Anthropic Claude Opus 4.5 & Gemini 3 on Vertex AI with python sdk via Private Service Connect endpoint

1. Overview

Vertex AI API can be accessed over the internet, however, in your enterprise you may want to access the Vertex AI API's privately without going over the internet. In this lab you will first access the Anthropic Claude Opus 4.5 and Gemini 3 Pro on Vertex via python sdk running on a VM instance via public internet.

Then you will create a Private Service Connect endpoint to Googleapis, and change the traffic flow to use the private endpoint to connect to the Vertex API.

The python code sample will take the input questions, pass it to Claude Opus to generate an answer, that output will be passed to Gemini Pro 3 to create a text summary and generate an image.

In this lab, you're going to be creating the following pattern.

Figure1.

c8f37e193349bfd6.png

2. Objectives

In this lab you will learn how to perform the following task:

  • Set up VM instance to use python sdk
  • Enable Anthropic model card in Vertex AI
  • Connect to Anthropic Claude Opus 4.5 and Gemini 3 Pro via python script
  • Configure PSC endpoint to connect to Googleapis
  • Configure manual DNS entries
  • Verify connectivity path to Googleais
  • Execute python script to query the models

Lab setup

Self-paced environment setup

  1. Sign-in to the Google Cloud Console and create a new project or reuse an existing one. If you don't already have a Gmail or Google Workspace account, you must create one.

295004821bab6a87.png

37d264871000675d.png

96d86d3d5655cdbe.png

  • The Project name is the display name for this project's participants. It is a character string not used by Google APIs. You can always update it.
  • The Project ID is unique across all Google Cloud projects and is immutable (cannot be changed after it has been set). The Cloud Console auto-generates a unique string; usually you don't care what it is. In most codelabs, you'll need to reference your Project ID (typically identified as PROJECT_ID). If you don't like the generated ID, you might generate another random one. Alternatively, you can try your own, and see if it's available. It can't be changed after this step and remains for the duration of the project.
  • For your information, there is a third value, a Project Number, which some APIs use. Learn more about all three of these values in the documentation.
  1. Next, you'll need to enable billing in the Cloud Console to use Cloud resources/APIs. Running through this codelab won't cost much, if anything at all. To shut down resources to avoid incurring billing beyond this tutorial, you can delete the resources you created or delete the project. New Google Cloud users are eligible for the $300 USD Free Trial program.

Start Cloud Shell

While Google Cloud can be operated remotely from your laptop, in this codelab you will be using Google Cloud Shell, a command line environment running in the Cloud.

From the Google Cloud Console, click the Cloud Shell icon on the top right toolbar:

Activate Cloud Shell

It should only take a few moments to provision and connect to the environment. When it is finished, you should see something like this:

Screenshot of Google Cloud Shell terminal showing that the environment has connected

This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on Google Cloud, greatly enhancing network performance and authentication. All of your work in this codelab can be done within a browser. You do not need to install anything.

3. Setup Environment

We will create a custom VPC with Firewall rules. If you have a VPC and Project already you can skip this part.

Open Cloud Shell located at the top of your console on the right. And configure as follows: b51b80043d3bac90.png

  1. Enable some of the apis we will use in this lab
gcloud services enable dns.googleapis.com
gcloud services enable aiplatform.googleapis.com
gcloud services enable servicedirectory.googleapis.com
  1. Set some variables. These variables are the Project ID and Network ID of the custom VPC (you will create the VPC in step 4).
projectid=$(gcloud config get-value project)
networkid=anthropic-net 
echo $projectid
echo $networkid
clear
  1. Now create a custom VPC called anthropic-net.
gcloud compute networks create $networkid \
--project=$projectid \
--subnet-mode=custom \
--mtu=1460 \
--bgp-routing-mode=global
  1. Create the vm1-subnet in the new VPC
gcloud compute networks subnets create vm-subnet \
--project=$projectid --range=10.0.88.0/24 \
--stack-type=IPV4_ONLY --network=$networkid \
--region=us-east1
  1. Add ICMP, SSH and HTTP firewall rules to your VPC
gcloud compute firewall-rules create $networkid-allow-icmp --project=$projectid \
--network=$networkid \
--description="Allows ICMP connections from any source to any instance on the network." \
--direction=INGRESS \
--priority=65534 \
--source-ranges=0.0.0.0/0 \
--action=ALLOW \
--rules=icmp

gcloud compute firewall-rules create $networkid-allow-ssh \
--project=$projectid \
--network=$networkid \
--description="Allows TCP connections from any source to any instance on the network using port 22." \
--direction=INGRESS --priority=65534 \
--source-ranges=0.0.0.0/0 --action=ALLOW \
--rules=tcp:22

gcloud compute firewall-rules create $networkid-allow-web \
--project=$projectid \
--network=$networkid \
--description="Allows TCP connections on port 8080." \
--direction=INGRESS --priority=1000 \
--source-ranges=0.0.0.0/0 --action=ALLOW \
--rules=tcp:8080

4. Enable Anthropic in Vertex model garden

We need to grant outbound external access to the internet so lets create a Cloud NAT gateway and attach it.

  1. Go to Vertex AI dashboard and select Model Garden
  2. Search for Anthropic and select Claude Opus 4.5

d8937fa7d5e216b7.png 3. Select Enable, you will be required to fill out some info. Fill out form an select Next 4. On the final page select Agree to enable Claude 4.5 Opus

6ccda2a237000dea.png

  1. 84fbda607163ab9a.png

5. Create NAT gateway and VMs

We need to grant outbound external access to the internet so lets create a Cloud NAT gateway and attach it.

In Cloud Shell use the following commands

  1. Create the Cloud NAT.
gcloud compute routers create anthro-out-nat \
    --network $networkid \
    --region us-east1
  1. Create the Cloud NAT gateway.
gcloud compute routers nats create anthro-out-nat-gw \
    --router-region us-east1 \
    --router anthro-out-nat \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips

Now let's create one VMs to access the Anthropic on Vertex AI via Python SDK.

We are going to create a vm to test with the following packages installed

  1. In the same Cloud Shell session create anthro-vm using the following.
gcloud compute instances create anthro-vm \
--project=$projectid \
--zone=us-east1-b \
--network-interface=stack-type=IPV4_ONLY,subnet=vm-subnet,no-address,network=$networkid \
--metadata startup-script="#! /bin/bash    
      sudo apt-get update
      sudo apt-get install python3 python3-dev python3-venv -y
      sudo apt-get install tcpdump dnsutils -y
      sudo -i
      sudo mkdir -p ~/py-anthro-env
      cd ~/py-anthro-env
      python3 -m venv env
      source env/bin/activate
      pip install -U ipython google-genai 'anthropic[vertex]'"

You should see a VM created with no public IP addresses. Now let's configure the VM's

6. Configure VM and test

  1. In Google Cloud Shell lets SSH into the new VM called anthro-vm.
gcloud compute ssh anthro-vm \
    --project=$projectid \
    --zone=us-east1-b \
    --tunnel-through-iap \
    -- -L 8080:localhost:8080
  1. Once you SSH into anthro-vm, activate your venv environment:
sudo -i -- bash -c 'cd py-anthro-env && source env/bin/activate && exec bash'
  1. Now let's authenticate this to do some testing later on. Run the following command in the VM, press y when prompted.
gcloud auth application-default login
  1. Next copy the url which appears in the starting with https:// open a new tab in your lab browser window and paste the url. Accept the prompts.
  2. When you see the following select copy, switch back to the vm anthro-vm session and for Enter authorization code: paste the code you copied and press enter to authenticate.

b703db7aa2aa286a.png

  1. Now let's do a quick test to see if we can connect to the Vertex Gemini API.
dig *-aiplatform.googleapis.com
  1. You should see something similar (the addresses will differ). Note the path is via public IP addresses since the API is a public API.
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> *-aiplatform.googleapis.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3728
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;*-aiplatform.googleapis.com.   IN      A

;; ANSWER SECTION:
*-aiplatform.googleapis.com. 300 IN     A       172.217.204.95
*-aiplatform.googleapis.com. 300 IN     A       172.217.203.95
*-aiplatform.googleapis.com. 300 IN     A       173.194.215.95
*-aiplatform.googleapis.com. 300 IN     A       142.250.98.95
*-aiplatform.googleapis.com. 300 IN     A       173.194.217.95
*-aiplatform.googleapis.com. 300 IN     A       142.251.107.95
*-aiplatform.googleapis.com. 300 IN     A       74.125.196.95
  1. Now let's use python. Type ipython to activate the ipython interface.
ipython

845ef4291429888a.png

  1. Now copy and paste the following. This asks Claude Opus 4.5 "What are the key steps to building Agentic AI?" then takes the output and passes it to Gemini 3 pro which creates a summary and generates and image which it saves on the VM.
import os
import sys
import google.auth
from pathlib import Path
from google import genai
from google.genai import types
from anthropic import AnthropicVertex

# 1. Setup & Auth
print("--- Authenticating ---")
creds, project_id = google.auth.default()
LOCATION = "global"

# 2. Initialize Clients
print(f"--- Initializing Clients for Project: {project_id} ---")
google_client = genai.Client(vertexai=True, location=LOCATION, project=project_id)
claude_client = AnthropicVertex(region=LOCATION, project_id=project_id)

# 3. Define the Question
question = "What are the key steps to building Agentic AI?"
print(f"\n--- Asking Claude: {question} ---")

# 4. Get Claude's Research
msg = claude_client.messages.create(
    model="claude-opus-4-5@20251101",
    max_tokens=2048,
    messages=[{"role": "user", "content": question}]
)
claude_text = msg.content[0].text
print(f"✓ Claude Answered ({len(claude_text)} chars)")

# 5. Send to Gemini 3 for Image & Summary
print("\n--- Sending to Gemini 3 (Image + Text) ---")
gemini_prompt = f"""
I am providing you with a technical explanation generated by Claude Opus 4.5.
1. READ the text below.
2. GENERATE a concise, bulleted executive summary.
3. CREATE a high-quality, futuristic illustration for a tech blog header (16:9).

--- INPUT TEXT ---
{claude_text}
"""

response = google_client.models.generate_content(
    model="gemini-3-pro-image-preview",
    contents=gemini_prompt,
    config=types.GenerateContentConfig(
        response_modalities=['TEXT', 'IMAGE'],
        temperature=0.7
    )
)

# 6. Save and Display Results
print("\n--- Results ---")
for part in response.parts:
    if part.text:
        print(f"\n[SUMMARY]:\n{part.text.strip()[:500]}...\n(Summary truncated for brevity)")
    elif image := part.as_image():
        filename = "gemini_agentic_ai.png"
        image.save(filename)
        print(f"\n✓ IMAGE SAVED to: {os.path.abspath(filename)}")
  1. Press enter twice to run and see the text result.
  2. To view the image we need to enable a web service in python. Run the following in the ipython session
!python3 -m http.server 8080
  1. Now go to web preview option in Cloud Shell, select preview on port 8080 6dcb2bf9a08aacaf.png
  2. In the open web session select the gemini_agentic_ai.png to view the image generated. (Sample image below generated by AI)
    fdcb79d8410dadc5.png
  3. In Cloud Shell to exit the session press Ctrl C, then type exit and press enter (repeat three times) to go back to the Cloud Shell home
  4. Let's continue.

7. Create the PSC endpoint to googleapis

To enable private connectivity to our Vertex API endpoint we will create a Private Service Connect endpoint for googleapis. This will allow us to use a private IP address we assign to route traffic to the googleapis we need, in this case Vertex Gemini.

  1. Open Cloud Shell if not open already. Create an IP for the PSC endpoint. We will use 192.168.255.230 in this case.
gcloud compute addresses create anthro-ip \
    --global \
    --purpose=PRIVATE_SERVICE_CONNECT \
    --addresses=192.168.255.230 \
    --network=$networkid
  1. Verify IP created
gcloud compute addresses list --filter="name=( 'anthro-ip' ...)"
  1. Next create the PSC endpoint
gcloud compute forwarding-rules create pscanthrovertex \
    --global \
    --network=$networkid \
    --address=anthro-ip \
    --target-google-apis-bundle=all-apis
  1. This will create an endpoint and a service directory entry. Verify endpoint exist
gcloud compute forwarding-rules describe pscanthrovertex --global

8. Verify endpoint connectivity via automatic service directory zone

Let's connect using the private endpoint to connect to Gemini.

  1. Go to VM Instance anthro-vm1. Select SSH and SSH into the VM
  2. Check the connectivity path to aiplatform-pscanthrovertex.p.googleapis.com using the dig command. You should see the IP of the PSC endpoint 192.168.255.230
dig aiplatform-pscanthrovertex.p.googleapis.com
  1. Exit all SSH sessions

9. Create Manual DNS entry to googleapis

You can create a manual DNS entry to point to the PSC endpoint using private DNS. This would affect all the networks you assign to it.

Run the following commands in Cloud Shell.

  1. Create a private DNS zone for googleapis.com and attach it to the anthropic-net network.
gcloud dns managed-zones create googleapis-private \
    --description="Private DNS zone for googleapis.com" \
    --dns-name="googleapis.com." \
    --visibility="private" \
    --networks="anthropic-net"
  1. Create an A record mapping the root domain to the Private Service Connect endpoint IP (192.168.255.230)
gcloud dns record-sets create "googleapis.com." \
    --zone="googleapis-private" \
    --type="A" \
    --ttl="300" \
    --rrdatas="192.168.255.230"
  1. Create a wildcard CNAME record to redirect all subdomains (e.g., aiplatform.googleapis.com) to the root A record
gcloud dns record-sets create "*.googleapis.com." \
    --zone="googleapis-private" \
    --type="CNAME" \
    --ttl="300" \
    --rrdatas="googleapis.com."
  1. List the record sets in the zone to confirm the A record and CNAME have been created correctly.
gcloud dns record-sets list --zone="googleapis-private"
  1. In the console view it should look like this. You should see a set up with an A record and CNAME like this see a51a8b8caa7a0f1e.png
  2. Next we verify connectivity with these changes on anthro-vm

10. Verify endpoint connectivity via IP address

Let's connect using the private endpoint to connect to Gemini.

  1. In Google Cloud Shell lets SSH into the new VM called anthro-vm.
gcloud compute ssh anthro-vm \
    --project=$projectid \
    --zone=us-east1-b \
    --tunnel-through-iap \
    -- -L 8080:localhost:8080
  1. Once you SSH into anthro-vm, activate your venv environment:
sudo -i -- bash -c 'cd py-anthro-env && source env/bin/activate && exec bash'
  1. Now let's do a dig to see if we can connect to the Vertex Gemini API.
dig *-aiplatform.googleapis.com
  1. You should see something similar (the address will differ). Note the path is via the PSC endpoint IP addresses.
; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> *-aiplatform.googleapis.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33703
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;*-aiplatform.googleapis.com.   IN      A

;; ANSWER SECTION:
*-aiplatform.googleapis.com. 300 IN     CNAME   googleapis.com.
googleapis.com.         300     IN      A       192.168.255.230

;; Query time: 8 msec
;; SERVER: 169.254.169.254#53(169.254.169.254) (UDP)
;; WHEN: Sat Nov 29 15:19:15 UTC 2025
;; MSG SIZE  rcvd: 86
  1. Using the ping command. We can do a quick test. Note: this IP is a PSC endpoint and your pings will be unsuccessful.
ping -c 2 aiplatform.googleapis.com
  1. Now let's use python. Type ipython to activate the ipython interface.
ipython

845ef4291429888a.png

  1. Now copy and paste the following. This asks Claude Opus 4.5 "Give me a step by step recipe to make a roti for a beginner?" then takes the output and passes it to Gemini 3 pro which creates a summary and generates and image which it saves on the VM
import os
import sys
import google.auth
from pathlib import Path
from google import genai
from google.genai import types
from anthropic import AnthropicVertex

# 1. Setup & Auth
print("--- Authenticating ---")
creds, project_id = google.auth.default()
LOCATION = "global"

# 2. Initialize Clients
print(f"--- Initializing Clients for Project: {project_id} ---")
google_client = genai.Client(vertexai=True, location=LOCATION, project=project_id)
claude_client = AnthropicVertex(region=LOCATION, project_id=project_id)

# 3. Define the Question
question = "Give me a step by step recipe to make a roti for a beginner?"
print(f"\n--- Asking Claude: {question} ---")

# 4. Get Claude's Research
msg = claude_client.messages.create(
    model="claude-opus-4-5@20251101",
    max_tokens=2048,
    messages=[{"role": "user", "content": question}]
)
claude_text = msg.content[0].text
print(f"✓ Claude Answered ({len(claude_text)} chars)")

# 5. Send to Gemini 3 for Image & Summary
print("\n--- Sending to Gemini 3 (Image + Text) ---")
gemini_prompt = f"""
I am providing you with a technical explanation generated by Claude Opus 4.5.
1. READ the text below.
2. GENERATE a concise, bulleted executive summary.
3. CREATE a high-quality, futuristic illustration for a tech blog header (16:9).

--- INPUT TEXT ---
{claude_text}
"""

response = google_client.models.generate_content(
    model="gemini-3-pro-image-preview",
    contents=gemini_prompt,
    config=types.GenerateContentConfig(
        response_modalities=['TEXT', 'IMAGE'],
        temperature=0.7
    )
)

# 6. Save and Display Results
print("\n--- Results ---")
for part in response.parts:
    if part.text:
        print(f"\n[SUMMARY]:\n{part.text.strip()[:500]}...\n(Summary truncated for brevity)")
    elif image := part.as_image():
        filename = "cookingroti.png"
        image.save(filename)
        print(f"\n✓ IMAGE SAVED to: {os.path.abspath(filename)}")
  1. Press enter twice to run and see the text result.
  2. To view the image we need to enable a web service in python so run the following in the ipython session
!python3 -m http.server 8080
  1. Now go to web preview option in Cloud Shell, select preview on port 8080
  2. Select the cookingroti.png to view the image generated. (Sample below generated by AI) bcf43fffede275cb.png
  3. In Cloud Shell to exit the session press Ctrl C, then type exit and press enter (repeat three times) to go back to the Cloud Shell home

11. Congratulations

Congratulations, you've had some fun and successfully connected to Anthropic Claude Opus 4.5 & Gemini 3 Pro on Vertex using both public API address and privately using Private Service Connect Endpoint for Googleapis. This functionality can extend private API connectivity into your on-prem/other cloud environment which are connected via (Interconnect, Cross-Cloud Interconnect and VPC).

Clean up

gcloud compute instances delete anthro-vm --zone=us-east1-b --quiet

gcloud compute routers nats delete anthro-out-nat-gw --router=anthro-out-nat --region=us-east1 --quiet

gcloud compute routers delete anthro-out-nat --region=us-east1 --quiet

gcloud compute firewall-rules delete anthropic-net-allow-icmp anthropic-net-allow-ssh anthropic-net-allow-web --quiet

gcloud compute forwarding-rules delete pscanthrovertex --global --quiet

gcloud dns record-sets delete googleapis.com. --zone googleapis-private --type A --quiet

gcloud dns record-sets delete *.googleapis.com --zone googleapis-private --type CNAME --quiet

gcloud dns managed-zones delete googleapis-private --quiet

gcloud compute addresses delete anthro-ip --global --quiet

gcloud compute networks subnets delete vm-subnet --region=us-east1 --quiet

gcloud compute networks delete anthropic-net --quiet

Next steps / Learn more

You can read more about Vertex AI networking

Codelab: Access Gemini 3 Pro chat using python sdk via Private Service Connect endpoint

Codelab: Building AI Agents with ADK:The Foundation

Take your next lab

Continue your quest with Google Cloud, and check out these other Google Cloud Skills Boost labs: