About accessing Vertex AI services through Private Service Connect endpoints

Some Vertex AI service producers require you to connect to their services through Private Service Connect endpoints. These services are listed in the Vertex AI access methods table. They support unidirectional communication from a service consumer's on-premises, multicloud, and VPC workloads to Google-managed Vertex AI services. Clients connect to the endpoint by using internal IP addresses. Private Service Connect performs network address translation (NAT) to route requests to the service.

Service consumers can use their own internal IP addresses to access these Vertex AI services without leaving their VPC networks or using external IP addresses by creating a consumer endpoint. The endpoint connects to services in another VPC network using a Private Service Connect forwarding rule.

On the service producer's side of the private connection, there is a VPC network where your service resources are provisioned. This network is created exclusively for you and contains only your resources.

The following diagram shows a Vector Search architecture in which the Vector Search API is enabled and managed in a service project (serviceproject) as part of a Shared VPC deployment. The Vector Search Compute Engine resources are deployed as a Google-managed Infrastructure-as-a-Service (IaaS) in the service producer's VPC network.

Private Service Connect endpoints are deployed in the service consumer's VPC network (hostproject) for index query, in addition to Private Service Connect endpoints for Google APIs for private index creation.

For more information, see Private Service Connect endpoints.

image

Before you configure Private Service Connect endpoints, learn about access considerations.

Private Service Connect endpoint deployment options

A Private Service Connect service attachment is generated from the producer service (such as Vertex AI). As a consumer, you can gain access to the service producer by deploying a consumer endpoint in one or more VPC networks.

Deployment considerations

The following sections discuss considerations for communication from your on-premises, multicloud, and VPC workloads to Google-managed Vertex AI services.

Private Service Connect backends

Google does not support using Private Service Connect backends with Vertex AI online prediction endpoints.

IP advertisement

  • When you use Private Service Connect to connect to services in another VPC network, you choose an IP address from a regular subnet in your VPC network.

  • By default, the Cloud Router will advertise regular VPC subnets unless custom advertisement mode is configured. For more information, see Custom advertisement mode.

  • The IP address for the consumer endpoint must be in the same region as the service producer's service attachment. For more information, see Service attachments and Access published services through endpoints.

Firewall rules

You must update the firewall rules for the VPC network that connects your on-premises and multicloud environments to Google Cloud to allow egress traffic to the Private Service Connect endpoint subnet. For more information, see Firewall rules.