Migrating Private Service Connect connections to the new service attachment URI

Recently Looker (Google Cloud core) released a new type of service attachment URI that facilitates global access and Google-managed certificates with custom domains.

This page provides a step-by-step guide for migrating your existing Private Service Connect endpoints or backends to the new service attachment URI for Looker (Google Cloud core).

Looker (Google Cloud core) instances created before the enhanced service attachments were introduced likely need to undergo this migration in order to use global access and Google-managed certificates. Check the Looker (Google Cloud core) backend to determine if you need to migrate the instance.

Before you begin

This guide assumes you have an existing Looker (Google Cloud core) instance with a private IP configuration that uses Private Service Connect.

To identify which type of service attachment your instance is using, you must have the Looker Viewer (roles/looker.viewer) Identity and Access Management (IAM) role.

See the Private Service Connect documentation for endpoints or backends to determine which IAM role or roles you need to create or view Private Service Connect endpoints or configure Cloud DNS for endpoints.

Identifying your service attachment URI

First, you need to identify which type of service attachment your instance is using.

  1. In the Google Cloud console, go to the Instances page for Looker (Google Cloud core).
  2. Click the name of your instance to open its Details page.
  3. In the Instance details section, look for the Looker Service Attachment URI.

    • If the URI contains ...looker-psc-gateway-HASHSTRING and is in the format projects/TENANT_PROJECT/regions/REGION/serviceAttachments/looker-psc-gateway-HASHSTRING, you are already using the new enhanced service attachment and no further action is needed.
    • If the URI contains ...looker-psc-HASHSTRING and is in the format projects/TENANT_PROJECT/regions/REGION/serviceAttachments/looker-psc-HASHSTRING, you are using the legacy backend and should migrate.

Migration steps

To migrate your PSC endpoints, you will create a new Private Service Connect endpoint pointing to the new service attachment URI and then update your network configuration to use the new endpoint.

Get the new service attachment URI

If the Looker (Google Cloud core) instance isn't using the Gateway backend, the new service attachment URI isn't displayed in the Google Cloud console. However, you can construct it by replacing looker-psc with looker-psc-gateway in your existing URI.

For example, if your old URI is:

projects/t4dd1c6219b22b382p-tp/regions/us-central1/serviceAttachments/looker-psc-2a94bb22-9b8a-4b62-9262-2337a47d15ed

Your new URI will be:

projects/t4dd1c6219b22b382p-tp/regions/us-central1/serviceAttachments/looker-psc-gateway-2a94bb22-9b8a-4b62-9262-2337a47d15ed
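The check from "Identifying your service attachment URI" and the rewrite described above can be scripted so that only a URI in the documented format is converted. This is an added example, not Google's tooling: the function names are hypothetical, and apart from the URI quoted above the sample inputs are constructed.

```sh
#!/bin/sh
# Added example (not Google's tooling). Function names are hypothetical.
# Documented shape of a Looker (Google Cloud core) service attachment URI.
LOOKER_SA_RE='^projects/[^/]+/regions/[^/]+/serviceAttachments/looker-psc-[^/]+$'

# Prints "gateway", "legacy" or "unknown" for one service attachment URI.
classify_attachment() {
  if ! printf '%s\n' "$1" | grep -Eq "$LOOKER_SA_RE"; then
    echo unknown
    return 0
  fi
  case "${1##*/}" in
    looker-psc-gateway-?*) echo gateway ;;   # enhanced, nothing to do
    looker-psc-gateway*)   echo unknown ;;   # no hash string after the prefix
    *)                     echo legacy ;;    # should be migrated
  esac
}

# Prints the enhanced URI. Legacy URIs are rewritten, gateway URIs pass
# through unchanged, anything else is rejected with exit status 1.
to_gateway_uri() {
  case "$(classify_attachment "$1")" in
    gateway) printf '%s\n' "$1" ;;
    legacy)
      # Rewrite only the last path segment, so a project ID that happens to
      # contain "looker-psc" is left alone.
      sa_name="${1##*/}"
      printf '%s/looker-psc-gateway-%s\n' "${1%/*}" "${sa_name#looker-psc-}"
      ;;
    *) echo "not a Looker service attachment URI: $1" >&2; return 1 ;;
  esac
}

# The legacy URI quoted above, then two constructed inputs.
for uri in \
  "projects/t4dd1c6219b22b382p-tp/regions/us-central1/serviceAttachments/looker-psc-2a94bb22-9b8a-4b62-9262-2337a47d15ed" \
  "projects/looker-psc-demo/regions/us-central1/serviceAttachments/looker-psc-gateway-0000" \
  "projects/example/regions/us-central1/serviceAttachments/other-service"
do
  printf '%-8s %s\n' "$(classify_attachment "$uri")" "$(to_gateway_uri "$uri" 2>/dev/null || echo '-')"
done
```

Rejecting anything outside the documented format keeps a mistyped or unrelated service attachment from being used as the target of the new endpoint.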

Private Service Connect endpoint

To migrate an existing Private Service Connect endpoint:

  1. Create a new Private Service Connect endpoint: Identify your existing northbound connections by reviewing the Allowed VPCs field in the Google Cloud console. For each allowed Virtual Private Cloud (VPC), create a new Private Service Connect endpoint that targets the service attachment URI created in the previous step.

  2. Create a private Cloud DNS zone for the *.private.looker.app domain.

  3. Test the new endpoint: After creating the endpoint, verify connectivity to your Looker (Google Cloud core) instance. Run a curl command from a VM located in the same VPC network, targeting your specific *.private.looker.app domain (for example, my-instance.private.looker.app).

    1. From a VM in your VPC network, run the following curl command:
    curl -v https://your_looker_custom_domain.private.looker.app \
        --resolve your_looker_custom_domain.private.looker.app:443:psc_endpoint_ip_address

    2. Replace the following:
    • your_looker_custom_domain.private.looker.app with the actual custom domain for your Looker instance.
    • psc_endpoint_ip_address with the internal IP address of the PSC endpoint in your VPC.

    3. If the curl command returns a 200 status code, the new endpoint is working correctly.

Private Service Connect backend

The recommended configuration for Looker (Google Cloud core) uses an Internal Application Load Balancer with a Private Service Connect network endpoint group (NEG) backend. This architecture supports custom domains and provides TLS termination for private connections.

To migrate an existing Private Service Connect NEG to one created with an enhanced service attachment, you must first create a new Private Service Connect NEG that targets the enhanced service attachment. Once created, update your load balancer configuration as follows:

  1. In the Google Cloud console, go to the Load balancing page.
  2. Click the name of your load balancer and click Edit.
  3. Navigate to Backend configuration and select the backend service associated with your Looker (Google Cloud core) instance.
  4. Click Edit backend service.
  5. In the Backends section, select the new enhanced Private Service Connect NEG from the drop-down menu to replace the existing Private Service Connect NEG.
  6. Click Done.
  7. Click Update.

Test the new endpoint

The Internal Application Load Balancer update that you made targeted the backend service for the enhanced service attachment. Consequently, the frontend configuration—including the IP address, Cloud DNS, and certificates—remains unchanged. Users can now validate the setup by accessing the Looker (Google Cloud core) instance using a browser.

What's next

After migrating your instance's Private Service Connect endpoints, you can take advantage of the following new features:

  • Global access: Create PSC endpoints in any region, regardless of where your Looker (Google Cloud core) instance is located.
  • Google-managed certificates: Use the *.private.looker.app domain for your custom domain and let Google manage the SSL certificate.