Tune NAT configuration

After you set up your Cloud NAT gateway configuration (either Public NAT or Private NAT), you can edit the configuration based on your requirements. This page lists the tasks that you can perform to tune your Cloud NAT configuration.

Editing a configuration can be disruptive: some changes cause existing network address translation (NAT) connections to drop. For more information about the impact of tuning Cloud NAT configurations, see Impact of tuning NAT configurations on existing NAT connections.

View port usage

Before you modify the minimum port usage per VM, review your per-VM port usage. You can get this information by using the compute.googleapis.com/nat/port_usage metric.

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

    1. In the navigation pane, select Metrics Explorer.

    2. Expand the Select a metric menu, and use the submenus to choose the compute.googleapis.com/nat/port_usage metric:

      • For Resource, select VM instance.
      • For Metric category, select Nat.
      • For Metric, select Port usage.
    3. Click Apply.

    4. To select your Cloud NAT gateway, use the Filters field.

    5. In the Group by section, for labels, select instance_id.

    6. In the Grouping function list, select Max.

    7. Expand More options, and set the Aligner field to max.

    8. To see usage for the past 30 days, specify 30d.

    For more information about using Metrics Explorer, see Select metrics when using Metrics Explorer.

Choose a minimum number of ports per VM

Choosing an appropriate minimum number of ports per VM is important because it determines how efficiently your NAT IP addresses are used: ports reserved for one VM are unavailable to every other VM behind the gateway.

Before you increase the number of ports per VM, consider other strategies for reducing port usage.

If you need to increase the number of ports per VM, start by considering the per-VM port usage in your gateway. For information about how to find this data, see View port usage.

Review your maximum port usage for the past 30 days, or for another period that you think is representative for your Cloud NAT gateway.

Do one of the following:

Change minimum default ports allocated per VM

For help deciding how to configure the minimum number of ports per VM, see Choose a minimum number of ports per VM.

For information about the consequences of changing the minimum port allocation, see the following sections:

If your Cloud NAT gateway has dynamic port allocation configured, see Change minimum or maximum ports when dynamic port allocation is configured.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your Cloud NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. Modify the Minimum ports per VM instance field.

  6. Click Save.

gcloud

This command leaves the other fields in the Cloud NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=ROUTER_NAME \
    --region=REGION \
    --min-ports-per-vm=128

Replace the following:

  • NAT_CONFIG: the name of your Cloud NAT configuration.
  • ROUTER_NAME: the name of your Cloud Router.
  • REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).

Change the port allocation method

Static port allocation and dynamic port allocation have different configuration requirements.

Before you update the port allocation type on an existing Cloud NAT gateway, make sure that the Cloud NAT gateway configuration is compatible with that port allocation type. If the configuration is not compatible, the change fails.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your Cloud NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. Select or deselect Enable Dynamic Port Allocation.

  6. If needed, adjust the values for Minimum ports per VM instance and Maximum ports per VM instance.

  7. Click Save.

gcloud

This command leaves the other fields in the Cloud NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=ROUTER_NAME \
    --region=REGION \
    --enable-dynamic-port-allocation | --no-enable-dynamic-port-allocation \
    [ --min-ports-per-vm=MIN_PORTS ] \
    [ --max-ports-per-vm=MAX_PORTS ]

Replace the following:

  • NAT_CONFIG: the name of your Cloud NAT configuration.
  • ROUTER_NAME: the name of your Cloud Router.
  • REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
  • MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled, MIN_PORTS must be a power of 2, and can be between 32 and 32768.
  • MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS. The default is 65536.
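The following Python script is an added example, not code from the Cloud NAT documentation. It ties together the sizing advice in Choose a minimum number of ports per VM and the gcloud commands in the preceding two sections: it takes each VM's 30-day peak of the nat/port_usage metric (grouped by instance_id with the Max aligner, as described in View port usage), recommends a minimum (and, for dynamic port allocation, a maximum) that satisfies the constraints stated on this page (MIN_PORTS a power of 2 in [32, 32768]; MAX_PORTS a power of 2 in [64, 65536] and greater than MIN_PORTS), and prints the matching gcloud update command. The sample usage figures, the 25% headroom, and the choice to size the dynamic minimum for a median VM are this example's assumptions; the gcloud command is only built as a string, never run.

```python
"""Size Cloud NAT ports per VM from observed usage and emit the update command.

Added example, not part of the Cloud NAT documentation. It encodes the
constraints stated on this page for dynamic port allocation (MIN_PORTS a
power of 2 in [32, 32768]; MAX_PORTS a power of 2 in [64, 65536] and
greater than MIN_PORTS). The per-VM usage figures, the headroom factor and
the median-based initial allocation are constructed assumptions, and the
gcloud command is only built as a string, never executed.
"""
import math

DPA_MIN_RANGE = (32, 32768)    # documented range for --min-ports-per-vm with DPA
DPA_MAX_RANGE = (64, 65536)    # documented range for --max-ports-per-vm


def next_power_of_two(n):
    """Smallest power of 2 that is >= n, for n >= 1."""
    return 1 << (n - 1).bit_length()


def is_power_of_two(n):
    return n > 0 and n & (n - 1) == 0


def clamp_power_of_two(n, lo, hi):
    """Round n up to a power of 2, then clamp into [lo, hi] (both powers of 2)."""
    return min(max(next_power_of_two(n), lo), hi)


def validate_dpa_ports(min_ports, max_ports):
    """Raise ValueError if the pair would be rejected by the documented DPA rules."""
    lo, hi = DPA_MIN_RANGE
    if not (is_power_of_two(min_ports) and lo <= min_ports <= hi):
        raise ValueError("min_ports=%d must be a power of 2 in [%d, %d]" % (min_ports, lo, hi))
    lo, hi = DPA_MAX_RANGE
    if not (is_power_of_two(max_ports) and lo <= max_ports <= hi):
        raise ValueError("max_ports=%d must be a power of 2 in [%d, %d]" % (max_ports, lo, hi))
    if max_ports <= min_ports:
        raise ValueError("max_ports must be greater than min_ports")


def recommend_ports(peak_usage_per_vm, dynamic, headroom=1.25):
    """Recommend port settings from each VM's 30-day peak of nat/port_usage.

    peak_usage_per_vm maps instance_id -> peak port count (the Max-aligned,
    Max-grouped series from Metrics Explorer). Static allocation reserves the
    same fixed block for every VM, so the minimum must cover the busiest VM.
    Dynamic allocation grows a VM's block on demand, so the minimum is sized
    for a typical (median) VM and the maximum for the busiest one; that split
    is this example's choice, not a rule from the documentation.
    """
    peaks = sorted(peak_usage_per_vm.values())
    busiest = math.ceil(peaks[-1] * headroom)
    if not dynamic:
        # A power of 2 is not required for static allocation; rounding keeps the
        # value valid if dynamic port allocation is enabled later.
        return {"min_ports": next_power_of_two(busiest)}
    typical = math.ceil(peaks[len(peaks) // 2] * headroom)
    min_ports = clamp_power_of_two(typical, *DPA_MIN_RANGE)
    max_ports = clamp_power_of_two(busiest, *DPA_MAX_RANGE)
    if max_ports <= min_ports:               # MAX_PORTS must exceed MIN_PORTS
        max_ports = min(min_ports * 2, DPA_MAX_RANGE[1])
    validate_dpa_ports(min_ports, max_ports)
    return {"min_ports": min_ports, "max_ports": max_ports}


def build_update_command(nat_config, router, region, ports, dynamic):
    """Return the gcloud command for this change as one string (not executed).

    Without DPA only --min-ports-per-vm is passed, matching the page's command
    and leaving the allocation mode untouched; enabling DPA passes all three.
    """
    parts = [
        "gcloud compute routers nats update %s" % nat_config,
        "--router=%s" % router,
        "--region=%s" % region,
    ]
    if dynamic:
        parts.append("--enable-dynamic-port-allocation")
    parts.append("--min-ports-per-vm=%d" % ports["min_ports"])
    if dynamic:
        parts.append("--max-ports-per-vm=%d" % ports["max_ports"])
    return " \\\n    ".join(parts)


# Constructed 30-day peaks: four quiet VMs and one busy one.
SAMPLE_PEAKS = {"vm-a": 40, "vm-b": 55, "vm-c": 61, "vm-d": 700, "vm-e": 52}

if __name__ == "__main__":
    for dynamic in (False, True):
        ports = recommend_ports(SAMPLE_PEAKS, dynamic)
        print(build_update_command("my-nat", "my-router", "us-central1", ports, dynamic))
        print()
```

With the constructed peaks, static allocation needs a 1024-port minimum for every VM to cover the one busy VM, whereas dynamic allocation starts each VM at 128 ports and lets only the busy VM grow to 1024. Feed the script real peaks from Metrics Explorer before trusting its output, and remember that lowering the minimum without dynamic port allocation drops existing connections (see Impact of tuning NAT configurations on existing NAT connections).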

Change minimum or maximum ports when dynamic port allocation is configured

After you have configured dynamic port allocation, you can change the minimum or maximum number of ports assigned per VM.

For help deciding how to configure the minimum number of ports per VM, see Choose a minimum number of ports per VM.

For information about the consequences of changing the minimum port allocation, see the following sections:

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your Cloud NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. Adjust the Minimum ports per VM instance and Maximum ports per VM instance fields.

  6. Click Save.

gcloud

This command leaves the other fields in the Cloud NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=ROUTER_NAME \
    --region=REGION \
    --min-ports-per-vm=MIN_PORTS \
    --max-ports-per-vm=MAX_PORTS

Replace the following:

  • NAT_CONFIG: the name of your Cloud NAT configuration.
  • ROUTER_NAME: the name of your Cloud Router.
  • REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
  • MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled, MIN_PORTS must be a power of 2, and can be between 32 and 32768.
  • MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS.

Modify NAT timeouts

The following sections describe NAT timeouts and how to modify them:

NAT timeouts

Cloud NAT uses the following timeouts for protocol connections. These timeouts apply to both Public NAT and Private NAT, except where noted. You can modify the default timeout values to decrease or increase the rate at which ports are reused. Each timeout value is a balance between efficient use of Cloud NAT resources and possible disruption to active connections, flows, or sessions.

Each timeout is listed below with the RFC requirement it implements, its Cloud NAT default, and whether you can configure it.

UDP Mapping Idle Timeout (RFC 4787 REQ-5)

Specifies the number of seconds that a UDP mapping can remain idle, with neither endpoint sending traffic, before Cloud NAT removes the mapping.

UDP Mapping Idle Timeout affects two endpoints that stop sending traffic to each other. It also affects endpoints that take longer to respond, or flows that experience increased network latency.

You can increase the timeout value to decrease the rate at which ports are reused. A larger value holds ports for longer-lived flows and also protects against pauses in traffic over a specific UDP socket.

Cloud NAT default: 30 seconds
Configurable: Yes

TCP Established Connection Idle Timeout (RFC 5382 REQ-5)

Specifies the number of seconds that an established TCP connection can be idle before Cloud NAT removes its mapping.

TCP Established Connection Idle Timeout affects endpoints that take longer to respond, or connections that experience increased network latency.

You can increase the timeout value when you want to open TCP connections and keep them open for a long time without a keepalive mechanism in place.

Cloud NAT default: 1200 seconds (20 minutes)
Configurable: Yes

TCP Transitory Connection Idle Timeout (RFC 5382 REQ-5)

Specifies the number of seconds that a TCP connection can remain in the half-open state before Cloud NAT can delete its mapping.

TCP Transitory Connection Idle Timeout affects an endpoint when the external endpoint takes longer than the specified time to complete the connection, or when there is increased network latency. Unlike the TCP Established Connection Idle Timeout, the TCP Transitory Connection Idle Timeout affects only half-open connections.

Cloud NAT default: 30 seconds
Configurable: Yes

Note: Regardless of the value that you set for this timeout, Cloud NAT might require up to an additional 30 seconds before a Cloud NAT source IP address and source port tuple can be used to process a new connection.

TCP TIME_WAIT Timeout (RFC 5382 REQ-5)

Specifies the number of seconds that a fully closed TCP connection is retained in the Cloud NAT mappings after the connection is closed.

TCP TIME_WAIT Timeout protects your internal endpoints from receiving retransmitted, now invalid packets that belong to a closed TCP connection.

You can decrease the timeout value to improve the reuse of Cloud NAT ports, at the cost of possibly delivering retransmitted packets from an unrelated, previously closed connection to a new connection that reuses the same port.

Cloud NAT default: 120 seconds
Configurable: Yes

Note: Regardless of the value that you set for this timeout, Cloud NAT might require up to an additional 30 seconds before a Cloud NAT source IP address and source port tuple can be used to process a new connection. If you are using dynamic port allocation, set this timeout to 30 seconds or more to avoid dropped packets.

ICMP Mapping Idle Timeout (RFC 5508 REQ-2; applicable to Public NAT only)

Specifies the number of seconds after which Internet Control Message Protocol (ICMP) Cloud NAT mappings that have no traffic are closed.

ICMP Mapping Idle Timeout affects an endpoint when the endpoint takes longer than the specified time to respond, or when there is increased network latency.

Cloud NAT default: 30 seconds
Configurable: Yes

Change NAT timeouts

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your Cloud NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. Modify any timeout values that you want to change.

  6. Click Save.

gcloud

Use the gcloud compute routers nats update command with the following flags to change these timeout values:

  • UDP Mapping Idle Timeout: --udp-idle-timeout
  • TCP Established Connection Idle Timeout: --tcp-established-idle-timeout
  • TCP Transitory Connection Idle Timeout: --tcp-transitory-idle-timeout
  • TCP TIME_WAIT Timeout: --tcp-time-wait-timeout
  • ICMP Mapping Idle Timeout: --icmp-idle-timeout

This command leaves the other fields in the NAT configuration unchanged.

For example, the following command changes the UDP Mapping Idle Timeout value.

gcloud compute routers nats update NAT_CONFIG \
    --router=ROUTER_NAME \
    --region=REGION \
    --udp-idle-timeout=VALUE

Replace the following:

  • NAT_CONFIG: the name of your Cloud NAT configuration.
  • ROUTER_NAME: the name of your Cloud Router.
  • REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
  • VALUE: the timeout value, in seconds.
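The following Python script is an added example, not code from the Cloud NAT documentation. It makes the trade-off described in NAT timeouts concrete: the defaults and the note that Cloud NAT may hold a source IP address and source port tuple for up to 30 additional seconds after the TCP transitory or TIME_WAIT timeout are taken from the table above, and the script uses them to compute how long a port stays unavailable after each kind of flow ends, to estimate the steady-state number of ports a VM holds at a given new-flow rate (Little's law: rate multiplied by hold time, an approximation of this example's own, not a Cloud NAT guarantee), to flag a TIME_WAIT value below 30 seconds when dynamic port allocation is enabled, and to map each timeout to its gcloud flag. The flow kinds and per-second rates are constructed.

```python
"""Relate Cloud NAT timeouts to how long a source port stays unavailable.

Added example, not part of the Cloud NAT documentation. The defaults, the
gcloud flag names and the "up to an additional 30 seconds" note come from
the timeout table on this page; the flow kinds, the per-second rates and the
Little's-law estimate (ports held ~ new flows per second x seconds each port
is held) are this example's own modelling assumptions.
"""
import math

DEFAULT_TIMEOUTS = {
    "udp_idle": 30,
    "tcp_established_idle": 1200,
    "tcp_transitory_idle": 30,
    "tcp_time_wait": 120,
    "icmp_idle": 30,
}

# gcloud flag for each timeout, as listed under Change NAT timeouts.
TIMEOUT_FLAGS = {
    "udp_idle": "--udp-idle-timeout",
    "tcp_established_idle": "--tcp-established-idle-timeout",
    "tcp_transitory_idle": "--tcp-transitory-idle-timeout",
    "tcp_time_wait": "--tcp-time-wait-timeout",
    "icmp_idle": "--icmp-idle-timeout",
}

# Documented slack: after the transitory or TIME_WAIT timeout expires, Cloud NAT
# may still need up to 30 s before the (source IP, source port) tuple is reused.
EXTRA_TUPLE_HOLD = 30
# Documented floor for TIME_WAIT when dynamic port allocation is enabled.
DPA_MIN_TIME_WAIT = 30


def effective_timeouts(overrides):
    """Merge user-set values over the defaults; reject unknown names."""
    unknown = set(overrides) - set(DEFAULT_TIMEOUTS)
    if unknown:
        raise ValueError("unknown timeout(s): %s" % ", ".join(sorted(unknown)))
    return {**DEFAULT_TIMEOUTS, **overrides}


def port_hold_seconds(timeouts, flow_kind):
    """Worst-case seconds a NAT source port stays unavailable after a flow of this kind ends.

    flow_kind: 'tcp_closed' (normal close, lands in TIME_WAIT), 'tcp_half_open'
    (handshake never completes, transitory state), 'udp' or 'icmp'.
    """
    t = effective_timeouts(timeouts)
    if flow_kind == "tcp_closed":
        return t["tcp_time_wait"] + EXTRA_TUPLE_HOLD
    if flow_kind == "tcp_half_open":
        return t["tcp_transitory_idle"] + EXTRA_TUPLE_HOLD
    if flow_kind == "udp":
        return t["udp_idle"]
    if flow_kind == "icmp":
        return t["icmp_idle"]
    raise ValueError("unknown flow kind %r" % flow_kind)


def estimate_ports_held(timeouts, flows_per_second):
    """Little's law: steady-state ports held per VM ~ sum(rate * hold time)."""
    return math.ceil(sum(rate * port_hold_seconds(timeouts, kind)
                         for kind, rate in flows_per_second.items()))


def check_timeouts(overrides, dynamic_port_allocation):
    """Return a list of problems; an empty list means the values look safe to apply."""
    problems = []
    t = effective_timeouts(overrides)
    for name, value in t.items():
        if not isinstance(value, int) or value <= 0:
            problems.append("%s must be a positive whole number of seconds" % name)
    if dynamic_port_allocation and t["tcp_time_wait"] < DPA_MIN_TIME_WAIT:
        problems.append("tcp_time_wait=%d is below %d s; with dynamic port allocation "
                        "this can drop packets" % (t["tcp_time_wait"], DPA_MIN_TIME_WAIT))
    return problems


def update_flags(overrides):
    """gcloud flags that set exactly the overridden timeouts and leave the rest unchanged."""
    effective_timeouts(overrides)  # validates the names
    return ["%s=%d" % (TIMEOUT_FLAGS[name], overrides[name]) for name in sorted(overrides)]


# Constructed workload for one VM: two short TCP connections and one UDP flow per second.
SAMPLE_FLOWS = {"tcp_closed": 2.0, "udp": 1.0}

if __name__ == "__main__":
    for overrides in ({}, {"tcp_time_wait": 60}, {"tcp_time_wait": 20}):
        print(overrides, "->", estimate_ports_held(overrides, SAMPLE_FLOWS), "ports held;",
              check_timeouts(overrides, dynamic_port_allocation=True) or "no problems;",
              update_flags(overrides))
```

With the constructed workload, the default TIME_WAIT of 120 seconds keeps about 330 ports busy per VM, and halving it to 60 seconds brings that down to about 210, which is the kind of number to compare against the minimum ports per VM before deciding whether to shorten a timeout or raise the port allocation instead. Going below 30 seconds is flagged when dynamic port allocation is enabled, matching the note in the timeout table.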

Reset NAT timeouts to default values

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click your Cloud NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. Remove any user-configured values that you want to reset.

  6. Click Save.

The removed values are reset to the default values.

gcloud

This command leaves the other fields in the Cloud NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=ROUTER_NAME \
    --region=REGION \
    --clear-udp-idle-timeout \
    --clear-icmp-idle-timeout \
    --clear-tcp-established-idle-timeout \
    --clear-tcp-time-wait-timeout \
    --clear-tcp-transitory-idle-timeout

Replace the following:

  • NAT_CONFIG: the name of your Cloud NAT configuration.
  • ROUTER_NAME: the name of your Cloud Router.
  • REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).

Impact of tuning NAT configurations on existing NAT connections

The following list summarizes, for each tuning action, whether existing connections drop:

  • Disable Endpoint-Independent Mapping: No
  • Decrease minimum ports per VM while enabling dynamic port allocation, when the new maximum ports per VM is greater than or equal to the old minimum ports per VM and is at least 1024: No
  • Increase minimum ports per VM when dynamic port allocation is already enabled: No
  • Decrease minimum ports per VM when dynamic port allocation is already enabled: No
  • Increase minimum ports per VM when dynamic port allocation is disabled: No
  • Decrease minimum ports per VM when dynamic port allocation is disabled: Yes
  • Increase maximum ports per VM: No
  • Decrease maximum ports per VM when dynamic port allocation is already enabled: Yes
  • Change Cloud NAT timeouts, with dynamic port allocation either enabled or disabled: No
  • Disable dynamic port allocation: Yes
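The following Python script is an added example, not code from the Cloud NAT documentation. It encodes the impact table above as a pre-flight check: given a description of the current gateway settings and the intended settings, it reports whether the documented rules say existing connections drop, and it refuses to guess (raising NotDocumented) for combinations the table does not cover, such as enabling Endpoint-Independent Mapping or enabling dynamic port allocation without the stated minimum and maximum conditions. The configuration dictionaries and sample cases are constructed.

```python
"""Predict whether a Cloud NAT tuning change drops existing connections.

Added example, not part of the Cloud NAT documentation. It encodes only the
rows of the impact table on this page; a change the table does not cover
raises NotDocumented instead of guessing. Configurations are plain dicts and
the sample configurations are constructed.
"""


class NotDocumented(Exception):
    """The impact table says nothing about this change; test it in a staging gateway."""


def config(min_ports, max_ports=None, dynamic=False, eim=True, timeouts=None):
    """Build a minimal gateway description. max_ports applies only with DPA."""
    return {"min_ports": min_ports, "max_ports": max_ports, "dynamic": dynamic,
            "eim": eim, "timeouts": dict(timeouts or {})}


def connection_drop(old, new):
    """Return True if the documented table says this change drops connections."""
    if new["dynamic"] and new["max_ports"] is None:
        raise ValueError("max_ports is required when dynamic port allocation is on")
    if new["eim"] and not old["eim"]:
        raise NotDocumented("enabling Endpoint-Independent Mapping")
    # Disabling EIM and changing timeouts are documented as non-disruptive in
    # either allocation mode, so neither contributes a drop below.
    if old["dynamic"] and not new["dynamic"]:
        return True  # disabling dynamic port allocation: Yes
    if new["dynamic"] and not old["dynamic"]:
        # Only one way of enabling DPA is documented: lower the minimum while the
        # new maximum covers the old fixed block and is at least 1024.
        if (new["min_ports"] < old["min_ports"]
                and new["max_ports"] >= old["min_ports"]
                and new["max_ports"] >= 1024):
            return False
        raise NotDocumented("enabling dynamic port allocation without the documented "
                            "minimum/maximum conditions")
    if new["dynamic"]:
        # DPA stays on: raising or lowering the minimum is fine, raising the
        # maximum is fine, lowering the maximum drops connections.
        return new["max_ports"] < old["max_ports"]
    # DPA stays off: raising the minimum is fine, lowering it drops connections.
    return new["min_ports"] < old["min_ports"]


if __name__ == "__main__":
    static64 = config(min_ports=64)
    cases = [
        ("raise static minimum 64 -> 128", static64, config(min_ports=128)),
        ("lower static minimum 64 -> 32", static64, config(min_ports=32)),
        ("enable DPA 32..1024 from static 64", static64, config(32, 1024, dynamic=True)),
        ("enable DPA 32..512 from static 64", static64, config(32, 512, dynamic=True)),
        ("lower DPA maximum 1024 -> 512", config(32, 1024, dynamic=True),
         config(32, 512, dynamic=True)),
        ("change TIME_WAIT only", static64,
         config(min_ports=64, timeouts={"tcp_time_wait": 60})),
    ]
    for label, old, new in cases:
        try:
            print("%-38s drop=%s" % (label, connection_drop(old, new)))
        except NotDocumented as exc:
            print("%-38s not documented (%s)" % (label, exc))
```

Run the check before a maintenance window: a result of True means planning for dropped connections, and NotDocumented means the change should be rehearsed on a non-production gateway rather than assumed safe.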

What's next