Gemini Enterprise Agent Platform supports enterprise networking options for accessing Gemini Enterprise Agent Platform endpoints and services that help you:
- Safely access your Gemini Enterprise Agent Platform resources from an on-premises or multi cloud environment.
- Protect your Gemini Enterprise Agent Platform artifacts from exfiltration.
- Configure network traffic for your Gemini Enterprise Agent Platform resources.
This page is intended for enterprise networking architects and administrators who are already familiar with Google Cloud networking concepts.
Public access for Gemini Enterprise Agent Platform
Gemini Enterprise Agent Platform services that are accessible from the internet
have a checkmark
in the Public internetcolumn of the Accessing Gemini Enterprise Agent Platform from on-premises and multi cloud
table. The APIs for these services resolve to the fully
qualified domain name REGION
-aiplatform.googleapis.com
, which returns publicly
routable IP addresses.
Private access options for Gemini Enterprise Agent Platform
Gemini Enterprise Agent Platform supports the following options for accessing Gemini Enterprise Agent Platform endpoints and services privately, without assigning external IP addresses to your Google Cloud resources:
- Gemini Enterprise Agent Platform deployed with Private Service Connect (PSC)
enables secure, private,
and explicit access to Gemini Enterprise Agent Platform services, eliminating the need for
complex configurations like VPC peering that result in peered
network route table exchange and IP address allocation. This makes it easier
to connect to services. It's a key solution for both service consumers and
producers, simplifying network management and enhancing security.
Private Service Connect
offers the following features:
- PSC Endpoints: A consumer can create a forwarding rule in their VPC that references the service attachment. This creates a private IP address within their network, allowing internal resources (like VMs) and cross-cloud clients over hybrid networking to access Gemini Enterprise Agent Platform.
- PSC Backends: A consumer can use a PSC network endpoint group (NEG) as a backend for an internal or external regional load balancer. This unlocks load balancer features such as:
- Logging and monitoring of ingress traffic
- Traffic management
- Google Cloud Armor integration
- Transitivity over VPC peering
- Private Service Connect endpoints for Google APIs let your Google Cloud resources or on-premises systems connect to an endpoint in your VPC network, which forwards requests to Google APIs and services.
- Private Google Access
:
- Lets your Google Cloud resources connect to the standard external IP addresses or Private Google Access domains and virtual IP (VIP) addresses for Google APIs and services through the VPC network's default internet gateway.
- Lets your on-premises hosts connect to Google APIs and services through a Cloud VPN tunnel or VLAN attachment by using one of the Private Google Access-specific domains and VIPs .
- Gemini Enterprise Agent Platform deployed with private services access (PSA)
enables a private connection between your Virtual Private Cloud (VPC) network and
service producer's (Gemini Enterprise Agent Platform) VPC network.
The underlying infrastructure of private services access is VPC
peering between the consumer and producer network, allowing route exchange
between the networks.
Following are features and limitations of private services access (PSA):
- PSA is built on top of VPC Network Peering. When you set up PSA, Google Cloud establishes a peering connection between your VPC network and the service producer's VPC network.
- A key requirement of PSA is that you, the service consumer, must allocate a dedicated internal IP address range for the service producer's use. This range is reserved and cannot be used in your own VPC, which helps prevent IP address conflicts.
- Once the connection is established, the service producer provisions your requested resources within their own VPC network, using an IP address from the address range you allocated. These resources are isolated to your project.
- VPC peering is not transitive.
- Private Service Connect, through endpoints, backends, or an interface, provides significant enhancements compared to private services access, including network transitivity and lower consumption of IP addresses. Therefore, Private Service Connect is the recommended solution.
- Gemini Enterprise Agent Platform deployed with PSC interface enables traffic flows from the service producer's (Gemini Enterprise Agent Platform) network out to the consumer's network. This is useful for scenarios where a managed service needs to interact with resources in the customer's VPC, on-premises, or multicloud networks.
Gemini Enterprise Agent Platform access methods
The following table shows the supported access methods for connecting from on-premises and multi cloud environments to Gemini Enterprise Agent Platform services. In this table, a checkmark indicates that an access method is supported. For more information about using an access method with a specific Gemini Enterprise Agent Platform service, click the Learn more link.
| Gemini Enterprise Agent Platform product | Public internet | Private Service Connect for Google APIs | Private Google Access | Private services access | Private Service Connect endpoint | Private Service Connect interface |
|---|---|---|---|---|---|---|
|
Batch inferences
|
||||||
|
Datasets
|
||||||
|
Vertex AI Feature Store (Bigtable online serving)
|
||||||
|
Learn more |
||||||
|
Claude / Anthropic on Agent Platform
|
||||||
|
Generative AI on Gemini Enterprise Agent Platform (Gemini)
|
||||||
|
Model Registry
|
||||||
|
Online inference - dedicated public endpoint
|
||||||
|
Online inference - shared public endpoint
|
||||||
|
Online inference - dedicated private endpoint
|
Learn more |
|||||
|
Online inference - private endpoint
|
Learn more |
|||||
|
Vector Search (index creation)
|
||||||
|
Vector Search (index query)
|
Learn more |
|||||
|
Ray on Vertex AI (data plane)
|
Learn more |
|||||
|
Vertex AI Pipelines, custom training, Ray on Vertex AI (control plane)
|
||||||
|
Custom training (data plane)
|
Learn more |
Learn more |
||||
|
Vertex AI Pipelines
|
Learn more |
|||||
|
Agent Runtime
|
Learn more |
Securing your Gemini Enterprise Agent Platform resources
To reduce the risk of data exfiltration for your Gemini Enterprise Agent Platform resources, you can place them within a service perimeter using VPC Service Controls.
- To understand VPC Service Controls, see Overview of VPC Service Controls .
- For detailed guidance, see VPC Service Controls with Gemini Enterprise Agent Platform .
- To understand costs, review pricing .
What's next
- Learn how to Set up VPC Network Peering for Gemini Enterprise Agent Platform.
- Learn how to Set up connectivity from Gemini Enterprise Agent Platform to Other Networks .
- For general guidance and best practices for configuring your VPC networks, see Connecting multiple VPC networks .
-
Learn more about using Google Cloud Network Connectivity products such as Cloud VPN, Cloud Interconnect, and Cloud Router to connect your non-Google Cloud (on-premises or multi cloud) network to a Google Cloud Virtual Private Cloud (VPC) host network.
