About accessing Vertex AI services through Private Service Connect interfaces

Some Vertex AI service producers require you to connect to their services through Private Service Connect interfaces. These services are listed in the Vertex AI access methods table.

When a Private Service Connect interface is created, a VM instance with at least two network interfaces is also created. The first interface connects to a subnet in a producer VPC network. The second interface requests a connection to the network attachment subnet in a consumer network. If accepted, this interface is assigned an internal IP address from the consumer subnet.

On the service producer's side of the private connection, there is a VPC network where your service resources are provisioned. This network is created exclusively for you and contains only your resources. Connectivity between the producer and consumer network is established through the Private Service Connect interface.

The following diagram shows a Vertex AI Pipelines architecture in which the Vertex AI API is enabled and managed in the consumer's network. The Vertex AI Pipelines resources are deployed as a Google-managed infrastructure as a service (IaaS) in the service producer's VPC network. Since the Private Service Connect interface is deployed with an IP address from the consumer's subnet, the producer's network has access to the consumer's learned routes that can span VPC networks, multicloud environments, and on-premises networks.

[Diagram: Vertex AI Pipelines deployed in the producer VPC network, connected to the consumer VPC network through a Private Service Connect interface]

Private Service Connect interface deployment options

To create a Private Service Connect interface, first deploy a subnet within the consumer VPC that shares the same region as your producer service. Check the specific service requirements to make sure there are no subnet ranges that you should avoid. Then create a network attachment that references the subnet. We recommend that you dedicate the subnet allocated for the network attachment exclusively to Private Service Connect interface deployments.
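The two-step procedure above (dedicated subnet, then a network attachment that references it), as an added shell example that is not part of the Vertex AI documentation. It validates the plan before emitting the `gcloud` commands: the range must be the /28 the page recommends and the subnet region must match the producer service's region. The project ID, network, region, range and resource names are constructed placeholders, and `ACCEPT_AUTOMATIC` is an assumed connection preference (the producer project for Vertex AI is Google-managed); by default the script only prints the commands (`DRY_RUN=1`).

```shell
#!/bin/sh
# Added example, not from the Vertex AI documentation: validate and create the
# consumer-side subnet and the network attachment that a Private Service
# Connect interface connects to. Project, network, region and range values
# are constructed placeholders; replace them for a real deployment.
set -eu

PROJECT_ID="${PROJECT_ID:-consumer-project-placeholder}"   # assumed placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = execute them

# The documented recommendation for Pipelines, custom training and Ray is a
# /28 dedicated to PSC interfaces; refuse anything else so a typo does not
# hand the producer a much larger slice of the consumer VPC.
check_recommended_prefix() {   # range
  case "$1" in
    */28) return 0 ;;
    *) echo "range $1 is not a /28 (documented recommendation)" >&2; return 1 ;;
  esac
}

# The subnet must be in the same region as the producer service it serves.
check_same_region() {   # subnet_region producer_region
  if [ "$1" = "$2" ]; then return 0; fi
  echo "subnet region $1 differs from producer service region $2" >&2
  return 1
}

build_subnet_cmd() {   # subnet_name network region range
  printf 'gcloud compute networks subnets create %s --project=%s --network=%s --region=%s --range=%s' \
    "$1" "$PROJECT_ID" "$2" "$3" "$4"
}

# ACCEPT_AUTOMATIC (assumed here) lets any producer project attach. If you
# know the producer project, ACCEPT_MANUAL with --producer-accept-list is the
# tighter choice.
build_attachment_cmd() {   # attachment_name region subnet_name
  printf 'gcloud compute network-attachments create %s --project=%s --region=%s --subnets=%s --connection-preference=ACCEPT_AUTOMATIC' \
    "$1" "$PROJECT_ID" "$2" "$3"
}

run() {   # command_string
  if [ "$DRY_RUN" = "1" ]; then echo "+ $1"; else eval "$1"; fi
}

# network subnet_region producer_region range
deploy_psc_attachment() {
  check_recommended_prefix "$4"
  check_same_region "$2" "$3"
  run "$(build_subnet_cmd psc-interface-subnet "$1" "$2" "$4")"
  run "$(build_attachment_cmd psc-interface-attachment "$2" psc-interface-subnet)"
}

# Usage (dry run): prints the two gcloud commands for a /28 in us-central1.
deploy_psc_attachment consumer-vpc us-central1 us-central1 10.10.0.0/28
```

Run it with `DRY_RUN=0` once the printed commands look right; the validators return non-zero and stop the script under `set -e` when the range or region is wrong.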

The following pages discuss specific use cases for Vertex AI Private Service Connect interfaces:

Deployment considerations

The following are considerations for communication from your on-premises, multicloud, and VPC workloads to Google-managed Vertex AI services.

Vertex AI subnet recommendations

The following table lists the recommended subnet ranges for Vertex AI services that support Private Service Connect interfaces.

Vertex AI feature       Recommended subnet range
Vertex AI Pipelines     /28
Custom training jobs    /28
Ray on Vertex AI        /28

IP advertisement

  • When you use the Private Service Connect interface to connect to services in the consumer VPC network, you choose an IP address from a regular subnet in your VPC network.
  • By default, the Cloud Router will advertise regular VPC subnets unless custom advertisement mode is configured. For more information, see Custom advertisement.
  • A connection between a network attachment and a Private Service Connect interface is transitive. Workloads in the producer VPC network can communicate with workloads that are connected to the consumer VPC network.
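The second bullet above notes that a Cloud Router in custom advertisement mode no longer advertises regular subnets automatically. The following added shell example, not from the Vertex AI documentation, handles the explicit-ranges case: it checks whether the network attachment subnet is already in the custom advertised ranges, appends it if not, and emits the `gcloud compute routers update` command. Router name, region, project ID and ranges are constructed placeholders; if your custom configuration already uses `--set-advertisement-groups=ALL_SUBNETS`, the attachment subnet is covered by that group and this check is unnecessary.

```shell
#!/bin/sh
# Added example, not from the Vertex AI documentation: keep the network
# attachment subnet in a Cloud Router's custom advertised ranges so that
# on-premises and multicloud peers learn a route back to the PSC interface.
# Router, region, project and ranges are constructed placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-consumer-project-placeholder}"   # assumed placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud command, 0 = execute it

# Return 0 if the attachment range appears in a comma-separated ranges list.
ranges_include() {   # attachment_range ranges
  old_ifs=$IFS; IFS=,
  for r in $2; do
    if [ "$r" = "$1" ]; then IFS=$old_ifs; return 0; fi
  done
  IFS=$old_ifs
  return 1
}

# Print the ranges list with the attachment range appended when it is missing.
ensure_advertised() {   # attachment_range ranges
  if [ -z "$2" ]; then printf '%s' "$1"; return 0; fi
  if ranges_include "$1" "$2"; then printf '%s' "$2"; else printf '%s,%s' "$2" "$1"; fi
}

build_router_update_cmd() {   # router region ranges
  printf 'gcloud compute routers update %s --project=%s --region=%s --advertisement-mode=CUSTOM --set-advertisement-ranges=%s' \
    "$1" "$PROJECT_ID" "$2" "$3"
}

run() {   # command_string
  if [ "$DRY_RUN" = "1" ]; then echo "+ $1"; else eval "$1"; fi
}

advertise_attachment_subnet() {   # router region attachment_range current_ranges
  ranges=$(ensure_advertised "$3" "$4")
  run "$(build_router_update_cmd "$1" "$2" "$ranges")"
}

# Usage (dry run): the attachment /28 is added next to an existing custom range.
advertise_attachment_subnet on-prem-router us-central1 10.10.0.0/28 192.168.0.0/24
```

Because `--set-advertisement-ranges` replaces the whole list, pass the router's current custom ranges as the last argument rather than only the attachment subnet, or the other ranges stop being advertised.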

Firewall rules

Private Service Connect interfaces are created and managed by a producer organization, but they are located in a consumer VPC network. For consumer-side security, we recommend firewall rules that are based on IP address ranges from the consumer VPC network. You must update firewall rules to allow the network attachment subnet access to the consumer's network. For more information, see Limit producer-to-consumer ingress.
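One way to express the consumer-side recommendation above in firewall rules, as an added shell example that is not from the Vertex AI documentation: an allow rule whose source is only the network attachment subnet and whose ports are explicit, plus a lower-priority logged deny from the same subnet so anything else the producer-side interface attempts is visible in firewall logs. The script rejects over-broad source ranges and protocol-wide rules before building the commands. Network, project ID, range, target tag and rule names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Vertex AI documentation: build consumer-side
# firewall rules that limit producer-to-consumer ingress to the network
# attachment subnet and to explicit ports, with a logged catch-all deny.
# Names, project and ranges are constructed placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-consumer-project-placeholder}"   # assumed placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = execute them

# The only source that belongs on a PSC ingress allow rule is the attachment
# subnet; refuse the Internet and whole private blocks.
check_not_open_range() {   # source_range
  case "$1" in
    */0|10.0.0.0/8|172.16.0.0/12|192.168.0.0/16)
      echo "source range $1 is too broad for producer-to-consumer ingress" >&2
      return 1 ;;
  esac
  return 0
}

# Require explicit tcp:PORT / udp:PORT entries (comma separated); "all" or a
# bare protocol opens far more than a pipeline or training job needs.
check_explicit_ports() {   # rules, e.g. tcp:443,tcp:8443
  old_ifs=$IFS; IFS=,
  for item in $1; do
    case "$item" in
      tcp:[0-9]*|udp:[0-9]*) ;;
      *) IFS=$old_ifs; echo "rule '$item' is not an explicit tcp/udp port" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

build_ingress_rule_cmd() {   # name network attachment_range rules target_tag
  printf 'gcloud compute firewall-rules create %s --project=%s --network=%s --direction=INGRESS --priority=1000 --action=ALLOW --rules=%s --source-ranges=%s --target-tags=%s' \
    "$1" "$PROJECT_ID" "$2" "$4" "$3" "$5"
}

# Explicit, logged deny below the allow rule: VPC already denies ingress by
# default, but logging shows what the producer side tries to reach.
build_deny_rule_cmd() {   # name network attachment_range
  printf 'gcloud compute firewall-rules create %s --project=%s --network=%s --direction=INGRESS --priority=65000 --action=DENY --rules=all --source-ranges=%s --enable-logging' \
    "$1" "$PROJECT_ID" "$2" "$3"
}

run() {   # command_string
  if [ "$DRY_RUN" = "1" ]; then echo "+ $1"; else eval "$1"; fi
}

limit_producer_ingress() {   # network attachment_range rules target_tag
  check_not_open_range "$2"
  check_explicit_ports "$3"
  run "$(build_ingress_rule_cmd allow-psc-interface-ingress "$1" "$2" "$3" "$4")"
  run "$(build_deny_rule_cmd deny-psc-interface-other "$1" "$2")"
}

# Usage (dry run): allow only HTTPS from the attachment /28 to tagged workloads.
limit_producer_ingress consumer-vpc 10.10.0.0/28 tcp:443 vertex-reachable
```

The target tag scopes the allow rule to the consumer workloads that the Vertex AI job genuinely needs to reach; without it the rule would apply to every instance in the network.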

Domain name resolution

When you use Vertex AI APIs that support Private Service Connect interfaces, domain name lookup isn't supported through the interface. If you're using a public domain, DNS lookup is supported within the producer's network. For private DNS lookup, you must define hostname variables that are mapped to consumer Layer 3 IP addresses.

What's next