Using Cloud NAT

Introduction

This page shows you how to configure Cloud NAT. Before setting up Cloud NAT, review the information in the Cloud NAT Overview.

IAM permissions

  • The roles/compute.networkAdmin role can create a NAT gateway on Cloud Router, reserve/assign NAT IPs, and specify subnets whose traffic should use NAT translation by the NAT gateway.

Example setup

Use this example if you want to see a simple working Cloud NAT configuration.

Step 0: Set GCP project

If you have not already set your default project, set it now. Replace [PROJECT_ID] with your project ID.

Console

Select your project in the project drop-down at the top of the screen.

gcloud

gcloud config set project [PROJECT_ID]

Step 1: Create a VPC network and subnet

If you already have a network and subnet, you can skip this step.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click Create VPC network.
  3. Enter a Name of custom-network1.
  4. Under Subnets, set Subnet creation mode to Custom.
  5. Enter a Name of subnet-us-central-192.
  6. Select a Region of us-central1.
  7. Enter an IP address range of 192.168.1.0/24.
  8. Click Done.
  9. Click Create.

gcloud

  1. Create a new custom subnet network in your project.

    gcloud compute networks create custom-network1 \
        --subnet-mode custom
    NAME            MODE   IPV4_RANGE GATEWAY_IPV4
    custom-network1 custom
  2. Specify the subnet prefix for your first region. In this example, we're assigning 192.168.1.0/24 to region us-central1.

    gcloud compute networks subnets create subnet-us-central-192 \
       --network custom-network1 \
       --region us-central1 \
       --range 192.168.1.0/24
    NAME                  REGION      NETWORK         RANGE
    subnet-us-central-192 us-central1 custom-network1 192.168.1.0/24

Step 2: Create a bastion host for testing

To test Cloud NAT, you need a test VM instance that has no external IP address. You cannot connect directly via SSH to an instance without an external IP address, so you first connect to an instance that does have one (the bastion host), then connect from it to the test instance over its internal IP address.

In this step, create a bastion host VM.

In a later step, use this VM to connect to your test instance.

Console

  1. Go to the VM instances page.

  2. Click the Create or Create instance button.
  3. Specify a Name of bastion-1 for your instance.
  4. Set the Region to us-central1.
  5. Set the Zone to us-central1-c.
  6. Click the Management, security, disks, networking, sole tenancy link.
  7. Click the Networking tab.
  8. Under Network interfaces, click the pencil icon for the VM's default interface.
    1. Set the Network to custom-network1.
    2. Set the Subnetwork to subnet-us-central-192.
    3. Click Done.
  9. Click the Create button to create and start the instance.

gcloud

gcloud compute instances create bastion-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --network custom-network1 \
    --subnet subnet-us-central-192 \
    --zone us-central1-c

Step 3: Create a VM instance with no external IP address

Console

  1. Go to the VM instances page.

  2. Click the Create button.
  3. Specify a Name of nat-test-1 for your instance.
  4. Set the Region to us-central1.
  5. Set the Zone to us-central1-c.
  6. Click the Management, security, disks, networking, sole tenancy link.
  7. Click the Networking tab.
  8. Under Network interfaces, click the pencil icon for the VM's default interface.
    1. Set the Network to custom-network1.
    2. Set the Subnetwork to subnet-us-central-192.
    3. Set External IP to None.
    4. Click Done.
  9. Click the Create button to create and start the instance.

gcloud

gcloud compute instances create nat-test-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --network custom-network1 \
    --subnet subnet-us-central-192 \
    --zone us-central1-c \
    --no-address

Step 4: Create a firewall rule that allows SSH connections

Console

  1. Go to the Firewall rules page in the Google Cloud Platform Console.
  2. Click Create firewall rule.
  3. Enter a Name of allow-ssh.
  4. Specify a Network of custom-network1.
  5. Set Direction of traffic to ingress.
  6. Set Action on match to allow.
  7. Set Targets to All instances in the network.
  8. Set Source filter to IP ranges.
  9. Set Source IP ranges to 0.0.0.0/0.
  10. Set Protocols and ports to Specified protocols and ports.
  11. Select tcp and specify port 22.
  12. Click Create.

gcloud

gcloud compute firewall-rules create allow-ssh \
    --network custom-network1 \
    --allow tcp:22

Step 5: Log into nat-test-1 and confirm that it cannot reach the Internet

Console

  1. Go to the VM instances page.

  2. In the Connect column of bastion-1, select Open in browser window.

    If this is the first time you are connecting to the instance, GCP generates the SSH keys for you.

  3. From bastion-1, connect to nat-test-1:

    ssh nat-test-1 -A

    If this is the first time you are connecting to the instance, GCP generates the SSH keys for you.

  4. From nat-test-1, attempt to connect to the Internet:

    curl example.com

    You should get no result.

gcloud

  1. Add a Compute Engine SSH key to your local host.

    ssh-add ~/.ssh/google_compute_engine
    

  2. Connect to bastion-1:

    gcloud compute ssh bastion-1 --zone us-central1-c -- -A

    If this is the first time you are connecting to the instance, GCP generates the SSH keys for you.

  3. From bastion-1, connect to nat-test-1:

    ssh nat-test-1 -A

    If this is the first time you are connecting to the instance, GCP generates the SSH keys for you.

  4. From nat-test-1, attempt to connect to the Internet:

    curl example.com

    You should get no result.

Step 6: Create a Cloud Router

You must create the Cloud Router in the same region as the instances that use Cloud NAT. The Cloud Router is only used to place NAT information onto the VMs; it is not used as part of the actual NAT gateway.

Console

This step is completed as part of Step 7: Add a NAT configuration to the Cloud Router.

gcloud

gcloud beta compute routers create nat-router \
    --network custom-network1 \
    --region us-central1

Step 7: Add a NAT configuration to the Cloud Router

This configuration allows all instances in the region to use Cloud NAT for all primary and alias IP ranges. It also automatically allocates the external IP addresses for the NAT gateway. See the gcloud command-line interface documentation for more options.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name of nat-test-config.
  4. Set the VPC network to custom-network1.
  5. Set the Region to us-central1.
  6. Under Cloud Router, select Create new router.
    1. Enter a Name of nat-router.
    2. Click Create.
  7. Click Create.

gcloud

gcloud beta compute routers nats create nat-test-config \
    --router-region us-central1 \
    --router nat-router \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips

Step 8: Attempt to connect to the Internet again

It may take up to 3 minutes for the NAT configuration to propagate to the VM, so wait at least a minute before trying to access the Internet again.

Console

  1. Go to the VM instances page.

  2. In the Connect column of bastion-1, select Open in browser window.

    If this is the first time you are connecting to the instance, GCP generates the SSH keys for you.

  3. From bastion-1, connect to nat-test-1:

    ssh nat-test-1 -A

    If this is the first time you are connecting to the instance, GCP generates the SSH keys for you.

  4. From nat-test-1, attempt to connect to the Internet:

    curl example.com

    You should see output that contains the following:

    
    <html>
    <head>
    <title>Example Domain</title>
    ...
    ...
    ...
    </head>
    
    <body>
    <div>
        <h1>Example Domain</h1>
        <p>This domain is established to be used for illustrative examples in documents. You may use this
        domain in examples without prior coordination or asking for permission.</p>
        <p><a href="http://www.iana.org/domains/example">More information...</a></p>
    </div>
    </body>
    </html>
    

gcloud

  1. Connect to bastion-1:

    gcloud compute ssh bastion-1 --zone us-central1-c -- -A
  2. From bastion-1, connect to nat-test-1:

    ssh nat-test-1 -A
  3. From nat-test-1, attempt to connect to the Internet:

    curl example.com

    You should see output that contains the following:

    
    <html>
    <head>
    <title>Example Domain</title>
    ...
    ...
    ...
    </head>
    
    <body>
    <div>
        <h1>Example Domain</h1>
        <p>This domain is established to be used for illustrative examples in documents. You may use this
        domain in examples without prior coordination or asking for permission.</p>
        <p><a href="http://www.iana.org/domains/example">More information...</a></p>
    </div>
    </body>
    </html>
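
Steps 5 and 8 check egress by hand with a single curl, and Step 8 notes that the NAT configuration can take up to 3 minutes to propagate. The following script is an added example, not part of the Cloud NAT documentation: it re-runs the same curl probe from nat-test-1 at a fixed interval until egress works or the 3-minute budget is spent, so a one-off "no result" is not mistaken for a broken configuration. The probe command is a parameter (the `EGRESS_PROBE` string is an assumption of this example), which also lets the retry logic be exercised with a stub off the VM.

```shell
#!/bin/sh
# Added example (not from the Cloud NAT documentation): poll outbound
# connectivity from nat-test-1 until the NAT configuration has propagated.
# Step 8 says propagation can take up to 3 minutes, so the default budget
# is 180 seconds. The probe is passed in as a command string so it can be
# swapped for a stub when exercising this script off the VM.

# wait_for_egress PROBE_CMD [BUDGET_SEC] [INTERVAL_SEC]
# Re-runs PROBE_CMD every INTERVAL_SEC until it succeeds or BUDGET_SEC is
# spent. Prints the number of attempts; exit 0 on success, 1 on timeout.
wait_for_egress() {
    probe=$1
    budget=${2:-180}
    interval=${3:-10}
    [ "$interval" -ge 1 ] || interval=1
    max_attempts=$(( (budget + interval - 1) / interval ))
    [ "$max_attempts" -ge 1 ] || max_attempts=1
    attempts=0
    while :; do
        attempts=$((attempts + 1))
        if sh -c "$probe" >/dev/null 2>&1; then
            echo "$attempts"
            return 0
        fi
        if [ "$attempts" -ge "$max_attempts" ]; then
            echo "$attempts"
            return 1
        fi
        sleep "$interval"
    done
}

# The real probe (assumed for this example). --max-time bounds the whole
# request so a path with no NAT fails quickly instead of hanging; -sS keeps
# curl quiet but still reports errors; -o /dev/null discards the page body.
EGRESS_PROBE='curl -sS --max-time 10 -o /dev/null http://example.com/'

# Stand-alone use on nat-test-1 right after Step 7: sh wait-egress.sh --run
if [ "${1:-}" = "--run" ]; then
    if n=$(wait_for_egress "$EGRESS_PROBE"); then
        echo "egress OK after $n attempt(s)"
    else
        echo "no egress after $n attempt(s): check that the NAT is on a Cloud Router in the VM's region" >&2
        exit 1
    fi
fi
```

Running it with `--run` on nat-test-1 before Step 7 should report no egress after 18 attempts; after Step 7 it should succeed within the first few attempts. A probe that times out is treated the same as one that is refused, which is the failure mode you see on a VM with no external IP and no NAT.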
    

Usage scenarios and sample commands

Create NAT

Auto-allocate NAT for all IP addresses of all subnets in the region

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Click Create.

gcloud

gcloud beta compute routers nats create nat1 \
    --router=my-router \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges

Specify IP addresses for NAT

Each IP address is the name of a reserved static IP address resource.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Set NAT IP addresses to Manual.
  8. Select or create a static reserved external IP address to use for NAT.
  9. If you want to specify additional IP addresses, click Add IP address, then select or create an additional static reserved external IP address.
  10. Click Create.

gcloud

gcloud beta compute routers nats create nat1 \
    --router=my-router \
    --nat-external-ip-pool=ip-address1,ip-address2

Specify subnet ranges for NAT

By default, NAT works for all primary and secondary IP ranges for all subnets in the region for the given VPC network. You can restrict which subnet primary and secondary ranges can use NAT.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Under NAT mapping, set Source to Custom.
  8. Select a subnet.
  9. In the IP ranges drop-down list, select the subnet IP ranges to include.
  10. Click OK.
  11. If you want to specify additional ranges, click Add subnet and IP range.
  12. Click Create.

gcloud

gcloud beta compute routers nats create nat1 \
    --router=my-router \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=[SUBNET_1],[SUBNET_3]

Specify a different minimum number of default ports per VM for NAT

See Number of NAT ports and connections for more information.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Click Minimum ports, timeout.
  8. Set Minimum ports per VM instance to a different value.
  9. Click Create.

gcloud

gcloud beta compute routers nats create nat1 \
    --router=my-router \
    --auto-allocate-nat-external-ips \
    --min-default-ports-per-vm=128
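
Raising `--min-default-ports-per-vm` guarantees each VM more simultaneous connections, but the ports have to come from the NAT IP pool, and the Limitations section caps automatic allocation at 100 addresses per VPC per region. The sizing script below is an added example (not from the Cloud NAT documentation or Google's tooling) that turns a VM count and a minimum-ports value into the number of NAT IP addresses needed and tells you when you have to fall back to reserved addresses with `--nat-external-ip-pool`. It assumes the 64,512 usable source ports (1024 to 65535) per NAT IP address described in the Cloud NAT Overview; the 100-address and 64k-per-VM figures are the ones on this page.

```shell
#!/bin/sh
# Added example (not from the Cloud NAT documentation): work out how many
# NAT IP addresses a --min-default-ports-per-vm value implies. Assumption
# taken from the Cloud NAT overview: each NAT IP address offers 64,512
# source ports (1024-65535). The 100-address auto-allocation limit and the
# 64k connections per VM limit are from this page's Limitations section.
PORTS_PER_NAT_IP=64512
AUTO_ALLOC_IP_LIMIT=100
MAX_PORTS_PER_VM=65536

# nat_ips_needed VM_COUNT MIN_PORTS -> smallest pool that can serve VM_COUNT
# VMs when each is guaranteed MIN_PORTS (integer ceiling division)
nat_ips_needed() {
    echo $(( ($1 * $2 + PORTS_PER_NAT_IP - 1) / PORTS_PER_NAT_IP ))
}

# max_vms NAT_IP_COUNT MIN_PORTS -> how many VMs a pool of that size serves
max_vms() {
    echo $(( $1 * PORTS_PER_NAT_IP / $2 ))
}

# min_ports_ok MIN_PORTS -> exit 0 if the value is within the per-VM limit
min_ports_ok() {
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_PORTS_PER_VM" ]
}

# auto_alloc_fits VM_COUNT MIN_PORTS -> exit 0 if automatic allocation can
# supply the pool, 1 if you must reserve static addresses and pass them
# with --nat-external-ip-pool instead
auto_alloc_fits() {
    [ "$(nat_ips_needed "$1" "$2")" -le "$AUTO_ALLOC_IP_LIMIT" ]
}

# plan VM_COUNT MIN_PORTS: print the sizing summary for one region
plan() {
    vms=$1; ports=$2
    if ! min_ports_ok "$ports"; then
        echo "min ports per VM must be between 1 and $MAX_PORTS_PER_VM" >&2
        return 1
    fi
    ips=$(nat_ips_needed "$vms" "$ports")
    echo "$vms VMs x $ports ports -> $ips NAT IP(s), headroom for $(max_vms "$ips" "$ports") VMs"
    if auto_alloc_fits "$vms" "$ports"; then
        echo "fits under the $AUTO_ALLOC_IP_LIMIT auto-allocated address limit"
    else
        echo "exceeds $AUTO_ALLOC_IP_LIMIT auto-allocated addresses; reserve addresses and use --nat-external-ip-pool"
    fi
}

# Stand-alone usage: sh nat-sizing.sh 1000 128
if [ $# -eq 2 ]; then
    plan "$1" "$2"
fi
```

For the 128-port setting shown above, 1000 VMs fit on two NAT IP addresses with room for 1008 VMs; 100,000 VMs at the same setting need 199 addresses, which is beyond what automatic allocation will hand out, so that region has to be built with reserved addresses.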

Specify different timeouts for NAT

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click Get started or Create NAT gateway.
  3. Enter a Gateway name.
  4. Choose a VPC network.
  5. Set the Region for the NAT gateway.
  6. Select or create a Cloud Router in the region.
  7. Click Minimum ports, timeout.
  8. Modify timeouts as desired.
  9. Click Create.

gcloud

gcloud beta compute routers nats create nat1 \
    --router=my-router \
    --auto-allocate-nat-external-ips \
    --nat-custom-subnet-ip-ranges=[SUBNET_1],[SUBNET_3] \
    --udp-mapping-idle-timeout=60s \
    --icmp-mapping-idle-timeout=60s \
    --tcp-established-connection-idle-timeout=60s \
    --tcp-transitory-connection-idle-timeout=60s

Update NAT

Change subnetworks and IP address resources associated with NAT

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Under NAT mapping, set Source to Custom.
  5. Select a subnet.
  6. In the IP ranges drop-down list, select the subnet IP ranges to include.
  7. If you want to specify additional ranges, click Add subnet and IP range.
  8. Click NAT IP addresses drop-down list and select Automatic or Manual.
  9. If you selected Manual, specify an external IP address.
  10. For high availability with manual IP addresses, click Add IP address and add a second address.
  11. Click Save.

gcloud

gcloud beta compute routers nats update nat1 \
    --router=my-router \
    --nat-external-ip-pool=ip-address2,ip-address3 \
    --nat-custom-subnet-ip-ranges=[SUBNET_3],[SUBNET_3],[SUBNET_3]:range1

Change external IP addresses associated with NAT

This command leaves the other fields in the NAT configuration unchanged.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click NAT IP addresses drop-down list and select Automatic or Manual.
  5. If you selected Manual, specify an external IP address.
  6. For high availability, click Add IP address and add a second address.
  7. Click Save.

gcloud

gcloud beta compute routers nats update nat1 \
    --router=my-router \
    --nat-external-ip-pool=ip-address2,ip-address3

Change minimum default ports allocated per VM associated with NAT

This command leaves the other fields in NAT configuration unchanged.

See Number of NAT ports and connections for more information.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click Minimum ports, timeout.
  5. Modify the Minimum ports per VM instance field.
  6. Click Save.

gcloud

gcloud beta compute routers nats update nat1 \
    --router=my-router \
    --min-default-ports-per-vm=128

Change connection timeouts associated with NAT

This command leaves the other fields in the NAT configuration unchanged.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click Minimum ports, timeout.
  5. Modify any timeout values you want to change.
  6. Click Save.

gcloud

gcloud beta compute routers nats update nat1 \
    --router=my-router \
    --udp-mapping-idle-timeout=60s \
    --icmp-mapping-idle-timeout=60s \
    --tcp-established-connection-idle-timeout=60s \
    --tcp-transitory-connection-idle-timeout=60s

Reset connection timeouts associated with NAT to default values

This command leaves the other fields in the NAT configuration unchanged.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.
  3. Click Edit.
  4. Click Minimum ports, timeout.
  5. Remove any user-configured values you want to reset.
  6. Click Save.

The removed values are reset to the default values.

gcloud

gcloud beta compute routers nats update nat1 \
    --router=my-router \
    --clear-udp-mapping-idle-timeout \
    --clear-icmp-mapping-idle-timeout \
    --clear-tcp-established-connection-idle-timeout \
    --clear-tcp-transitory-connection-idle-timeout

Delete NAT

This removes a NAT configuration from a Cloud Router. It does not delete the router itself.

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Check the checkbox next to the gateway configuration you want to delete.
  3. Click Delete.

gcloud

gcloud beta compute routers nats delete nat1 --router=my-router

Show NAT information

Show the NAT configuration

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.

gcloud

gcloud beta compute routers nats describe nat1 --router=my-router
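
The describe output is also the natural place to review a gateway against the choices made earlier on this page: whether it NATs every subnet range or only the ones that need egress, whether its addresses are auto-allocated or reserved (and, if reserved, whether a second address is present for high availability), and whether any idle timeout is below the 30-second mapping check interval from the Limitations section. The script below is an added example, not from the Cloud NAT documentation or Google's tooling. It assumes the describe output is YAML whose top-level keys follow the Compute API RouterNat resource (`natIpAllocateOption`, `natIps`, `sourceSubnetworkIpRangesToNat` and the `*IdleTimeoutSec` fields); the two sample configurations embedded in it are constructed for the example, not captured from a real project.

```shell
#!/bin/sh
# Added example (not from the Cloud NAT documentation): review a NAT
# configuration as printed by `gcloud beta compute routers nats describe`
# against a few hardening checks. Assumptions: the describe output is YAML
# whose top-level keys follow the Compute API RouterNat resource
# (natIpAllocateOption, natIps, sourceSubnetworkIpRangesToNat and the
# *IdleTimeoutSec fields); the two samples below are constructed for this
# example rather than captured from a real project.

# Constructed: a gateway created with the defaults from "Example setup",
# plus an ICMP timeout that is too small to be honored.
SAMPLE_DEFAULT_NAT='icmpIdleTimeoutSec: 5
minPortsPerVm: 64
name: nat-test-config
natIpAllocateOption: AUTO_ONLY
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
tcpEstablishedIdleTimeoutSec: 1200
tcpTransitoryIdleTimeoutSec: 30
udpIdleTimeoutSec: 30'

# Constructed: two reserved addresses, one subnet's primary range, timeouts
# at or above the 30s check interval.
SAMPLE_HARDENED_NAT='minPortsPerVm: 128
name: nat1
natIpAllocateOption: MANUAL_ONLY
natIps:
- https://www.googleapis.com/compute/beta/projects/PROJECT_ID/regions/us-central1/addresses/ip-address1
- https://www.googleapis.com/compute/beta/projects/PROJECT_ID/regions/us-central1/addresses/ip-address2
sourceSubnetworkIpRangesToNat: LIST_OF_SUBNETWORKS
subnetworks:
- name: https://www.googleapis.com/compute/beta/projects/PROJECT_ID/regions/us-central1/subnetworks/subnet-us-central-192
  sourceIpRangesToNat:
  - PRIMARY_IP_RANGE
tcpEstablishedIdleTimeoutSec: 1200
tcpTransitoryIdleTimeoutSec: 30
udpIdleTimeoutSec: 30'

# nat_field YAML KEY: value of a top-level scalar key (empty if absent)
nat_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# nat_ip_count YAML: number of entries in the top-level natIps list
nat_ip_count() {
    printf '%s\n' "$1" | awk '
        /^natIps:/ { in_list = 1; next }
        /^[^ -]/   { in_list = 0 }
        in_list && /^- / { n++ }
        END { print n + 0 }'
}

# audit_nat YAML: print one finding per line; exit 1 if anything was flagged
audit_nat() {
    yaml=$1
    findings=0

    # Scope: the default NATs every primary and secondary range in the region.
    if [ "$(nat_field "$yaml" sourceSubnetworkIpRangesToNat)" = "ALL_SUBNETWORKS_ALL_IP_RANGES" ]; then
        echo "scope: all subnets and ranges in the region get Internet egress; use --nat-custom-subnet-ip-ranges if only some workloads need it"
        findings=$((findings + 1))
    fi

    # Allocation: with AUTO_ONLY you do not choose the egress addresses, so
    # peers that allowlist you must track whatever gets allocated; with
    # MANUAL_ONLY the update procedure on this page recommends two addresses.
    case "$(nat_field "$yaml" natIpAllocateOption)" in
        AUTO_ONLY)
            echo "ip-allocation: AUTO_ONLY; egress IPs are chosen by the service, pin reserved addresses with --nat-external-ip-pool if peers allowlist you"
            findings=$((findings + 1)) ;;
        MANUAL_ONLY)
            if [ "$(nat_ip_count "$yaml")" -lt 2 ]; then
                echo "ip-allocation: MANUAL_ONLY with a single address; add a second one for high availability"
                findings=$((findings + 1))
            fi ;;
    esac

    # Timeouts: mappings are only checked every 30s, so smaller values are
    # not honored as configured (Limitations section).
    for key in udpIdleTimeoutSec icmpIdleTimeoutSec \
               tcpTransitoryIdleTimeoutSec tcpEstablishedIdleTimeoutSec; do
        v=$(nat_field "$yaml" "$key")
        if [ -n "$v" ] && [ "$v" -lt 30 ]; then
            echo "$key=$v: below the 30s mapping check interval, effective timeout may be up to 30s"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone: `sh nat-audit.sh --demo` audits the two samples;
# `gcloud beta compute routers nats describe nat1 --router=my-router | sh nat-audit.sh -`
# audits a real gateway.
if [ "${1:-}" = "-" ]; then
    audit_nat "$(cat)"
elif [ "${1:-}" = "--demo" ]; then
    audit_nat "$SAMPLE_DEFAULT_NAT" || echo "(default sample flagged)"
    audit_nat "$SAMPLE_HARDENED_NAT" && echo "(hardened sample clean)"
fi
```

The default sample produces three findings (region-wide scope, automatic allocation, a 5-second ICMP timeout) and the hardened sample none; the exit status makes the check usable as a gate in a pipeline that applies NAT changes.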

Show NAT IP:port-ranges

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Click on your NAT gateway.

gcloud

gcloud beta compute routers get-nat-mapping-info my-router

Show NAT status

Console

  1. Go to the Cloud NAT page in the Google Cloud Platform Console.
  2. Consult the Status column for your NAT gateway.

gcloud

The existing routers get-status command shows NAT status.

gcloud beta compute routers get-status my-router

Limits

See the quotas page for limits.

Restrictions

  • Some servers, such as legacy DNS servers, require UDP source port randomization across the full 64k port range for security. Because Cloud NAT selects the source port from a much smaller per-VM pool (64 ports by default, or the user-configured minimum), it is best to assign a public IP address to such servers instead of using Cloud NAT. Since Cloud NAT does not allow connections initiated from outside, most of these servers need an external IP address anyway.

Limitations

  • VMs with an external, public IP address can have 64k TCP, 64k UDP, and 64k ICMP-query sessions (ping) simultaneously if they have enough compute/memory resources. For Cloud NAT, this limit is reduced to a total of 64k connections per VM for all supported protocols combined.
  • NAT ALG (Application Level Gateway) functionality is not supported. This means that Cloud NAT does not rewrite IP addresses carried inside the packet payload (as required by FTP, SIP, and similar protocols).
  • There's a limit of 100 IPs per VPC per region for auto-allocated IP addresses.
  • Small idle connection timeouts may not take effect as configured.

    NAT mappings are checked every 30s for expiration and configuration changes. Even if a connection timeout of 5s is configured, the connection's mapping may not be released for up to 30s in the worst case, and 15s on average.

Also see Troubleshooting and Support.

What's next
