Using Cloud NAT

This page shows you how to configure Cloud NAT. Before setting up Cloud NAT, read the Cloud NAT overview.

Prerequisites

You need to do the following before setting up Cloud NAT.

Get IAM permissions

The roles/compute.networkAdmin role gives you permissions to create a NAT gateway on Cloud Router, reserve and assign NAT IP addresses, and specify subnetworks (subnets) whose traffic should use network address translation by the NAT gateway.

Set up Google Cloud

Before you get started, set up the following items in Google Cloud.

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Install and initialize the Cloud SDK.

Usage scenarios and sample commands

Creating NAT

Set up a simple configuration

This configuration automatically allocates the necessary external IP addresses to provide NAT services to a region. VM instances without external IP addresses in any subnet of the region are provided internet access through NAT. This configuration also turns on logging for all log types.

When you use auto-allocation, Google Cloud reserves IP addresses in your project automatically. These addresses count against your static IP address quotas in the project.

You can enable or disable Endpoint-Independent Mapping for your gateway. For settings, see Set endpoint mapping.

Console

  1. In the Google Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name.

  4. Choose a VPC network.

  5. Set the Region for the NAT gateway.

  6. Select or create a Cloud Router in the region.

  7. Click Logging, minimum ports, timeout to open that section.

  8. Under Stackdriver logging, select Translation and errors. This sends all logs to Cloud Logging.

  9. Click Create.

gcloud 

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router

Specify IP addresses for NAT

Each IP address is the name of a reserved static IP address resource.

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name.

  4. Choose a VPC network.

  5. Set the Region for the NAT gateway.

  6. Select or create a Cloud Router in the region.

  7. Set NAT IP addresses to Manual.

  8. Select or create a static reserved external IP address to use for NAT.

  9. If you want to specify additional IP addresses, click Add IP address, and then select or create an additional static reserved external IP address.

  10. Click Create.

gcloud 

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-all-subnet-ip-ranges \
    --nat-external-ip-pool=IP_ADDRESS1,IP_ADDRESS2

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router
  • IP_ADDRESS1: a static reserved external IP address to use for NAT
  • IP_ADDRESS2: another static reserved external IP address to use for NAT

Specify subnet ranges for NAT

By default, NAT works for all primary and secondary IP ranges for all subnets in the region for the given VPC network. You can restrict which primary and secondary subnet ranges can use NAT.

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name.

  4. Choose a VPC network.

  5. Set the Region for the NAT gateway.

  6. Select or create a Cloud Router in the region.

  7. Under NAT mapping, set Source to Custom.

  8. Select a subnet.

  9. In the IP ranges drop-down list, select the subnet IP ranges to include.

  10. Click OK.

  11. If you want to specify additional ranges, click Add subnet and IP range.

  12. Click Create.

gcloud 

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=SUBNETS

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router
  • SUBNETS: a comma-separated list of subnets

Specify a different minimum number of default ports per VM for NAT

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name.

  4. Choose a VPC network.

  5. Set the Region for the NAT gateway.

  6. Select or create a Cloud Router in the region.

  7. Click Logging, minimum ports, timeout.

  8. Set Minimum ports per VM instance to a different value.

  9. Click Create.

gcloud 

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --min-ports-per-vm=128

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router

For more information, see Ports and connections.

Specify different timeouts for NAT

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name.

  4. Choose a VPC network.

  5. Set the Region for the NAT gateway.

  6. Select or create a Cloud Router in the region.

  7. Click Logging, minimum ports, timeout.

  8. Modify timeouts as desired.

  9. Click Create.

gcloud 

gcloud compute routers nats create NAT_CONFIG \
    --router=NAT_ROUTER \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=SUBNETS \
    --udp-mapping-idle-timeout=60s \
    --icmp-mapping-idle-timeout=60s \
    --tcp-established-connection-idle-timeout=60s \
    --tcp-transitory-connection-idle-timeout=60s

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router
  • SUBNETS: a comma-separated list of subnets

Updating NAT

Change subnets and IP address resources associated with NAT

Console

  1. In the Google Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click your NAT gateway.

  3. Click Edit.

  4. Under NAT mapping, set Source to Custom.

  5. Select a subnet.

  6. In the IP ranges drop-down list, select the subnet IP ranges to include.

  7. If you want to specify additional ranges, click Add subnet and IP range.

  8. Click the NAT IP addresses drop-down list, and then select Automatic or Manual.

  9. If you select Manual, specify an external IP address.

  10. For high availability with manual IP addresses, click Add IP address, and then add a second address.

  11. Click Save.

gcloud 

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3 \
    --nat-custom-subnet-ip-ranges=SUBNETS:range1

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router
  • IP_ADDRESS2: a manual external IP address
  • IP_ADDRESS3: another manual external IP address
  • SUBNETS: a comma-separated list of subnets

Change external IP addresses associated with NAT

You can change the list of external IP addresses for a given gateway. When you do, Google Cloud removes the old addresses and adds the new ones. Any existing connections on the old IP addresses are immediately terminated. To allow existing connections to continue while preventing new connections on those IP addresses, see Drain external IP addresses associated with NAT.

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click the NAT IP addresses drop-down list, and then select Automatic or Manual.

  5. If you select Manual, specify an external IP address.

  6. For high availability, click Add IP address, and then add a second address.

  7. Click Save.

gcloud 

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-external-ip-pool=IP_ADDRESS2,IP_ADDRESS3

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router
  • IP_ADDRESS2: a manual external IP address
  • IP_ADDRESS3: another manual external IP address

Drain external IP addresses associated with NAT

Before you remove a manually configured IP address, you can drain it so that existing connections aren't disrupted. When an IP address is drained, all existing connections are allowed to continue until they expire naturally. You can view the logs to check the status of existing connections.

No new connections are accepted on the drained IP addresses. However, the IP address stays associated with the NAT configuration.

You must have at least one active address in a NAT configuration, which means that you cannot drain all IP addresses in a configuration.

To see the state of your NAT IP addresses, you can Show NAT status.

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click your NAT gateway.

  3. Click Edit.

  4. Under NAT IP addresses, set the IP draining value next to the IP address to On.

  5. Click Save.

gcloud

To drain an address, you must move it from the active pool to the drain pool in the same command. If you remove it from the active pool without adding it to the drain pool in a single command, the IP address is deleted from service and existing connections are terminated immediately.

If you move an IP address from the drain pool to the active pool, you undrain the IP address. If you remove a NAT IP address from both pools, you disconnect it from the NAT configuration.

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --nat-external-ip-pool=IP_ADDRESS3 \
    --nat-external-drain-ip-pool=IP_ADDRESS2

Where:

  • --nat-external-ip-pool=IP_ADDRESS3: updates the active pool to omit IP_ADDRESS2
  • --nat-external-drain-ip-pool=IP_ADDRESS2: adds IP_ADDRESS2 to the drain pool

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router
  • IP_ADDRESS3: an IP address
  • IP_ADDRESS2: another IP address

Change minimum default ports allocated per VM associated with NAT

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Logging, minimum ports, timeout.

  5. Modify the Minimum ports per VM instance field.

  6. Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --min-ports-per-vm=128

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router

For more information, see Ports and connections.

Change connection timeouts associated with NAT

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Logging, minimum ports, timeout.

  5. Modify any timeout values that you want to change.

  6. Click Save.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --udp-mapping-idle-timeout=60s \
    --icmp-mapping-idle-timeout=60s \
    --tcp-established-connection-idle-timeout=60s \
    --tcp-transitory-connection-idle-timeout=60s

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router

Reset connection timeouts associated with NAT to default values

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Logging, minimum ports, timeout.

  5. Remove any user-configured values that you want to reset.

  6. Click Save.

The removed values are reset to the default values.

gcloud

This command leaves the other fields in the NAT configuration unchanged.

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    --clear-udp-mapping-idle-timeout \
    --clear-icmp-mapping-idle-timeout \
    --clear-tcp-established-connection-idle-timeout \
    --clear-tcp-transitory-connection-idle-timeout

Replace the following:

  • NAT_CONFIG: the name of your NAT gateway
  • NAT_ROUTER: the name of your Cloud Router

Set endpoint mapping

You can enable or disable Endpoint-Independent Mapping for your gateway. It is enabled by default.

Console

  1. In the Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. To enable Endpoint-Independent Mapping, select the Enable Endpoint-Independent Mapping checkbox. To disable Endpoint-Independent Mapping, clear the checkbox.

  6. Click Save.

gcloud

Update for an existing gateway

gcloud compute routers nats update NAT_CONFIG \
    --router=NAT_ROUTER \
    [--enable-endpoint-independent-mapping | --no-enable-endpoint-independent-mapping]

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router

Configure logging

To add (turn on), modify, or remove logging for an existing gateway, see Configuring logging.

Deleting NAT

This removes a NAT configuration from a Cloud Router. It does not delete the router itself.

Console

  1. In the Google Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. Select the checkbox next to the gateway configuration that you want to delete.

  3. On the Menu, click Delete.

gcloud 

gcloud compute routers nats delete NAT_CONFIG --router=NAT_ROUTER

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router

Showing the NAT configuration, IP:port-ranges, and status

Console

  1. In the Google Cloud Console, go to the Cloud NAT page.

    Go to the Cloud NAT page

  2. To view NAT gateway details, mapping information, or configuration details, click the name of your NAT gateway.

  3. To view NAT status, consult the Status column for your NAT gateway.

gcloud 

gcloud compute routers nats describe NAT_CONFIG --router=NAT_ROUTER

Replace the following:

  • NAT_CONFIG: the name of your NAT configuration
  • NAT_ROUTER: the name of your Cloud Router
gcloud compute routers get-nat-mapping-info

The existing routers get-status command shows NAT status:

gcloud compute routers get-status

Quotas and limits

A given quota or limit is calculated per resource. Quotas and limits may be per project, per network, per region, or per another resource. For more information, see the quotas page.

Example setups

These examples show you how to test Cloud NAT with Google Cloud:

What's next