Core Networking

Cloud NAT

Cloud NAT provides network address translation (NAT) for outbound traffic to the internet, Virtual Private Cloud (VPC) networks, on-premises networks, and other cloud provider networks.
Cloud NAT provides NAT for the following Google Cloud resources:
virtual machine (VM) instances
Cloud Run instances through or
Cloud Run functions instances through
App Engine standard environment instances through
Cloud NAT supports address translation for established inbound response packets only. It doesn't allow unsolicited inbound connections.


Types of Cloud NAT

In Google Cloud, you use Cloud NAT to create NAT gateways that let instances in a private subnet connect to resources outside your VPC network.
Using a NAT gateway, you can enable the following types of NAT:
Public NAT
Private NAT
You can have both Public NAT and Private NAT gateways offering NAT services to the same subnet in a VPC network.

Public NAT

Public NAT lets Google Cloud resources that do not have public IP addresses communicate with the internet. These VMs use a set of shared public IP addresses to connect to the internet. Public NAT does not rely on proxy VMs. Instead, a Public NAT gateway allocates a set of external IP addresses and source ports to each VM that uses the gateway to create outbound connections to the internet.
Consider a scenario in which you have VM-1 in subnet-1 whose network interface does not have an external IP address. However, VM-1 needs to connect to the internet to download critical updates. To enable connectivity to the internet, you can create a Public NAT gateway that is configured to apply to the IP address range of subnet-1. Now, VM-1 can send traffic to the internet by using the internal IP address of subnet-1.
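As an added illustration (not code from the Cloud NAT documentation), the following Python model shows the behaviour described above and in the introduction: every VM behind the gateway gets its own block of source ports on a shared external IP, outbound packets are SNATed, and only inbound packets that match an established mapping are DNATed back; unsolicited inbound packets are dropped. The 64-port block size, the 1024 starting port and all IP addresses are constructed sample values, not settings taken from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PublicNatGateway:
    """Simplified model of a Public NAT gateway (assumed semantics, not the real implementation):
    each internal VM is assigned a block of source ports on a shared external IP; outbound flows
    are SNATed from that block and only responses to those flows are DNATed back to the VM."""

    def __init__(self, external_ips, ports_per_vm=64, first_port=1024):
        self.external_ips = list(external_ips)
        self.ports_per_vm = ports_per_vm
        self.first_port = first_port
        self.blocks = {}      # vm_ip -> [ext_ip, next free port, end of block]
        self.snat = {}        # (vm_ip, vm_port, dst_ip, dst_port) -> (ext_ip, ext_port)
        self.dnat = {}        # (ext_ip, ext_port, peer_ip, peer_port) -> (vm_ip, vm_port)
        self._next_block = 0

    def _assign_block(self, vm_ip):
        # Carve port blocks out of the external IPs in order; fail when capacity is exhausted.
        blocks_per_ip = (65536 - self.first_port) // self.ports_per_vm
        idx = self._next_block
        if idx >= blocks_per_ip * len(self.external_ips):
            raise RuntimeError("NAT IP/port capacity exhausted")
        ext_ip = self.external_ips[idx // blocks_per_ip]
        start = self.first_port + (idx % blocks_per_ip) * self.ports_per_vm
        self.blocks[vm_ip] = [ext_ip, start, start + self.ports_per_vm]
        self._next_block += 1

    def outbound(self, pkt):
        """SNAT an outbound packet; a new flow consumes one port from the VM's block."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.snat:
            if pkt.src_ip not in self.blocks:
                self._assign_block(pkt.src_ip)
            block = self.blocks[pkt.src_ip]
            if block[1] >= block[2]:
                raise RuntimeError(f"{pkt.src_ip} has used all {self.ports_per_vm} NAT ports")
            ext = (block[0], block[1])
            block[1] += 1
            self.snat[key] = ext
            self.dnat[(ext[0], ext[1], pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        ext_ip, ext_port = self.snat[key]
        return Packet(ext_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """DNAT only for established flows; anything else is an unsolicited connection and is dropped."""
        vm = self.dnat.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if vm is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, vm[0], vm[1])
```

Running out of ports in a VM's block is the failure mode to watch for in NAT logs and metrics: the gateway cannot open further new flows for that VM until existing mappings are released.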
For more information, see .

Private NAT

Private NAT enables private-to-private NAT for the following traffic.
Type of Private NAT

Traffic: From a VPC network to another VPC network
Description: Private NAT supports private-to-private NAT for VPC networks attached as VPC spokes to a Network Connectivity Center hub. For more information, see .

Traffic: From a VPC network to a network outside of Google Cloud
Description: Private NAT supports the following options for traffic between VPC networks and on-premises or other cloud provider networks:
Private-to-private NAT for networks connected through Network Connectivity Center hybrid spokes. For more information, see .
Private-to-private NAT for networks connected through Cloud Interconnect or Cloud VPN. For more information, see .
Assume that the resources in your VPC network need to communicate with the resources in a VPC network or an on-premises or other cloud provider network that is owned by a different business unit. However, that network contains subnets whose IP addresses overlap with the IP addresses of your VPC network. In this scenario, you create a Private NAT gateway that translates traffic between the subnets in your VPC network to the non-overlapping subnets of the other network.
For more information about Private NAT, see .

Architecture

Cloud NAT is a distributed, software-defined managed service. It's not based on proxy VMs or appliances. Cloud NAT configures the that powers your Virtual Private Cloud (VPC) network so that it provides source network address translation (source NAT or SNAT) for resources. Cloud NAT also provides destination network address translation (destination NAT or DNAT) for established inbound response packets.

Benefits

Cloud NAT provides the following benefits:
Security
When using a Public NAT gateway, you can reduce the need for individual VMs to each have external IP addresses. Subject to egress , VMs without external IP addresses can access destinations on the internet. For example, you might have VMs that only need internet access to download updates or to complete provisioning.
If you use to configure a Public NAT gateway, you can confidently share a set of common external source IP addresses with a destination party. For example, a destination service might only allow connections from known external IP addresses.
A Private NAT gateway does not permit any resource from Network Connectivity Center connected VPC spokes to directly initiate a connection with the VMs inside overlapping subnetworks. When a VM in a Private NAT configuration tries to initiate a connection with a VM in another network, the Private NAT gateway performs SNAT by using the IP addresses from the Private NAT range. The gateway also performs DNAT on the responses to the outbound packets.
Availability
Cloud NAT is a distributed, software-defined managed service. It doesn't depend on any VMs in your project or a single physical gateway device. You configure a NAT gateway on a Cloud Router, which provides the control plane for NAT, holding configuration parameters that you specify. Google Cloud runs and maintains processes on the physical machines that run your Google Cloud VMs.
Scalability
Cloud NAT can be configured to automatically scale the number of NAT IP addresses that it uses, and it supports VMs that belong to managed instance groups, including the groups with enabled.
Performance
Cloud NAT does not reduce the network bandwidth per VM. Cloud NAT is implemented by Google's Andromeda software-defined networking. For more information, see in the Compute Engine documentation.
Logging
For Cloud NAT traffic, you can trace the connections and bandwidth for compliance, debugging, analytics, and accounting purposes.
Monitoring
Cloud NAT exposes key metrics to Cloud Monitoring that give you insight into your fleet's use of NAT gateways. Metrics are sent automatically to Cloud Monitoring. There, you can create custom dashboards, set up alerts, and query metrics.
Additionally, Network Analyzer publishes . Network Analyzer automatically monitors your Cloud NAT configuration to detect and generate these insights.
