Set up and manage Cloud NAT rules

This page shows you how to configure Cloud NAT rules. Before setting up Cloud NAT rules, read the Cloud NAT rules overview.

Create NAT rules

NAT rules are written using Common Expression Language syntax. For more information about the rule expression language, see Rule expression language.

The example configuration in this section fulfills these two conditions:

  • VMs must use the NAT IP address with resource name IP_ADDRESS1 to send traffic to the destination 198.51.100.10.
  • VMs must use the NAT IP address with resource name IP_ADDRESS2 or IP_ADDRESS3 to send traffic to the destination range 198.51.100.20/30.

You can create one NAT rule to fulfill each of these conditions.

Console

Add a NAT rule to an existing NAT gateway

Add a NAT rule that sends traffic from IP_ADDRESS1 to 198.51.100.10.

  1. In the Google Cloud console, go to the Cloud NAT page.
  2. Select your NAT gateway.
  3. Select Edit.
  4. Under NAT Rules, select Add new rule.
  5. In the Match field, enter 198.51.100.10.
  6. In the IP address menu, select the IP address that you used for IP_ADDRESS1.
  7. In the Rule number field, enter 100.
  8. Select Done.

Add a NAT rule that sends traffic from IP_ADDRESS2 or IP_ADDRESS3 to 198.51.100.20/30.

  1. Under NAT Rules, select Add new rule.
  2. In the Match field, enter 198.51.100.20/30.
  3. In the IP address menu, select the IP address that you used for IP_ADDRESS2.
  4. Select Add IP address, and then select the IP address that you used for IP_ADDRESS3.
  5. In the Rule number field, enter 200.
  6. Select Done.
  7. Select Save to save both rules.

gcloud

You can use the steps in the following sections to create a rule file, create a NAT gateway that uses the rules in the rule file, or add rules to an existing NAT gateway.

Add a NAT rule to an existing NAT gateway

You can add a new NAT rule with the gcloud compute routers nats rules create command. Replace NAT_RULE_NUMBER with the rule number that you want, and replace the other variables with values that match your configuration.

First, add a NAT rule that sends traffic from IP_ADDRESS1 to 198.51.100.10.

gcloud compute routers nats rules create NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='destination.ip == "198.51.100.10"' \
    --source-nat-active-ips=[IP_ADDRESS1] \
    [--region=REGION] [GLOBAL-FLAG ...]

Next, add a NAT rule that sends traffic from IP_ADDRESS2 or IP_ADDRESS3 to 198.51.100.20/30.

gcloud compute routers nats rules create NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='inIpRange(destination.ip, "198.51.100.20/30")' \
    --source-nat-active-ips=[IP_ADDRESS2],[IP_ADDRESS3] \
    [--region=REGION] [GLOBAL-FLAG ...]

Create a rule file

The following code sample is an example rule file. You can modify this rule file to fit your use case, or skip this step if you already have a rule file.

rules:
  - ruleNumber: 100
    match: destination.ip == '198.51.100.10'
    action:
      sourceNatActiveIps:
        - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS1
  - ruleNumber: 200
    match: inIpRange(destination.ip, '198.51.100.20/30')
    action:
      sourceNatActiveIps:
        - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS2
        - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS3

Create a NAT gateway using a NAT rule file

The following command creates a NAT gateway and configures it with rules from a NAT rule file. If you already have a NAT gateway configured, see Add a NAT rule to an existing NAT gateway. Replace the variables with information matching your configuration.

gcloud compute routers nats create NAT_NAME \
    --router=ROUTER_NAME \
    --nat-external-ip-pool=[IP_ADDRESS4],[IP_ADDRESS5] \
    --nat-all-subnet-ip-ranges \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]

Update NAT rules

To update your NAT rules, use the steps in the following sections. Rule files are supported only with the gcloud command-line tool, not with the console.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.
  2. Select your NAT gateway.
  3. Select Edit.
  4. Under Customized rules, click the rule that you want to update.
  5. In the expanded fields, you can modify any information that you want to change.
  6. When you are finished making changes, select Done.
  7. Select Save.

gcloud

Update using a NAT rule file

To use your NAT rule file to update a NAT gateway, use the following command. Replace the variables with information that matches your configuration.

gcloud compute routers nats update NAT_NAME \
    --router=ROUTER_NAME \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]

The following code sample is an example rule file. Note the sourceNatDrainIps action: an address listed there is no longer used for new connections to the matched destination, but connections that already use it are kept open until they finish, so IP_ADDRESS1 drains instead of being cut off.

rules:
  - ruleNumber: 100
    match: destination.ip == '198.51.100.10'
    action:
      sourceNatActiveIps:
        - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS2
      sourceNatDrainIps:
        - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS1
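Before handing a rule file to gcloud, it helps to check it for the mistakes that are easy to make by hand (duplicate rule numbers, a malformed address resource name, an address listed as both active and drain) and to confirm which NAT IP addresses a new connection to a given destination would be left with once drain addresses are excluded. The following Python is an added example, not code from this page or from Google Cloud. It mirrors the two rule files on this page as inline data (constructed; with PyYAML installed, yaml.safe_load() on the real file yields the same structure), recognises only the two match forms the page uses, and reports every rule that matches a destination. The function names and the checks are assumptions of the example, not Cloud NAT's own validation, and precedence between several matching rules is left to the rule number as described in the Cloud NAT rules overview.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Inline data constructed to mirror the two rule files on this page.
# PROJECT_ID, REGION and IP_ADDRESSn are the page's placeholders.
ADDR = "/projects/PROJECT_ID/regions/REGION/addresses/{}"

CREATE_RULES = {
    "rules": [
        {"ruleNumber": 100,
         "match": "destination.ip == '198.51.100.10'",
         "action": {"sourceNatActiveIps": [ADDR.format("IP_ADDRESS1")]}},
        {"ruleNumber": 200,
         "match": "inIpRange(destination.ip, '198.51.100.20/30')",
         "action": {"sourceNatActiveIps": [ADDR.format("IP_ADDRESS2"),
                                           ADDR.format("IP_ADDRESS3")]}},
    ]
}

# The drain example: IP_ADDRESS1 keeps existing connections, takes no new ones.
UPDATE_RULES = {
    "rules": [
        {"ruleNumber": 100,
         "match": "destination.ip == '198.51.100.10'",
         "action": {"sourceNatActiveIps": [ADDR.format("IP_ADDRESS2")],
                    "sourceNatDrainIps": [ADDR.format("IP_ADDRESS1")]}},
    ]
}

# Only the two CEL match forms used on this page are recognised (assumption).
_EQ = re.compile(r"^destination\.ip\s*==\s*['\"]([0-9.]+)['\"]$")
_RANGE = re.compile(r"^inIpRange\(destination\.ip,\s*['\"]([0-9./]+)['\"]\)$")
_ADDR_RE = re.compile(r"^/projects/[^/]+/regions/[^/]+/addresses/[^/]+$")


def match_network(expr: str) -> Optional[ipaddress.IPv4Network]:
    """Translate a supported match expression into the network it covers."""
    m = _EQ.match(expr.strip())
    if m:
        return ipaddress.ip_network(m.group(1) + "/32")
    m = _RANGE.match(expr.strip())
    if m:
        return ipaddress.ip_network(m.group(1), strict=False)
    return None  # any other CEL expression is out of scope for this example


def check_rule_file(doc: dict) -> List[str]:
    """Return the problems found; an empty list means the file looks consistent."""
    problems = []
    seen = set()
    for rule in doc.get("rules", []):
        num = rule.get("ruleNumber")
        if not isinstance(num, int):
            problems.append(f"rule {num!r}: ruleNumber must be an integer")
        elif num in seen:
            problems.append(f"rule {num}: duplicate ruleNumber")
        seen.add(num)
        if match_network(rule.get("match", "")) is None:
            problems.append(f"rule {num}: unsupported match {rule.get('match')!r}")
        action = rule.get("action", {})
        active = action.get("sourceNatActiveIps", [])
        drain = action.get("sourceNatDrainIps", [])
        if not active:
            problems.append(f"rule {num}: no sourceNatActiveIps left for new connections")
        for addr in active + drain:
            if not _ADDR_RE.match(addr):
                problems.append(f"rule {num}: malformed address resource {addr!r}")
        both = set(active) & set(drain)
        if both:
            problems.append(f"rule {num}: listed as both active and drain: {sorted(both)}")
    return problems


def nat_ips_for_new_connection(doc: dict, destination: str) -> Dict[int, List[str]]:
    """Map each matching rule number to the NAT IPs available to a NEW connection.

    Drain addresses are excluded, as the page describes: they keep existing
    connections but accept no new ones. Every matching rule is reported.
    """
    dst = ipaddress.ip_address(destination)
    result: Dict[int, List[str]] = {}
    for rule in doc.get("rules", []):
        net = match_network(rule.get("match", ""))
        if net is not None and dst in net:
            action = rule.get("action", {})
            drain = set(action.get("sourceNatDrainIps", []))
            result[rule["ruleNumber"]] = [
                a for a in action.get("sourceNatActiveIps", []) if a not in drain
            ]
    return result


if __name__ == "__main__":
    for name, doc in (("create", CREATE_RULES), ("update", UPDATE_RULES)):
        print(name, "problems:", check_rule_file(doc) or "none")
    print(nat_ips_for_new_connection(CREATE_RULES, "198.51.100.22"))
    print(nat_ips_for_new_connection(UPDATE_RULES, "198.51.100.10"))
```

Run it after editing a rule file and before the gcloud update; the drained address disappears from the result for new connections while the file still lists it, which is exactly the state the sourceNatDrainIps action is meant to produce.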

Update using a NAT rule command

To update a single NAT rule, use the following command. Replace NAT_RULE_NUMBER with the number of the rule to update, replace MATCH_CONDITIONS with the match conditions expressed in CEL, and replace the other variables with values that match your configuration. Note the --source-nat-drain-ips flag: IP_ADDRESS3 and IP_ADDRESS4 are no longer used for new connections to the matched destination, but connections that already use them are kept open until they finish.

gcloud compute routers nats rules update NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='MATCH_CONDITIONS' \
    --source-nat-active-ips=[IP_ADDRESS1],[IP_ADDRESS2] \
    --source-nat-drain-ips=[IP_ADDRESS3],[IP_ADDRESS4] \
    [--region=REGION] [GLOBAL-FLAG ...]

Delete NAT rules

Console

  1. In the Google Cloud console, go to the Cloud NAT page.
  2. Select your NAT gateway.
  3. Select Edit.
  4. Under Customized rules, hold the pointer over the rule that you want to delete, and then click the delete icon.
  5. Click Save.

gcloud

To remove a NAT rule from a gateway, you can either remove it from the gateway directly, or remove it from the rule file and update the gateway.

Delete using a NAT rule file

You can remove a NAT rule from your rule file directly, and then update your NAT gateway. The command for updating your NAT gateway is repeated here for convenience. Replace the variables with information that matches your configuration.

gcloud compute routers nats update NAT_NAME \
    --router=ROUTER_NAME \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]

Delete using a NAT rule command

Alternatively, you can use a NAT rule delete command to remove a NAT rule from your gateway. Replace the NAT_RULE_NUMBER with the desired NAT rule number, and replace the other variables with information that matches your configuration.

gcloud compute routers nats rules delete NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]

Describe a NAT rule

Console

You can view information about your NAT rules on the Cloud NAT page.

  1. In the Google Cloud console, go to the Cloud NAT page.
  2. Select your NAT gateway.
  3. View the NAT rules.

For additional information about an individual NAT rule, you can do the following:

  1. Select Edit.
  2. Under the Customized rules heading, select a NAT rule.
  3. View the additional information.
  4. Select Cancel to ensure that you do not save any changes.

gcloud

To describe a NAT rule, use the following command. Replace the NAT_RULE_NUMBER with your NAT rule number, and replace the other variables with information that matches your configuration.

gcloud compute routers nats rules describe NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]

List all NAT rules in a NAT gateway

Console

You can view your NAT rules on the Cloud NAT page.

  1. In the Google Cloud console, go to the Cloud NAT page.
  2. Select your NAT gateway.
  3. View the NAT rules.

gcloud

To list all NAT rules in a NAT gateway, use the following command. This also displays all the NAT IP addresses present in the NAT rules, including the default rule. Replace the variables with information that matches your configuration.

gcloud compute routers nats rules list \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]