home User Guide Getting Started Help Center Documentation Community Training Certification
Looker keyboard_arrow_down
language keyboard_arrow_down
Enabling Secure Database Access

This step is unnecessary for Google BigQuery and Amazon Athena databases. BigQuery and Athena users should skip directly to database configuration.

Looker-hosted instances: Many companies prefer to use a Looker-hosted instance for the simplicity, ease of implementation, and reduced support costs. In this case, the data that passes between Looker and the database travels over the public Internet, on shared infrastructure. Consequently, it is important to ensure data security. Use one of the options below to ensure your network can connect securely to your Looker-hosted instance.

Customer-hosted instances: Customers who are hosting their own Looker instance may be on the same private network as their database. However, if that is not the case, please be sure to secure your data as well, perhaps using the types of options suggested below. For an IP address allowlist, allowlist the IP address or addresses where your Looker instance is hosted.

The options, from easiest to most difficult, are:

Option 1: IP Address Allowlist

The first step is to limit access to your data from the network layer. We recommend granting access to your database only from specific, trusted hosts.

All network traffic from Looker will come from one of the following IP addresses, based on the region where your Looker instance is hosted. By default, this will be the United States. Please allowlist each of the IP addresses in the appropriate region listed below. Prohibiting traffic to your database, except from these and other trusted IP addresses, is an easy way to limit data access.

These allowlist IP addresses also apply for SFTP and SMTP destinations. If you are using custom mail settings for SMTP, be sure to add Looker’s IP addresses to your SMTP server’s IP allowlist. Also, if you want to send data from Looker to an SFTP server or schedule Looker data deliveries to an SFTP server, be sure to add Looker’s IP addresses to your SFTP server’s IP allowlist or inbound traffic rules.

Legacy Hosting

Use these IP addresses for all instances hosted on AWS that were created before 07/07/2020.

Allowlist the IP addresses that match your region:

United States (AWS default)






South America

Next Generation Hosting

Use these IP addresses for all instances hosted on Google Cloud Platform (GCP) and all instances hosted on Amazon Elastic Kubernetes Service (Amazon EKS) that were created on or after 07/07/2020.

Allowlist the IP addresses that match your region:

Instances Hosted on Google Cloud Platform (GCP)

Looker-hosted instances are hosted on GCP by default. For instances hosted on GCP, allowlist the IP addresses that match your region:

Moncks Corner, South Carolina, USA (us-east1)

Ashburn, Northern Virginia, USA (us-east4)

Council Bluffs, Iowa, USA (us-central1)

The Dalles, Oregon, USA (us-west1)

Montréal, Québec, Canada (northamerica-northeast1)

London, England, UK (europe-west2)

Frankfurt, Germany (europe-west3)

Eemshaven, Netherlands (europe-west4)

Changhua County, Taiwan (asia-east1)

Tokyo, Japan (asia-northeast1)

Jurong West, Singapore (asia-southeast1)

Jakarta, Indonesia (asia-southeast2)

Sydney, Australia (australia-southeast1)

Osasco (São Paulo), Brazil (southamerica-east1)

Instances Hosted on Amazon Elastic Kubernetes Service (Amazon EKS)

For instances hosted on Amazon EKS, allowlist the IP addresses that match your region:

US East (N. Virginia) (us-east-1)

Canada (Central) (ca-central-1)

Europe (Ireland) (eu-west-1)

Europe (Frankfurt) (eu-central-1)

Asia Pacific (Tokyo) (ap-northeast-1)

Asia Pacific (Sydney) (ap-southeast-2)

South America (São Paulo) (sa-east-1)

Option 2: SSL Encryption

A second option is to enable SSL encryption on your database. SSL prevents anyone from being able to intercept the data between Looker and your database.

You’ll first need to complete the IP address allowlist instructions above. Further instructions for SSL encryption are dialect specific, so links to SSL instructions are included in the Database Configuration section.

Option 3: SSH Tunnel

The third option you can use to protect your data is a SSH Tunnel. Using a tunnel provides an encrypted connection and extra authentication for enhanced security. Instructions for this option are provided on the Using an SSH Tunnel documentation page.

Next Step

After you have enabled secure database access you’re ready to configure your database for Looker.