Example Compute Engine Setup

Introduction

This page shows you how to configure a sample Cloud NAT setup with Compute Engine. Before setting up Cloud NAT, read the Cloud NAT Overview.

Prerequisites

IAM permissions

  • The roles/compute.networkAdmin role can create a NAT gateway on Cloud Router, reserve/assign NAT IPs, and specify subnets whose traffic should use NAT translation by the NAT gateway.

Set up Google Cloud

Before you get started, set up the following items in Google Cloud.

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.

  4. Install and initialize the Cloud SDK, then set the project that gcloud commands operate on:

    gcloud config set project PROJECTID

You can also view a project ID that is already set:

  gcloud config list --format='text(core.project)'

Example Compute Engine setup

Use this example if you want to see a simple Cloud NAT configuration working with Compute Engine.

Step 1: Create a VPC network and subnet

If you already have a network and subnet, you can skip this step.

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Click Create VPC network.
  3. Enter a Name of custom-network1.
  4. Under Subnets, set Subnet creation mode to Custom.
  5. Enter a Name of subnet-us-east-192.
  6. Select a Region of us-east4.
  7. Enter an IP address range of 192.168.1.0/24.
  8. Click Done.
  9. Click Create.

gcloud

  1. Create a new custom mode VPC network in your project.

    gcloud compute networks create custom-network1 \
        --subnet-mode custom
  2. Specify the subnet prefix for your first region. In this example, we're assigning 192.168.1.0/24 to region us-east4.

    gcloud compute networks subnets create subnet-us-east-192 \
       --network custom-network1 \
       --region us-east4 \
       --range 192.168.1.0/24

Step 2: Create a VM instance with no external IP address

Console

  1. Go to the VM instances page.

  2. Click the Create button.
  3. Specify a Name of nat-test-1 for your instance.
  4. Set the Region to us-east4.
  5. Set the Zone to us-east4-c.
  6. Click the Management, security, disks, networking, sole tenancy link.
  7. Click the Networking tab.
  8. Under Network interfaces, click the pencil icon for the VM's default interface.
    1. Set the Network to custom-network1.
    2. Set the Subnetwork to subnet-us-east-192.
    3. Set External IP to None.
    4. Click Done.
  9. Click the Create button to create and start the instance.

gcloud

gcloud compute instances create nat-test-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --network custom-network1 \
    --subnet subnet-us-east-192 \
    --zone us-east4-c \
    --no-address

Step 3: Create a firewall rule that allows SSH connections

Console

  1. Go to the Firewall rules page in the Google Cloud Console.
  2. Click Create firewall rule.
  3. Enter a Name of allow-ssh.
  4. Specify a Network of custom-network1.
  5. Set Direction of traffic to ingress.
  6. Set Action on match to allow.
  7. Set Targets to All instances in the network.
  8. Set Source filter to IP ranges.
  9. Set Source IP ranges to 35.235.240.0/20.
  10. Set Protocols and ports to Specified protocols and ports.
  11. Select tcp and specify port 22.
  12. Click Create.

gcloud

gcloud compute firewall-rules create allow-ssh \
    --network custom-network1 \
    --source-ranges 35.235.240.0/20 \
    --allow tcp:22

Step 4: Create IAP SSH permissions for your test instance

In a later step, you use IAP to connect to your test instance.

Console

  1. Go to the Identity-Aware Proxy page.

  2. Select the SSH and TCP Resources tab.
  3. Update member permissions on resources by selecting the checkbox next to All Tunnel Resources > us-east4-c > nat-test-1.
  4. Click Add member in the right-side pane.
  5. Specify the users, groups, or service accounts to which you want to grant access to the resources by entering their email addresses in the New members field.
    If you are just testing this feature, you can enter your own email address.
  6. Grant the members access to the resources through Cloud IAP's TCP forwarding feature by opening the Select a role drop-down list and selecting Cloud IAP > IAP-secured tunnel user.
  7. Click Save.

gcloud

Use the Console instructions for this step.

Step 5: Log into nat-test-1 and confirm that it cannot reach the internet

Console

  1. Go to the VM instances page.

  2. For nat-test-1, under the Connect column, click the SSH button and select Open in browser window.
  3. At the command prompt of the VM, enter curl example.com and press Enter.

You should get no result. If you do, you may have created nat-test-1 with an external IP address, or there may be some other problem. See Instances can reach the Internet without Cloud NAT for troubleshooting.

You might have to enter Ctrl-C to end the command.

gcloud

  1. Add a Compute Engine SSH key to your local host.

    ssh-add ~/.ssh/google_compute_engine

  2. Connect to nat-test-1 and run a command:

    gcloud compute ssh nat-test-1 \
        --zone us-east4-c \
        --command "curl example.com" \
        --tunnel-through-iap

You should get no result. If you do, you may have created nat-test-1 with an external IP address, or there may be some other problem. See Instances can reach the Internet without Cloud NAT for troubleshooting.

You may have to enter Ctrl-C to end the command.

Step 6: Create a NAT configuration using Cloud Router

You must create the Cloud Router in the same region as the instances that use Cloud NAT. The Cloud Router is only used to place NAT information onto the VMs. It is not used as part of the actual NAT gateway.

This configuration allows all instances in the region to use Cloud NAT for all primary and alias IP ranges. It also automatically allocates the external IP addresses for the NAT gateway. See the gcloud command-line interface documentation for more options.

Console

  1. Go to the Cloud NAT page in the Google Cloud Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name of nat-config.
  4. Set the VPC network to custom-network1.
  5. Set the Region to us-east4.
  6. Under Cloud Router, select Create new router.
    1. Enter a Name of nat-router.
    2. Click Create.
  7. Click Create.

gcloud

Create a Cloud Router

gcloud compute routers create nat-router \
    --network custom-network1 \
    --region us-east4

Add a configuration to the router

gcloud compute routers nats create nat-config \
    --router-region us-east4 \
    --router nat-router \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips

Step 7: Attempt to connect to the Internet again

It may take up to 3 minutes for the NAT configuration to propagate to the VM, so wait at least a minute before trying to access the Internet again.

Console

  1. Go to the VM instances page.

  2. For nat-test-1, under the Connect column, click the SSH button and select Open in browser window.
  3. At the command prompt of the VM, enter curl example.com and press Enter.

gcloud

Connect to nat-test-1 and run a command:

gcloud compute ssh nat-test-1 \
    --zone us-east4-c \
    --command "curl example.com" \
    --tunnel-through-iap

You should see output that contains the following content:

<html>
<head>
<title>Example Domain</title>
...
...
...
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is established to be used for illustrative examples in documents. You may use this
    domain in examples without prior coordination or asking for permission.</p>
    <p><a href="http://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
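The checks below cover the three settings this walkthrough depends on: the Step 2 VM has no external IP, the Step 3 rule only admits SSH from the IAP range, and the Step 6 router sits in the same region as the VM's zone. This is an added example and not part of the Cloud NAT documentation; the gcloud --format strings in the comments are assumptions, and the SAMPLE_* data is constructed so the script runs offline.

```shell
#!/bin/sh
# Added post-setup checks; not from the Cloud NAT documentation. Each check
# reads plain text in the shape of the (assumed) gcloud --format strings
# shown in the comments. The SAMPLE_* values are constructed for offline use.

IAP_RANGE="35.235.240.0/20"   # IAP TCP-forwarding source range used in Step 3

# Constructed stand-in for:
#   gcloud compute instances list --format='csv[no-heading](name,zone.basename(),networkInterfaces[0].accessConfigs[0].natIP)'
SAMPLE_INSTANCES='nat-test-1,us-east4-c,
leaky-vm,us-east4-c,203.0.113.10'

# Constructed stand-in for:
#   gcloud compute firewall-rules list --format='csv[no-heading](name,sourceRanges.list(separator=";"),allowed[].map().firewall_rule().list(separator=";"))'
SAMPLE_FIREWALL='allow-ssh,35.235.240.0/20,tcp:22
allow-ssh-anywhere,0.0.0.0/0,tcp:22
allow-https,0.0.0.0/0,tcp:443'

# Exit 0 only if the named instance exists and its first interface has no
# external (NAT) IP, i.e. it was created with --no-address.
vm_has_no_external_ip() {  # $1 = instance list, $2 = instance name
  awk -F, -v n="$2" '$1 == n { found = 1; if ($3 != "") bad = 1 }
    END { if (found && !bad) exit 0; exit 1 }' <<EOF
$1
EOF
}

# Print every rule that admits tcp:22 (or all tcp / all protocols) from a
# source other than the IAP range; exit 0 when there is none.
ssh_rules_are_iap_only() {  # $1 = firewall rule list
  awk -F, -v ok="$IAP_RANGE" '
    (";" $3 ";") ~ /;(tcp:22|tcp|all);/ {
      n = split($2, src, ";")
      for (i = 1; i <= n; i++) if (src[i] != ok) { print $1; bad = 1; break }
    }
    END { if (bad) exit 1 }' <<EOF
$1
EOF
}

# Exit 0 if the zone belongs to the router's region (Cloud Router and the
# VMs that use the NAT gateway must share a region).
router_covers_zone() {  # $1 = router region, $2 = VM zone
  case "$2" in "$1"-*) return 0 ;; *) return 1 ;; esac
}

vm_has_no_external_ip "$SAMPLE_INSTANCES" nat-test-1 && echo "nat-test-1: no external IP"
ssh_rules_are_iap_only "$SAMPLE_FIREWALL" || echo "^ SSH reachable from outside the IAP range"
router_covers_zone us-east4 us-east4-c && echo "nat-router region covers us-east4-c"
```

Replace the SAMPLE_* variables with the real gcloud output to run the checks against your own project.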

What's next