VPC Service Controls with Vertex AI

VPC Service Controls can help you mitigate the risk of data exfiltration from Vertex AI. Use VPC Service Controls to create a service perimeter that protects the resources and data that you specify. For example, when you use VPC Service Controls to protect Vertex AI, the following artifacts can't leave your service perimeter:

  • Training data for an AutoML model or custom model
  • Models that you created
  • Models that you searched by using Neural Architecture Search
  • Requests for online predictions
  • Results from a batch prediction request

Service perimeter creation

When you create a service perimeter, include Vertex AI (aiplatform.googleapis.com) and Vertex AI Workbench (notebooks.googleapis.com) as protected services. You aren't required to include any additional services for Vertex AI to function. However, Vertex AI won't be able to reach resources outside the perimeter, such as files in a Cloud Storage bucket that is outside the perimeter.

For more information about creating a service perimeter, see Creating a service perimeter in the VPC Service Controls documentation.

Enable VPC Service Controls for peerings to configure the servicenetworking VPC network without a default route. The name is a bit misleading, because it's not explicitly a VPC-SC configuration; rather, it's commonly used when using VPC-SC. Without the default route, from the perspective of the servicenetworking VPC network.

  • Packets to 199.36.153.4/30 (restricted.googleapis.com) are sent to the default internet gateway of the servicenetworking VPC network. This is because the command creates a custom route for this destination.
  • DNS entries for the following domains are added to the servicenetworking VPC network to facility Private Google Access

    • backupdr.cloud.google.com
    • backupdr.googleusercontent.com
    • gcr.io
    • googleapis.com
    • kernels.googleusercontent.com
    • notebooks.cloud.google.com
    • pkg.dev
  • The default route (or broader routes) in the customer's VPC network can be used to route traffic from the servicenetworking VPC network into the customer's VPC network or into an on-premises network connected to the customer's VPC network. For this to work, the following conditions must be met.

    • The routes in the customer's VPC network must use next hops different than the default internet gateway next hop. (Routes using the default internet gateway next hop are never exchanged in a VPC network peering relationship.)
    • The customer's VPC network must be configured to export custom routes in the peering to the servicenetworking VPC network. (The servicenetworking network is already configured to import custom routes in the peering relationship.)

You can query the state of VPC Service Controls for Peerings by running the following command.

gcloud services vpc-peerings get-vpc-service-controls \
  --network YOUR_NETWORK

This will return enabled: true if the configuration is enabled and empty list ({}) if it is disabled.

For further discussion on this, see set up connectivity from Vertex AI to other networks.

VPC Service Controls support for Generative AI tuning pipelines

VPC Service Controls support is provided in the tuning pipeline of the following models:

  • text-bison for PaLM 2
  • BERT
  • T5
  • The textembedding-gecko family of models.

Limitations

The following limitations apply when you use VPC Service Controls:

  • For data labeling, you must add labelers' IP addresses to an access level.
  • For Google Cloud Pipeline Components, the components launch containers that check their base image for all requirements. If requirements are missing, download them from the Python Package Index (PyPI). The KFP package, as well as any packages listed in the packages_to_install argument are the requirements for a container. If a requirement is specified that is not present in the base image (either provided or custom), the component will fail if it isn't able to download the requirement.
  • When using VPC Service Controls with custom kernels in Vertex AI Workbench, you must instead configure DNS peering to send requests for *.notebooks.googleusercontent.com to the subnet 199.36.153.8/30 (private.googleapis.com) instead of 199.36.153.4/30 (restricted.googleapis.com).

What's next