Vector Search Private Service Connect

Private Service Connect lets you consume services privately across VPC networks that belong to different groups, teams, projects, or organizations. You publish and consume services through IP addresses that you define and that are internal to your VPC network, and Vector Search endpoints can use such a connection to serve vector similarity searches without traversing the public internet.

Enabling Private Service Connect on a Vector Search endpoint is suited for use cases that:

  1. Require low latency and a secure connection to Vector Search serving backends.
  2. Have limited IP space for exclusive VPC peering reservation.
  3. Need to access the serving backends from multiple user VPC networks.

To learn more about setting up Private Service Connect, see the Private Service Connect Overview from the Virtual Private Cloud (VPC) documentation.

Create the index endpoint

To create an endpoint with Private Service Connect enabled, you must enable it at creation time; it cannot be turned on later. Otherwise this is similar to creating other endpoints in Vertex AI.

Set the following:

  • PROJECT: The service project where you are creating Vertex AI resources.
  • VPC_PROJECT: The project where your client VPC lives. For a simple VPC setup, this is the same as $PROJECT. For a shared VPC setup, this is the VPC host project.

    PROJECT=<your-service-project>
    VPC_PROJECT=<your-vpc-project>
    REGION=us-central1
    VERTEX_ENDPOINT=$REGION-aiplatform.googleapis.com
    # projectAllowlist names the projects that may create forwarding rules targeting the
    # service attachment; the project that will own the forwarding rule must be in it.
    curl -H "Content-Type: application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      https://$VERTEX_ENDPOINT/v1/projects/$PROJECT/locations/$REGION/indexEndpoints \
      -d '{"displayName": "<your-index-endpoint-name>", "privateServiceConnectConfig":
      { "enablePrivateServiceConnect": true, "projectAllowlist": ["'$VPC_PROJECT'", "'$PROJECT'"] }}'

Deploy the index

Now that the index is ready, deploy it to the endpoint you created with Private Service Connect enabled.

gcloud

This example uses the gcloud ai index-endpoints deploy-index command:

    gcloud ai index-endpoints deploy-index INDEX_ENDPOINT_ID \
      --deployed-index-id=DEPLOYED_INDEX_ID \
      --display-name=DEPLOYED_INDEX_NAME \
      --index=INDEX_ID \
      --project=PROJECT_ID \
      --region=LOCATION

Replace the following:

  • INDEX_ENDPOINT_ID: The ID of the index endpoint.
  • DEPLOYED_INDEX_ID: A user-specified string that uniquely identifies the deployed index. It must start with a letter and contain only letters, numbers, or underscores. See DeployedIndex.id for format guidelines.
  • DEPLOYED_INDEX_NAME: Display name of the deployed index.
  • INDEX_ID: The ID of the index.
  • PROJECT_ID: The ID of the project.
  • LOCATION: The region where you are using Vertex AI.

REST

Before using any of the request data, make the following replacements:

  • LOCATION: The region where you are using Vertex AI.
  • PROJECT: Your project ID.
  • INDEX_ENDPOINT_ID: The ID of the index endpoint.
  • DEPLOYED_INDEX_ID: A user-specified string that uniquely identifies the deployed index. It must start with a letter and contain only letters, numbers, or underscores. See DeployedIndex.id for format guidelines.
  • DEPLOYED_INDEX_NAME: Display name of the deployed index.
  • INDEX_ID: The ID of the index.
  • PROJECT_NUMBER: The project number of your project.

HTTP method and URL:

    POST https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex

Request JSON body:

    {
      "deployedIndex": {
        "id": "DEPLOYED_INDEX_ID",
        "index": "projects/PROJECT/locations/LOCATION/indexes/INDEX_ID",
        "displayName": "DEPLOYED_INDEX_NAME"
      }
    }

You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID/operations/OPERATION_ID",
      "metadata": {
        "@type": "type.googleapis.com/google.cloud.aiplatform.v1.DeployIndexOperationMetadata",
        "genericMetadata": {
          "createTime": "2020-10-19T17:53:16.502088Z",
          "updateTime": "2020-10-19T17:53:16.502088Z"
        },
        "deployedIndexId": "DEPLOYED_INDEX_ID"
      }
    }

The response is a long-running operation. You can poll its status until the response includes "done": true.
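The two request bodies above (the Private Service Connect endpoint creation from the previous section and the deployIndex request here) are easy to get wrong when assembled by string interpolation in a shell: an unquoted JSON key, a display name with a quote in it, or a projectAllowlist that omits the project that will own the forwarding rule all surface only later as a failed call or a rejected PSC connection. The following is an added example, not code from the page or from Google; it builds both bodies in Python with the field names shown on the page, validates the project IDs and the DeployedIndex.id format the page describes, and ensures the VPC project is always in the allowlist. The sample project and index names are constructed.

```python
import json
import re

# GCP project IDs: 6-30 characters of lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# DeployedIndex.id as the page describes it: a letter, then letters, numbers or underscores.
DEPLOYED_INDEX_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def psc_index_endpoint_body(display_name, service_project, vpc_project):
    """Body for POST .../indexEndpoints that creates a Private Service Connect endpoint.

    projectAllowlist is the consumer-side access control of the service attachment that
    Vector Search publishes: only forwarding rules created in a listed project are accepted.
    The VPC project that will own the forwarding rule is therefore always listed; the
    service project is listed too so that a simple (non-shared) VPC setup also works.
    """
    for project in (service_project, vpc_project):
        if not PROJECT_ID_RE.match(project):
            raise ValueError(f"not a valid project ID: {project!r}")
    if not display_name:
        raise ValueError("displayName must not be empty")
    allowlist = [vpc_project]
    if service_project != vpc_project:
        allowlist.append(service_project)
    return {
        "displayName": display_name,
        "privateServiceConnectConfig": {
            "enablePrivateServiceConnect": True,
            "projectAllowlist": allowlist,
        },
    }


def deploy_index_body(deployed_index_id, display_name, project, location, index_id):
    """Body for POST .../indexEndpoints/INDEX_ENDPOINT_ID:deployIndex."""
    if not DEPLOYED_INDEX_ID_RE.match(deployed_index_id):
        raise ValueError(
            f"invalid DEPLOYED_INDEX_ID {deployed_index_id!r}: must start with a letter "
            "and contain only letters, numbers or underscores"
        )
    return {
        "deployedIndex": {
            "id": deployed_index_id,
            "index": f"projects/{project}/locations/{location}/indexes/{index_id}",
            "displayName": display_name,
        }
    }


def request_json(body):
    """Serialise a body for curl -d. json.dumps quotes every key and value, so a display
    name containing quotes cannot break out of the JSON the way shell interpolation can."""
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample values, not real projects or indexes.
    endpoint = psc_index_endpoint_body("my-psc-endpoint", "my-service-project", "my-vpc-project")
    print(request_json(endpoint))
    deploy = deploy_index_body("psc_index_1", "psc index", "my-service-project", "us-central1", "1234567890")
    print(request_json(deploy))
```

The resulting strings are what the page's curl commands send with -d; keeping the allowlist logic in one place also makes it straightforward to review which projects may connect to the serving backend.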

Create a forwarding rule in the VPC project

After index deployment is done, the index endpoint exposes a service attachment URI instead of an IP address. You need to create a forwarding rule in the VPC project that targets the service attachment. To create a forwarding rule, use the following example:

    # Reserve an internal IP address in the consumer subnet for the PSC endpoint.
    gcloud compute addresses create ${ADDRESS_NAME:?} \
        --region=${REGION:?} \
        --subnet=${SUBNET_NAME:?} \
        --project=${VPC_PROJECT:?}

    # With more than one index deployed, this lists one attachment per deployed index;
    # narrow it to the DEPLOYED_INDEX_ID you want.
    SERVICE_ATTACHMENT_URI=$(gcloud ai index-endpoints describe ${INDEX_ENDPOINT_ID:?} \
        --region=${REGION:?} \
        --project=${PROJECT:?} \
        --format="value(deployedIndexes.privateEndpoints.serviceAttachment)")

    gcloud compute forwarding-rules create ${ENDPOINT_NAME:?} \
        --network=${NETWORK_NAME:?} \
        --address=${ADDRESS_NAME:?} \
        --target-service-attachment=${SERVICE_ATTACHMENT_URI:?} \
        --project=${VPC_PROJECT:?} \
        --region=${REGION:?}

(Optional) Create DNS record for the IP address

If you want to connect and load without having to remember the actual IP address, you can create a DNS record. This step is optional.

    DNS_NAME_SUFFIX=matchingengine.vertexai.goog. # Don't forget the "." at the end.
    DNS_NAME=${INDEX_ENDPOINT_ID:?}.${REGION:?}.${DNS_NAME_SUFFIX:?}

    # Look up the address reserved in the previous step.
    IP_ADDRESS=$(gcloud compute addresses describe ${ADDRESS_NAME:?} \
        --region=${REGION:?} \
        --project=${VPC_PROJECT:?} \
        --format="value(address)")

    # Managed zones are global resources; a private zone only resolves inside the
    # networks it is attached to.
    gcloud dns managed-zones create ${DNS_ZONE_NAME:?} \
        --dns-name=${DNS_NAME_SUFFIX:?} \
        --description="Private zone for Vector Search PSC endpoints" \
        --visibility=private \
        --networks=${NETWORK_NAME:?} \
        --project=${VPC_PROJECT:?}

    gcloud dns record-sets create ${DNS_NAME:?} \
        --rrdatas=${IP_ADDRESS:?} \
        --type=A --ttl=60 \
        --zone=${DNS_ZONE_NAME:?} \
        --project=${VPC_PROJECT:?}
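The forwarding-rule and DNS steps above both hinge on values pulled out of the index endpoint: the service attachment URI for the right deployed index, the numeric endpoint ID that forms the DNS name, and an address that really is the internal one reserved in the VPC. The following is an added example, not code from the page or from Google, written in Python so it runs without gcloud; it parses a constructed sample of the JSON that gcloud ai index-endpoints describe --format=json would print (the field layout follows the page's --format expression; all names and IDs in it are made up), selects the attachment by DeployedIndex.id, checks that it is in the expected region, builds the forwarding-rule argv, derives the DNS name, and rejects anything but an internal IPv4 address as the A record's rrdata.

```python
import ipaddress
import json
import re

# Shape of the URI found in deployedIndexes[].privateEndpoints.serviceAttachment.
SERVICE_ATTACHMENT_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/regions/(?P<region>[^/]+)/serviceAttachments/(?P<name>[^/]+)$"
)
DNS_NAME_SUFFIX = "matchingengine.vertexai.goog."  # trailing dot: fully qualified

# Constructed sample of `gcloud ai index-endpoints describe ... --format=json` output.
# Every name and ID here is made up; only the field layout matters.
SAMPLE_DESCRIBE = json.dumps({
    "name": "projects/123456789012/locations/us-central1/indexEndpoints/1234567890123456789",
    "displayName": "psc-endpoint",
    "deployedIndexes": [
        {
            "id": "psc_index_1",
            "index": "projects/123456789012/locations/us-central1/indexes/111",
            "privateEndpoints": {
                "serviceAttachment": "projects/p1a2b3c4d5e6f7a8b/regions/us-central1/serviceAttachments/sa-111"
            },
        },
        {
            "id": "psc_index_2",
            "index": "projects/123456789012/locations/us-central1/indexes/222",
            "privateEndpoints": {
                "serviceAttachment": "projects/p1a2b3c4d5e6f7a8b/regions/us-central1/serviceAttachments/sa-222"
            },
        },
    ],
})


def service_attachment_for(describe_json, deployed_index_id, expected_region):
    """Return the service attachment URI of one deployed index.

    With several indexes deployed, the page's value(...) format expression yields several
    URIs, so select by DeployedIndex.id. The region is checked because a forwarding rule
    can only target a service attachment in its own region.
    """
    endpoint = json.loads(describe_json)
    for deployed in endpoint.get("deployedIndexes", []):
        if deployed.get("id") != deployed_index_id:
            continue
        uri = deployed.get("privateEndpoints", {}).get("serviceAttachment")
        if not uri:
            raise ValueError(f"{deployed_index_id}: no serviceAttachment yet; is deployment done?")
        match = SERVICE_ATTACHMENT_RE.match(uri)
        if not match:
            raise ValueError(f"unexpected service attachment URI: {uri}")
        if match["region"] != expected_region:
            raise ValueError(f"service attachment is in {match['region']}, not {expected_region}")
        return uri
    raise KeyError(f"no deployed index with id {deployed_index_id!r}")


def forwarding_rule_command(endpoint_name, network, address_name, service_attachment, vpc_project, region):
    """argv for the page's forwarding-rule step, built as a list so no shell quoting is involved."""
    return [
        "gcloud", "compute", "forwarding-rules", "create", endpoint_name,
        f"--network={network}",
        f"--address={address_name}",
        f"--target-service-attachment={service_attachment}",
        f"--project={vpc_project}",
        f"--region={region}",
    ]


def dns_name(describe_json, region):
    """INDEX_ENDPOINT_ID.REGION.matchingengine.vertexai.goog. exactly as the page builds it."""
    index_endpoint_id = json.loads(describe_json)["name"].rsplit("/", 1)[-1]
    return f"{index_endpoint_id}.{region}.{DNS_NAME_SUFFIX}"


def a_record_rrdata(ip_address):
    """Accept only an internal IPv4 address: the reserved PSC address is VPC-internal, so a
    public or IPv6 value here means the wrong variable ended up in IP_ADDRESS."""
    addr = ipaddress.ip_address(ip_address)
    if addr.version != 4 or not addr.is_private:
        raise ValueError(f"{ip_address} is not an internal IPv4 address")
    return str(addr)


if __name__ == "__main__":
    uri = service_attachment_for(SAMPLE_DESCRIBE, "psc_index_2", "us-central1")
    print(" ".join(forwarding_rule_command("vs-psc", "my-vpc", "vs-psc-addr", uri, "my-vpc-project", "us-central1")))
    print(dns_name(SAMPLE_DESCRIBE, "us-central1"), a_record_rrdata("10.128.0.10"))
```

Running it prints the forwarding-rule command for the second deployed index and the DNS name with the address; substituting the real describe output for SAMPLE_DESCRIBE is the only change needed to use it against a live endpoint.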

Send queries to the index endpoint

Now that you've created an endpoint with Private Service Connect enabled and deployed the index to it, you can begin running queries through the forwarding rule's address (or its DNS name).

To query your index, see Query indexes to get nearest neighbors.
