Set up and manage network address translation with Private NAT
This page describes how to configure private-to-private network address translation (NAT) in Cloud NAT.
Before you begin
Complete the following tasks before setting up Private NAT.
Review Private NAT specifications
See the following specifications and requirements:
- For general specifications, see Private NAT.
- For traffic between spokes of a Network Connectivity Center hub, including VPC spokes and hybrid spokes, see Private NAT for Network Connectivity Center spokes.
- For traffic between Virtual Private Cloud (VPC) networks and non-Google Cloud networks through Cloud Interconnect or Cloud VPN, see Hybrid NAT.
Get IAM permissions
The Compute Network Admin
role
(roles/compute.networkAdmin
) gives you permissions to create a NAT gateway on
Cloud Router, reserve and assign NAT IP addresses, and specify
subnetworks (subnets) whose traffic should use network address translation by
the NAT gateway.
Set up Google Cloud
Before you get started, set up the following items in Google Cloud.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Compute Engine API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Compute Engine API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
The Google Cloud CLI instructions on this page assume that you have set your project ID before issuing commands.
You can set a project ID with the following command:
gcloud config set project PROJECT_ID
You can also view a project ID that is already set:
gcloud config list --format='text(core.project)'
Create a NAT subnet of purpose PRIVATE_NAT
Before you configure Private NAT, you create a NAT subnet of
purpose PRIVATE_NAT
. The NAT subnet must be in the same region where you plan
to create your Private NAT gateway.
The Private NAT gateway uses IP address ranges from this subnet
to perform NAT. Ensure that this subnet does not overlap with an existing subnet
in any of the connected networks. You cannot create any resource in this subnet.
This subnet is used only for Private NAT.
Console
In the Google Cloud console, go to the VPC networks page.
To show the VPC network details page, click the name of a VPC network.
Click the Subnets tab.
Click Add subnet. In the Add a subnet dialog, do the following:
- Provide a name for the subnet.
- Select a region.
- For Purpose, select Private NAT.
Enter an IP address range, which is the primary IPv4 range for the subnet.
If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information about valid IPv4 subnet ranges, see IPv4 subnet ranges.
Click Add.
gcloud
Use the gcloud compute networks subnet create
command to create the subnet.
gcloud compute networks subnets create NAT_SUBNET \ --network=NETWORK \ --region=REGION \ --range=IP_RANGE \ --purpose=PRIVATE_NAT
Replace the following:
NAT_SUBNET
: the name of the Private NAT subnet range to create.NETWORK
: the network to which the subnetwork belongs.REGION
: the region of the subnetwork to create. If not specified, you might be prompted to select a region (interactive mode only).IP_RANGE
: the IP space allocated to this subnet in CIDR format. Ensure that IP_RANGE takes into account using twice the size of ports required per VM.
Configure Private NAT
You configure Private NAT by creating a Private NAT gateway in the source VPC network. Each gateway is associated with a single VPC network, region, and Cloud Router.
When configuring Private NAT, you can enable one or both of the following:
- Private NAT for Network Connectivity Center spokes. Enables NAT for
traffic between the following:
- A source VPC network and a destination VPC network in the same Network Connectivity Center hub. Both networks must be configured as VPC spokes.
- A source VPC network that is configured as a VPC spoke in a Network Connectivity Center hub and a destination on-premises or other cloud provider network that is connected to the hub through a hybrid spoke.
- Hybrid NAT. Enables NAT for traffic between a source VPC network and a destination on-premises or other cloud provider network. The networks must be connected through Cloud Interconnect or Cloud VPN.
Create a Private NAT gateway
Create a Private NAT gateway in the source VPC network for which you want to configure NAT.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click Get started or Create Cloud NAT gateway.
Enter a gateway name.
For NAT type, select Private.
Select a VPC network for the NAT gateway.
Select the region for the NAT gateway.
Select or create a Cloud Router in the region.
Ensure that VM instances is selected as the source endpoint type.
In the Source list, select Custom.
Select a subnet on which you want to perform NAT.
If you want to specify additional ranges, click Add subnet and IP range.
Click Add a rule.
In the Rule number field, enter any value between
1
to65000
.For Match, select one of the following options:
- To enable Hybrid NAT, select Hybrid connectivity routes.
- To enable Private NAT for Network Connectivity Center spokes, select Network Connectivity Center hub.
- To enable both options, select Hybrid connectivity routes and Network Connectivity Center hub.
Select or create a private NAT subnet range.
Click Done.
Optional: Adjust any of the following settings in the Advanced configurations section:
- Whether to configure logging. By default, No logging is selected.
- Whether to change how Cloud NAT allocates ports. By
default, Enable Dynamic Port Allocation is selected. To
configure static port allocation, clear
Enable Dynamic Port Allocation and
specify Minimum ports per VM instance. The default value
is
64
. - Whether to update NAT timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.
Click Create.
gcloud
Create a Cloud Router in the VPC network for which you want to configure NAT.
Use the
gcloud compute routers create
command.gcloud compute routers create ROUTER_NAME \ --network=NETWORK --region=REGION
Replace the following:
ROUTER_NAME
: a name for the Cloud Router.NETWORK
: the VPC network in which to create the Cloud Router.REGION
: the region in which to create the Cloud Router.
Create a Private NAT gateway and specify one or more subnets of the source VPC network for which you want to configure NAT.
Use the
gcloud compute routers nats create
command with the--type
flag set toPRIVATE
.gcloud compute routers nats create NAT_CONFIG \ --router=ROUTER_NAME --type=PRIVATE --region=REGION \ --nat-custom-subnet-ip-ranges=SUBNETWORK:ALL|[SUBNETWORK_1:ALL,SUBNETWORK_2:ALL,...] | \ [--nat-all-subnet-ip-ranges]
Replace the following:
NAT_CONFIG
: a name for the Private NAT configuration that you are creating.ROUTER_NAME
: the name of the Cloud Router to use with this gateway. This is the Cloud Router that you created in the previous step, and it must not be in use by any other resources.SUBNETWORK
: the name of the subnet or list of subnets for which you want to use NAT.You can also specify a list of subnets in a comma-separated format, such as
SUBNETWORK_1
,SUBNETWORK_2
. Private NAT always performs NAT on all subnet IP ranges for the given subnet or list of subnets.
By default, Private NAT uses dynamic port allocation. If you want to create a Private NAT gateway with static port allocation, run the preceding command with the
--no-enable-dynamic-port-allocation
flag:gcloud compute routers nats create NAT_CONFIG \ --router=ROUTER_NAME --type=PRIVATE --region=REGION \ --nat-custom-subnet-ip-ranges=SUBNETWORK:ALL|[SUBNETWORK_1:ALL,SUBNETWORK_2:ALL,...] | \ [--nat-all-subnet-ip-ranges] --no-enable-dynamic-port-allocation \ [--min-ports-per-vm=VALUE]
Replace
VALUE
with the minimum number of ports to assign per VM. If not specified, Google Cloud assigns the default value of64
.Create a NAT rule to match traffic based on the type of NAT that you are configuring.
Use the
gcloud compute routers nats rules create
command with the--match
flag set to one of the following options:nexthop.is_hybrid
: translates outbound traffic from the source VPC network to an on-premises or other cloud provider network that is connected to Google Cloud through Cloud Interconnect or Cloud VPN.nexthop.hub
: translates outbound traffic from the source VPC spoke to any of the VPC or hybrid spokes that are attached to the same Network Connectivity Center hub as the source VPC spoke.nexthop.is_hybrid || nexthop.hub
: configures both types of Private NAT.
To create a NAT rule for Hybrid NAT, run the following command:
gcloud compute routers nats rules create NAT_RULE_NUMBER \ --router=ROUTER_NAME --region=REGION \ --nat=NAT_CONFIG \ --match='nexthop.is_hybrid' \ --source-nat-active-ranges=NAT_SUBNET
To create a NAT rule for Private NAT for Network Connectivity Center spokes, run the following command:
gcloud compute routers nats rules create NAT_RULE_NUMBER \ --router=ROUTER_NAME --region=REGION \ --nat=NAT_CONFIG \ --match='nexthop.hub == "//networkconnectivity.googleapis.com/projects/PROJECT_ID/locations/global/hubs/HUB"' \ --source-nat-active-ranges=NAT_SUBNET
To create a NAT rule for both Hybrid NAT and Private NAT for Network Connectivity Center spokes, run the following command:
gcloud compute routers nats rules create NAT_RULE_NUMBER \ --router=ROUTER_NAME --region=REGION \ --nat=NAT_CONFIG \ --match='nexthop.is_hybrid || nexthop.hub == "//networkconnectivity.googleapis.com/projects/PROJECT_ID/locations/global/hubs/HUB"' \ --source-nat-active-ranges=NAT_SUBNET
Replace the following:
NAT_RULE_NUMBER
: the rule number that uniquely identifies the NAT rule, from1
to65000
.ROUTER_NAME
: the name of the Cloud Router that you created earlier.REGION
: the region of the Cloud Router.NAT_CONFIG
: the name of the Private NAT configuration that you created earlier.PROJECT_ID
: the Google Cloud project of the Network Connectivity Center hub.HUB
: the name of the Network Connectivity Center hub.NAT_SUBNET
: the name of the Private NAT subnet that you created earlier. You can also specify a list of subnets in a comma-separated format.
View Private NAT configuration
Console
In the Google Cloud console, go to the Cloud NAT page.
To view NAT gateway details, mapping information, or configuration details, click the name of your NAT gateway.
To view NAT status, see the Status column for your NAT gateway.
gcloud
You can view the NAT configuration details by running the following commands:
View the Private NAT gateway configuration.
gcloud compute routers nats describe NAT_CONFIG \ --router=ROUTER_NAME \ --region=REGION
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.ROUTER_NAME
: the name of your Cloud Router.REGION
: the region of the NAT to describe. If not specified, you might be prompted to select a region (interactive mode only).
View the mapping of the IP:port-ranges allocated to each VM's interface.
gcloud compute routers get-nat-mapping-info ROUTER_NAME \ --region=REGION
View the status of the Private NAT gateway.
gcloud compute routers get-status ROUTER_NAME \ --region=REGION
Update Private NAT configuration
After you set up your Private NAT gateway, you can update the gateway configuration based on your requirements. The following sections list the tasks that you can perform to update your Private NAT gateway.
Change subnets associated with Private NAT
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your NAT gateway.
Click
Edit.For Cloud NAT mapping, in the Source list, select Custom.
Select a new subnet from the list of available subnets.
If you want to specify additional ranges, click Add subnet and IP range, and then select another subnet.
Click Save.
gcloud
gcloud compute routers nats update NAT_CONFIG \ --router=ROUTER_NAME \ --region=REGION \ --nat-custom-subnet-ip-ranges=SUBNETWORK:ALL|[SUBNETWORK_1:ALL,SUBNETWORK_2:ALL,..]
Replace the following:
NAT_CONFIG
: the name of your Private NAT configuration to update.ROUTER_NAME
: the name of the router to use with this gateway.SUBNETWORK
: the name of the subnet to use.
Delete subnets associated with Private NAT
You can remove specific subnets from the NAT gateway that are no longer in use.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your NAT gateway.
Click
Edit.Delete the subnet that you want to remove from NAT mapping.
Click Save.
Add NAT subnets to your Private NAT configuration
To perform NAT on traffic, a Private NAT
configuration uses NAT IP addresses from a subnet that has a purpose of PRIVATE_NAT
.
If your Private NAT configuration requires more than the available
number of NAT IP addresses, you can add more subnets of purpose PRIVATE_NAT
to
the configuration.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your NAT gateway.
Click
Edit.Expand the existing rule.
Click Add subnet ranges.
Select or create a new NAT subnet range, and then click Done.
Click Save.
gcloud
gcloud compute routers nats rules update NAT_RULE_NUMBER \ --nat=NAT_CONFIG \ --router=ROUTER_NAME \ --region=REGION \ --source-nat-active-ranges=NAT_SUBNET_1, NAT_SUBNET_2 ...
Replace the following:
NAT_RULE_NUMBER
: the number that uniquely identifies the rule to update.NAT_CONFIG
: the name of your Private NAT configuration for the rule to update.ROUTER_NAME
: the name of the router to use with this gateway.NAT_SUBNET
: the names of the Private NAT subnets to be added to your existing NAT configuration.
Delete NAT configuration
Deleting a gateway configuration removes the NAT configuration from a Cloud Router. It does not delete the router itself.
Console
In the Google Cloud console, go to the Cloud NAT page.
Select the checkbox next to the gateway configuration that you want to delete.
On the
Menu, click Delete.
gcloud
gcloud compute routers nats delete NAT_CONFIG \ --router=ROUTER_NAME \ --region=REGION
Replace the following:
NAT_CONFIG
: the name of your NAT configuration.ROUTER_NAME
: the name of your Cloud Router.REGION
: the region of the NAT to delete. If not specified, you might be prompted to select a region (interactive mode only).
What's next
- Configure logging and monitoring for Cloud NAT.
- Troubleshoot common issues with NAT configurations.