How to set up static IPs for Google BigQuery via VPC

Updated on Oct 19, 2023

Use these instructions if you need to allow external connections to your Google BigQuery from Improvado IP addresses only.

1. Retrieve a list of Improvado IP addresses

If you are loading data via Improvado Destinations & Load Orders:

  1. Log in to your Improvado user interface
  2. Go to Destinations > Add a new destination > Google BigQuery
  3. Copy IP addresses from the documentation on the right
  4. Add “/32” suffix to every IP address: xx.xxx.xx.xxx should become xx.xxx.xx.xxx/32

If you are loading data via Dataprep (transform.improvado.io), then use these IP addresses:

  • 3.228.88.242/32
  • 52.204.215.218/32
  • 54.196.194.110/32

2. Set up Access Context Manager in Google Cloud

  1. Open Security > Access Context Manager on the organization level (in the top-left menu, choose the organization instead of the project)
  2. Click CREATE ACCESS LEVEL
  3. Use the IP Subnetworks filter. Use the IP addresses that you copied in the previous step.
    Each added IP address should have /32 at the end.
  4. Click Save.

3. Set up VPC Service Controls in Google Cloud

  1. Open Security > VPC Service Controls on the organization level (in the top-left menu, choose the organization instead of the project)
  2. Click on the “New Perimeter” button
  3. Fill in the name
  4. In “Resources to protect”, choose the Google project where you host BigQuery and Google Cloud Storage
  5. In the “Restricted Services” step choose:
    • BigQuery API
    • Google Cloud Storage API, if you use your own customer-owned transitional GCS bucket
  6. In “VPC accessible services”, choose All services
  7. In “Access Levels”, choose the access level created in step 2
  8. Do not configure Ingress and Egress policies.
  9. Save the perimeter

4. Test the configuration

Go to the BigQuery UI (or use your preferred BigQuery client) and try to run a query from an IP address outside of the whitelisted IPs.

You should see a similar error:

5. Create a destination connection

  1. Log in to your Improvado user interface
  2. Go to Destinations > Add a new destination > Google BigQuery
  3. Enter your BigQuery connection details, and set Use static IP to Yes.

Additional instructions: https://improvado.io/docs/google-big-query.

Troubleshooting

In general, use this guide from Google: https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors.

Steps to troubleshoot the following error: Checking connection failed: VPC Service Controls: Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier:

  1. Log in to your Improvado user interface and go to Destinations
  2. Reproduce the error (use the “Re-authorize” button or create a new connection).
  3. Copy the vpcServiceControlsUniqueIdentifier value:
  4. Go to the “Logging” service in Google Cloud Console (https://console.cloud.google.com/logs/query) and choose the project.
  5. Search for the value of the vpcServiceControlsUniqueIdentifier using the Query field. Adjust the date range if required.
  6. Here is our example of the error event:
  7. Check the violationReason field and the error details, and consult the https://cloud.google.com/vpc-service-controls/docs/troubleshooting#debugging page.
    If you need our assistance, you can download this error in JSON format and send it to us.
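
To triage a downloaded error event before sending it on, the following added example (not Improvado or Google code) normalizes the IP list to /32 entries as in step 1 and checks whether the caller IP recorded in the event is covered by them. It assumes the usual Cloud Audit Logs layout for VPC Service Controls denials (`protoPayload.metadata.violationReason`, `protoPayload.metadata.vpcServiceControlsUniqueId`, `protoPayload.requestMetadata.callerIp`); the function names and the sample entry are constructed for illustration.

```python
import ipaddress
import json

# Dataprep addresses listed on this page; Destinations users substitute the
# addresses copied from the Improvado UI (with or without the /32 suffix).
DATAPREP_IPS = ["3.228.88.242", "52.204.215.218", "54.196.194.110/32"]

# Constructed sample of an exported log entry (field layout is an assumption).
SAMPLE_ENTRY = json.loads("""{
  "protoPayload": {
    "requestMetadata": {"callerIp": "203.0.113.7"},
    "metadata": {
      "violationReason": "NO_MATCHING_ACCESS_LEVEL",
      "vpcServiceControlsUniqueId": "CONSTRUCTED-ID-0001"
    }
  }
}""")


def to_host_cidrs(addresses):
    """Return each address as a /32 network, rejecting anything wider."""
    cidrs = []
    for raw in addresses:
        net = ipaddress.ip_network(raw.strip(), strict=True)
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"{raw!r} is not a single IPv4 host (/32)")
        cidrs.append(net)
    return cidrs


def diagnose(entry, allowed):
    """Summarise a VPC Service Controls denial from an exported log entry."""
    payload = entry.get("protoPayload", {})
    meta = payload.get("metadata", {})
    caller = payload.get("requestMetadata", {}).get("callerIp")
    try:
        listed = any(ipaddress.ip_address(caller) in net for net in allowed)
    except ValueError:  # callerIp missing or not a literal IP address
        listed = False
    return {
        "unique_id": meta.get("vpcServiceControlsUniqueId"),
        "violation_reason": meta.get("violationReason"),
        "caller_ip": caller,
        "caller_in_access_level": listed,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ENTRY, to_host_cidrs(DATAPREP_IPS)), indent=2))
```

If `caller_in_access_level` is false, the request came from an address that the access level does not list; if it is true, look at the perimeter's restricted services and resources instead.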

Questions?

The Improvado team is always happy to help with any other questions you might have! Send us an email.

Contact your Customer Success Manager or raise a request in Improvado Service Desk.