Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. You can publish and consume services using IP addresses that you define and that are internal to your VPC network, and for Vector Search endpoints to perform vector similarity searches.
Enabling Private Service Connect on a Vector Search endpoint is suited for use cases that:
- Require low latency and a secure connection to Vector Search serving backends.
- Have limited IP space for exclusive VPC peering reservation.
- Need to access the serving backends from multiple user VPC networks.
To learn more about setting up Private Service Connect, see the Private Service Connect Overview from the Virtual Private Cloud (VPC) documentation.
Create the index endpoint
To create an endpoint with Private Service Connect enabled you must define it when you create the endpoint. This is similar to creating other endpoints in Vertex AI.
PROJECT=<your-service-project>
VPC_PROJECT=<your-vpc-project>
REGION=us-central1
VERTEX_ENDPOINT=$REGION-aiplatform.googleapis.com
curl -H "Content-Type: application/json" \
-H "Authorization: Bearer `gcloud auth print-access-token`" \
https://$VERTEX_ENDPOINT/v1/projects/$PROJECT/locations/$REGION/indexEndpoints \
-d '{displayName: "<your-index-endpoint-name>", privateServiceConnectConfig:
{ enablePrivateServiceConnect: true, projectAllowlist: ["'$VPC_PROJECT'", "'$PROJECT'"] }}'
Deploy the index
Now that the index is ready, in this step, you deploy the index to the endpoint you created with Private Service Connect enabled.
gcloud
This example uses the gcloud ai index-endpoints deploy-index
command:
gcloud ai index-endpoints deploy-index INDEX_ENDPOINT_ID \
--deployed-index-id=DEPLOYED_INDEX_ID \
--display-name=DEPLOYED_INDEX_NAME \
--index=INDEX_ID \
--project=PROJECT_ID \
--region=LOCATION
Replace the following:
- INDEX_ENDPOINT_ID: The ID of the index endpoint.
- DEPLOYED_INDEX_ID: A user specified string to uniquely identify the deployed index. It must start with a letter and contain only letters, numbers or underscores. See DeployedIndex.id for format guidelines.
- DEPLOYED_INDEX_NAME: Display name of the deployed index.
- INDEX_ID: The ID of the index.
- PROJECT_ID: The ID of the project.
- LOCATION: The region where you are using Vertex AI.
REST
Before using any of the request data, make the following replacements:
- LOCATION: The region where you are using Vertex AI.
- PROJECT: Your project ID.
- INDEX_ENDPOINT_ID: The ID of the index endpoint.
- DEPLOYED_INDEX_ID: A user specified string to uniquely identify the deployed index. It must start with a letter and contain only letters, numbers or underscores. See DeployedIndex.id for format guidelines.
- DEPLOYED_INDEX_NAME: Display name of the deployed index.
- INDEX_ID: The ID of the index.
- PROJECT_NUMBER: Project number for your project
HTTP method and URL:
POST https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex
Request JSON body:
{ "deployedIndex": { "id": "DEPLOYED_INDEX_ID", "index": "projects/PROJECT/locations/LOCATION/indexes/INDEX_ID", "displayName": "DEPLOYED_INDEX_NAME" } }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID/operations/OPERATION_ID", "metadata": { "@type": "type.googleapis.com/google.cloud.aiplatform.v1.DeployIndexOperationMetadata", "genericMetadata": { "createTime": "2020-10-19T17:53:16.502088Z", "updateTime": "2020-10-19T17:53:16.502088Z" }, "deployedIndexId": "DEPLOYED_INDEX_ID" } }
"done": true
.
Create a forwarding rule in the VPC project
After index deployment is done, the index endpoint returns a service attachment URI instead of an IP address. You need to create a forwarding rule in the VPC project targeting the service attachment. To create a forwarding rule, use the following example:
gcloud compute addresses create ${ADDRESS_NAME:?} \
--region=${REGION:?} \
--subnet=${SUBNET_NAME:?} \
--project=${VPC_PROJECT:?}
SERVICE_ATTACHMENT_URI=`gcloud ai index-endpoints describe {INDEX_ENDPOINT_ID}
--format="value(deployedIndexes.privateEndpoints.serviceAttachment)"`
gcloud compute forwarding-rules create ${ENDPOINT_NAME:?} \
--network=${NETWORK_NAME:?} \
--address=${ADDRESS_NAME:?} \
--target-service-attachment=${SERVICE_ATTACHMENT_URI:?} \
--project=${VPC_PROJECT:?} \
--region=${REGION:?}
(Optional) Create DNS record for the IP address
If you want to connect and load without memorizing the actual IP address, you can create a DNS record. This step is optional.
DNS_NAME_SUFFIX=matchingengine.vertexai.goog. # Don't forget the "." in the end.
DNS_NAME=${INDEX_ENDPOINT_ID:?}.${REGION:?}.${DNS_NAME_SUFFIX:?}
gcloud dns managed-zones create ${DNS_ZONE_NAME:?} \
--dns-name=${DNS_NAME_SUFFIX:?} \
--visibility=private \
--project=${VPC_PROJECT:?} \
--region=${REGION:?}
gcloud dns record-sets create ${DNS_NAME:?} \
--rrdatas=${IP_ADDRESS:?} \
--type=A --ttl=60 \
--zone=${DNS_ZONE_NAME:?} \
--project=${VPC_PROJECT:?} \
--region=${REGION:?}
Send queries to the index endpoint
Now that you've created an endpoint with Private Service Connect and created the index, you can begin running queries.
To query your index, see Query indexes to get nearest neighbors.
What's next
- Learn how to Update and rebuild your index
- Learn how to Monitor the index endpoint