User Guide Getting Started Help Center Documentation Community Training
Enabling Secure Database Access

This step is unnecessary for Google BigQuery and Amazon Athena databases. BigQuery and Athena users should skip directly to database configuration.

Looker-hosted instances: Many companies prefer to use a Looker-hosted instance for the simplicity, ease of implementation, and reduced support costs. In this case, the data that passes between Looker and the database travels over the public Internet, on shared infrastructure. Consequently, it is important to ensure data security.

Customer-hosted instances: Customers who are hosting their own Looker instance may be on the same private network as their database. However, if that is not the case, please be sure to secure your data as well, perhaps using the types of options suggested below.

The options, from easiest to most difficult, are:

Option 1: IP Address Whitelist

The first step is to limit access to your data from the network layer. We recommend granting access to your database only from specific, trusted hosts.

All network traffic from Looker will come from one of the following IP addresses, based on the region where your Looker instance is hosted. By default this will be the United States. Please whitelist each of the IP addresses in the appropriate region listed below.

These whitelist IP addresses also apply for SFTP and SMTP destinations. If you are using custom mail settings for SMTP, be sure to add Looker’s IP addresses to your SMTP server’s IP whitelist. Also, if you want to send data from Looker to an SFTP server or schedule Looker data deliveries to an SFTP server, be sure to add Looker’s IP addresses to your SFTP server’s IP whitelist or inbound traffic rules.

Instances Hosted on Google Cloud Platform (GCP)

Looker-hosted instances are hosted on GCP by default. For instances hosted on GCP, whitelist the IP addresses that match your region:

United States

South Carolina

Northern Virginia





Asia Pacific


Instances Hosted on Amazon Web Services (AWS)

For instances hosted on AWS, whitelist the IP addresses that match your region:

United States (AWS default)






South America

Prohibiting traffic to your database, except from these and other trusted IP addresses, is an easy way to limit data access.

Option 2: SSL Encryption

A second option is to enable SSL encryption on your database. SSL prevents anyone from being able to intercept the data between Looker and your database.

You’ll first need to complete the IP address whitelist instructions above. Further instructions for SSL encryption are dialect specific, so links to SSL instructions are included in the Database Configuration section.

Option 3: SSH Tunnel

The third option you can use to protect your data is a SSH Tunnel. Using a tunnel provides an encrypted connection and extra authentication for enhanced security. Instructions for this option are provided here.

Next Step

After you have enabled secure database access you’re ready to configure your database for Looker.