Set up private ingress

To set up private ingress into a Contact Center AI Platform (CCAI Platform) instance, you configure it for private ingress at the time you create it. This blocks access to the instance from the internet. You can then set up a Private Service Connect connection, which uses your own internal IP address to access your instance. This keeps your traffic private and within Google Cloud. For more information, see Private Service Connect.

Create a CCAI Platform instance configured for private ingress

You can create a CCAI Platform instance configured for private ingress, which restricts access to your instance from the internet. To access the private instance, you need to set up a Private Service Connect connection.

To create a CCAI Platform instance configured for private ingress, follow these steps:

  1. Create an instance as described in Get started with Contact Center AI Platform while meeting these requirements:
    • Configure your instance for private ingress with a component type of AGENT.
    • In the Allowed project IDs field, specify the project ID of the project that you want to set up a Private Service Connect connection from.
      After your private ingress settings are saved, they appear under Private access on your instance's detail page.
  2. Save the service attachment URI generated by your new instance for use when you set up a Private Service Connect endpoint. For more information, see Set up a Private Service Connect connection.

You have created a CCAI Platform instance that is configured for the following:

To access your instance, see Set up a Private Service Connect connection.

Set up a Private Service Connect connection

You can set up a Private Service Connect connection to access your private CCAI Platform instance. This connection accesses your instance using an internal IP address, keeping your traffic within Google Cloud. Agents, managers, and CCAI Platform administrators can securely access your instance using a private domain name.

The Private Service Connect documentation explains how to set up a Private Service Connect connection. The following sections highlight the key steps in creating this connection in the context of CCAI Platform.

Create an endpoint

Create a Private Service Connect endpoint that uses an internal IP address and points to the service attachment of the instance that you created in Create an instance configured for private access. For more information, see Create an endpoint.

Configure your Domain Name System (DNS) infrastructure

Configure your DNS infrastructure so that it resolves the private domain name of your CCAI Platform instance to the internal IP address of your Private Service Connect endpoint. The private domain name of the CCAI Platform instance is the public domain name with a .p added. For example, if the public domain name of your instance is {my_prefix}-{my_instance_id}.{location_code}.ccaiplatform.com, then the private domain name would be {my_prefix}-{my_instance_id}.{location_code}.p.ccaiplatform.com. You can use DNS forwarding from your premises to the p.ccaiplatform.com DNS zone and then use Inbound server policies to configure Cloud DNS to resolve those addresses using response policy rules. You should configure a rule mapping each Private Service Connect endpoint IP address to the corresponding p.ccaiplatform.com domain. For more information, see Private Service Connect.

To set up and test a Private Service Connect connection, see Set up a test connection.

Set up a test connection

If you created a private CCAI Platform instance in Create an instance configured for private access, you can set up a test Private Service Connect connection to access your private instance.

Set up a test Private Service Connect connection

To set up a test Private Service Connect connection, follow these steps:

  1. In Google Cloud console, on the project selector page, create a Google Cloud project. Use a project ID that you specified as an allowed project ID in Create an instance configured for private access.
  2. Create a VM while meeting the following requirements. For more information, see Create and start a Compute Engine instance.
  3. Reserve a regional IP address as described in Reserve a new static internal IPv4 or IPv6 address. Populate the following fields as shown:
  4. Create a Private Service Connect endpoint as directed in Create an endpoint. Populate the following fields as shown:

You have set up a test Private Service Connect connection. See Access your CCAI Platform instance to use this connection to access your private CCAI Platform instance.

Access your private CCAI Platform instance

This section demonstrates how to use a Private Service Connect connection to access the private CCAI Platform instance that you created in Set up a test Private Service Connect connection.

To access your private CCAI Platform instance from the command line, follow these steps:

  1. In the Google Cloud console, activate Cloud Shell.
    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
  2. To make an SSH connection to the VM that you created in Set up a test Private Service Connect connection, enter the following code into the terminal:
gcloud compute ssh --zone "ZONE" "INSTANCE" --project "PROJECT_ID"  

Replace the following:

{your_home_directory}@INSTANCE:~$  
  3. To map the internal IP address of your Private Service Connect endpoint to the private domain name of your private CCAI Platform instance, do the following:
    1. Using a command-line text editor, add the following line to the /etc/hosts file:
    IP_ADDRESS PRIVATE_DOMAIN_NAME  

    Replace the following:
    * IP_ADDRESS: the IP address that you reserved when you set up a test Private Service Connect connection.
    * PRIVATE_DOMAIN_NAME: the private domain name of the private instance that you created in Create an instance configured for private access. For example, {my_prefix}-{my_instance_id}.p.ccaiplatform.com. For more information, see Configure your Domain Name System (DNS) infrastructure.
    This step performs a function similar to configuring your DNS infrastructure.

  4. To access your private CCAI Platform instance, enter the following curl command into the terminal. The curl command contains the private domain name.
curl https://PREFIX-INSTANCE_ID.p.ccaiplatform.com  

Replace the following:

You have set up a test CCAI Platform connection and have accessed your private CCAI Platform instance using the private domain name. If you attempt to access the private instance through the public internet—using the public domain name (with no .p in the URL)—the attempt fails, as expected. Further, a private domain name only succeeds in connecting to a private CCAI Platform instance if you have set up a Private Service Connect connection.
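
The following check, added here as an example and not part of the original page, derives the private domain name as described in Configure your Domain Name System (DNS) infrastructure and confirms that every address the VM resolves for it is internal, so traffic cannot leave through a public answer. The function names are hypothetical; it assumes the endpoint's subnet uses RFC 1918 ranges and that getent is available on the VM.

```shell
#!/bin/sh
# Added example (not from the CCAI Platform docs); function names are hypothetical.

# Derive the private domain name: the public name with ".p" added before
# ccaiplatform.com. A name that is already private is returned unchanged.
private_domain_name() {
  case "$1" in
    *.p.ccaiplatform.com) printf '%s\n' "$1" ;;
    *.ccaiplatform.com) printf '%s\n' "${1%.ccaiplatform.com}.p.ccaiplatform.com" ;;
    *) echo "not a ccaiplatform.com name: $1" >&2; return 1 ;;
  esac
}

# Succeed only for a well-formed IPv4 address inside an RFC 1918 range
# (assumption: the Private Service Connect endpoint subnet uses one).
is_rfc1918() {
  ip=$1
  case "$ip" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# Read resolver output on stdin (address in the first column, one per line).
# Succeed only if there is at least one answer and every answer is internal.
all_internal() {
  seen=0
  while read -r addr rest; do
    [ -n "$addr" ] || continue
    is_rfc1918 "$addr" || { echo "non-internal answer: $addr" >&2; return 1; }
    seen=1
  done
  [ "$seen" -eq 1 ]
}

# Resolve the name the way curl will on this VM (/etc/hosts, then DNS).
check_private_resolution() {
  name=$(private_domain_name "$1") || return 1
  getent ahostsv4 "$name" | all_internal
}
```

On the test VM, run `check_private_resolution` with the instance's domain name after editing /etc/hosts; a non-zero exit means the name did not resolve or resolved to an address outside the internal ranges.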
