When configuring Looker (Google Cloud core), it's essential to select the appropriate network configuration to ensure seamless integration and optimal performance. This page provides a guide to help you choose between public secure connections and the various private connection configurations.
Considerations for network configuration
Before choosing a network configuration, identify the systems Looker (Google Cloud core) will be configured to connect to:
- Data Sources: What data sources will Looker (Google Cloud core) connect to (e.g., BigQuery, Cloud SQL, on-premises databases)?
- Git Repository: Where is the Git repository hosted (e.g., public GitHub, private GitHub Enterprise hosted on Google Cloud)?
- Team Expertise: Does your team have networking expertise?
Foundational information
Consider the following when choosing your network configuration:
- Connections to BigQuery: All connections to BigQuery use Google's private network, across all network configuration options.
- SSO Configuration: If a third-party identity provider is configured for SSO, communication is from the user's browser to the identity provider and then redirected to the Looker (Google Cloud core) instance. This will work for all options as long as the redirect URL is accessible to your users.
- Instance Creation: The network configuration must be chosen at the time of instance creation. It cannot be changed later, with one exception: after creation, Public IP connectivity can be added to a private services access or Private Service Connect Private IP-only instance, or removed from a private services access or Private Service Connect hybrid connections instance.
- Feature Availability: Out-of-box feature availability varies by network option. Refer to Looker (Google Cloud core) feature differences for more details.
Network configuration options
The following diagram can help you decide which network configuration option is right for you. The diagram uses the acronyms PSC to refer to Private Service Connect and PSA to refer to private services access.
Public IP Only
- Explanation: Instance has a public URL and traffic is over the public internet. This is the simplest setup and requires no advanced network configuration. If you require a custom URL, such as looker.mycompany.com, you can set up a custom domain.
Private Service Connect - Private IP Only - Recommended
- Why choose Private Service Connect?: Private Service Connect is Google's recommended, service-oriented approach for connecting to resources in a private network. It avoids the complexities of network-wide VPC peering, IP range conflicts, and transitive peering limitations. It uses service-oriented connections rather than network-wide peering and is designed to support all new and advanced Looker (Google Cloud core) features.
- Explanation: With Private Service Connect, Looker (Google Cloud core) connects to your resources through Private Service Connect endpoints, and you connect to your Looker (Google Cloud core) instance through its exposed Private Service Connect endpoint.
- Limitations: Your instance is only accessible using its Private Service Connect endpoint; it does not have a public IP address. Each distinct data source in your VPC may require a separate endpoint configuration.
- Requirements: If connecting to resources on the public internet (such as github.com), you can use controlled native egress or configure a southbound Private Service Connect connection using an Internet NEG. For Private Service Connect to function, ensure that the Private Service Connect connection status in the Looker (Google Cloud core) instance details page is Accepted.
- Learn more:
- Private Service Connect overview
- Inbound (user to Looker (Google Cloud core)):
- Outbound (Looker (Google Cloud core) to data sources):
Private Service Connect - Public and Private IP - Recommended
- Why choose Private Service Connect?: Private Service Connect is Google's recommended, service-oriented approach for connecting to resources in a private network. It avoids the complexities of network-wide VPC peering, IP range conflicts, and transitive peering limitations. It uses service-oriented connections rather than network-wide peering and is designed to support all new and advanced Looker (Google Cloud core) features. This option provides a public URL for access from the internet, like the Public IP Only option, but routes outgoing traffic from Looker (Google Cloud core) to your data sources or Git repository through your VPC using Private Service Connect connections.
- Explanation: Your instance has a public URL for access from the internet, but all outgoing traffic from Looker (Google Cloud core) to your data sources or Git repository is routed through Private Service Connect connections to your VPC.
- Limitations: Each distinct data source in your VPC may require a separate endpoint configuration.
- Requirements: If connecting to resources on the public internet that are not in your VPC (such as github.com), you can use Controlled Native Egress or configure a southbound Private Service Connect connection using an Internet NEG. For Private Service Connect to function, ensure that the Private Service Connect connection status in the Looker (Google Cloud core) instance details page is Accepted.
- Learn more:
- Private Service Connect overview
- Inbound (user to Looker (Google Cloud core)):
- Outbound (Looker (Google Cloud core) to data sources):
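Both Private Service Connect options above require that every Private Service Connect connection shows the status Accepted on the instance details page before Looker (Google Cloud core) can reach the resource behind it. The following Python is an added example, not code from the page or from Google; it reads the JSON that `gcloud looker instances describe INSTANCE --region REGION --format=json` prints and lists any southbound service attachment that is not yet accepted. The field names `pscEnabled`, `pscConfig.serviceAttachments[]`, `localFqdn`, `targetServiceAttachmentUri` and `connectionStatus` are this example's assumptions about the describe output, and the sample document is constructed.

```python
"""Report the Private Service Connect connection status of a Looker (Google
Cloud core) instance from `gcloud looker instances describe ... --format=json`.

Assumptions (not from the page): the describe output carries a
`pscConfig.serviceAttachments[]` list whose entries have `localFqdn`,
`targetServiceAttachmentUri` and `connectionStatus`, and only ACCEPTED means
the producer side has accepted the connection.
"""
import json
from typing import Dict, List

# Constructed sample: a hybrid instance with two southbound service
# attachments, one of which the producer has not accepted yet.
SAMPLE_DESCRIBE_JSON = """
{
  "name": "projects/example-project/locations/us-central1/instances/looker-demo",
  "pscEnabled": true,
  "pscConfig": {
    "allowedVpcs": ["projects/example-project/global/networks/analytics-vpc"],
    "serviceAttachments": [
      {
        "localFqdn": "pg-prod.example.internal",
        "targetServiceAttachmentUri": "projects/example-project/regions/us-central1/serviceAttachments/pg-prod-psc",
        "connectionStatus": "ACCEPTED"
      },
      {
        "localFqdn": "github.example.internal",
        "targetServiceAttachmentUri": "projects/example-project/regions/us-central1/serviceAttachments/internet-neg-psc",
        "connectionStatus": "PENDING"
      }
    ]
  }
}
"""

READY = "ACCEPTED"


def psc_connection_report(describe_json: str) -> Dict[str, str]:
    """Map each southbound service attachment (by local FQDN) to its status."""
    doc = json.loads(describe_json)
    psc = doc.get("pscConfig") or {}
    report: Dict[str, str] = {}
    for sa in psc.get("serviceAttachments", []):
        key = sa.get("localFqdn") or sa.get("targetServiceAttachmentUri", "<unknown>")
        report[key] = sa.get("connectionStatus", "CONNECTION_STATUS_UNSPECIFIED")
    return report


def not_ready(describe_json: str) -> List[str]:
    """Attachments whose status is anything other than ACCEPTED, sorted by name."""
    return sorted(k for k, v in psc_connection_report(describe_json).items() if v != READY)


def psc_ready(describe_json: str) -> bool:
    """True only when PSC is enabled and every attachment has been accepted."""
    doc = json.loads(describe_json)
    if not doc.get("pscEnabled"):
        return False
    return not not_ready(describe_json)


if __name__ == "__main__":
    for fqdn, status in psc_connection_report(SAMPLE_DESCRIBE_JSON).items():
        print(f"{fqdn:30} {status}")
    pending = not_ready(SAMPLE_DESCRIBE_JSON)
    print("ready" if not pending else "not ready; accept on the producer side: " + ", ".join(pending))
```

To run it against a live instance, pipe the describe output into `psc_ready` (for example `json.loads(subprocess.check_output([...]))`); a PENDING or REJECTED attachment means the connection must be accepted or fixed on the producer side, not in Looker (Google Cloud core).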
Private services access - Private IP Only - Legacy
- Why choose private services access?: Private services access is an older method that relies on VPC Network Peering. It may be suitable if you have an existing VPC peering setup, but it is prone to scaling issues, IP range exhaustion, and lacks support for transitive peering. For more information about private services access, see Create a private connections (private services access) Looker (Google Cloud core) instance.
- Explanation: Your instance is only accessible from within your VPC or other peered networks using its private IP address; it does not have a public URL. This option requires custom domain configuration for a user-friendly URL. All traffic is routed through your VPC.
- Limitations: Requires a /22 IP range for setup. Certain BI connectors may not be available. Requires networking expertise for setup. Transitive peering is not supported; if your data source is in a network that is peered with your VPC (as in a hub-and-spoke model), Looker (Google Cloud core) won't be able to reach it using private services access. If you are using a Shared VPC, consult your Network Administrator to discuss the /22 IP range allocation and peering implications within the host project.
- Requirements: If connecting to a public Git repository (e.g., github.com), requires additional infrastructure such as a Proxy VM or Cloud NAT.
Private services access - Public and Private IP - Legacy
- Why choose private services access?: Private services access is an older method that relies on VPC Network Peering. It may be suitable if you have an existing VPC peering setup, but it is prone to scaling issues, IP range exhaustion, and lacks support for transitive peering. For more information about private services access, see Create a private connection with Private Service Access for Looker (Google Cloud core).
- Explanation: Your instance has a public URL for access from the internet, but all outgoing traffic from Looker (Google Cloud core) to your data sources or Git repository is routed through your VPC using VPC Network Peering.
- Limitations: Requires a /22 IP range for setup. Requires networking expertise for setup. Transitive peering is not supported; if your data source is in a network that is peered with your VPC (as in a hub-and-spoke model), Looker (Google Cloud core) won't be able to reach it using private services access. If you are using a Shared VPC, consult your Network Administrator to discuss the /22 IP range allocation and peering implications within the host project.
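Both private services access options require a dedicated /22 range, and the page warns about IP range conflicts and exhaustion in peered networks. The following Python is an added example, not code from the page or from Google, for the planning step a network administrator does before allocating that range: it checks that a candidate is a correctly aligned IPv4 /22 inside RFC 1918 space and that it does not overlap anything already in use, including ranges reached through peering. The list of in-use subnets and the candidate ranges are constructed; the requirement to stay inside RFC 1918 space is this example's own assumption, not something the page states.

```python
"""Sanity-check a candidate reserved range for a private services access
(VPC Network Peering) Looker (Google Cloud core) instance.

Added example. The page states only that a /22 is required and that peering
brings IP range conflict and exhaustion risks; the RFC 1918 check and the
subnet inventory below are this example's own assumptions and constructed data.
"""
import ipaddress
from typing import Iterable, List

REQUIRED_PREFIX = 22
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: address space already used in the host project's VPC,
# plus ranges imported from peered spoke networks (peering reserves those too).
IN_USE = [
    "10.10.0.0/20",   # analytics-subnet, us-central1
    "10.10.16.0/20",  # gke-subnet, us-central1
    "10.20.0.0/16",   # peered spoke VPC
    "172.16.0.0/22",  # existing private services access range (another service)
]


def check_reserved_range(candidate: str, in_use: Iterable[str] = IN_USE) -> List[str]:
    """Return the problems found with `candidate`; an empty list means usable."""
    problems: List[str] = []
    net = ipaddress.ip_network(candidate, strict=False)
    if net.version != 4:
        return ["must be an IPv4 range"]
    if str(net) != candidate:
        # e.g. 10.10.1.0/22 is not a valid block start; it normalises to 10.10.0.0/22
        problems.append(f"not on a network boundary (normalises to {net})")
    if net.prefixlen != REQUIRED_PREFIX:
        problems.append(f"prefix is /{net.prefixlen}, a /{REQUIRED_PREFIX} is required")
    if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append("not inside RFC 1918 private address space")
    for used in in_use:
        used_net = ipaddress.ip_network(used)
        if net.overlaps(used_net):
            problems.append(f"overlaps {used_net}")
    return problems


def first_free_range(base: str, in_use: Iterable[str] = IN_USE) -> str:
    """Walk `base` in /22 steps and return the first block that passes every check."""
    for sub in ipaddress.ip_network(base).subnets(new_prefix=REQUIRED_PREFIX):
        if not check_reserved_range(str(sub), in_use):
            return str(sub)
    raise ValueError(f"no free /{REQUIRED_PREFIX} inside {base}")


if __name__ == "__main__":
    for cand in ("10.10.0.0/22", "10.30.0.0/24", "10.30.0.0/22"):
        issues = check_reserved_range(cand)
        print(f"{cand:16} {'OK' if not issues else '; '.join(issues)}")
    print("first free /22 in 10.10.0.0/16:", first_free_range("10.10.0.0/16"))
```

Feed `IN_USE` from the real subnet and peering inventory of the host project (for example from `gcloud compute networks subnets list`) before trusting the result; in a Shared VPC the host project, not the service project, is where the conflicts appear.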
What's next
- Read an overview of Looker (Google Cloud core) networking options.