Vector Search Private Service Connect

Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. You can publish and consume services using IP addresses that you define and that are internal to your VPC network, and for Vector Search endpoints to perform vector similarity searches.

Enabling Private Service Connect on a Vector Search endpoint is suited for use cases that:

Require low latency and a secure connection to Vector Search serving backends.
Have limited IP space for exclusive VPC peering reservation.
Need to access the serving backends from multiple user VPC networks.

To learn more about setting up Private Service Connect, see the Private Service Connect Overview from the Virtual Private Cloud (VPC) documentation.

Create the index endpoint

To create an endpoint with Private Service Connect enabled you must define it when you create the endpoint. This is similar to creating other endpoints in Vertex AI.

PROJECT: The service project where you are creating Vertex AI resources.

VPC_PROJECT: The project where your client VPC lives. For simple VPC setup, this will be the same as $PROJECT. For shared VPC setup, this will be the VPC host project.

PROJECT=<your-service-project>
VPC_PROJECT=<your-vpc-project>
REGION=us-central1
VERTEX_ENDPOINT=$REGION-aiplatform.googleapis.com
curl -H "Content-Type: application/json" \
  -H "Authorization: Bearer `gcloud auth print-access-token`" \
  https://$VERTEX_ENDPOINT/v1/projects/$PROJECT/locations/$REGION/indexEndpoints \
  -d '{displayName: "<your-index-endpoint-name>", privateServiceConnectConfig:
  { enablePrivateServiceConnect: true, projectAllowlist: ["'$VPC_PROJECT'", "'$PROJECT'"] }}'

Deploy the index

Now that the index is ready, in this step, you deploy the index to the endpoint you created with Private Service Connect enabled.

gcloud

This example uses the gcloud ai index-endpoints deploy-index command:

gcloud ai index-endpoints deploy-index INDEX_ENDPOINT_ID \
  --deployed-index-id=DEPLOYED_INDEX_ID \
  --display-name=DEPLOYED_INDEX_NAME \
  --index=INDEX_ID \
  --project=PROJECT_ID \
  --region=LOCATION

Replace the following:

INDEX_ENDPOINT_ID: The ID of the index endpoint.
DEPLOYED_INDEX_ID: A user specified string to uniquely identify the deployed index. It must start with a letter and contain only letters, numbers or underscores. See DeployedIndex.id for format guidelines.
DEPLOYED_INDEX_NAME: Display name of the deployed index.
INDEX_ID: The ID of the index.
PROJECT_ID: The ID of the project.
LOCATION: The region where you are using Vertex AI.

REST

Before using any of the request data, make the following replacements:

LOCATION: The region where you are using Vertex AI.
PROJECT: Your project ID.
INDEX_ENDPOINT_ID: The ID of the index endpoint.
DEPLOYED_INDEX_ID: A user specified string to uniquely identify the deployed index. It must start with a letter and contain only letters, numbers or underscores. See DeployedIndex.id for format guidelines.
DEPLOYED_INDEX_NAME: Display name of the deployed index.
INDEX_ID: The ID of the index.
PROJECT_NUMBER: Project number for your project

HTTP method and URL:

POST https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex

Request JSON body:

{
  "deployedIndex": {
    "id": "DEPLOYED_INDEX_ID",
    "index": "projects/PROJECT/locations/LOCATION/indexes/INDEX_ID",
    "displayName": "DEPLOYED_INDEX_NAME"
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex"

PowerShell (Windows)

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.aiplatform.v1.DeployIndexOperationMetadata",
    "genericMetadata": {
      "createTime": "2020-10-19T17:53:16.502088Z",
      "updateTime": "2020-10-19T17:53:16.502088Z"
    },
    "deployedIndexId": "DEPLOYED_INDEX_ID"
  }
}

You can poll for the status of the operation until the response includes "done": true.

Create a forwarding rule in the VPC project

After index deployment is done, the index endpoint returns a service attachment URI instead of an IP address. You need to create a forwarding rule in the VPC project targeting the service attachment. To create a forwarding rule, use the following example:

gcloud compute addresses create ${ADDRESS_NAME:?} \
    --region=${REGION:?} \
    --subnet=${SUBNET_NAME:?} \
    --project=${VPC_PROJECT:?}

SERVICE_ATTACHMENT_URI=`gcloud ai index-endpoints describe {INDEX_ENDPOINT_ID}
--format="value(deployedIndexes.privateEndpoints.serviceAttachment)"`

gcloud compute forwarding-rules create ${ENDPOINT_NAME:?} \
    --network=${NETWORK_NAME:?} \
    --address=${ADDRESS_NAME:?} \
    --target-service-attachment=${SERVICE_ATTACHMENT_URI:?} \
    --project=${VPC_PROJECT:?} \
    --region=${REGION:?}

(Optional) Create DNS record for the IP address

If you want to connect and load without memorizing the actual IP address, you can create a DNS record. This step is optional.

DNS_NAME_SUFFIX=matchingengine.vertexai.goog. # Don't forget the "." in the end.
DNS_NAME=${INDEX_ENDPOINT_ID:?}.${REGION:?}.${DNS_NAME_SUFFIX:?}

gcloud dns managed-zones create ${DNS_ZONE_NAME:?} \
    --dns-name=${DNS_NAME_SUFFIX:?} \
    --visibility=private \
    --project=${VPC_PROJECT:?} \
    --region=${REGION:?}

gcloud dns record-sets create ${DNS_NAME:?} \
    --rrdatas=${IP_ADDRESS:?} \
    --type=A --ttl=60 \
    --zone=${DNS_ZONE_NAME:?} \
    --project=${VPC_PROJECT:?} \
    --region=${REGION:?}

Send queries to the index endpoint

Now that you've created an endpoint with Private Service Connect and created the index, you can begin running queries.

To query your index, see Query indexes to get nearest neighbors.

What's next

Learn how to Update and rebuild your index
Learn how to Monitor the index endpoint