Looker (Google Cloud core) instances deployed with Private Service Connect (PSC) offer enhanced network isolation by using private connections for inbound access and database connections. A key consideration for these secure, privately-connected instances is managing outbound access, often referred to as egress or southbound access. This becomes especially relevant for services that require external connections, such as the Looker Marketplace.
The Challenge: Balancing Isolation and Functionality
When a Looker (Google Cloud core) PSC instance is provisioned, its network configuration is designed to be highly restrictive to meet enterprise security requirements. This isolation is fantastic for reducing the attack surface, but it can initially block access to external services like the Looker Marketplace, which hosts valuable Blocks, Applications, and Visualizations.
The Looker Marketplace requires outbound access over HTTPS to specific FQDNs (Fully Qualified Domain Names) to fetch and manage content.
- For Looker versions 23.10 and later: The primary FQDN is typically
static-a.cdn.looker.app:443. - For older versions (23.8 and earlier): The primary FQDN was
marketplace-api.looker.com:443. - Git Connectivity: Components like the API Explorer may also require Git connectivity for full functionality, often involving endpoints like
*.github.com:443HTTPS FQDNs.
The Solution: Enabling Controlled Egress
To enable necessary outbound access while maintaining the strict security posture of a PSC instance, Looker (Google Cloud core) provides a feature called Controlled Egress. This allows administrators to explicitly define and enable secure, outbound connections.
How Controlled Egress Works
Controlled Egress is the mechanism for a Looker (Google Cloud core) PSC instance (acting as the Service Consumer) to initiate connections to external public services (like the Looker Marketplace) or global FQDNs.
- Configuration Setting: On the Looker (Google Cloud core) instance detail page in the Google Cloud console, there are fields like Controlled Egress Enabled and Marketplace Enabled.
- Marketplace Egress: To enable the Marketplace, an egress connection must be explicitly created. This allows the Looker instance to reach the necessary global FQDNs for Marketplace content over HTTPS.
Important Consideration: The Port 443 Limitation
“The Controlled Egress configuration for Global FQDNs (including the Marketplace) only permits connections over HTTPS (Port 443). If you require egress to an external service on a different port—such as Git over SSH (Port 22) for custom repository access—you must use the classic PSC Southbound configuration involving an Internal TCP Proxy Load Balancer and an Internet NEG.”
Actionable Takeaway for Admins
If you have a Looker (Google Cloud core) PSC instance and the Marketplace icon is missing, or attempts to install blocks fail with network errors, you must:
-
Verify Marketplace Egress: Check the Looker (Google Cloud core) instance details in the Google Cloud console to confirm that Controlled Egress is True and Marketplace Enabled is True. If not, update the instance configuration to enable this required egress connection. Updating this as True means you are going to allow egress connection with github.com as well and the same will be displayed on pop-up when you are enabling this.
-
Next Course of Action: You have to be Looker Native Admin [Not AdminViaIAM] to enable Marketplace at the instance level via
Admin >> Marketplace. Save the settings and then Marketplace will be accessed and components or Blocks or Visualisations can be installed from Marketplace. -
Consider Other Dependencies: If you are using Marketplace components that connect to external Git repositories [Not a publicly hosted github.com] or third-party services, you may need to set up additional PSC Southbound connections using Internet NEGs for those specific FQDNs.
By leveraging Controlled Egress, organizations can adhere to strict security policies that demand private connections while still accessing the powerful extensions and content offered by the Looker Marketplace.