home User Guide Getting Started Help Center Documentation Community Training Certification
menu
close
settings
Looker keyboard_arrow_down
language keyboard_arrow_down
English
Français
Deutsch
日本語
search
print
Enabling secure database access

This step is unnecessary for Google BigQuery and Amazon Athena databases. BigQuery and Athena users should skip directly to database configuration.

Looker-hosted instances: Many companies prefer to use a Looker-hosted instance for the simplicity, ease of implementation, and reduced support costs. In this case, the data that passes between Looker and the database travels over the public Internet, on shared infrastructure. Consequently, it is important to ensure data security. Use one of the options on this page to ensure your network can connect securely to your Looker-hosted instance.

Customer-hosted instances: Customers who are hosting their own Looker instance may be on the same private network as their database. However, if that is not the case, be sure to secure your data as well, perhaps using the types of options suggested on this page. For an IP address allowlist, add to the allowlist the IP address or addresses where your Looker instance is hosted.

The options, from easiest to most difficult, are:

Option 1: IP address allowlist

The first step is to limit access to your data from the network layer. We recommend granting access to your database only from specific, trusted hosts.

All network traffic from Looker will come from one of the following IP addresses, based on the region where your Looker instance is hosted. By default, this will be the United States. Add to the allowlist each of the IP addresses in the appropriate region listed on this page. Prohibiting traffic to your database, except from these and other trusted IP addresses, is an easy way to limit data access.

These allowlist IP addresses also apply for SFTP and SMTP destinations and for LDAP servers that restrict IP traffic. If you are using custom mail settings for SMTP, be sure to add Looker’s IP addresses to your SMTP server’s IP allowlist. Also, if you want to deliver content from Looker to an SFTP server, be sure to add Looker’s IP addresses to your SFTP server’s IP allowlist or inbound traffic rules. If your LDAP server restricts IP traffic, you will need to add Looker’s IP addresses to your LDAP server’s IP allowlist or inbound traffic rules.

Legacy hosting

Use these IP addresses for all instances that are hosted on AWS and that were created before 07/07/2020.

Add to the allowlist the IP addresses that match your region:

United States (AWS default)

Canada

Asia

Ireland

Germany

Australia

South America

Next generation hosting

Use these IP addresses for all instances that are hosted on Google Cloud Platform (GCP) and all instances that are hosted on Amazon Elastic Kubernetes Service (Amazon EKS) and that were created on or after 07/07/2020.

Add to the allowlist the IP addresses that match your region:

Instances hosted on Google Cloud Platform (GCP)

Looker-hosted instances are hosted on GCP by default. For instances that are hosted on GCP, add to the allowlist the IP addresses that match your region:

Moncks Corner, South Carolina, USA (us-east1)

Ashburn, Northern Virginia, USA (us-east4)

Council Bluffs, Iowa, USA (us-central1)

The Dalles, Oregon, USA (us-west1)

Montréal, Québec, Canada (northamerica-northeast1)

London, England, UK (europe-west2)

Frankfurt, Germany (europe-west3)

Mumbai, India (asia-south1)

Eemshaven, Netherlands (europe-west4)

Changhua County, Taiwan (asia-east1)

Tokyo, Japan (asia-northeast1)

Jurong West, Singapore (asia-southeast1)

Jakarta, Indonesia (asia-southeast2)

Sydney, Australia (australia-southeast1)

Osasco (São Paulo), Brazil (southamerica-east1)

Instances hosted on Amazon Elastic Kubernetes Service (Amazon EKS)

For instances that are hosted on Amazon EKS, add to the allowlist the IP addresses that match your region:

US East (N. Virginia) (us-east-1)

For the list of IP addresses to add to your allowlist for this region, contact Looker Support by opening a support request in Looker's Help Center.

US West (Oregon) (us-west-2)

Canada (Central) (ca-central-1)

Europe (Ireland) (eu-west-1)

For the list of IP addresses to add to your allowlist for this region, contact Looker Support by opening a support request in Looker's Help Center.

Europe (Frankfurt) (eu-central-1)

Asia Pacific (Tokyo) (ap-northeast-1)

Asia Pacific (Sydney) (ap-southeast-2)

South America (São Paulo) (sa-east-1)

Instances hosted on Microsoft Azure

For instances that are hosted on Azure, add to the allowlist the IP addresses that match your region:

Virginia, USA (us-east2)

Option 2: SSL encryption

A second option is to enable SSL encryption on your database. SSL prevents anyone from being able to intercept the data between Looker and your database.

You’ll first need to complete the IP address allowlist instructions above. Further instructions for SSL encryption are dialect specific, so links to SSL instructions are included in the Database Configuration section.

Option 3: SSH tunnel

The third option you can use to protect your data is a SSH Tunnel. Using a tunnel provides an encrypted connection and extra authentication for enhanced security. Instructions for this option are provided on the Using an SSH tunnel documentation page.

Next steps

After you have enabled secure database access, you’re ready to configure your database for Looker.

Top