Private IP connections make services reachable without going through the internet or using external IP addresses. Because they don't traverse the internet, connections over private IP typically provide lower latency and fewer attack vectors. Private IP connections allow your Looker (Google Cloud core) instance to communicate with other resources in your Virtual Private Cloud (VPC) but do not allow inbound communication from the public internet.
Private IP connectivity is not compatible with some Looker (Google Cloud core) features. See the feature compatibility table for more information.
Looker (Google Cloud core) supports private IP for instances that meet the following criteria:
- Instance editions must be Enterprise or Embed.
To set up a private IP instance, you must have the following IAM permissions:
- Looker Admin
- Compute Network Admin (or be an owner for your Google Cloud project)
Before you create a Looker (Google Cloud core) instance
Before a private IP address is available for Google to assign to your instance, you must complete the following steps:
- To get the permissions that you need to create allocated IP address ranges and manage private connections, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access. You might also be able to get the required permissions through custom roles or other predefined roles.
- Enable the Compute Engine API for your project in the Google Cloud console. When enabling the API, you may need to refresh the console page to confirm that the API has been enabled.
- Configure a Virtual Private Cloud network in your project.
- Allocate an IP range in your VPC for a private connection to Looker (Google Cloud core). When setting the IP address range size, the minimum size is a /22 block.
- Add the private services access connection to your VPC network using the IP range allocated in the previous step for the Assigned allocation.
- Once your VPC network is created, return to the Create Looker instance page in your Google Cloud project. You may need to refresh the page so that your VPC network is recognized.
Once you have completed these steps, you can begin to create your instance by following the steps on the Create a Looker (Google Cloud core) instance documentation page, starting with the Before you begin section.
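Because the allocated range must be at least a /22 block and cannot be changed after the instance exists, it is worth checking a candidate range before you allocate it. The following is an added example, not part of the Looker documentation: the function names and the sample subnet list are constructed for illustration, and IPv4 ranges are assumed.

```python
import ipaddress

MAX_PREFIX_LEN = 22  # the minimum range size is a /22 block, so prefix length <= 22

# Constructed sample data: ranges already used by subnets in the VPC.
EXISTING_RANGES = ["10.128.0.0/20", "10.132.0.0/20", "10.10.0.0/24"]


def check_reserved_range(candidate, existing_ranges):
    """Return a list of problems with a candidate allocated range (empty means OK)."""
    try:
        # strict=True rejects blocks that are not aligned, e.g. 10.20.1.0/22.
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"{candidate}: not a valid IPv4 CIDR block ({exc})"]
    problems = []
    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"{net} is smaller than a /{MAX_PREFIX_LEN} block")
    for other in existing_ranges:
        other_net = ipaddress.IPv4Network(other, strict=False)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps existing range {other_net}")
    return problems


def first_free_block(parent, existing_ranges, prefix_len=MAX_PREFIX_LEN):
    """Return the first block of the given size inside parent that overlaps nothing."""
    taken = [ipaddress.IPv4Network(r, strict=False) for r in existing_ranges]
    for block in ipaddress.IPv4Network(parent).subnets(new_prefix=prefix_len):
        if not any(block.overlaps(t) for t in taken):
            return str(block)
    return None


if __name__ == "__main__":
    for cidr in ("10.10.0.0/22", "10.20.0.0/24", "10.20.0.0/22"):
        print(cidr, check_reserved_range(cidr, EXISTING_RANGES) or "OK")
    print("suggested:", first_free_block("10.10.0.0/16", EXISTING_RANGES))
```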
Network configuration during instance creation
Complete the following to configure private IP during instance creation:
console
If you select only Private IP or both Private IP and Public IP during instance creation, use the following to finish configuration:
- If an Enable Required APIs pop-up is displayed, you must enable additional APIs for your Google Cloud project. To enable the required APIs for a private network connection, click ENABLE ALL.
- In the Network drop-down, select your VPC network. Private IP networks require a private services access connection, which enables your services to communicate exclusively by using internal IP addresses. See the Configure private services access documentation page for more information about setting up a private IP connection. If you did not set up a private services connection when you created your VPC network, you can click SET UP CONNECTION under the message Private services access connection required. This opens a side panel where you can allocate an IP range and create a connection.
- Under Allocated an IP range, you can select a range of IP addresses within the VPC in which Google will provision a subnetwork for your Looker (Google Cloud core) instance. Subnetworks reserve an IP range that cannot be used by other resources in the VPC network. You will not be able to modify this IP range after you create the Looker (Google Cloud core) instance. IP range allocation includes these options:
  - Select Use automatically assigned IP range to have Google allocate an IP range automatically to provision a subnetwork for the VPC.
  - Select an IP range that was defined during the private services access setup.
- Complete instance creation, and click Create to create the instance.
gcloud
Use the gcloud looker instances create command and include the following parameters:
--consumer-network=CONSUMER_NETWORK --private-ip-enabled --reserved-range=RESERVED_RANGE [--no-public-ip-enabled] [--public-ip-enabled]
CONSUMER_NETWORK and RESERVED_RANGE must be set if you're creating a private IP instance. Use --public-ip-enabled or --no-public-ip-enabled to enable or disable public IP.
Instance configuration after instance creation
If you create an instance that is enabled only for private IP, you will not receive a URL for the instance. To access the instance, you must do both of the following:
- Set up a proxy server to allow public internet access to an instance that uses a private IP.
- Configure a custom domain and add that domain to the OAuth client for the instance.
You may also want to further configure your private IP instance by doing the following:
- Remove the default route if you are using VPC Service controls.
- Create an email domain allowlist to restrict email deliveries to external domains.
- Configure your private IP instance to allow or restrict communication with the internet or external resources.
What's next
- Create a Looker (Google Cloud core) instance
- Set up a custom domain for a Looker (Google Cloud core) instance
- Configure a private IP Looker (Google Cloud core) instance
- Configure a Looker (Google Cloud core) instance