Overview
Network Address Translation (NAT) settings refer to configurations that control how instances with private Internet Protocol (IP) addresses can communicate with the internet or other networks. Google Distributed Cloud (GDC) air-gapped provides outgoing NAT configurations to both virtual machines and containerized workloads when accessing external networks.
Types of NAT in Distributed Cloud
Google Distributed Cloud air-gapped supports two NAT implementations. One is a replacement for the other, and they cannot be used together.
Project default egress NAT (deprecated)
Before Cloud NAT, the only way to egress traffic was through the project
default egress NAT configuration. By default, projects are created with a
default egress NAT configuration that allows VM or Pod endpoints carrying the
label egress.networking.gke.io/enabled:true to egress traffic using an
egress IP automatically assigned to the project they are in.
This egress solution is now deprecated. We recommend that users migrate to Cloud NAT, which is the main NAT solution in Google Distributed Cloud (GDC) air-gapped systems.
See default project egress for information on how to use this solution, and how to migrate to the recommended solution, Cloud NAT.
Cloud NAT
Cloud NAT lets you send traffic out of the
Google Distributed Cloud (GDC) air-gapped deployment through Cloud NAT gateways.
You can select which specific Internet Protocol (IP) addresses each gateway uses
to send traffic out by specifying leaf subnets with the outgoing IP addresses
to use in the gateway configuration. You can also select which Kubernetes Pod or
virtual machine (VM) endpoints can send traffic out through each gateway by
specifying label selectors in the gateway configuration. Cloud NAT
gateways have project and zonal scope, so the subnets and endpoints you specify,
as well as the outgoing traffic, must be in the same zone and project as the
gateway. Cloud NAT is specifically for external (North-South) traffic
and not for internal (East-West) traffic.
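The two constraints described above (a gateway only carries endpoints that match its label selectors, and subnets and endpoints must sit in the gateway's own project and zone) are easy to get wrong when planning a migration off the deprecated project default egress NAT. The following is an added example, not code from the GDC documentation or product: a small pre-flight checker over a simplified, hypothetical model of gateways and endpoints (the `Gateway` and `Endpoint` classes and their fields are assumptions, not the real GDC API). It implements Kubernetes label-selector semantics (matchLabels plus In/NotIn/Exists/DoesNotExist expressions), flags leaf subnets outside the gateway's scope, and lists endpoints that still rely on the deprecated `egress.networking.gke.io/enabled` label without being covered by any Cloud NAT gateway. The sample gateway and endpoints are constructed for illustration.

```python
"""Added example (not from the GDC documentation): pre-flight checks for a
Cloud NAT gateway plan. Gateway/Endpoint are a hypothetical simplified model;
the real GDC resource schema is not described on this page."""

from dataclasses import dataclass, field

# Label used by endpoints under the deprecated project default egress NAT.
DEPRECATED_EGRESS_LABEL = "egress.networking.gke.io/enabled"


@dataclass
class Endpoint:
    """A Pod or VM that may need outgoing (North-South) NAT. Hypothetical model."""
    name: str
    project: str
    zone: str
    labels: dict = field(default_factory=dict)


@dataclass
class Gateway:
    """A Cloud NAT gateway: project/zonal scope, leaf subnets, selectors. Hypothetical model."""
    name: str
    project: str
    zone: str
    subnets: list                      # each: {"name", "project", "zone"}
    match_labels: dict = field(default_factory=dict)
    match_expressions: list = field(default_factory=list)  # {"key", "operator", "values"}


def selector_matches(labels, match_labels, match_expressions):
    """Kubernetes label-selector semantics: all matchLabels pairs and all
    matchExpressions clauses must hold (logical AND)."""
    for key, value in match_labels.items():
        if labels.get(key) != value:
            return False
    for expr in match_expressions:
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def check_gateway_scope(gw):
    """Leaf subnets must be in the gateway's own project and zone."""
    problems = []
    for subnet in gw.subnets:
        if subnet["project"] != gw.project or subnet["zone"] != gw.zone:
            problems.append(
                f"gateway {gw.name}: subnet {subnet['name']} is outside "
                f"project {gw.project} / zone {gw.zone}")
    return problems


def select_endpoints(gw, endpoints):
    """Names of endpoints the gateway would carry: selector match AND same scope."""
    return [
        ep.name for ep in endpoints
        if ep.project == gw.project and ep.zone == gw.zone
        and selector_matches(ep.labels, gw.match_labels, gw.match_expressions)
    ]


def find_unmigrated(gateways, endpoints):
    """Endpoints still on the deprecated label that no Cloud NAT gateway covers."""
    covered = set()
    for gw in gateways:
        covered.update(select_endpoints(gw, endpoints))
    return [
        ep.name for ep in endpoints
        if ep.labels.get(DEPRECATED_EGRESS_LABEL) == "true" and ep.name not in covered
    ]


# Constructed sample data: one gateway with a deliberately mis-scoped subnet.
GATEWAY = Gateway(
    name="egress-gw", project="proj-a", zone="zone-1",
    subnets=[{"name": "leaf-1", "project": "proj-a", "zone": "zone-1"},
             {"name": "leaf-2", "project": "proj-a", "zone": "zone-2"}],
    match_labels={"egress": "allowed"},
    match_expressions=[{"key": "tier", "operator": "NotIn", "values": ["batch"]}],
)
ENDPOINTS = [
    Endpoint("web-0", "proj-a", "zone-1",
             {"egress": "allowed", "tier": "web", DEPRECATED_EGRESS_LABEL: "true"}),
    Endpoint("batch-0", "proj-a", "zone-1", {"egress": "allowed", "tier": "batch"}),
    Endpoint("vm-legacy", "proj-a", "zone-1", {DEPRECATED_EGRESS_LABEL: "true"}),
    Endpoint("web-z2", "proj-a", "zone-2", {"egress": "allowed"}),
]

if __name__ == "__main__":
    for line in check_gateway_scope(GATEWAY):
        print("SCOPE:", line)
    print("covered by", GATEWAY.name, "->", select_endpoints(GATEWAY, ENDPOINTS))
    print("still on deprecated egress, uncovered ->", find_unmigrated([GATEWAY], ENDPOINTS))
```

Running the script reports the zone-2 subnet as out of scope, shows that only `web-0` is carried (`batch-0` is excluded by the NotIn expression, `web-z2` by zone, `vm-legacy` by the missing `egress` label), and lists `vm-legacy` as an endpoint that would lose egress once the deprecated project default egress NAT is removed.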