Cloud NAT overview
Cloud NAT (network address translation) lets certain resources in Google Cloud create outbound connections to the internet or to other Virtual Private Cloud (VPC) networks. Cloud NAT supports address translation for established inbound response packets only. It does not allow unsolicited inbound connections.
Cloud NAT provides outgoing connectivity for the following resources:
- Compute Engine virtual machine (VM) instances
- Private Google Kubernetes Engine (GKE) clusters
- Cloud Run instances through Serverless VPC Access
- Cloud Functions instances through Serverless VPC Access
- App Engine standard environment instances through Serverless VPC Access
Types of Cloud NAT
In Google Cloud, you use Cloud NAT to create NAT gateways that let instances in a private subnet connect to resources outside your VPC network.
Using a NAT gateway, you can enable the following types of NAT:
- Public NAT
- Private NAT (Preview)
Public NAT lets Google Cloud resources that do not have public IP addresses communicate with the internet. These VMs use a set of shared public IP addresses to connect to the internet. Public NAT does not rely on proxy VMs. Instead, a Public NAT gateway allocates a set of external IP addresses and source ports to each VM that uses the gateway to create outbound connections to the internet.
Consider a scenario in which you have VM-1 in subnet-1 whose network interface does not have an external IP address. However, VM-1 needs to connect to the internet to download critical updates. To enable connectivity to the internet, you can create a Public NAT gateway that is configured to apply to the IP address range of subnet-1. VM-1 can then send traffic to the internet by using the internal IP address of VM-1.
For more information about Public NAT, see Public NAT specifications.
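As an added example that is not part of the Cloud NAT documentation, the VM-1 / subnet-1 scenario above can be expressed with the Terraform Google provider. The project and provider configuration, the region, the resource names, the 10.10.1.0/24 range, and the choice of manual NAT IP assignment are all assumptions; the resource types and attributes are the provider's own. The VM has no `access_config` block, so it gets no external IP address, and the NAT gateway is scoped to subnet-1 rather than to every subnet in the VPC. Because Cloud NAT only works "subject to egress firewall rules", the example also replaces the implied allow-all egress with an explicit allow for TCP 443 plus a lower-priority deny, so that NAT does not silently turn into unrestricted outbound access.

```hcl
# Added example (not from the Cloud NAT documentation). Provider/project
# configuration is assumed to exist; names, region and ranges are assumptions.

resource "google_compute_network" "vpc" {
  name                    = "nat-demo-vpc"
  auto_create_subnetworks = false
}

# subnet-1: the range the Public NAT gateway applies to.
resource "google_compute_subnetwork" "subnet_1" {
  name                     = "subnet-1"
  ip_cidr_range            = "10.10.1.0/24" # assumption
  region                   = "us-central1"  # assumption
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true
}

# VM-1: no access_config on the interface, so only an internal IP address.
resource "google_compute_instance" "vm_1" {
  name         = "vm-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.subnet_1.id
    # Deliberately no access_config {} block: no external IP address.
  }
}

# Manual NAT IP assignment: a reserved static address that a destination
# party can allowlist, since it is the only source address they will see.
resource "google_compute_address" "nat_ip" {
  name   = "public-nat-ip"
  region = "us-central1"
}

# The Cloud Router holds the NAT configuration (control plane only).
resource "google_compute_router" "nat_router" {
  name    = "nat-router"
  region  = "us-central1"
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "public_nat" {
  name   = "public-nat"
  router = google_compute_router.nat_router.name
  region = google_compute_router.nat_router.region

  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = [google_compute_address.nat_ip.self_link]

  # Apply NAT to subnet-1 only, not to every subnet in the VPC.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = google_compute_subnetwork.subnet_1.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Log translations and errors so connections can be traced later.
  log_config {
    enable = true
    filter = "ALL"
  }
}

# NAT does not replace egress firewall rules. Allow only HTTPS out ...
resource "google_compute_firewall" "allow_https_egress" {
  name               = "allow-https-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["0.0.0.0/0"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# ... and deny everything else at a lower priority (higher number).
resource "google_compute_firewall" "deny_other_egress" {
  name               = "deny-other-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
}
```

After `terraform apply`, VM-1 reaches the internet on TCP 443 only, and every connection leaves with the source address of `public-nat-ip`. The `MANUAL_ONLY` allocation is the setting to choose when a destination service must allowlist you; with automatic allocation the gateway may add addresses over time, which defeats that allowlist.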
Private NAT enables private-to-private translations across Google Cloud networks. Inter-VPC NAT, a Private NAT offering, lets you create a Private NAT gateway that works in conjunction with Network Connectivity Center to perform NAT between Virtual Private Cloud networks. To configure Inter-VPC NAT between VPC networks, each VPC network must be configured as a VPC spoke (Preview) in a Network Connectivity Center hub. The Private NAT gateway uses a NAT IP address from a Private NAT subnet to NAT traffic between resources that are attached to a Network Connectivity Center hub.
Assume that the resources in your VPC network need to communicate with the resources in a VPC network that is owned by a different business entity. However, the VPC network of that business entity contains subnets whose IP addresses overlap with the IP addresses of your VPC network. In this scenario, you create a Private NAT gateway that routes traffic between the subnets in your VPC network to the non-overlapping subnets of that business entity.
For more information about Private NAT, see Private NAT specifications.
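As an added example that is not part of the Cloud NAT documentation, the overlapping-subnet scenario above can be expressed with the Terraform Google provider. Both VPCs are placed in one project here for brevity (the page describes a peer owned by a different business entity), and the provider/project configuration, the names, the region and every IP range are assumptions. Private NAT is Preview, so the attributes used should be checked against the current provider documentation. The shape of the configuration follows the page: a dedicated subnet with `purpose = "PRIVATE_NAT"` supplies the SNAT addresses, both VPCs are attached as VPC spokes of a Network Connectivity Center hub, the overlapping range is kept out of the hub's route exports, and a NAT rule applies SNAT only to traffic whose next hop is the hub.

```hcl
# Added example (not from the Cloud NAT documentation). Provider/project
# configuration is assumed to exist; names, region and ranges are assumptions.

# Your VPC, with a workload subnet whose range also exists in the peer VPC.
resource "google_compute_network" "vpc_a" {
  name                    = "vpc-a"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "vpc_a_workloads" {
  name          = "vpc-a-workloads"
  ip_cidr_range = "10.0.0.0/24" # assumption: the overlapping range
  region        = "us-central1" # assumption
  network       = google_compute_network.vpc_a.id
}

# Private NAT subnet: the pool of source addresses used for SNAT. It must not
# overlap any range that is reachable through the hub.
resource "google_compute_subnetwork" "vpc_a_nat_pool" {
  name          = "vpc-a-nat-pool"
  ip_cidr_range = "192.168.100.0/24" # assumption
  region        = "us-central1"
  network       = google_compute_network.vpc_a.id
  purpose       = "PRIVATE_NAT"
}

# The peer VPC with the non-overlapping subnet that vpc-a needs to reach.
resource "google_compute_network" "vpc_b" {
  name                    = "vpc-b"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "vpc_b_services" {
  name          = "vpc-b-services"
  ip_cidr_range = "10.20.0.0/24" # assumption: non-overlapping destination
  region        = "us-central1"
  network       = google_compute_network.vpc_b.id
}

# Network Connectivity Center hub with both VPCs attached as VPC spokes.
resource "google_network_connectivity_hub" "hub" {
  name = "inter-vpc-hub"
}

resource "google_network_connectivity_spoke" "spoke_a" {
  name     = "spoke-a"
  location = "global"
  hub      = google_network_connectivity_hub.hub.id
  linked_vpc_network {
    uri = google_compute_network.vpc_a.self_link
    # Keep the overlapping range out of the hub; only the NAT pool is
    # what other spokes need to reach.
    exclude_export_ranges = ["10.0.0.0/24"]
  }
}

resource "google_network_connectivity_spoke" "spoke_b" {
  name     = "spoke-b"
  location = "global"
  hub      = google_network_connectivity_hub.hub.id
  linked_vpc_network {
    uri = google_compute_network.vpc_b.self_link
  }
}

resource "google_compute_router" "router_a" {
  name    = "vpc-a-router"
  region  = "us-central1"
  network = google_compute_network.vpc_a.id
}

resource "google_compute_router_nat" "private_nat" {
  name   = "vpc-a-private-nat"
  router = google_compute_router.router_a.name
  region = google_compute_router.router_a.region
  type   = "PRIVATE"

  # Private NAT does not use endpoint-independent mapping.
  enable_endpoint_independent_mapping = false
  min_ports_per_vm                    = 32

  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = google_compute_subnetwork.vpc_a_workloads.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # SNAT only traffic whose next hop is the hub, using the NAT pool as the
  # source range. The hub URI format below is an assumption.
  rules {
    rule_number = 100
    description = "SNAT vpc-a workloads bound for the NCC hub"
    match       = "nexthop.hub == \"//networkconnectivity.googleapis.com/${google_network_connectivity_hub.hub.id}\""
    action {
      source_nat_active_ranges = [google_compute_subnetwork.vpc_a_nat_pool.self_link]
    }
  }
}
```

With this in place, a VM in `vpc-a-workloads` that connects to 10.20.0.0/24 leaves the hub with a source address from 192.168.100.0/24, and the replies are DNAT'ed back by the same gateway. Nothing in `vpc-b` can initiate a connection into the overlapping 10.0.0.0/24 range, which is the isolation property the page describes for a Private NAT gateway.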
Cloud NAT is a distributed, software-defined managed service. It's not based on proxy VMs or appliances. Cloud NAT configures the Andromeda software that powers your Virtual Private Cloud (VPC) network so that it provides source network address translation (source NAT or SNAT) for resources. Cloud NAT also provides destination network address translation (destination NAT or DNAT) for established inbound response packets.
Cloud NAT provides the following benefits:
When using a Public NAT gateway, you can reduce the need for individual VMs to each have external IP addresses. Subject to egress firewall rules, VMs without external IP addresses can access destinations on the internet. For example, you might have VMs that only need internet access to download updates or to complete provisioning.
If you use manual NAT IP address assignment to configure a Public NAT gateway, you can confidently share a set of common external source IP addresses with a destination party. For example, a destination service might only allow connections from known external IP addresses.
A Private NAT gateway does not permit any resource from Network Connectivity Center connected VPC spokes (Preview) to directly initiate a connection with the VMs inside overlapping subnetworks. When a VM in a Private NAT configuration tries to initiate a connection with a VM in a Network Connectivity Center VPC spoke network, the Private NAT gateway performs SNAT by using the IP addresses from the Private NAT range. The gateway also performs DNAT on the responses to the outbound packets.
Cloud NAT is a distributed, software-defined managed service. It doesn't depend on any VMs in your project or a single physical gateway device. You configure a NAT gateway on a Cloud Router, which provides the control plane for NAT, holding configuration parameters that you specify. Google Cloud runs and maintains processes on the physical machines that run your Google Cloud VMs.
Cloud NAT can be configured to automatically scale the number of NAT IP addresses that it uses, and it supports VMs that belong to managed instance groups, including the groups with autoscaling enabled.
Cloud NAT does not reduce the network bandwidth per VM. Cloud NAT is implemented by Google's Andromeda software-defined networking. For more information, see Network bandwidth in the Compute Engine documentation.
For Cloud NAT traffic, you can trace the connections and bandwidth for compliance, debugging, analytics, and accounting purposes.
Cloud NAT exposes key metrics to Cloud Monitoring that give you insight into your fleet's use of NAT gateways. Metrics are sent automatically to Cloud Monitoring. There, you can create custom dashboards, set up alerts, and query metrics.
For more information about the important interactions between Cloud NAT and other Google Cloud products, see Cloud NAT product interactions.
- Learn about Cloud NAT product interactions.
- Learn about Cloud NAT addresses and ports.
- Set up a Public NAT gateway.
- Learn about Cloud NAT rules.
- Set up a Private NAT gateway.
- Troubleshoot common issues.
- Learn about Cloud NAT pricing.