Looker PSC Southbound SSH Internet NEG

1. Introduction

In this codelab you will perform a southbound SSH connection to GitHub using an internal TCP proxy load balancer and an internet network endpoint group (NEG), invoked from Looker PSC as a Service Consumer.

Private Service Connect is a capability of Google Cloud networking that allows consumers to access managed services privately from inside their VPC network. Similarly, it allows managed service producers to host these services in their own separate VPC networks and offer a private connection to their consumers. For example, when you use Private Service Connect to access Looker, you are the service consumer, and Google is the service producer, as highlighted in Figure 1.

Figure 1.


Southbound access, also known as reverse PSC, enables the Consumer to create a Published Service as a Producer to allow Looker access to endpoints on-premises, in a VPC, to managed services and the Internet. Southbound connections can be deployed in any region, irrespective of where Looker PSC is deployed, as highlighted in Figure 2.

Figure 2.


What you'll learn

  • Network requirements
  • Create a Private Service Connect producer service
  • Create a Private Service Connect endpoint in Looker
  • Establish connectivity to GitHub from Looker using a Test Connection

What you'll need


2. What you'll build

You'll establish a Producer network, looker-psc-demo, to deploy an internal TCP proxy load balancer and an Internet NEG, published as a service via Private Service Connect (PSC). Once published, you'll perform the following actions to validate access to the Producer service:

  • Create a PSC Endpoint in Looker associated with the Producer Service Attachment
  • Use the Looker Console to create a new project and test SSH connectivity to GitHub.com using the procedure Connecting to Git using SSH

3. Network requirements

Below is the breakdown of network requirements for the Producer network. The consumer in this codelab is the Looker PSC instance.

Producer Network (components and their descriptions)

VPC (looker-psc-demo): Custom mode VPC.

PSC NAT Subnet: Packets from the consumer VPC network are translated using source NAT (SNAT) so that their original source IP addresses are converted to source IP addresses from the NAT subnet in the producer's VPC network.

PSC forwarding rule subnet: Used to allocate an IP address for the Regional Internal TCP Proxy Load Balancer.

PSC NEG Subnet: Used to allocate an IP address for the Network Endpoint Group.

Proxy Only Subnet: Each of the load balancer's proxies is assigned an internal IP address. Packets sent from a proxy to a backend VM or endpoint have a source IP address from the proxy-only subnet.

Internet NEG: A resource used to define an external backend for the load balancer. The endpoint must be reachable over the internet; it cannot be reachable only over Cloud VPN or Cloud Interconnect.

Backend Service: A backend service acts as a bridge between your load balancer and your backend resources. In this tutorial, the backend service is associated with the Internet NEG.

Cloud Router: Cloud NAT relies on Cloud Routers for control plane capabilities, but not for BGP session management.

Cloud NAT: The regional internet NEG leverages Cloud NAT for internet egress.

4. Codelab topology


5. Setup and Requirements

Self-paced environment setup

  1. Sign in to the Google Cloud Console and create a new project or reuse an existing one. If you don't already have a Gmail or Google Workspace account, you must create one.


  • The Project name is the display name for this project's participants. It is a character string not used by Google APIs. You can always update it.
  • The Project ID is unique across all Google Cloud projects and is immutable (cannot be changed after it has been set). The Cloud Console auto-generates a unique string; usually you don't care what it is. In most codelabs, you'll need to reference your Project ID (typically identified as PROJECT_ID). If you don't like the generated ID, you might generate another random one. Alternatively, you can try your own, and see if it's available. It can't be changed after this step and remains for the duration of the project.
  • For your information, there is a third value, a Project Number, which some APIs use. Learn more about all three of these values in the documentation.
  2. Next, you'll need to enable billing in the Cloud Console to use Cloud resources/APIs. Running through this codelab won't cost much, if anything at all. To shut down resources to avoid incurring billing beyond this tutorial, you can delete the resources you created or delete the project. New Google Cloud users are eligible for the $300 USD Free Trial program.

Start Cloud Shell

While Google Cloud can be operated remotely from your laptop, in this codelab you will be using Google Cloud Shell, a command line environment running in the Cloud.

From the Google Cloud Console, click the Cloud Shell icon on the top right toolbar:


It should only take a few moments to provision and connect to the environment. When it is finished, you should see something like this:


This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5 GB home directory and runs on Google Cloud, greatly enhancing network performance and authentication. All of your work in this codelab can be done within a browser. You do not need to install anything.

6. Before you begin

Enable APIs

Inside Cloud Shell, make sure that your project ID is set up:

gcloud config list project
gcloud config set project [YOUR-PROJECT-ID]
project=[YOUR-PROJECT-ID]
region=[YOUR-REGION]
echo $project
echo $region

Enable all necessary services:

gcloud services enable compute.googleapis.com

7. Create Producer VPC Network

VPC Network

Inside Cloud Shell, perform the following:

gcloud compute networks create looker-psc-demo --subnet-mode custom

Create Subnets

The PSC subnet will be associated with the PSC Service Attachment for the purpose of Network Address Translation.

Inside Cloud Shell, create the PSC NAT Subnet:

gcloud compute networks subnets create producer-psc-nat-subnet --network looker-psc-demo --range 172.16.10.0/28 --region $region --purpose=PRIVATE_SERVICE_CONNECT

Inside Cloud Shell, create the producer forwarding rule subnet:

gcloud compute networks subnets create producer-psc-fr-subnet --network looker-psc-demo --range 172.16.20.0/28 --region $region --enable-private-ip-google-access

Inside Cloud Shell, create the producer regional proxy only subnet:

gcloud compute networks subnets create $region-proxy-only-subnet \
  --purpose=REGIONAL_MANAGED_PROXY \
  --role=ACTIVE \
  --region=$region \
  --network=looker-psc-demo \
  --range=10.10.10.0/24

Create the Public NAT gateway

The NAT gateway is used by the regional internal TCP proxy load balancer for internet egress and is created with the configuration option --endpoint-types=ENDPOINT_TYPE_MANAGED_PROXY_LB; the same NAT gateway therefore will not support GCE/GKE internet egress. Deploy an additional NAT gateway with --endpoint-types=ENDPOINT_TYPE_VM for GCE/GKE internet egress.

Inside Cloud Shell, create the Cloud Router:

gcloud compute routers create looker-psc-demo-cloud-router --network looker-psc-demo --region $region

Inside Cloud Shell, create the Cloud NAT gateway enabling internet egress for the tcp proxy load balancer:

gcloud compute routers nats create looker-psc-demo-natgw \
  --router=looker-psc-demo-cloud-router \
  --endpoint-types=ENDPOINT_TYPE_MANAGED_PROXY_LB \
  --nat-custom-subnet-ip-ranges=$region-proxy-only-subnet \
  --auto-allocate-nat-external-ips \
  --region=$region

Reserve the load balancer's IP address

Inside Cloud Shell, reserve an internal IP address for the load balancer:

gcloud compute addresses create internet-neg-lb-ip \
  --region=$region \
  --subnet=producer-psc-fr-subnet

Inside Cloud Shell, view the reserved IP address:

gcloud compute addresses describe internet-neg-lb-ip \
  --region=$region | grep -i address:

Example:

user@cloudshell$ gcloud compute addresses describe internet-neg-lb-ip   --region=$region | grep -i address:
address: 172.16.20.2

Set up the Internet NEG

Create an Internet NEG and set --network-endpoint-type to internet-fqdn-port (the hostname and port where your external backend can be reached).

Inside Cloud Shell, create an Internet NEG for github.com:

gcloud compute network-endpoint-groups create github-internet-neg-ssh \
    --network-endpoint-type=INTERNET_FQDN_PORT \
    --network=looker-psc-demo \
    --region=$region

Inside Cloud Shell, update the Internet NEG github-internet-neg-ssh with the FQDN github.com and port 22:

gcloud compute network-endpoint-groups update github-internet-neg-ssh \
    --add-endpoint="fqdn=github.com,port=22" \
    --region=$region

Create Network Firewall Policy and Firewall Rules

Inside Cloud Shell, perform the following:

gcloud compute network-firewall-policies create looker-psc-demo-policy --global

gcloud compute network-firewall-policies associations create --firewall-policy looker-psc-demo-policy --network looker-psc-demo --name looker-psc-demo --global-firewall-policy

The following firewall rule allows traffic from the PSC NAT Subnet range to all instances in the network.

Inside Cloud Shell, perform the following:

gcloud compute network-firewall-policies rules create 2001 --action ALLOW --firewall-policy looker-psc-demo-policy --description "allow traffic from PSC NAT subnet" --direction INGRESS --src-ip-ranges 172.16.10.0/28 --global-firewall-policy --layer4-configs=tcp

8. Create Producer Service

Create Load Balancer Components

Inside Cloud Shell, perform the following:

gcloud compute backend-services create producer-backend-svc  --protocol=tcp --region=$region --load-balancing-scheme=INTERNAL_MANAGED

gcloud compute backend-services add-backend producer-backend-svc --network-endpoint-group=github-internet-neg-ssh --network-endpoint-group-region=$region --region=$region

In Cloud Shell, create a target TCP proxy to route requests to your backend service:

gcloud compute target-tcp-proxies create producer-lb-tcp-proxy \
      --backend-service=producer-backend-svc  \
      --region=$region

Create the forwarding rule (the internal TCP proxy load balancer) with the following syntax.

In Cloud Shell, perform the following:

gcloud compute forwarding-rules create producer-github-fr \
     --load-balancing-scheme=INTERNAL_MANAGED \
     --network-tier=PREMIUM \
     --network=looker-psc-demo \
     --subnet=producer-psc-fr-subnet \
     --address=internet-neg-lb-ip \
     --target-tcp-proxy=producer-lb-tcp-proxy \
     --target-tcp-proxy-region=$region \
     --region=$region \
     --ports=22

Create Service Attachment

Inside Cloud Shell, create the Service Attachment, github-svc-attachment-ssh:

gcloud compute service-attachments create github-svc-attachment-ssh --region=$region --producer-forwarding-rule=producer-github-fr --connection-preference=ACCEPT_AUTOMATIC --nat-subnets=producer-psc-nat-subnet

Next, obtain and note the Service Attachment URI, which is the portion of the selfLink value starting with projects/; you will need it to configure the PSC endpoint in Looker.

selfLink: projects/<your-project-id>/regions/<your-region>/serviceAttachments/github-svc-attachment-ssh

Inside Cloud Shell, perform the following:

gcloud compute service-attachments describe github-svc-attachment-ssh --region=$region

Example Expected Output

connectionPreference: ACCEPT_AUTOMATIC
creationTimestamp: '2024-08-31T13:43:07.078-07:00'
description: ''
enableProxyProtocol: false
fingerprint: O5OtqHR33v4=
id: '7557641709467614900'
kind: compute#serviceAttachment
name: github-svc-attachment-ssh
natSubnets:
- https://www.googleapis.com/compute/v1/projects/$project/regions/$region/subnetworks/producer-psc-nat-subnet
pscServiceAttachmentId:
  high: '19348441121424360'
  low: '7557641709467614900'
reconcileConnections: false
region: https://www.googleapis.com/compute/v1/projects/$project/regions/$region
selfLink: https://www.googleapis.com/compute/v1/projects/$project/regions/$region/serviceAttachments/github-svc-attachment-ssh
targetService: https://www.googleapis.com/compute/v1/projects/$project/regions/$region/forwardingRules/producer-github-fr

In Cloud Console, navigate to:

Network Services → Private Service Connect → Published Services


9. Establish a PSC Endpoint Connection in Looker

In the following section, you will associate the Producer's Service Attachment with Looker Core PSC using the --psc-service-attachment flag in Cloud Shell for a single domain.

Inside Cloud Shell, create the PSC association by updating the following parameters to match your environment:

  • INSTANCE_NAME: The name of your Looker (Google Cloud core) instance.
  • DOMAIN_1: githubssh.com
  • SERVICE_ATTACHMENT_URI_1: URI captured when describing the Service Attachment, github-svc-attachment-ssh.
  • REGION: The region in which your Looker (Google Cloud core) instance is hosted.

Inside Cloud Shell, perform the following:

gcloud looker instances update INSTANCE_NAME \
--psc-service-attachment  domain=DOMAIN_1,attachment=SERVICE_ATTACHMENT_URI_1 \
--region=REGION

Example:

gcloud looker instances update looker-psc-instance \
--psc-service-attachment  domain=githubssh.com,attachment=projects/$project/regions/$region/serviceAttachments/github-svc-attachment-ssh \
--region=$region

Inside Cloud Shell, validate that the serviceAttachments entry reports connectionStatus "ACCEPTED". Replace INSTANCE_NAME with your Looker PSC instance name.

gcloud looker instances describe [INSTANCE_NAME] --region=$region --format=json

Example:

gcloud looker instances describe looker-psc-instance --region=$region --format=json

Example expected output:

{
  "adminSettings": {},
  "createTime": "2024-08-23T00:00:45.339063195Z",
  "customDomain": {
    "domain": "cosmopup.com",
    "state": "AVAILABLE"
  },
  "encryptionConfig": {},
  "lookerVersion": "24.14.18",
  "name": "projects/$project/locations/$region/instances/looker-psc-instance",
  "platformEdition": "LOOKER_CORE_ENTERPRISE_ANNUAL",
  "pscConfig": {
    "allowedVpcs": [
      "projects/$project/global/networks/looker-psc-demo",
      "projects/$project/global/networks/looker-shared-vpc"
    ],
    "lookerServiceAttachmentUri": "projects/t7ec792caf2a609d1-tp/regions/$region/serviceAttachments/looker-psc-f51982e2-ac0d-48b1-91bb-88656971c183",
    "serviceAttachments": [
      {
        "connectionStatus": "ACCEPTED",
        "localFqdn": "githubssh.com",
        "targetServiceAttachmentUri": "projects/$project/regions/$region/serviceAttachments/github-svc-attachment-ssh"
      }
    ]
  },
  "pscEnabled": true,
  "state": "ACTIVE",
  "updateTime": "2024-08-31T20:53:04.824018122Z"
}
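As an added check that is not part of the original codelab: a small Python function that parses the output of the `gcloud looker instances describe ... --format=json` command shown above and confirms the southbound attachment for the Looker-side domain is ACCEPTED and points at the intended producer Service Attachment. The project, region and instance values in the embedded sample are constructed placeholders.

```python
import json

# Constructed sample of `gcloud looker instances describe ... --format=json`
# output, trimmed to the fields the check needs (placeholder project/region).
SAMPLE_DESCRIBE_OUTPUT = """
{
  "name": "projects/my-project/locations/us-central1/instances/looker-psc-instance",
  "pscConfig": {
    "allowedVpcs": ["projects/my-project/global/networks/looker-psc-demo"],
    "serviceAttachments": [
      {
        "connectionStatus": "ACCEPTED",
        "localFqdn": "githubssh.com",
        "targetServiceAttachmentUri": "projects/my-project/regions/us-central1/serviceAttachments/github-svc-attachment-ssh"
      },
      {
        "connectionStatus": "PENDING",
        "localFqdn": "other.example",
        "targetServiceAttachmentUri": "projects/my-project/regions/us-central1/serviceAttachments/other-attachment"
      }
    ]
  },
  "pscEnabled": true,
  "state": "ACTIVE"
}
"""


def check_psc_endpoint(describe_json, local_fqdn, expected_attachment_uri):
    """Return a list of problems found for the given southbound domain.

    An empty list means: the instance is ACTIVE, PSC is enabled, exactly one
    serviceAttachment is registered for local_fqdn, it targets the expected
    producer Service Attachment, and its connectionStatus is ACCEPTED.
    """
    inst = json.loads(describe_json)
    problems = []
    if inst.get("state") != "ACTIVE":
        problems.append(f"instance state is {inst.get('state')!r}, expected ACTIVE")
    if not inst.get("pscEnabled"):
        problems.append("pscEnabled is not true")
    attachments = inst.get("pscConfig", {}).get("serviceAttachments", [])
    matches = [a for a in attachments if a.get("localFqdn") == local_fqdn]
    if len(matches) != 1:
        problems.append(f"expected one serviceAttachment for {local_fqdn}, found {len(matches)}")
        return problems
    att = matches[0]
    if att.get("targetServiceAttachmentUri") != expected_attachment_uri:
        problems.append(f"{local_fqdn} targets {att.get('targetServiceAttachmentUri')!r}, not the expected attachment")
    if att.get("connectionStatus") != "ACCEPTED":
        problems.append(f"{local_fqdn} connectionStatus is {att.get('connectionStatus')!r}, expected ACCEPTED")
    return problems
```

In Cloud Shell, the JSON argument would be the captured output of the describe command rather than the embedded sample.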

Validate the PSC endpoint in Cloud Console

From Cloud Console you can validate the PSC connection.

In Cloud Console, navigate to:

Looker → Looker Instance → Details


10. Test Connectivity to GitHub

In the following steps, you'll use Looker Console to create a project to validate SSH connectivity to GitHub.com by updating the domain github.com to githubssh.com in the Looker UI. This action is only required for SSH connections to GitHub.

11. Create a new project

Enable Development mode

In Looker Console, navigate to:

Enable Development Mode (bottom left of the page). Once selected, the banner 'You are in Development Mode' is displayed.


Create a new project

In Looker Console, navigate to:

Develop → Projects


Select New LookML Project


Provide a project name, select Blank Project then Create Project.


Select Configure Git


Configure Git


Once you select Continue, you will be prompted to validate the Repository URL and Git hosting service.


Add the Deployment Key to your GitHub repository, making sure to allow write access. Once updated, select Test and Finalize Setup.


Select Git Actions


Select Test Git Connection


Validate the Git Connection Test


12. Clean up

From a single Cloud Shell terminal, delete the lab components:

gcloud compute service-attachments delete github-svc-attachment-ssh --region=$region -q

gcloud compute forwarding-rules delete producer-github-fr --region=$region -q

gcloud compute target-tcp-proxies delete producer-lb-tcp-proxy --region=$region -q

gcloud compute backend-services delete producer-backend-svc --region=$region -q

gcloud compute network-firewall-policies rules delete 2001 --firewall-policy looker-psc-demo-policy --global-firewall-policy -q

gcloud compute network-firewall-policies associations delete --firewall-policy=looker-psc-demo-policy  --name=looker-psc-demo --global-firewall-policy -q

gcloud compute network-firewall-policies delete looker-psc-demo-policy --global -q

gcloud compute routers nats delete looker-psc-demo-natgw --router=looker-psc-demo-cloud-router --router-region=$region -q

gcloud compute routers delete looker-psc-demo-cloud-router --region=$region -q

gcloud compute addresses delete internet-neg-lb-ip --region=$region -q

gcloud compute network-endpoint-groups delete github-internet-neg-ssh --region=$region -q

gcloud compute networks subnets delete producer-psc-fr-subnet producer-psc-nat-subnet $region-proxy-only-subnet --region=$region -q

gcloud compute networks delete looker-psc-demo -q

13. Congratulations

Congratulations, you've successfully configured and validated connectivity to GitHub using Looker Console powered by Private Service Connect.

You created the producer infrastructure, learned how to create an Internet NEG, Producer Service and Looker PSC endpoint that allowed connectivity to the Producer service.

Cosmopup thinks codelabs are awesome!!

