Using Cloud NAT

Introduction

This page shows you how to configure Cloud NAT. Before setting up Cloud NAT, read the Cloud NAT Overview.

Prerequisites

IAM permissions

  • The roles/compute.networkAdmin role can create a NAT gateway on Cloud Router, reserve/assign NAT IPs, and specify subnets whose traffic should use NAT translation by the NAT gateway.

Set up Google Cloud Platform

Before you get started, set up the following items in GCP.

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.


  3. Make sure that billing is enabled for your Google Cloud Platform project. Learn how to enable billing.

  4. Install and initialize the Cloud SDK.

Set the project that your gcloud commands act on:

  gcloud config set project [PROJECTID]

You can also view a project ID that is already set:

  gcloud config list --format='text(core.project)'

Example setups

These examples show you how to test Cloud NAT with GCP.

Example Compute Engine setup

See Example Compute Engine Setup.

Example GKE setup

See Example GKE Setup.

Usage scenarios and sample commands

Create NAT

Simple configuration

This configuration automatically allocates the necessary external IP addresses to provide NAT services to a region. VM instances without external IP addresses in any subnet of the region are provided Internet access through NAT. It also turns on logging for all log types.

When you use auto-allocation, GCP reserves IP addresses in your project automatically. These addresses count against your static IP address quotas in the project.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Click Logging, minimum ports, timeout to open that section.
  8. Under Stackdriver logging, select the following:
    • Logging for translation info and errors — sends all logs to Stackdriver
  9. Click Create.

gcloud

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging

Specify IP addresses for NAT

Each IP address is the name of a reserved static IP address resource.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Set NAT IP addresses to Manual.
  8. Select or create a static reserved external IP address to use for NAT.
  9. If you want to specify additional IP addresses, click Add IP address, then select or create an additional static reserved external IP address.
  10. Click Create.

gcloud

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --nat-external-ip-pool=ip-address1,ip-address2

Specify subnet ranges for NAT

By default, NAT works for all primary and secondary IP ranges for all subnets in the region for the given VPC network. You can restrict which subnet primary and secondary ranges can use NAT.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Under NAT mapping, set Source to Custom.
  8. Select a subnet.
  9. In the IP ranges drop-down list, select the subnet IP ranges to include.
  10. Click OK.
  11. If you want to specify additional ranges, click Add subnet and IP range.
  12. Click Create.

gcloud

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=[SUBNET_1],[SUBNET_3]

Specify a different minimum number of default ports per VM for NAT

See Number of NAT ports and connections for more information.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Click Logging, minimum ports, timeout.
  8. Set Minimum ports per VM instance to a different value.
  9. Click Create.

gcloud

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --auto-allocate-nat-external-ips \
    --min-ports-per-vm=128

Specify different timeouts for NAT

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Click Logging, minimum ports, timeout.
  8. Modify timeouts as desired.
  9. Click Create.

gcloud

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=[SUBNET_1],[SUBNET_3] \
    --udp-mapping-idle-timeout=60s \
    --icmp-mapping-idle-timeout=60s \
    --tcp-established-connection-idle-timeout=60s \
    --tcp-transitory-connection-idle-timeout=60s

Update NAT

Change subnetworks and IP address resources associated with NAT

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Under NAT mapping, set Source to Custom.
  5. Select a subnet.
  6. In the IP ranges drop-down list, select the subnet IP ranges to include.
  7. If you want to specify additional ranges, click Add subnet and IP range.
  8. Click NAT IP addresses drop-down list and select Automatic or Manual.
  9. If you selected Manual, specify an external IP address.
  10. For high availability with manual IP addresses, click Add IP address and add a second address.
  11. Click Save.

gcloud

gcloud compute routers nats update nat-config \
    --router=nat-router \
    --nat-external-ip-pool=ip-address2,ip-address3 \
    --nat-custom-subnet-ip-ranges=[SUBNET_3],[SUBNET_3],[SUBNET_3]:range1

Change external IP addresses associated with NAT

You can change the list of external IP addresses for a given gateway. When you do, GCP removes the old addresses and adds the new ones. Any existing connections on the old IP addresses are immediately terminated. To allow existing connections to continue while preventing new connections on those IP addresses, see Drain external IP addresses associated with NAT.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click NAT IP addresses drop-down list and select Automatic or Manual.
  5. If you selected Manual, specify an external IP address.
  6. For high availability, click Add IP address and add a second address.
  7. Click Save.

gcloud

gcloud compute routers nats update nat-config \
    --router=nat-router \
    --nat-external-ip-pool=ip-address2,ip-address3

Drain external IP addresses associated with NAT

Before you remove a manually configured IP address, you can drain it so that existing connections aren't disrupted. When an IP address is drained, all existing connections are allowed to continue until they expire naturally. You can view the logs to check the status of existing connections.

No new connections are accepted on the drained IP addresses. However, the IP address stays associated with the NAT configuration.

You must have at least one active address in a NAT configuration, meaning you cannot drain all IP addresses in a configuration.

You can Show NAT status to see the state of your NAT IP addresses.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click your NAT gateway.
  3. Click Edit.
  4. Under NAT IP addresses, set the IP draining value next to the IP address to On.
  5. Click Save.

gcloud

To drain an address, you must move it from the active pool to the drained pool in the same command. If you remove it from the active pool without adding it to the drain pool in a single command, the IP address is deleted from service and existing connections are terminated immediately.

If you move an IP address from the drain pool to the active pool, you undrain the IP address. If you remove a NAT IP address from both pools, you disconnect it from the NAT configuration.

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update nat-config \
    --router=nat-router \
    --nat-external-ip-pool=ip-address3 \
    --nat-external-drain-ip-pool=ip-address2

where

  • --nat-external-ip-pool=ip-address3 updates the active pool to omit ip-address2
  • --nat-external-drain-ip-pool=ip-address2 adds ip-address2 to the drain pool
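Because a drain only works when the address leaves the active pool and joins the drain pool in the same update, it is worth composing that command mechanically rather than by hand. The script below is an added example, not Google's code or a command from this page: it assumes the NAT configuration is named nat-config on router nat-router (the names used throughout this page), takes the current active and drained pools as comma-separated lists of reserved-address resource names, refuses to drain the last active address (which the configuration must keep), and prints the resulting gcloud command instead of running it.

```shell
#!/bin/sh
# Added example (not Google's code): compose the single "nats update" command
# that drains one manually reserved NAT address without disrupting connections.
# Assumptions: NAT configuration "nat-config" on router "nat-router" (names
# from this page); pools are comma-separated reserved-address resource names.
NAT_NAME=nat-config
ROUTER=nat-router

# Print comma-separated list $1 with item $2 removed.
list_without() {
    list=$1; drop=$2; out=""
    old_ifs=$IFS; IFS=','; set -- $list; IFS=$old_ifs
    for item in "$@"; do
        if [ "$item" != "$drop" ]; then
            out="${out:+$out,}$item"
        fi
    done
    printf '%s' "$out"
}

# Print the flags that drain address $3, given active pool $1 and drain pool $2.
# The address is removed from the active pool and added to the drain pool in
# the SAME update; doing only the removal would cut its connections at once.
# Returns 1 (and prints nothing) if $3 is not active or is the last active address.
drain_flags() {
    active=$1; drained=$2; addr=$3
    case ",$active," in
        *",$addr,"*) ;;
        *) echo "error: $addr is not in the active pool" >&2; return 1 ;;
    esac
    new_active=$(list_without "$active" "$addr")
    if [ -z "$new_active" ]; then
        echo "error: refusing to drain the last active address" >&2
        return 1
    fi
    new_drained="${drained:+$drained,}$addr"
    printf '%s --nat-external-drain-ip-pool=%s\n' \
        "--nat-external-ip-pool=$new_active" "$new_drained"
}

# Print the complete gcloud command for review (it is not executed here).
drain_command() {
    flags=$(drain_flags "$1" "$2" "$3") || return 1
    printf 'gcloud compute routers nats update %s --router=%s %s\n' \
        "$NAT_NAME" "$ROUTER" "$flags"
}

# Demonstration with this page's addresses: drain ip-address2, keep ip-address3.
drain_command "ip-address2,ip-address3" "" "ip-address2"
```

Pipe the printed command into a shell only after checking it; the point of printing first is that an address missing from both pools is removed from the configuration outright, which is exactly the outcome a drain is meant to avoid.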

Change minimum default ports allocated per VM associated with NAT

See Number of NAT ports and connections for more information.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click Logging, minimum ports, timeout.
  5. Modify the Minimum ports per VM instance field.
  6. Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update nat-config \
    --router=nat-router \
    --min-ports-per-vm=128

Change connection timeouts associated with NAT

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click Logging, minimum ports, timeout.
  5. Modify any timeout values you want to change.
  6. Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update nat-config \
    --router=nat-router \
    --udp-mapping-idle-timeout=60s \
    --icmp-mapping-idle-timeout=60s \
    --tcp-established-connection-idle-timeout=60s \
    --tcp-transitory-connection-idle-timeout=60s

Reset connection timeouts associated with NAT to default values

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click Logging, minimum ports, timeout.
  5. Remove any user-configured values you want to reset.
  6. Click Save.

The removed values are reset to the default values.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update nat-config \
    --router=nat-router \
    --clear-udp-mapping-idle-timeout \
    --clear-icmp-mapping-idle-timeout \
    --clear-tcp-established-connection-idle-timeout \
    --clear-tcp-transitory-connection-idle-timeout

Add, modify, or delete logging

To turn on, modify, or remove logging for an existing gateway, see Configuring logging.

Delete NAT

This removes a NAT configuration from a Cloud Router. It does not delete the router itself.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Check the checkbox next to the gateway configuration you want to delete.
  3. Click Delete.

gcloud

gcloud compute routers nats delete nat-config --router=nat-router

where you replace

  • nat-config with the name of your NAT configuration
  • nat-router with the name of your Cloud Router

Show NAT information

Show the NAT configuration

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.

gcloud

gcloud compute routers nats describe nat-config --router=nat-router

Show NAT IP:port-ranges

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.

gcloud

gcloud compute routers get-nat-mapping-info nat-router

Show NAT status

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Consult the Status column for your NAT gateway.
  3. Click the name of the gateway to see configuration details.

gcloud

The existing routers get-status command shows NAT status for the Cloud Router that hosts the gateway.

gcloud compute routers get-status nat-router

Limits

See the quotas page for limits.

Restrictions

  • Some servers, such as legacy DNS servers, require UDP source port randomization across the full 64k port range for security. Because Cloud NAT selects a random port from only the 64 ports (or the user-configured number of ports) allocated to the VM, it is best to assign a public IP address to these servers instead of using Cloud NAT. Because Cloud NAT does not allow connections initiated from outside, most of these servers require an external IP address anyway.
  • Cloud NAT is not available for legacy networks.

Limitations

  • VMs with an external, public IP address can have 64k TCP, 64k UDP, and 64k ICMP-query sessions (ping) simultaneously if they have enough compute/memory resources. For Cloud NAT, this limit is reduced to a total of 64k connections per VM for all supported protocols combined.
  • NAT ALG (Application Level Gateway) functionality is not supported. This means that Cloud NAT does not rewrite IP addresses carried inside packet payloads (as FTP, SIP, and similar protocols require).
  • There is a limit of 100 IPs per VPC per region for auto-allocated IP addresses.
  • Small idle connection timeouts may not take effect as quickly as configured.

    NAT mappings are checked every 30s for expiration and configuration changes. Even if a connection timeout value of 5s is used, the connection may not be available for up to 30s in the worst case, and 15s in the average case.
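The port-randomization restriction above and the per-VM and per-region limits in this list, together with the --min-ports-per-vm setting shown earlier, are easier to reason about with a small planning script. The following is an added example, not Google's code or output from any gcloud command: it assumes 64,512 usable source ports per NAT IP address (ports 1024 to 65535) and the simple static model in which every VM receives exactly its --min-ports-per-vm share, and the fleet sizes it runs are constructed. It reports how many NAT addresses a fleet needs, how many VMs one address can serve, whether the fleet fits under the 100 auto-allocated addresses this page allows, and how many bits of source-port unpredictability each VM gets compared with a dedicated external IP.

```shell
#!/bin/sh
# Added example (not Google's code). Assumptions: 64512 usable source ports per
# NAT IP (1024-65535); static allocation, each VM gets exactly MIN_PORTS ports;
# 100 auto-allocated addresses per VPC per region (the limit stated on this page).
PORTS_PER_NAT_IP=64512
AUTO_ALLOC_IP_LIMIT=100

# Integer ceiling of $1 / $2.
ceil_div() { echo $(( ($1 + $2 - 1) / $2 )); }

# NAT IPs needed so that each of $1 VMs receives $2 ports (--min-ports-per-vm).
nat_ips_needed() { ceil_div $(( $1 * $2 )) "$PORTS_PER_NAT_IP"; }

# Maximum VMs one NAT IP can serve when each VM is allocated $1 ports.
vms_per_nat_ip() { echo $(( PORTS_PER_NAT_IP / $1 )); }

# floor(log2 $1): bits of unpredictability in a source port chosen from $1 ports.
log2_floor() {
    n=$1; bits=0
    while [ "$n" -gt 1 ]; do n=$(( n / 2 )); bits=$(( bits + 1 )); done
    echo "$bits"
}

# Print a plan for $1 VMs at $2 ports each. Returns 1 when the fleet would need
# more auto-allocated addresses than the per-region limit permits.
plan() {
    vms=$1; min_ports=$2
    ips=$(nat_ips_needed "$vms" "$min_ports")
    echo "$vms VMs x $min_ports ports -> $ips NAT IP(s); up to $(vms_per_nat_ip "$min_ports") VMs per IP"
    echo "source-port unpredictability: $(log2_floor "$min_ports") bits per VM behind NAT" \
         "vs $(log2_floor "$PORTS_PER_NAT_IP") bits with a dedicated external IP"
    if [ "$ips" -gt "$AUTO_ALLOC_IP_LIMIT" ]; then
        echo "exceeds the $AUTO_ALLOC_IP_LIMIT auto-allocated IP limit:" \
             "reserve addresses with --nat-external-ip-pool or lower --min-ports-per-vm" >&2
        return 1
    fi
}

# Constructed fleet sizes: the page's default (64) and its example (128).
plan 1000 64
plan 1000 128
```

The 6 bits versus 15 bits line is the quantitative form of the DNS-server restriction: a VM behind Cloud NAT draws its source port from a pool of 64 (or the configured minimum), so services that depend on a wide, unpredictable port range belong on their own external address.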
