Using Cloud NAT rules

This page shows you how to configure Cloud NAT rules. Before setting up Cloud NAT rules, read the Cloud NAT overview.

Creating NAT rules

Use the steps in the following sections to create a rule file, create a NAT gateway that uses the rules in the rule file, and add rules to an existing NAT gateway.

NAT rules are written using Common Expression Language syntax. For more information about the rule expression language, see Rule expression language.

During Preview, the alpha version of the Compute Engine API for Cloud NAT is needed to run gcloud alpha compute routers nats commands. If you get an error that says you need 'Alpha Access', contact your sales representative or contact support.

gcloud

Create a rule file

The command in this section creates an example rule file that fulfills the following requirements for VMs in a VPC network. Replace the placeholder IP addresses with the IP addresses in your project:

  • VMs must use the NAT IP address with resource name IP_ADDRESS1 to send traffic to the destination 198.51.100.10.
  • VMs must use the NAT IP address with resource name IP_ADDRESS2 or IP_ADDRESS3 to send traffic to the destination range 198.51.100.20/30.

You can modify this rule file to fit your use case, or skip this step if you already have a rule file.

rules:
 # Rule 100: traffic to the single host 198.51.100.10 leaves via IP_ADDRESS1.
 - ruleNumber: 100
   match: destination.ip == '198.51.100.10/32'
   action:
     sourceNatActiveIps:
     - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS1
 # Rule 200: traffic to 198.51.100.20/30 leaves via IP_ADDRESS2 or IP_ADDRESS3.
 - ruleNumber: 200
   match: inIpRange(destination.ip, '198.51.100.20/30')
   action:
     sourceNatActiveIps:
     - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS2
     - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS3
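The rule file above is the only artifact that decides which external IP a VM's traffic leaves from, so it is worth checking before it is applied. The following Python is an added example and is not part of the Cloud NAT documentation or of any Google tool. It assumes the rule file has already been loaded into the RULES list below (the structure a YAML loader would produce for the file on this page, with placeholder address paths kept as-is), handles only the two match forms the page uses (destination.ip == 'CIDR' and inIpRange(destination.ip, 'CIDR'), optionally joined with ||), and takes the key name sourceNatDrainIps as an assumption mirroring the --source-nat-drain-ips flag shown later on the page. It does not decide precedence between overlapping rules; it reports overlaps so the author resolves them explicitly.

```python
import ipaddress
import re

# Constructed representation of the rule file shown on the page (assumption:
# a YAML loader would produce exactly this structure). The address resource
# paths keep the page's placeholder project, region and address names.
RULES = [
    {"ruleNumber": 100,
     "match": "destination.ip == '198.51.100.10/32'",
     "action": {"sourceNatActiveIps": [
         "/projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS1"]}},
    {"ruleNumber": 200,
     "match": "inIpRange(destination.ip, '198.51.100.20/30')",
     "action": {"sourceNatActiveIps": [
         "/projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS2",
         "/projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS3"]}},
]

# The two match forms used on the page; only this subset of CEL is handled.
_EQ = re.compile(r"^destination\.ip\s*==\s*'([^']+)'$")
_RANGE = re.compile(r"^inIpRange\(\s*destination\.ip\s*,\s*'([^']+)'\s*\)$")
# Shape of a regional address resource path, as used in the rule file.
_ADDR_PATH = re.compile(r"^/projects/[^/]+/regions/[^/]+/addresses/[^/]+$")


def match_cidrs(expr):
    """Return the networks a match expression refers to.
    Terms may be joined with '||'; any other construct is rejected loudly
    rather than silently treated as 'matches nothing'."""
    nets = []
    for term in expr.split("||"):
        term = term.strip()
        m = _EQ.match(term) or _RANGE.match(term)
        if not m:
            raise ValueError(f"unsupported match expression: {term!r}")
        nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def matching_rules(rules, dst_ip):
    """All rules whose match covers dst_ip, ordered by ruleNumber."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in rules if any(ip in n for n in match_cidrs(r["match"]))]
    return sorted(hits, key=lambda r: r["ruleNumber"])


def nat_ips_for(rules, dst_ip):
    """Active NAT IP paths a VM would draw from when sending to dst_ip.
    Returns [] when no rule matches, meaning the gateway's default IP pool
    applies. Raises if more than one rule matches, because the outcome then
    depends on rule precedence rather than on the file alone."""
    hits = matching_rules(rules, dst_ip)
    if len(hits) > 1:
        nums = [r["ruleNumber"] for r in hits]
        raise ValueError(f"{dst_ip} matches overlapping rules {nums}")
    return hits[0]["action"].get("sourceNatActiveIps", []) if hits else []


def lint(rules):
    """Problems a reviewer would want fixed before the file is applied."""
    problems = []
    seen = set()
    for r in rules:
        n = r.get("ruleNumber")
        if n in seen:
            problems.append(f"rule {n}: duplicate ruleNumber")
        seen.add(n)
        try:
            match_cidrs(r.get("match", ""))
        except ValueError as e:
            problems.append(f"rule {n}: {e}")
        action = r.get("action", {})
        active = action.get("sourceNatActiveIps", [])
        drain = action.get("sourceNatDrainIps", [])  # key name is an assumption
        if not active:
            problems.append(f"rule {n}: no sourceNatActiveIps")
        for path in active + drain:
            if not _ADDR_PATH.match(path):
                problems.append(f"rule {n}: malformed address path {path}")
        for path in set(active) & set(drain):
            problems.append(f"rule {n}: {path} is both active and drain")
    # Overlapping destinations across rules make the chosen source IP depend
    # on precedence; flag them so the author resolves the overlap explicitly.
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            try:
                if any(x.overlaps(y)
                       for x in match_cidrs(a["match"])
                       for y in match_cidrs(b["match"])):
                    problems.append(f"rules {a['ruleNumber']} and "
                                    f"{b['ruleNumber']}: overlapping destinations")
            except ValueError:
                pass  # already reported above
    return problems


if __name__ == "__main__":
    print("lint:", lint(RULES) or "ok")
    for dst in ("198.51.100.10", "198.51.100.22", "198.51.100.50"):
        print(dst, "->", nat_ips_for(RULES, dst) or "default pool")
```

Run it against a rule file before the gcloud create or update step; an empty lint result and the expected source IP for each destination you care about is the check that the file says what you think it says. A destination that resolves to the default pool is the case to look at twice, since that traffic will not leave from the addresses the rule file names.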

Create a NAT gateway using a NAT rule file

The following command creates a NAT gateway and configures it with rules from a NAT rule file. If you already have a NAT gateway configured, see Add a NAT rule to an existing NAT gateway. Replace the variables with information matching your configuration.

gcloud alpha compute routers nats create NAT_NAME \
    --router=ROUTER_NAME \
    --nat-external-ip-pool=[IP_ADDRESS1],[IP_ADDRESS2] \
    --nat-all-subnet-ip-ranges \
    --no-enable-endpoint-independent-mapping \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]

Add a NAT rule to an existing NAT gateway

You can add a new NAT rule using the NAT rule command. Replace NAT_RULE_NUMBER with the desired NAT rule number, replace MATCH_CONDITIONS with the rule's match conditions written in CEL (keep the quotes so the shell passes the expression through intact), and replace the other variables with information matching your configuration.

gcloud alpha compute routers nats rules create NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='MATCH_CONDITIONS' \
    --source-nat-active-ips=[IP_ADDRESS1],[IP_ADDRESS2] \
    --source-nat-drain-ips=[IP_ADDRESS3],[IP_ADDRESS4] \
    [--region=REGION] [GLOBAL-FLAG ...]

Updating NAT rules

To use a NAT rule file or a NAT rule command to update your NAT rules, use the steps in the following sections.

gcloud

Update using a NAT rule file

To use your NAT rule file to update a NAT gateway, use the following command. Replace the variables with information that matches your configuration.

gcloud alpha compute routers nats update NAT_NAME \
    --router=ROUTER_NAME \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]

Update using a NAT rule command

To update a single NAT rule, use the following command. Replace NAT_RULE_NUMBER with the desired NAT rule number, replace MATCH_CONDITIONS with the rule's match conditions written in CEL (keep the quotes so the shell passes the expression through intact), and replace the other variables with information that matches your configuration.

gcloud alpha compute routers nats rules update NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='MATCH_CONDITIONS' \
    --source-nat-active-ips=[IP_ADDRESS1],[IP_ADDRESS2] \
    --source-nat-drain-ips=[IP_ADDRESS3],[IP_ADDRESS4] \
    [--region=REGION] [GLOBAL-FLAG ...]

Deleting NAT rules

To remove a NAT rule from a gateway, you can either remove it from the rule file and update the gateway, or remove it from the gateway directly. The steps in the following sections describe both approaches.

gcloud

Delete using a NAT rule file

You can remove a NAT rule from your rule file directly, and then update your NAT gateway. The command for updating your NAT gateway is repeated here for convenience. Replace the variables with information that matches your configuration.

gcloud alpha compute routers nats update NAT_NAME \
    --router=ROUTER_NAME \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]

Delete using a NAT rule command

Alternatively, you can use the NAT rule delete command to remove a NAT rule from your gateway. Replace NAT_RULE_NUMBER with the number of the rule to delete, and replace the other variables with information that matches your configuration.

gcloud alpha compute routers nats rules delete NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]

Describing a NAT rule

gcloud

To describe a NAT rule, use the following command. Replace the NAT_RULE_NUMBER with your NAT rule number, and replace the other variables with information that matches your configuration.

gcloud alpha compute routers nats rules describe NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]

Listing all NAT rules in a NAT gateway

gcloud

To list all NAT rules in a NAT gateway, use the following command. This also displays all the NAT IP addresses present in the NAT rules, including the default rule. Replace the variables with information that matches your configuration.

gcloud alpha compute routers nats rules list \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]