Private IP networking with Looker (Google Cloud core)

Once you have set up a Looker (Google Cloud core) instance to use only private IP or both private IP and public IP, you may want to configure your network to use certain Looker (Google Cloud core) features or to allow or restrict communication with external services or the internet.

Restricting email deliveries to external domains

By default, Looker (Google Cloud core) instances that use only private IP or both private and public IP allow email deliveries to external domains. To restrict the domains to which Looker users can send email deliveries, you can set up an email domain allowlist.

Connecting a private IP Looker (Google Cloud core) instance to external services

Looker (Google Cloud core) instances that use only private IP or both private and public IP may require additional configuration to connect to services or resources outside of the instance's VPC network. The following sections describe additional configuration options.

Connecting to other VPCs using private services access

To use internal IPs to connect to services in other VPCs that are hosted by either Google or third parties, you can use private services access.

During Looker (Google Cloud core) instance creation, you created a private services access connection to connect your VPC to the Looker (Google Cloud core) service. You can also update the IP allocation of an existing private services access connection without disrupting traffic.

To set up a private services access connection:

  1. Allocate an internal IP range in your VPC network.
  2. Set up the private connection between your VPC network and the service producer's network, using the allocated IP range. This private connection establishes a VPC Network Peering connection between your VPC and the other network.

Private connections are a one-to-one relationship between your VPC network and a service producer. If a single service producer offers multiple services, you only need one private connection for all of the producer's services.

Connecting to on-premises resources or third-party services

You can use either of the following two options to connect Looker (Google Cloud core) instances using only private IP or both private and public IP to on-premises resources or third-party services:

With either method, you will need to do the following:

  • Configure a dynamic route in your Looker (Google Cloud core) VPC for each on-premises resource.
  • Set up a custom route advertisement of the Looker (Google Cloud core) private services access subnet on all Cloud Routers that are deployed in the Looker (Google Cloud core) VPC.
  • Update your on-premises firewalls to allow traffic with the Looker (Google Cloud core) subnet.
  • Configure DNS forwarding, which will let Looker (Google Cloud core) connect to any on-premises resources.

Cloud Interconnect and Cloud Router

The following network diagram shows how Cloud Interconnect and Cloud Router interact with the Looker (Google Cloud core) service to connect to an on-premises network:

  1. Private services access connects the Looker (Google Cloud core) service with the VPC over internal IP addresses using VPC peering.
  2. Cloud Router uses Border Gateway Protocol (BGP) to advertise the private IP prefixes and program dynamic routes based on the BGP advertisements it receives from a peer. Cloud Interconnect is used to connect to the on-premises network.

Cloud VPN and Cloud Router

For a walkthrough of how to create a private and public IP Looker (Google Cloud core) instance and connect it to an on-premises database using HA VPN and Cloud Router, see the Connect Looker Cloud over hybrid networking codelab.

Connecting to databases hosted by other cloud service providers

To set up a private connection to databases or services that are hosted by other cloud service providers, your Google Cloud project must be configured to route traffic to those cloud service providers to allow for data exchange. Learn more about connecting cloud environments on the Patterns for connecting other cloud service providers with Google Cloud documentation page.

Grant access to private IP instances

To allow parties external to your VPC to interface with a Looker (Google Cloud core) instance that has only Private IP enabled, you can set up a proxy server and a custom domain. The remainder of this section provides an example of how to set up a proxy server.

Before you begin

Before you can set up a proxy server, you must install or update to the latest version of the Google Cloud CLI.

Set up a proxy server

The following example shows how to use the command line to set up an NGINX proxy server for an existing Looker (Google Cloud core) instance that has a Private IP network connection enabled. Although NGINX servers can be instantiated with either public IP or private IP (with VPN access allowed) configurations, this example demonstrates a public IP configuration.

You can use any web server that can be configured as a reverse proxy server. You do not have to set up an NGINX server specifically.

  1. Open the Cloud Shell.

  2. Create a subnetwork and an Ubuntu 18 NGINX VM with public IP enabled in your VPC network by running the following commands:

    • Set your variables:

      PROJECT="PROJECT"
      NETWORK="NETWORK"
      SUBNETNAME="SUBNETNAME"
      IP_RANGE="IP_RANGE"
      REGION="REGION"
      ZONE="ZONE"
      INSTANCE_NAME="INSTANCE_NAME"
      

      Replace the following:

      • PROJECT: The ID of the Google Cloud project in which you created your Looker (Google Cloud core) instance.
      • NETWORK: The name of the VPC network that you configured for your Looker (Google Cloud core) instance.
      • SUBNETNAME: Can be a new subnet you create in this procedure or any subnet in your VPC network; does not have to match the subnet name of your Looker (Google Cloud core) instance.
      • IP_RANGE: Any nonconflicting range. Use at least /22 (for example, 10.10.0.0/22).
      • REGION: The region you want to create the proxy server in.
      • ZONE: The zone you want to create the proxy server in. Available zones can be determined by running gcloud compute zones list.
      • INSTANCE_NAME: The name for the proxy server.
    • Create the subnet (alternatively, you can use a subnet that was created when you created your VPC network, if you used auto mode to create your VPC network):

      gcloud compute networks subnets create $SUBNETNAME --network=$NETWORK \
      --range=$IP_RANGE --region=$REGION --project=$PROJECT
      
    • Create the proxy instance:

      INSTANCE_EXTERNAL_IP=$(gcloud compute instances create $INSTANCE_NAME \
      --project=$PROJECT --zone=$ZONE --network=$NETWORK --subnet=$SUBNETNAME \
      --format="json" | jq -r '.[].networkInterfaces[].accessConfigs[].natIP')
      
    • After creating the proxy instance, run this command to display the public IP address of your proxy instance:

      echo $INSTANCE_EXTERNAL_IP
      

      Note the external IP for later in the procedure.

  3. Create a firewall rule to allow traffic to your instance on ports 80, 443, and 22 (or other ports that NGINX is going to listen on) by running this command:

    gcloud compute firewall-rules create managementnet-allow-http-https-ssh \
    --direction=INGRESS --priority=1000 --network=$NETWORK --action=ALLOW \
    --rules=tcp:80,tcp:443,tcp:22 --source-ranges=0.0.0.0/0 --project=$PROJECT
    
  4. Create a public DNS record that uses the domain you'd like for your Looker (Google Cloud core) instance and points to the NGINX VM's public IP address that was output after VM creation. This record can also be created during the process of setting up a custom domain within the Google Cloud console.

  5. Create a third-party certificate for accessing the public URL. This example uses Certbot with its NGINX plugin to generate a Let's Encrypt certificate, but you can use any encryption certificate.

    • Connect to the NGINX VM.

    • Install the Let's Encrypt tool:

      sudo apt-get update
      sudo apt-get install certbot python3-certbot-nginx
      
    • Open the nginx.config file (in this example, /etc/nginx/sites-available/default):

      sudo vi /etc/nginx/sites-available/default
      
    • In the nginx.config file, replace the existing server configuration to set up the server and port 80 for listening:

      server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name SERVER_NAME;
      }
      

      Replace SERVER_NAME with the DNS record name.

    • Reload NGINX:

      sudo nginx -t && sudo nginx -s reload
      
    • Generate a certificate:

      sudo certbot --nginx -d SERVER_NAME
      

      Replace SERVER_NAME with the DNS record name.

  6. In the nginx.config file, replace the server configuration from Step 5 with the following server configuration, to pass traffic to your Looker (Google Cloud core) instance:

    server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      server_name SERVER_NAME;
      ssl_certificate /etc/letsencrypt/live/SERVER_NAME/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/SERVER_NAME/privkey.pem;
      include /etc/letsencrypt/options-ssl-nginx.conf;
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

      location / {
        set $priv_dns "private.lookerapp";
        proxy_pass https://PRIVATE_IP_ADDRESS/$request_uri;
        proxy_set_header Host $server_name;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_protocols TLSv1.3;
        # The certificate presented by the upstream is not verified.
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect https://$priv_dns/ https://SERVER_NAME/;
      }
    }
    # Port 80: redirect requests for SERVER_NAME to HTTPS; any other host gets 404.
    server {
      if ($host = SERVER_NAME) {
        return 301 https://$host$request_uri;
      }
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name SERVER_NAME;
      return 404;
    }
    

    Replace the following:

    • PRIVATE_IP_ADDRESS: The private IP address assigned to your Looker (Google Cloud core) instance, which you can view on the instance's DETAILS page in the Google Cloud console.
    • SERVER_NAME: The DNS record name.
  7. Validate the nginx.config file and reload it:

    sudo nginx -t && sudo nginx -s reload
    
  8. After the configuration has been validated and traffic is routing to the Looker (Google Cloud core) instance and you have set up your custom domain, you can enter the instance's custom domain in the Authorized redirect URIs section of the OAuth client. Then you can view the instance by navigating to the instance URL, add users, connect Looker (Google Cloud core) to your database, and continue instance setup.
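
The ingress rule in step 3 opens tcp:22 to 0.0.0.0/0 and names no target, so it applies to every VM in the VPC network. The following shell lint is an added example, not part of the original procedure: it checks the arguments of a `gcloud compute firewall-rules create` command for both conditions, and goes slightly beyond the rule on the page by also handling port ranges and the default source range. The finding names and the `looker-proxy` tag are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint the arguments of `gcloud compute firewall-rules create`
# before running it. Assumes an ingress rule; finding names are this example's own.

# True if a comma-separated --rules/--allow value permits TCP port 22.
allows_ssh() {
  old_ifs=$IFS; IFS=,
  set -- $1
  IFS=$old_ifs
  for r in "$@"; do
    case "$r" in
      all|tcp|tcp:22) return 0 ;;
      tcp:*-*) p=${r#tcp:}
        if [ "${p%-*}" -le 22 ] && [ "${p#*-}" -ge 22 ]; then return 0; fi ;;
    esac
  done
  return 1
}

# Prints the findings for one rule (space separated), or OK.
lint_fw_rule() {
  rules="" sources="" src_other=no scoped=no findings=""
  for arg in "$@"; do
    case "$arg" in
      --rules=*|--allow=*) rules=${arg#*=} ;;
      --source-ranges=*) sources=${arg#*=} ;;
      --source-tags=*|--source-service-accounts=*) src_other=yes ;;
      --target-tags=*|--target-service-accounts=*) scoped=yes ;;
    esac
  done
  # With no source filter at all, an ingress rule defaults to 0.0.0.0/0.
  if [ -z "$sources" ] && [ "$src_other" = no ]; then sources=0.0.0.0/0; fi
  case ",$sources," in
    *,0.0.0.0/0,*) if allows_ssh "$rules"; then findings="SSH_OPEN_TO_INTERNET"; fi ;;
  esac
  # Without a target, the rule applies to every VM in the VPC network.
  if [ "$scoped" = no ]; then findings="$findings APPLIES_TO_ALL_VMS"; fi
  findings=${findings# }
  echo "${findings:-OK}"
}

# Constructed inputs. First: the rule from step 3 as written. Second and third:
# a tightened split (tag "looker-proxy" is an assumed name; 35.235.240.0/20 is
# the range that IAP TCP forwarding connects from).
lint_fw_rule --rules=tcp:80,tcp:443,tcp:22 --source-ranges=0.0.0.0/0
lint_fw_rule --rules=tcp:80,tcp:443 --source-ranges=0.0.0.0/0 --target-tags=looker-proxy
lint_fw_rule --rules=tcp:22 --source-ranges=35.235.240.0/20 --target-tags=looker-proxy
```

For the tightened rules to match, the proxy VM must carry the tag (`gcloud compute instances add-tags`), and SSH then goes through IAP (`gcloud compute ssh --tunnel-through-iap`).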
