VPC Service Controls support for Looker (Google Cloud core)

VPC Service Controls can improve your ability to mitigate the risk of data exfiltration from Google Cloud services. You can use VPC Service Controls to create service perimeters that help protect the resources and data of services that you explicitly specify.

To add the Looker (Google Cloud core) service to a VPC Service Controls service perimeter, follow the instructions about how to create a service perimeter on the Create a service perimeter documentation page, and select Looker (Google Cloud core) API in the Specify services to restrict dialog. To learn more about using VPC Service Controls, visit the Overview of VPC Service Controls documentation page.

VPC Service Controls supports Looker (Google Cloud core) instances that meet two criteria:

Note: If you're using Shared VPC, ensure that you either include the Looker (Google Cloud core) service project in the same service perimeter as the Shared VPC host project or create a perimeter bridge between the two projects. If the Looker (Google Cloud core) service project and the Shared VPC host project are not in the same perimeter or cannot communicate through a perimeter bridge, instance creation could fail or the Looker (Google Cloud core) instance may not function properly.

Required roles

To understand the required IAM roles for setting up VPC Service Controls, visit the Access control with IAM page of the VPC Service Controls documentation.

Removing the default route

When a Looker (Google Cloud core) instance is created inside a Google Cloud project that is within a VPC Service Controls perimeter, or is inside a project that gets added to a VPC Service Controls perimeter, you must remove the default route to the internet.

To remove the default route to the internet, select one of the following options:

gcloud

gcloud services vpc-peerings enable-vpc-service-controls --network=NETWORK --service=servicenetworking.googleapis.com

Replace NETWORK with your Looker (Google Cloud core) instance's VPC network.

For more information, visit the gcloud services vpc-peerings enable-vpc-service-controls documentation page.

REST

HTTP method and URL:

PATCH https://servicenetworking.googleapis.com/v1/{parent=services/*}:enableVpcServiceControls

Request JSON body:

{"consumerNetwork": "NETWORK"}

Replace NETWORK with your Looker (Google Cloud core) instance's VPC network.

For more information, visit the Method: services.enableVpcServiceControls documentation page.

Note: Removing the default route restricts outgoing traffic to only VPC Service Controls compliant services. For example, if the default route is removed, sending email will fail because the API used to send email is not VPC Service Controls compliant.

Connecting to resources or services outside the VPC Service Controls perimeter

To connect to another Google Cloud resource or service, you may need to set up ingress and egress rules if the project that the resource is in is located outside the VPC Service Controls perimeter.

For information about accessing other external resources, follow the instructions for the type of resource that you want to connect to on either the Access external services using private services access or the Looker (Google Cloud core) southbound access to external services using Private Service Connect documentation page (depending on whether your instance uses private services access or Private Service Connect).

Note: If you are creating a Looker (Google Cloud core) instance inside a Shared VPC, and the Shared VPC host project and the Looker (Google Cloud core) service project are in different VPC Service Controls perimeters, you must create a VPC Service Controls perimeter bridge between the two perimeters to allow instance creation.

Adding CMEK keys to a perimeter

Sometimes, a Looker (Google Cloud core) instance that is enabled with customer-managed encryption keys (CMEK) has the Cloud KMS key hosted in a different Google Cloud project. For this scenario, when you enable VPC Service Controls, you must add the KMS key hosting project to the security perimeter.
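
The Shared VPC notes and the CMEK requirement above are all perimeter-membership rules, so they can be audited together. The following is an added example, not part of the original documentation: it checks those rules against perimeter JSON shaped like the output of gcloud access-context-manager perimeters list --format=json. The sample data, project numbers, function names, and the service name looker.googleapis.com are assumptions.

```python
import json

LOOKER_API = "looker.googleapis.com"  # assumed service name for the Looker (Google Cloud core) API

# Constructed sample shaped like `gcloud access-context-manager perimeters list --format=json`.
# Policy ID and project numbers are placeholders; only the enforced `status` config is read.
SAMPLE = json.loads("""[
 {"name": "accessPolicies/0/servicePerimeters/analytics",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {"resources": ["projects/111", "projects/333"],
             "restrictedServices": ["looker.googleapis.com", "cloudkms.googleapis.com"]}},
 {"name": "accessPolicies/0/servicePerimeters/network",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {"resources": ["projects/222"], "restrictedServices": ["compute.googleapis.com"]}},
 {"name": "accessPolicies/0/servicePerimeters/looker_bridge",
  "perimeterType": "PERIMETER_TYPE_BRIDGE",
  "status": {"resources": ["projects/111", "projects/222"]}}
]""")

def _members(perimeters, bridge):
    """Map project -> set of perimeter names of the requested kind (bridge or regular)."""
    out = {}
    for p in perimeters:
        # A missing perimeterType is treated as a regular perimeter.
        if (p.get("perimeterType") == "PERIMETER_TYPE_BRIDGE") != bridge:
            continue
        for res in p.get("status", {}).get("resources", []):
            out.setdefault(res, set()).add(p["name"])
    return out

def check_looker_perimeter(perimeters, looker_project, host_project=None, kms_project=None):
    """Return a list of findings; an empty list means the placement rules on this page hold."""
    regular, bridges = _members(perimeters, False), _members(perimeters, True)
    home = regular.get(looker_project, set())
    if not home:
        return [f"{looker_project} is not in any regular service perimeter"]
    findings = []
    restricted = {s for p in perimeters if p["name"] in home
                  for s in p.get("status", {}).get("restrictedServices", [])}
    if LOOKER_API not in restricted:
        findings.append(f"{LOOKER_API} is not restricted in {sorted(home)}")
    # Shared VPC host must share a regular perimeter with the Looker project or be bridged to it.
    if host_project and not (home & regular.get(host_project, set())
            or bridges.get(looker_project, set()) & bridges.get(host_project, set())):
        findings.append(f"Shared VPC host {host_project}: no shared perimeter or bridge")
    # The project hosting the CMEK key must sit inside the Looker project's perimeter.
    if kms_project and not home & regular.get(kms_project, set()):
        findings.append(f"CMEK key project {kms_project} is outside the perimeter")
    return findings
```
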


Last updated 2026-02-19 UTC.