Hey , have not tested but to answer your questions directly based on Google Cloud’s official architecture for Vertex AI Agent Engine:
Tenant VPC and Egress Routing: Yes, your agents are deployed within a secure, Google-managed tenant project by default. To force the outbound traffic through your own network instead of the generic Google egress, you must configure a Private Service Connect interface (PSC-I). This creates a secure bridge by provisioning an interface in the Google-owned tenant that connects directly to a network attachment in your VPC.
Static Outbound IP: Yes, there is a fully supported architecture for this. When you route the agent’s traffic into your VPC via PSC-I, it loses its default public internet access. To reach your Global External Load Balancer, you need to build an explicit egress path:
Deploy a dedicated Proxy VM or a Secure Web Proxy (SWP) within your VPC to receive the traffic from the PSC connection.
Route the outbound traffic from this Proxy through a Cloud NAT gateway.
In your Cloud NAT configuration, change the IP address allocation from “Automatic” to “Manual” and assign your own reserved static external IP addresses.
By using this Agent Engine → PSC-I → Proxy VM → Cloud NAT (with Manual IP) pipeline, all outbound traffic from your Gemini Enterprise agents will hit your Global External Load Balancer originating from that exact static IP ?