I have spun up a Looker core instance on a GCP project which is on a private IP. My goal is to enable access to organisation personas BI users, Reporting developers access it over organisation intranet / SSO / AD group auths. The adgroups/auth to Looker is already setup.

However, I am seeking guidance on how to connect private IP enabled looker instance from onprem via interconnect.  Shared VPC is of hub and spoke model with a centralised VPC network and subnet associated with looker project. Cloud routes and DNS records are in place in the shared VPC project. Also VPC SC perimeter is enforced

I have considered below three possible options.

I am seeking some guidance from experts on choosing any one particular. If any reference architectures for my use case, or any google cloud provided solution blue-prints for this scenario would be really helpful.

• Using a proxy VM  with private IP enabled  - least preferable as spinning up VM within our enterprise is not approved so far.
• Hosting looker behind an external load balancer. - complicated for a simple routing mechanism but okay to take this route if this is the only option.
• Private service connect endpoints / Private Google access  - not sure if this is achievable for looker as this option has been factored in based on Cloud SQL being accessed from on-prem

cc: FYI @marout