Cloud NAT rules

This page provides an overview of Cloud NAT rules for Public NAT. These rules let you define how Cloud NAT is used to connect to the internet.

Cloud NAT rules for Public NAT support source network address translation (SNAT) based on source (Preview) or destination address.

NAT rules

By default, when you configure a Cloud NAT gateway for Public NAT, packets that are translated by that NAT gateway use the same set of NAT IP addresses to reach all internet addresses. If you need more control over packets that are translated by Cloud NAT, you can add NAT rules.

A NAT rule defines a match condition and a corresponding action. After you specify NAT rules, each packet is matched with each NAT rule. If a packet matches the condition set in a rule, then the action corresponding to that match occurs.

NAT rules for Public NAT support both source and destination address matching:

  • In source-based rules (Preview), packets are matched by their source IP address. Only IPv4 source addresses are supported.
  • In destination-based rules, packets are matched by their destination IP address. Only IPv4 destination addresses are supported.

Combining source- and destination-based conditions in a single NAT rule isn't allowed. For more information, see NAT rules specifications.

Cloud NAT rule configuration example

The following example illustrates how to use NAT rules when your destination allows access from only a few IP addresses. We recommend that the traffic to such destinations from your Google Cloud VMs in private subnets are SNAT-translated with only the permitted IP addresses. We recommend that you not use these IP addresses for other destinations.

Consider the following requirements for VMs in Subnet-1 (10.10.10.0/24), which is in Region A of the VPC network test:

  • The VMs must use NAT IP address 203.0.113.20 to send traffic to destination 198.51.100.20/30.
  • The VMs must use NAT IP address 203.0.113.30 to send traffic to destination 198.51.100.30 or 198.51.100.31.
  • The VMs must use NAT IP address 203.0.113.40 to send traffic to any other internet destination.

This VPC network also contains two additional subnets in the same region. These VMs must use NAT IP address 203.0.113.10 to send traffic to any destination.

Cloud NAT configuration with two Cloud NAT gateways.
Cloud NAT configuration with two Cloud NAT gateways (click to enlarge).

You can use NAT rules for this example, but you need two NAT gateways because Subnet-1 (10.10.10.0/24) has NAT rules that are different from the other subnets. To create this configuration, follow these steps:

  1. Create a gateway called Cloud NAT Gateway 1 for Subnet-1 with NAT IP address 203.0.113.40 and add the following rules:
    1. NAT rule 1 in Cloud NAT Gateway 1: When the destination is 198.51.100.20/30, use 203.0.113.20 for NAT.
    2. NAT rule 2 in Cloud NAT Gateway 1: When the destination is 198.51.100.30 or 198.51.100.31, use 203.0.113.30 for NAT.
  2. Create a gateway called Cloud NAT Gateway 2 for the region's other subnets and assign the NAT IP address as 203.0.113.10. No NAT rules are needed in this step.

NAT rules specifications

  • Cloud NAT supports source- and destination-based rules. Each rule defines a condition that is based on the source or destination address, but not both.
  • A rule priority uniquely identifies a NAT rule, from 0 (highest priority) to 65,000 (lowest priority). No two rules can have the same priority.
  • Each NAT configuration has a default rule:
    • The default rule is applied if no other NAT rule matches in the same NAT configuration.
    • The rule priority of the default rule is 65001.
    • For both source- and destination-based rules, the IP CIDR range of the default rule is 0.0.0.0/0.
  • Cloud NAT rules are supported only when the value of the NAT IP allocate option is MANUAL_ONLY.

  • All IP addresses configured in a given rule must be of the same tier.

    You cannot use a mix of Premium Tier and Standard Tier IP addresses within the same rule (including the default rule).

  • IP CIDR ranges in match conditions must not overlap across NAT rules. At most, one rule can apply to any given packet. If a packet matches both a source- and destination-based rule, Cloud NAT applies the rule that has higher priority.

    You can't create a NAT rule with 0.0.0.0/0 as the source or destination range because it is used by the default rule.

  • NAT IP addresses across NAT rules must not overlap.

  • A rule must either have a non-empty Active or non-empty Drain IP address. If the rule has an empty Active IP address, new connections that match the NAT rule are dropped.

  • NAT rules cannot be added to a NAT gateway that has Endpoint-Independent Mapping enabled. You cannot enable Endpoint-Independent Mapping on a NAT gateway that has NAT rules in it.

In addition, all VMs get ports assigned to them from the value for minimum ports per VM for each Cloud NAT rule. If the ports allocated to a VM from a NAT rule are exhausted, new connections that match the NAT rule are dropped.

For example, if you configure 4,096 ports per VM and have 16 VMs and 2 NAT rules (rule1 with 1 IP address and rule2 with 2 IP addresses), alongside the default rule (default) with 2 IP addresses, all 16 VMs would get 4,096 ports in each bundle of NAT rules. In this example, there are no issues in default or rule2 for all their VMs, but rule1 isn't able to allocate ports for all its VMs. Therefore, traffic from VMs that needs to go through rule1 might be dropped and show signs of being out of resources because the traffic does not use the default rule.

Rule expression language

NAT rules are written using Common Expression Language syntax.

An expression requires two components:

  • Attributes that can be inspected in rule expressions.
  • Operations that can be performed on the attributes as part of an expression.

For example, the following expression uses the attributes destination.ip and 198.51.100.0/24 in the operation inIpRange(). In this case, the expression returns true if destination.ip is within the 198.51.100.0/24 IP address range.

inIpRange(destination.ip, '198.51.100.0/24')

NAT rules support only the following attributes and operations:

Attributes

Attributes represent information from an outgoing packet, such as the source and destination IP address.

Attribute name Description
source.ip Source IP address of the packet
destination.ip Destination IP address of the packet

Operations

The following reference describes the operators that you can use with attributes to define rule expressions.

Operation Description
inIpRange(string, string) -> bool inIpRange(x, y) returns true if IP CIDR range y contains IP address x.
|| Logical operator. x || y returns true if x or y is true.
== Equals operator. x == y returns true if x is equal to y.

Example expressions

You can match packets based on either source or destination address, but not both.

Examples for source-based matching

Match packets with source IP address 10.0.0.25:

"source.ip == '10.0.0.25'"

Match packets with source IP address 10.0.0.25 or 10.0.0.26:

"source.ip == '10.0.0.25' || source.ip == '10.0.0.26'"

Match packets with source IP address range 10.0.2.0/24:

"inIpRange(source.ip, '10.0.2.0/24')"

Match packets with source IP address 10.0.0.25 or source IP address range 10.0.2.0/24:

"source.ip == '10.0.0.25' || inIpRange(source.ip, '10.0.2.0/24')"

Examples for destination-based matching

Match packets with destination IP address 198.51.100.20:

"destination.ip == '198.51.100.20'"

Match packets with destination IP address 198.51.100.20 or 198.51.100.21:

"destination.ip == '198.51.100.20' || destination.ip == '198.51.100.21'"

Match packets with destination IP address range 198.51.100.10/30:

"inIpRange(destination.ip, '198.51.100.10/30')"

Match packets with destination IP address 198.51.100.20 or destination IP address range 198.51.100.10/30:

"destination.ip == '198.51.100.20' || inIpRange(destination.ip, '198.51.100.10/30')"

What's next