Skip to main content
This guide is for enterprise customers who want to connect to GCP Vertex AI privately from their GCP Runner. If you’re using Ona Intelligence, this configuration is not required.

AI Model Support

The GCP Runner currently supports the following AI model providers:
  • Anthropic - Claude models via Anthropic API
  • Google Vertex AI - Gemini and other models via Vertex AI API
  • Ona Intelligence - All supported models through Ona’s managed AI service (recommended)
When using Ona Intelligence, you don’t need to configure private connectivity to Vertex AI or Anthropic. Ona Intelligence provides a unified interface to multiple AI providers with built-in security and compliance features.

Overview

Private Service Connect (PSC) endpoints allow you to access Google Vertex AI services from your GCP Runner without traffic leaving your VPC network. This provides enhanced security and compliance for AI workloads running in your development environments.

Benefits

  • Private connectivity: All traffic to Vertex AI stays within your VPC network
  • No external IPs: Access Vertex AI using internal IP addresses
  • Network isolation: Traffic never traverses the public internet
  • Compliance: Meet regulatory requirements for data residency and network isolation

Architecture

When you configure Private Service Connect endpoints for Vertex AI:
  1. A consumer endpoint is created in your VPC network
  2. The endpoint uses an internal IP address from your subnet
  3. Traffic from your GCP Runner to Vertex AI is routed through the PSC endpoint
  4. Google performs network address translation (NAT) to route requests to Vertex AI services

Prerequisites

Before configuring Private Service Connect endpoints for Vertex AI, ensure you have:
  1. GCP Runner deployed - Follow the Setup guide to deploy your runner
  2. Vertex AI API enabled in your GCP project
  3. Subnet with available IPs - You’ll need IP addresses for PSC endpoints
  4. IAM permissions to create forwarding rules and manage Private Service Connect

Configuration Methods

You can configure Private Service Connect endpoints for Vertex AI using either the Google Cloud Console (UI) or the gcloud CLI.

Step 1: Navigate to Private Service Connect

  1. Open the Google Cloud Console
  2. Navigate to Network servicesPrivate Service Connect
  3. Click on the Connected endpoints tab
  4. Click Connect endpoint

Step 2: Configure the Endpoint

  1. Target: Select Published service
  2. Target service: Enter the Vertex AI service attachment for your region: 
    projects/cloud-ai-platform-public/regions/REGION/serviceAttachments/vertex-ai-api
    Replace REGION with your GCP Runner’s region (e.g., us-central1)
  3. Endpoint name: Provide a descriptive name (e.g., vertex-ai-psc-endpoint)
  4. Network: Select your VPC network (the same network where your GCP Runner is deployed)
  5. Subnetwork: Select the subnet where you want to allocate the endpoint IP
    • This should be the same subnet as your runner or a routable subnet
    • Ensure the subnet has available IP addresses
  6. IP address: Choose how to assign the IP:
    • Automatic: Let Google Cloud assign an available IP
    • Manual: Specify a specific IP address from the subnet range
  7. Enable global access (optional): Enable if you need to access the endpoint from other regions
  8. Click Add endpoint

Step 3: Verify the Endpoint

  1. Wait for the endpoint to be created (typically 2-5 minutes)
  2. Note the IP address assigned to the endpoint
  3. Verify the status shows as Accepted

Method 2: Using gcloud CLI

Step 1: Set Environment Variables

# Set your project and region
export PROJECT_ID="your-gcp-project-id"
export REGION="us-central1"
export NETWORK="your-company-vpc"
export SUBNET="dev-environments-subnet"
export ENDPOINT_NAME="vertex-ai-psc-endpoint"

Step 2: Create the PSC Endpoint

# Create the Private Service Connect endpoint
gcloud compute forwarding-rules create $ENDPOINT_NAME \
  --project=$PROJECT_ID \
  --region=$REGION \
  --network=$NETWORK \
  --subnet=$SUBNET \
  --address="" \
  --target-service-attachment=projects/cloud-ai-platform-public/regions/$REGION/serviceAttachments/vertex-ai-api

Step 3: Get the Endpoint IP Address

# Retrieve the assigned IP address
gcloud compute forwarding-rules describe $ENDPOINT_NAME \
  --project=$PROJECT_ID \
  --region=$REGION \
  --format="get(IPAddress)"
Save this IP address for DNS configuration.

DNS Configuration

To use the Private Service Connect endpoint, you need to configure DNS to resolve Vertex AI API hostnames to your PSC endpoint IP address. Create a Cloud DNS private zone to override Vertex AI API DNS resolution: 
# Create a private DNS zone
gcloud dns managed-zones create vertex-ai-private-zone \
  --project=$PROJECT_ID \
  --description="Private DNS zone for Vertex AI PSC" \
  --dns-name="googleapis.com." \
  --networks=$NETWORK \
  --visibility=private

# Add DNS record for Vertex AI API
gcloud dns record-sets create $REGION-aiplatform.googleapis.com. \
  --project=$PROJECT_ID \
  --zone=vertex-ai-private-zone \
  --type=A \
  --ttl=300 \
  --rrdatas="PSC_ENDPOINT_IP"
Replace PSC_ENDPOINT_IP with the IP address from the previous step.

Option 2: Custom DNS Server

If you’re using a custom DNS server in your VPC:
  1. Add an A record for REGION-aiplatform.googleapis.com pointing to your PSC endpoint IP
  2. Ensure your GCP Runner VMs use this DNS server

Firewall Configuration

Ensure your VPC firewall rules allow traffic from your GCP Runner subnet to the PSC endpoint: 
# Create firewall rule to allow traffic to PSC endpoint
gcloud compute firewall-rules create allow-vertex-ai-psc \
  --project=$PROJECT_ID \
  --network=$NETWORK \
  --direction=EGRESS \
  --priority=1000 \
  --action=ALLOW \
  --rules=tcp:443 \
  --destination-ranges="PSC_ENDPOINT_IP/32" \
  --target-tags=gitpod-runner
Replace PSC_ENDPOINT_IP with your endpoint IP address.

Verification

Test Connectivity

From a development environment or runner VM, test connectivity to Vertex AI through the PSC endpoint: 
# Test DNS resolution
nslookup $REGION-aiplatform.googleapis.com

# Expected output should show your PSC endpoint IP

# Test HTTPS connectivity
curl -I https://$REGION-aiplatform.googleapis.com/v1/projects/$PROJECT_ID/locations/$REGION/publishers/google/models

Verify Traffic Routing

Check that traffic is routing through the PSC endpoint: 
# View PSC endpoint metrics in Cloud Console
gcloud compute forwarding-rules describe $ENDPOINT_NAME \
  --project=$PROJECT_ID \
  --region=$REGION

Regional Endpoints

Vertex AI service attachments are regional. You must create a PSC endpoint in the same region as your GCP Runner:
RegionService Attachment
us-central1projects/cloud-ai-platform-public/regions/us-central1/serviceAttachments/vertex-ai-api
us-east1projects/cloud-ai-platform-public/regions/us-east1/serviceAttachments/vertex-ai-api
us-west1projects/cloud-ai-platform-public/regions/us-west1/serviceAttachments/vertex-ai-api
europe-west1projects/cloud-ai-platform-public/regions/europe-west1/serviceAttachments/vertex-ai-api
europe-west4projects/cloud-ai-platform-public/regions/europe-west4/serviceAttachments/vertex-ai-api
asia-southeast1projects/cloud-ai-platform-public/regions/asia-southeast1/serviceAttachments/vertex-ai-api
For other regions, follow the pattern: projects/cloud-ai-platform-public/regions/REGION/serviceAttachments/vertex-ai-api

Cost Considerations

Private Service Connect endpoints incur charges:
  • PSC endpoint: ~$0.01 per hour per endpoint
  • Data processing: ~$0.01 per GB processed through the endpoint
For detailed pricing, see Private Service Connect pricing.

Next Steps

Additional Resources