This documentation explains how to use Private Service Connect to configure routing from clients to Looker (Google Cloud core), also called northbound traffic.
Create a custom domain
The first step after the Looker (Google Cloud core) instance is created is to set up a custom domain and update the OAuth credentials for the instance. The next sections walk you through the process.
When you create a custom domain for private IP (Private Service Connect) instances, the custom domain must meet the following requirements:
- The custom domain must consist of at least three parts, including at least one subdomain. For example, subdomain.domain.com.
- The custom domain must not contain any of the following:
  - looker.com
  - google.com
  - googleapis.com
  - gcr.io
  - pkg.dev
Set up a custom domain
After your Looker (Google Cloud core) instance has been created, you can set up a custom domain.
Before you begin
Before you can customize the domain of your Looker (Google Cloud core) instance, identify where your domain's DNS records are stored, so that you can update them.
Required roles
To get the permissions that you need to create a custom domain for a Looker (Google Cloud core) instance, ask your administrator to grant you the Looker Admin (roles/looker.admin) IAM role on the project the instance resides in.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a custom domain
In the Google Cloud console, follow these steps to customize the domain of your Looker (Google Cloud core) instance:
- On the Instances page, click the name of the instance for which you would like to set up a custom domain.
- Click the CUSTOM DOMAIN tab.
- Click ADD A CUSTOM DOMAIN. This opens the Add a new custom domain panel.
- Using only letters, numbers, and dashes, enter the hostname of up to 64 characters for the web domain that you would like to use, for example looker.examplepetstore.com.
- Click DONE on the Add a new custom domain panel to return to the CUSTOM DOMAIN tab.
Once set up, your custom domain is displayed in the Domain column on the Custom Domain tab of the instance details page of the Google Cloud console.
After your custom domain has been created, you can view information about it, or delete it.
Update the OAuth credentials
- Access your OAuth client by navigating in the Google Cloud console to APIs & Services > Credentials and selecting the OAuth client ID for the OAuth client that is used by your Looker (Google Cloud core) instance.
- Click the Add URI button to update the Authorized JavaScript origins field in your OAuth client to include the same DNS name that your organization will use to access Looker (Google Cloud core). For example, if your custom domain is looker.examplepetstore.com, you enter looker.examplepetstore.com as the URI.
- Update or add the custom domain to the list of Authorized redirect URIs for the OAuth credentials that you used when you created the Looker (Google Cloud core) instance. Add /oauth2callback to the end of the URI. For example, if your custom domain is looker.examplepetstore.com, you enter looker.examplepetstore.com/oauth2callback.
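The domain rules and the two OAuth client entries above can be checked before you touch the console. The following pre-flight script is an added example, not Google's documentation or tooling; the script name check_domain.sh is an assumption.

```shell
#!/bin/sh
# Added example (not Google's code): applies this page's custom-domain rules for a
# Private Service Connect instance and derives the OAuth client entries from the domain.

# Returns 0 if DOMAIN satisfies the requirements, 1 otherwise (reason on stderr).
check_custom_domain() {
  domain=$1
  # Hostname of up to 64 characters, using only letters, numbers, dashes and dots.
  if [ -z "$domain" ] || [ ${#domain} -gt 64 ]; then
    echo "rejected: '$domain' is empty or longer than 64 characters" >&2; return 1
  fi
  case $domain in
    *[!A-Za-z0-9.-]*) echo "rejected: '$domain' uses characters other than letters, numbers, dashes" >&2; return 1;;
    .*|*.|*..*)       echo "rejected: '$domain' has an empty label" >&2; return 1;;
  esac
  # At least three dot-separated parts, i.e. at least one subdomain (subdomain.domain.com).
  parts=$(printf '%s\n' "$domain" | awk -F. '{print NF}')
  if [ "$parts" -lt 3 ]; then
    echo "rejected: '$domain' has $parts parts; a subdomain is required" >&2; return 1
  fi
  # Must not contain any of the reserved Google domains listed on this page.
  for reserved in looker.com google.com googleapis.com gcr.io pkg.dev; do
    case $domain in
      *"$reserved"*) echo "rejected: '$domain' contains reserved domain $reserved" >&2; return 1;;
    esac
  done
  return 0
}

# Authorized JavaScript origin: the custom domain itself.
oauth_origin() { printf '%s\n' "$1"; }

# Authorized redirect URI: the custom domain with /oauth2callback appended.
oauth_redirect_uri() { printf '%s/oauth2callback\n' "$1"; }

# Usage: sh check_domain.sh looker.examplepetstore.com
if [ $# -eq 1 ]; then
  check_custom_domain "$1" || exit 1
  echo "Authorized JavaScript origin: $(oauth_origin "$1")"
  echo "Authorized redirect URI:     $(oauth_redirect_uri "$1")"
fi
```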
Access the instance over hybrid networking using an endpoint
After you have set up the custom domain, to access the instance from on-premises or from another cloud provider environment (in other words, through hybrid networking), perform the following steps:
- Expose Looker (Google Cloud core) through a Private Service Connect endpoint.
- Advertise the endpoint to multi-cloud and on-premises environments.
- Set up DNS.
Networking overview
In a hybrid networking environment, the following network components are required:
- Cloud Router
- Hybrid networking products such as HA-VPN, Cloud Interconnect, and SD-WAN
In addition, you will need to set up DNS for access.
Private Service Connect allows consumers to access managed services privately from inside their VPC network or over hybrid networking. It allows managed service producers to host these services in their own separate VPC networks and offer a private connection to their consumers. For example, when you use Private Service Connect to access Looker (Google Cloud core), you are the service consumer, and Looker (Google Cloud core) is the service producer.
Looker (Google Cloud core) deployed with Private Service Connect supports endpoints.
An example of a Private Service Connect endpoint network setup is displayed in the following diagram:
In the example, the on-premises environment is connected to a Google Cloud host project through Cloud Interconnect, routing through a Cloud Router to a Private Service Connect endpoint, which connects to a service attachment in a Google-managed producer VPC. A Shared VPC hosts Cloud DNS, for API resolution.
Required roles
Role | Description
Compute Network Admin | Grants full control over the VPC network that initiates a connection to a Looker (Google Cloud core) instance.
Service Directory Editor | Grants permission to create Private Service Connect endpoints.
Looker Admin | Grants full control over Looker (Google Cloud core) resources, including creating an instance that is enabled for Private Service Connect and creating a custom domain.
DNS Admin | Grants full control over Cloud DNS resources, including DNS zones and records.
Create a Private Service Connect endpoint for Looker (Google Cloud core)
Follow the instructions for creating a Private Service Connect endpoint within a VPC network. Make sure the network is allowed ingress to your Looker (Google Cloud core) instance, and follow these guidelines:
- Set the Target service field (for the Google Cloud console) or the SERVICE_ATTACHMENT variable (if following Google Cloud CLI or API instructions) to the Looker service attachment URI, which you can find by running the following command:
  gcloud looker instances describe INSTANCE_NAME --region=REGION --format=json
  Replace the following:
  - INSTANCE_NAME: the name of your Looker (Google Cloud core) instance.
  - REGION: the region in which your Looker (Google Cloud core) instance is hosted.
- You can use any subnet that is hosted in the same region as the Looker (Google Cloud core) instance.
- Don't enable global access.
To view the endpoint details after creation, follow the instructions for viewing endpoint details.
Advertise the endpoint to multi-cloud and on-premises environments
Use Cloud Router to advertise the Private Service Connect endpoint's IP address to your on-premises network or other environment.
When you're deploying Private Service Connect endpoints, a regular subnet within the consumer Virtual Private Cloud (VPC) is used. This subnet is automatically advertised by the Cloud Router. However, if you are selectively advertising custom subnets through the Cloud Router, make sure to modify the Cloud Router configuration to include the IP address or subnet of the Private Service Connect endpoint.
Make sure that your on-premises (or other environment's) firewall allows outbound traffic to the Private Service Connect endpoint's IP address or subnet while taking into account hybrid networking considerations.
Set up DNS
When setting up DNS, you can use one of the following two options:
- Update the on-premises DNS to be authoritative for the Looker (Google Cloud core) custom domain that is mapped to the Private Service Connect endpoint IP address.
- Create a Cloud DNS private zone, create a record set using the IP address allocated for the Private Service Connect endpoint, and enable inbound DNS forwarding to allow your VPC to be authoritative for the Looker (Google Cloud core) custom domain that is mapped to the Private Service Connect endpoint IP address.
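The three hybrid-access steps (endpoint creation, Cloud Router advertisement, and the Cloud DNS option) as one gcloud runbook. This is an added example, not Google's own code; every project, network, subnet, router, IP address and resource name in it is a placeholder, the custom domain is the page's example, and the service attachment URI is supplied by the caller from the describe command shown above.

```shell
#!/bin/sh
# Added example (not Google's code): gcloud runbook for the hybrid-access steps on this
# page. All names and IPs are placeholders; set DRY_RUN=1 to print commands instead of
# running them. Cloud DNS is used here; the on-premises DNS option needs no gcloud step.
set -eu

PROJECT=${PROJECT:-consumer-project}         # placeholder consumer project
REGION=${REGION:-us-central1}                 # must match the Looker instance region
NETWORK=${NETWORK:-consumer-vpc}              # consumer VPC with ingress allowed to Looker
SUBNET=${SUBNET:-consumer-subnet}             # any regular subnet in REGION
ENDPOINT_IP=${ENDPOINT_IP:-10.10.0.10}        # constructed internal IP for the endpoint
ROUTER=${ROUTER:-hybrid-router}               # Cloud Router facing on-prem / other cloud
CUSTOM_DOMAIN=${CUSTOM_DOMAIN:-looker.examplepetstore.com}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Step 1: reserve an internal IP in SUBNET and create the endpoint, a forwarding rule
# targeting the Looker service attachment URI. No global-access option is passed.
create_endpoint() {  # $1 = URI from: gcloud looker instances describe ... --format=json
  run compute addresses create looker-psc-ip --project="$PROJECT" --region="$REGION" \
    --subnet="$SUBNET" --addresses="$ENDPOINT_IP"
  run compute forwarding-rules create looker-psc-endpoint --project="$PROJECT" \
    --region="$REGION" --network="$NETWORK" --address=looker-psc-ip \
    --target-service-attachment="$1"
}

# Step 2: only when the Cloud Router advertises custom ranges; add the endpoint's host
# route so on-prem and other-cloud peers learn it.
advertise_endpoint() {
  run compute routers update "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --add-advertisement-ranges="$ENDPOINT_IP/32"
}

# Step 3: private zone for the custom domain, an A record at its apex pointing at the
# endpoint, and inbound forwarding so on-prem resolvers can query the VPC.
setup_cloud_dns() {
  run dns managed-zones create looker-private-zone --project="$PROJECT" \
    --dns-name="$CUSTOM_DOMAIN." --visibility=private --networks="$NETWORK" \
    --description="Looker custom domain mapped to the PSC endpoint"
  run dns record-sets create "$CUSTOM_DOMAIN." --project="$PROJECT" \
    --zone=looker-private-zone --type=A --ttl=300 --rrdatas="$ENDPOINT_IP"
  run dns policies create looker-inbound-forwarding --project="$PROJECT" \
    --networks="$NETWORK" --enable-inbound-forwarding \
    --description="Inbound forwarding for on-prem resolvers"
}

# Usage: SERVICE_ATTACHMENT=projects/.../serviceAttachments/... sh psc_hybrid.sh apply
if [ "${1:-}" = "apply" ]; then
  create_endpoint "${SERVICE_ATTACHMENT:?set to the Looker service attachment URI}"
  advertise_endpoint
  setup_cloud_dns
fi
```

Run it with DRY_RUN=1 first and compare the printed commands against the page's guidelines (same region as the instance, no global access) before applying.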
What's next
- Connect Looker (Google Cloud core) to your database
- Prepare a Looker (Google Cloud core) instance for users
- Manage users within Looker (Google Cloud core)