GCP Private Service Connect - GroqDocs
Private Service Connect (PSC) enables you to access Groq's API services through private network connections, eliminating exposure to the public internet. This guide explains how to set up Private Service Connect for secure access to Groq services.
Groq exposes its API endpoints in Google Cloud Platform as PSC published services. By configuring PSC endpoints, you can:
- Access Groq services through private IP addresses within your VPC
- Eliminate public internet exposure
- Maintain strict network security controls
- Minimize latency
- Reduce data transfer costs
```
   Your VPC Network                Google Cloud PSC                  Groq Network
+--------------------+          +--------------------+          +--------------------+
|                    |          |                    |          |                    |
|  +-----------+     |          |                    |          |     +-----------+  |
|  |           |     | Private  |      Service       | Internal |     |   Groq    |  |
|  |   Your    |     | 10.0.0.x |                    |          |     |   API     |  |
|  |   App     +-----+--> IP <--+-->   Connect   <---+--> LB <--+-----+  Service  |  |
|  |           |     |          |                    |          |     |           |  |
|  +-----------+     |          |                    |          |     +-----------+  |
|                    |          |                    |          |                    |
|  DNS Resolution    |          |                    |          |                    |
|  api.groq.com      |          |                    |          |                    |
|  -> 10.0.0.x       |          |                    |          |                    |
|                    |          |                    |          |                    |
+--------------------+          +--------------------+          +--------------------+
```
- A Google Cloud project with Private Service Connect enabled
- VPC network where you want to create the PSC endpoint
- Appropriate IAM permissions to create PSC endpoints and DNS zones
- Enterprise plan with Groq
- You have provided Groq with your GCP Project ID
- Groq has accepted your GCP Project ID for our Private Service Connect service
The steps below use the us region as an example. Make sure you configure your system according to the region(s) you want to use.
- Navigate to Network services > Private Service Connect in your Google Cloud Console
- Go to the Endpoints section and click Connect endpoint
- Under Target, select Published service
- For Target service, enter a published service target name.
- For Endpoint name, enter a descriptive name (e.g., `groq-api-psc`)
- Select your desired Network and Subnetwork
- For IP address, create and select an internal IP from your subnet
- Enable Global access if you need to connect from multiple regions
- Click Add endpoint and verify the status shows as Accepted
- Go to Network services > Cloud DNS in your Google Cloud Console
- Create the first zone for groq.com:
  - Click Create zone
  - Set Zone type to Private
  - Enter a descriptive Zone name (e.g., `groq-api-private`)
  - For DNS name, enter `groq.com.`
  - Create an `A` record:
    - DNS name: `api`
    - Resource record type: `A`
    - Enter your PSC endpoint IP address
  - Link the private zone to your VPC network
- Create the second zone for groqcloud.com:
  - Click Create zone
  - Set Zone type to Private
  - Enter a descriptive Zone name (e.g., `groqcloud-api-private`)
  - For DNS name, enter `groqcloud.com.`
  - Create an `A` record:
    - DNS name: `api.us`
    - Resource record type: `A`
    - Enter your PSC endpoint IP address
  - Link the private zone to your VPC network
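The endpoint and DNS steps above expressed as Terraform, as an added example that is not Groq's own configuration. Resource names and the `network` and `subnetwork` variables are assumptions; the target and DNS names are the us values from the table on this page.

```hcl
# Added example: names and variables are assumed; target and DNS names are the us values from this page's table.
variable "network"    { type = string } # full self link of your VPC network
variable "subnetwork" { type = string } # a subnet in us-central1

locals {
  region = "us-central1" # the endpoint lives in the service attachment's region
  records = {
    "groq-api-private"      = { zone = "groq.com.", host = "api.groq.com." }
    "groqcloud-api-private" = { zone = "groqcloud.com.", host = "api.us.groqcloud.com." }
  }
}

resource "google_compute_address" "groq_psc" {
  name         = "groq-api-psc-ip"
  region       = local.region
  subnetwork   = var.subnetwork
  address_type = "INTERNAL" # internal IP reserved from your subnet
}

# The PSC endpoint: a forwarding rule targeting the published service.
resource "google_compute_forwarding_rule" "groq_psc" {
  name                    = "groq-api-psc"
  region                  = local.region
  network                 = var.network
  ip_address              = google_compute_address.groq_psc.id
  target                  = "projects/groq-pe/regions/us-central1/serviceAttachments/groqcloud"
  load_balancing_scheme   = ""   # required for a service-attachment target
  allow_psc_global_access = true # only if clients sit in other regions
}

# One private zone per domain, visible only to your VPC, each with one A record.
resource "google_dns_managed_zone" "groq" {
  for_each   = local.records
  name       = each.key
  dns_name   = each.value.zone
  visibility = "private"
  private_visibility_config {
    networks { network_url = var.network }
  }
}

resource "google_dns_record_set" "groq" {
  for_each     = local.records
  managed_zone = google_dns_managed_zone.groq[each.key].name
  name         = each.value.host
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_address.groq_psc.address]
}
```

A private zone is authoritative for its whole DNS name inside the attached VPC, so other hostnames under groq.com and groqcloud.com stop resolving there unless you add records for them.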
To verify your setup:
- SSH into a VM in your VPC network
- Test DNS resolution for both endpoints:
```bash
dig +short api.groq.com
dig +short api.us.groqcloud.com
```
Both should return your PSC endpoint IP address.
- Test API connectivity (using either endpoint):
```bash
curl -i https://api.groq.com
# or
curl -i https://api.us.groqcloud.com
```
Should return a successful response through your private connection.
| Service | PSC Target Name | Private DNS Names |
|---|---|---|
| API | projects/groq-pe/regions/me-central2/serviceAttachments/groqcloud | api.groq.com, api.me-central-1.groqcloud.com |
| API | projects/groq-pe/regions/us-central1/serviceAttachments/groqcloud | api.groq.com, api.us.groqcloud.com |
If you encounter connectivity issues:
- Verify DNS resolution is working correctly for both domains
- Check that your security groups and firewall rules allow traffic to the PSC endpoint
- Ensure your service account has the necessary permissions
- Verify the PSC endpoint status is Accepted
- Confirm the model you are requesting is operating in the target region
To monitor and alert on an unexpected change in connectivity status for the PSC endpoint, use a Google Cloud log-based alerting policy.
Below is an example of an alert policy that will alert the given notification channel in the case of a connection being Closed. This will require manual intervention to reconnect the endpoint.
```hcl
resource "google_monitoring_alert_policy" "groq_psc" {
  display_name = "Groq - Private Service Connect"
  combiner     = "OR"

  conditions {
    display_name = "Connection Closed"
    condition_matched_log {
      # Matches the audit log entry written when the PSC connection status becomes CLOSED.
      filter = <<-EOF
        resource.type="gce_forwarding_rule"
        protoPayload.methodName="LogPscConnectionStatusUpdate"
        protoPayload.metadata.pscConnectionStatus="CLOSED"
      EOF
    }
  }

  notification_channels = [google_monitoring_notification_channel.my_alert_channel.id]
  severity              = "CRITICAL"

  alert_strategy {
    notification_prompts = ["OPENED"]
    notification_rate_limit {
      period = "600s"
    }
  }

  documentation {
    mime_type = "text/markdown"
    subject   = "Groq forwarding rule was unexpectedly closed"
    # "$$" escapes Terraform interpolation so Cloud Monitoring receives the literal "${...}" variables.
    content = <<-EOF
      Forwarding rule $${resource.label.forwarding_rule_id} was unexpectedly closed. Please contact Groq Support ([email protected]) for remediation steps.
      - **Project**: $${project}
      - **Alert Policy**: $${policy.display_name}
      - **Condition**: $${condition.display_name}
    EOF
    links {
      display_name = "Dashboard"
      url          = "https://console.cloud.google.com/net-services/psc/list/consumers?project=${var.project_id}"
    }
  }
}
```