Configure a private IP Looker (Google Cloud core) instance

Once you have set up a Looker (Google Cloud core) instance with a private IP connection, you may want to configure your instance or Google Cloud project to use certain Looker (Google Cloud core) features or to allow or restrict communication with external services or the internet.

Restricting email deliveries to external domains

By default, Looker (Google Cloud core) instances that use a private IP configuration allow email deliveries to external domains. To restrict the domains to which Looker users can send email deliveries, you can set up an email domain allowlist.

Connecting a private IP Looker (Google Cloud core) instance to external services

Looker (Google Cloud core) instances that use a private IP network may require additional configuration of the Google Cloud project to connect to services or resources outside of a VPC Service Controls perimeter. Configuration options are described in the following sections.

Connecting to a Google Cloud resource or service

To connect to another Google Cloud resource or service, you may need to set up ingress and egress rules if the project that the resource is in is located outside the VPC Service Controls perimeter. For information on setting up a private connection to data sources that are hosted by another cloud service provider, see Connecting to databases hosted by other cloud service providers on this page.

Connecting to databases hosted by other cloud service providers

For you to be able to set up a private connection to databases or services that are hosted by other cloud service providers, your Google Cloud project must be configured to route traffic to those cloud service providers to allow for data exchange. Learn more about connecting cloud environments on the Patterns for connecting other cloud service providers with Google Cloud documentation page.

Connecting to on-premises resources

To set up a private connection to on-premises databases, use Cloud VPN. You will need to configure a dynamic route in your VPC for each on-premises database. If you have configured DNS forwarding for the project in which the Looker (Google Cloud core) instance resides, Looker will be able to connect to any on-premises resources.

Connecting to other internet services

To connect to internet-based services, you will need to configure a dynamic route in your VPC for each service. You may additionally use Cloud NAT to create outbound connections.

Grant public access to private IP instances

To allow parties external to your VPC to interface with a Looker (Google Cloud core) instance that has only Private IP enabled, you can set up a proxy server and a custom domain. The remainder of this section provides an example of how to set up a proxy server.

Before you begin

Before you can set up a proxy server, you must install or update to the latest version of the Google Cloud CLI.

Set up a proxy server

The following example shows how to use the command line to set up an NGINX proxy server for an existing Looker (Google Cloud core) instance that has a Private IP network connection enabled. Although NGINX servers can be instantiated with either public IP or private IP (with VPN access allowed) configurations, this example demonstrates a public IP configuration.

You can use any web server that can be configured as a reverse proxy server. You do not have to set up an NGINX server specifically.

  1. Open the Cloud Shell.

  2. Create a subnetwork and an Ubuntu 18 NGINX VM with public IP enabled in your VPC network by running the following commands:

    • Set your variables:

      PROJECT="PROJECT"
      NETWORK="NETWORK"
      SUBNETNAME="SUBNETNAME"
      IP_RANGE="IP_RANGE"
      REGION="REGION"
      ZONE="ZONE"
      INSTANCE_NAME="INSTANCE_NAME"
      

      Replace the following:

      • PROJECT: The ID of the Google Cloud project in which you created your Looker (Google Cloud core) instance.
      • NETWORK: The name of the VPC network that you configured for your Looker (Google Cloud core) instance.
      • SUBNETNAME: Can be a new subnet you create in this procedure or any subnet in your VPC network; does not have to match the subnet name of your Looker (Google Cloud core) instance.
      • IP_RANGE: Any nonconflicting range. Use at least /22 (for example, 10.10.0.0/22).
      • REGION: The region you want to create the proxy server in.
      • ZONE: The zone you want to create the proxy server in. Available zones can be determined by running gcloud compute zones list.
      • INSTANCE_NAME: The name for the proxy server.
    • Create the subnet (alternatively, you can use a subnet that was created when you created your VPC network, if you used auto mode to create your VPC network):

      gcloud compute networks subnets create $SUBNETNAME --network=$NETWORK \
      --range=$IP_RANGE --region=$REGION --project=$PROJECT
      
    • Create the proxy instance:

      INSTANCE_EXTERNAL_IP=$(gcloud compute instances create $INSTANCE_NAME \
      --project=$PROJECT --zone=$ZONE --network=$NETWORK --subnet=$SUBNETNAME \
      --image-family=ubuntu-1804-lts --image-project=ubuntu-os-cloud \
      --format="json" | jq -r '.[].networkInterfaces[].accessConfigs[].natIP')
      
      The --image-family and --image-project flags select the Ubuntu 18.04 LTS image; jq -r prints the address without surrounding quotes so it can be used directly in later commands.

    • After creating the proxy instance, run this command to print the public IP address of your proxy instance:

      echo $INSTANCE_EXTERNAL_IP
      

      Note the external IP for later in the procedure.

  3. Create a firewall rule to allow ingress traffic to your instance on ports 80, 443, and 22 (or whichever other ports NGINX will listen on) by running this command:

    gcloud compute firewall-rules create managementnet-allow-http-https-ssh \
    --direction=INGRESS --priority=1000 --network=$NETWORK --action=ALLOW \
    --rules=tcp:80,tcp:443,tcp:22 --source-ranges=0.0.0.0/0 --project=$PROJECT
    
  4. Create a public DNS record for the domain you'd like to use for your Looker (Google Cloud core) instance, pointing to the NGINX VM's public IP address that was output after VM creation. This record can also be created during the process of setting up a custom domain within the Google Cloud console.

  5. Create a third-party certificate for accessing the public URL. This example uses Certbot's NGINX plugin to generate a Let's Encrypt certificate, but you can use any TLS certificate.

    • Connect to the NGINX VM.

    • Install NGINX and the Let's Encrypt tool (Certbot with its NGINX plugin):

      sudo apt-get update
      sudo apt-get install nginx certbot python3-certbot-nginx
      
    • Access the nginx.config file:

      sudo vi /etc/nginx/sites-available/default
      
    • In the nginx.config file, replace the existing server configuration to set up the server and port 80 for listening:

      server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name SERVER_NAME;
      }
      

      Replace SERVER_NAME with the DNS record name.

    • Reload NGINX:

      sudo nginx -t && sudo nginx -s reload
      
    • Generate a certificate:

      sudo certbot --nginx -d SERVER_NAME
      

      Replace SERVER_NAME with the DNS record name.

  6. In the nginx.config file, replace the server configuration from Step 5 with the following server configuration, to pass traffic to your Looker (Google Cloud core) instance:

    server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      server_name SERVER_NAME;
      ssl_certificate /etc/letsencrypt/live/SERVER_NAME/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/SERVER_NAME/privkey.pem;
      include /etc/letsencrypt/options-ssl-nginx.conf;
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
      location / {
        set $priv_dns "private.lookerapp";
        # $request_uri already begins with "/", so no separator is placed between the address and the URI
        proxy_pass https://PRIVATE_IP_ADDRESS$request_uri;
        proxy_set_header Host $server_name;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_protocols TLSv1.3;
        # The instance is addressed by its private IP, so the proxy does not verify the instance's certificate
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect https://$priv_dns/ https://SERVER_NAME/;
      }
    }
    server {
      # Redirect plain HTTP requests for SERVER_NAME to HTTPS; anything else gets a 404
      if ($host = SERVER_NAME) {
        return 301 https://$host$request_uri;
      }
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name SERVER_NAME;
      return 404;
    }
    

    Replace the following:

    • PRIVATE_IP_ADDRESS: The private IP address assigned to your Looker (Google Cloud core) instance, which you can view on the instance's DETAILS page in the Google Cloud console.
    • SERVER_NAME: The DNS record name.
  7. Validate the nginx.config file and reload it:

    sudo nginx -t && sudo nginx -s reload
    
  8. After the configuration has been validated and traffic is routing to the Looker (Google Cloud core) instance and you have set up your custom domain, you can enter the instance's custom domain in the Authorized redirect URIs section of the OAuth client. Then you can view the instance by navigating to the instance URL, add users, and continue instance setup.
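As an added example (not code from the Google Cloud documentation), the following POSIX shell script checks a proxy deployed by the procedure above from outside the VPC: that SERVER_NAME resolves to the proxy VM's external IP, that port 80 answers with a redirect to https://SERVER_NAME/, and that the certificate presented on port 443 lists SERVER_NAME. The script name check_proxy.sh, the function names and the sample values (203.0.113.10, looker.example.com) are assumptions; with no arguments it exercises its parsing functions on constructed data so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Verifies the public side of an
# NGINX reverse proxy in front of a private IP Looker (Google Cloud core) instance.
# Assumes curl, openssl and getent are available on the machine running it.
# Usage: sh check_proxy.sh SERVER_NAME EXTERNAL_IP   (file name is hypothetical)
# With no arguments it runs the parsing functions against constructed sample data.

# Pull the proxy VM's NAT IP out of `gcloud compute instances create --format=json`
# output. grep/sed are used so the check works without jq; `jq -r` would give the same.
nat_ip_from_json() {
  printf '%s' "$1" | grep -o '"natIP": *"[^"]*"' | head -n 1 \
    | sed 's/.*"\([^"]*\)"$/\1/'
}

# Succeed when raw HTTP response headers ($1) are a 301/302 to https://$2/...
# which is what the port 80 server block should return. Dots in $2 act as
# regex wildcards, acceptable for a hostname check.
is_https_redirect() {
  printf '%s' "$1" | head -n 1 | grep -Eq 'HTTP/[0-9.]+ 30[12]' || return 1
  printf '%s\n' "$1" | tr -d '\r' | grep -Eiq "^location: https://$2(/|$)" || return 1
}

# Succeed when a subjectAltName list ($1, e.g. "DNS:a.example.com, DNS:b.example.com")
# contains the exact name $2. Wildcard entries are deliberately not matched.
cert_covers_name() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *DNS://' | grep -Fxq "$2"
}

# Live checks against a deployed proxy: DNS record, HTTP-to-HTTPS redirect,
# and whether the served certificate covers SERVER_NAME.
run_live_checks() {
  server_name=$1
  external_ip=$2
  resolved=$(getent hosts "$server_name" | awk '{print $1}' | head -n 1)
  if [ "$resolved" = "$external_ip" ]; then
    echo "DNS: $server_name -> $external_ip"
  else
    echo "DNS: expected $external_ip, got '${resolved:-nothing}'"
  fi
  hdrs=$(curl -sI --max-time 10 "http://$server_name/" || true)
  if is_https_redirect "$hdrs" "$server_name"; then
    echo "HTTP: redirects to HTTPS"
  else
    echo "HTTP: no redirect to https://$server_name/ (check the port 80 server block)"
  fi
  # -ext subjectAltName prints a header line followed by the DNS entries
  san=$(openssl s_client -connect "$server_name:443" -servername "$server_name" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null | tail -n +2)
  if cert_covers_name "$san" "$server_name"; then
    echo "TLS: certificate covers $server_name"
  else
    echo "TLS: certificate does not list $server_name (SAN: '${san:-none}')"
  fi
}

if [ "$#" -ge 2 ]; then
  run_live_checks "$1" "$2"
else
  # Constructed sample data, not output from a real project.
  sample_json='[{"name":"looker-proxy","networkInterfaces":[{"accessConfigs":[{"natIP": "203.0.113.10"}]}]}]'
  sample_hdrs=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://looker.example.com/\r\n')
  echo "sample NAT IP: $(nat_ip_from_json "$sample_json")"
  is_https_redirect "$sample_hdrs" "looker.example.com" && echo "sample redirect: ok"
  cert_covers_name "DNS:looker.example.com, DNS:alt.example.com" "looker.example.com" \
    && echo "sample certificate: ok"
fi
```

The script only sees the public side of the proxy. The hop from NGINX to the instance is made with proxy_ssl_verify off in the configuration above, so a passing run says nothing about the certificate the Looker private IP endpoint presents; that leg is protected by the VPC, not by certificate validation at the proxy.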
