Cloud NAT rules

The NAT rules feature lets you create access rules that define how Cloud NAT is used to connect to the internet. NAT rules support source NAT based on destination address.

When you configure a NAT gateway without NAT rules, the VMs using that NAT gateway use the same set of NAT IP addresses to reach all internet addresses. If you need more control over packets that pass through Cloud NAT, you can add NAT rules. A NAT rule defines a match condition and a corresponding action. After you specify NAT rules, each packet is matched with each NAT rule. If a packet matches the condition set in a rule, then the action corresponding to that match occurs.

Cloud NAT rule configuration example

The following example illustrates how to use NAT rules when your destination allows access from only a few IP addresses. We recommend that the traffic to such destinations from your Google Cloud VMs in private subnets are source NAT-translated with only the permitted IP addresses. We recommend that you do not use these IP addresses for other destinations.

Consider the following requirements for VMs in Subnet-1 (10.10.10.0/24), which is in Region A of the VPC network test:

  • The VMs must use NAT IP address 203.0.113.20 to send traffic to destination 198.51.100.20/30.
  • The VMs must use NAT IP address 203.0.113.30 to send traffic to destination 198.51.100.30 or 198.51.100.31.
  • The VMs must use NAT IP address 203.0.113.40 to send traffic to any other internet destination.

This VPC network also contains two additional subnets in the same region. These VMs must use NAT IP address 203.0.113.10 to send traffic to any destination.

Cloud NAT configuration with two Cloud NAT gateways (click to enlarge).
Cloud NAT configuration with two Cloud NAT gateways (click to enlarge)

You can use NAT rules for this example, but you need two NAT gateways because Subnet-1 (10.10.10.0/24) has NAT rules that are different from the other subnets. To create this configuration, follow these steps:

  1. Create a gateway called Cloud NAT Gateway 1 for Subnet-1 with NAT IP address 203.0.113.40 and add the following rules:
    1. NAT rule 1 in Cloud NAT Gateway 1: When the destination is 198.51.100.20/30, use source NAT with 203.0.113.20.
    2. NAT rule 2 in Cloud NAT Gateway 1: When the destination is 198.51.100.30 or 198.51.100.31, use source NAT with 203.0.113.30.
  2. Create a gateway called Cloud NAT Gateway 2 for the region's other subnets and assign the NAT IP address as 203.0.113.10. No NAT rules are needed in this step.

NAT rules specifications

Before working with NAT rules, note the following specifications:

  • A rule number uniquely identifies a NAT rule. No two rules can have the same rule number.
  • Each NAT configuration has a default rule:
    • The default rule is applied if no other NAT rule matches in the same NAT configuration.
    • The rule number of the default rule is 65001.
  • Cloud NAT rules are supported only when the value of the NAT IP allocate option is MANUAL_ONLY.
  • Destination IP CIDRs in the match condition must not overlap across NAT rules. There can be at most one rule that can match any given packet.
  • NAT IP addresses across NAT rules must not overlap.
  • A rule must either have a non-empty Active or non-empty Drain IP address. If the rule has an empty Active IP address, new connections that match the NAT rule are dropped.
  • NAT rules cannot be added to a NAT gateway that has Endpoint-Independent Mapping enabled. You cannot enable Endpoint-Independent Mapping on a NAT gateway that has NAT rules in it.

In addition, all VMs get ports assigned to them from the value for minimum ports per VM for each Cloud NAT rule. If the ports allocated to a VM from a NAT rule are exhausted, new connections that match the NAT rule are dropped.

For example, if you configure 4,096 ports per VM and have 16 VMs and 2 NAT rules (rule1 with 1 IP address and rule2 with 2 IP addresses), alongside the default rule (default) with 2 IP addresses, all 16 VMs would get 4,096 ports in each bundle of NAT rules. In this example, there are no issues in default or rule2 for all their VMs, but rule1 isn't able to allocate ports for all its VMs. Therefore, traffic from VMs that needs to go through rule1 might be dropped and show signs of being out of resources because the traffic does not use the default rule.

Rule expression language

NAT rules are written using Common Expression Language syntax.

An expression requires two components:

  • Attributes that can be inspected in rule expressions.
  • Operations that can be performed on the attributes as part of an expression.

For example, the following expression uses the attributes destination.ip and 198.51.100.0/24 in the operation inIpRange(). In this case, the expression returns true if destination.ip is within the 198.51.100.0/24 IP address range.

inIpRange(destination.ip, '198.51.100.0/24')

NAT rules support only the following attributes and operations:

Attributes

Attributes represent information from an outgoing packet, such as the destination IP address.

Attribute name Description
destination.ip Destination IP address of the packet

Operations

The following reference describes the operators that you can use with attributes to define rule expressions.

Operation Description
inIpRange(string, string) -> bool inIpRange(X, Y) returns true if IP CIDR range Y contains the IP address X.
|| Logical operator. x || y returns true if x or y is true.
== Equals operator. x == y returns true if x is equal to y.

Example expressions

Match traffic with destination IP address 198.51.100.20.

"destination.ip == '198.51.100.20'"

Match traffic with destination IP address 198.51.100.10/30 or 198.51.100.20.

"inIpRange(destination.ip, '198.51.100.10/30') || destination.ip == '198.51.100.20'"

What's next