Use Private Service Connect interface for Vertex AI Training

Private Service Connect interface is recommended for private connectivity since it reduces the chance of IP exhaustion and allows for transitive peering.

Private Service Connect interface is supported on Vertex AI custom jobs and persistent resources.

Overview

Private Service Connect interface is supported on Vertex AI Training custom jobs and persistent resources. To use Private Service Connect interface, you need to set up a VPC network, subnetwork, and network attachment in your user project. See Set up a Private Service Connect interface. To enable Private Service Connect interface, the network attachment name must be included in the request that creates the custom job or persistent resource.

Vertex AI Private Service Connect egress connectivity to other networks

Vertex AI has integrated the egress network connectivity options that are supported by Private Service Connect (see Connecting to workloads in other networks), with the following exceptions:

  • Egress to a customer's Private Google Access isn't supported. Instead, Private Service Connect egress would resolve locally for Private Google Access.

  • Egress to Cloud NAT is supported only when VPC Service Controls is enabled.

Limitations

  • Private Service Connect interfaces don't support external IP addresses.

Pricing

Pricing for Private Service Connect interfaces is described in the "Using a Private Service Connect interface for access to a producer or consumer VPC network" section in the All networking pricing page.

Before you begin

Set up your resources for Private Service Connect interface in your user project.

Create a custom training job with a Private Service Connect interface

You can create a custom training job with Private Service Connect interface by using the REST API.

REST

Before using any of the request data, make the following replacements:

  • LOCATION: The region where the container or Python package will be run.
  • PROJECT_ID: Your project ID.
  • JOB_ID: The numerical ID of your job. This ID is the last part of the job's name field. If you don't know your job's ID, you can run the gcloud ai custom-jobs list command and look for the appropriate job.
  • Define the custom training job:
    • REPLICA_COUNT: The number of worker replicas to use. In most cases, set this to 1 for your first worker pool.
    • If your training application runs in a custom container, specify the following:

HTTP method and URL:

POST https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/customJobs

Request JSON body:

{
  "display_name": "JOB_ID",
  "job_spec": {
    "worker_pool_specs": [
      {
        "machine_spec": {
          "machine_type": "n1-standard-4"
        },
        "replica_count": REPLICA_COUNT,
        "container_spec": {
          "image_uri": "IMAGE_URI"
        }
      }
    ],
    "psc_interface_config": {
      "network_attachment": "NETWORK_ATTACHMENT_NAME"
    },
    "enable_web_access": true
  }
}
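Before sending the request, the body can be checked locally. The following is an added example, not part of the original documentation: it confirms that the body parses as JSON, that the network attachment is set and no longer a placeholder, and it flags enable_web_access for review. The function name, the sample values, the full-path attachment format (projects/.../regions/.../networkAttachments/...) and the rule that the attachment sits in the job's own project and region are assumptions.

```python
import json
import re

# Assumed full-path form of a Compute Engine network attachment name.
ATTACHMENT_PATH = re.compile(
    r"^projects/([^/]+)/regions/([^/]+)/networkAttachments/[^/]+$")
PLACEHOLDER = re.compile(r"^[A-Z][A-Z0-9_]*$")  # e.g. NETWORK_ATTACHMENT_NAME


def check_request(body_text, project_id, location):
    """Return findings for a customJobs request body; an empty list means clean."""
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    spec = body.get("job_spec", {})
    attachment = spec.get("psc_interface_config", {}).get("network_attachment", "")
    findings = []
    if not attachment:
        findings.append("network_attachment missing: job would not use PSC interface")
    elif PLACEHOLDER.match(attachment):
        findings.append(f"placeholder not replaced: {attachment}")
    elif "/" in attachment:
        m = ATTACHMENT_PATH.match(attachment)
        if not m:
            findings.append("network_attachment path is malformed")
        elif m.groups() != (project_id, location):
            findings.append("network_attachment is outside the job's project or region")
    web = spec.get("enable_web_access")
    if web is not None and not isinstance(web, bool):
        findings.append("enable_web_access must be true or false")
    elif web:
        findings.append("enable_web_access is on: confirm interactive shell access is intended")
    return findings


# Constructed sample bodies (project, region and attachment names are made up).
SAMPLE_OK = """{"display_name": "example-job", "job_spec": {
  "worker_pool_specs": [{"machine_spec": {"machine_type": "n1-standard-4"},
    "replica_count": 1, "container_spec": {"image_uri": "IMAGE_URI"}}],
  "psc_interface_config": {"network_attachment":
    "projects/example-project/regions/us-central1/networkAttachments/example-na"}}}"""
SAMPLE_BAD = ('{"job_spec": {"enable_web_access": 1, "psc_interface_config": '
              '{"network_attachment": "NETWORK_ATTACHMENT_NAME"}}}')

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_request(text, "example-project", "us-central1"))
```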

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/customJobs"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/customJobs" | Select-Object -Expand Content

You should receive a JSON response similar to the following, where "165328523568" is the PROJECT_NUMBER and "7922766354196126367" is the JOB_ID.