This guide can help you solve common issues with Cloud NAT.
Instances can reach the Internet without Cloud NAT
If your VM or container instances can reach the Internet without Cloud NAT, but they shouldn't be able to, check the following:
- Make sure your VMs do not have an external IP address. Either run gcloud compute instances list from the command line or go to the VM instances page. Confirm that there is no external IP address listed. If there is, remove it.
- Make sure your GKE cluster is a private cluster. You can only use Cloud NAT with private clusters.
- Make sure you do not have an instance-based NAT proxy or other proxy set up. Routes for these instance-based solutions override the Cloud NAT routes.
See Cases where NAT is not performed on traffic for details.
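The first check above, as an added example that is not part of the original page: it parses the JSON form of gcloud compute instances list (a constructed sample is embedded; instance names, networks and addresses are made up), reports every network interface that carries an external IP and so bypasses Cloud NAT, and prints the gcloud delete-access-config command an operator would review before removing that address.

```python
import json

# Constructed sample in the shape of `gcloud compute instances list --format=json`,
# trimmed to the fields this check reads. Names, networks and addresses are made up.
SAMPLE_INSTANCES_JSON = """[
  {"name": "nat-only-vm", "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
   "networkInterfaces": [{"name": "nic0", "network": ".../global/networks/prod", "networkIP": "10.0.1.5"}]},
  {"name": "leaky-vm", "zone": ".../zones/us-central1-b",
   "networkInterfaces": [{"name": "nic0", "network": ".../global/networks/prod", "networkIP": "10.0.1.9",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.7"}]}]},
  {"name": "multi-nic-vm", "zone": ".../zones/us-central1-a",
   "networkInterfaces": [
     {"name": "nic0", "network": ".../global/networks/prod", "networkIP": "10.0.2.4"},
     {"name": "nic1", "network": ".../global/networks/dmz", "networkIP": "192.168.0.4",
      "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.8"}]}]}
]"""

def last_segment(url):
    """Zone and network fields are resource URLs; keep only the trailing name."""
    return url.rsplit("/", 1)[-1]

def audit(instances_json):
    """Parse `gcloud compute instances list --format=json` output and return one
    dict per NIC that has an access config (an external IP). Internet-bound
    traffic from such a NIC goes out directly and never through Cloud NAT."""
    findings = []
    for inst in json.loads(instances_json):
        for nic in inst.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs", []):
                findings.append({
                    "instance": inst["name"],
                    "zone": last_segment(inst["zone"]),
                    "nic": nic.get("name", "nic0"),
                    "network": last_segment(nic["network"]),
                    "access_config": cfg.get("name", ""),
                    "external_ip": cfg.get("natIP", "(ephemeral, not yet assigned)"),
                })
    return findings

def remediation_commands(findings):
    """Build the gcloud command that removes each offending access config, for a
    human to review and run; nothing is executed here."""
    return [
        "gcloud compute instances delete-access-config {instance} --zone {zone} "
        "--network-interface {nic} --access-config-name \"{access_config}\"".format(**f)
        for f in findings
    ]

if __name__ == "__main__":
    for f in audit(SAMPLE_INSTANCES_JSON):
        print("{instance} ({zone}) {nic} on {network}: external IP {external_ip}".format(**f))
    for cmd in remediation_commands(audit(SAMPLE_INSTANCES_JSON)):
        print("  fix:", cmd)
```

Feed it real output with gcloud compute instances list --format=json; a multi-NIC VM is reported per interface, since only the interfaces without an external IP use Cloud NAT.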
Can I share the same NAT gateway with multiple regions in my VPC network?
- No. The NAT gateway is per-region, per-network.
Cloud NAT and IP addresses
Can a VM or container instance with an external IP use Cloud NAT?
- No, VM and container instances with external IP addresses or with other routes to the Internet cannot use Cloud NAT. See Cases where NAT will not be performed on traffic for details.
Are NAT IPs global?
- No. NAT IPs are regional. That is why each region needs a separate NAT configuration.
Cloud NAT and ports
Why does a VM have a fixed number of ports (default = 64)?
- When an external IP is assigned to an instance, all packets to and from that IP can easily be mapped to that instance, irrespective of the port number. With Cloud NAT, one NAT IP address is shared by many instances, so the source port is what distinguishes their connections; each instance is therefore allocated a fixed block of ports (64 by default) on the shared address.
Can a VM have more than 64 ports?
- Yes. Every VM gets 64 ports by default. If the VM has alias IP ranges, it may get more ports. If there are multiple secondary ranges and they are all put in different NAT configurations, then a lot more than 64 ports are allocated to the VM.
- NOTE: If all secondary alias IP ranges are put in the same NAT configuration, then only 64 ports are allocated.
- If it's a multi-NIC VM, then each NIC that is part of a virtual network gets at least 64 ports.
- NOTE: You can also change this default value of 64 by configuring a different value for minPortsPerVm for your NAT config.
Can I decrease the number of ports allocated per VM from a NAT config after the NAT config is created?
- Yes, you can increase and decrease the number of ports per VM for an existing NAT configuration.
Does Cloud NAT work with Google Services?
- Yes, in a way. Cloud NAT does not provide direct access to Google Services, but all subnets in a region where you enable Cloud NAT are automatically enabled for Private Google Access. Private Google Access allows VMs without an external IP address to reach most Google services.
Cloud NAT and other Google services
How can I connect via SSH to a VM or cluster behind Cloud NAT that doesn't have an external IP address?
- Unless your VPC network is connected to an on-premises network via Cloud VPN or Interconnect, you cannot connect directly to an instance that has only an internal IP address. In that case, you must set up a bastion instance that has an external IP address and then tunnel through it. For examples, see Example Compute Engine setup and Example GKE setup.
Can I use NAT (over VPN) for communication between VMs or clusters in GCP and on-premises hosts to avoid collisions between subnetworks with overlapping IP ranges?
- No. Cloud NAT primarily allows instances to reach the Internet. If a specific public IP can be reached over the VPN, a static route has to be created. NAT isn't used in this case.
Is hairpinning supported?
Hairpinning allows an instance without an external IP address to access another instance through the other instance's external IP address, even though both instances are in the same network and accessible to each other via their internal, private IP addresses.
- Cloud NAT supports hairpinning. When the first instance sends a packet to the second, the packet gets NAT-translated and is then sent to the second instance. Similarly, the response is NAT-translated and sent to the first instance.
- See Using Cloud NAT for instructions on configuring and maintaining Cloud NAT.