This is not officially supported Google product documentation. The code creates a secure demo environment for Vertex AI Workbench; it is not built for production workloads.
The demo uses Terraform to set up Vertex AI Workbench network security in a project, together with the underlying infrastructure, using Google Cloud services such as Vertex AI, Secure Web Proxy, VPC Service Controls, Cloud Firewall, Identity and Access Management, Compute Engine and Cloud Logging.
The image below describes the architecture of the CSA Vertex AI Workbench demo, which deploys a secure Workbench instance for development purposes.
Main resources:
- Two projects (Vertex AI and Data)
- Secure Web Proxy that permits egress only to an allow-list of domains
- Firewall rules that allow only permitted traffic and deny known-bad IPs and domains based on threat intelligence
- Two VPC Service Controls perimeters, one per project, with explicit ingress and egress rules
- Private access for Google APIs
- Vertex AI Workbench instance
- Optional: Cloud Firewall Plus endpoint with server and client Compute Engine instances
The following steps should be executed in Cloud Shell in the Google Cloud Console.
Grant the user running Terraform the following roles:
- Access Context Manager Editor
- Billing Account User
- Compute Network Admin
- DNS Administrator
- Folder Creator
- Organization Policy Administrator
- Project Creator
Clone this GitHub repository and change into the root of the repository:
```shell
git clone https://github.com/GCP-Architecture-Guides/GenAI-vertex-security.git
cd GenAI-vertex-security
```
From the root folder of this repo, export the input variables and run Terraform. The list-typed variables are quoted so the shell does not treat the brackets as a glob pattern, and the Firewall Plus toggle is a plain boolean:
```shell
export TF_VAR_organization_id=[YOUR_ORGANIZATION_ID]
export TF_VAR_billing_account=[YOUR_BILLING_ID]
export TF_VAR_vpc_sc_users='["user:[email protected]"]'
export TF_VAR_instance_owners='["[email protected]"]'
export TF_VAR_firewall_ips_enabled=false   ## Default is false; set it to true to enable Firewall Plus resources
terraform init
terraform apply
terraform apply -refresh-only
```
To find your organization id, run the following command and read the id of the row whose type is `organization`:
```shell
gcloud projects get-ancestors [ANY_PROJECT_ID]
```
Note: All other variables are given a default value. If you wish to change one, update the corresponding variable in the variable.tf file.
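As an added pre-flight check (not part of this repository), the script below extracts the organization id from the output of `gcloud projects get-ancestors` and validates each exported `TF_VAR_*` value before `terraform apply` runs, so a malformed principal list or a list-wrapped boolean fails here rather than part-way through a deployment. The ancestors table is a constructed sample with made-up ids, and the accepted formats (numeric organization id, `XXXXXX-XXXXXX-XXXXXX` billing id, `user:`/`group:`/`serviceAccount:` prefixes for VPC-SC principals) are assumptions for illustration, not values taken from the repository.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the TF_VAR_* inputs used by this demo. Not part of
# the repository; formats below are assumptions for illustration.

# Read a `gcloud projects get-ancestors` ID/TYPE table from stdin and print the
# id of the "organization" row.
org_id_from_ancestors() {
  awk '$2 == "organization" { print $1; exit }'
}

# Validate one TF_VAR_* value. Returns 0 when acceptable, 1 otherwise.
validate_tf_var() {
  name="$1"; value="$2"
  case "$name" in
    TF_VAR_organization_id)
      # Organization ids are numeric.
      printf '%s' "$value" | grep -Eq '^[0-9]+$' ;;
    TF_VAR_billing_account)
      # Billing account ids look like XXXXXX-XXXXXX-XXXXXX (upper-case hex groups).
      printf '%s' "$value" | grep -Eq '^[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$' ;;
    TF_VAR_vpc_sc_users)
      # Terraform list of principals, each carrying a type prefix (assumed set).
      printf '%s' "$value" | grep -Eq '^\[("(user|serviceAccount|group):[^"]+"(, *)?)+\]$' ;;
    TF_VAR_instance_owners)
      # Terraform list of e-mail addresses without a type prefix.
      printf '%s' "$value" | grep -Eq '^\[("[^"@]+@[^"@]+"(, *)?)+\]$' ;;
    TF_VAR_firewall_ips_enabled)
      # A bare boolean; a bracketed value such as [false] is rejected.
      [ "$value" = "true" ] || [ "$value" = "false" ] ;;
    *)
      return 1 ;;
  esac
}

# Check that every required variable is exported and well-formed. Prints the
# first problem to stderr and returns 1; returns 0 when everything passes.
preflight() {
  for name in TF_VAR_organization_id TF_VAR_billing_account \
              TF_VAR_vpc_sc_users TF_VAR_instance_owners; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing: $name" >&2; return 1
    fi
    if ! validate_tf_var "$name" "$value"; then
      echo "malformed: $name=$value" >&2; return 1
    fi
  done
  # The Firewall Plus toggle is optional and defaults to false when unset.
  if ! validate_tf_var TF_VAR_firewall_ips_enabled "${TF_VAR_firewall_ips_enabled:-false}"; then
    echo "malformed: TF_VAR_firewall_ips_enabled" >&2; return 1
  fi
  return 0
}

# Constructed sample of `gcloud projects get-ancestors` output (ids are made up).
SAMPLE_ANCESTORS='ID              TYPE
demo-project    project
111111111111    folder
222222222222    organization'

# Run with --demo to see the check against constructed values; in real use,
# replace the sample with `gcloud projects get-ancestors <project>` output.
if [ "${1:-}" = "--demo" ]; then
  TF_VAR_organization_id=$(printf '%s\n' "$SAMPLE_ANCESTORS" | org_id_from_ancestors)
  export TF_VAR_organization_id
  export TF_VAR_billing_account='ABCDEF-012345-6789AB'
  export TF_VAR_vpc_sc_users='["user:alice@example.com"]'
  export TF_VAR_instance_owners='["alice@example.com"]'
  if preflight; then
    echo "pre-flight OK for organization $TF_VAR_organization_id; run: terraform init && terraform apply"
  fi
fi
```

Source the file in Cloud Shell after exporting the variables and call `preflight` before `terraform init`; a non-zero return means one of the inputs needs fixing.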
To remove the demo environment, run the following command from the root folder of this repo:
```shell
terraform destroy
```
Note: If you get an error while destroying, it is likely due to a delay in the VPC-SC destruction rollout. Execute `terraform destroy` again to continue the clean-up.