Private Access to GCP AI Services within Serverless Environments

Question

Pulumi · Accepted Answer

In order to set up private access to Google Cloud Platform (GCP) AI services within serverless environments, we can use Google Cloud Functions, which is a serverless execution environment for building and connecting cloud services, along with VPC Network Peering and Serverless VPC Access.

VPC Network Peering allows private connectivity across two VPC networks regardless of whether they belong to the same project or the same organization. By setting up VPC Network Peering, you can connect your serverless VPC to the Google services VPC that hosts AI services.

Serverless VPC Access enables you to create a connection between your serverless environment and your VPC network, which allows your serverless environment to communicate with resources in your VPC network using internal IPs.

Here are the steps and an example Pulumi program in Python to set up this configuration:

1. Ensure that the VPC network and subnets are set up.
2. Enable the necessary Google Cloud APIs for AI Services, VPC Network, and Cloud Functions.
3. Create a Serverless VPC Access connector that connects the Cloud Functions (or other serverless services) to your VPC network.
4. Deploy a Cloud Function within the same region as your VPC network and Serverless VPC Access Connector.
5. Ensure that your VPC network has Private Google Access enabled to allow the Cloud Function to access Google services via an internal IP.

Below is a program that sets up a serverless environment with private access to GCP AI services:

```python
import pulumi
import pulumi_gcp as gcp

# Set the project and the region for the resources
project_id = "your-gcp-project-id"
region = "us-central1"  # Example region - choose the one that suits your needs

# Enable necessary GCP services for Cloud Functions and VPC Connectivity
gcp.services.Service("enable-cloudfunctions-service",
    service="cloudfunctions.googleapis.com")

gcp.services.Service("enable-vpcaccess-service",
    service="vpcaccess.googleapis.com")

# Create a VPC network if it doesn't exist
network = gcp.compute.Network("private-network",
    auto_create_subnetworks=False)

# Create a subnet for the VPC network with Private Google Access enabled
subnet = gcp.compute.Subnetwork("private-subnet",
    ip_cidr_range="10.0.0.0/24",        # Example range - choose a range that does not overlap with your existing networks
    region=region,
    network=network.id,
    private_ip_google_access=True)       # Enable access to Google services without assigning external IP addresses

# Create a Serverless VPC Access Connector to connect serverless environment to the VPC
vpc_connector = gcp.vpcaccess.Connector("serverless-connector",
    region=region,
    network=network.id,
    ip_cidr_range="10.8.0.0/28")        # Example range - choose a range that does not overlap with your existing networks

# Deploy a Google Cloud Function that connects to the VPC network privately
cloud_function = gcp.cloudfunctions.Function("private-ai-function",
    runtime="python37",                  # Choose your preferred runtime
    available_memory_mb=256,
    source_archive_bucket=gcp.storage.Bucket("cloud-function-source-bucket").name,
    source_archive_object=gcp.storage.BucketObject("source-archive",
        bucket=gcp.storage.Bucket("cloud-function-source-bucket").name,
        source=pulumi.FileAsset("path-to-your-source-zip-file")).name,
    entry_point="your_function_entrypoint",
    trigger_http=True,
    vpc_connector=vpc_connector.id,
    service_account_email=gcp.serviceaccount.Account("cloud-function-sa",
        account_id="cloud-function-sa",
        display_name="Cloud Function Service Account").email)

# Export the URL of the deployed Cloud Function
pulumi.export("function_url", cloud_function.https_trigger_url)
```

In this program:
- We enable the service APIs that are required for Cloud Functions and VPC Access.
- We define a new VPC network (`private-network`) and a subnet (`private-subnet`) that has Private Google Access enabled, which allows the function to access Google services without external IPs.
- We set up a Serverless VPC Access Connector (`serverless-connector`) which lets the cloud functions connect to the VPC network.
- We create a Google Cloud Function (`private-ai-function`) that is connected to the VPC via the specified VPC connector. The functions inside it have access to GCP AI services using the private IPs facilitated by the Serverless VPC Access Connector.
- The `service_account_email` attribute in the Cloud Function resource specifies the service account that the function will run as. This service account must have the necessary IAM permissions to access the AI services you plan to utilize.
- The source code for the Cloud Function is provided as a zip file in a Google Cloud Storage bucket, specified as `source_archive_bucket` and `source_archive_object`.
- The function's entry point is defined as `your_function_entrypoint`, which should match the name of the function within your code.
- Finally, we export the HTTPS trigger URL of the deployed Cloud Function to test and invoke it.

Be sure to replace placeholders (like `"your-gcp-project-id"`, `"path-to-your-source-zip-file"`, and `"your_function_entrypoint"`) with actual values that are relevant to your GCP setup. Also, you'll need to have the source zip file of your cloud function code already prepared and stored in a GCS bucket.