console

1. Navigate to the Looker (Google Cloud core) product page from your project in the Google Cloud console. If you have already created a Looker (Google Cloud core) instance within this project, theInstances page will open.

   Go to Looker (Google Cloud core)

2. ClickCREATE INSTANCE.
3. In theInstance name section, provide a name for your Looker (Google Cloud core) instance. The instance name isn't associated with the URL of the Looker (Google Cloud core) instance once it is created. The instance name cannot be changed after instance creation.
4. In theOAuth Application Credentials section, enter the OAuth client ID and OAuth secret that you created when youset up your OAuth client.

5. In theRegion section, select the appropriate option from the drop-down menu to host your Looker (Google Cloud core) instance. Select the region that matches the region in the subscription contract, which is where thequota for your project is allocated. Available regions are listed on theLooker (Google Cloud core) locations documentation page.

   You cannot change the region once the instance has been created.

6. In theEdition section, choose anEnterprise orEmbed (production or non-production) edition option. The edition type affects some of thefeatures that are available for the instance. Make sure that you choose the same edition type as listed in yourannual contract and that you havequota allocated for that edition type.

   • Enterprise: Looker (Google Cloud core) platform with enhanced security features for addressing a wide variety of internal BI and analytics use cases
   • Embed: Looker (Google Cloud core) platform for deploying and maintaining reliable external analytics and custom applications at scale
   • Non-production editions: If you want a staging and testing environment, select one of the non-production editions. For more information, see theNon-production instances documentation.
   • Trial editions: Atrial edition has the same feature support as its corresponding production edition, with the exception that trial editions are valid for 90 days.

   Editions cannot be changed after instance creation. If you want to change an edition, you can useimport and export to move your Looker (Google Cloud core) instance data into a new instance that is configured with a different edition.

   Tip: If your project doesn't have quota, you won't be able to select an edition type.Contact Sales to allocate quota to your project.

7. In theCustomize your instance section, clickShow configuration options to display a group of additional settings that you can customize for the instance.

8. In theConnections section, underInstance IP assignment, choose eitherUse hybrid connections orUse private connections. The type of network connection that you select impacts theLooker features that are available to the instance. The following network connection options are available:

   • Use public secure connections: Looker will have a public URL and use a public network for outbound connections.

   • Use hybrid connections: Looker will have a public URL and use PSC endpoints for outbound connections.

     Note: If hybrid connections are assigned at the time of instance creation, you can change tousing private connections later.

   • Use private connections: Assigns an internal, customer-defined IP address that is accessible in aVirtual Private Cloud (VPC) for ingress. To communicate to VPC and on-premises or multi-cloud workloads, you must deploy service attachments for egress traffic. If you want to use VPC Service Controls, you must selectUse private connections.

9. If you are creating an instance that uses only private connections, set at least one allowed VPC that will be grantedinbound connections into the instance. UnderConfigure inbound connections, in theProject 1 field, select the project in which this network was created.

   To add additional inbound connections, clickAdd Item to add each VPC. In theProject X field, select the project in which the network was created. In theNetwork drop-down menu, select the network.

   If you selectUse hybrid connections in theConnections section, theConfigure inbound connections section doesn't appear. You can set up access to the instance through the instance's web URL.

10. In theLocal FQDN section, specify one or more service attachments that expose an endpoint for outbound connections that Looker can connect to. In theLocal FQDN 1 field, enter the fully qualified domain name of the service, and in theTarget Service Attachment URI 1 field, enter thefull service attachment URI for the external service.

    To add additional service attachments, clickAdd Item to add each service attachment. In theLocal FQDN field, enter the fully qualified domain name of the service. In theTarget Service Attachment URI field, enter thefull service attachment URI for the external service.

11. In theEncryption section, you can select the type of encryption to use on your instance. The following encryption options are available:

    • Google-managed encryption key: This option is the default and doesn't require any additional configuration.
    • Customer-managed encryption key (CMEK): See theUsing customer-managed encryption keys with Looker (Google Cloud core) documentation page for more information on CMEK and how to configure it during instance creation. The type of encryption cannot be changed after instance creation.
    • EnableFIPS 140-2 Validated Encryption: See theEnable FIPS 140-2 level 1 compliance on a Looker (Google Cloud core) instance documentation page for more information on FIPS 140-2 support on Looker (Google Cloud core).

12. In theMaintenance Window section, you can optionallyspecify the day of the week and the hour in which Looker (Google Cloud core) schedules maintenance. Maintenance windows last for one hour. By default, thePreferred Window option in theMaintenance Window is set toAny window.

13. In theDeny Maintenance Period section, you can optionallyspecify a block of days on which Looker (Google Cloud core) doesn't schedule maintenance. Deny maintenance periods can be up to 60 days long. You must allow at least 14 days of maintenance availability between any 2 deny maintenance periods.

14. In theGemini in Looker section, you can optionally makeGemini in Looker features available for the Looker (Google Cloud core) instance. To enable Gemini in Looker, selectGemini, and then selectTrusted Tester features. WhenTrusted Tester features is enabled, users can access the Trusted Tester capabilities of Gemini in Looker. You may request access to the non-public Trusted Tester capabilities through theGemini in Looker preview form on a per-user basis. You must enable this setting to use Gemini during the pre-GA preview. Optionally, selectTrusted Tester data use. When this setting is enabled, you consent to your data being used by Google as described in theGemini for Google Cloud Trusted Tester Program termsTo disable Gemini for a Looker (Google Cloud core) instance, clear theGemini setting.

15. ClickCreate.

gcloud

To create a Private Service Connect instance, run thegcloud looker instances create command with all the following flags:

gcloud looker instances createINSTANCE_NAME \--psc-enabled \--oauth-client-id=OAUTH_CLIENT_ID \--oauth-client-secret=OAUTH_CLIENT_SECRET \--region=REGION \--edition=EDITION \[--psc-allowed-vpcs=ALLOWED_VPC,ADDITIONAL_ALLOWED_VPCS][--no-public-ip-enabled][--public-ip-enabled]--async

Replace the following:

• INSTANCE_NAME: a name for your Looker (Google Cloud core) instance; it is not associated with the instance URL.
• OAUTH_CLIENT_ID andOAUTH_CLIENT_SECRET: the OAuth client ID and OAuth secret that you created when youset up your OAuth client. After the instance has been created,enter the instance's URL in theAuthorized redirect URIs section of the OAuth client.
• REGION: the region in which your Looker (Google Cloud core) instance is hosted. Select the region that matches the region in the subscription contract. Available regions are listed on theLooker (Google Cloud core) locations documentation page.
• EDITION: the edition, environment type (production ornon-production), and whether this is atrial edition for the instance. Its possible values arecore-enterprise-annual,core-embed-annual,nonprod-core-enterprise-annual,nonprod-core-embed-annual,core-trial-enterprise, orcore-trial-embed. Editions cannot be changed after instance creation. If you want to change an edition, you can useimport and export to move your Looker (Google Cloud core) instance data into a new instance that is configured with a different edition.

• ALLOWED_VPC: If you are creating an instance that uses only private connections, list a VPC that will be allowedinbound (ingress) access into Looker (Google Cloud core). To access the instance from outside the VPC that the instance is located in, you must list at least one VPC. Specify a VPC using one of the following formats:

  • projects/{project}/global/networks/{network}
  • https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}

  If you are creating an instance that uses hybrid connections, you don't need to set an allowed VPC.

• ADDITIONAL_ALLOWED_VPCS: any additional VPCs to be allowed inbound access into Looker (Google Cloud core) can be added to the--psc-allowed-vpcs flag in a comma-separated list.

You must also includeone of the following flags to enable or disable public connections:

• --public-ip-enabled enables public connections. If you enable public connections for the instance, incoming traffic will be routed through public connections, and outgoing traffic will be routed through Private Service Connect.
• --no-public-ip-enabled disables public connections.

If you want, you can add more parameters to apply other instance settings:

  [--maintenance-window-day=MAINTENANCE_WINDOW_DAY          --maintenance-window-time=MAINTENANCE_WINDOW_TIME]  [--deny-maintenance-period-end-date=DENY_MAINTENANCE_PERIOD_END_DATE          --deny-maintenance-period-start-date=DENY_MAINTENANCE_PERIOD_START_DATE          --deny-maintenance-period-time=DENY_MAINTENANCE_PERIOD_TIME]  --kms-key=KMS_KEY_ID  [--fips-enabled]

• MAINTENANCE_WINDOW_DAY: must be one of the following:friday,monday,saturday,sunday,thursday,tuesday,wednesday. See theManage maintenance policies for Looker (Google Cloud core) documentation page for more information about maintenance window settings.
• MAINTENANCE_WINDOW_TIME andDENY_MAINTENANCE_PERIOD_TIME: must be in UTC in 24-hour format (for example, 13:00, 17:45).
• DENY_MAINTENANCE_PERIOD_START_DATE andDENY_MAINTENANCE_PERIOD_END_DATE: must be in the formatYYYY-MM-DD.
• KMS_KEY_ID: must be the key that is created when setting upcustomer-managed encryption keys (CMEK).

You may include the--fips-enabled flag toenable FIPS 140-2 level 1 compliance.

The process for creating a Private Service Connect instance differs from the process for creating a Looker (Google Cloud core) (private services access) instance in the following ways:

• With Private Service Connect setup, the--consumer-network and--reserved-range flags are not necessary.
• Private Service Connect instances require an additional flag:--psc-enabled.

• The--psc-allowed-vpcs flag is a comma-separated list of VPCs. You can specify as many VPCs as you like in the list.

  Tip: You must havequota for the proper edition type to create an instance. If you don't have quota,contact Sales to allocate quota to your project.

Terraform

Use the followingTerraform resource to provision aEnterprise Looker (Google Cloud core) instance that uses PSC:

# Create an ENTERPRISE edition Looker (Google Cloud core) instance that has PSC enabled.resource "google_looker_instance" "default" {  name               = "my-instance"  platform_edition   = "LOOKER_CORE_ENTERPRISE_ANNUAL"  region             = "us-central1"  private_ip_enabled = false  public_ip_enabled  = false  psc_enabled        = true  oauth_config {    client_id     = "my-client-id"    client_secret = "my-client-secret"  }  psc_config {    # allowed_vpcs = ["projects/{project}/global/networks/{network}"]    # (Optional) List of VPCs that are allowed ingress into the Looker instance. Set an allowed VPC if you are creating an instance that uses only private IP.  }}

Enter values for the following:

• name: a name for your Looker (Google Cloud core) instance; it is not associated with the instance URL.
• platform_edition: the edition, environment type (production ornon-production), and whether this is atrial edition for the instance. Its possible values areLOOKER_CORE_ENTERPRISE_ANNUAL,LOOKER_CORE_EMBED_ANNUAL,LOOKER_NONPROD_CORE_ENTERPRISE_ANNUAL,LOOKER_NONPROD_CORE_EMBED_ANNUAL,LOOKER_CORE_TRIAL_ENTERPRISE, orLOOKER_CORE_TRIAL_EMBED. This example usesLOOKER_CORE_ENTERPRISE_ANNUAL. Editions cannot be changed after instance creation. If you want to change an edition, you can useimport and export to move your Looker (Google Cloud core) instance data into a new instance that is configured with a different edition.
• region: the region in which your Looker (Google Cloud core) instance is hosted. Select the region that matches the region in the subscription contract. This example usesus-central1. Available regions are listed on theLooker (Google Cloud core) locations documentation page.
• client_id andclient_secret: the OAuth client ID and OAuth secret that you created when youset up your OAuth client. After the instance has been created,enter the instance's URL in theAuthorized redirect URIs section of the OAuth client.

• allowed_vpcs: If you are creating an instance that uses only private connections, list a VPC that will be allowedinbound (ingress) access into the Looker (Google Cloud core) instance. To access the instance from outside the VPC that the instance is located in, you must list at least one VPC. Specify a VPC using one of the following formats:

  • projects/{project}/global/networks/{network}
  • https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}

  If you are creating an instance that uses hybrid connections, you don't need to set an allowed VPC. You can update and add additional VPC IPs later.

  You will also need to update the instance tomake outbound connections.

console

As the instance is being created, you can view its status on theInstances page within the console. You can also see your instance creation activity by clicking on the notifications icon in the Google Cloud console menu. On theDetails page for the instance, its status will showActive once it's created.

gcloud

To check the status, use thegcloud looker instances describe command:

gcloud looker instances describeINSTANCE_NAME --region=REGION

Replace the following:

• INSTANCE_NAME: the name of your Looker (Google Cloud core) instance.
• REGION: the region in which your Looker (Google Cloud core) instance is hosted.

The instance is ready once it reaches theACTIVE state.

console

1. On theInstances page, click the name of the instance for which you want to update the VPCs that are allowed inbound access.
2. ClickEdit.
3. Expand theConnections section.
4. Navigate to theConfigure inbound connections section.
5. ClickAdd Item. Then, select the project in which the VPC is located in theProject field, and select the network from theNetwork drop-down menu.
6. To delete a VPC, click theDelete item trash icon that appears when you hold the pointer over the network.
7. ClickSave.

gcloud

Use the--psc-allowed-vpcs flag to update the list of VPCs that have authorized inbound access into the instance.

When you update the allowed VPCs, you must specify the entire list that you want to be in effect after your update. For example, suppose VPCALLOWED_VPC_1 is already allowed, and you want to add VPCALLOWED_VPC_2. To add VPCALLOWED_VPC_1 while making sure that VPCALLOWED_VPC_2 continues to be allowed, add the--psc-allowed-vpcs flag as follows:

gcloud looker instances updateINSTANCE_NAME \--psc-allowed-vpcs=ALLOWED_VPC_1,ALLOWED_VPC_2 --region=REGION

Replace the following:

• INSTANCE_NAME: the name of your Looker (Google Cloud core) instance.
• ALLOWED_VPC_1 andALLOWED_VPC_2: the VPCs that will be allowed ingress into Looker (Google Cloud core). Specify each allowed VPC using one of the following formats:
  • projects/{project}/global/networks/{network}
  • https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}
• REGION: the region in which your Looker (Google Cloud core) instance is hosted.

console

1. On theInstances page, click the name of the instance for which you want to enableoutbound (egress) connections.
2. ClickEdit.
3. Expand theConnections section.
4. Navigate to theConfigure outbound connections section.
5. Select theEnable Looker to connect to external services checkbox.
6. Select theEnable connection to Looker Marketplace checkbox.
7. ClickConfirm on the dialog explaining that connecting to Marketplace allows egress to github.com.
8. ClickSave.

console

1. On theInstances page, click the name of the instance for which you want to enableoutbound (egress) connections.
2. ClickEdit.
3. Expand theConnections section.
4. Navigate to theConfigure outbound connections section.
5. Select theEnable Looker to connect to external services checkbox.
6. In theGlobal FQDN section, enter the fully-qualified domain name you want to connect to.
7. ClickAdd Item if you want to add another domain.
8. ClickSave.

console

1. On theInstances page, click the name of the instance for which you want to enableoutbound (egress) connections.
2. ClickEdit.
3. Expand theConnections section.
4. Navigate to theLocal FQDN section.
5. To edit an existing service attachment, update the fully qualified domain name of the service in theLocal FQDN field and theservice attachment URI in theTarget Service Attachment URI field.
6. To add a new service attachment, clickAdd Item. Next, enter the fully qualified domain name of the service in theLocal FQDN field and the service attachment URI in theTarget Service Attachment URI field.
7. ClickSave.

gcloud

Use--psc-service-attachment flags to enableoutbound (egress) connections to external services for which you have alreadyset up Private Service Connect:

gcloud looker instances updateINSTANCE_NAME \--psc-service-attachment  domain=DOMAIN_1,attachment=SERVICE_ATTACHMENT_URI_1 \--psc-service-attachment domain=DOMAIN_2,attachment=SERVICE_ATTACHMENT_URI_2 \--region=REGION

Replace the following:

• INSTANCE_NAME: the name of your Looker (Google Cloud core) instance.

• DOMAIN_1 andDOMAIN_2: If you are connecting to a public service, use the service's domain name. If you are connecting to a private service, use your choice of a fully qualified domain name. The following restrictions apply to the domain name:

• Each outbound connection supports a single domain.

• The domain name must consist of at least three parts. For example,mydomain.github.com is acceptable, butgithub.com is not acceptable.

• The last part of the name cannot be any the following:

  • googleapis.com
  • google.com
  • gcr.io
  • pkg.dev

  When you set up a connection to your service from within your Looker (Google Cloud core) instance, use this domain as the alias for your service.

• SERVICE_ATTACHMENT_1 andSERVICE_ATTACHMENT_2: the fullservice attachment URI for the published service you are connecting to. Each service attachment URI can be accessed by a single domain.

• REGION: the region in which your Looker (Google Cloud core) instance is hosted.

Include all connections that should be enabled

Each time you run an update command with--psc-service-attachment flags, you must include every connection that you want to be enabled, including connections that were already enabled previously. For example, suppose you have previously connected an instance calledmy-instance to thewww.cloud.com domain as follows:

gcloud looker instances update my-instance --psc-service-attachment \domain=www.cloud.com,attachment=projects/123/regions/us-central1/serviceAttachment/cloud

Running the following command to add a newwww.me.com connection would delete thewww.cloud.com connection:

gcloud looker instances update my-instance --psc-service-attachment \domain=www.me.com,attachment=projects/123/regions/us-central1/serviceAttachment/my-sa

To prevent deletion of thewww.cloud.comconnection when you add the newwww.me.com connection, include a separatepsc-service-attachment flag for both the existing connection and the new connection within the update command as follows:

gcloud looker instances update my-instance --psc-service-attachment \domain=www.cloud.com,attachment=projects/123/regions/us-central1/serviceAttachment/cloud \--psc-service-attachment domain=www.me.com,attachment=projects/123/regions/us-central1/serviceAttachment/my-sa

Terraform

Use the following Terraform resource to update your Looker (Google Cloud core) instance to enableoutbound (egress) connections to external services that you have alreadypublished with Private Service Connect:

service_attachments = [{local_fqdn: "www.local-fqdn.com" target_service_attachment_uri: "projects/{project}/regions/{region}/serviceAttachments/{name}}]

Enter values for the following:

• local_fqdn: the fully qualified domain name of the published service.
• target_service_attachment_uri: the fullservice attachment URI for the published service you are connecting to. Each service attachment URI can be accessed by a single domain.

console

View the connection status on theDetails tab of the instance configuration page in the console. ThePSC Configuration fields show the statuses for each type of connection.

gcloud

Run thegcloud looker instances describe --format=json command to check outbound connection status. Each service attachment should be populated with aconnection_status field.