Example Compute Engine setup

This page shows you how to configure a sample Cloud NAT setup with Compute Engine. Before setting up Cloud NAT, read the Cloud NAT overview.

Prerequisites

You need to do the following before setting up Cloud NAT.

Get IAM permissions

The roles/compute.networkAdmin role gives you permissions to create a NAT gateway on Cloud Router, reserve and assign NAT IP addresses, and specify subnetworks (subnets) whose traffic should use network address translation by the NAT gateway.

Set up Google Cloud

Before you get started, set up the following items in Google Cloud.

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Install and initialize the Cloud SDK.

Setting up the Compute Engine example

Use this example if you want to see a simple Cloud NAT configuration working with Compute Engine.

Step 1: Create a VPC network and subnet

If you already have a network and subnet, you can skip this step.

Console

  1. In the Google Cloud Console, go to the VPC networks page.

  2. Click Create VPC network.

  3. Enter a Name of custom-network1.

  4. Under Subnets, set Subnet creation mode to Custom.

  5. Under New subnet, enter a Name of subnet-us-east-192.

  6. In Region, select us-east4.

  7. Enter an IP address range of 192.168.1.0/24.

  8. Click Done, and then click Create.

gcloud

  1. Create a new custom mode VPC network in your project:

    gcloud compute networks create custom-network1 \
        --subnet-mode custom

  2. Specify the subnet prefix for your first region. In this example, we assign 192.168.1.0/24 to region us-east4.

    gcloud compute networks subnets create subnet-us-east-192 \
        --network custom-network1 \
        --region us-east4 \
        --range 192.168.1.0/24

Step 2: Create a VM instance with no external IP address

Console

  1. In the Cloud Console, go to the VM instances page.

  2. Click Create instance.

  3. Specify a Name of nat-test-1 for your instance.

  4. Set the Region to us-east4.

  5. Set the Zone to us-east4-c.

  6. Click the Management, security, disks, networking, sole tenancy link.

  7. Click the Networking tab.

  8. Under Network interfaces, click Edit for the VM's default interface.

    1. Set the Network to custom-network1.
    2. Set the Subnetwork to subnet-us-east-192.
    3. Set External IP to None.
    4. Click Done.
  9. To create and start the instance, click Create.

gcloud

gcloud compute instances create nat-test-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --network custom-network1 \
    --subnet subnet-us-east-192 \
    --zone us-east4-c \
    --no-address

Step 3: Create a firewall rule that allows SSH connections

Console

  1. In the Cloud Console, go to the Firewall page.

  2. Click Create firewall rule.

  3. Enter a Name of allow-ssh.

  4. Specify a Network of custom-network1.

  5. Set Direction of traffic to Ingress.

  6. Set Action on match to Allow.

  7. Set Targets to All instances in the network.

  8. Set Source filter to IP ranges.

  9. Set Source IP ranges to 35.235.240.0/20.

  10. Set Protocols and ports to Specified protocols and ports.

  11. Select the tcp checkbox and enter port 22.

  12. Click Create.

gcloud

gcloud compute firewall-rules create allow-ssh \
    --network custom-network1 \
    --source-ranges 35.235.240.0/20 \
    --allow tcp:22

Step 4: Create IAP SSH permissions for your test instance

In a later step, use IAP to connect to your test instance.

Console

  1. In the Cloud Console, go to the Identity-Aware Proxy page.

  2. Select the SSH and TCP resources tab.

  3. To update member permissions on resources, select the checkbox next to All Tunnel Resources > us-east4-c > nat-test-1.

  4. In the right pane, click Add member.

  5. To grant users, groups, or service accounts access to the resources, in the New members field, specify their email addresses.

    If you are just testing this feature, you can enter your own email address.

  6. To grant the members access to the resources through Cloud IAP's TCP forwarding feature, in the Role drop-down list, select Cloud IAP > IAP-secured Tunnel User.

  7. Click Save.

gcloud

For this step, use the Console instructions.

Step 5: Log in to nat-test-1 and confirm that it cannot reach the internet

Console

  1. In the Cloud Console, go to the VM instances page.

  2. For nat-test-1, in the Connect column, click the SSH drop-down arrow, and then select Open in browser window.

  3. At the command prompt of the VM, enter curl example.com and then press Enter.

    You should get no result. If you do, you might have created nat-test-1 with an external IP address, or there might be some other problem. To troubleshoot, see VMs can reach the internet unexpectedly without Cloud NAT.

    To end the command, you might have to enter Ctrl+C.

gcloud

  1. Add a Compute Engine SSH key to your local host:

    ssh-add ~/.ssh/google_compute_engine

  2. Connect to nat-test-1 and run a command:

    gcloud compute ssh nat-test-1 \
        --zone us-east4-c \
        --command "curl example.com" \
        --tunnel-through-iap

    You should get no result. If you do, you might have created nat-test-1 with an external IP address, or there might be some other problem. To troubleshoot, see VMs can reach the internet unexpectedly without Cloud NAT.

    To end the command, you might have to enter Ctrl+C.

Step 6: Create a NAT configuration using Cloud Router

You must create the Cloud Router in the same region as the instances that use Cloud NAT. Cloud Router is only used to place NAT information onto the VMs. It is not used as part of the actual NAT gateway.

This configuration allows all instances in the region to use Cloud NAT for all primary and alias IP ranges. It also automatically allocates the external IP addresses for the NAT gateway. For more options, see the gcloud command-line interface documentation.

Console

  1. In the Cloud Console, go to the Cloud NAT page.

  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name of nat-config.

  4. Set the VPC network to custom-network1.

  5. Set the Region to us-east4.

  6. Under Cloud Router, select Create new router.

    1. Enter a Name of nat-router.
    2. Click Create.
  7. Click Create.

gcloud

  1. Create a Cloud Router:

    gcloud compute routers create nat-router \
        --network custom-network1 \
        --region us-east4

  2. Add a configuration to the router:

    gcloud compute routers nats create nat-config \
        --router-region us-east4 \
        --router nat-router \
        --nat-all-subnet-ip-ranges \
        --auto-allocate-nat-external-ips

Step 7: Attempt to connect to the internet again

It might take up to three minutes for the NAT configuration to propagate to the VM, so wait at least a minute before trying to access the internet again.

Console

  1. In the Cloud Console, go to the VM instances page.

  2. For nat-test-1, in the Connect column, click the SSH drop-down arrow, and then select Open in browser window.

  3. At the command prompt of the VM, enter curl example.com and then press Enter.

gcloud

Connect to nat-test-1 and run a command:

gcloud compute ssh nat-test-1 \
    --zone us-east4-c \
    --command "curl example.com" \
    --tunnel-through-iap

You should see output that contains the following content:

<html>
<head>
<title>Example Domain</title>
...
...
...
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is established to be used for illustrative examples in documents. You can use this
    domain in examples without prior coordination or asking for permission.</p>
    <p><a href="http://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
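The checks below verify, offline, that resources created in Steps 2, 3 and 6 match what this page specifies: the VM has no external IP (the condition the Step 5 troubleshooting note points at), allow-ssh admits only tcp:22 from the IAP TCP forwarding range 35.235.240.0/20, and nat-config uses all subnet ranges with auto-allocated NAT IPs. This is an added example, not code from the page or from Google Cloud; it assumes the field names that `gcloud compute ... describe --format=json` prints for these resources (networkInterfaces, accessConfigs, natIP, sourceRanges, allowed, natIpAllocateOption, sourceSubnetworkIpRangesToNat), and the sample resources, including the 203.0.113.10 address, are constructed inline.

```python
# Constructed sample resources in the shape `gcloud compute ... describe
# --format=json` prints (field names assumed; trimmed to what the checks need).
INSTANCE_OK = {"name": "nat-test-1", "networkInterfaces": [
    {"subnetwork": ".../subnetworks/subnet-us-east-192",
     "networkIP": "192.168.1.2"}]}
INSTANCE_BAD = {"name": "nat-test-1", "networkInterfaces": [
    {"subnetwork": ".../subnetworks/subnet-us-east-192",
     "networkIP": "192.168.1.2",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]}
FIREWALL_OK = {"name": "allow-ssh", "direction": "INGRESS",
               "sourceRanges": ["35.235.240.0/20"],
               "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
NAT_OK = {"name": "nat-config", "natIpAllocateOption": "AUTO_ONLY",
          "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES"}

IAP_RANGE = "35.235.240.0/20"   # IAP TCP forwarding source range from Step 3

def external_ips(instance):
    """External IPs on any interface; Step 5 expects this list to be empty."""
    return [cfg["natIP"]
            for nic in instance.get("networkInterfaces", [])
            for cfg in nic.get("accessConfigs", [])
            if cfg.get("natIP")]

def ssh_rule_findings(rule):
    """Deviations of the allow-ssh rule from Step 3 (IAP range only, tcp:22)."""
    findings = []
    if rule.get("direction", "INGRESS") != "INGRESS":
        findings.append("direction is %s, not INGRESS" % rule["direction"])
    extra = [r for r in rule.get("sourceRanges", []) if r != IAP_RANGE]
    if extra:
        findings.append("source ranges beyond IAP: %s" % ", ".join(extra))
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") != "tcp" or entry.get("ports") != ["22"]:
            findings.append("allows more than tcp:22: %r" % entry)
    return findings

def nat_findings(nat):
    """Deviations of nat-config from Step 6 (all ranges, auto-allocated IPs)."""
    expected = {"natIpAllocateOption": "AUTO_ONLY",
                "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES"}
    return ["%s is %r, expected %r" % (k, nat.get(k), v)
            for k, v in expected.items() if nat.get(k) != v]

def check_setup(instance, rule, nat):
    """Combined report; an empty list means the setup matches this page."""
    report = ["external IP present: %s" % ip for ip in external_ips(instance)]
    return report + ssh_rule_findings(rule) + nat_findings(nat)
```

To run it against a real project, load the three JSON documents from `gcloud compute instances describe nat-test-1 --zone us-east4-c --format=json`, `gcloud compute firewall-rules describe allow-ssh --format=json` and `gcloud compute routers nats describe nat-config --router nat-router --region us-east4 --format=json` and pass them to check_setup.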