Use these instructions if you need to allow external connections to your Google BigQuery from Improvado IP addresses only.
1. Retrieve a list of Improvado IP addresses

If you are loading data via Improvado Destinations & Load Orders:

- Log in to your Improvado user interface
- Go to Destinations > Add a new destination > Google BigQuery
- Copy the IP addresses from the documentation on the right
- Add the "/32" suffix to every IP address: xx.xxx.xx.xxx should become xx.xxx.xx.xxx/32

If you are loading data via Dataprep (transform.improvado.io), then use these IP addresses:

- 3.228.88.242/32
- 52.204.215.218/32
- 54.196.194.110/32

2. Set up Access Context Manager in Google Cloud

- Open Security → Access Context Manager at the organization level (in the top-left menu, choose the organization instead of the project)
- Click CREATE ACCESS LEVEL
- Use the IP Subnetworks filter. Enter the IP addresses that you copied in the previous step. Each added IP address should have /32 at the end.
- Click Save.

3. Set up VPC Service Controls in Google Cloud

- Open Security → VPC Service Controls at the organization level (in the top-left menu, choose the organization instead of the project)
- Click the "New Perimeter" button
- Fill in the name
- In "Resources to protect", choose the Google project where you host BigQuery and Google Cloud Storage
- In the "Restricted Services" step, choose: BigQuery API, and Google Cloud Storage API if you use your own customer-owned transitional GCS bucket.
- VPC accessible services: All services
- Access Levels: choose the access level created in step 2
- Do not configure Ingress and Egress policies.
- Save the perimeter

4. Test the configuration

Go to the BigQuery UI (or use your preferred BigQuery client) and try to run a query from an IP address outside the whitelisted IPs.
You should see a similar error:
5. Create a destination connection

- Log in to your Improvado user interface
- Go to Destinations > Add a new destination > Google BigQuery
- Enter your BigQuery connection details, and set Use static IP to Yes.

Additional instructions: https://improvado.io/docs/google-big-query
Troubleshooting

See https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors for Google's general troubleshooting instructions.

Steps to troubleshoot the following error:

Checking connection failed: VPC Service Controls: Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier:

- Log in to your Improvado user interface and go to Destinations
- Reproduce the same error (use the "Re-authorize" button or create a new connection).
- Copy the vpcServiceControlsUniqueIdentifier value
- Go to the "Logging" service in Google Cloud Console (https://console.cloud.google.com/logs/query) and choose the project.
- Search for the value of the vpcServiceControlsUniqueIdentifier using the Query field. Adjust the date range if required.
- Here is our example of the error event:
- Check the violationReason field and the error details, and consult the https://cloud.google.com/vpc-service-controls/docs/troubleshooting#debugging page.
- If you need our assistance, you can download this error in JSON format and send it to us.
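Added example (not part of Improvado's or Google's documentation): a small Python helper that reads the error event downloaded in JSON format, pulls out the violationReason, and checks whether the caller IP is covered by the /32 entries of the access level. The field layout (protoPayload.metadata, requestMetadata.callerIp), the sample entry and the function names are assumptions made for this illustration; the allowlist uses the Dataprep addresses from step 1.

```python
import ipaddress
import json

# Access-level subnets: the Dataprep addresses listed in step 1 of this page.
ALLOWED_SUBNETS = ["3.228.88.242/32", "52.204.215.218/32", "54.196.194.110/32"]

# Constructed sample entry; the field layout is assumed, all values are placeholders.
SAMPLE_ENTRY = json.dumps({"protoPayload": {
    "serviceName": "bigquery.googleapis.com",
    "requestMetadata": {"callerIp": "203.0.113.7"},
    "metadata": {"violationReason": "NO_MATCHING_ACCESS_LEVEL",
                 "vpcServiceControlsUniqueId": "EXAMPLE-UNIQUE-ID"},
}})


def to_cidr(ip):
    """Append /32 to a bare IPv4 address and validate the resulting subnet."""
    return str(ipaddress.ip_network(ip if "/" in ip else ip + "/32", strict=True))


def triage(entry_json, allowed=ALLOWED_SUBNETS):
    """Summarise one denial and say whether the caller IP is in the access level."""
    payload = json.loads(entry_json).get("protoPayload", {})
    meta = payload.get("metadata", {})
    caller = payload.get("requestMetadata", {}).get("callerIp")
    nets = [ipaddress.ip_network(to_cidr(a)) for a in allowed]
    try:
        allowlisted = any(ipaddress.ip_address(caller) in n for n in nets)
    except ValueError:
        allowlisted = None  # callerIp missing or not a literal IP address
    reason = meta.get("violationReason")
    if allowlisted is False:
        hint = "caller IP is not in the access level: add it with /32 or check Use static IP"
    elif allowlisted:
        hint = "caller IP is allowlisted: check the access level is attached to the perimeter"
    else:
        hint = "no usable caller IP: rely on violationReason and Google's debugging page"
    return {"unique_id": meta.get("vpcServiceControlsUniqueId"),
            "service": payload.get("serviceName"), "reason": reason,
            "caller_ip": caller, "caller_allowlisted": allowlisted, "hint": hint}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ENTRY), indent=2))
```

To use it on a real event, pass the contents of the downloaded JSON file to triage() and replace ALLOWED_SUBNETS with the addresses configured in your access level.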