This documentation page describes how to set up a custom domain and set up access to a Looker (Google Cloud core) instance that meets the following criteria:
- The instance is private IP only.
- The instance was set up to use private services access at the time of creation.
- Traffic to the instance originates either from the same region as the instance or through hybrid networking.
To access this kind of instance, perform the following steps:
- Set up a custom domain.
- Create a Cloud DNS private zone.
- Add the DNS A record.
- Update the OAuth credentials.
Set up a custom domain
After your Looker (Google Cloud core) instance has been created, you can set up a custom domain.
Before you begin
Before you can customize the domain of your Looker (Google Cloud core) instance, identify where your domain's DNS records are stored, so that you can update them.
Required roles
To get the permissions that you need to create a custom domain for a Looker (Google Cloud core) instance, ask your administrator to grant you the Looker Admin (roles/looker.admin) IAM role on the project the instance resides in.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a custom domain
In the Google Cloud console, follow these steps to customize the domain of your Looker (Google Cloud core) instance:
- On the Instances page, click the name of the instance for which you would like to set up a custom domain.
- Click the CUSTOM DOMAIN tab.
- Click ADD A CUSTOM DOMAIN. This opens the Add a new custom domain panel.
- Using only letters, numbers, and dashes, enter the hostname of up to 64 characters for the web domain that you would like to use, for example: looker.examplepetstore.com.
- Click DONE on the Add a new custom domain panel to return to the CUSTOM DOMAIN tab.
Once your custom domain is set up, it is displayed in the Domain column on the CUSTOM DOMAIN tab of the Looker (Google Cloud core) instance details page in the Google Cloud console.
After your custom domain has been created, you can view information about it, or delete it.
Enable access to the custom domain
When traffic to a private IP only Looker (Google Cloud core) instance originates from the same region that the instance is in, you can ensure secure access to the instance through proper DNS and credential setup.
Before you begin
To get the permissions that you need to set up access to a private IP custom domain, ask your administrator to grant you the following IAM roles on the project the instance resides in:
- Looker Admin (roles/looker.admin)
- DNS Admin (roles/dns.admin)
- Use Google OAuth: OAuth Config Editor (roles/oauthconfig.editor)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Networking overview
Looker (Google Cloud core) with a private IP network configuration is a regional deployment model that lets you seamlessly connect to the Looker (Google Cloud core) UI from various environments, such as on-premises, multicloud, and compute instances.
To establish connectivity from on-premises or multicloud environments to Looker (Google Cloud core), modify the service networking VPC peering connection in your VPC to export custom routes to the Google-managed VPC that hosts Looker (Google Cloud core). This action sends all eligible static and dynamic routes from your VPC to Looker (Google Cloud core). The service producer's network automatically imports these routes, enabling traffic to be sent back to your on-premises network through the VPC network.
By default, the connection from host devices is established within the same region as Looker (Google Cloud core), as illustrated in the following diagram:
Create the Cloud DNS private zone
Create a Cloud DNS private zone that is visible to the VPC in which the Looker (Google Cloud core) instance is located. The Cloud DNS private zone will be used by the VPC and the on-premises hosts for DNS resolution to reach the Looker (Google Cloud core) UI. The name of the zone should match the custom domain.
    gcloud dns managed-zones create NAME \
        --description=DESCRIPTION \
        --dns-name=DNS_SUFFIX \
        --networks=VPC_NETWORK_LIST \
        --labels=LABELS \
        --visibility=private
Replace the following:
- NAME: A name for your zone.
- DESCRIPTION: A description for your zone.
- DNS_SUFFIX: The DNS suffix for your zone, such as examplepetstore.com.
- VPC_NETWORK_LIST: A comma-delimited list of VPC networks that are authorized to query the zone. Make sure to include the VPC that contains your Looker (Google Cloud core) instance.
- LABELS: An optional comma-delimited list of key-value pairs such as dept=marketing or project=project1; for more information, see the SDK documentation.
Once the zone is set up, if you navigate to the zone on the Cloud DNS zones page of the Google Cloud console, you can see that it's private, it's named after the custom domain, and it has record sets for the custom domain.
Add the Cloud DNS A record
Complete the following steps to add the Cloud DNS A record:
Since you will be using a load balancer, the A record in the Cloud DNS private zone will map to the load balancer IP address.
Add a DNS A record for the custom domain in the private zone, consisting of the ingress IP address of the Looker (Google Cloud core) instance. The A record uses the Fully Qualified Domain Name (FQDN), the same as what you configured as the Looker (Google Cloud core) custom domain.
The complete setup should show the A record for the custom domain when you view the private zone details on the Cloud DNS zones page of the Google Cloud console.
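One way to script the checks behind the A record step, as an added example that is not part of the original documentation: it validates the custom domain against the hostname rule, confirms the name falls inside the private zone's DNS suffix, and prints the `gcloud dns record-sets create` command without running it. The zone name `looker-private-zone`, the ingress IP `10.10.0.2` and the 300-second TTL are constructed placeholders, and treating dots as label separators in the hostname rule is an assumption.

```shell
#!/bin/sh
# Pre-flight checks for the Looker custom-domain A record (added example).

# Lower-case a DNS name and drop one trailing dot so comparisons are canonical.
normalize() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# Page rule: letters, numbers and dashes only, at most 64 characters.
# Assumption: dots separate labels; a label may not start or end with a dash.
valid_custom_domain() {
  host=$(normalize "$1")
  [ "${#host}" -le 64 ] || return 1
  printf '%s\n' "$host" | grep -Eq \
    '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# The record must sit inside the private zone: equal to the zone's DNS suffix
# or a subdomain of it, matched on a label boundary (not a bare string suffix).
in_zone() {
  host=$(normalize "$1"); suffix=$(normalize "$2")
  case "$host" in
    "$suffix"|*."$suffix") return 0 ;;
    *) return 1 ;;
  esac
}

# Dotted-quad syntax check for the ingress IP address (each octet 0-255).
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print (do not run) the A record command once every check passes.
# Args: custom domain, zone DNS suffix, zone name, ingress IP.
a_record_cmd() {
  valid_custom_domain "$1" || { echo "bad hostname: $1" >&2; return 1; }
  in_zone "$1" "$2"        || { echo "$1 is outside zone $2" >&2; return 1; }
  valid_ipv4 "$4"          || { echo "bad IPv4 address: $4" >&2; return 1; }
  printf 'gcloud dns record-sets create %s. --zone=%s --type=A --ttl=300 --rrdatas=%s\n' \
    "$(normalize "$1")" "$3" "$4"
}

# Constructed values: zone name and ingress IP are placeholders.
a_record_cmd looker.examplepetstore.com examplepetstore.com looker-private-zone 10.10.0.2
```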
To make a VPC network's name resolution services available to on-premises networks that are connected to the VPC network by using Cloud VPN tunnels, Cloud Interconnect VLAN attachments, or Router appliances, you can use an inbound server policy.
Once your domain's DNS records are updated and your domain has been verified in the Google Cloud console, the status of the custom domain that is mapped to the instance will be updated from Unverified to Available on the Custom Domain tab of the Instances page.
Update the OAuth credentials
- Access your OAuth client by navigating in the Google Cloud console to APIs & Services > Credentials and selecting the OAuth client ID for the OAuth client that is used by your Looker (Google Cloud core) instance.
- Click the Add URI button to update the Authorized JavaScript origins field in your OAuth client. Use the same DNS name that your organization will use to access Looker (Google Cloud core). For example, if your custom domain is looker.examplepetstore.com, you would enter looker.examplepetstore.com as the URI.
- Update or add the custom domain to the list of Authorized redirect URIs for the OAuth credentials that were used when the Looker (Google Cloud core) instance was created. Add /oauth2callback to the end of the URI. For example, if your custom domain is looker.examplepetstore.com, you would enter looker.examplepetstore.com/oauth2callback.
Add users
Once the preceding steps are completed, the custom domain URL is accessible to users.
Ensure that the user authentication method is completely set up for the Looker (Google Cloud core) instance before adding users to the instance.
What's next
- Connect Looker (Google Cloud core) to your database
- Prepare your Looker (Google Cloud core) instance for users
- Manage users within Looker (Google Cloud core)