Set up and manage network address translation with Private NAT

This page shows you how to configure network address translation (NAT) by using Private NAT. Before setting up your Private NAT configuration, read about Private NAT.

Before you begin

Complete the following tasks before setting up Private NAT.

Get IAM permissions

The Compute Network Admin role (roles/compute.networkAdmin) gives you permissions to create a NAT gateway on Cloud Router, reserve and assign NAT IP addresses, and specify subnetworks (subnets) whose traffic should use network address translation by the NAT gateway.

Set up Google Cloud

Before you get started, set up the following items in Google Cloud.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine API.

    Enable the API

  5. Install the Google Cloud CLI.
  6. To initialize the gcloud CLI, run the following command:

    gcloud init

The Google Cloud CLI instructions on this page assume that you have set your project ID before issuing commands.

  1. You can set a project ID with the following command:

    gcloud config set project PROJECT_ID
    
  2. You can also view a project ID that is already set:

    gcloud config list --format='text(core.project)'
    

Create a NAT subnet of purpose PRIVATE_NAT

Before you configure Private NAT, you must create a NAT subnet with the purpose PRIVATE_NAT. The NAT subnet must be in the same region where you plan to create your Private NAT gateway. The Private NAT gateway uses IP address ranges from this subnet to perform NAT. Ensure that this subnet does not overlap with any existing subnet in any of the connected networks. You cannot create any other resource in this subnet; it is used only for Private NAT.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. To show the VPC network details page, click the name of a VPC network.

  3. Click the Subnets tab.

  4. Click Add subnet. In the Add a subnet dialog, do the following:

    1. Provide a name for the subnet.
    2. Select a region.
    3. For Purpose, select Private NAT.
    4. Enter an IP address range, which is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information about valid IPv4 subnet ranges, see IPv4 subnet ranges.

  5. Click Add.

gcloud

Use the compute networks subnet create command to create the subnet.

    gcloud compute networks subnets create NAT_SUBNET \
      --network=NETWORK \
      --region=REGION \
      --range=IP_RANGE \
      --purpose=PRIVATE_NAT

Replace the following:

  • NAT_SUBNET: the name of the Private NAT subnet range to create.
  • NETWORK: the network to which the subnetwork belongs.
  • REGION: the region of the subnetwork to create. If not specified, you might be prompted to select a region (interactive mode only).
  • IP_RANGE: the IP address space allocated to this subnet, in CIDR format. Size IP_RANGE so that it accounts for twice the number of ports required per VM.
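A sizing helper for the step above, added here as an example and not part of the Google Cloud documentation. It turns a VM count and a ports-per-VM figure into the --range value for the NAT subnet; the per-IP port count, the treatment of every address as usable, and the /29 floor are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: work out the
# PRIVATE_NAT subnet size before running `gcloud compute networks subnets create`.
# Assumptions not stated on the page: each NAT IP address provides PORTS_PER_IP
# usable source ports, every address in the range is usable for NAT, and /29
# is the smallest subnet prefix accepted. Adjust them for your environment.
set -eu

PORTS_PER_IP=64512   # assumption: ports 1024-65535 on each NAT IP address

# NAT IP addresses needed for $1 VMs that each need $2 ports.
# The page says to size the range for twice the ports per VM, so the factor
# of two is applied here before the ceiling division.
nat_ips_needed() {
  total=$(( $1 * $2 * 2 ))
  echo $(( (total + PORTS_PER_IP - 1) / PORTS_PER_IP ))
}

# Smallest prefix length whose address count is at least $1, never smaller
# than a /29 (assumption above).
prefix_for_ips() {
  bits=0
  while [ $(( 1 << bits )) -lt "$1" ]; do bits=$(( bits + 1 )); done
  prefix=$(( 32 - bits ))
  if [ "$prefix" -gt 29 ]; then prefix=29; fi
  echo "$prefix"
}

# The --range value for the NAT subnet: BASE/prefix. BASE ($1) is chosen by
# the caller and must not overlap any subnet in the connected networks.
nat_subnet_range() {
  base=$1
  echo "$base/$(prefix_for_ips "$(nat_ips_needed "$2" "$3")")"
}
```

For example, `nat_subnet_range 10.1.2.0 1000 1024` (a constructed base address) yields a /27, enough for the 32 NAT addresses that 1000 VMs at 1024 ports each require under these assumptions.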

Create Private NAT configurations

You can configure a Private NAT gateway to support the following Private NAT offerings:

  • Inter-VPC NAT: performs NAT on traffic between VPC networks configured as VPC spokes that are connected to a common Network Connectivity Center hub.
  • Hybrid NAT (Preview): performs NAT on traffic between VPC networks and on-premises networks or other cloud provider networks that are connected over Google Cloud's enterprise hybrid connectivity solutions.

Set up Private NAT

Create a Private NAT gateway with a custom NAT rule that performs NAT on traffic between your VPC network and other networks.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click Get started or Create Cloud NAT gateway.

  3. Enter a gateway name.

  4. For NAT type, select Private.

  5. Select a VPC network for the NAT gateway.

  6. Select the region for the NAT gateway.

  7. Select or create a Cloud Router in the region.

  8. Ensure that VM instances is selected as the source endpoint type.

  9. In the Source list, select Custom.

  10. Select a subnet on which you want to perform NAT.

  11. If you want to specify additional ranges, click Add subnet and IP range.

  12. Click Add a rule.

  13. In the Rule number field, enter any value between 1 and 65000.

  14. For Match, select one of the following options:

    • For Inter-VPC NAT, select Network Connectivity Center hub.
    • For Hybrid NAT (Preview), select Hybrid Connectivity Routes.
  15. Select or create a private NAT subnet range.

  16. Click Done, and then click Create.

gcloud

  1. Create a Cloud Router in the VPC network for which you want to perform NAT. Use the compute routers create command.

    gcloud compute routers create ROUTER_NAME \
      --network=NETWORK --region=REGION
    

    Replace the following:

    • ROUTER_NAME: the name of the router to create.
    • NETWORK: the VPC network for this router.
    • REGION: the region of the router to create. If not specified, you might be prompted to select a region (interactive mode only).
  2. Create a Private NAT gateway by specifying the subnets of the source VPC network for which you want to perform NAT.

    Use the compute routers nats create command with the --type flag set to PRIVATE.

    gcloud compute routers nats create NAT_CONFIG \
      --router=ROUTER_NAME --type=PRIVATE --region=REGION \
      --nat-custom-subnet-ip-ranges=SUBNETWORK:ALL|[SUBNETWORK_1:ALL ...] | \
      [--nat-all-subnet-ip-ranges]
    

    Replace the following:

    • NAT_CONFIG: the name of your Private NAT configuration to create.
    • ROUTER_NAME: the name of the router to use with this gateway. This is the router that you created in the previous step. Ensure that no other resource is associated with this router.
    • SUBNETWORK: the name of the subnet or list of subnets to be allowed to use the gateway. You can also specify a list of subnets in a comma-separated format, such as SUBNETWORK_1, SUBNETWORK_2. Google Cloud always performs NAT on all subnet IP ranges for the given subnet or the list of subnets.
  3. Create a rule to match traffic based on your requirement:

    • To perform NAT on traffic that egresses through the source VPC spoke to any of the peer VPC spokes attached to a matching Network Connectivity Center hub, create a NAT rule in the Private NAT gateway. Based on the NAT rule, the Private NAT gateway assigns NAT IP addresses from the Private NAT subnet to perform NAT on the traffic.

      Use the compute routers nats rules create command.

      gcloud beta compute routers nats rules create NAT_RULE_NUMBER \
      --router=ROUTER_NAME --region=REGION \
      --nat=NAT_CONFIG \
      --match='nexthop.hub == "//networkconnectivity.googleapis.com/projects/PROJECT_ID/locations/global/hubs/HUB"' \
      --source-nat-active-ranges=NAT_SUBNET ...
      

      Replace the following:

      • NAT_RULE_NUMBER: the number that uniquely identifies the rule to create.
      • NAT_CONFIG: the name of your Private NAT configuration for the rule to create. This is the configuration that you created in the previous step.
      • PROJECT_ID: the globally unique identifier for the project where your router is located.
      • HUB: the name of the matching Network Connectivity Center hub.
      • NAT_SUBNET: the name of the Private NAT subnet that you created earlier. You can also specify a list of subnets in a comma-separated format.
    • To perform NAT on traffic that egresses through your source VPC network to an on-premises or other cloud provider network over Google Cloud's enterprise hybrid connectivity solutions (Preview), create a NAT rule in the Private NAT gateway. Based on the NAT rule, the Private NAT gateway assigns NAT IP addresses from the Private NAT subnet to perform NAT on the traffic.

      Use the compute routers nats rules create command.

      gcloud beta compute routers nats rules create NAT_RULE_NUMBER \
      --router=ROUTER_NAME --region=REGION \
      --nat=NAT_CONFIG \
      --match='nexthop.is_hybrid' \
      --source-nat-active-ranges=NAT_SUBNET ...
      

      Replace the following:

      • NAT_RULE_NUMBER: the number that uniquely identifies the rule to create.
      • NAT_CONFIG: the name of your Private NAT configuration for the rule to create. This is the configuration that you created in the previous step.
      • NAT_SUBNET: the name of the Private NAT subnet that you created earlier. You can also specify a list of subnets in a comma-separated format.
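The three gcloud steps above, wrapped in one script with the checks that belong in front of them. This is an added example, not code from the Google Cloud documentation; it uses only the flags shown on this page, and the GCLOUD variable is an assumption that lets the logic be exercised with a stub instead of a real project.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: runs the three gcloud
# steps above as one script, after validating the rule number and confirming
# that the NAT subnet really has purpose PRIVATE_NAT.
# Assumption: GCLOUD points at the gcloud binary (or a stub for testing).
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Match expression for Inter-VPC NAT: the hub URI from the page with
# PROJECT_ID ($1) and HUB ($2) filled in.
hub_match_expr() {
  printf 'nexthop.hub == "//networkconnectivity.googleapis.com/projects/%s/locations/global/hubs/%s"' "$1" "$2"
}

# Rule numbers must be integers between 1 and 65000 (see console step 13).
valid_rule_number() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65000 ]
}

# Only a subnet whose purpose is PRIVATE_NAT may supply NAT addresses ($1 subnet, $2 region).
is_private_nat_subnet() {
  purpose=$("$GCLOUD" compute networks subnets describe "$1" --region="$2" --format='value(purpose)')
  [ "$purpose" = "PRIVATE_NAT" ]
}

# Arguments: project region network router nat source_subnet nat_subnet hub rule_number
create_inter_vpc_nat() {
  project=$1 region=$2 network=$3 router=$4 nat=$5 src=$6 nat_subnet=$7 hub=$8 rule=$9
  valid_rule_number "$rule" || { echo "rule number $rule is not in 1-65000" >&2; return 1; }
  is_private_nat_subnet "$nat_subnet" "$region" || { echo "$nat_subnet is not a PRIVATE_NAT subnet" >&2; return 1; }
  # Step 1: a Cloud Router that nothing else will use.
  "$GCLOUD" compute routers create "$router" --network="$network" --region="$region"
  # Step 2: the Private NAT gateway, covering all ranges of the source subnet.
  "$GCLOUD" compute routers nats create "$nat" --router="$router" --type=PRIVATE \
    --region="$region" --nat-custom-subnet-ip-ranges="$src:ALL"
  # Step 3: the rule that translates hub-bound traffic using the NAT subnet.
  "$GCLOUD" beta compute routers nats rules create "$rule" --router="$router" --region="$region" \
    --nat="$nat" --match="$(hub_match_expr "$project" "$hub")" \
    --source-nat-active-ranges="$nat_subnet"
}
```

Call `create_inter_vpc_nat` with your own project, region, network, router, gateway, source subnet, NAT subnet, hub and rule number; set GCLOUD to a stub function to rehearse the sequence without touching a project.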

Set up Private NAT with static port allocation

Private NAT uses dynamic port allocation by default. However, you can configure Private NAT to use static port allocation.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click Get started or Create Cloud NAT gateway.

  3. Enter a gateway name.

  4. For NAT type, select Private.

  5. Select a VPC network for the NAT gateway.

  6. Select the region for the NAT gateway.

  7. Select or create a Cloud Router in the region.

  8. Specify the Cloud NAT mapping details and create a NAT rule. For more information, see Set up Private NAT.

  9. Click Advanced configuration.

  10. Clear Enable Dynamic Port Allocation.

  11. Specify the value for Minimum ports per VM instance. The default is 64.

  12. Click Done, and then click Create.

gcloud

Use the compute routers nats create command with the flag --no-enable-dynamic-port-allocation.

  gcloud compute routers nats create NAT_CONFIG \
    --router=ROUTER_NAME --type=PRIVATE --region=REGION \
    --nat-custom-subnet-ip-ranges=SUBNETWORK:ALL|[SUBNETWORK_1:ALL,SUBNETWORK_2:ALL,...] \
    --no-enable-dynamic-port-allocation \
    [--min-ports-per-vm=VALUE]

Replace the following:

  • NAT_CONFIG: the name of your Private NAT configuration to create.
  • ROUTER_NAME: the name of the router to use with this gateway.
  • SUBNETWORK: the name of the subnet or list of subnets to be allowed to use the gateway.

    You can also specify a list of subnets in a comma-separated format, such as SUBNETWORK_1, SUBNETWORK_2. Google Cloud always performs NAT on all subnet IP ranges for the given subnet or the list of subnets.

  • VALUE: the minimum ports per VM that you want the gateway to assign. If not specified, Google Cloud assigns the default value of 64.

View NAT configuration

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. To view NAT gateway details, mapping information, or configuration details, click the name of your NAT gateway.

  3. To view NAT status, see the Status column for your NAT gateway.

gcloud

You can view the NAT configuration details by running the following commands:

  • View the Private NAT gateway configuration.

    gcloud compute routers nats describe NAT_CONFIG \
       --router=ROUTER_NAME \
       --region=REGION
    

    Replace the following:

    • NAT_CONFIG: the name of your NAT configuration.
    • ROUTER_NAME: the name of your Cloud Router.
    • REGION: the region of the NAT to describe. If not specified, you might be prompted to select a region (interactive mode only).
  • View the mapping of the IP:port-ranges allocated to each VM's interface.

    gcloud compute routers get-nat-mapping-info ROUTER_NAME \
      --region=REGION
    
  • View the status of the Private NAT gateway.

    gcloud compute routers get-status ROUTER_NAME \
      --region=REGION
    

Update Private NAT configurations

After you set up your Private NAT gateway, you can update the gateway configuration based on your requirements. The following sections list the tasks that you can perform to update your Private NAT gateway.

Change subnets associated with Private NAT

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your NAT gateway.

  3. Click Edit.

  4. For Cloud NAT mapping, in the Source list, select Custom.

  5. Select a new subnet from the list of available subnets.

  6. If you want to specify additional ranges, click Add subnet and IP range, and then select another subnet.

  7. Click Save.

gcloud

gcloud beta compute routers nats update NAT_CONFIG \
  --router=ROUTER_NAME \
  --region=REGION \
  --nat-custom-subnet-ip-ranges=SUBNETWORK:ALL|[SUBNETWORK_1:ALL,SUBNETWORK_2:ALL,...]

Replace the following:

  • NAT_CONFIG: the name of your Private NAT configuration to update.
  • ROUTER_NAME: the name of the router to use with this gateway.
  • SUBNETWORK: the name of the subnet to use.

Delete subnets associated with Private NAT

You can remove specific subnets from the NAT gateway that are no longer in use.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your NAT gateway.

  3. Click Edit.

  4. Delete the subnet that you want to remove from NAT mapping.

  5. Click Save.

Add NAT subnets to your Private NAT configuration

To perform NAT on traffic, a Private NAT configuration uses NAT IP addresses from a subnet that has a purpose of PRIVATE_NAT. If your Private NAT configuration requires more than the available number of NAT IP addresses, you can add more subnets of purpose PRIVATE_NAT to the configuration.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your NAT gateway.

  3. Click Edit.

  4. Expand the existing rule.

  5. Click Add subnet ranges.

  6. Select or create a new NAT subnet range, and then click Done.

  7. Click Save.

gcloud

gcloud beta compute routers nats rules update NAT_RULE_NUMBER \
  --nat=NAT_CONFIG \
  --router=ROUTER_NAME \
  --region=REGION \
  --source-nat-active-ranges=NAT_SUBNET_1,NAT_SUBNET_2,...

Replace the following:

  • NAT_RULE_NUMBER: the number that uniquely identifies the rule to update.
  • NAT_CONFIG: the name of your Private NAT configuration for the rule to update.
  • PROJECT_ID: the globally unique identifier for the project where your router is located.
  • NAT_SUBNET: the names of the Private NAT subnets to be added to your existing NAT configuration.

Delete NAT configuration

Deleting a gateway configuration removes the NAT configuration from a Cloud Router. It does not delete the router itself.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Select the checkbox next to the gateway configuration that you want to delete.

  3. On the Menu, click Delete.

gcloud

gcloud compute routers nats delete NAT_CONFIG \
    --router=ROUTER_NAME \
    --region=REGION

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration.
  • ROUTER_NAME: the name of your Cloud Router.
  • REGION: the region of the NAT to delete. If not specified, you might be prompted to select a region (interactive mode only).
