Public NAT
Public NAT lets your Google Cloud virtual machine (VM) instances communicate with the internet by allocating a set of shared external IPv4 addresses and source ports to each VM that uses Public NAT to create outbound connections to the internet.
With Public NAT, VM instances that don't have external IPv4 addresses can communicate with IPv4 destinations on the internet. Public NAT also lets your VM instances with either external or internal IPv6 addresses connect to IPv4 destinations on the internet (Preview).
Specifications
Public NAT supports network address translation (NAT) for the following:
- From IPv4 to IPv4, or NAT44. For more information, see NAT44 in Public NAT.
- From IPv6 to IPv4, or NAT64 (Preview). Public NAT supports NAT64 for Compute Engine VM instances. For GKE nodes, serverless traffic, and regional internet NEGs, Public NAT translates only IPv4 traffic. For more information, see NAT64 in Public NAT.
General specifications
For IPv4 source packets, you can configure Public NAT to provide NAT for packets sent from the following:
- The Compute Engine VM's network interface's primary internal IP address, provided that the network interface doesn't have an external IP address assigned to it. If the network interface has an external IP address assigned to it, Google Cloud automatically performs one-to-one NAT for packets whose sources match the interface's primary internal IP address because the network interface meets the Google Cloud internet access requirements. The existence of an external IP address on an interface always takes precedence and always performs one-to-one NAT, without using Public NAT.
- An alias IP range assigned to the VM's network interface. Even if the network interface has an external IP address assigned to it, you can configure a Cloud NAT gateway for Public NAT to provide NAT for packets whose sources come from an alias IP range of the interface. An external IP address on an interface never performs one-to-one NAT for alias IP addresses.
For Google Kubernetes Engine (GKE) clusters, Public NAT can provide service even if the cluster has external IP addresses in certain circumstances. For details, see GKE interaction.
For IPv6 source packets, you can configure Public NAT to provide NAT for packets sent from the external or internal /96 address range of the VM's IPv6-only network interface (Preview).
Public NAT allows outbound connections and the inbound responses to those connections. Each Cloud NAT gateway for Public NAT performs source NAT on egress, and destination NAT for established response packets.
Public NAT doesn't permit unsolicited inbound requests from the internet, even if firewall rules would otherwise permit those requests. For more information, see Applicable RFCs.
Each Cloud NAT gateway for Public NAT is associated with a single VPC network, region, and Cloud Router. The Cloud NAT gateway and the Cloud Router provide a control plane—they aren't involved in the data plane—so packets don't pass through the Cloud NAT gateway or Cloud Router.
Routes and firewall rules
Public NAT relies on routes whose next hops are the default internet gateway. A default route commonly meets this requirement. For more information, see routes interactions.
Public NAT doesn't have any Cloud NGFW rule requirements. Firewall rules are applied directly to the network interfaces of Compute Engine VMs, not Cloud NAT gateways for Public NAT.
You don't have to create any special firewall rules that allow connections to or from NAT IP addresses. When a Cloud NAT gateway for Public NAT provides NAT for a VM's network interface, applicable egress firewall rules are evaluated as packets for that network interface before NAT. Ingress firewall rules are evaluated after packets have been processed by NAT.
Subnet IP address range applicability
You can configure a Cloud NAT gateway for Public NAT to provide NAT for IPv4 subnet address ranges, IPv6 subnet address ranges, or both. For IPv4 subnet address ranges, the gateway translates traffic from the VM network interface's primary internal IP address, alias IP ranges, or both. For IPv6 subnet address ranges, the gateway translates traffic from the external or internal /96 IPv6 address range of the network interface (Preview).
For IPv4 subnet address ranges, you can configure the Cloud NAT gateway to provide NAT for the following:
- Primary and secondary IPv4 address ranges of all subnets in the region. A single Cloud NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use an IPv4 subnet in the region.
- Primary IPv4 address ranges of all subnets in the region. A single Cloud NAT gateway provides NAT for the primary internal IP addresses and alias IP ranges from subnet primary IP address ranges of eligible VMs whose network interfaces use an IPv4 subnet in the region. You can create additional Cloud NAT gateways for Public NAT in the region to provide NAT for alias IP ranges from subnet secondary IP address ranges of eligible VMs.
- Custom subnet list. A single Cloud NAT gateway provides NAT for the primary internal IP addresses and all alias IP ranges of eligible VMs whose network interfaces use an IPv4 subnet from a list of specified subnets.
- Custom subnet IPv4 address ranges. You can create as many Cloud NAT gateways for Public NAT as necessary, subject to Public NAT quotas and limits. You choose which subnet primary or secondary IP address ranges are to be served by each gateway.
For IPv6 subnet address ranges, you can configure the Cloud NAT gateway to provide NAT for the following (Preview):
- External and internal IPv6 address ranges of all subnets in the region. A single Cloud NAT gateway provides NAT for all external and internal IPv6 address ranges in the region.
- Custom subnet list. A single Cloud NAT gateway provides NAT for the external and internal IPv6 address ranges of the subnets that you specify.
Multiple Cloud NAT gateways
You can have multiple Cloud NAT gateways for Public NAT in the same region of a VPC network if one of the following conditions is true:
- Each gateway is configured for a different subnet.
- Within a single subnet, each gateway is configured for a different IP address range. You can map a Cloud NAT gateway for Public NAT to a specific subnet or IP address range by using a custom Cloud NAT mapping.
As long as your mapped NAT gateways don't overlap, you can create as many Cloud NAT gateways for Public NAT as necessary, subject to Public NAT quotas and limits. For more information, see Cloud NAT gateways limitations.
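The eligibility rules above (an external IP address on the interface takes precedence for the primary internal address but never for alias IP ranges; a gateway serves all subnet ranges in its region, primary ranges only, or a custom list) and the non-overlap condition for multiple gateways can be checked mechanically before you change a configuration. The following is an added example written for this page, not Google Cloud code: a small Python model in which the subnet, gateway and VM objects are constructed samples, and `egress_path` / `overlapping_gateways` are hypothetical helper names. The two subnet ranges 10.240.0.0/16 and 192.168.1.0/24 are taken from this page's NAT44 diagram; every other value is made up.

```python
"""Which path carries a VM interface's outbound IPv4 traffic, and whether
several Public NAT gateways in one region overlap.

Added illustration for this page, not Google Cloud code. It models the rules
stated above; subnets, gateways and VMs below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations


@dataclass(frozen=True)
class Subnet:
    name: str
    region: str
    primary: IPv4Network
    secondary: tuple = ()          # secondary ranges (used for alias IPs)


@dataclass(frozen=True)
class Gateway:
    name: str
    region: str
    mode: str                      # "all", "primary" or "custom"
    custom_ranges: tuple = ()      # only consulted when mode == "custom"


@dataclass(frozen=True)
class Interface:
    vm: str
    subnet: Subnet
    primary_ip: IPv4Address
    alias_ranges: tuple = ()
    has_external_ip: bool = False


ONE_TO_ONE = "one-to-one NAT via external IP"


def served_ranges(gw, subnets):
    """Subnet ranges a gateway is configured to translate (same region only)."""
    ranges = []
    for s in subnets:
        if s.region != gw.region:
            continue
        candidates = (s.primary, *s.secondary)
        if gw.mode == "all":
            ranges.extend(candidates)
        elif gw.mode == "primary":
            ranges.append(s.primary)
        elif gw.mode == "custom":
            ranges.extend(r for r in candidates if r in gw.custom_ranges)
        else:
            raise ValueError(f"unknown mode {gw.mode!r}")
    return ranges


def egress_path(iface, source, gateways, subnets):
    """Return ONE_TO_ONE, the name of the serving gateway, or None (no egress).

    `source` is the interface's primary address or one of its alias ranges.
    """
    if isinstance(source, IPv4Address):
        if source == iface.primary_ip and iface.has_external_ip:
            return ONE_TO_ONE      # external IP always wins for the primary address
        net = IPv4Network(f"{source}/32")
    else:
        net = source               # alias ranges are never covered by the external IP
    for gw in gateways:
        if any(net.subnet_of(r) for r in served_ranges(gw, subnets)):
            return gw.name
    return None


def overlapping_gateways(gateways, subnets):
    """Pairs of same-region gateways whose served ranges overlap (not permitted)."""
    clashes = []
    for a, b in combinations(gateways, 2):
        if a.region != b.region:
            continue
        if any(ra.overlaps(rb) for ra in served_ranges(a, subnets)
               for rb in served_ranges(b, subnets)):
            clashes.append(tuple(sorted((a.name, b.name))))
    return sorted(clashes)


# Constructed sample topology (subnet-1 and subnet-3 ranges as on this page).
SUBNET_1 = Subnet("subnet-1", "us-east1", IPv4Network("10.240.0.0/16"),
                  (IPv4Network("10.1.0.0/16"),))
SUBNET_2 = Subnet("subnet-2", "us-east1", IPv4Network("10.250.0.0/16"))
SUBNET_3 = Subnet("subnet-3", "europe-west1", IPv4Network("192.168.1.0/24"))
SUBNETS = (SUBNET_1, SUBNET_2, SUBNET_3)

GW_US = Gateway("nat-gw-us-east", "us-east1", "custom", (IPv4Network("10.240.0.0/16"),))
GW_US_SEC = Gateway("nat-gw-us-east-secondary", "us-east1", "custom", (IPv4Network("10.1.0.0/16"),))
GW_EU = Gateway("nat-gw-eu", "europe-west1", "custom", (IPv4Network("192.168.1.0/24"),))
GW_DUP = Gateway("nat-gw-dup", "us-east1", "all")   # would overlap both us-east1 gateways
GATEWAYS = (GW_US, GW_US_SEC, GW_EU)

VM_A = Interface("vm-a", SUBNET_1, IPv4Address("10.240.0.4"))
VM_B = Interface("vm-b", SUBNET_2, IPv4Address("10.250.0.5"))
VM_C = Interface("vm-c", SUBNET_1, IPv4Address("10.240.0.9"),
                 (IPv4Network("10.1.0.0/24"),), has_external_ip=True)

if __name__ == "__main__":
    for iface in (VM_A, VM_B, VM_C):
        print(iface.vm, "primary ->", egress_path(iface, iface.primary_ip, GATEWAYS, SUBNETS))
        for alias in iface.alias_ranges:
            print(iface.vm, alias, "->", egress_path(iface, alias, GATEWAYS, SUBNETS))
    print("overlaps with nat-gw-dup:", overlapping_gateways(GATEWAYS + (GW_DUP,), SUBNETS))
```

Running it shows vm-b has no internet path at all (no gateway serves subnet-2), and that vm-c's primary address uses its external IP while its alias range still goes through the secondary-range gateway. Adding the "all ranges" gateway to the region reports two overlapping pairs, which is the condition the quota and mapping rules above forbid.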
Bandwidth
Using a Cloud NAT gateway for Public NAT doesn't change the amount of outbound or inbound bandwidth that a VM can use. For bandwidth specifications, which vary by machine type, see Network bandwidth in the Compute Engine documentation.
VMs with multiple network interfaces
If you configure a VM to have multiple network interfaces, each interface must be in a separate VPC network. Consequently, the following is true:
- A Cloud NAT gateway for Public NAT can only apply to a single network interface of a VM. Separate Cloud NAT gateways for Public NAT can provide NAT to the same VM, where each gateway applies to a separate interface.
- One interface of a multiple network interface VM can have an external IPv4 address, which makes that interface ineligible for Public NAT, while another one of its interfaces can be eligible for NAT if that interface doesn't have an external IPv4 address and you've configured a Cloud NAT gateway for Public NAT to apply to the appropriate subnet IP address range. For IPv6, both external and internal IPv6 addresses are supported (Preview).
NAT IP addresses and ports
When you create a Cloud NAT gateway for Public NAT, you can choose to have the gateway automatically allocate regional external IP addresses. Alternatively, you can manually assign a fixed number of regional external IP addresses to the gateway.
For a Cloud NAT gateway for Public NAT with automatic NAT IP address allocation, consider the following:
- You can select the Network Service Tiers (Premium Tier or Standard Tier) from which the Cloud NAT gateway allocates the IP addresses.
When you change the tier for a Cloud NAT gateway for Public NAT that has automatically allocated NAT IP addresses, Google Cloud releases all assigned IP addresses for that gateway and retires all port allocations.
A new set of IP addresses from the newly selected tier is automatically allocated, and new port allocations are provided to all endpoints.
For a given Cloud NAT gateway for Public NAT, you can also manually assign IP addresses from either Premium Tier or Standard Tier or both, subject to certain conditions.
For details about NAT IP address assignment, see Public NAT IP addresses.
You can configure the number of source ports that each Cloud NAT gateway for Public NAT reserves on each VM for which it is to provide NAT services. You can configure static port allocation, where the same number of ports is reserved for each VM, or dynamic port allocation, where the number of reserved ports can vary between the minimum and maximum limits that you specify.
The VMs for which NAT is to be provided are determined by the subnet IP address ranges that the gateway is configured to serve.
For more information about ports, see Ports.
Applicable RFCs
Public NAT supports Endpoint-Independent Mapping and Endpoint-Dependent Filtering as defined in RFC 5128. You can enable or disable Endpoint-Independent Mapping. By default, Endpoint-Independent Mapping is disabled when you create a NAT gateway.
Endpoint-Independent Mapping means that if a VM sends packets from a given internal IP address and port pair to multiple different destinations, then the gateway maps all of those packets to the same NAT IP address and port pair, regardless of the destination of the packets. For details and implications pertinent to Endpoint-Independent Mapping, see Simultaneous port reuse and Endpoint-Independent Mapping.
Endpoint-Dependent Filtering means that response packets from the internet are allowed to enter only if they are from an IP address and port that a VM had already sent packets to. The filtering is endpoint dependent regardless of Endpoint Mapping type. This feature is always on and not user configurable.
For more information about the relationship between ports and connections, see Ports and connections and the NAT flow example.
Public NAT is a Port Restricted Cone NAT as defined in RFC 3489.
NAT traversal
If Endpoint-Independent Mapping is enabled, Public NAT is compatible with common NAT traversal protocols such as STUN and TURN if you deploy your own STUN or TURN servers:
- STUN (Session Traversal Utilities for NAT, RFC 5389) allows direct communication between VMs behind NAT when a communication channel is established.
- TURN (Traversal Using Relays around NAT, RFC 5766) permits communication between VMs behind NAT by way of a third server where that server has an external IP address. Each VM connects to the server's external IP address, and that server relays communication between the two VMs. TURN is more robust, but consumes more bandwidth and resources.
NAT timeouts
Public NAT sets timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.
NAT44 in Public NAT
The following diagram shows a basic Public NAT configuration for IPv4 traffic:
In this example:
- The nat-gw-us-east gateway is configured to apply to the primary IP address range of subnet-1 in the us-east1 region. A VM whose network interface does not have an external IP address can send traffic to the internet by using either its primary internal IP address or an alias IP range from the primary IP address range of subnet-1, 10.240.0.0/16.
- A VM whose network interface does not have an external IP address and whose primary internal IP address is located in subnet-2 cannot access the internet because no Cloud NAT gateway applies to any IP address range of that subnet.
- The nat-gw-eu gateway is configured to apply to the primary IP address range of subnet-3 in the europe-west1 region. A VM whose network interface does not have an external IP address can send traffic to the internet by using either its primary internal IP address or an alias IP range from the primary IP address range of subnet-3, 192.168.1.0/24.
Example workflow
In the preceding diagram, a VM with primary internal IP address 10.240.0.4, without an external IP address, needs to download an update from the external IP address 203.0.113.1. In the diagram, the nat-gw-us-east gateway is configured as follows:
- Minimum ports per instance: 64
- Manually assigned two NAT IP addresses: 192.0.2.50 and 192.0.2.60
- Provided NAT for the primary IP address range of subnet-1
Public NAT follows the port reservation procedure to reserve the following NAT source IP address and source port tuples for each of the VMs in the network. For example, the Cloud NAT gateway for Public NAT reserves 64 source ports for the VM with internal IP address 10.240.0.4. The NAT IP address 192.0.2.50 has 64 unreserved ports, so the gateway reserves the following set of 64 NAT source IP address and source port tuples for that VM: 192.0.2.50:34000 through 192.0.2.50:34063.
When the VM sends a packet to the update server 203.0.113.1 on destination port 80, using the TCP protocol, the following occurs:
1. The VM sends a request packet with these attributes:
   - Source IP address: 10.240.0.4, the primary internal IP address of the VM
   - Source port: 24000, the ephemeral source port chosen by the VM's operating system
   - Destination address: 203.0.113.1, the update server's external IP address
   - Destination port: 80, the destination port for HTTP traffic to the update server
   - Protocol: TCP
2. The nat-gw-us-east gateway performs source network address translation (SNAT) on egress, rewriting the request packet's NAT source IP address and source port. The modified packet is sent to the internet if the Virtual Private Cloud (VPC) network has a route for the 203.0.113.1 destination whose next hop is the default internet gateway. A default route commonly meets this requirement.
   - NAT source IP address: 192.0.2.50, from one of the VM's reserved NAT source IP address and source port tuples
   - Source port: 34022, an unused source port from one of the VM's reserved source port tuples
   - Destination address: 203.0.113.1, unchanged
   - Destination port: 80, unchanged
   - Protocol: TCP, unchanged
3. When the update server sends a response packet, that packet arrives on the nat-gw-us-east gateway with these attributes:
   - Source IP address: 203.0.113.1, the update server's external IP address
   - Source port: 80, the HTTP response from the update server
   - Destination address: 192.0.2.50, matching the original NAT source IP address of the request packet
   - Destination port: 34022, matching the source port of the request packet
   - Protocol: TCP, unchanged
4. The nat-gw-us-east gateway performs destination network address translation (DNAT) on the response packet, rewriting the response packet's destination address and destination port so that the packet is delivered to the VM:
   - Source IP address: 203.0.113.1, unchanged
   - Source port: 80, unchanged
   - Destination address: 10.240.0.4, the primary internal IP address of the VM
   - Destination port: 24000, matching the original ephemeral source port of the request packet
   - Protocol: TCP, unchanged
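The workflow above, together with the port reservation, Endpoint-Independent Mapping and Endpoint-Dependent Filtering behaviour described under Applicable RFCs, can be followed end to end in a small simulation. The following Python model is an added example written for this page, not Cloud NAT code, and it simplifies on purpose (all of these are assumptions): each NAT IP hands out ports upward from 34000 in contiguous blocks, the lowest usable tuple is always chosen (so the egress port comes out as 34000 rather than the 34022 used in the page's narrative), and no timeouts are modelled. `PublicNatGateway`, `Packet`, `page_workflow` and `mapping_contrast` are hypothetical names.

```python
"""Toy model of Public NAT: port reservation, egress SNAT, response DNAT,
Endpoint-Independent Mapping (EIM) and Endpoint-Dependent Filtering (EDF).

Added illustration for this page, not Google Cloud code. Simplifications
(assumptions): ports are handed out from 34000 upward, lowest-first; no
NAT timeouts.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class PublicNatGateway:
    def __init__(self, nat_ips, min_ports_per_vm=64, endpoint_independent_mapping=False):
        self.nat_ips = list(nat_ips)
        self.min_ports = min_ports_per_vm
        self.eim = endpoint_independent_mapping
        self.next_free = {ip: 34000 for ip in self.nat_ips}   # constructed port pool
        self.reserved = {}   # VM internal IP -> list of (nat_ip, nat_port) tuples
        self.mappings = {}   # mapping key -> (nat_ip, nat_port)
        self.sessions = {}   # (nat_ip, nat_port, dst_ip, dst_port, proto) -> (vm_ip, vm_port)

    def reserve(self, vm_ip):
        """Reserve a contiguous block of min_ports ports on the first NAT IP with room."""
        for ip in self.nat_ips:
            start = self.next_free[ip]
            if start + self.min_ports - 1 <= 65535:
                self.next_free[ip] = start + self.min_ports
                self.reserved[vm_ip] = [(ip, p) for p in range(start, start + self.min_ports)]
                return self.reserved[vm_ip]
        raise RuntimeError("NAT IP pool exhausted")

    def _mapping_key(self, pkt):
        # EIM: one NAT tuple per internal (ip, port), whatever the destination.
        if self.eim:
            return (pkt.src_ip, pkt.src_port, pkt.proto)
        # Without EIM the mapping is keyed on the destination as well.
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def _pick_nat_tuple(self, pkt):
        """Lowest reserved tuple usable for this packet.

        Without EIM a NAT tuple may be reused as long as no live session already
        pairs it with the same destination (simultaneous port reuse). With EIM a
        tuple already bound to another internal (ip, port) is never reused.
        """
        for nat in self.reserved[pkt.src_ip]:
            if self.eim and nat in self.mappings.values():
                continue
            if nat + (pkt.dst_ip, pkt.dst_port, pkt.proto) in self.sessions:
                continue
            return nat
        raise RuntimeError(f"reserved ports exhausted for {pkt.src_ip}")

    def snat(self, pkt):
        """Egress: rewrite the source to a reserved NAT tuple and record the session."""
        if pkt.src_ip not in self.reserved:
            self.reserve(pkt.src_ip)
        key = self._mapping_key(pkt)
        if key not in self.mappings:
            self.mappings[key] = self._pick_nat_tuple(pkt)
        nat_ip, nat_port = self.mappings[key]
        self.sessions[(nat_ip, nat_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=nat_ip, src_port=nat_port)

    def dnat(self, pkt):
        """Ingress: only a packet matching an existing session is delivered
        (Endpoint-Dependent Filtering); anything unsolicited returns None (dropped)."""
        session = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if session is None:
            return None
        vm_ip, vm_port = session
        return replace(pkt, dst_ip=vm_ip, dst_port=vm_port)


def page_workflow(eim=False):
    """Replay the page's example: 10.240.0.4:24000 fetches from 203.0.113.1:80."""
    gw = PublicNatGateway(["192.0.2.50", "192.0.2.60"], 64, eim)
    egress = gw.snat(Packet("10.240.0.4", 24000, "203.0.113.1", 80))
    delivered = gw.dnat(Packet("203.0.113.1", 80, egress.src_ip, egress.src_port))
    # A host the VM never contacted aims at the same NAT tuple: dropped by EDF.
    stray = gw.dnat(Packet("198.51.100.7", 80, egress.src_ip, egress.src_port))
    return gw, egress, delivered, stray


def mapping_contrast(eim):
    """NAT ports chosen for three flows; shows how EIM changes the mapping."""
    gw = PublicNatGateway(["192.0.2.50"], 64, eim)
    a = gw.snat(Packet("10.240.0.4", 24000, "203.0.113.1", 80))
    b = gw.snat(Packet("10.240.0.4", 24001, "203.0.113.1", 80))
    c = gw.snat(Packet("10.240.0.4", 24001, "198.51.100.7", 443))
    return (a.src_port, b.src_port, c.src_port)


if __name__ == "__main__":
    gw, egress, delivered, stray = page_workflow()
    print("egress:", egress, "\ndelivered:", delivered, "\nstray:", stray)
    print("ports without EIM:", mapping_contrast(False), " with EIM:", mapping_contrast(True))
```

With EIM disabled the third flow reuses NAT port 34000 toward a different destination (the simultaneous port reuse the RFC section refers to), whereas with EIM enabled internal port 24001 keeps NAT port 34001 for every destination, which is what STUN-style traversal relies on. In both modes the stray packet is dropped because filtering is always endpoint dependent.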
NAT64 in Public NAT
NAT64 lets IPv6-only VM instances communicate with IPv4 destinations on the internet. Public NAT supports NAT64 for both external and internal IPv6 addresses. If you want to configure NAT64, you must also configure DNS64.
Configuring DNS64 in Cloud DNS enables the following behavior:
- When an IPv6-only VM instance makes a request to the internet, Cloud DNS checks if an AAAA record exists for the destination of the request. If the record exists, then an IPv6 address is returned and the IPv6-only VM instance can connect to the IPv6 destination. If DNS64 is enabled and the AAAA record isn't found, the DNS64 server looks up A records instead. After an A record is found, the DNS64 server synthesizes an IPv6 address by prepending the 64:ff9b::/96 prefix to the IPv4 address obtained from the A record. For example, if the destination IPv4 address is 203.0.113.1, the server returns 64:ff9b::cb00:7101, where cb00:7101 is the hexadecimal representation of 203.0.113.1.
When the request reaches the Cloud NAT gateway with NAT64 enabled, the gateway performs SNAT by doing the following:
- Replaces the source IPv6 address and port with one of the external IPv4 addresses and ports that are allocated to the gateway.
- Translates the synthesized destination IPv6 address, for example, 64:ff9b::cb00:7101, to the original IPv4 address by using the last 32 bits of the synthesized address.
The Cloud NAT gateway also uses the last 32 bits of the synthesized IPv6 address to determine how the request packet is routed to the internet. When an IPv6-only VM instance sends a packet to a destination that starts with the 64:ff9b::/96 prefix, the gateway applies the VPC network's IPv4 routing table to the destination IPv4 address. If the IPv4 routing table has a route for the destination IPv4 address whose next hop is the default internet gateway, the modified packet is sent to the internet.
When the response is received, the Cloud NAT gateway performs DNAT by doing the following:
- Prepending the 64:ff9b::/96 prefix to the source IP address of the response packet.
- Rewriting the response packet's destination address and destination port so that the packet is delivered to the VM.
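The DNS64 synthesis and the NAT64 SNAT/DNAT steps above come down to prefix arithmetic on the 64:ff9b::/96 address and a lookup of the embedded IPv4 address in the IPv4 routing table. The following Python is an added example for this page, not Cloud DNS or Cloud NAT code. The prefix and the 203.0.113.1 / 64:ff9b::cb00:7101 pair are from the page; the zone data, the routing table, the gateway's external IPv4 address and the VM's IPv6 address are constructed, and `dns64_resolve`, `egress_route` and `Nat64Gateway` are hypothetical names.

```python
"""DNS64 synthesis and NAT64 translation as described on this page.

Added illustration, not Cloud DNS or Cloud NAT code. Zone records, routes,
the gateway's external IPv4 address and the VM address are constructed.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

NAT64_PREFIX = IPv6Network("64:ff9b::/96")   # well-known prefix used by DNS64/NAT64


def dns64_synthesize(a_record):
    """Prepend the /96 prefix to the 32-bit IPv4 address (DNS64 answer when only an A record exists)."""
    return IPv6Address(int(NAT64_PREFIX.network_address) | int(IPv4Address(a_record)))


def embedded_ipv4(addr):
    """Recover the original IPv4 destination from the last 32 bits of a synthesized address."""
    v6 = IPv6Address(addr)
    if v6 not in NAT64_PREFIX:
        raise ValueError(f"{addr} is not inside {NAT64_PREFIX}")
    return IPv4Address(int(v6) & 0xFFFF_FFFF)


def dns64_resolve(name, zone):
    """Toy resolver: a native AAAA answer wins; otherwise synthesize from the A record.

    `zone` is a constructed dict: name -> {"AAAA": [...], "A": [...]}.
    Returns (address or None, "native" | "synthesized" | "nxdomain").
    """
    records = zone.get(name, {})
    if records.get("AAAA"):
        return IPv6Address(records["AAAA"][0]), "native"
    if records.get("A"):
        return dns64_synthesize(records["A"][0]), "synthesized"
    return None, "nxdomain"


def egress_route(dst_v6, ipv4_routes):
    """Apply the VPC's IPv4 routing table (longest prefix wins) to the embedded
    IPv4 destination and return the next hop, or None when no route matches."""
    ipv4 = embedded_ipv4(dst_v6)
    matches = [(net, hop) for net, hop in ipv4_routes if ipv4 in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


class Nat64Gateway:
    """SNAT an IPv6 request into IPv4, DNAT the IPv4 response back (one external IPv4)."""

    def __init__(self, external_ipv4, first_port=34000):
        self.external_ipv4 = external_ipv4
        self.next_port = first_port            # constructed port allocation
        self.sessions = {}                     # (nat_port, dst_v4, dst_port) -> (vm_v6, vm_port)

    def snat(self, src_v6, src_port, dst_v6, dst_port):
        dst_v4 = str(embedded_ipv4(dst_v6))
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(nat_port, dst_v4, dst_port)] = (str(IPv6Address(src_v6)), src_port)
        return (self.external_ipv4, nat_port, dst_v4, dst_port)

    def dnat(self, src_v4, src_port, dst_v4, dst_port):
        """Source gets the prefix prepended; destination is rewritten to the VM.
        Unsolicited packets (no matching session) return None, i.e. are dropped."""
        if dst_v4 != self.external_ipv4:
            return None
        session = self.sessions.get((dst_port, src_v4, src_port))
        if session is None:
            return None
        vm_v6, vm_port = session
        return (str(dns64_synthesize(src_v4)), src_port, vm_v6, vm_port)


# Constructed sample data.
ZONE = {
    "update.example.": {"A": ["203.0.113.1"]},
    "dual.example.": {"AAAA": ["2001:db8::10"], "A": ["198.51.100.5"]},
}
ROUTES = (
    (IPv4Network("0.0.0.0/0"), "default-internet-gateway"),
    (IPv4Network("10.0.0.0/8"), "custom-next-hop"),
)

if __name__ == "__main__":
    addr, kind = dns64_resolve("update.example.", ZONE)
    print(kind, addr, "-> routed via", egress_route(addr, ROUTES))
    gw = Nat64Gateway("192.0.2.50")
    out = gw.snat("2001:db8:1::10", 24000, addr, 80)
    print("egress IPv4 packet:", out)
    print("response to VM:", gw.dnat("203.0.113.1", 80, out[0], out[1]))
```

The routing check is the part worth keeping in mind operationally: a synthesized destination whose embedded IPv4 address matches a more specific route (here 10.0.0.0/8) is not sent to the internet even though the VM addressed it inside 64:ff9b::/96, exactly as the paragraph above states.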
What's next
- Learn about Cloud NAT product interactions.
- Learn about Cloud NAT addresses and ports.
- Set up Public NAT.
- Learn about Cloud NAT rules.
- Create an example Compute Engine setup.
- Create an example Google Kubernetes Engine setup.
- Troubleshoot common issues.