Private NAT

Private NAT enables private-to-private translations across Google Cloud networks and other on-premises or cloud provider networks. Private NAT offers the following private-to-private translations options:

  • Inter-VPC NAT: enables private-to-private translations between Virtual Private Cloud (VPC) networks that are connected to a Network Connectivity Center hub.
  • Hybrid NAT (Preview): enables private-to-private translations between VPC networks and on-premises or cloud provider networks that are connected over Google Cloud's enterprise hybrid connectivity solutions.


The following sections cover the specifications of Private NAT. The specifications apply to both Inter-VPC NAT and Hybrid NAT.

General specifications

  • Private NAT allows outbound connections and the inbound responses to those connections. Each Private NAT gateway performs source NAT on egress, and destination NAT for established response packets.

  • Private NAT does not support auto mode VPC networks.
  • Private NAT does not permit unsolicited inbound requests from connected networks, even if firewall rules would otherwise permit those requests. For more information, see Applicable RFCs.

  • Each Private NAT gateway is associated with a single VPC network, region, and Cloud Router. The Private NAT gateway and the Cloud Router provide a control plane—they are not involved in the data plane, so packets do not pass through the Private NAT gateway or Cloud Router.

  • Private NAT does not support Endpoint-Independent Mapping.
  • You cannot use Private NAT to translate a specific primary or secondary IP address range for a given subnet. A Private NAT gateway performs NAT on all IPv4 address ranges for a given subnet or list of subnets.
  • After you create the subnet, you cannot increase or decrease the Private NAT subnet size. However, you can specify multiple Private NAT subnet ranges for a given gateway.
  • Private NAT supports a maximum of 64,000 simultaneous connections per endpoint.
  • Private NAT supports only TCP and UDP connections.
  • A virtual machine (VM) instance in a VPC network can only access destinations in a non-overlapping—not in an overlapping—subnetwork in a connected network.

Routes and firewall rules

Private NAT uses the following routes:

  • For Inter-VPC NAT, Private NAT uses only subnet routes exchanged by two Network Connectivity Center VPC spokes that are attached to a Network Connectivity Center hub. For more information about Network Connectivity Center VPC spokes, see VPC spokes overview.
  • For Hybrid NAT (Preview), Private NAT uses the dynamic routes learned by Cloud Router over Google Cloud's hybrid connectivity options.

Private NAT does not have any Cloud NGFW rule requirements. Firewall rules are applied directly to the network interfaces of Compute Engine VMs, not Private NAT gateways.

You don't have to create any special firewall rules that allow connections to or from NAT IP addresses. When a Private NAT gateway provides NAT for a VM's network interface, applicable egress firewall rules are evaluated as packets for that network interface before NAT. Ingress firewall rules are evaluated after packets have been processed by NAT.

Subnet IP address range applicability

You can configure a Private NAT gateway to provide NAT for the following:

  • Primary and secondary IP address ranges of all subnets in the region. A single Private NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use a subnet in the region. This option uses exactly one NAT gateway per region.
  • Custom subnet list. A single Private NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use a subnet from a list of specified subnets.


Using a Private NAT gateway does not change the amount of outbound or inbound bandwidth that a VM can use. For bandwidth specifications, which vary by machine type, see Network bandwidth in the Compute Engine documentation.

VMs with multiple network interfaces

If you configure a VM to have multiple network interfaces, each interface must be in a separate VPC network. Consequently, a Private NAT gateway can only apply to a single network interface of a VM. Separate Private NAT gateways can provide NAT to the same VM, where each gateway applies to a separate interface.

NAT IP addresses and ports

When you create a Private NAT gateway, you must specify a subnet of purpose PRIVATE_NAT from which NAT IP addresses are assigned for the VMs. For more information about Private NAT IP address assignment, see Private NAT IP addresses.

You can configure the number of source ports that each Private NAT gateway reserves on each VM for which it is to provide NAT services. You can configure static port allocation, where the same number of ports is reserved for each VM, or dynamic port allocation, where the number of reserved ports can vary between the minimum and maximum limits that you specify.

The VMs for which NAT is to be provided are determined by the subnet IP address ranges that the gateway is configured to serve.

For more information about ports, see Ports.

Applicable RFCs

Private NAT is a Port Restricted Cone NAT as defined in RFC 3489.

NAT timeouts

Private NAT sets timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.

What's next