project in advance if it's different from the service project where you use Vertex AI.
- When you configure Vertex AI to use a Shared VPC network, specify the network attachment in the Vertex AI resource. For example, in a CustomJob creation request, use the following format:
  "projects/YOUR_SHARED_VPC_HOST_PROJECT_NUMBER/regions/REGION/networkAttachments/NETWORK_ATTACHMENT_NAME"
- If you specify a Shared VPC network for Vertex AI to use, then make sure that the AI Platform Service Agent in the service project has a compute.networkUser role granted in your VPC host project.
- Network attachments can't be deleted unless the producer (Vertex AI) deletes the allocated resources. To initiate the delete process, you must contact Vertex AI support.
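A common cause of the Shared VPC problems listed above is a network attachment path that uses the host project ID where the format requires the project NUMBER, or that names an attachment in a different region from the job. The following added example, not Google's tooling or code from this guide, parses the path format shown in the troubleshooting list and rejects those mistakes. The resource-name pattern it applies is Compute Engine's usual lowercase-letters, digits and hyphens rule; the optional region comparison assumes the attachment must be in the same region as the Vertex AI resource, which this guide implies by using a single REGION throughout. The sample paths are constructed.

```python
# Added example for this guide (not Google's tooling): parse and sanity-check
# the network attachment resource name placed in a Vertex AI resource such as
# a CustomJob.
import re
from typing import Dict, Optional

_PATH_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/regions/(?P<region>[^/]+)"
    r"/networkAttachments/(?P<name>[^/]+)$"
)
# Compute Engine resource names: 1-63 chars, a lowercase letter first, then
# lowercase letters, digits or hyphens, not ending in a hyphen.
_RESOURCE_NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")


def parse_network_attachment_path(path: str, expected_region: Optional[str] = None) -> Dict[str, str]:
    """Return {'project', 'region', 'name'} for a valid path, or raise ValueError
    with the reason it was rejected."""
    match = _PATH_RE.match(path)
    if not match:
        raise ValueError(
            "expected projects/HOST_PROJECT_NUMBER/regions/REGION/networkAttachments/NAME")
    parts = match.groupdict()
    # The guide's placeholder is the host project NUMBER; a project ID such as
    # "my-host-project" is the usual mistake.
    if not parts["project"].isdigit():
        raise ValueError("project component must be the Shared VPC host project number, "
                         f"not the project ID {parts['project']!r}")
    if not _RESOURCE_NAME_RE.match(parts["name"]):
        raise ValueError(f"{parts['name']!r} is not a valid network attachment name")
    # Assumption (see lead-in): the attachment must live in the job's region.
    if expected_region is not None and parts["region"] != expected_region:
        raise ValueError(f"attachment is in {parts['region']}, but the resource region is {expected_region}")
    return parts


def is_valid_network_attachment_path(path: str, expected_region: Optional[str] = None) -> bool:
    """Boolean wrapper for scripts that only need a pass/fail answer."""
    try:
        parse_network_attachment_path(path, expected_region)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: a good path, a project-ID mistake, and a region mismatch.
    for candidate, region in (
        ("projects/123456789012/regions/us-central1/networkAttachments/psc-attach", "us-central1"),
        ("projects/my-host-project/regions/us-central1/networkAttachments/psc-attach", "us-central1"),
        ("projects/123456789012/regions/europe-west4/networkAttachments/psc-attach", "us-central1"),
    ):
        try:
            print("OK ", parse_network_attachment_path(candidate, region))
        except ValueError as err:
            print("BAD", candidate, "->", err)
```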
What's next
- Learn how to use Private Service Connect interface egress for Ray on Vertex AI.
- Learn how to use Private Service Connect interface egress for custom training.
- Learn how to use Private Service Connect interface egress for Vertex AI Pipelines.