Create a private IP Looker (Google Cloud core) instance

Private IP connections make services reachable without going through the internet or using external IP addresses. Because they don't traverse the internet, connections over private IP typically provide lower latency and limited attack vectors. Private IP connections allow your Looker (Google Cloud core) instance to communicate with other resources in your Virtual Private Cloud (VPC) but don't allow inbound communication from the public internet.

Private IP connectivity isn't compatible with some Looker (Google Cloud core) features. See the feature compatibility table for more information.

Looker (Google Cloud core) supports private IP for instances that meet the following criteria:

To set up a private IP instance, you must have the following IAM permissions:

Before you begin

  1. To get the permissions that you need to create allocated IP address ranges and manage private connections, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access.

    This predefined role contains the permissions required to create allocated IP address ranges and manage private connections. To see the exact permissions that are required, expand the Required permissions section:

    Required permissions

    The following permissions are required to create allocated IP address ranges and manage private connections:

    • See available networks in the Network drop-down:
      • compute.addresses.list
      • compute.globalAddresses.list
      • compute.networks.list
      • compute.globalAddresses.list
    • Create a new VPC network:
      • compute.addresses.create
      • compute.globalAddresses.create
      • serviceusage.services.enable
    • Allocate a private IP range and set up a private services access connection: compute.networks.addPeering

    You might also be able to get these permissions with custom roles or other predefined roles.

    If you are creating a private IP instance with Terraform or Google Cloud CLI and are using a private network that has already been set up, you don't need these permissions.

  2. Enable the Compute Engine API for your project in the Google Cloud console. When you enable the API, you may need to refresh the console page to confirm that the API has been enabled.

    Enable the API

Create and configure a VPC network

Before you can create a private IP connection, you must first create and configure a Virtual Private Cloud (VPC) network. Looker (Google Cloud core) supports multiple private IP instances in the same VPC, either in the same region or in different regions.

  1. Create a VPC network in your project. Alternatively, if you are using a Shared VPC instead of creating a new VPC network, complete the steps in the following section, Creating an instance in a Shared VPC, in addition to completing the remaining steps in this section for the Shared VPC.
  2. Allocate an IPv4 IP range (CIDR block) in your VPC for a private connection to Looker (Google Cloud core).
    • Before allocating your range, consider the constraints.
    • When setting the IP address range size, be aware that the minimum size is a /22 block.
    • Looker (Google Cloud core) supports all IPv4 ranges within RFC 1918, which specifies IP addresses that are assigned to be used internally (that is, within an organization) and won't route on the Internet. Specifically, these are:
      • 10.0.0.0/8
      • 172.16.0.0/12
      • 192.168.0.0/16
    • Class E IPv4 ranges (240.0.0.0/4) are reserved for future use as noted in RFC 5735 and RFC 1112 and aren't supported for Looker (Google Cloud core).
    When a Looker (Google Cloud core) instance is created for the first time in a region within a VPC, Looker creates a proxy-only subnet in the Service Networking tenant project's VPC. The proxy-only subnet uses a /26 range subnet of the /22 subnet that you reserve when you create the Looker (Google Cloud core) instance. Any subsequent private IP Looker (Google Cloud core) instances in the same VPC and in the same region use the same proxy-only subnet.
  3. Add the private services access connection to your VPC network using the IP range allocated in the previous step for the Assigned allocation.
  4. Once your VPC network is created, return to the Create Looker instance page in your Google Cloud project. You may need to refresh the page so that your VPC network is recognized.

Once you have completed these steps, you can begin to create your instance by following the steps on the Create a Looker (Google Cloud core) instance documentation page, starting with the Before you begin section.

Creating an instance in a Shared VPC

If you are creating a Looker (Google Cloud core) instance in a Shared VPC, complete the following steps in the Shared VPC's host project:

  1. Enable the Looker API in the Shared VPC's host project in the Google Cloud console. When you enable the API, you may need to refresh the console page to confirm that the API has been enabled.

    Enable the API

  2. Create a service account in the Shared VPC's host project, using the gcloud services identity create command:

    gcloud beta services identity create --service=looker.googleapis.com --project=SHARED_HOST_PROJECT_ID
    

    Replace SHARED_HOST_PROJECT_ID with the Shared VPC's host project.

  3. Grant the compute.globalAddresses.get IAM permission to the service account in the host project.

After creating the service account and granting it the IAM permission, wait a few minutes for the service account and permission to propagate.

In addition, allocate an IPv4 IP range in the Shared VPC and add the private services access connection to the Shared VPC as described in the previous section, Create and configure a VPC network.

Network configuration during instance creation

To configure private IP during instance creation, select one of the following options:

console

If you select only Private IP or both Private IP and Public IP during instance creation, use the following to finish configuration:

  1. If an Enable Required APIs pop-up is displayed, you must enable additional APIs for your Google Cloud project. To enable the required APIs for a private network connection, click ENABLE ALL.
  2. In the Network drop-down, select your VPC network. Private IP networks require a private services access connection, which enables your services to communicate exclusively by using internal IP addresses. See the Configure private services access documentation page for more information about setting up a private IP connection. If you did not set up a private services connection when you created your VPC network, you can click SET UP CONNECTION under the message Private services access connection required. This opens a side panel where you can allocate an IP range and create a connection.
  3. Under Allocated an IP range, you can select a range of IP addresses within the VPC in which Google will provision a subnetwork for your Looker (Google Cloud core) instance. Subnetworks reserve an IP range that cannot be used by other resources in the VPC network. You won't be able to modify this IP range after you create the Looker (Google Cloud core) instance. IP range allocation includes these options:
    • Select Use automatically assigned IP range to have Google allocate an IP range automatically to provision a subnetwork for the VPC.
    • Select an IP range that was defined during the private services access setup.
  4. Complete instance creation, and click Create to create the instance.

gcloud

  gcloud looker instances create INSTANCE_NAME \
  --project=PROJECT_ID \
  --oauth-client-id=OAUTH_CLIENT_ID \
  --oauth-client-secret=OAUTH_CLIENT_SECRET \
  --region=REGION \
  --edition=EDITION \
  --consumer-network=CONSUMER_NETWORK --private-ip-enabled --reserved-range=RESERVED_RANGE
  [--no-public-ip-enabled]
  [--public-ip-enabled]

Replace the following:

  • INSTANCE_NAME: a name for your Looker (Google Cloud core) instance; it isn't associated with the instance URL.
  • PROJECT_ID: the name of the Google Cloud project in which you are creating the Looker (Google Cloud core) instance.
  • OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET: the OAuth client ID and OAuth secret that you created when you set up your OAuth client. After the instance has been created, enter the instance's URL in the Authorized redirect URIs section of the OAuth client.
  • REGION: the region in which your Looker (Google Cloud core) instance is hosted. Select the region that matches the region in the subscription contract. Available regions are listed on the Looker (Google Cloud core) locations documentation page.
  • EDITION: the edition for the instance. Its possible values are core-standard-annual, core-enterprise-annual, or core-embed-annual. Editions cannot be changed after instance creation. If you want to change an edition, you can use import and export to move your Looker (Google Cloud core) instance data into a new instance that is configured with a different edition.
  • CONSUMER_NETWORK: your VPC network or Shared VPC. Must be set if you're creating a private IP instance.
  • RESERVED_RANGE: the range of IP addresses within the VPC in which Google will provision a subnetwork for your Looker (Google Cloud core) instance. Don't define a range if you're enabling a private IP network connection for your instance.

You may include the following flags:

  • --private-ip-enabled enables private IP.
  • --public-ip-enabled enables public IP.
  • --no-public-ip-enabled disables public IP.

Instance configuration after instance creation

If you create an instance that is enabled only for private IP, you will not receive a URL for the instance. To access the instance, you must do both of the following:

You may also want to further configure your private IP instance by doing the following:

  • Remove the default route if you are using VPC Service controls.
  • Create an email domain allowlist to restrict email deliveries to external domains.
  • Configure your private IP instance to allow or restrict communication with the internet or external resources.

What's next