Use an instance within a service perimeter
This page describes how to use VPC Service Controls to set up a Vertex AI Workbench instance within a service perimeter.
Before you begin
Read the Overview of VPC Service Controls.
Create a Vertex AI Workbench instance. This instance is not within a service perimeter yet.
Create a service perimeter using VPC Service Controls. This service perimeter protects the Google-managed resources of services that you specify. While creating your service perimeter, do the following:
When it's time to add projects to your service perimeter, add the project that contains your Vertex AI Workbench instance.
When it's time to add services to your service perimeter, add the Notebooks API.
If you have created your service perimeter without adding the projects and services you need, see Managing service perimeters to learn how to update your service perimeter.
Configure your DNS entries using Cloud DNS
Vertex AI Workbench instances use several domains that a Virtual Private Cloud network doesn't handle by default. To ensure that your VPC network correctly handles requests sent to those domains, use Cloud DNS to add DNS records. For more information about VPC routes, see Routes.
To create a managed zone for a domain, add a DNS entry that will route the request, and execute the transaction, complete the following steps. Repeat these steps for each of several domains that you need to handle requests for, starting with *.notebooks.googleapis.com.
In Cloud Shell or any environment where the Google Cloud CLI is installed, enter the following Google Cloud CLI commands.
To create a private managed zone for one of the domains that your VPC network needs to handle:
    gcloud dns managed-zones create ZONE_NAME \
        --visibility=private \
        --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \
        --dns-name=DNS_NAME \
        --description="Description of your managed zone"
Replace the following:
ZONE_NAME: a name for the zone to create. You must use a separate zone for each domain. This zone name is used in each of the following steps.
PROJECT_ID: the ID of the project that hosts your VPC network.
NETWORK_NAME: the name of the VPC network that you created earlier.
DNS_NAME: the part of the domain name that comes after the *., with a period on the end. For example, *.notebooks.googleapis.com has a DNS_NAME of notebooks.googleapis.com.
Start a transaction.
    gcloud dns record-sets transaction start --zone=ZONE_NAME
Add the following DNS A record. This reroutes traffic to Google's restricted IP addresses.
    gcloud dns record-sets transaction add \
        --name=DNS_NAME. \
        --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
        --zone=ZONE_NAME \
        --ttl=300
Add the following DNS CNAME record to point to the A record that you just added. This redirects all traffic matching the domain to the IP addresses listed in the previous step.
    gcloud dns record-sets transaction add \
        --name="*.DNS_NAME." \
        --type=CNAME DNS_NAME. \
        --zone=ZONE_NAME \
        --ttl=300
Execute the transaction.
    gcloud dns record-sets transaction execute --zone=ZONE_NAME
Repeat these steps for each of the following domains. For each repetition, change ZONE_NAME and DNS_NAME to the appropriate values for that domain. Keep PROJECT_ID and NETWORK_NAME the same each time. You already completed these steps for *.notebooks.googleapis.com.
*.notebooks.googleapis.com
*.notebooks.cloud.google.com
*.notebooks.googleusercontent.com
*.googleapis.com (to run code that interacts with other Google APIs and services)
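The zone-and-record procedure above, scripted for all four domains as an added example (this is not the page's own code): PROJECT_ID and NETWORK_NAME are placeholders, zone names are derived by replacing dots with hyphens (an assumption, any unique names work), and with the default DRY_RUN=1 the script only prints the gcloud commands it would run.

```shell
#!/bin/sh
# Assumptions not taken from the page: placeholder project/network names,
# dot-to-hyphen zone naming, and DRY_RUN=1 (print only) as the default.
PROJECT_ID="${PROJECT_ID:-my-project}"   # placeholder
NETWORK_NAME="${NETWORK_NAME:-my-vpc}"   # placeholder
DRY_RUN="${DRY_RUN:-1}"
# restricted.googleapis.com VIPs (199.36.153.4/30), as listed on the page
RESTRICTED_VIPS="199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7"

# Strip the leading "*.": *.notebooks.googleapis.com -> notebooks.googleapis.com
dns_name_for() { printf '%s' "${1#\*.}"; }
# Derive a zone name: *.notebooks.googleapis.com -> notebooks-googleapis-com
zone_name_for() { dns_name_for "$1" | tr '.' '-'; }

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the private zone and the A/CNAME records for one wildcard domain.
configure_domain() {
  domain="$1"
  dns="$(dns_name_for "$domain")"
  zone="$(zone_name_for "$domain")"
  run gcloud dns managed-zones create "$zone" \
    --visibility=private \
    --networks="https://www.googleapis.com/compute/v1/projects/$PROJECT_ID/global/networks/$NETWORK_NAME" \
    --dns-name="$dns." \
    --description="Routes $domain to restricted.googleapis.com"
  run gcloud dns record-sets transaction start --zone="$zone"
  # Zone apex A record pointing at the restricted VIPs (word-split on purpose)
  run gcloud dns record-sets transaction add $RESTRICTED_VIPS \
    --name="$dns." --type=A --zone="$zone" --ttl=300
  # Wildcard CNAME so every subdomain resolves through that A record
  run gcloud dns record-sets transaction add "$dns." \
    --name="*.$dns." --type=CNAME --zone="$zone" --ttl=300
  run gcloud dns record-sets transaction execute --zone="$zone"
}

for d in '*.notebooks.googleapis.com' '*.notebooks.cloud.google.com' \
         '*.notebooks.googleusercontent.com' '*.googleapis.com'; do
  configure_domain "$d"
done
```

Run with DRY_RUN=0 once the printed commands look right for your project.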
Configure the service perimeter
After configuring the DNS records, either create a service perimeter or update an existing perimeter to add your project to the service perimeter.
In the VPC network, add a route for the 199.36.153.4/30 range with a next hop of Default internet gateway.
The 199.36.153.4/30 range is for restricted.googleapis.com to access APIs that are only VPC Service Controls compatible. If you aren't using VPC Service Controls, you can use the 199.36.153.8/30 range for private.googleapis.com. For more information about Private Google Access, see Configure Private Google Access.
Use Artifact Registry within your service perimeter
If you want to use Artifact Registry in your service perimeter, see Configure restricted access for GKE private clusters.
Use Shared VPC
If you are using Shared VPC, you must add the host and the service projects to the service perimeter. In the host project, you must also grant the Compute Network User (roles/compute.networkUser) role to the Notebooks Service Agent from the service project. For more information, see Manage service perimeters.
Access your Vertex AI Workbench instance
To open a Jupyter notebook on your new instance:
In the Google Cloud console, go to the Instances page.
Next to your instance's name, click Open JupyterLab.
In JupyterLab, select File > New > Notebook.
In the Select kernel dialog, choose a kernel, and then click Select.
Your new notebook file opens.
Limitations
The following limitations apply when using VPC Service Controls with Vertex AI Workbench:
Identity type for ingress and egress policies
When you specify an ingress or egress policy for a service perimeter, you can't use ANY_SERVICE_ACCOUNT or ANY_USER_ACCOUNT as an identity type for all Vertex AI Workbench operations.
Instead, use ANY_IDENTITY as the identity type.
Accessing the Vertex AI Workbench proxy from a workstation without internet
To access Vertex AI Workbench instances from a workstation with limited internet access, verify with your IT administrator that you can access the following domains:
*.accounts.google.com
*.accounts.youtube.com
*.googleusercontent.com
*.kernels.googleusercontent.com
*.gstatic.com
*.notebooks.cloud.google.com
*.notebooks.googleapis.com
You must have access to these domains for authentication to Google Cloud. See the previous section, Configure your DNS entries using Cloud DNS, for further configuration information.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.