This page describes how to use VPC Service Controls to set up a user-managed notebooks instance within a service perimeter.
Before you begin
Read the Overview of VPC Service Controls.
Create a new user-managed notebooks instance. This instance is not within a service perimeter yet.
Create a service perimeter using VPC Service Controls. This service perimeter protects the Google-managed resources of services that you specify. While creating your service perimeter, do the following:
When it's time to add projects to your service perimeter, add the project that contains your user-managed notebooks instance.
When it's time to add services to your service perimeter, add the Notebooks API.
If you have created your service perimeter without adding the projects and services you need, see Managing service perimeters to learn how to update your service perimeter.
Configure your DNS entries using Cloud DNS
User-managed notebooks instances use several domains that a Virtual Private Cloud network does not handle by default. Using Cloud DNS, add DNS records to ensure that your VPC network correctly handles requests sent to those domains. To learn more about VPC routes, read the Routes overview.
Use the following steps to create a managed zone for
a domain, add a DNS entry that will route the request, and execute
the transaction. Repeat these steps for each of several
domains that you need to handle requests for, starting
Use the following command to create a private managed zone for one of the domains that your VPC network needs to handle.
gcloud dns managed-zones create ZONE_NAME \ --visibility=private \ --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \ --dns-name=DNS_NAME \ --description="Description of your managed zone" --target-network=TARGET_NETWORK --target-project=TARGET_PROJECT
Replace the following:
ZONE_NAME: a name for the zone to create. You must use a separate zone for each domain. This zone name is used in each of the following steps.
PROJECT_ID: the ID of the project that hosts your VPC network
NETWORK_NAME: the name of the VPC network that you created earlier
DNS_NAME: the part of the domain name that comes after the
*.. For example,
*.notebooks.googleapis.comhas a DNS_NAME of
TARGET_NETWORK: the network ID of the private network to forward queries to
TARGET_PROJECT: the project ID of the private network to forward queries to
Start a transaction.
gcloud dns record-sets transaction start --zone=ZONE_NAME
Add the following DNS A record. This reroutes traffic to Google's restricted IP addresses.
gcloud dns record-sets transaction add \ --name=DNS_NAME. \ --type=A 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 \ --zone=ZONE_NAME \ --ttl=300
Add the following DNS CNAME record to point to the A record that you just added. This redirects all traffic matching the domain to the IP addresses listed in the previous step.
gcloud dns record-sets transaction add \ --name=\*.DNS_NAME. \ --type=CNAME DNS_NAME. \ --zone=ZONE_NAME \ --ttl=300
Execute the transaction.
gcloud dns record-sets transaction execute --zone=ZONE_NAME
Repeat these steps for each of the following domains. For each repetition, change ZONE_NAME and DNS_NAME to the appropriate values for that domain. Keep PROJECT_ID and NETWORK_NAME the same each time. You already completed these steps for
Configure the service perimeter
Use Container Registry within your service perimeter
If you want to use Container Registry within your service perimeter, follow these steps for configuring your DNS entries and service perimeter.
Use Shared VPC
If you are using Shared VPC,
you must add the host and the service projects to the service
perimeter. In the host project, you must also grant the
Compute Network User role
roles/compute.networkUser) to the
Notebooks service agent
from the service project. For more information, see Managing
Access your user-managed notebooks instance
Follow the steps for opening a notebook.
Installing Jupyter extensions in your user-managed notebooks
If you attempt to install JupyterLab extensions
but the Cloud Storage API is
restricted, you may see a
User-managed notebooks extensions are currently stored in the
deeplearning-platform-ui-public public bucket.
Accessing the user-managed notebooks proxy from a workstation without internet.
To access user-managed notebooks instances from a workstation with limited internet access, verify with your IT administrator that you can access the following domains:
- Install dependencies on your new user-managed notebooks instance.