For the strongest encryption between Looker and your database, you can create a SSH tunnel to either a tunnel server, or the database server itself.
SSH Tunnels are unavailable for databases that lack a single host address, such as Google BigQuery and Amazon Athena databases. BigQuery and Athena users should skip directly to database configuration.
Step 1: Choose a host on which to terminate the tunnel
The first step to set up SSH tunnel access for your database is to choose the host that will be used to terminate the tunnel. The tunnel can be terminated on either the database host itself, or on a separate host (the tunnel server).
Using the database server
Terminating on the database has the advantage of simplicity. There is one fewer host involved, so there are no additional machines and their associated costs. The disadvantage is that your database server may be on a protected network that does not have direct access from the Internet.
Using a tunnel server
Terminating the tunnel on a separate server has the advantage of keeping your database server inaccessible from the Internet. If the tunnel server is compromised it is one step removed from the database server. We recommend that you remove all non-essential software and users from the tunnel server and closely monitor it with tools such as an IDS.
The tunnel server can be any Unix/Linux host that:
- Can be accessed from the Internet via SSH
- Can access the database
Step 2: Create IP allowlist
The second step is to allow network traffic to reach the tunnel server or database host via SSH, which is generally on TCP port 22.
Allow network traffic from each of the IP addresses listed here for the region where your Looker instance is hosted. By default, this will be the United States.
Legacy hosting
Use these IP addresses for all instances that are hosted on AWS and that were created before 07/07/2020.
Next-generation hosting
Use these IP addresses for all instances that are hosted on Google Cloud Platform (GCP) and all instances that are hosted on Amazon Elastic Kubernetes Service (Amazon EKS) and that were created on or after 07/07/2020.
Step 3: SSH tunneling
The SSH Server option is available if the instance is deployed on Kubernetes infrastructure, and only if the ability to add SSH server configuration information to your Looker instance has been enabled. If this option is not enabled on your Looker instance and you would like to enable it, contact your Looker account manager or open a support request in Looker’s Help Center.
Configuring the SSH tunnel using the SSH Server tab
If the SSH Servers tab is enabled, follow the instructions on this page to add your SSH server configuration information into Looker.
In the Connections page in the Admin section of Looker, click the SSH Server tab:
Then click Add Server. Looker displays the Add SSH Server page:
- Enter a name for the SSH server configuration.
- Click Download Key to download the public key to a text file. Be sure to save this file, as you will need to add the public key to your SSH server’s authorized key file later.
- Enter the username Looker will use to connect to the SSH server.
- Enter the SSH server IP address or hostname.
- Enter the port number used to connect to the SSH server.
Configuring the SSH tunnel with assistance from a Looker analyst
If you are configuring your SSH tunnel with the assistance of a Looker analyst, contact your Looker analyst and provide the following information, depending on your configuration:
If you’re connecting with a tunnel server, which is the same as your database host, you should provide the following information to your Looker analyst:
- IP address or DNS name of the database server
- SSH port of the database server
- Database port number
- Whether the SSH tunnel will connect to the tunnel server through a load balancer
If you’re connecting with a tunnel server, which is separate from your database host, you should provide the following information to your Looker analyst:
- IP address or DNS name of the database server as seen from the tunnel server
- Database port number as seen from the tunnel server
- IP address or DNS name of the tunnel server as seen from the public internet
- SSH port of the tunnel server as seen from the public internet
- Username on the tunnel server for the SSH connection (the standard is looker)
- Whether the SSH tunnel will connect to the tunnel server through a load balancer
Step 4: Prepare the tunnel host
To authenticate the SSH tunnel session, Looker requires a unique public key (Looker does not support logins via password). If the SSH Servers tab is enabled on your instance, you can download the public key to a text file by clicking the Download Key button when you enter your SSH configuration information. If you are configuring your SSH tunnel with the assistance of a Looker analyst, your Looker analyst will provide you with a unique public key.
You will need to prepare your host (either the database server or the tunnel server) by creating a looker
user and adding the Looker public key to the Looker .ssh/authorized_keys
file. Here’s how:
In your command line, create a group called
looker
:sudo groupadd looker
Create user
looker
and its home directory:sudo useradd -m -g looker looker
Switch to the
looker
user:sudo su - looker
Create the
.ssh
directory:mkdir ~/.ssh
Set permissions:
chmod 700 ~/.ssh
Change to the
.ssh
directory:cd ~/.ssh
Create the
authorized_keys
file:touch authorized_keys
Set permissions:
chmod 600 authorized_keys
Using your favorite text editor, add the SSH key provided by your Looker analyst to the authorized_keys
file. The key must be all on one line. In some cases, when you retrieve the key from your email, line breaks will be inserted by your email client. If you do not remove them it will be impossible to establish the SSH tunnel.
Tunnel security notes
When an SSH tunnel is terminated on the database server, the connection from Looker appears to be a local connection on the database server. Therefore, it defeats the connection-based security mechanisms built into database platforms such as MySQL. For example, it is very common for local access to be granted to the root user with no password!
By default, opening SSH access also allows forwarding of any ports, circumventing any firewalls between Looker and the database host that is terminating the SSH tunnel. This security risk may well be deemed unacceptable. This port forwarding, and the ability to log in to your tunnel server, can be controlled by properly configuring the .ssh/authorized_keys
entry for the Looker public key.
For example, the following text could be prepended to the Looker SSH key in your authorized_keys
file. Note that this text MUST be customized for your environment.
no-pty,no-X11-forwarding,permitopen="localhost:3306",permitopen="localhost:3307",
command="/bin/echo Login Not Permitted"
See the man ssh
and man authorized_keys
Linux documentation for examples and full details.
Next steps
If the SSH Servers tab is enabled on your instance, return to the Add SSH Server page, and click Test & Request Fingerprint to verify your connection to the SSH server. Looker will show a screen with the new SSH configuration and options to download or view the public key, and to view the unique fingerprint of the SSH server configuration.
Then, on your database Connection Settings page:
- Enable the SSH Server toggle and select your SSH server configuration from the drop-down list.
- In the Remote Host:Port field, enter the IP address or hostname and port number of your database.
Database connections using an SSH tunnel cannot apply a user attribute to the Remote Host:Port field.
If you are configuring your SSH tunnel with the assistance of a Looker analyst, notify your Looker analyst that you are ready to test the SSH tunnel. Once they confirm that the tunnel is established, they will provide you with the port number for the Looker side of the SSH tunnel.
Then, on your database Connection Settings page:
- Enter
localhost
in the Remote Host field. - In the Port field, enter the port number for the Looker side of the SSH tunnel that was provided by your Looker analyst.
Toggle off Verify SSL Cert on your database Connections page.
SSL Certificates are not supported when setting up an SSH tunnel to your database from Looker. Instead, the SSH key that you added in step 4 provides the handshake security between Looker and your database.