	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > Google Gemini API > ADK with VPC and Private Endpoints

ADK with VPC and Private Endpoints

Author: Venkata Sudhakar

Running ADK agents inside a Virtual Private Cloud (VPC) eliminates public internet exposure for internal business workloads. ShopMax India processes payroll and inventory reconciliation using agents that must only reach internal databases and never be accessible from the public internet. VPC-confined agents communicate with Cloud Run, BigQuery, and Pub/Sub through Private Service Connect (PSC) endpoints.

The deployment uses Cloud Run with ingress set to internal-only, a Serverless VPC Access connector to route outbound traffic through the VPC, and Private Service Connect endpoints for Google APIs. No public IP is assigned to the Cloud Run service ï¿½ all traffic flows within the private network boundary.

The below example shows the deployment configuration and a minimal ADK agent designed for internal VPC operation with private BigQuery access.

# 1. Create Serverless VPC Access connector
gcloud compute networks vpc-access connectors create shopmax-connector \
  --region=asia-south1 \
  --subnet=shopmax-private-subnet \
  --subnet-project=shopmax-prod

# 2. Deploy Cloud Run service with internal ingress only
gcloud run deploy shopmax-internal-agent \
  --image=asia-south1-docker.pkg.dev/shopmax-prod/agents/internal-agent:latest \
  --region=asia-south1 \
  --ingress=internal \
  --no-allow-unauthenticated \
  --vpc-connector=shopmax-connector \
  --vpc-egress=all-traffic \
  --set-env-vars=GOOGLE_CLOUD_PROJECT=shopmax-prod \
  --service-account=adk-internal-sa@shopmax-prod.iam.gserviceaccount.com

# 3. Create Private Service Connect endpoint for googleapis.com
gcloud compute addresses create google-apis-psc \
  --region=asia-south1 \
  --subnet=shopmax-private-subnet

gcloud compute forwarding-rules create google-apis-psc-rule \
  --region=asia-south1 \
  --network=shopmax-vpc \
  --address=google-apis-psc \
  --target-google-apis-bundle=all-apis

It gives the following output,

Created connector [shopmax-connector] in [asia-south1].

Deploying container to Cloud Run service [shopmax-internal-agent]...
Service [shopmax-internal-agent] deployed.
URL: https://shopmax-internal-agent-xxxx-el.a.run.app  (internal only)

Created [google-apis-psc] address: 10.10.0.5
Created forwarding rule [google-apis-psc-rule].

from google.adk.agents import LlmAgent
from google.adk.tools import FunctionTool
from google.adk.sessions import InMemorySessionService
from google.adk.runners import Runner
from google.cloud import bigquery
import os

# BigQuery client routes through PSC ï¿½ no public internet
bq = bigquery.Client(
    project=os.environ["GOOGLE_CLOUD_PROJECT"],
    client_options={"api_endpoint": "https://bigquery.googleapis.com"},
)

def get_inventory_summary() -> dict:
    """Return low-stock items from ShopMax internal warehouse."""
    query = (
        "SELECT sku, product_name, stock_qty FROM `shopmax-prod.warehouse.inventory` "
        "WHERE stock_qty < @threshold ORDER BY stock_qty LIMIT 10"
    )
    job_config = bigquery.QueryJobConfig(
        query_parameters=[bigquery.ScalarQueryParameter("threshold", "INT64", 50)]
    )
    rows = list(bq.query(query, job_config=job_config).result())
    return {"low_stock": [dict(r) for r in rows]}

agent = LlmAgent(
    name="shopmax_internal_agent",
    model="gemini-2.0-flash",
    instruction="You are an internal ShopMax warehouse agent. Report low-stock items and help with restocking decisions.",
    tools=[FunctionTool(get_inventory_summary)],
)

session_service = InMemorySessionService()
runner = Runner(agent=agent, session_service=session_service)

events = list(runner.run(
    user_id="warehouse_team",
    session_id="sess_wh_001",
    new_message={"role": "user", "parts": [{"text": "Which items need restocking this week?"}]},
))
print(next(e.content.parts[0].text for e in events if e.is_final_response()))

It gives the following output,

Based on current warehouse data, 4 items need restocking this week:
  SKU-1042  Samsung TV 55"    ï¿½ 12 units remaining
  SKU-2218  Laptop Charger    ï¿½ 23 units remaining
  SKU-3301  USB-C Hub 7-port  ï¿½  8 units remaining
  SKU-4105  HDMI Cable 2m     ï¿½ 41 units remaining
Recommend raising purchase orders for SKU-1042 and SKU-3301 immediately.

After deployment, verify there is no public reachability by running a curl from outside the VPC ï¿½ you should receive a 403 or connection refused. Enable VPC Flow Logs on the shopmax-private-subnet to audit all traffic to and from the agent, and use Cloud Armor security policies on the internal load balancer for an additional layer of request filtering.

Send your comments, suggestions or queries regarding this site to [email protected].