GCP Private Service Connect
Connecting to Cast AI through GCP Private Service Connect
Cast AI supports connection through GCP Private Service Connect for GKE clusters without direct internet access. This enables secure communication between your private GKE cluster and Cast AI without exposing traffic to the public internet.
Reference Implementation: For Terraform examples and code samples, refer to the GKE Private Service Connect example in the Cast AI Terraform provider repository.
Prerequisites
- A GKE cluster in a private VPC
- GCP project ID for creating the Private Service Connect endpoint
- Appropriate GCP permissions to create VPC endpoints and configure DNS
- Choice of Cast AI region: prod-master (US) or prod-eu (Europe)
Architecture
Private Service Connect uses a single endpoint in your GCP network to route all Cast AI traffic privately. Unlike AWS PrivateLink, which requires multiple VPC endpoints, GCP Private Service Connect uses a single endpoint with wildcard DNS routing to serve all Cast AI services.
Private Service Connect connection between customer GKE cluster and Cast AI platform (diagram source: GCP documentation)
In this architecture diagram:
- Consumer VPC: Your GCP environment where your GKE cluster runs
- Endpoint: The Private Service Connect endpoint you create in your VPC
- Clients: Cast AI components running in your GKE cluster
- Service attachment: Cast AI's Service Attachment that your endpoint targets
- Producer VPC: Cast AI's infrastructure hosting the platform services
- Service: Cast AI platform APIs (api.cast.ai, grpc.cast.ai, kvisor.cast.ai, etc.)
The Private Service Connect connection enables your cluster to communicate with all Cast AI services through a single endpoint using private IP addresses, without traffic traversing the public internet.
Setup Process
Step 1: Request access from Cast AI
Contact Cast AI Customer Success and provide:
- Your GCP project ID that will host the Private Service Connect endpoint
- Your preferred Cast AI region (prod-master or prod-eu)
Cast AI will allowlist your project and provide the Service Attachment ID needed for the next step.
Step 2: Create a Private Service Connect endpoint
Create a Private Service Connect endpoint in your GCP project. The endpoint must be created in the same region as the Cast AI Service Attachment.
Region Requirements:
Cast AI Region | GCP Region | Hosts |
---|---|---|
prod-master | us-east4 | *.psc.prod-master.cast.ai |
prod-eu | europe-west1 | *.psc.prod-eu.cast.ai |
- Navigate to Network Services > Private Service Connect
- Click Connect Endpoint
- Configure the endpoint:
  - Target: Paste the Service Attachment ID provided by Cast AI
  - Endpoint name: Choose a descriptive name (e.g., castai-psc-endpoint)
  - Region: Select us-east4 (for prod-master) or europe-west1 (for prod-eu)
  - Network: Select your VPC
  - Subnetwork: Select an appropriate subnet
  - (Optional) Enable Global access if you need to access Cast AI from multiple regions
- Click Add Endpoint
- Note the assigned IP address
For detailed console instructions, see Access published services through endpoints in the GCP documentation.
Step 3: Configure DNS
Configure DNS to route Cast AI hostnames through your Private Service Connect endpoint.
Create a wildcard DNS record that maps *.psc.prod-master.cast.ai (for prod-master) or *.psc.prod-eu.cast.ai (for prod-eu) to your PSC endpoint IP address.
Using Cloud DNS
- Create a private DNS zone:

```shell
gcloud dns managed-zones create castai-psc-zone \
  --description="Cast AI PSC" \
  --dns-name=psc.prod-master.cast.ai \
  --networks=your-vpc \
  --visibility=private
```

- Add a wildcard A record:

```shell
gcloud dns record-sets create "*.psc.prod-master.cast.ai." \
  --zone=castai-psc-zone \
  --type=A \
  --ttl=300 \
  --rrdatas=PSC_ENDPOINT_IP
```

Replace prod-master with prod-eu if connecting to the EU region.
Ensure the DNS zone is accessible from the network where your GKE cluster runs.
For more information on Cloud DNS private zones, see Create a private managed zone in the GCP documentation.
Step 4: Verify the connection
Test connectivity from within your Kubernetes cluster before proceeding with the full cluster onboarding.
Deploy a test pod:
```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: castai-psc-test
spec:
  containers:
  - name: netshoot
    image: nicolaka/netshoot:latest
    command: ["sleep", "infinity"]
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
EOF
```
Run verification commands:
```shell
# Set the hostname (use prod-eu if connecting to EU region)
CAST_HOST="api.psc.prod-master.cast.ai"

# Verify DNS resolution
# Expected: Your PSC endpoint IP address
kubectl exec castai-psc-test -- dig +short $CAST_HOST

# Verify connectivity
# Expected: Connection succeeded
kubectl exec castai-psc-test -- nc -zv $CAST_HOST 443

# Verify SSL certificate
# Expected: Certificate with CN=*.psc.cast.ai from Let's Encrypt
kubectl exec castai-psc-test -- openssl s_client -showcerts \
  -servername $CAST_HOST \
  -connect $CAST_HOST:443 </dev/null
```
Troubleshooting:
- DNS resolution fails: Verify your DNS zone configuration and confirm it's associated with the correct VPC. See Troubleshooting Cloud DNS for additional guidance.
- Connection fails: Check firewall rules allow traffic to the PSC endpoint. See VPC firewall rules overview for configuring firewall rules.
- SSL certificate fails: Contact Cast AI Customer Success, as this indicates an issue with the Cast AI infrastructure.
Step 5: Connect your cluster
Once connectivity is verified, connect your cluster using one of these methods:
Use the complete Terraform example that handles both PSC setup and cluster onboarding:
Your cluster should now be connected to Cast AI through Private Service Connect.
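Steps 2 to 4 above as one script, added here as an example and not Cast AI's or the Terraform provider's code: it creates the endpoint with gcloud instead of the console, feeds the assigned IP into the wildcard record, and checks from the test pod that every Cast AI host resolves to that IP. The gcloud flags for endpoint creation, the DRY_RUN, GLOBAL_ACCESS and CASTAI_PSC_RUN variables, and the service attachment, VPC and subnet values are assumptions (placeholders, not Cast AI's).

```shell
# Added example, not Cast AI's own code: the gcloud equivalent of Steps 2-4 with the endpoint IP
# fed straight into DNS. Assumes authenticated gcloud/kubectl, the Step 4 castai-psc-test pod, and
# that SERVICE_ATTACHMENT, VPC and SUBNET are your own values (placeholders here).
set -eu
psc_gcp_region() {  # Cast AI region -> GCP region, from the Region Requirements table
  case "$1" in prod-master) echo us-east4 ;; prod-eu) echo europe-west1 ;;
    *) echo "unknown Cast AI region: $1" >&2; return 1 ;; esac
}

run() {  # print each command; with DRY_RUN=1 (the default) only print, so the plan can be reviewed
  echo "+ $*"
  [ "${DRY_RUN:-1}" = "1" ] || "$@"
}

# Step 2: reserve an internal IP, then create the endpoint (a forwarding rule targeting the
# Service Attachment); GLOBAL_ACCESS=1 adds the optional global-access flag.
create_psc_endpoint() {  # <castai-region> <service-attachment-id> <vpc> <subnet> <endpoint-name>
  region=$(psc_gcp_region "$1")
  run gcloud compute addresses create "$5-ip" --region="$region" --subnet="$4"
  run gcloud compute forwarding-rules create "$5" --region="$region" --network="$3" \
    --address="$5-ip" --target-service-attachment="$2" ${GLOBAL_ACCESS:+--allow-psc-global-access}
}
endpoint_ip() {  # <castai-region> <endpoint-name>: the IP the wildcard record must point at
  [ "${DRY_RUN:-1}" = "1" ] && { echo PSC_ENDPOINT_IP; return 0; }
  gcloud compute forwarding-rules describe "$2" --region="$(psc_gcp_region "$1")" --format='value(IPAddress)'
}

# Step 3: private zone and wildcard A record as on the page, with the zone derived from the region.
configure_dns() {  # <castai-region> <vpc> <endpoint-ip>
  zone="psc.$1.cast.ai"
  run gcloud dns managed-zones create castai-psc-zone --description="Cast AI PSC" \
    --dns-name="$zone" --networks="$2" --visibility=private
  run gcloud dns record-sets create "*.$zone." --zone=castai-psc-zone --type=A --ttl=300 --rrdatas="$3"
}

# Step 4 check: every Cast AI service host must resolve, from inside the cluster, to the endpoint
# IP; any other answer means that host's traffic would not take the private path.
verify_dns() {  # <castai-region> <endpoint-ip>
  for svc in api grpc kvisor; do
    got=$(kubectl exec castai-psc-test -- dig +short "$svc.psc.$1.cast.ai")
    [ "$got" = "$2" ] || { echo "FAIL: $svc.psc.$1.cast.ai -> '$got', expected $2" >&2; return 1; }
  done
  echo "DNS OK: api, grpc and kvisor hosts resolve to $2"
}

# Run end to end: CASTAI_PSC_RUN=1 DRY_RUN=0 CASTAI_REGION=prod-eu SERVICE_ATTACHMENT=... VPC=... SUBNET=... sh psc.sh
if [ "${CASTAI_PSC_RUN:-0}" = "1" ]; then
  create_psc_endpoint "$CASTAI_REGION" "$SERVICE_ATTACHMENT" "$VPC" "$SUBNET" castai-psc-endpoint
  ip=$(endpoint_ip "$CASTAI_REGION" castai-psc-endpoint)
  configure_dns "$CASTAI_REGION" "$VPC" "$ip" && verify_dns "$CASTAI_REGION" "$ip"
fi
```

Run it once with the default DRY_RUN=1 to review the exact gcloud commands, then with DRY_RUN=0 to apply them.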