Set up and manage network address translation with Public NAT
This page shows you how to configure and manage network address translation (NAT) by using Public NAT. Before setting up Public NAT, see the Public NAT overview.
Limitations
If you change the network tier of the automatically allocated IP addresses for a Cloud NAT gateway, all connections on the old IP addresses immediately close.
If you use manual NAT IP address allocation, and you change the IP addresses that are used for Cloud NAT, all connections on the old IP addresses immediately close. To avoid this, see Drain external IP addresses associated with NAT.
If you configure a Cloud NAT gateway with static port allocation, and you reduce the minimum ports per VM, established NAT connections might be broken. For more information, see Reducing ports per VM.
If you configure a Cloud NAT gateway with dynamic port allocation, and you make any further configuration changes, established NAT connections might be broken. When the configuration change, the number of ports currently allocated to each VM might be temporarily reset to the minimum number configured. For more information, see Reducing ports per VM.
If you configure a Cloud NAT gateway with dynamic port allocation and then turn off dynamic port allocation, all VM connections that use the NAT gateway are closed. For more information, see Switch port allocation method.
If Endpoint-Independent Mapping is turned on, you can't configure dynamic port allocation or NAT rules.
Cloud NAT doesn't support IP fragments.
A Cloud NAT configuration is tied to a Virtual Private Cloud (VPC) network. So, the configuration applies to all the resources that belong to the subnets of that network. You can't choose specific VMs to be served by a Cloud NAT gateway.
Before you begin
Complete the following tasks before setting up Public NAT.
Get IAM permissions
The Compute Network Admin
role
(roles/compute.networkAdmin
) includes the permissions that you need to
configure Public NAT.
Set up Google Cloud
Before you get started, set up the following items in Google Cloud.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
The Google Cloud CLI instructions on this page assume that you have set your project ID before issuing commands.
You can set a project ID with the following command:
gcloud config set project PROJECT_ID
You can also view a project ID that is already set:
gcloud config list --format='text(core.project)'
Configure Public NAT
You configure Public NAT by creating a Cloud NAT gateway in the source VPC network. Each gateway is associated with a single VPC network, region, and Cloud Router. When creating a Cloud NAT gateway, you can configure the following settings.
Setting | Supported options | Description |
---|---|---|
Source endpoint type |
|
By default, Public NAT provides NAT services to VM instances, Google Kubernetes Engine (GKE) nodes, and serverless traffic. To create a Cloud NAT gateway for these resources, complete the steps in the following section. To create a Cloud NAT gateway for a regional internet network endpoint group (NEG), see "Set up a Cloud NAT gateway" for the following:
For a full list of Google Cloud resources that Cloud NAT supports, see Cloud NAT overview. |
Source subnets |
|
By default, Public NAT is enabled for all primary and secondary IP ranges for all subnets in the region for the VPC network that you specify. You can restrict which primary and secondary subnet ranges can use NAT. |
IP address allocation |
|
By default, Public NAT uses automatic NAT IP address allocation. This configuration automatically allocates the necessary external IP addresses to provide NAT services to a region. VM instances without external IP addresses in any subnet of the region are provided internet access through NAT. When you use automatic NAT IP address allocation, Google Cloud reserves IP addresses in your project. These addresses count against your static IP address quotas in the project. You can manually allocate NAT IP addresses for a Cloud NAT gateway. If you choose manual allocation, make sure to allocate enough IP addresses to avoid dropped packets. For more information, see Public NAT IP addresses. |
Network tier |
|
Public NAT lets you specify
the Network Service Tiers from which
the Cloud NAT gateway allocates external IP addresses.
The default is Premium.
|
Advanced configurations |
|
By default, Public NAT uses static port allocation, which means that each VM is allocated the same number of ports. You can configure dynamic port allocation with either automatic or manual NAT IP address allocation. Using dynamic port allocation lets the Cloud NAT gateway allocate different numbers of ports to each VM based on usage. You can't enable Endpoint-Independent Mapping if your Cloud NAT gateway uses NAT rules or dynamic port allocation. Logging is disabled by default. For information about NAT timeouts and their default values, see NAT timeouts. |
Create a Cloud NAT gateway
Console
In the Google Cloud console, go to the Cloud NAT page.
Click Get started or Create Cloud NAT gateway.
In the Gateway name field, enter a name for the gateway.
For NAT type, select Public.
In the Select Cloud Router section, configure the following:
- In the Network field, select the VPC network in which you want to create the gateway.
- In the Region field, set the region for the gateway.
- In the Cloud Router field, select or create a Cloud Router in the region.
In the Cloud NAT mapping section, for Source endpoint type, make sure the VM instances, GKE nodes, Serverless option is selected.
Configure Source subnets by selecting one of the following:
- To use Cloud NAT for all primary and secondary IP ranges for all subnets in the region, select Primary and secondary IP ranges for all subnets.
- To use Cloud NAT only for primary IP ranges, select Primary IP ranges for all subnets.
- To restrict which subnet IP ranges can use Cloud NAT,
select Custom and do the following:
- In the Subnets section, select a subnet.
- In the IP ranges drop-down list, select the subnet IP ranges to include and click OK.
- If you want to specify additional ranges, click Add subnet and IP range and add another subnet.
Configure the NAT IP address allocation type and network tier by selecting one of the following:
- To use automatic NAT IP address allocation, do the
following:
- In the Cloud NAT IP addresses list, select Automatic (recommended).
- For Network service tier, choose either Premium or Standard.
To use manual NAT IP address allocation, do the following:
- In the Cloud NAT IP addresses list, select Manual.
- For Network service tier, choose either Premium or Standard.
Select or create a static reserved external IP address to use for NAT.
If you want to specify additional IP addresses, click Add IP address and then select or create an additional static reserved external IP address.
If you want to create custom NAT rules, configure the Cloud NAT rules section. For instructions, see Create NAT rules.
- To use automatic NAT IP address allocation, do the
following:
Optional: Adjust any of the following settings in the Advanced configurations section:
- Whether to configure logging. By default, No logging is selected.
- Whether to change how Cloud NAT allocates ports. By default, Enable Dynamic Port Allocation is deselected. To configure dynamic port allocation, select Enable Dynamic Port Allocation and select a value for the Minimum ports per VM instance field (default is 32) and the Maximum ports per VM instance field (default is 65536).
- Whether to update NAT timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.
Click Create.
gcloud
To create a Cloud NAT gateway, use the
gcloud compute routers nats create
command.
Create a Cloud Router in the region in which you want to use the Cloud NAT gateway. You need this Cloud Router to create your Cloud NAT gateway.
Create the Cloud NAT gateway by doing one of the following. When using either of these options, replace
NAT_CONFIG
with a name for your NAT configuration,NAT_ROUTER
with the name of the Cloud Router that you created in the previous step, andREGION
with the region in which you want to use the Cloud NAT gateway.To create a Cloud NAT gateway with all of its configuration parameters set to their default values, run the following command:
gcloud compute routers nats create NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --auto-allocate-nat-external-ips \ --nat-all-subnet-ip-ranges
This configuration enables NAT for all primary and secondary IP ranges for all subnets in the region and automatically allocates the necessary external IP addresses to provide NAT services to the region.
When creating a Cloud NAT gateway, you can customize your gateway configuration by specifying each parameter that you want to customize. For a full list of flags that you can use, see the
gcloud compute routers nats create
command. For example:To create a Cloud NAT gateway that restricts which subnet ranges can use NAT, run the following command:
gcloud compute routers nats create NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --auto-allocate-nat-external-ips \ --nat-custom-subnet-ip-ranges=SUBNETS_RANGES_LIST
Replace
SUBNETS_RANGES_LIST
with a comma-separated list of subnet names. For example:SUBNET_NAME_1:ALL,SUBNET_NAME_2:ALL
: includes both the primary and secondary subnet ranges ofSUBNET_NAME_1
andSUBNET_NAME_2
.SUBNET_NAME_1,SUBNET_NAME_2
: includes only the primary subnet range ofSUBNET_NAME_1
andSUBNET_NAME_2
.SUBNET_NAME:SECONDARY_RANGE_NAME
: includes the secondary rangeSECONDARY_RANGE_NAME
of subnetSUBNET_NAME
. It doesn't include the primary range ofSUBNET_NAME
.SUBNET_NAME_1,SUBNET_NAME_2:SECONDARY_RANGE_NAME
: includes the primary range ofSUBNET_NAME_1
and the specified secondary rangeSECONDARY_RANGE_NAME
of subnetSUBNET_NAME_2
.
To create a Cloud NAT gateway with manual NAT IP address allocation, run the following command:
gcloud compute routers nats create NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --nat-all-subnet-ip-ranges \ --nat-external-ip-pool=IP_ADDRESS_1,IP_ADDRESS_2
Replace
IP_ADDRESS_1
andIP_ADDRESS_2
with the static reserved external IP addresses that you want to use for NAT. You can specify one or more external IP addresses when using the--nat-external-ip-pool
flag.To specify the network tier from which the Cloud NAT gateway allocates external IP addresses, run the following command:
gcloud compute routers nats create NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --nat-all-subnet-ip-ranges \ --auto-allocate-nat-external-ips \ --auto-network-tier=AUTO_NETWORK_TIER
Replace
AUTO_NETWORK_TIER
with the network tier to use when automatically allocating IP addresses for the Cloud NAT gateway. The allowed values arePREMIUM
andSTANDARD
. If not specified, then the current project-level default tier is associated with the Cloud NAT gateway.You can also specify the network tier with manual NAT IP addresses allocation. If you assign multiple IP addresses to the gateway, all the IP addresses that you assign must be from the same network tier.
To create a Cloud NAT gateway with dynamic port allocation, run the following command:
gcloud compute routers nats create NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --auto-allocate-nat-external-ips \ --nat-all-subnet-ip-ranges \ --enable-dynamic-port-allocation \ [ --min-ports-per-vm=MIN_PORTS ] \ [ --max-ports-per-vm=MAX_PORTS ]
Replace the following optional flags:
MIN_PORTS
: the minimum number of ports to allocate for each VM. If dynamic port allocation is turned on,MIN_PORTS
must be a power of2
and can be between32
and32768
. The default is32
.MAX_PORTS
: the maximum number of ports to allocate for each VM.MAX_PORTS
must be a power of2
, and can be between64
and65536
.MAX_PORTS
must be greater thanMIN_PORTS
. The default is65536
.
Terraform
You can use a Terraform module to create a Cloud Router with a NAT gateway.
The resulting NAT gateway uses the following default values:
enable_endpoint_independent_mapping = true icmp_idle_timeout_sec = 30 min_ports_per_vm = 0 nat_ip_allocate_option = "AUTO_ONLY" source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" tcp_established_idle_timeout_sec = 1200 tcp_transitory_idle_timeout_sec = 30 udp_idle_timeout_sec = 30 log_config { enable = true filter = "ALL" }
View Public NAT configuration
Console
In the Google Cloud console, go to the Cloud NAT page.
To view NAT gateway details, mapping information, or configuration details, click the name of your NAT gateway.
To view NAT status, see the Status column for your NAT gateway.
gcloud
You can view the NAT configuration details by running the following commands:
View the Public NAT gateway configuration.
gcloud compute routers nats describe NAT_CONFIG \ --router=ROUTER_NAME \ --region=REGION
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.ROUTER_NAME
: the name of your Cloud Router.REGION
: the region of the NAT to describe. If not specified, you might be prompted to select a region (interactive mode only).
View the mapping of the IP:port-ranges allocated to each VM's interface.
gcloud compute routers get-nat-mapping-info ROUTER_NAME \ --region=REGION
View the status of the Public NAT gateway.
gcloud compute routers get-status ROUTER_NAME \ --region=REGION
View external IP addresses assigned to a Cloud NAT gateway
To view NAT IP addresses that were automatically added, see the list of static external IP addresses. These addresses don't count toward per-project quotas.
Console
In the Google Cloud console, go to the IP addresses page and then click External IP addresses.
gcloud
To list all allocated NAT IP addresses, use the following command:
gcloud compute routers get-nat-ip-info NAT_ROUTER \ --region=REGION
For more examples, see gcloud compute routers get-nat-ip-info.
Update the Public NAT configuration
After you set up your Cloud NAT gateway, you can update the gateway configuration based on your requirements. The following sections list the tasks that you can perform to update your Cloud NAT gateway.
Update subnets and IP address resources associated with NAT
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your Cloud NAT gateway.
Click
Edit.Under NAT mapping, set Source to Custom.
Select a subnet.
In the IP ranges drop-down list, select the subnet IP ranges to include.
If you want to specify additional ranges, click Add subnet and IP range.
Click the NAT IP addresses drop-down list, and then select Automatic or Manual.
If you select Manual, specify an external IP address.
For high availability with manual IP addresses, click Add IP address, and then add a second address.
Click Save.
gcloud
gcloud compute routers nats update NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3 \ --nat-custom-subnet-ip-ranges=SUBNETS_RANGES_LIST
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.NAT_ROUTER
: the name of your Cloud Router.REGION
: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).IP_ADDRESS2
: a manual external IP addressIP_ADDRESS3
: another manual external IP addressSUBNETS_RANGES_LIST
: a comma-separated list of subnet names. For example:SUBNET_NAME_1:ALL,SUBNET_NAME_2:ALL
: includes both the primary and secondary subnet ranges ofSUBNET_NAME_1
andSUBNET_NAME_2
.SUBNET_NAME_1,SUBNET_NAME_2
: includes only the primary subnet range ofSUBNET_NAME_1
andSUBNET_NAME_2
.SUBNET_NAME:SECONDARY_RANGE_NAME
: includes the secondary rangeSECONDARY_RANGE_NAME
of subnetSUBNET_NAME
. This list of subnet names doesn't include the primary range ofSUBNET_NAME
.SUBNET_NAME_1,SUBNET_NAME_2:SECONDARY_RANGE_NAME
: includes the primary range ofSUBNET_NAME_1
and the specified secondary rangeSECONDARY_RANGE_NAME
of subnetSUBNET_NAME_2
.
Delete subnets associated with NAT
You can remove specific subnets from the Cloud NAT gateway that are no longer in use.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your Cloud NAT gateway.
Click
Edit.Delete the subnet that you want to remove from NAT mapping.
Click Save.
Update external IP addresses associated with NAT
You can change the list of external IP addresses for a given gateway or switch from manual to automatic IP allocation. When you do, Google Cloud removes the old addresses and adds the new ones. Any existing connections on the old IP addresses immediately close. To let existing connections continue while preventing new connections on those IP addresses, see Drain external IP addresses associated with NAT.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your Cloud NAT gateway.
Click
Edit.Click the NAT IP addresses drop-down list, and then select Automatic or Manual.
If you select Manual, specify an external IP address.
For high availability, click Add IP address, and then add a second address.
Click Save.
gcloud
gcloud compute routers nats update NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.NAT_ROUTER
: the name of your Cloud Router.REGION
: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).IP_ADDRESS2
: a manual external IP address.IP_ADDRESS3
: another manual external IP address.
Update NAT by using external IP addresses from a different network tier
You can update an existing Cloud NAT gateway by changing the network tier of the external IP addresses associated with the gateway.
Update NAT by changing the network tier of automatically allocated external IP addresses
When you change the network tier of automatically allocated external IP addresses associated with an existing Cloud NAT gateway, Google Cloud removes the previously allocated IP addresses and replaces them with IP addresses from the specified network tier. Any existing connections on the previously allocated IP addresses immediately close.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your Cloud NAT gateway name that has automatically allocated IP addresses.
Click
Edit.For Network service tier, choose either Premium or Standard.
Click Save.
gcloud
Use the gcloud CLI to run the compute routers nats update
command
with the flag --auto-network-tier
.
gcloud compute routers nats update NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --auto-allocate-nat-external-ips --auto-network-tier=AUTO_NETWORK_TIER
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.NAT_ROUTER
: the name of your Cloud Router.REGION
: the region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).AUTO_NETWORK_TIER
: the network tier to use when automatically allocating IP addresses for the Cloud NAT gateway. The allowed values arePREMIUM
andSTANDARD
. If not specified, then the current project-level default tier is associated with the Cloud NAT gateway.
Update NAT by changing the network tier of manually assigned IP addresses
You can update an existing NAT by manually specifying external IP addresses from a different tier. You can assign external IP addresses from either Standard Tier or Premium Tier or both, subject to certain conditions. Before you specify external IP addresses from a different tier, first drain the existing IP addresses to let existing connections continue and prevent new connections on the existing IP addresses.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your Cloud NAT gateway name that has manually assigned IP addresses.
Click
Edit.To specify IP addresses from a tier that is different from the currently selected tier, either delete all the existing IP addresses or enable draining for all the existing IP addresses.
You can't change the network tier if draining is disabled for an existing IP address.
For Network service tier, choose either Premium or Standard.
Select an external IP address from the list of active, available IP addresses.
Optional: To add more IP addresses, click Add IP addresses.
Click Save.
gcloud
To update an existing gateway by manually changing the existing external IP
addresses with new ones from a different network tier, use the --nat-external-ip-pool
field of the compute routers nats update
command.
For more information about manually changing the existing external IP addresses, see Change external IP addresses associated with NAT.
Drain external IP addresses associated with NAT
Before you remove a manually configured IP address, you can drain it so that existing connections aren't disrupted. When an IP address is drained, all existing connections are allowed to continue until they expire naturally. You can view the logs to check the status of existing connections.
No new connections are accepted on the drained IP addresses. However, the IP address stays associated with the NAT configuration.
You must have at least one active address in a NAT configuration, which means that you can't drain all IP addresses in a configuration.
To see the state of your NAT IP addresses, you can Show NAT status.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your Cloud NAT gateway.
Click
Edit.For NAT IP addresses, set the IP draining value next to the IP address to On.
Click Save.
gcloud
To drain an address, you must move it from the active pool to the drain pool in the same command. If you remove it from the active pool without adding it to the drain pool in a single command, the IP address is deleted from service and existing connections are terminated immediately.
If you move an IP address from the drain pool to the active pool, you undrain the IP address. If you remove a NAT IP address from both pools, you disconnect it from the NAT configuration.
This command leaves the other fields in the NAT configuration unchanged.
gcloud compute routers nats update NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ --nat-external-ip-pool=IP_ADDRESS3 \ --nat-external-drain-ip-pool=IP_ADDRESS2
Where:
--nat-external-ip-pool=IP_ADDRESS3
: updates the active pool to omitIP_ADDRESS2
--nat-external-drain-ip-pool=IP_ADDRESS2
: addsIP_ADDRESS2
to the drain pool
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.NAT_ROUTER
: the name of your Cloud Router.REGION
: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).IP_ADDRESS3
: an IP address.IP_ADDRESS2
: another IP address.
Update endpoint mapping
You can enable or disable Endpoint-Independent Mapping for your gateway. By default, this option is disabled. Switching Endpoint-Independent Mapping from enabled to disabled (or from disabled to enabled) doesn't interrupt existing connections.
You can't enable Endpoint-Independent Mapping if your Cloud NAT gateway uses NAT rules or dynamic port allocation.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your Cloud NAT gateway.
Click
Edit.Click Advanced configurations.
To enable Endpoint-Independent Mapping, select the Enable Endpoint-Independent Mapping checkbox. To disable Endpoint-Independent Mapping, clear the checkbox.
Click Save.
gcloud
gcloud compute routers nats update NAT_CONFIG \ --router=NAT_ROUTER \ --region=REGION \ [--enable-endpoint-independent-mapping | --no-enable-endpoint-independent-mapping]
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.NAT_ROUTER
: the name of your Cloud Router.REGION
: the region of the NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
Update logging
To add, modify, or remove logging for an existing Cloud NAT gateway, see Configuring logging.
Delete Public NAT configuration
Deleting a gateway configuration removes the NAT configuration from a Cloud Router. It does not delete the router itself.
Console
In the Google Cloud console, go to the Cloud NAT page.
Select the checkbox next to the gateway configuration that you want to delete.
On the
Menu, click Delete.
gcloud
gcloud compute routers nats delete NAT_CONFIG \ --router=ROUTER_NAME \ --region=REGION
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.ROUTER_NAME
: the name of your Cloud Router.REGION
: the region of the NAT to delete. If not specified, you might be prompted to select a region (interactive mode only).
Quotas and limits
For quota and limit information, see the quotas page.
Example setups
These examples show you how to test Cloud NAT with Google Cloud:
What's next
- Configure logging and monitoring for Cloud NAT.
- Troubleshoot common issues with NAT configurations.