VPC Service Controls support for Looker (Google Cloud core)
VPC Service Controls can improve your ability to mitigate the risk of data exfiltration from Google Cloud services. You can use VPC Service Controls to create service perimeters that help protect the resources and data of services that you explicitly specify.
To add the Looker (Google Cloud core) service to a VPC Service Controls service perimeter, follow the instructions about how to create a service perimeter on the Create a service perimeter documentation page, and select Looker (Google Cloud core) API in the Specify services to restrict dialog. To learn more about using VPC Service Controls, visit the Overview of VPC Service Controls documentation page.
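VPC Service Controls supports Looker (Google Cloud core) instances that meet two criteria:
- Instance editions must be Enterprise or Embed
- Instance network configurations must use private connections
Note: If you're using Shared VPC, ensure that you either include the Looker (Google Cloud core) service project in the same service perimeter as the Shared VPC host project or create a perimeter bridge between the two projects. If the Looker (Google Cloud core) service project and the Shared VPC host project are not in the same perimeter or cannot communicate through a perimeter bridge, instance creation could fail or the Looker (Google Cloud core) instance may not function properly.
Caution: The Looker connector, when used with Looker Studio Pro or Looker reports, can't connect to a Looker (Google Cloud core) instance that is inside of a VPC Service Controls perimeter. For more information about limitations of the Looker connector, see the Limits of the Looker connector documentation page.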
Required roles
To understand the required IAM roles for setting up VPC Service Controls, visit the Access control with IAM page of the VPC Service Controls documentation.
Removing the default route
When a Looker (Google Cloud core) instance is created inside a Google Cloud project that is within a VPC Service Controls perimeter, or is inside a project that gets added to a VPC Service Controls perimeter, you must remove the default route to the internet.
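To remove the default route to the internet, select one of the following options:
gcloud
```
gcloud services vpc-peerings enable-vpc-service-controls --network=NETWORK --service=servicenetworking.googleapis.com
```
Replace NETWORK with your Looker (Google Cloud core) instance's VPC network.
For more information, visit the gcloud services vpc-peerings enable-vpc-service-controls documentation page.
REST
HTTP method and URL:
```
PATCH https://servicenetworking.googleapis.com/v1/{parent=services/*}:enableVpcServiceControls
```
Request JSON body:
```
{
  "consumerNetwork": "NETWORK"
}
```
Replace NETWORK with your Looker (Google Cloud core) instance's VPC network.
For more information, visit the Method: services.enableVpcServiceControls documentation page.
Note: Removing the default route restricts outgoing traffic to only VPC Service Controls compliant services. For example, if the default route is removed, sending email will fail because the API used to send email is not VPC Service Controls compliant.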
Connecting to resources or services outside the VPC Service Controls perimeter
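To connect to another Google Cloud resource or service, you may need to set up ingress and egress rules if the resource's project is outside the VPC Service Controls perimeter.
For information about accessing other external resources, follow the instructions for the type of resource that you want to connect to on either the Access external services using private services access or the Looker (Google Cloud core) southbound access to external services using Private Service Connect documentation page (depending on whether your instance uses private services access or Private Service Connect).
Note: If you are creating a Looker (Google Cloud core) instance inside a Shared VPC, and the Shared VPC host project and the Looker (Google Cloud core) service project are in different VPC Service Controls perimeters, you must create a VPC Service Controls perimeter bridge between the two perimeters to allow instance creation.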
Adding CMEK keys to a perimeter
Sometimes, a Looker (Google Cloud core) instance that is enabled with customer-managed encryption keys (CMEK) has the Cloud KMS key hosted in a different Google Cloud project. For this scenario, when you enable VPC Service Controls, you must add the KMS key hosting project to the security perimeter.
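The following Python check is an added example, not part of the original page or of Google's tooling. It audits service perimeter JSON (Access Context Manager ServicePerimeter shape) against the perimeter requirements described on this page: the Looker API is restricted, the CMEK key project is inside the perimeter, and a Shared VPC host project is in the same perimeter or bridged. The `audit` function, project numbers, perimeter names and the `looker.googleapis.com` service name are assumptions, and the sample data is constructed.

```python
import json

LOOKER_API = "looker.googleapis.com"  # assumed service name of the Looker (Google Cloud core) API

# Constructed sample in the ServicePerimeter JSON shape, e.g. the output of
# `gcloud access-context-manager perimeters list --format=json`.
SAMPLE = json.loads("""[
 {"name": "accessPolicies/1/servicePerimeters/analytics",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {"resources": ["projects/111"], "restrictedServices": ["looker.googleapis.com"]}},
 {"name": "accessPolicies/1/servicePerimeters/network",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {"resources": ["projects/222"], "restrictedServices": ["compute.googleapis.com"]}},
 {"name": "accessPolicies/1/servicePerimeters/looker_bridge",
  "perimeterType": "PERIMETER_TYPE_BRIDGE",
  "status": {"resources": ["projects/111", "projects/222"]}}
]""")

def _members(perimeter):
    """Projects enforced by a perimeter (the `status` block, not the dry-run `spec`)."""
    return set(perimeter.get("status", {}).get("resources", []))

def audit(perimeters, looker_project, kms_project=None, host_project=None):
    """Return a list of findings; an empty list means the checks passed."""
    looker = f"projects/{looker_project}"
    # A missing perimeterType means a regular perimeter (the API default).
    bridges = [p for p in perimeters if p.get("perimeterType") == "PERIMETER_TYPE_BRIDGE"]
    regular = [p for p in perimeters if p.get("perimeterType") != "PERIMETER_TYPE_BRIDGE"]
    home = next((p for p in regular if looker in _members(p)), None)
    if home is None:
        return [f"{looker} is not in any regular service perimeter"]
    findings = []
    if LOOKER_API not in home["status"].get("restrictedServices", []):
        findings.append(f"{LOOKER_API} is not a restricted service in {home['name']}")
    if kms_project and f"projects/{kms_project}" not in _members(home):
        findings.append(f"CMEK key project projects/{kms_project} is outside {home['name']}")
    if host_project:
        host = f"projects/{host_project}"
        bridged = any({looker, host} <= _members(b) for b in bridges)
        if host not in _members(home) and not bridged:
            findings.append(f"Shared VPC host {host} shares no perimeter or bridge with {looker}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "111", kms_project="333", host_project="222"))
```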