Note that you are viewing Looker documentation. For Looker Studio documentation, visit https://support.google.com/looker-studio.

VPC Service Controls support for Looker (Google Cloud core)

VPC Service Controls can improve your ability to mitigate the risk of data exfiltration from Google Cloud services. You can use VPC Service Controls to create service perimeters that help protect the resources and data of services that you explicitly specify.

To add the Looker (Google Cloud core) service to a VPC Service Controls service perimeter, follow the instructions about how to create a service perimeter on the Create a service perimeter documentation page, and select Looker (Google Cloud core) API in the Specify services to restrict dialog. To learn more about using VPC Service Controls, visit the Overview of VPC Service Controls documentation page.

VPC Service Controls supports Looker (Google Cloud core) instances that meet two criteria:

Instance editions must be Enterprise or Embed
Instance network configurations must use private IP only

Required roles

To understand the required IAM roles for setting up VPC Service Controls, visit the Access control with IAM page of the VPC Service Controls documentation.

Removing the default route

When a Looker (Google Cloud core) instance is created inside a Google Cloud project that is within a VPC Service Controls perimeter, or is inside a project that gets added to a VPC Service Controls perimeter, you must remove the default route to the internet.

To remove the default route to the internet, select one of the following options:

gcloud

gcloud services vpc-peerings enable-vpc-service-controls --network=NETWORK --service=servicenetworking.googleapis.com

Replace NETWORK with your Looker (Google Cloud core) instance's VPC network.

For more information, visit the gcloud services vpc-peerings enable-vpc-service-controls documentation page.

REST

HTTP method and URL:

PATCH https://servicenetworking.googleapis.com/v1/{parent=services/*}:enableVpcServiceControls

Request JSON body:

{
"consumerNetwork": NETWORK
}

Replace NETWORK with your Looker (Google Cloud core) instance's VPC network.

For more information, visit the Method: services.enableVpcServiceControls documentation page.

Connecting to resources or services outside the VPC Service Controls perimeter

To connect to another Google Cloud resource or service, you may need to set up ingress and egress rules if the project that the resource is in is located outside the VPC Service Controls perimeter.

For information on accessing other external resources, follow the instructions for the type of resource that you want to connect to on the Private IP networking with Looker (Google Cloud core) documentation page.

Adding CMEK keys to a perimeter

Sometimes, a Looker (Google Cloud core) instance that is enabled with customer-managed encryption keys (CMEK) has the Cloud KMS key hosted in a different Google Cloud project. For this scenario, when you enable VPC Service Controls, you must add the KMS key hosting project to the security perimeter.