Set up a Private Service Connect interface for Vertex AI resources

This guide shows how to set up a Private Service Connect interface for Vertex AI resources.

You can configure Private Service Connect interface connections for certain resources in Vertex AI, including:

Unlike VPC peering connections, Private Service Connect interface connections can be transitive, requiring fewer IP addresses in the consumer VPC network. This allows greater flexibility in connecting to other VPC networks in your Google Cloud project.

This guide is recommended for network administrators who are familiar with Google Cloud networking concepts.

Objectives

This guide covers the following tasks:

  • Configure a producer VPC network, subnet, and network attachment.
  • Add firewall rules to your Google Cloud network host project.
  • Create a Vertex AI resource specifying the network attachment to use PSC-I.

Before you begin

Use the following instructions to create or select a Google Cloud project and configure it for use with Vertex AI and Private Service Connect.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Vertex AI, Compute Engine, and Cloud Storage APIs.

    Enable the APIs

  5. Install the Google Cloud CLI.

  6. To initialize the gcloud CLI, run the following command: 

    gcloud init

  7. Update and install gcloud components:

    gcloud components update
    gcloud components install beta
    8.

  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  9. Make sure that billing is enabled for your Google Cloud project.

  10. Enable the Vertex AI, Compute Engine, and Cloud Storage APIs.

    Enable the APIs

  11. Install the Google Cloud CLI.

  12. To initialize the gcloud CLI, run the following command: 

    gcloud init

  13. Update and install gcloud components:

    gcloud components update
    gcloud components install beta
    14.
  14. If you're not the project owner, and you don't have the Project IAM Admin (roles/resourcemanager.projectIamAdmin) role, ask the owner to grant you the Compute Network Admin (roles/compute.networkAdmin) role, which includes the required roles you need to manage networking resources.
  15. Assign the Compute Network Admin role of the network host Google Cloud project to the AI Platform Service Agent account of the project where you are using Vertex AI Training services.

Set up a VPC network and subnet

In this section, you can use an existing VPC network, as long as it isn't peered with another VPC network. The following configuration steps are required only if you don't have an existing VPC network.

  1. Create a VPC network:

    gcloud compute networks create NETWORK \
    --subnet-mode=custom

    Replace NETWORK with a name for the VPC network.

  2. Create a subnet:

    gcloud compute networks subnets create SUBNET_NAME \
    --network=NETWORK \
    --range=PRIMARY_RANGE \
    --region=REGION

    Replace the following:

    • SUBNET_NAME: a name for the subnet.

    • PRIMARY_RANGE: the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges.

      Vertex AI can only reach the RFC 1918 ranges specified in the required PRIMARY_RANGE. See Valid IPv4 ranges for the list of valid RFC 1918 ranges. Vertex AI can't reach the following non-RFC 1918 ranges:

      • 100.64.0.0/10
      • 192.0.0.0/24
      • 192.0.2.0/24
      • 198.18.0.0/15
      • 198.51.100.0/24
      • 203.0.113.0/24
      • 240.0.0.0/4

    • REGION: the Google Cloud region in which the new subnet is created.

Create a network attachment and add firewall rules to your project

  1. Create a network attachment that manually accepts connections:

    gcloud compute network-attachments create NETWORK_ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_MANUAL \
    --subnets=SUBNET_NAME

    Replace NETWORK_ATTACHMENT_NAME with a name for the network attachment.

  2. Create a firewall rule that allows TCP traffic through port 22:

    gcloud compute firewall-rules create NETWORK-firewall1 \
    --network NETWORK \
    --allow tcp:22

  3. Create a firewall rule that allows TCP traffic through port 3389:

    gcloud compute firewall-rules create NETWORK-firewall2 \
    --network NETWORK \
    --allow tcp:3389

  4. Create a firewall rule that allows ICMP traffic:

    gcloud compute firewall-rules create NETWORK-firewall3 \
    --network NETWORK \
    --allow icmp

What's next