Create a private IP connection for Looker (Google Cloud core)

Private IP connections make services reachable without going through the internet or using external IP addresses. Because they don't traverse the internet, connections over private IP typically provide lower latency and limited attack vectors. Private IP connections allow your Looker (Google Cloud core) instance to communicate with other resources in your Virtual Private Cloud (VPC) but do not allow inbound communication from the public internet.

Private IP connectivity is not compatible with some Looker (Google Cloud core) features. See the feature compatibility table for more information.

Looker (Google Cloud core) supports private IP for instances that meet the following criteria:

To set up a private IP instance, you must have the following IAM permissions:

Before you begin

  1. To get the permissions that you need to create allocated IP address ranges and manage private connections, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access.

    This predefined role contains the permissions required to create allocated IP address ranges and manage private connections. To see the exact permissions that are required, expand the Required permissions section:

    Required permissions

    The following permissions are required to create allocated IP address ranges and manage private connections:

    • See available networks in the Network drop-down:
      • compute.addresses.list
      • compute.globalAddresses.list
    • Create a new VPC network:
      • compute.addresses.create
      • compute.globalAddresses.create
      • serviceusage.services.enable
    • Allocate a private IP range and set up a private services access connection: compute.networks.addPeering

    You might also be able to get these permissions with custom roles or other predefined roles.

    If you are creating a private IP instance with Terraform or Google Cloud CLI and are using a private network that has already been set up, you don't need these permissions.

  2. Enable the Compute Engine API for your project in the Google Cloud console. When enabling the API, you may need to refresh the console page to confirm that the API has been enabled.

    Enable the API

Create and configure a VPC network

Before you can create a private IP connection, you must first create and configure a Virtual Private Cloud (VPC) network.

  1. Create a VPC network in your project. Alternatively, if you are using a Shared VPC instead of creating a new VPC network, complete the steps in the following section, Creating an instance in a Shared VPC, in addition to completing the remaining steps in this section for the Shared VPC.
  2. Allocate an IPv4 IP range (CIDR block) in your VPC for a private connection to Looker (Google Cloud core).
    • Before allocating your range, consider the constraints.
    • When setting the IP address range size, be aware that the minimum size is a /22 block.
    • Looker (Google Cloud core) supports all IPv4 ranges within RFC 1918, which specifies IP addresses that are assigned to be used internally (that is, within an organization) and will not route on the Internet. Specifically, these are:
      • 10.0.0.0/8
      • 172.16.0.0/12
      • 192.168.0.0/16
    • Class E IPv4 ranges (240.0.0.0/4) are reserved for future use as noted in RFC 5735 and RFC 1112 and are not supported for Looker (Google Cloud core).
    When a Looker (Google Cloud core) instance is created for the first time in a VPC, Looker creates a proxy-only subnet. Any subsequent private IP Looker (Google Cloud core) instances in the same VPC use the same subnet.
  3. Add the private services access connection to your VPC network using the IP range allocated in the previous step for the Assigned allocation.
  4. Once your VPC network is created, return to the Create Looker instance page in your Google Cloud project. You may need to refresh the page so that your VPC network is recognized.

Once you have completed these steps, you can begin to create your instance by following the steps on the Create a Looker (Google Cloud core) instance documentation page, starting with the Before you begin section.

Creating an instance in a Shared VPC

If you are creating a Looker (Google Cloud core) instance in a Shared VPC, complete the following steps in the shared VPC's host project:

  1. Enable the Looker API in the shared VPC's host project in the Google Cloud console. When enabling the API, you may need to refresh the console page to confirm that the API has been enabled.

    Enable the API

  2. Create a service account in the host project, using the gcloud services identity create command:

    gcloud beta services identity create --service=looker.googleapis.com --project=PROJECT_ID
    
  3. Grant the compute.globalAddresses.get IAM permission to the service account in the host project.

After creating the service account and granting it the IAM permission, wait a few minutes for the service account and permission to propagate.

In addition, allocate an IPv4 IP range in the Shared VPC and add the private services access connection to the Shared VPC as described in the previous section, Create and configure a VPC network.

Network configuration during instance creation

Complete the following to configure private IP during instance creation:

console

If you select only Private IP or both Private IP and Public IP during instance creation, use the following to finish configuration:

  1. If an Enable Required APIs pop-up is displayed, you must enable additional APIs for your Google Cloud project. To enable the required APIs for a private network connection, click ENABLE ALL.
  2. In the Network drop-down, select your VPC network. Private IP networks require a private services access connection, which enables your services to communicate exclusively by using internal IP addresses. See the Configure private services access documentation page for more information about setting up a private IP connection. If you did not set up a private services connection when you created your VPC network, you can click SET UP CONNECTION under the message Private services access connection required. This opens a side panel where you can allocate an IP range and create a connection.
  3. Under Allocated an IP range, you can select a range of IP addresses within the VPC in which Google will provision a subnetwork for your Looker (Google Cloud core) instance. Subnetworks reserve an IP range that cannot be used by other resources in the VPC network. You will not be able to modify this IP range after you create the Looker (Google Cloud core) instance. IP range allocation includes these options:
    • Select Use automatically assigned IP range to have Google allocate an IP range automatically to provision a subnetwork for the VPC.
    • Select an IP range that was defined during the private services access setup.
  4. Complete instance creation, and click Create to create the instance.

gcloud

gcloud looker instances create --consumer-network=CONSUMER_NETWORK --private-ip-enabled: --reserved-range=RESERVED_RANGE
[--no-public-ip-enabled]
[--public-ip-enabled]
  • CONSUMER_NETWORK and RESERVED_RANGE must be set if you're creating a private IP instance.
  • --public-ip-enabled or --no-public-ip-enabled are used to enable or disable public IP.

Instance configuration after instance creation

If you create an instance that is enabled only for private IP, you will not receive a URL for the instance. To access the instance, you must do both of the following:

You may also want to further configure your private IP instance by doing the following:

  • Remove the default route if you are using VPC Service controls.
  • Create an email domain allowlist to restrict email deliveries to external domains.
  • Configure your private IP instance to allow or restrict communication with the internet or external resources.

What's next