Private Service Connect allows private consumption of servicesacross VPC networks that belong to different groups, teams, projects,and organizations. You can publish and consume services using IP addresses thatyou define and that are internal to your VPC network, and forVector Search endpoints to perform vector similarity searches.

Enabling Private Service Connect on a Vector Searchendpoint is suited for use cases that:

1. Require low latency and a secure connection to Vector Searchserving backends.
2. Have limited IP space for exclusive VPC peering reservation.
3. Need to access the serving backends from multiple user VPC networks.

To learn more about setting up Private Service Connect, go toPrivate Service Connect Overview in theVirtual Private Cloud (VPC) documentation.

Create the index endpoint

You must enable Private Service Connect when you create your endpoint.This procedure is similar to creating other endpoints in Vertex AI.

PROJECT=PROJECT_IDVPC_PROJECT=VPC_PROJECT_IDREGION=us-central1VERTEX_ENDPOINT=REGION-aiplatform.googleapis.comcurl-H"Content-Type: application/json"\-H"Authorization: Bearer `gcloud auth print-access-token`"\https://REGION-aiplatform.googleapis.com/v1/projects/PROJECT/locations/REGION/indexEndpoints\-d'{"displayName":"DISPLAY_NAME","privateServiceConnectConfig":{"enablePrivateServiceConnect":true,"projectAllowlist":["VPC_PROJECT_1","VPC_PROJECT_2","VPC_PROJECT_N"]}}

About index deployment options

You can deploy your index with automatic or manual service connectivity.

• Deploy with Private Service Connect automation:Set up a service connection policy and deploy your indexes. Setting up aservice connection policy lets you deploy to a specific network withoutcreating a compute address and forwarding rule each time.
• Deploy with manual connection: Deploy your index andmanually create a compute address and forwarding rule. You might choose thisoption if you need to use multiple IP addresses for the same service attachmentURI, although this is not a common use case.

Deploy with Private Service Connect automation

You can set up a service connection policy so that you don't have to manuallycreate a compute address and forwarding rule after each index deployment.

1. First,create a service connection policy that specifies thenetwork, service class, and region to deploy indexes to. This is aone-time setup. If you've already done this, skip to the next procedure.
2. Deploy the index.

Limitations

Automation allows only one IP address per project per network. If you need touse multiple IP addresses, seeManually deploy the index.

Create a service connection policy

You must be a network administrator to create a service connection policy forautomating index deployment.

To automate index deployment, follow these steps:

1. Create your service connection policy.

   • PROJECT: The service project where you are creatingVertex AI resources.

   • VPC_PROJECT: The project where your client VPC is. Forsingle VPC setup, this is the same as $PROJECT. ForShared VPC setup, this is the VPC host project.

   • NETWORK_NAME: The name of the network to deploy to, in theformatprojects//global/networks/.

   • REGION: The network region.

   • PSC_SUBNETS: The Private Service Connectsubnets to use.

   gcloudnetwork-connectivityservice-connection-policiescreate<policy_name>\--project=<vpc_project>--network=<network_name># in the format projects/<project_id>/global/networks/<network_name> \--service-class=gcp-vertexai--region=<region>--subnets=<pscsubnets>

2. View your service connection policy.

   gcloudnetwork-connectivityservice-connection-policieslist--project=<vpc_project>-–region=<region>

For more information about service connection policies, go toConfigure service connection policies.

Deploy the index

PROJECT=PROJECTVPC_PROJECTS=VPC_PROJECTSREGION=REGIONcurl-XPOST-H"Authorization: Bearer$(gcloudauthprint-access-token)"-H"Content-Type: application/json; charset=utf-8""https://LOCATIONAL_ENDPOINT.googleapis.com/v1/projects/PROJECT_NUMBER/locations/REGION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex"-d'{  "deployedIndex": {    "id": "DEPLOYED_INDEX_ID",    "index": "projects/PROJECT/locations/us-central1/indexes/INDEX_ID ",    "displayName": "DISPLAY_NAME",    "psc_automation_configs": [      { "project_id": "PROJECT_1", "network": "NETWORK_NAME_1" },      { "project_id": "PROJECT_2", "network": "NETWORK_NAME_2" },      { "project_id": "PROJECT_N", "network": "NETWORK_NAME_N" }]    }}'

Delete service connection policy

If you need to delete the service connection policy, run the following command:

gcloudnetwork-connectivityservice-connection-policiesdelete--project=<vpc_project>–-region=<region><policy_name>

For more information about service connection policies, go toConfigure service connection policies.

Deploy with manual connection

Deploy the index and create a forwarding rule in your VPC project.

Deploy the index

Now that the index is ready, in this step, you deploy the indexto the endpoint you created with Private Service Connect enabled.

gcloudaiindex-endpointsdeploy-indexINDEX_ENDPOINT_ID\--deployed-index-id=DEPLOYED_INDEX_ID\--display-name=DEPLOYED_INDEX_ENDPOINT_NAME\--index=INDEX_ID\--region=LOCATION\--project=PROJECT_ID

gcloudaiindex-endpointsdeploy-indexINDEX_ENDPOINT_ID`--deployed-index-id=DEPLOYED_INDEX_ID`--display-name=DEPLOYED_INDEX_ENDPOINT_NAME`--index=INDEX_ID`--region=LOCATION`--project=PROJECT_ID

gcloudaiindex-endpointsdeploy-indexINDEX_ENDPOINT_ID^--deployed-index-id=DEPLOYED_INDEX_ID^--display-name=DEPLOYED_INDEX_ENDPOINT_NAME^--index=INDEX_ID^--region=LOCATION^--project=PROJECT_ID

POST https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex

{ "deployedIndex": {   "id": "DEPLOYED_INDEX_ID",   "index": "projects/PROJECT_ID/locations/LOCATION/indexes/INDEX_ID",   "displayName": "DEPLOYED_INDEX_ENDPOINT_NAME" }}

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://LOCATION-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID:deployIndex" | Select-Object -Expand Content

{ "name": "projects/PROJECT_NUMBER/locations/LOCATION/indexEndpoints/INDEX_ENDPOINT_ID/operations/OPERATION_ID", "metadata": {   "@type": "type.googleapis.com/google.cloud.aiplatform.v1.DeployIndexOperationMetadata",   "genericMetadata": {     "createTime": "2022-10-19T17:53:16.502088Z",     "updateTime": "2022-10-19T17:53:16.502088Z"   },   "deployedIndexId": "DEPLOYED_INDEX_ID" }}

provider"google"{region="us-central1"}resource"google_vertex_ai_index_endpoint_deployed_index""default"{depends_on=[google_vertex_ai_index_endpoint.default]index_endpoint=google_vertex_ai_index_endpoint.default.idindex=google_vertex_ai_index.default.iddeployed_index_id="deployed_index_for_psc"}resource"google_vertex_ai_index_endpoint""default"{display_name="sample-endpoint"description="A sample index endpoint with Private Service Connect enabled"region="us-central1"private_service_connect_config{enable_private_service_connect=trueproject_allowlist=[data.google_project.project.project_id,]}}data"google_project""project"{}# Cloud Storage bucket name must be uniqueresource"random_id""default"{byte_length=8}# Create a Cloud Storage bucketresource"google_storage_bucket""bucket"{name="vertex-ai-index-bucket-${random_id.default.hex}"location="us-central1"uniform_bucket_level_access=true}# Create index contentresource"google_storage_bucket_object""data"{name="contents/data.json"bucket=google_storage_bucket.bucket.namecontent=<<EOF{"id":"42", "embedding": [0.5, 1.0], "restricts": [{"namespace": "class", "allow": ["cat", "pet"]},{"namespace": "category", "allow": ["feline"]}]}{"id":"43", "embedding": [0.6, 1.0], "restricts": [{"namespace": "class", "allow": ["dog", "pet"]},{"namespace": "category", "allow": ["canine"]}]}EOF}resource"google_vertex_ai_index""default"{region="us-central1"display_name="sample-index-batch-update"description="A sample index for batch update"labels={foo="bar"}metadata{contents_delta_uri="gs://${google_storage_bucket.bucket.name}/contents"config{dimensions=2approximate_neighbors_count=150distance_measure_type="DOT_PRODUCT_DISTANCE"algorithm_config{tree_ah_config{leaf_node_embedding_count=500leaf_nodes_to_search_percent=7}}}}index_update_method="BATCH_UPDATE"timeouts{create="2h"update="1h"}}

defvector_search_deploy_index(project:str,location:str,index_name:str,index_endpoint_name:str,deployed_index_id:str,)->None:"""Deploy a vector search index to a vector search index endpoint.Args:project(str):Required.ProjectIDlocation(str):Required.Theregionnameindex_name(str):Required.Theindextoupdate.Afully-qualifiedindexresourcenameoraindexID.Example:"projects/123/locations/us-central1/indexes/my_index_id"or"my_index_id".index_endpoint_name(str):Required.Indexendpointtodeploytheindexto.deployed_index_id(str):Required.TheuserspecifiedIDoftheDeployedIndex."""#InitializetheVertexAIclientaiplatform.init(project=project,location=location)#Createtheindexinstancefromanexistingindexindex=aiplatform.MatchingEngineIndex(index_name=index_name)#Createtheindexendpointinstancefromanexistingendpoint.index_endpoint=aiplatform.MatchingEngineIndexEndpoint(index_endpoint_name=index_endpoint_name)#DeployIndextoEndpointindex_endpoint=index_endpoint.deploy_index(index=index,deployed_index_id=deployed_index_id)print(index_endpoint.deployed_indexes)

Create a forwarding rule in the VPC project

After index deployment is done, the index endpoint returns a service attachmentURIinstead of an IP address. You need to create a compute address, as well asa forwarding rule in the VPC project targeting the service attachmentusing the created compute address. To create a compute address, use the following example:

gcloudcomputeaddressescreate${ADDRESS_NAME:?}\--region=${REGION:?}\--subnet=${SUBNET_NAME:?}\--project=${VPC_PROJECT:?}

To create a forwarding rule targeting the service attachment URI using the createdcompute address, use the following example:

SERVICE_ATTACHMENT_URI=`gcloudaiindex-endpointsdescribe{INDEX_ENDPOINT_ID}--format="value(deployedIndexes.privateEndpoints.serviceAttachment)"`gcloudcomputeforwarding-rulescreate${ENDPOINT_NAME:?}\--network=${NETWORK_NAME:?}\--address=${ADDRESS_NAME:?}\--target-service-attachment=${SERVICE_ATTACHMENT_URI:?}\--project=${VPC_PROJECT:?}\--region=${REGION:?}

(Optional) Create DNS record for the IP address

If you want to connect and load without memorizing the actual IP address, you cancreate a DNS record. This step is optional.

DNS_NAME_SUFFIX=matchingengine.vertexai.goog.# Don't forget the "." in the end.DNS_NAME=${INDEX_ENDPOINT_ID:?}.${REGION:?}.${DNS_NAME_SUFFIX:?}gclouddnsmanaged-zonescreate${DNS_ZONE_NAME:?}\--dns-name=${DNS_NAME_SUFFIX:?}\--visibility=private\--project=${VPC_PROJECT:?}\--region=${REGION:?}gclouddnsrecord-setscreate${DNS_NAME:?}\--rrdatas=${IP_ADDRESS:?}\--type=A--ttl=60\--zone=${DNS_ZONE_NAME:?}\--project=${VPC_PROJECT:?}\--region=${REGION:?}

Send queries to the index endpoint

Now that you've created an endpoint with Private Service Connectand created the index, you can begin running queries.

To query your index, seeQuery indexes to get nearest neighbors.

What's next

• Learn how toUpdate and rebuild your index
• Learn how toMonitor the index endpoint