Some Vertex AI service producers require you to connect to their services through Private Service Connect interfaces. These services are listed in the Vertex AI access methods table.
When a Private Service Connect interface is created, a VM instance with at least two network interfaces is also created. The first interface connects to a subnet in a producer VPC network. The second interface requests a connection to the network attachment subnet in a consumer network. If accepted, this interface is assigned an internal IP address from the consumer subnet.
On the service producer's side of the private connection, there is a VPC network where your service resources are provisioned. This network is created exclusively for you and contains only your resources. Connectivity between the producer and consumer network is established through the Private Service Connect interface.
The following diagram shows a Vertex AI Pipelines architecture in which the Vertex AI API is enabled and managed in the consumer's network. The Vertex AI Pipelines resources are deployed as a Google-managed infrastructure as a service (IaaS) in the service producer's VPC network. Since the Private Service Connect interface is deployed with an IP address from the consumer's subnet, the producer's network has access to the consumer's learned routes that can span VPC networks, multicloud environments, and on-premises networks.
Private Service Connect interface deployment options
To create a Private Service Connect interface, first deploy a subnet within the consumer VPC that shares the same region as your producer service. Check the specific service requirements to make sure there are no subnet ranges that you should avoid. Then create a network attachment that references the subnet. We recommend that you dedicate the subnet allocated for the network attachment exclusively to Private Service Connect interface deployments.
The following pages discuss specific use cases for Vertex AI Private Service Connect interfaces:
- Configure Private Service Connect interface for a pipeline
- Use Private Service Connect interface for Vertex AI Training
- Create a Ray cluster on Vertex AI
Deployment considerations
The following are considerations for communication from your on-premises, multicloud, and VPC workloads to Google-managed Vertex AI services.
Vertex AI subnet recommendations
The following table lists the recommended subnet ranges for Vertex AI services that support Private Service Connect interfaces.
| Vertex AI feature | Recommended subnet range |
|---|---|
| Vertex AI Pipelines | /28 |
| Custom training jobs | /28 |
| Ray on Vertex AI | /28 |
IP advertisement
- When you use the Private Service Connect interface to connect to services in the consumer VPC network, you choose an IP address from a regular subnet in your VPC network.
- By default, the Cloud Router will advertise regular VPC subnets unless custom advertisement mode is configured. For more information, see Custom advertisement.
- A connection between a network attachment and a Private Service Connect interface is transitive. Workloads in the producer VPC network can communicate with workloads that are connected to the consumer VPC network.
Firewall rules
Private Service Connect interfaces are created and managed by a producer organization, but they are located in a consumer VPC network. For consumer-side security, we recommend firewall rules that are based on IP address ranges from the consumer VPC network. You must update firewall rules to allow the network attachment subnet access to the consumer's network. For more information, see Limit producer-to-consumer ingress.
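The following is an added example, not part of the original documentation or any Google code: an offline evaluator that reports which consumer destinations the network attachment subnet can reach under a set of VPC ingress rules, so that you can confirm producer-to-consumer ingress is limited as recommended above. The rule names, IP ranges, and probes are constructed assumptions, and the model covers only IPv4 range-based VPC firewall rules (no tags, service accounts, or firewall policies).

```python
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (only the fields used here). All names and ranges are assumptions.
ATTACHMENT_SUBNET = "10.10.0.0/28"  # hypothetical network attachment subnet
SAMPLE_RULES = [
    {"name": "deny-psc-if-all", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.10.0.0/28"], "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-psc-if-to-db", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.10.0.0/28"], "destinationRanges": ["10.20.5.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "priority": 900,  # broad legacy rule
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def _l4_match(entry, proto, port):
    if entry["IPProtocol"] not in ("all", proto):
        return False
    ranges = [p.partition("-") for p in entry.get("ports", [])]
    return not ranges or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def decide(rules, src_ip, dst_ip, proto, port):
    """Evaluate one ingress flow: lowest priority number wins, deny beats allow on a tie."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [(65536, False, "denied", "implied-deny-ingress")]  # fallback below any user rule
    for r in rules:
        if (r.get("direction") != "INGRESS" or r.get("disabled")
                or not _in_any(src, r.get("sourceRanges", []))
                or not _in_any(dst, r.get("destinationRanges", ["0.0.0.0/0"]))):
            continue
        for action in ("denied", "allowed"):
            if any(_l4_match(e, proto, port) for e in r.get(action, [])):
                hits.append((r["priority"], action == "allowed", action, r["name"]))
    return min(hits)[2:]

def producer_exposure(rules, attachment_cidr, probes):
    """Return the probes (dst_ip, proto, port) reachable from any attachment-subnet address."""
    found = []
    for dst, proto, port in probes:
        for src in ipaddress.ip_network(attachment_cidr):
            action, rule = decide(rules, str(src), dst, proto, port)
            if action == "allowed":
                found.append((dst, proto, port, rule))
                break
    return found
```

In the sample, the dedicated deny and allow rules for the attachment subnet behave as intended, but the broader `allow-internal` rule has a lower priority number and still lets the producer-side interface reach TCP port 22 across the consumer network.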
Domain name resolution
When using Vertex AI APIs that support Private Service Connect interfaces, domain name resolution lookup isn't supported. If you're using a public domain, DNS lookup is supported within the producer's network. For private DNS lookup, you must define hostname variables that are mapped to consumer Layer 3 IP addresses.
What's next
- Learn about network attachment specifications.
- Try a codelab on using Private Service Connect interfaces with Vertex AI Pipelines.