Private NAT

Private NAT enables private-to-private address translation between networks:

  • Private NAT for Network Connectivity Center spokes enables private-to-private network address translation (NAT) for Virtual Private Cloud (VPC) networks that are connected to a Network Connectivity Center hub, which includes private-to-private NAT for traffic between VPC spokes and between VPC spokes and hybrid spokes.
  • Hybrid NAT enables private-to-private NAT between VPC networks and on-premises or other cloud provider networks that are connected to Google Cloud over Cloud Interconnect or Cloud VPN.

Specifications

The following sections describe the specifications of Private NAT. These specifications apply to both Private NAT for Network Connectivity Center spokes and Hybrid NAT.

General specifications

  • Private NAT allows outbound connections and the inbound responses to those connections. Each Private NAT gateway performs source NAT on egress, and destination NAT for established response packets.
  • Private NAT does not support auto mode VPC networks.
  • Private NAT does not permit unsolicited inbound requests from connected networks, even if firewall rules would otherwise permit those requests. For more information, see Applicable RFCs.
  • Each Private NAT gateway is associated with a single VPC network, region, and Cloud Router. The Private NAT gateway and the Cloud Router provide a control plane—they are not involved in the data plane, so packets do not pass through the Private NAT gateway or Cloud Router.
  • Private NAT does not support Endpoint-Independent Mapping.
  • You cannot use Private NAT to translate a specific primary or secondary IP address range for a given subnet. A Private NAT gateway performs NAT on all IPv4 address ranges for a given subnet or list of subnets.
  • After you create the subnet, you cannot increase or decrease the Private NAT subnet size. However, you can specify multiple Private NAT subnet ranges for a given gateway.
  • Private NAT supports a maximum of 64,000 simultaneous connections per endpoint.
  • Private NAT supports only TCP and UDP connections.
  • A virtual machine (VM) instance in a VPC network can only access destinations in a non-overlapping—not in an overlapping—subnetwork in a connected network.

Routes and firewall rules

Private NAT uses the following routes:

  • For Network Connectivity Center spokes, Private NAT uses subnet routes and dynamic routes:
    • For traffic between two VPC spokes attached to a Network Connectivity Center hub that contains only VPC spokes, Private NAT uses the subnet routes exchanged by the attached VPC spokes. For information about VPC spokes, see VPC spokes overview.
    • If a Network Connectivity Center hub contains both VPC spokes and hybrid spokes such as VLAN attachments for Cloud Interconnect, Cloud VPN tunnels, or Router appliance VMs, Private NAT uses the dynamic routes learned by the hybrid spokes through BGP and subnet routes exchanged by the attached VPC spokes. For information about hybrid spokes, see Hybrid spokes.
  • For Hybrid NAT, Private NAT uses dynamic routes learned by Cloud Router over Cloud Interconnect or Cloud VPN.

Private NAT does not have any Cloud NGFW rule requirements. Firewall rules are applied directly to the network interfaces of Compute Engine VMs, not Private NAT gateways.

You don't have to create any special firewall rules that allow connections to or from NAT IP addresses. When a Private NAT gateway provides NAT for a VM's network interface, applicable egress firewall rules are evaluated against packets leaving that network interface before NAT is applied. Ingress firewall rules are evaluated after packets have been processed by NAT.

Subnet IP address range applicability

You can configure a Private NAT gateway to provide NAT for the following:

  • Primary and secondary IP address ranges of all subnets in the region. A single Private NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use a subnet in the region. This option uses exactly one NAT gateway per region.
  • Custom subnet list. A single Private NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use a subnet from a list of specified subnets.

Bandwidth

Using a Private NAT gateway does not change the amount of outbound or inbound bandwidth that a VM can use. For bandwidth specifications, which vary by machine type, see Network bandwidth in the Compute Engine documentation.

VMs with multiple network interfaces

If you configure a VM to have multiple network interfaces, each interface must be in a separate VPC network. Consequently, a Private NAT gateway can only apply to a single network interface of a VM. Separate Private NAT gateways can provide NAT to the same VM, where each gateway applies to a separate interface.

NAT IP addresses and ports

When you create a Private NAT gateway, you must specify a subnet of purpose PRIVATE_NAT from which NAT IP addresses are assigned for the VMs. For more information about Private NAT IP address assignment, see Private NAT IP addresses.

You can configure the number of source ports that each Private NAT gateway reserves on each VM for which it is to provide NAT services. You can configure static port allocation, where the same number of ports is reserved for each VM, or dynamic port allocation, where the number of reserved ports can vary between the minimum and maximum limits that you specify.

The VMs for which NAT is to be provided are determined by the subnet IP address ranges that the gateway is configured to serve.

For more information about ports, see Ports.

Applicable RFCs

Private NAT is a Port Restricted Cone NAT as defined in RFC 3489.
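The following is an added illustration, not Google's implementation, of the behaviour described in General specifications and in this section: source NAT on egress from a PRIVATE_NAT subnet with a fixed number of reserved ports per VM, a separate mapping per destination (no Endpoint-Independent Mapping), TCP/UDP only, and port-restricted filtering on ingress, so an inbound packet is only translated when the same remote address and port were previously contacted from that NAT address and port. The subnet, addresses and the 1024-65535 usable port range are constructed assumptions.

```python
"""Toy model of the Private NAT translation and filtering behaviour described above."""
from dataclasses import dataclass, field
from ipaddress import ip_network

SUPPORTED = {"tcp", "udp"}           # page: only TCP and UDP connections are translated
PORT_BASE, PORT_END = 1024, 65536    # assumption: usable NAT source ports on each NAT IP


@dataclass
class PrivateNatGateway:
    nat_subnet: str          # subnet of purpose PRIVATE_NAT that NAT IPs are drawn from (constructed)
    ports_per_vm: int        # static port allocation: the same number of ports reserved per VM
    _blocks: dict = field(default_factory=dict)    # vm_ip -> [nat_ip, free NAT ports for that VM]
    _egress: dict = field(default_factory=dict)    # (proto, vm, sport, dst, dport) -> (nat_ip, nat_port)
    _ingress: dict = field(default_factory=dict)   # (proto, nat_ip, nat_port, remote, rport) -> (vm, sport)

    def _reserve_block(self, vm_ip):
        """Reserve ports_per_vm consecutive ports for a VM on the next NAT IP that has room."""
        n = len(self._blocks)                       # blocks already handed out
        per_ip = (PORT_END - PORT_BASE) // self.ports_per_vm
        hosts = list(ip_network(self.nat_subnet).hosts())
        if n // per_ip >= len(hosts):
            raise RuntimeError("PRIVATE_NAT subnet exhausted; the subnet cannot be resized after creation")
        first = PORT_BASE + (n % per_ip) * self.ports_per_vm
        self._blocks[vm_ip] = [str(hosts[n // per_ip]), list(range(first, first + self.ports_per_vm))]
        return self._blocks[vm_ip]

    def egress(self, proto, vm_ip, sport, dst_ip, dport):
        """Source NAT for an outbound packet. Returns (nat_ip, nat_port), or None if the packet is dropped."""
        if proto not in SUPPORTED:
            return None
        key = (proto, vm_ip, sport, dst_ip, dport)
        if key in self._egress:                     # established flow reuses its mapping
            return self._egress[key]
        nat_ip, free = self._blocks.get(vm_ip) or self._reserve_block(vm_ip)
        if not free:
            return None                             # this VM's reserved ports are all in use
        nat_port = free.pop(0)                      # new destination => new port (no EIM)
        self._egress[key] = (nat_ip, nat_port)
        # Port-restricted filtering state: only dst_ip:dport may reply to nat_ip:nat_port.
        self._ingress[(proto, nat_ip, nat_port, dst_ip, dport)] = (vm_ip, sport)
        return nat_ip, nat_port

    def ingress(self, proto, src_ip, sport, nat_ip, nat_port):
        """Destination NAT for an inbound packet. None means dropped: no matching outbound connection."""
        return self._ingress.get((proto, nat_ip, nat_port, src_ip, sport))
```

Unsolicited inbound traffic is dropped by the gateway state alone, which is why no ingress firewall rule can admit it.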

NAT timeouts

Private NAT sets timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.
