Use Private Service Connect interface for Vertex AI Training

Private Service Connect interface is recommended for private connectivity since it reduces the chance of IP exhaustion and allows for transitive peering.

Private Service Connect interface is supported on Vertex AI custom jobs and persistent resources.

Overview

Private Service Connect interface is supported on Vertex AI Training custom jobs and persistent resources. To use Private Service Connect interface, you need to set up a VPC network, subnetwork, and network attachment in your user project. See Set up a Private Service Connect interface. The network attachment name must be included in the request to create a custom jobs and persistent resources to enable Private Service Connect interface.

Vertex AI Private Service Connect egress connectivity to other networks

Vertex AI has integrated the egress network connectivities that are supported by Private Service Connect, (see Connecting to workloads in other networks), with the following exceptions:

Egress to a customer's Private Google Access isn't supported. Instead Private Service Connect egress would resolve locally for Private Google Access.
Egress to Cloud NAT is supported only when VPC Service Control is enabled.

Limitations

Private Service Connect interfaces don't support external IP addresses.

Pricing

Pricing for Private Service Connect interfaces is described in the "Using a Private Service Connect interface for access to a producer or consumer VPC network" section in the All networking pricing page.

Before you begin

Set up your resources for Private Service Connect interface on your user project.

Create a custom training job with a Private Service Connect interface

You can create a custom training job with Private Service Connect interface by using the REST API.

REST

Before using any of the request data, make the following replacements:

LOCATION: The region where the container or Python package will be run.
PROJECT_ID: Your project ID.
JOB_ID: The numerical ID of your job. This ID is the last part of the job's name field. If you don't know your job's ID, you can run the gcloud ai custom-jobs list command and look for the appropriate job.
Define the custom training job:
- REPLICA_COUNT: The number of worker replicas to use. In most cases, set this to 1 for your first worker pool.
- If your training application runs in a custom container, specify the following:
  - IMAGE_URI: the URI of a Docker container image with your training code. Learn how to create a custom container image.
  - NETWORK_ATTACHMENT_NAME: The NETWORK_ATTACHMENT_NAME that you created when you set up the Private Service Connect interface for your Vertex AI resources.

HTTP method and URL:

POST https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/customJobs

Request JSON body:

{
  custom_job = {
  "display_name": JOB_ID,
  "job_spec": {
     "worker_pool_specs": [
        {
         "machine_spec": {
           "machine_type": "n1-standard-4",
         },
         "replica_count": REPLICA_COUNT,
         "container_spec": {
           "image_uri": IMAGE_URI,
         },
       },
     ],
     "psc_interface_config": {
       "network_attachment": NETWORK_ATTACHMENT_NAME
     },
     "enable_web_access": 1
  }
 }
}

To send your request, choose one of these options:

curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/customJobs"

PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/customJobs" | Select-Object -Expand Content

You should receive a JSON response similar to the following where "165328523568" is the PROJECT_NUMBER and "7922766354196126367" is the JOB_ID.





Response

  
{
  response: 
  Created Job: projects/1165328523568/locations/us-central1/customJobs/7922766354196126367
}