Cloud NAT logging allows you to log NAT connections and errors. When Cloud NAT logging is enabled, one log entry can be generated for each of the following scenarios:
- when a network connection using NAT is created
- when a packet is dropped because no port was available for NAT
You can opt to log both kinds of events, or just one or the other.
Created logs are sent to Stackdriver Logging.
Specifications
The following specifications apply to Cloud NAT logging:
Cloud NAT logging handles TCP and UDP traffic only.
Cloud NAT logging only logs dropped packets if they are egress (outbound) TCP and UDP packets. It does not log dropped incoming packets. For example, if an inbound response to an outbound request is dropped for any reason, no error is logged.
Each VM instance can only generate a certain number of log entries per unit time, proportional to its number of vCPUs. The VM can generate 50-100 log entries per second per vCPU.
This rate threshold affects the number of events that can be logged. Even if some events are filtered out, their occurrence counts toward the number of possible log entries. Limiting logs to just errors or just NAT translation connections does not necessarily increase the number of viewed log entries. For example, if you choose to log only successful connections, periods of excessive failed connection attempts and NAT errors can still restrict the number of successful connection log entries.
Cloud NAT logging does not log every single packet. Even if the VM's rate threshold has not been reached, there are conditions that can cause events to be omitted from the log. You should rely on the presence of entries in Cloud NAT logging to make informed decisions, but you should not assume that the absence of entries means that an event didn't happen.
Configuring logging
Enabling logging
If logging is enabled, all collected logs are sent to Stackdriver by default. You can filter these so that only certain logs are sent.
You can also specify these values when you create a NAT gateway or by editing one after it has been created. The following directions show how to enable logging for an existing NAT gateway.
Console
- Go to the Cloud NAT page in the Google Cloud Platform Console.
Go to the Cloud NAT page - Click on your NAT gateway.
- Click Edit.
- Click Logging, minimum ports, timeout to open that section.
- Under Stackdriver logging, select one of the following:
No logging— disables loggingTranslation and errors— sends all logs to StackdriverTranslation only— sends a log only when a connection is created. Does not log dropped packets.Errors only— sends a log when a packed is dropped because no port was available. Does not log new connections.
- Click Save.
gcloud
The following commands enable logging for an existing NAT gateway. In each
command, replace [NAT_GATEWAY] with the name of the NAT gateway,
[ROUTER_NAME] with the name of the Cloud Router on which it is
hosted, and [REGION] with the region of the Cloud Router.
To log NAT translation events and errors:
gcloud compute routers nats update [NAT_GATEWAY] \
--router=[ROUTER_NAME] \
--region=[REGION] \
--enable-logging
To just log NAT translation events:
gcloud compute routers nats update [NAT_GATEWAY] \
--router=[ROUTER_NAME] \
--region=[REGION] \
--enable-logging \
--log-filter=TRANSLATIONS_ONLY
To just log errors:
gcloud compute routers nats update [NAT_GATEWAY] \
--router=[ROUTER_NAME] \
--region=[REGION] \
--enable-logging \
--log-filter=ERRORS_ONLY
Clearing log filters
If you have a filter set, you can clear it. Clearing a log filter means that both NAT translation events and errors will be logged, provided that logging is enabled.
Console
- Go to the Cloud NAT page in the Google Cloud Platform Console.
Go to the Cloud NAT page - Click on your NAT gateway.
- Click Edit.
- Click Logging, minimum ports, timeout to open that section.
- Under Stackdriver logging, select the following:
Translation and errors— sends all logs to Stackdriver
- Click Save.
gcloud
gcloud compute routers nats update [NAT_GATEWAY] \
--router=[ROUTER_NAME] \
--region=[REGION] \
--log-filter=ALL
where
[NAT_GATEWAY]is the name of the NAT gateway.[ROUTER_NAME]is the name of the Cloud Router that hosts the NAT gateway.[REGION]is the Cloud Router's region.--log-filter=ALLsets the log filter to accept all logs.
Disabling logging
Console
- Go to the Cloud NAT page in the Google Cloud Platform Console.
Go to the Cloud NAT page - Click on your NAT gateway.
- Click Edit.
- Click Logging, minimum ports, timeout to open that section.
- Under Stackdriver logging, select the following:
No logging— disables logging
- Click Save.
gcloud
gcloud compute routers nats update [NAT_GATEWAY] \
--router=[ROUTER_NAME] \
--region=[REGION] \
--no-enable-logging
where
[NAT_GATEWAY]is the name of the NAT gateway.[ROUTER_NAME]is the name of the Cloud Router that hosts the NAT gateway.[REGION]is the Cloud Router's region.
Determining logging status
To determine the status for logging, do the following:
Console
- Go to the Cloud NAT page in the Google Cloud Platform Console.
Go to the Cloud NAT page - Click on your NAT gateway.
- In the Logging, minimum ports, timeout section, inspect Stackdriver logging.
gcloud
gcloud compute routers nats describe [NAT_GATEWAY] \
--router=[ROUTER_NAME] \
--region=[REGION]
where
[NAT_GATEWAY]is the name of the NAT gateway.[ROUTER_NAME]is the name of the Cloud Router that hosts the NAT gateway.[REGION]is the Cloud Router's region.
Viewing logs
Console
To view logs, go to the Logs Viewer.
- To see all NAT logs, in the first pull-down menu select Cloud NAT Gateway.
- To see logs for just one region, in the first pull-down menu select Cloud NAT Gateway, then slide the cursor right to select a region.
- To see logs for just one gateway, in the first pull-down menu select Cloud NAT Gateway, then slide the cursor right to select a region, then slide the cursor right again to select a single gateway.
Alternatively, go to the Logs page and paste the following into the Filter by label or text search field.
resource.type="nat_gateway"
logName="projects/{#project_id}/logs/compute.googleapis.com%2Fnat_flows"
gcloud
To see the most recent NAT logs, run the following command:
gcloud logging read 'resource.type=nat_gateway' \ --limit=10 \ --format=jsonwhere
resource.type=nat_gatewaylimits the output to your NAT gateways.--limit=10limits the output to 10 entries. You can put a different value to see more or fewer entries, or omit it entirely to see a continuous scroll of logs.--format=jsondisplays the output in JSON format.
For more options, see Reading log entries
You can configure export of Stackdriver logs based metrics for resource logs.
What is logged
Cloud NAT log entries contain information useful for monitoring and debugging your NAT traffic. Log entries contain the following types of information:
- General information shown in most GCP logs, such as severity, project ID, project number, timestamp, and so on.
- Specific information related to Cloud NAT. Some log fields contain entries that are themselves multiple fields. These entries and field descriptions are shown in tables below.
Log fields
| Field | Value | Meaning |
|---|---|---|
connection
|
object(NatIpConnection) | 7-Tuple describing the source VM IP and port, source NAT IP and port, destination IP and port, and IP protocol of this connection. |
allocation_status
|
enum | Indicate whether this connection was successfully allocated or
dropped. One of OK or DROPPED.
|
gateway_identifiers
|
object(NatGateway) | The NAT gateway configuration that the connection used. |
endpoint
|
object(InstanceDetails) | VM instance details. Note that in a Shared VPC configuration,
project_id corresponds to the service project.
|
vpc
|
object(VpcDetails) | VPC network details. Note that in a Shared VPC configuration,
project_id corresponds to that of the host project.
|
destination
|
object(DestinationDetails) | Details of the destination of the connection. |
NatIpConnection field format
| Field | Type | Description |
|---|---|---|
src_ip
|
string | Source IP address |
src_port
|
int32 | Source port |
nat_ip
|
string | NAT IP address |
nat_port
|
int32 | NAT assigned port |
dest_ip
|
string | Destination IP address |
dest_port
|
int32 | Destination port |
protocol
|
int32 | IANA protocol number |
NatGateway field format
| Field | Type | Description |
|---|---|---|
gateway_name
|
string | Name of the NAT gateway |
router_name
|
string | Cloud Router associated with the NAT gateway |
region
|
string | Region of the Cloud Router |
InstanceDetails field format
| Field | Type | Description |
|---|---|---|
project_id
|
string | ID of the project containing the VM |
vm_name |
string | Instance name of the VM |
region
|
string | Region of the Cloud Router |
zone |
string | Zone of the VM |
VpcDetails field format
| Field | Type | Description |
|---|---|---|
project_id
|
string | ID of the project containing the network |
vpc_name |
string | Network on which the VM is operating |
subnetwork_name
|
string | Subnet on which the VM is operating |
DestinationDetails field format
| Field | Type | Description |
|---|---|---|
geo_location
|
object(GeographicDetails) | If the destination of the connection was external to GCP, this field is populated with available location metadata. |
instance |
object(InstanceDetails) | If the destination of the connection is an instance within the same project as the source, this field is populated with VM instance details. |
GeographicDetails field format
| Field | Type | Description |
|---|---|---|
continent
|
string | Continent for external endpoints |
country |
string | Country for external endpoints |
region
|
string | Region for external endpoints |
city |
string | City for external endpoints |
asn |
string | The autonomous system number (ASN) of the external network to which this endpoint belongs. |
Examples
Example 1: NAT-ed TCP connection record from a VM instance in a Shared VPC network going to an external server in France.
{
insertId: "1the8juf6vab1t"
jsonPayload: {
connection: {
Src_ip: "10.0.0.1"
Src_port: 45047
Nat_ip: "203.0.113.17"
Nat_port: 34889
dest_ip : "198.51.100.142"
Dest_port: 80
Protocol: "tcp"
}
allocation _status: "OK"
Gateway_identifiers: {
Gateway_name: "my-nat-1"
router_name: "my-router-1"
Region: "europe-west1"
}
Endpoint: {
Project_id: "service-project-1"
Vm_name: "vm-1"
Region: "europe-west1"
Zone: "europe-west1-b"
}
Vpc: {
Project_id: "host-project"
Vpc_name: "network-1"
Subnetwork_name: "subnetwork-1"
}
Destination: {
Geo_location: {
Continent: "Europe"
Country: "France"
Region: "Nouvelle-Aquitaine"
City: "Bordeaux"
}
}
}
logName: "projects/host-project/logs/compute.googleapis.com%2Fnat_flows"
receiveTimestamp: "2018-06-28T10:46:08.123456789Z"
resource: {
labels: {
region: "europe-west1-d"
project_id: "host-project"
router_id: "987654321123456"
gateway_name: "my-nat-1"
}
type: "nat_gateway"
}
labels: {
nat.googleapis.com/instance_name: "vm-1"
nat.googleapis.com/instance_zone: "europe-west1-b"
nat.googleapis.com/nat_ip: "203.0.113.17"
nat.googleapis.com/network_name: "network-1"
nat.googleapis.com/router_name: "my-router-1"
nat.googleapis.com/subnetwork_name: "subnetwork-1"
}
timestamp: "2018-06-28T10:46:00.602240572Z"
}
Example 2: Record for a packet dropped because there were no available ports. Sending VM was trying to reach the external IP address of another VM in the same project.
{
insertId: "1the8juf6vab1l"
jsonPayload: {
connection: {
Src_ip: "10.0.128.1"
Src_port: 45047
dest_ip : "192.0.2.87"
Dest_port: 80
Protocol: "tcp"
}
allocation _status: "DROPPED"
Gateway_identifiers: {
Gateway_name: "my-nat-2"
Cloud_router: "my-router-1"
Region: "europe-west1"
}
Endpoint: {
Project_id: "service-project-1"
Vm_name: "vm-1"
Region: "europe-west1"
Zone: "europe-west1-b"
}
Vpc: {
Project_id: "host-project"
Vpc_name: "network-1"
Subnetwork_name: "subnetwork-1"
}
Destination: {
Instance: {
Project_id: "service-project-1"
Vm_name: "vm-2"
Region: "asia-east1"
Zone: "asia-east1-b"
}
}
}
logName: "projects/host-project/logs/compute.googleapis.com%2Fnat_flows"
receiveTimestamp: "2018-06-28T10:46:09.123456789Z"
resource: {
labels: {
region: "europe-west1-d"
project_id: "host-project"
router_id: "987654321123456"
gateway_name: "my-nat-2"
}
type: "nat_gateway"
}
timestamp: "2018-06-28T10:46:01.602240572Z"
}
Pricing
See Logging pricing.
Troubleshooting
No logs are generated
- Verify that NAT logging is enabled.
- Double-check that your view of the logs isn't filtering out the logs you are looking for. See Viewing logs for instructions.
- Make sure a firewall rule isn't blocking traffic. Firewall rules that block egress (outbound) traffic are applied before the traffic would have been sent to the NAT gateway. You can use firewall rules logging to see if your custom egress rules are blocking outbound traffic.
- Review cases where NAT is not performed on traffic. The destination for your traffic might not be handled by NAT.
Certain logs are excluded
- Verify that NAT logging is enabled and that your log filter is not excluding logs you want to keep. You can clear a logs filter so that nothing is excluded.
- Cloud NAT does not log every single event. During periods of heavy egress traffic, NAT logging is throttled, proportional to the machine type of the VM. NAT translation or error logs might be dropped, and it is not possible to determine what is omitted during throttling.
What's next
- Refer to the Stackdriver documentation for more information on logging, monitoring, and exporting.
- Learn about creating your own Cloud NAT gateway.
