Connecting to Vertex AI Private Endpoint via AWS Site-to-Site VPN

Google Cloud Compute Infrastructure
1

I have set up a Google Cloud VPC with a Private Service Connection endpoint to Vertex AI and am trying to access it from an AWS VPC over a Site-to-Site VPN.

Is this setup possible?

Google Cloud:

Created a VPC with subnets and no internet connection.
Configured a Private Service Connection to Vertex AI.
Verified that instances inside Google Cloud can reach Vertex AI via the private endpoint.

AWS:

Created a VPC with subnets and no internet connection.
Configured a Site-to-Site VPN to Google Cloud.
AWS instances can successfully ping Google Cloud instances.

Routing:

AWS Route Table: Added a route to the private IP of the Vertex AI endpoint, directing traffic to the VPN gateway to Google Cloud.
Google Cloud Route Table: Routes AWS CIDR traffic to the VPN.

DNS:

Since the Vertex AI endpoint uses a private IP, I manually configured a DNS record in AWS to resolve the endpoint name to its private IP.

The Problem

Even though AWS instances can ping Google Cloud instances, they cannot reach Vertex AI via the private endpoint.
I want to know if Vertex AI Private Service Connection endpoints can be accessed through a Site-to-Site VPN.
If this setup should work, what am I missing in my configuration?

Additional Notes

Google Cloud instances can access Vertex AI through the private endpoint as expected.
Verified security groups/firewall rules to allow necessary traffic.

2

Hi @lumos ,

Welcome to Google Cloud Community!

Endpoints don’t respond to ping (ICMP) requests. Run the following command on the AWS instance to verify that the Private Service Connect endpoint is working.

curl -v <ENDPOINT_IP>/generate_204

You can also check this tutorial that can serve as a basis for multi-cloud and on-premises private connectivity.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

1 Like
3

Sorry for the late reply. Thank you so much for your response.

I tried using the curl command but the connection timed out rather than getting 204 response. The result is as below:
Trying <ENDPOINT_IP>:80…

I looked at the the tutorial you provided and saw that the endpoint address type of the endpoint ip is global whereas my is private. Does it make any difference? Would that help if I provide the terraform code that I wrote?