This page shows you how to create an IP allowlist for a Looker (Google Cloud core) instance that uses public secure connections or hybrid connections. An IP allowlist is a networking feature that increases security by restricting access to your instance to only the IP addresses that you specify.
Before you begin
- Ensure that you have an existing Looker (Google Cloud core) instance that uses public secure connections or hybrid connections.
- To get the permissions that you need to modify a Looker instance, ask your administrator to grant you the Looker Admin (roles/looker.admin) Identity and Access Management (IAM) role on the project.
Configure an IP allowlist
To configure an IP allowlist for your instance, perform the following steps:
Console
In the Google Cloud console, go to the Looker (Google Cloud core) Instances page.
Click the name of the instance that you want to edit.
On the instance Details tab, click Edit.
In the Configure inbound connections section, select the Enable IP allowlist checkbox to create the allowlist.
Click Add Item to add an IP allowlist rule.
In the Rule name field, enter a name for the rule.
In the IP range field, enter the range of approved IP addresses in CIDR notation.
Click Save.
Remove an IP allowlist rule from the allowlist
To remove an IP allowlist rule from the allowlist, perform the following steps:
Console
In the Google Cloud console, go to the Looker (Google Cloud core) Instances page.
Click the name of the instance that you want to edit.
On the instance Details tab, click Edit.
Hold the pointer over the rule you want to remove and click the Delete item trash icon that appears.
Allow connections to Google services
If your Looker (Google Cloud core) instance uses an IP allowlist, you must grant access to the IP ranges used by other Google Cloud services before you can use those services with Looker (Google Cloud core).
Selecting the Link Google services with this instance checkbox adds the following Google services to the instance's IP allowlist:
To connect to other Google Cloud services, you must add their IP ranges to the IP allowlist as new rules.
IP allowlist considerations
When you configure an IP allowlist, keep the following points in mind:
- Allowlist rules apply to all ingress traffic for both UI and API logins.
- Adding more than 50 rules might negatively impact your instance's performance.
- Certain features, such as the Slack integration and OAuth-enabled actions, don't work when the IP allowlist is enabled.
- Enabling an IP allowlist means that you must add to the allowlist the IP ranges for any Google services that you want to use within Looker (Google Cloud core). For some services, you can use the Link Google services with this instance checkbox, but for other services not covered by that checkbox, you must add the service's IP range directly to the allowlist.
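The following pre-flight check is an added example, not part of the original page or of any Google tooling. It validates a proposed set of rules (rule name plus IP range in CIDR notation) before you enter them in the console, against the 50-rule consideration above. The function name `check_allowlist`, the sample rules, and the `admin_ip` lockout check are assumptions made for illustration.

```python
import ipaddress

MAX_RULES = 50  # above this, the page warns of possible performance impact

# Constructed sample rules using documentation address ranges.
SAMPLE_RULES = [
    ("office", "203.0.113.0/24"),
    ("vpn", "198.51.100.16/28"),
    ("vpn-gateway", "198.51.100.20/32"),  # already inside "vpn"
    ("typo", "192.0.2.10/24"),            # host bits set, not a network
    ("everyone", "0.0.0.0/0"),            # admits every IPv4 address
]

def check_allowlist(rules, admin_ip=None, max_rules=MAX_RULES):
    """Check (rule_name, cidr) pairs; return (valid_networks, findings)."""
    nets, findings = [], []
    for name, cidr in rules:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            try:
                hint = ipaddress.ip_network(cidr, strict=False)
                findings.append(f"{name}: {cidr} has host bits set; did you mean {hint}?")
            except ValueError:
                findings.append(f"{name}: {cidr!r} is not valid CIDR notation")
            continue
        if net.prefixlen == 0:
            findings.append(f"{name}: {net} matches every address")
        else:
            for other_name, other in nets:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"{name}: {net} overlaps rule {other_name} ({other})")
        nets.append((name, net))
    if len(rules) > max_rules:
        findings.append(f"{len(rules)} rules exceeds {max_rules}")
    if admin_ip is not None:
        # Assumed check: the address you administer from should match a rule.
        addr = ipaddress.ip_address(admin_ip)
        if not any(addr in net for _, net in nets):
            findings.append(f"{addr} matches no rule and would lose access")
    return nets, findings

if __name__ == "__main__":
    for finding in check_allowlist(SAMPLE_RULES, admin_ip="203.0.113.7")[1]:
        print(finding)
```

Overlapping rules are reported because they consume rule slots without admitting any additional addresses.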
What's next
- Learn about setting up a custom domain for your instance.
- Learn about connecting your instance to external services.
- Learn how to manage users in Looker (Google Cloud core).