Configure Cloud NAT

This page shows you how to configure Cloud NAT. Before setting up Cloud NAT, read the Cloud NAT overview.

Limitations

If you use manual NAT IP address allocation, and you change the IP addresses that are used for Cloud NAT, all connections on the old IP addresses immediately close. To avoid this, see Drain external IP addresses associated with NAT.
If you configure a Cloud NAT gateway with static port allocation, and you reduce the minimum ports per VM, established NAT connections might be broken. For more information, see Reducing ports per VM.
If you configure a Cloud NAT gateway with dynamic port allocation, and you make any further configuration changes, established NAT connections might be broken. When the configuration change, the number of ports currently allocated to each VM might be temporarily reset to the minimum number configured.
If you configure a Cloud NAT gateway with dynamic port allocation and then turn off dynamic port allocation, all VM connections that use the NAT gateway are closed.
If Endpoint-Independent Mapping is turned on, you can't configure dynamic port allocation or NAT rules.

Before you begin

Complete the following tasks before setting up Cloud NAT.

Get IAM permissions

The roles/compute.networkAdmin role gives you permissions to create a NAT gateway on Cloud Router, reserve and assign NAT IP addresses, and specify subnetworks (subnets) whose traffic should use network address translation by the NAT gateway.

Set up Google Cloud

Before you get started, set up the following items in Google Cloud.

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Install and initialize the Cloud SDK.

In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Install and initialize the Cloud SDK.

The gcloud command-line tool instructions on this page assume that you have set your project ID before issuing commands.

You can set a project ID with the following command:
```
gcloud config set project PROJECT_ID
```
You can also view a project ID that is already set:
```
gcloud config list --format='text(core.project)'
```

Creating NAT

Set up a simple configuration

This configuration automatically allocates the necessary external IP addresses to provide NAT services to a region. VM instances without external IP addresses in any subnet of the region are provided internet access through NAT. This configuration uses static port allocation, which means that each VM is allocated the same number of ports. This configuration also turns on logging for all log types.

When you use automatic NAT IP address allocation, Google Cloud reserves IP addresses in your project automatically. These addresses count against your static IP address quotas in the project.

You can enable or disable Endpoint-Independent Mapping for your gateway. For settings, see Set endpoint mapping.

Console

In the Google Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network for the NAT gateway.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Click Advanced configuration.
Under Stackdriver logging, select Translation and errors. This sends all logs to Cloud Logging.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router

Terraform

You can use a Terraform module to create a Cloud Router with a NAT gateway.

examples/nat/main.tf

View on GitHub

module "cloud_router" {
  source  = "terraform-google-modules/cloud-router/google"
  version = "~> 0.4"
  project = var.project_id # Replace this with your project ID in quotes
  name    = "my-cloud-router"
  network = "default"
  region  = "us-central1"

  nats = [{
    name = "my-nat-gateway"
  }]
}

The resulting NAT gateway uses the following default values:

enable_endpoint_independent_mapping = true
icmp_idle_timeout_sec               = 30
min_ports_per_vm                    = 0
nat_ip_allocate_option              = "AUTO_ONLY"
source_subnetwork_ip_ranges_to_nat  = "ALL_SUBNETWORKS_ALL_IP_RANGES"
tcp_established_idle_timeout_sec    = 1200
tcp_transitory_idle_timeout_sec     = 30
udp_idle_timeout_sec                = 30
log_config {
    enable = true
    filter = "ALL"
}

Specify IP addresses for NAT

You can manually allocate NAT IP addresses for a NAT gateway. If you choose manual allocation, make sure to allocate enough IP addresses to avoid dropped packets. For more information, see NAT IP addresses.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Set NAT IP addresses to Manual.
Select or create a static reserved external IP address to use for NAT.
If you want to specify additional IP addresses, click Add IP address, and then select or create an additional static reserved external IP address.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-all-subnet-ip-ranges \
    --nat-external-ip-pool=IP_ADDRESS1,IP_ADDRESS2

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
IP_ADDRESS1: a static reserved external IP address to use for NAT
IP_ADDRESS2: another static reserved external IP address to use for NAT

Set up NAT with dynamic port allocation

This configuration uses dynamic port allocation with automatic NAT IP address allocation. You can also configure dynamic port allocation with manual NAT IP address allocation.

Using dynamic port allocation lets the NAT gateway allocate different numbers of ports to each VM based on usage.

You must use the alpha version of the gcloud command-line tool to create a NAT gateway that uses dynamic port allocation.

During the Preview of dynamic port allocation, the alpha version of the Compute Engine API for Cloud NAT is needed to run gcloud alpha compute routers nats commands. If you get an error that says you need 'Alpha Access', contact your sales representative or contact support.

gcloud

gcloud alpha compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-dynamic-port-allocation \
    [ --min-ports-per-vm=MIN_PORTS ] \
    [ --max-ports-per-vm=MAX_PORTS ]

Replace the following:

NAT_CONFIG: the name of your NAT configuration.
NAT_ROUTER: the name of your Cloud Router.
MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is turned on, MIN_PORTS must be a power of 2, and can be between 32 and 32768. Default is 32.
MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS. Default is 65536.

Specify subnet ranges for NAT

By default, NAT works for all primary and secondary IP ranges for all subnets in the region for the given VPC network. You can restrict which primary and secondary subnet ranges can use NAT.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Under NAT mapping, set Source to Custom.
Select a subnet.
In the IP ranges drop-down list, select the subnet IP ranges to include.
Click OK.
If you want to specify additional ranges, click Add subnet and IP range.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=SUBNETS

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
SUBNETS: a comma-separated list of subnets

Specify a different minimum number of default ports per VM for NAT

You can configure the number of ports that a Cloud NAT gateway reserves for each VM. For more information, see Ports and connections.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Click Advanced configurations.
Set Minimum ports per VM instance to a different value.
Click Create.

gcloud

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --min-ports-per-vm=128

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router

Specify different timeouts for NAT

For more information about timeouts, see NAT timeouts.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click Get started or Create NAT gateway.
Enter a Gateway name.
Select a VPC network.
Set the Region for the NAT gateway.
Select or create a Cloud Router in the region.
Click Advanced configuration.
Modify timeouts as desired.
Click Create.

gcloud

Use this command to create a NAT gateway with custom settings for these timeouts:

UDP Mapping Idle Timeout
TCP Established Connection Idle Timeout
TCP Transitory Connection Idle Timeout
TCP TIME_WAIT Timeout
ICMP Mapping Idle Timeout

gcloud compute routers nats create NAT_CONFIG \
  --router=NAT_ROUTER \
  --auto-allocate-nat-external-ips \
  --nat-custom-subnet-ip-ranges=SUBNETS \
  --udp-idle-timeout=60s \
  --tcp-established-idle-timeout=60s \
  --tcp-transitory-idle-timeout=60s \
  --tcp-time-wait-timeout=60s \
  --icmp-idle-timeout=60s

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
SUBNETS: a comma-separated list of subnets

Updating NAT

Change subnets and IP address resources associated with NAT

Important: If your Cloud NAT gateway has dynamic port allocation (Preview) configured, use the alpha version of the gcloud command-line tool to make any changes to that NAT gateway. Do not use the Cloud Console or the API.

Console

In the Google Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Under NAT mapping, set Source to Custom.
Select a subnet.
In the IP ranges drop-down list, select the subnet IP ranges to include.
If you want to specify additional ranges, click Add subnet and IP range.
Click the NAT IP addresses drop-down list, and then select Automatic or Manual.
If you select Manual, specify an external IP address.
For high availability with manual IP addresses, click Add IP address, and then add a second address.
Click Save.

gcloud

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3 \
    --nat-custom-subnet-ip-ranges=SUBNETS:range1

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
IP_ADDRESS2: a manual external IP address
IP_ADDRESS3: another manual external IP address
SUBNETS: a comma-separated list of subnets

Change external IP addresses associated with NAT

You can change the list of external IP addresses for a given gateway. When you do, Google Cloud removes the old addresses and adds the new ones. Any existing connections on the old IP addresses immediately close. To let existing connections continue while preventing new connections on those IP addresses, see Drain external IP addresses associated with NAT.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click the NAT IP addresses drop-down list, and then select Automatic or Manual.
If you select Manual, specify an external IP address.
For high availability, click Add IP address, and then add a second address.
Click Save.

gcloud

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
IP_ADDRESS2: a manual external IP address
IP_ADDRESS3: another manual external IP address

Drain external IP addresses associated with NAT

Before you remove a manually configured IP address, you can drain it so that existing connections aren't disrupted. When an IP address is drained, all existing connections are allowed to continue until they expire naturally. You can view the logs to check the status of existing connections.

No new connections are accepted on the drained IP addresses. However, the IP address stays associated with the NAT configuration.

You must have at least one active address in a NAT configuration, which means that you cannot drain all IP addresses in a configuration.

To see the state of your NAT IP addresses, you can Show NAT status.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Under NAT IP addresses, set the IP draining value next to the IP address to On.
Click Save.

gcloud

To drain an address, you must move it from the active pool to the drain pool in the same command. If you remove it from the active pool without adding it to the drain pool in a single command, the IP address is deleted from service and existing connections are terminated immediately.

If you move an IP address from the drain pool to the active pool, you undrain the IP address. If you remove a NAT IP address from both pools, you disconnect it from the NAT configuration.

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-external-ip-pool=IP_ADDRESS3 \
    --nat-external-drain-ip-pool=IP_ADDRESS2

Where:

--nat-external-ip-pool=IP_ADDRESS3: updates the active pool to omit IP_ADDRESS2
--nat-external-drain-ip-pool=IP_ADDRESS2: adds IP_ADDRESS2 to the drain pool

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
IP_ADDRESS3: an IP address
IP_ADDRESS2: another IP address

Change minimum default ports allocated per VM associated with NAT

For information about changing the minimum port allocation, see Increasing ports per VM and Reducing ports per VM.

If your Cloud NAT gateway has dynamic port allocation configured, see Change minimum or maximum ports when dynamic port allocation is configured.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Modify the Minimum ports per VM instance field.
Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --min-ports-per-vm=128

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router

Update an existing NAT gateway to use dynamic port allocation

Before you turn on dynamic port allocation on an existing NAT gateway, make sure that the minimum ports per VM setting is a power of 2, and is between 32 and 32,768. If you need to change the setting, see Change minimum default ports allocated per VM associated with NAT.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud alpha compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --enable-dynamic-port-allocation \
    [ --min-ports-per-vm=MIN_PORTS ] \
    [ --max-ports-per-vm=MAX_PORTS ]

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled, MIN_PORTS must be a power of 2, and can be between 32 and 32768.
MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS. Default is 65536.

Change minimum or maximum ports when dynamic port allocation is configured

After you have configured dynamic port allocation, you can change the minimum or maximum number of ports assigned per VM.

For information about changing the minimum port allocation, see Increasing ports per VM and Reducing ports per VM.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud alpha compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --min-ports-per-vm=MIN_PORTS \
    --max-ports-per-vm=MAX_PORTS

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled, MIN_PORTS must be a power of 2, and can be between 32 and 32768.
MAX_PORTS: the maximum number of ports to allocate for each VM. MAX_PORTS must be a power of 2, and can be between 64 and 65536. MAX_PORTS must be greater than MIN_PORTS.

Change connection timeouts associated with NAT

For more information about timeouts, see NAT timeouts.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Modify any timeout values that you want to change.
Click Save.

gcloud

Use this command to change these timeouts:
- UDP Mapping Idle Timeout
- TCP Established Connection Idle Timeout
- TCP Transitory Connection Idle Timeout
- TCP TIME_WAIT Timeout
- ICMP Mapping Idle Timeout
This command leaves the other fields in the NAT configuration unchanged.
```
gcloud compute routers nats update NAT_CONFIG \
  --router=NAT_ROUTER \
  --udp-idle-timeout=60s \
  --tcp-established-idle-timeout=60s \
  --tcp-transitory-idle-timeout=60s \
  --tcp-time-wait-timeout=60s \
  --icmp-idle-timeout=60s
```

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router

Reset connection timeouts associated with NAT to default values

For more information about timeouts, see NAT timeouts.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configuration.
Remove any user-configured values that you want to reset.
Click Save.

The removed values are reset to the default values.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --clear-udp-idle-timeout \
    --clear-icmp-idle-timeout \
    --clear-tcp-established-idle-timeout \
    --clear-tcp-time-wait-timeout \
    --clear-tcp-transitory-idle-timeout

Replace the following:

NAT_CONFIG: the name of your NAT gateway
NAT_ROUTER: the name of your Cloud Router

Set endpoint mapping

You can enable or disable Endpoint-Independent Mapping for your gateway. By default, it is disabled. Switching Endpoint-Independent Mapping from enabled to disabled (or from disabled to enabled) does not interrupt existing connections.

Do not enable Endpoint-Independent Mapping if your NAT gateway uses NAT rules or dynamic port allocation.

Console

In the Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Click your NAT gateway.
Click Edit.
Click Advanced configurations.
To enable Endpoint-Independent Mapping, select the Enable Endpoint-Independent Mapping checkbox. To disable Endpoint-Independent Mapping, clear the checkbox.
Click Save.

gcloud

Update for an existing gateway

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    [--enable-endpoint-independent-mapping | --no-enable-endpoint-independent-mapping]

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router

Configure logging

To add (turn on), modify, or remove logging for an existing gateway, see Configuring logging.

Deleting NAT

This removes a NAT configuration from a Cloud Router. It does not delete the router itself.

Console

In the Google Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
Select the checkbox next to the gateway configuration that you want to delete.
On the Menu, click Delete.

gcloud

gcloud compute routers nats delete NAT_CONFIG --router=NAT_ROUTER

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router

Showing the NAT configuration, IP:port-ranges, and status

Console

In the Google Cloud Console, go to the Cloud NAT page.

Go to Cloud NAT
To view NAT gateway details, mapping information, or configuration details, click the name of your NAT gateway.
To view NAT status, consult the Status column for your NAT gateway.

gcloud

gcloud compute routers nats describe NAT_CONFIG --router=NAT_ROUTER

Replace the following:

NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router

gcloud compute routers get-nat-mapping-info

The routers get-status command shows NAT status:

gcloud compute routers get-status

Quotas and limits

For quota and limit information, see the quotas page.

Example setups

These examples show you how to test Cloud NAT with Google Cloud:

What's next

Configure logging and monitoring for Cloud NAT.
Troubleshoot common issues with NAT configurations.