Inter-VPC NAT
Inter-VPC NAT, a Private NAT offering, lets you create a Private NAT gateway that works in conjunction with Network Connectivity Center Virtual Private Cloud (VPC) spokes to perform network address translation (NAT) between VPC networks.
Specifications
In addition to the generic Private NAT specifications, consider the following specifications for Inter-VPC NAT:
- Inter-VPC NAT uses a NAT configuration of `type=PRIVATE` to let VPC networks with overlapping subnet IP address ranges communicate. However, only the resources in non-overlapping subnets can connect to each other.
- To enable Inter-VPC NAT between two VPC networks, configure each VPC network as a VPC spoke of a Network Connectivity Center hub. When you create the spoke, you must prevent the overlapping IP address ranges from being shared with other VPC spokes. For more information, see Create a VPC spoke.
- Inter-VPC NAT supports network address translation (NAT) between Network Connectivity Center Virtual Private Cloud (VPC) spokes only, and not with VPC networks connected using VPC Network Peering.
- You need to create a custom NAT rule by referencing a Network Connectivity Center hub. The NAT rule specifies a NAT IP address range from a subnet of purpose `PRIVATE_NAT` that the VMs can use to communicate with another VPC network.
- Inter-VPC NAT supports address translation for VPC subnets within a region as well as across regions.
Basic Inter-VPC NAT configuration and workflow
The following diagram shows a basic Inter-VPC NAT configuration:
In this example, Inter-VPC NAT is set up as follows:
- The `pvt-nat-gw` gateway is configured in `vpc-a` to apply to all the IP address ranges of `subnet-a` in the `us-east1` region. Using the NAT IP ranges of `pvt-nat-gw`, a virtual machine (VM) instance in `subnet-a` of `vpc-a` can send traffic to a VM in `subnet-b` of `vpc-b`, even though `subnet-a` of `vpc-a` overlaps with `subnet-c` of `vpc-b`.
- Both `vpc-a` and `vpc-b` are configured as spokes of a Network Connectivity Center hub.
- The `pvt-nat-gw` gateway is configured to provide NAT between VPC networks that are configured as VPC spokes of the same Network Connectivity Center hub.
Example Inter-VPC NAT workflow
In the preceding diagram, `vm-a` with the internal IP address `192.168.1.2` in `subnet-a` of `vpc-a` needs to download an update from `vm-b` with the internal IP address `192.168.2.2` in `subnet-b` of `vpc-b`. Both VPC networks are connected to the same Network Connectivity Center hub as VPC spokes. Assume that `vpc-b` contains another subnet, `192.168.1.0/24`, that overlaps with the subnet in `vpc-a`. For `subnet-a` of `vpc-a` to communicate with `subnet-b` of `vpc-b`, you need to configure a Private NAT gateway, `pvt-nat-gw`, in `vpc-a` as follows:
- Private NAT subnet: Before configuring the Private NAT gateway, create this subnet with the subnet IP address range `10.1.2.0/29` and the purpose `PRIVATE_NAT`. Ensure that this subnet does not overlap with an existing subnet in any of the VPC spokes attached to the same Network Connectivity Center hub.
- A NAT rule whose `nexthop.hub` matches the Network Connectivity Center hub URL.
- NAT for all address ranges of `subnet-a`.
The following table summarizes the network configuration specified in the preceding example:
Network name | Network component | IP address/range | Region |
---|---|---|---|
vpc-a | subnet-a | 192.168.1.0/24 | us-east1 |
vpc-a | vm-a | 192.168.1.2 | us-east1 |
vpc-a | pvt-nat-gw | 10.1.2.0/29 | us-east1 |
vpc-b | subnet-b | 192.168.2.0/24 | us-west1 |
vpc-b | vm-b | 192.168.2.2 | us-west1 |
vpc-b | subnet-c | 192.168.1.0/24 | |
vpc-b | vm-c | 192.168.1.3 | |
Inter-VPC NAT follows the port reservation procedure to reserve NAT source IP address and source port tuples for each of the VMs in the network. For example, the Private NAT gateway reserves 64 source ports for `vm-a`: `10.1.2.2:34000` through `10.1.2.2:34063`.
When the VM uses the TCP protocol to send a packet to the update server `192.168.2.2` on destination port `80`, the following occurs:
1. The VM sends a request packet with these attributes:
   - Source IP address: `192.168.1.2`, the internal IP address of the VM
   - Source port: `24000`, the ephemeral source port chosen by the VM's operating system
   - Destination address: `192.168.2.2`, the update server's IP address
   - Destination port: `80`, the destination port for HTTP traffic to the update server
   - Protocol: TCP
2. The `pvt-nat-gw` gateway performs source network address translation (SNAT or source NAT) on egress, rewriting the request packet's source IP address and source port:
   - NAT source IP address: `10.1.2.2`, from one of the VM's reserved NAT source IP address and source port tuples
   - Source port: `34022`, an unused source port from one of the VM's reserved source port tuples
   - Destination address: `192.168.2.2`, unchanged
   - Destination port: `80`, unchanged
   - Protocol: TCP, unchanged
3. The update server sends a response packet that arrives on the `pvt-nat-gw` gateway with these attributes:
   - Source IP address: `192.168.2.2`, the update server's internal IP address
   - Source port: `80`, the HTTP response from the update server
   - Destination address: `10.1.2.2`, which matches the NAT source IP address of the request packet
   - Destination port: `34022`, which matches the NAT source port of the request packet
   - Protocol: TCP, unchanged
4. The `pvt-nat-gw` gateway performs destination network address translation (DNAT) on the response packet, rewriting the response packet's destination address and destination port so that the packet is delivered to the VM that requested the update, with the following attributes:
   - Source IP address: `192.168.2.2`, unchanged
   - Source port: `80`, unchanged
   - Destination address: `192.168.1.2`, the internal IP address of the VM
   - Destination port: `24000`, matching the original ephemeral source port of the request packet
   - Protocol: TCP, unchanged
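To make the SNAT and DNAT steps above concrete, the following is an added Python model of the gateway (not Google's implementation and not code from this page): it reserves 64 NAT source ports per VM, rewrites `vm-a`'s request on egress, and maps `vm-b`'s reply back to `vm-a`. Picking the lowest free reserved port, and dropping replies for which no mapping exists, are simplifying assumptions of this model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

class PrivateNatGateway:
    """Toy pvt-nat-gw: per-VM reserved NAT ports, SNAT on egress, DNAT on the reply."""
    def __init__(self, nat_ip: str, first_port: int, ports_per_vm: int = 64):
        self.nat_ip, self.first_port, self.ports_per_vm = nat_ip, first_port, ports_per_vm
        self.reserved: dict[str, range] = {}  # VM IP -> reserved NAT source ports
        self.active: dict[tuple, tuple] = {}  # (nat_port, peer_ip, peer_port, proto) -> (vm_ip, vm_port)

    def reserve(self, vm_ip: str) -> range:
        """Reserve the next block of ports_per_vm NAT source ports for a VM."""
        start = self.first_port + self.ports_per_vm * len(self.reserved)
        self.reserved[vm_ip] = range(start, start + self.ports_per_vm)
        return self.reserved[vm_ip]

    def snat(self, pkt: Packet):
        """Egress: rewrite source to (nat_ip, a free reserved port); None means dropped."""
        ports = self.reserved.get(pkt.src_ip)
        if ports is None:
            return None  # VM is not in a subnet this gateway serves
        in_use = {k[0] for k, v in self.active.items() if v[0] == pkt.src_ip}
        nat_port = next((p for p in ports if p not in in_use), None)  # lowest free port (assumption)
        if nat_port is None:
            return None  # all reserved ports busy: port exhaustion, packet dropped
        self.active[(nat_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.nat_ip, src_port=nat_port)

    def dnat(self, pkt: Packet):
        """Reply: map (nat_ip, nat_port) back to the VM; None means no mapping exists."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if pkt.dst_ip != self.nat_ip or key not in self.active:
            return None  # unsolicited inbound traffic: nothing to translate, dropped
        vm_ip, vm_port = self.active[key]
        return replace(pkt, dst_ip=vm_ip, dst_port=vm_port)

def run_example():
    """Walk vm-a's request and vm-b's reply from the page through the gateway."""
    gw = PrivateNatGateway("10.1.2.2", 34000)
    gw.reserve("192.168.1.2")  # vm-a gets 10.1.2.2:34000 through 10.1.2.2:34063
    egress = gw.snat(Packet("192.168.1.2", 24000, "192.168.2.2", 80))
    reply = Packet("192.168.2.2", 80, egress.src_ip, egress.src_port)
    return egress, gw.dnat(reply)
```

The 65th concurrent connection from a VM with all 64 reserved ports in use returns `None`, which is the port-exhaustion case the reservation size determines.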
What's next
- Set up Inter-VPC NAT.
- Learn about Cloud NAT product interactions.
- Learn about Cloud NAT addresses and ports.
- Learn about Cloud NAT rules.
- Troubleshoot common issues.