Public NAT

Public NAT lets your Google Cloud virtual machine (VM) instances that do not have public IP addresses communicate with the internet by using a set of shared public IP addresses. Cloud NAT uses a Public NAT gateway that allocates a set of external IP addresses and source ports to each VM that uses the gateway to create outbound connections to the internet.

Basic Public NAT configuration and workflow

The following diagram shows a basic Public NAT configuration:

Public NAT translation example.

In this example:

  • The nat-gw-us-east gateway is configured to apply to the primary IP address range of subnet-1 in the us-east1 region. A VM whose network interface does not have an external IP address can send traffic to the internet by using either its primary internal IP address or an alias IP range from the primary IP address range of subnet-1, 10.240.0.0/16.

  • A VM whose network interface does not have an external IP address and whose primary internal IP address is located in subnet-2 cannot access the internet because no Public NAT gateway applies to any IP address range of that subnet.

  • The nat-gw-eu gateway is configured to apply to the primary IP address range of subnet-3 in the europe-west1 region. A VM whose network interface does not have an external IP address can send traffic to the internet by using either its primary internal IP address or an alias IP range from the primary IP address range of subnet-3, 192.168.1.0/24.

Example Public NAT workflow

In the preceding diagram, a VM with primary internal IP address 10.240.0.4, without an external IP address, needs to download an update from the external IP address 203.0.113.1. In the diagram, the nat-gw-us-east gateway is configured as follows:

  • Minimum ports per instance: 64
  • Manually assigned two network address translation (NAT) IP addresses: 192.0.2.50 and 192.0.2.60
  • Provided NAT for the primary IP address range of subnet-1

Public NAT follows the port reservation procedure to reserve NAT source IP address and source port tuples for each VM in the network. For example, the Public NAT gateway reserves 64 source ports for the VM with internal IP address 10.240.0.4. The NAT IP address 192.0.2.50 has 64 unreserved ports, so the gateway reserves the following set of 64 NAT source IP address and source port tuples for that VM:

  • 192.0.2.50:34000 through 192.0.2.50:34063

When the VM sends a packet to the update server 203.0.113.1 on destination port 80, using the TCP protocol, the following occurs:

  • The VM sends a request packet with these attributes:

    • Source IP address: 10.240.0.4, the primary internal IP address of the VM
    • Source port: 24000, the ephemeral source port chosen by the VM's operating system
    • Destination address: 203.0.113.1, the update server's external IP address
    • Destination port: 80, the destination port for HTTP traffic to the update server
    • Protocol: TCP
  • The nat-gw-us-east gateway performs source network address translation (SNAT) on egress, rewriting the request packet's NAT source IP address and source port. The modified packet is sent to the internet if the Virtual Private Cloud (VPC) network has a route for the 203.0.113.1 destination whose next hop is the default internet gateway. A default route commonly meets this requirement.

    • NAT source IP address: 192.0.2.50, from one of the VM's reserved NAT source IP address and source port tuples
    • Source port: 34022, an unused source port from one of the VM's reserved source port tuples
    • Destination address: 203.0.113.1, unchanged
    • Destination port: 80, unchanged
    • Protocol: TCP, unchanged
  • When the update server sends a response packet, that packet arrives on the nat-gw-us-east gateway with these attributes:

    • Source IP address: 203.0.113.1, the update server's external IP address
    • Source port: 80, the HTTP response from the update server
    • Destination address: 192.0.2.50, matching the original NAT source IP address of the request packet
    • Destination port: 34022, matching the source port of the request packet
    • Protocol: TCP, unchanged
  • The nat-gw-us-east gateway performs destination network address translation (DNAT) on the response packet, rewriting the response packet's destination address and destination port so that the packet is delivered to the VM:

    • Source IP address: 203.0.113.1, unchanged
    • Source port: 80, unchanged
    • Destination address: 10.240.0.4, the primary internal IP address of the VM
    • Destination port: 24000, matching the original ephemeral source port of the request packet
    • Protocol: TCP, unchanged

Specifications

General specifications

You can configure a Public NAT gateway to provide NAT to the internet for packets sent from the following:

  • The Compute Engine VM's network interface's primary internal IP address, provided that the network interface doesn't have an external IP address assigned to it. If the network interface has an external IP address assigned to it, Google Cloud automatically performs one-to-one NAT for packets whose sources match the interface's primary internal IP address because the network interface meets the Google Cloud internet access requirements. The existence of an external IP address on an interface always takes precedence and always performs one-to-one NAT, without using Public NAT.

  • An alias IP range assigned to the VM's network interface. Even if the network interface has an external IP address assigned to it, you can configure a Public NAT gateway to provide NAT for packets whose sources come from an alias IP range of the interface. An external IP address on an interface never performs one-to-one NAT for alias IP addresses.

  • For Google Kubernetes Engine (GKE) clusters, Public NAT can provide service even if the cluster has external IP addresses in certain circumstances. For details, see GKE interaction.

Public NAT allows outbound connections and the inbound responses to those connections. Each Public NAT gateway performs source NAT on egress, and destination NAT for established response packets.

Public NAT does not permit unsolicited inbound requests from the internet, even if firewall rules would otherwise permit those requests. For more information, see Applicable RFCs.

Each Public NAT gateway is associated with a single VPC network, region, and Cloud Router. The Public NAT gateway and the Cloud Router provide a control plane—they are not involved in the data plane, so packets do not pass through the Public NAT gateway or Cloud Router.

Routes and firewall rules

Public NAT relies on custom static routes whose next hops are the default internet gateway. To fully utilize a Public NAT gateway, your Virtual Private Cloud network needs a default route whose next hop is the default internet gateway. For more information, see routes interactions.

Public NAT does not have any Cloud NGFW rule requirements. Firewall rules are applied directly to the network interfaces of Compute Engine VMs, not Public NAT gateways.

You don't have to create any special firewall rules that allow connections to or from NAT IP addresses. When a Public NAT gateway provides NAT for a VM's network interface, applicable egress firewall rules are evaluated as packets for that network interface before NAT. Ingress firewall rules are evaluated after packets have been processed by NAT.

Subnet IP address range applicability

You can configure the Public NAT gateway to provide NAT for the VM network interface's primary internal IP address, alias IP ranges, or both. You make this configuration by choosing the subnet IP address ranges to which the gateway should apply.

You can configure a Public NAT gateway to provide NAT for the following:

  • Primary and secondary IP address ranges of all subnets in the region. A single Public NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use a subnet in the region. This option uses exactly one NAT gateway per region.

  • Primary IP address ranges of all subnets in the region. A single Public NAT gateway provides NAT for the primary internal IP addresses and alias IP ranges from subnet primary IP address ranges of eligible VMs whose network interfaces use a subnet in the region. You can create additional Public NAT gateways in the region to provide NAT for alias IP ranges from subnet secondary IP address ranges of eligible VMs.

  • Custom subnet list. A single Public NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use a subnet from a list of specified subnets.

  • Custom subnet IP address ranges. You can create as many Public NAT gateways as necessary, subject to Public NAT quotas and limits. You choose which subnet primary or secondary IP address ranges are to be served by each gateway.

Multiple Public NAT gateways

You can have multiple Public NAT gateways in the same region of a VPC network if one of the following conditions is true:

  • Each gateway is configured for a different subnet.

  • Within a single subnet, each gateway is configured for a different IP address range. You can map a Public NAT gateway to a specific subnet or IP address range by using a custom Cloud NAT mapping.

As long as your mapped NAT gateways don't overlap, you can create as many Public NAT gateways as necessary, subject to Public NAT quotas and limits. For more information, see Cloud NAT gateways limitations.

Bandwidth

Using a Public NAT gateway does not change the amount of outbound or inbound bandwidth that a VM can use. For bandwidth specifications, which vary by machine type, see Network bandwidth in the Compute Engine documentation.

VMs with multiple network interfaces

If you configure a VM to have multiple network interfaces, each interface must be in a separate VPC network. Consequently, the following is true:

  • A Public NAT gateway can only apply to a single network interface of a VM. Separate Public NAT gateways can provide NAT to the same VM, where each gateway applies to a separate interface.
  • One interface of a multi-interface VM can have an external IP address, which makes that interface ineligible for Public NAT. Another interface of the same VM can still be eligible for NAT if it doesn't have an external IP address and you've configured a Public NAT gateway to apply to the appropriate subnet IP address range.

NAT IP addresses and ports

When you create a Public NAT gateway, you can choose to have the gateway automatically allocate regional external IP addresses. Alternatively, you can manually assign a fixed number of regional external IP addresses to the gateway.

For a Public NAT gateway with automatic NAT IP address allocation, consider the following:

  • You can select the Network Service Tiers (Premium Tier or Standard Tier) from which the Public NAT gateway allocates the IP addresses.
  • When you change the tier for a Public NAT gateway that has automatically allocated NAT IP addresses, Google Cloud releases all assigned IP addresses for that gateway and retires all port allocations.

    A new set of IP addresses from the newly selected tier is automatically allocated, and new port allocations are provided to all endpoints.

For a given Public NAT gateway, you can also manually assign IP addresses from either Premium Tier or Standard Tier or both, subject to certain conditions.

For details about NAT IP address assignment, see Public NAT IP addresses.

You can configure the number of source ports that each Public NAT gateway reserves on each VM for which it is to provide NAT services. You can configure static port allocation, where the same number of ports is reserved for each VM, or dynamic port allocation, where the number of reserved ports can vary between the minimum and maximum limits that you specify.

The VMs for which NAT is to be provided are determined by the subnet IP address ranges that the gateway is configured to serve.

For more information about ports, see Ports.

Applicable RFCs

Public NAT supports Endpoint-Independent Mapping and Endpoint-Dependent Filtering as defined in RFC 5128. You can enable or disable Endpoint-Independent Mapping. By default, Endpoint-Independent Mapping is disabled when you create a NAT gateway.

Endpoint-Independent Mapping means that if a VM sends packets from a given internal IP address and port pair to multiple different destinations, then the gateway maps all of those packets to the same NAT IP address and port pair, regardless of the destination of the packets. For details and implications pertinent to Endpoint-Independent Mapping, see Simultaneous port reuse and Endpoint-Independent Mapping.

Endpoint-Dependent Filtering means that response packets from the internet are allowed to enter only if they are from an IP address and port that a VM had already sent packets to. The filtering is endpoint dependent regardless of Endpoint Mapping type. This feature is always on and not user configurable.

For more information about the relationship between ports and connections, see Ports and connections and the NAT flow example.

Public NAT is a Port Restricted Cone NAT as defined in RFC 3489.
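The workflow from the earlier example (per-VM port reservation, SNAT on egress, DNAT on the response) together with the Endpoint-Independent Mapping and Endpoint-Dependent Filtering behaviour described in this section, modelled in an added Python example that is not Google's code. The 34000 starting port, the lowest-free-tuple allocation and the absence of NAT tuple reuse across destinations are assumptions of the toy model, not documented Cloud NAT behaviour.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

class PublicNatGateway:
    """Toy model: per-VM port reservation, SNAT on egress, DNAT on ingress."""
    def __init__(self, nat_ips, min_ports=64, eim=False, first_port=34000):
        self.nat_ips, self.min_ports, self.eim = list(nat_ips), min_ports, eim
        self.next_free = {ip: first_port for ip in nat_ips}  # constructed start port
        self.reserved = {}  # internal IP -> list of (nat_ip, nat_port) tuples
        self.mapping = {}   # mapping key -> (nat_ip, nat_port)
        self.sessions = {}  # (nat_ip, nat_port, remote_ip, remote_port, proto) -> (int_ip, int_port)

    def reserve(self, internal_ip):
        """Reserve min_ports consecutive tuples on the first NAT IP with room."""
        for ip in self.nat_ips:
            start = self.next_free[ip]
            if start + self.min_ports - 1 <= 65535:
                self.next_free[ip] = start + self.min_ports
                self.reserved[internal_ip] = [(ip, p) for p in range(start, start + self.min_ports)]
                return self.reserved[internal_ip]
        raise RuntimeError("gateway has no free NAT ports")

    def snat(self, pkt):
        """Egress: rewrite the source to a reserved NAT tuple and record the session."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if not self.eim:  # endpoint-dependent mapping: the destination is part of the key
            key += (pkt.dst_ip, pkt.dst_port)
        if key not in self.mapping:  # lowest reserved tuple not yet mapped (no tuple reuse modelled)
            in_use = set(self.mapping.values())
            free = [t for t in self.reserved[pkt.src_ip] if t not in in_use]
            if not free:
                raise RuntimeError("VM has exhausted its reserved ports")
            self.mapping[key] = free[0]
        nat_ip, nat_port = self.mapping[key]
        self.sessions[(nat_ip, nat_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=nat_ip, src_port=nat_port)

    def dnat(self, pkt):
        """Ingress: endpoint-dependent filtering, then rewrite the destination back to the VM."""
        vm = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if vm is None:
            return None  # unsolicited, or from a remote endpoint the VM never sent to: dropped
        return replace(pkt, dst_ip=vm[0], dst_port=vm[1])
```

With Endpoint-Independent Mapping disabled, the same internal ip:port talking to two destinations consumes two reserved tuples; with it enabled, both flows share one NAT tuple, which is what STUN-style traversal relies on.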

NAT traversal

If Endpoint-Independent Mapping is enabled, Public NAT is compatible with common NAT traversal protocols such as STUN and TURN if you deploy your own STUN or TURN servers:

  • STUN (Session Traversal Utilities for NAT, RFC 5389) allows direct communication between VMs behind NAT when a communication channel is established.
  • TURN (Traversal Using Relays around NAT, RFC 5766) permits communication between VMs behind NAT by way of a third server where that server has an external IP address. Each VM connects to the server's external IP address, and that server relays communication between the two VMs. TURN is more robust, but consumes more bandwidth and resources.

NAT timeouts

Public NAT sets timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.

What's next