Using an SSH Tunnel

For the strongest encryption between Looker and your database, you can create a SSH tunnel to either a tunnel server, or the database server itself.

Step 1: Choose a Host on Which to Terminate the Tunnel

The first step to set up SSH tunnel access for your database is to choose the host that will be used to terminate the tunnel. The tunnel can be terminated on either the database host itself, or on a separate host (the tunnel server).

Using the Database Server

Terminating on the database has the advantage of simplicity. There is one less host involved, so there are no additonal machines and their associated costs. The disadvantage is that your database server may be on a protected network which does not have direct access from the Internet.

Using a Tunnel Server

Terminating the tunnel on a separate server has the advantage of keeping your database server inaccessible from the Internet. If the tunnel server is compromised it is one step removed from the database server. We recommend that you remove all non-essential software and users from the tunnel server and closely monitor it with tools such as an IDS.

The tunnel server can be any Unix/Linux host that:

Can be accessed from the Internet via SSH
Can access the database

Step 2: Create IP Whitelist

The second step is to allow network traffic to reach the tunnel server or database host via SSH, which is generally on TCP port 22.

Please allow network traffic from each of the IP addresses listed below for the region where your Looker instance is hosted. By default this will be the United States.

Legacy Hosting

Use these IP addresses for all instances hosted on AWS that were created before 07/07/2020.

Whitelist the IP addresses that match your region:

United States (AWS default)

54.208.10.167
54.209.116.191
52.1.5.228
52.1.157.156
54.83.113.5

Canada

99.79.117.127
35.182.216.56

Asia

52.68.85.40
52.68.108.109

Ireland

52.16.163.151
52.16.174.170

Germany

18.196.243.94
18.184.246.171
34.89.161.120

Australia

52.65.128.170
52.65.124.87

South America

52.67.8.103
54.233.74.59

Next Generation Hosting

Use these IP addresses for all instances hosted on Google Cloud Platform (GCP) and all instances hosted on Amazon Elastic Kubernetes Service (Amazon EKS) that were created on or after 07/07/2020.

Whitelist the IP addresses that match your region:

Instances Hosted on Google Cloud Platform (GCP)

Looker-hosted instances are hosted on GCP by default. For instances hosted on GCP, whitelist the IP addresses that match your region:

South Carolina (`us-east1`)

35.196.36.95
35.196.243.26
35.196.227.117

Northern Virginia (`us-east4`)

35.186.176.0
35.245.211.109
35.245.121.2
35.236.208.158

Oregon (`us-west1`)

35.185.199.172
34.82.227.133
35.233.172.23
34.83.141.137
34.83.151.46

London (`europe-west2`)

35.246.117.58
34.89.40.253

Frankfurt (`europe-west3`)

34.89.161.120
34.89.225.213

Singapore (`asia-southeast1`)

35.185.184.54

Instances Hosted on Amazon Elastic Kubernetes Service (Amazon EKS)

For instances hosted on Amazon EKS, whitelist the IP addresses that match your region:

US East (N. Virginia) (`us-east-1`)

18.210.137.130
54.204.171.253
50.17.192.87

Canada (Central) (`ca-central-1`)

52.60.157.61
35.182.169.25
52.60.59.128

Europe (Ireland) (`eu-west-1`)

52.210.85.110
52.30.198.163
34.249.159.112

Europe (Frankfurt) (`eu-central-1`)

18.157.231.108
18.157.207.33
18.157.64.198

Asia Pacific (Tokyo) (`ap-northeast-1`)

54.250.91.57
13.112.30.110
54.92.76.241

Asia Pacific (Sydney) (`ap-southeast-2`)

13.238.132.174
3.105.238.71
3.105.113.36

South America (São Paulo) (`sa-east-1`)

54.232.58.181
54.232.58.98
177.71.134.208

Step 3: SSH Tunneling

If you’re connecting Looker to your database without using an SSH tunnel, please proceed on to Database Configuration.

If you’re connecting with a tunnel server, which is the same as your database host, you should provide the following information to your Looker analyst:

IP address or DNS name of the database server
SSH port of the database server
Database port number

If you’re connecting with a tunnel server, which is separate from your database host, you should provide the following information to your Looker analyst:

IP address or DNS name of the database server as seen from the tunnel server
Database port number as seen from the tunnel server
IP address or DNS name of the tunnel server as seen from the public internet
SSH port of the tunnel server as seen from the public internet
Username on the tunnel server for the SSH connection (the standard is looker)

Step 4: Prepare the Tunnel Host

Your Looker analyst will provide you with a unique public key, which will be used to authenticate the SSH tunnel session (we do not support logins via password). You will need to prepare your host (either the database server or tunnel server) by creating a looker user and adding the Looker public key to the Looker .ssh/authorized_keys file. Here’s how:

Create group looker:
```
sudo groupadd looker
```
Create user looker and its home directory:
```
sudo useradd -m  -g looker  looker
```
Switch to the looker user:
```
sudo su - looker
```
Create the .ssh directory:
```
mkdir ~/.ssh
```
Set permissions:
```
chmod 700 ~/.ssh
```
Change to the .ssh directory:
```
cd ~/.ssh
```
Create the authorized_keys file
```
touch authorized_keys
```
Set permissions:
```
chmod 600 authorized_keys
```

Using your favorite text editor, add the SSH key provided by your Looker analyst to the authorized_keys file. The key must be all on one line. In some cases, when you retrieve the key from your email, line breaks will be inserted by your email client. If you do not remove them it will be impossible to establish the SSH tunnel.

Tunnel Security Notes

When an SSH tunnel is terminated on the database server, the connection from Looker appears to be a local connection on the database server. Therefore, it defeats the connection-based security mechanisms built into database platforms such as MySQL. For example, it is very common for local access to be granted to the root user with no password!

By default, opening SSH access also allows forwarding of any ports, circumventing any firewalls between Looker and the database host that is terminating the SSH tunnel. This security risk may well be deemed unacceptable. This port forwarding, and the ability to log in to your tunnel server, can be controlled by properly configuring the .ssh/authorized_keys entry for the Looker public key.

For example, the following text could be prepended to the Looker SSH key in your authorized_keys file. Please note that this text MUST be customized for your environment.

no-pty,no-X11-forwarding,permitopen="localhost:3306",permitopen="localhost:3307",
command="/bin/echo Login Not Permitted"

See the man ssh and man authorized_keys Linux documentation for examples and full details.

Next Steps

At this point, please notify your Looker analyst that you are ready to test the SSH tunnel. Once they confirm that the tunnel is established, they will provide you with the port number for the Looker side of the SSH tunnel.

On your database Connections page:

Enter localhost in the Host field.
In the Port field, enter the port number for the Looker side of the SSH tunnel that was provided by your Looker analyst.
Toggle off Verify SSL Cert on your database Connections page.

SSL Certificates are not supported when setting up an SSH tunnel to your database from Looker. Instead, the SSH key that you added in step 4 provides the handshake security between Looker and your database.