Set up and manage network address translation with Cloud NAT

This page shows you how to configure and manage network address translation by using Cloud NAT. Before setting up Cloud NAT, read the Cloud NAT overview.

Limitations

If you change the network tier of the automatically allocated IP addresses for a Cloud NAT gateway, all connections on the old IP addresses immediately close.
If you use manual NAT IP address allocation, and you change the IP addresses that are used for Cloud NAT, all connections on the old IP addresses immediately close. To avoid this, see Drain external IP addresses associated with NAT.
If you configure a Cloud NAT gateway with static port allocation, and you reduce the minimum ports per VM, established NAT connections might be broken. For more information, see Reducing ports per VM.
If you configure a Cloud NAT gateway with dynamic port allocation, and you make any further configuration changes, established NAT connections might be broken. When the configuration change, the number of ports currently allocated to each VM might be temporarily reset to the minimum number configured.
If you configure a Cloud NAT gateway with dynamic port allocation and then turn off dynamic port allocation, all VM connections that use the NAT gateway are closed.
If Endpoint-Independent Mapping is turned on, you can't configure dynamic port allocation or NAT rules.
Cloud NAT does not support IP fragments.

Before you begin

Complete the following tasks before setting up Cloud NAT.

Get IAM permissions

The Compute Network Admin role (roles/compute.networkAdmin) gives you permissions to create a NAT gateway on Cloud Router, reserve and assign NAT IP addresses, and specify subnetworks (subnets) whose traffic should use network address translation by the NAT gateway.

Set up Google Cloud

Before you get started, set up the following items in Google Cloud.

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.

Install the Google Cloud CLI.

To initialize the gcloud CLI, run the following command:

gcloud init

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.

Install the Google Cloud CLI.

To initialize the gcloud CLI, run the following command:

gcloud init

The Google Cloud CLI instructions on this page assume that you have set your project ID before issuing commands.

You can set a project ID with the following command:
```
gcloud config set project PROJECT_ID
```
You can also view a project ID that is already set:
```
gcloud config list --format='text(core.project)'
```

Create NAT

Set up a simple configuration

This configuration automatically allocates the necessary external IP addresses to provide NAT services to a region. VM instances without external IP addresses in any subnet of the region are provided internet access through NAT. This configuration uses static port allocation, which means that each VM is allocated the same number of ports. This configuration also turns on logging for all log types.

When you use automatic NAT IP address allocation, Google Cloud reserves IP addresses in your project automatically. These addresses count against your static IP address quotas in the project.

You can enable or disable Endpoint-Independent Mapping for your gateway. For settings, see Set endpoint mapping.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network for the NAT gateway.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Click Advanced configuration.
Under Stackdriver logging, select Translation and errors. This sends all logs to Cloud Logging.
Click Create.

gcloud

Before setting up a Cloud NAT gateway, first create your Cloud Router. You need this Cloud Router to set up your Cloud NAT gateway.
Set up the Cloud NAT gateway:
```
gcloud compute routers nats create NAT_CONFIG \
   --router=NAT_ROUTER \
   --region=REGION \
   --auto-allocate-nat-external-ips \
   --nat-all-subnet-ip-ranges \
   --enable-logging
```
Replace the following:
- NAT_CONFIG: the name of your NAT configuration.
- NAT_ROUTER: the name of your Cloud Router.
- REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).

Terraform

You can use a Terraform module to create a Cloud Router with a NAT gateway.

examples/nat/main.tf

View on GitHub Feedback

module "cloud_router" {
  source  = "terraform-google-modules/cloud-router/google"
  version = "~> 5.0"
  project = var.project_id # Replace this with your project ID in quotes
  name    = "my-cloud-router"
  network = "default"
  region  = "us-central1"

  nats = [{
    name = "my-nat-gateway"
  }]
}

The resulting NAT gateway uses the following default values:

enable_endpoint_independent_mapping = true
icmp_idle_timeout_sec               = 30
min_ports_per_vm                    = 0
nat_ip_allocate_option              = "AUTO_ONLY"
source_subnetwork_ip_ranges_to_nat  = "ALL_SUBNETWORKS_ALL_IP_RANGES"
tcp_established_idle_timeout_sec    = 1200
tcp_transitory_idle_timeout_sec     = 30
udp_idle_timeout_sec                = 30
log_config {
    enable = true
    filter = "ALL"
}

Specify IP addresses for NAT

You can manually allocate NAT IP addresses for a NAT gateway. If you choose manual allocation, make sure to allocate enough IP addresses to avoid dropped packets. For more information, see NAT IP addresses.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Set NAT IP addresses to Manual.
Select or create a static reserved external IP address to use for NAT.
If you want to specify additional IP addresses, click Add IP address, and then select or create an additional static reserved external IP address.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --nat-all-subnet-ip-ranges \
    --nat-external-ip-pool=IP_ADDRESS1,IP_ADDRESS2

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).
IP_ADDRESS1: a static reserved external IP address to use for NAT.
IP_ADDRESS2: another static reserved external IP address to use for NAT.

Set up NAT using IP addresses from a specific network tier

When you create a Cloud NAT gateway, Google Cloud lets you assign IP addresses from both Standard Tier and Premium Tier.

Set up NAT with automatic IP allocation using a specific network tier

When creating a Cloud NAT gateway, if you choose automatic NAT IP address allocation, you can specify the Network Service Tiers (Premium Tier or Standard Tier) from which the Cloud NAT gateway allocates the IP addresses.

Use the gcloud CLI to run the compute routers nats create command with the flag --auto-network-tier.

gcloud beta compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips \
    --auto-network-tier=AUTO_NETWORK_TIER

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).
AUTO_NETWORK_TIER: the network tier to use when automatically allocating IP addresses for the Cloud NAT gateway. The allowed values are PREMIUM and STANDARD. If not specified, then IP addresses from the Premium Tier are allocated to the Cloud NAT gateway.

Set up NAT with manual IP assignment using a specific network tier

When creating a Cloud NAT gateway, you can choose to manually assign NAT IP addresses from either Premium Tier or Standard Tier. Use the --nat-external-ip-pool field of the gcloud compute routers nats create command.

For information about manually assigning NAT IP addresses, see Specify IP addresses for NAT.

Set up NAT with dynamic port allocation

This configuration uses dynamic port allocation with automatic NAT IP address allocation. You can also configure dynamic port allocation with manual NAT IP address allocation.

Using dynamic port allocation lets the NAT gateway allocate different numbers of ports to each VM based on usage.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select a Cloud Router, or click Create new router to create a new router.
Click Advanced configuration.
Select Enable Dynamic Port Allocation.
Select the Minimum ports per VM instance. The default value is 32.
Select the Maximum ports per VM instance. The default value is 65536.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-dynamic-port-allocation \
    [ --min-ports-per-vm=MIN_PORTS ] \
    [ --max-ports-per-vm=MAX_PORTS ]

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).
MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is turned on, MIN_PORTS must be a power of 2, and can be between 32 and 32768. Default is 32.
MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS. Default is 65536.

Specify subnet ranges for NAT

By default, NAT works for all primary and secondary IP ranges for all subnets in the region for the given VPC network. You can restrict which primary and secondary subnet ranges can use NAT.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Under NAT mapping, set Source to Custom.
Select a subnet.
In the IP ranges drop-down list, select the subnet IP ranges to include.
Click OK.
If you want to specify additional ranges, click Add subnet and IP range.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=SUBNETS_RANGES_LIST

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).
SUBNETS_RANGES_LIST: a comma-separated list of subnet names. For example:
- SUBNET_NAME_1,SUBNET_NAME_2: includes only the primary subnet range of SUBNET_NAME_1 and SUBNET_NAME_2.
- SUBNET_NAME:SECONDARY_RANGE_NAME: includes the secondary range SECONDARY_RANGE_NAME of subnet SUBNET_NAME. It does not include the primary range of SUBNET_NAME.
- SUBNET_NAME_1,SUBNET_NAME_2:SECONDARY_RANGE_NAME: includes the primary range of SUBNET_NAME_1 and the specified secondary range SECONDARY_RANGE_NAME of subnet SUBNET_NAME_2.

Specify a different minimum number of default ports per VM for NAT

You can configure the number of ports that a Cloud NAT gateway reserves for each VM. For more information, see Ports and connections.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Click Advanced configurations.
Set Minimum ports per VM instance to a different value.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --auto-allocate-nat-external-ips \
    --min-ports-per-vm=128

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).

Specify different timeouts for NAT

For more information about timeouts, see NAT timeouts.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Click Advanced configuration.
Modify timeouts as desired.
Click Create.

gcloud

Use this command to create a NAT gateway with custom settings for these timeouts:

UDP Mapping Idle Timeout
TCP Established Connection Idle Timeout
TCP Transitory Connection Idle Timeout
TCP TIME_WAIT Timeout
ICMP Mapping Idle Timeout

gcloud compute routers nats create NAT_CONFIG \
  --router=NAT_ROUTER \
  --region=REGION \
  --auto-allocate-nat-external-ips \
  --nat-custom-subnet-ip-ranges=SUBNETS_RANGES_LIST \
  --udp-idle-timeout=60s \
  --tcp-established-idle-timeout=60s \
  --tcp-transitory-idle-timeout=60s \
  --tcp-time-wait-timeout=60s \
  --icmp-idle-timeout=60s

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).
SUBNETS_RANGES_LIST: a comma-separated list of subnet names. For example:
- SUBNET_NAME_1,SUBNET_NAME_2: includes only the primary subnet range of SUBNET_NAME_1 and SUBNET_NAME_2.
- SUBNET_NAME:SECONDARY_RANGE_NAME: includes the secondary range SECONDARY_RANGE_NAME of subnet SUBNET_NAME. It does not include the primary range of SUBNET_NAME.
- SUBNET_NAME_1,SUBNET_NAME_2:SECONDARY_RANGE_NAME: includes the primary range of SUBNET_NAME_1 and the specified secondary range SECONDARY_RANGE_NAME of subnet SUBNET_NAME_2.

Update NAT

Change subnets and IP address resources associated with NAT

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Under NAT mapping, set Source to Custom.
Select a subnet.
In the IP ranges drop-down list, select the subnet IP ranges to include.
If you want to specify additional ranges, click Add subnet and IP range.
Click the NAT IP addresses drop-down list, and then select Automatic or Manual.
If you select Manual, specify an external IP address.
For high availability with manual IP addresses, click Add IP address, and then add a second address.
Click Save.

gcloud

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3 \
    --nat-custom-subnet-ip-ranges=SUBNETS_RANGES_LIST

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
IP_ADDRESS2: a manual external IP address
IP_ADDRESS3: another manual external IP address
SUBNETS_RANGES_LIST: a comma-separated list of subnet names. For example:
- SUBNET_NAME_1,SUBNET_NAME_2: includes only the primary subnet range of SUBNET_NAME_1 and SUBNET_NAME_2.
- SUBNET_NAME:SECONDARY_RANGE_NAME: includes the secondary range SECONDARY_RANGE_NAME of subnet SUBNET_NAME. It does not include the primary range of SUBNET_NAME.
- SUBNET_NAME_1,SUBNET_NAME_2:SECONDARY_RANGE_NAME: includes the primary range of SUBNET_NAME_1 and the specified secondary range SECONDARY_RANGE_NAME of subnet SUBNET_NAME_2.

Delete subnets associated with NAT

You can remove specific subnets from the NAT gateway that are no longer in use.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
In the NAT mapping section, set Source to Custom.
Delete the subnet that you want to remove from NAT mapping.

Note: If the subnet that you deleted is the only subnet that is mapped to the Cloud NAT gateway, then the system prompts you to add a subnet. You can map a new subnet or select Primary and secondary ranges for all subnets in the Source list.
Click Save.

Change external IP addresses associated with NAT

You can change the list of external IP addresses for a given gateway. When you do, Google Cloud removes the old addresses and adds the new ones. Any existing connections on the old IP addresses immediately close. To let existing connections continue while preventing new connections on those IP addresses, see Drain external IP addresses associated with NAT.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click the NAT IP addresses drop-down list, and then select Automatic or Manual.
If you select Manual, specify an external IP address.
For high availability, click Add IP address, and then add a second address.
Click Save.

gcloud

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
IP_ADDRESS2: a manual external IP address.
IP_ADDRESS3: another manual external IP address.

Drain external IP addresses associated with NAT

Before you remove a manually configured IP address, you can drain it so that existing connections aren't disrupted. When an IP address is drained, all existing connections are allowed to continue until they expire naturally. You can view the logs to check the status of existing connections.

No new connections are accepted on the drained IP addresses. However, the IP address stays associated with the NAT configuration.

You must have at least one active address in a NAT configuration, which means that you cannot drain all IP addresses in a configuration.

To see the state of your NAT IP addresses, you can Show NAT status.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Under NAT IP addresses, set the IP draining value next to the IP address to On.
Click Save.

gcloud

To drain an address, you must move it from the active pool to the drain pool in the same command. If you remove it from the active pool without adding it to the drain pool in a single command, the IP address is deleted from service and existing connections are terminated immediately.

If you move an IP address from the drain pool to the active pool, you undrain the IP address. If you remove a NAT IP address from both pools, you disconnect it from the NAT configuration.

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --nat-external-ip-pool=IP_ADDRESS3 \
    --nat-external-drain-ip-pool=IP_ADDRESS2

Where:

--nat-external-ip-pool=IP_ADDRESS3: updates the active pool to omit IP_ADDRESS2
--nat-external-drain-ip-pool=IP_ADDRESS2: adds IP_ADDRESS2 to the drain pool

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
IP_ADDRESS3: an IP address.
IP_ADDRESS2: another IP address.

Change the network tier of an existing NAT gateway

You can change the network tier for a given gateway that is configured with automatic IP address allocation. In that case, Google Cloud removes the old addresses and adds new ones from the specified network tier. Any existing connections on the old IP addresses immediately close.

Use the gcloud CLI to run the compute routers nats update command with the flag --auto-network-tier.

gcloud beta compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --auto-allocate-nat-external-ips
    --auto-network-tier=AUTO_NETWORK_TIER

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).
AUTO_NETWORK_TIER: the network tier to use when automatically allocating IP addresses for the Cloud NAT gateway. The allowed values are PREMIUM and STANDARD. If not specified, then IP addresses from the Premium Tier are allocated to the Cloud NAT gateway.

View port usage

Before you modify the minimum port usage per VM, review your per-VM port usage. You can get this information by using the compute.googleapis.com/nat/port_usage metric.

Console

Go to the Monitoring page.

Go to Monitoring
In the navigation pane, select Metrics Explorer .
Expand the Select a metric menu, and use the submenus to choose the compute.googleapis.com/nat/port_usage metric:
- For Resource, select VM instance.
- For Metric category, select Nat.
- For Metric, select Port usage.
Use the Filters field to select your NAT gateway.
In the Group by field, select instance_id.
Set the Aggregator field to max.
Under Advanced options, set the Aligner field to max.
To see usage for the past 30 days, use the menu at the top right to select 1M.

For more information about using Metrics Explorer, see Select metrics when using Metrics Explorer

Choose a minimum number of ports per VM

Choosing an appropriate minimum number of ports is important to help you maximize NAT IP addresses usage.

Before you increase the number of ports per VM, consider other strategies for reducing port usage.

If you do need to increase the number of ports per VM, start by considering the per-VM port usage in your gateway. For information about how to find this data, see View port usage.

Review your maximum port usage for the past 30 days, or for another period that you think is representative for your NAT gateway.

Do one of the following:

If you are using static port allocation, configure the number of ports per VM so that the minimum is equal to your current peak port usage.
If you are using dynamic port allocation, configure the number of ports per VM so that the minimum is lower than the peak port usage and the maximum is higher than the peak port usage.

Change minimum default ports allocated per VM associated with NAT

For help deciding how to configure the minimum number of ports per VM, see Choose a minimum number of ports per VM.

For information about the consequences of changing the minimum port allocation, see the following sections:

If your Cloud NAT gateway has dynamic port allocation configured, see Change minimum or maximum ports when dynamic port allocation is configured.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Modify the Minimum ports per VM instance field.
Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --min-ports-per-vm=128

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).

Update an existing NAT gateway to use dynamic port allocation

Static port allocation and dynamic port allocation have different configuration requirements.

Before you turn on dynamic port allocation on an existing NAT gateway, make sure that the NAT gateway configuration is compatible with dynamic port allocation. If the configuration is not compatible, the change fails.

Check that Endpoint-Independent Mapping is disabled.
Check that the minimum ports per VM setting is a power of 2, and is between 32 and 32,768.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Select Enable Dynamic Port Allocation.
If needed, adjust the values for Minimum ports per VM instance and Maximum ports per VM instance.
Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --enable-dynamic-port-allocation \
    [ --min-ports-per-vm=MIN_PORTS ] \
    [ --max-ports-per-vm=MAX_PORTS ]

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled, MIN_PORTS must be a power of 2, and can be between 32 and 32768.
MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS. Default is 65536.

Change minimum or maximum ports when dynamic port allocation is configured

After you have configured dynamic port allocation, you can change the minimum or maximum number of ports assigned per VM.

For help deciding how to configure the minimum number of ports per VM, see Choose a minimum number of ports per VM.

For information about the consequences of changing the minimum port allocation, see the following sections:

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Adjust the Minimum ports per VM instance and Maximum ports per VM instance fields.
Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --min-ports-per-vm=MIN_PORTS \
    --max-ports-per-vm=MAX_PORTS

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled, MIN_PORTS must be a power of 2, and can be between 32 and 32768.
MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS.

Change connection timeouts associated with NAT

For more information about timeouts, see NAT timeouts.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Modify any timeout values that you want to change.
Click Save.

gcloud

Use this command to change these timeouts:
- UDP Mapping Idle Timeout
- TCP Established Connection Idle Timeout
- TCP Transitory Connection Idle Timeout
- TCP TIME_WAIT Timeout
- ICMP Mapping Idle Timeout
This command leaves the other fields in the NAT configuration unchanged.
```
gcloud compute routers nats update NAT_CONFIG \
  --router=NAT_ROUTER \
  --region=REGION \
  --udp-idle-timeout=60s \
  --tcp-established-idle-timeout=60s \
  --tcp-transitory-idle-timeout=60s \
  --tcp-time-wait-timeout=60s \
  --icmp-idle-timeout=60s
```

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).

Reset connection timeouts associated with NAT to default values

For more information about timeouts, see NAT timeouts.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Remove any user-configured values that you want to reset.
Click Save.

The removed values are reset to the default values.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    --clear-udp-idle-timeout \
    --clear-icmp-idle-timeout \
    --clear-tcp-established-idle-timeout \
    --clear-tcp-time-wait-timeout \
    --clear-tcp-transitory-idle-timeout

Replace the following:

NAT_CONFIG: the name of your NAT gateway.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).

Set endpoint mapping

You can enable or disable Endpoint-Independent Mapping for your gateway. By default, it is disabled. Switching Endpoint-Independent Mapping from enabled to disabled (or from disabled to enabled) does not interrupt existing connections.

Do not enable Endpoint-Independent Mapping if your NAT gateway uses NAT rules or dynamic port allocation.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configurations.
To enable Endpoint-Independent Mapping, select the Enable Endpoint-Independent Mapping checkbox. To disable Endpoint-Independent Mapping, clear the checkbox.
Click Save.

gcloud

Update for an existing gateway

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --region=REGION \
    [--enable-endpoint-independent-mapping | --no-enable-endpoint-independent-mapping]

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).

Configure logging

To add (turn on), modify, or remove logging for an existing gateway, see Configuring logging.

Delete NAT

This removes a NAT configuration from a Cloud Router. It does not delete the router itself.

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
Select the checkbox next to the gateway configuration that you want to delete.
On the Menu, click Delete.

gcloud

gcloud compute routers nats delete NAT_CONFIG \
 --router=NAT_ROUTER \
 --region=REGION

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
REGION: the region of the NAT to delete. If not specified, you might be prompted to select a region (interactive mode only).

View the NAT configuration

Console

In the Google Cloud console, go to the Cloud NAT page.

Go to Cloud NAT
To view NAT gateway details, mapping information, or configuration details, click the name of your NAT gateway.
To view NAT status, consult the Status column for your NAT gateway.

gcloud

You can view the NAT configuration details by running the following commands:

View the Cloud NAT gateway configuration.
```
gcloud compute routers nats describe NAT_CONFIG \
--router=NAT_ROUTER \
--region=REGION
```
Replace the following:
- NAT_CONFIG: the name of your NAT configuration.
- NAT_ROUTER: the name of your Cloud Router.
- REGION: the region of the NAT to describe. If not specified, you might be prompted to select a region (interactive mode only).

View the mapping of the IP:port-ranges allocated to each VM's interface.

gcloud compute routers get-nat-mapping-info NAT_ROUTER \
--region=REGION

View the status of the Cloud NAT gateway.

gcloud compute routers get-status NAT_ROUTER \
--region=REGION

Quotas and limits

For quota and limit information, see the quotas page.

Example setups

These examples show you how to test Cloud NAT with Google Cloud:

What's next

Configure logging and monitoring for Cloud NAT.
Troubleshoot common issues with NAT configurations.