Set up and manage network address translation with Private NAT
This page describes how to configure private-to-private network address translation (NAT) in Cloud NAT.
Before you begin
Complete the following tasks before setting up Private NAT.
Prepare your environment
Depending on whether you want to use the Google Cloud console or gcloud CLI to set up Private NAT, configure the following resources in Google Cloud.
Console
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
gcloud
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
gcloud init
- Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
- Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with your Google Cloud project name.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
gcloud services enable compute.googleapis.com
Get IAM permissions
The Compute Network Admin
role
(roles/compute.networkAdmin) gives you permissions to create a NAT gateway,
reserve and assign NAT IP addresses, and specify
subnets whose traffic must use network address translation by
the NAT gateway.
Create a NAT subnet
Before you configure Private NAT, you create a NAT subnet of
purpose PRIVATE_NAT. The NAT subnet must be in the same region where you plan
to create your Private NAT gateway.
The Private NAT gateway uses IP address ranges from this subnet
to perform NAT. Ensure that this subnet doesn't overlap with an existing subnet
in any of the connected networks. You cannot create any resource in this subnet.
This subnet is used only for Private NAT.
Console
In the Google Cloud console, go to the VPC networks page.
To show the VPC network details page, click the name of a VPC network.
Click the Subnets tab.
Click Add subnet. In the Add a subnet dialog, do the following:
- Provide a name for the subnet.
- Select a region.
- For Purpose, select Private NAT.
Enter an IP address range, which is the primary IPv4 range for the subnet.
If you select a range that isn't an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information about valid IPv4 subnet ranges, see IPv4 subnet ranges.
Click Add.
gcloud
Use the gcloud compute networks subnets create command to create the subnet.
gcloud compute networks subnets create NAT_SUBNET \
--network=NETWORK \
--region=REGION \
--range=IP_RANGE \
--purpose=PRIVATE_NAT
Replace the following:
NAT_SUBNET: the name of the Private NAT subnet range to create.
NETWORK: the network to which the subnetwork belongs.
REGION: the region of the subnetwork to create. If not specified, you might be prompted to select a region (interactive mode only).
IP_RANGE: the IP space allocated to this subnet in CIDR format. Ensure that IP_RANGE takes into account using twice the size of ports required per VM.
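The two requirements above (size the range for twice the ports each VM needs, and make sure it overlaps nothing in any connected network) are easy to get wrong by hand, and an overlap only shows up later as traffic that silently fails to translate. The following is an added example, not code from the Cloud NAT documentation or from Google: a small pre-flight check you can run before gcloud compute networks subnets create. It assumes 64,512 usable source ports per NAT IP address (ports 1024 to 65535), applies the doubling rule the page gives, and treats every address in a PRIVATE_NAT subnet as usable by the gateway, because nothing else can be created there. The subnet names and CIDR ranges are constructed sample data; the RFC 1918 check mirrors the console's warning about non-RFC 1918 ranges.

```python
"""Pre-flight checks before creating a PRIVATE_NAT subnet.

Added example; not code from the Cloud NAT documentation or from Google.
Assumes 64,512 usable source ports per NAT IP (1024-65535) and applies the
page's rule of planning for twice the ports required per VM. Subnet names
and ranges used as input are constructed sample data.
"""
import ipaddress
import math
from typing import Dict, List

PORTS_PER_NAT_IP = 64512  # assumption: source ports 1024-65535 per NAT IP address
SIZING_FACTOR = 2         # page guidance: plan for twice the ports required per VM
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory of ranges already in use across connected networks
# (local subnets, peered VPCs, on-premises routes, NCC spokes).
SAMPLE_EXISTING_RANGES = {
    "prod-subnet-a": "10.10.0.0/20",
    "on-prem-dc": "10.0.0.0/16",
    "ncc-spoke-b": "172.16.4.0/22",
}


def nat_ips_required(vm_count: int, ports_per_vm: int) -> int:
    """NAT IP addresses needed for vm_count VMs at ports_per_vm each, with the 2x margin."""
    if vm_count <= 0 or ports_per_vm <= 0:
        raise ValueError("vm_count and ports_per_vm must be positive")
    total_ports = vm_count * ports_per_vm * SIZING_FACTOR
    return math.ceil(total_ports / PORTS_PER_NAT_IP)


def smallest_prefix_length(address_count: int) -> int:
    """Smallest IPv4 prefix length whose block holds at least address_count addresses.

    Assumption: every address in the block is usable by the gateway, since the
    page says no other resource can be created in a PRIVATE_NAT subnet.
    """
    if address_count <= 0:
        raise ValueError("address_count must be positive")
    return 32 - (address_count - 1).bit_length()


def overlapping_ranges(candidate: str, existing: Dict[str, str]) -> List[str]:
    """Names of existing ranges that overlap the candidate NAT range (sorted)."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return sorted(
        name for name, cidr in existing.items()
        if cand.overlaps(ipaddress.ip_network(cidr, strict=True))
    )


def plan_nat_subnet(vm_count: int, ports_per_vm: int, candidate: str,
                    existing: Dict[str, str]) -> Dict[str, object]:
    """Combine the sizing and overlap checks into one verdict for a candidate range."""
    cand = ipaddress.ip_network(candidate, strict=True)
    needed_ips = nat_ips_required(vm_count, ports_per_vm)
    needed_prefix = smallest_prefix_length(needed_ips)
    conflicts = overlapping_ranges(candidate, existing)
    large_enough = cand.prefixlen <= needed_prefix  # a /29 is larger than a needed /30
    return {
        "nat_ips_required": needed_ips,
        "max_prefix_length": needed_prefix,
        "large_enough": large_enough,
        "is_rfc1918": any(cand.subnet_of(n) for n in RFC1918),
        "conflicts": conflicts,
        "ok": large_enough and not conflicts,
    }


if __name__ == "__main__":
    # 2000 VMs at the default 64 minimum ports each, candidate range 192.168.200.0/29
    verdict = plan_nat_subnet(2000, 64, "192.168.200.0/29", SAMPLE_EXISTING_RANGES)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Run it with your own inventory of connected ranges in place of SAMPLE_EXISTING_RANGES; a non-empty "conflicts" list means the range must change before you create the subnet, and "large_enough" false means the gateway will run out of NAT addresses under the stated load.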
Configure DNS64
To use translation from IPv6 to IPv4 (NAT64),
destination addresses must match the 64:ff9b::/96 prefix. You can
configure DNS64 to automatically synthesize
IPv4-embedded IPv6 addresses by prepending this prefix to your destination
IPv4 addresses.
Skip this step if you want to use Cloud NAT only for IPv4 traffic.
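When reviewing flow logs or firewall rules for a NAT64 deployment, it helps to know exactly which IPv6 destinations the gateway will translate and which IPv4 host each one stands for. The following is an added example, not code from the Cloud NAT documentation or from Google: it synthesizes an IPv4-embedded IPv6 address the way DNS64 does, by placing the IPv4 address in the low 32 bits of the 64:ff9b::/96 prefix named above, and reverses the embedding for addresses seen on the wire. Python's ipaddress module has no NAT64 helper (IPv6Address.ipv4_mapped covers only ::ffff:0:0/96), so the bit operations are done by hand. The destination addresses are constructed sample data.

```python
"""NAT64 / DNS64 address synthesis against the 64:ff9b::/96 prefix.

Added example; not code from the Cloud NAT documentation or from Google.
The prefix is the one the page requires for NAT64; sample destinations
below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, Optional

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def synthesize_nat64_address(ipv4: str) -> ipaddress.IPv6Address:
    """Return the IPv4-embedded IPv6 address DNS64 would hand to an IPv6-only client."""
    v4 = ipaddress.IPv4Address(ipv4)
    # Prefix occupies the high 96 bits; the IPv4 address fills the low 32 bits.
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 destination a NAT64 gateway translates to, or None for a native IPv6 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        return None  # outside 64:ff9b::/96: the gateway does not translate it
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def classify_destinations(destinations: Iterable[str]) -> Dict[str, str]:
    """Label each destination as translated by NAT64 (with its IPv4 target) or native IPv6."""
    result = {}
    for dst in destinations:
        v4 = embedded_ipv4(dst)
        result[dst] = f"NAT64 -> {v4}" if v4 is not None else "native IPv6, not translated"
    return result


# Constructed sample: one DNS64-synthesized address and one native IPv6 address.
SAMPLE_DESTINATIONS = ["64:ff9b::c000:201", "2001:db8::10"]

if __name__ == "__main__":
    print(synthesize_nat64_address("192.0.2.1"))
    for dst, label in classify_destinations(SAMPLE_DESTINATIONS).items():
        print(f"{dst:24} {label}")
```

Feeding the destination column of your NAT64 flow logs through classify_destinations separates traffic that transits the Private NAT gateway from IPv6 traffic that never touches it, which is the split you need when a destination reachable over IPv4 appears unreachable from an IPv6-only VM.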
Configure Private NAT
You configure Private NAT by creating a Cloud NAT gateway in the source VPC network. Each gateway is associated with a single VPC network, region, and Cloud Router.
When creating a Cloud NAT gateway for Private NAT, you can configure the following options.
| Configuration | Supported options | Description |
|---|---|---|
| Source IP version | IPv4 subnet ranges or IPv6 subnet ranges | Private NAT supports translation from IPv4 to IPv4 (NAT44) and from IPv6 to IPv4 (NAT64). You can configure the gateway to perform NAT44 or NAT64, but not both. |
| Source subnets | For IPv4 traffic: Custom (the subnets that you select). For IPv6 traffic: All subnets or Custom. | Private NAT supports subnet ranges in the region for the VPC network that you specify. You can restrict which subnets can use NAT. |
| Connectivity type | Hybrid connectivity routes, Network Connectivity Center hub | Private NAT supports the following options for NAT44: Hybrid NAT and Private NAT for Network Connectivity Center (NCC) spokes. You can enable one or both of these options. For NAT64, the Source IPv6 traffic (for NAT64) option configures Private NAT for all supported destinations. |
| Advanced configurations | Logging, port allocation, NAT timeouts | By default, Private NAT uses dynamic port allocation, which lets the Cloud NAT gateway dynamically allocate ports to each VM based on usage. Logging is disabled by default. For information about NAT timeouts and their default values, see NAT timeouts. |
Create a Cloud NAT gateway
Create a Cloud NAT gateway in the VPC network and region where you want to configure Private NAT. You can configure the gateway to apply NAT to IPv4 subnet ranges (NAT44) or IPv6 subnet ranges (NAT64), but not both.
Create a gateway for IPv4 ranges (NAT44)
Console
- In the Google Cloud console, go to the Cloud NAT page.
- Click Get started or, if you have existing gateways, Create Cloud NAT gateway.
- Enter a gateway name.
- For NAT type, select Private.
- Select the VPC network and region where you want to create the gateway.
- Select or create a Cloud Router in the region.
- In the Cloud NAT mapping section, for Source endpoint type, make sure the VM instances, GKE nodes, Serverless option is selected.
- In the Source IP version field, select IPv4 subnet ranges.
- In the Source subnets field, select Custom.
- In the Subnets section, select a subnet for which you want to configure NAT. If you want to specify additional ranges, click Add subnet and IP range and add another subnet.
- Add a NAT rule to define which type of Private NAT is enabled for the subnet ranges that you selected in the previous step, and configure a private subnet range that you want to use for NAT:
- Click Add a rule.
- In the Rule priority field, enter any value from 0 to 65000.
- For Match, select one of the following options:
- Hybrid connectivity routes: enables Hybrid NAT.
- Network Connectivity Center hub: enables Private NAT for NCC spokes.
To enable both types of Private NAT, select both Hybrid connectivity routes and Network Connectivity Center hub.
- Select or create a private NAT subnet range.
- Click Done.
- Optional: Adjust any of the following settings in the Advanced configurations section:
- Whether to configure logging. By default, No logging is selected.
- Whether to change how Cloud NAT allocates ports. By default, Enable Dynamic Port Allocation is selected. To configure static port allocation, clear Enable Dynamic Port Allocation and specify Minimum ports per VM instance. The default value is 64.
- Whether to update NAT timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.
- Click Create.
gcloud
Create a Cloud Router in the region of the VPC network where you want to configure Private NAT. You need this Cloud Router to create your gateway.
Use the gcloud compute routers create command:
gcloud compute routers create ROUTER_NAME \
--network=NETWORK \
--region=REGION
Replace the following:
ROUTER_NAME: a name for the Cloud Router
NETWORK: the VPC network in which to create the Cloud Router
REGION: the region in which to create the Cloud Router
Create the gateway and specify one or more subnets of the VPC network where you want to configure NAT. By default, Private NAT uses dynamic port allocation.
Use the gcloud compute routers nats create command with the --type=PRIVATE flag:
gcloud compute routers nats create NAT_CONFIG \
--router=ROUTER_NAME \
--region=REGION \
--type=PRIVATE \
--nat-custom-subnet-ip-ranges=SUBNETWORK:ALL,[SUBNETWORK_1:ALL,...]
Replace the following:
NAT_CONFIG: a name for your NAT configuration
ROUTER_NAME: the name of the Cloud Router that you created in the previous step
REGION: the region of the Cloud Router
SUBNETWORK: the name of the subnet or subnets (comma-separated) for which you want to use NAT
If you want to create a gateway with static port allocation, run the preceding command with the --no-enable-dynamic-port-allocation and --min-ports-per-vm=VALUE flags, replacing VALUE with the minimum number of ports. If the --min-ports-per-vm flag isn't specified, the default value is 64.
Create a NAT rule to match traffic based on the type of Private NAT that you are configuring.
Use the gcloud compute routers nats rules create command with the --match flag set to one of the following options:
- --match='nexthop.hub': enables Private NAT for NCC spokes.
- --match='nexthop.is_hybrid': enables Hybrid NAT.
- --match='nexthop.hub == "HUB" || nexthop.is_hybrid': enables both types of Private NAT.
To create a NAT rule for Private NAT for NCC spokes, run the following command:
gcloud compute routers nats rules create NAT_RULE_PRIORITY \
--router=ROUTER_NAME \
--region=REGION \
--nat=NAT_CONFIG \
--match='nexthop.hub == "//networkconnectivity.googleapis.com/projects/PROJECT_ID/locations/global/hubs/HUB"' \
--source-nat-active-ranges=NAT_SUBNET
To create a NAT rule for Hybrid NAT, run the following command:
gcloud compute routers nats rules create NAT_RULE_PRIORITY \
--router=ROUTER_NAME \
--region=REGION \
--nat=NAT_CONFIG \
--match='nexthop.is_hybrid' \
--source-nat-active-ranges=NAT_SUBNET
To create a NAT rule for both Private NAT for NCC spokes and Hybrid NAT, run the following command:
gcloud compute routers nats rules create NAT_RULE_PRIORITY \
--router=ROUTER_NAME \
--region=REGION \
--nat=NAT_CONFIG \
--match='nexthop.hub == "//networkconnectivity.googleapis.com/projects/PROJECT_ID/locations/global/hubs/HUB" || nexthop.is_hybrid' \
--source-nat-active-ranges=NAT_SUBNET
Replace the following:
NAT_RULE_PRIORITY: the rule number that uniquely identifies the NAT rule; specify any number from 0 to 65000
ROUTER_NAME: the name of the Cloud Router that you created earlier
REGION: the region of the Cloud Router
NAT_CONFIG: the name of the NAT configuration that you created earlier
PROJECT_ID: the Google Cloud project of the NCC hub
HUB: the name of the NCC hub
NAT_SUBNET: the name of the Private NAT subnet or subnets (comma-separated) that you created earlier
Create a gateway for IPv6 ranges (NAT64)
Console
- In the Google Cloud console, go to the Cloud NAT page.
- Click Get started or, if you have existing gateways, Create Cloud NAT gateway.
- Enter a gateway name.
- For NAT type, select Private.
- Select the VPC network and region where you want to create the gateway.
- Select or create a Cloud Router in the region.
- In the Cloud NAT mapping section, for Source endpoint type, make sure the VM instances, GKE nodes, Serverless option is selected.
- In the Source IP version field, select IPv6 subnet ranges.
- In the Source subnets field, do one of the
following:
- To use Cloud NAT for all IPv6 subnets in the region, select All subnets.
- To restrict which subnets can use Cloud NAT, select Custom and then select a subnet. If you want to specify additional subnets, click Add subnet and add another subnet.
- Add a NAT rule to configure a private subnet range that you want to use for NAT:
- Click Add a rule.
- In the Rule priority field, enter any value from 0 to 65000.
- Select or create a private NAT subnet range.
- Click Done.
- Optional: Adjust any of the following settings in the Advanced configurations section:
- Whether to configure logging. By default, No logging is selected.
- Whether to change how Cloud NAT allocates ports. By default, Enable Dynamic Port Allocation is selected. To configure static port allocation, clear Enable Dynamic Port Allocation and specify Minimum ports per VM instance. The default value is 64.
- Whether to update NAT timeouts for protocol connections. For information about these timeouts and their default values, see NAT timeouts.
- Click Create.
gcloud
Create a Cloud Router in the region of the VPC network where you want to configure Private NAT. You need this Cloud Router to create your gateway.
Use the gcloud compute routers create command:
gcloud compute routers create ROUTER_NAME \
--network=NETWORK \
--region=REGION
Replace the following:
ROUTER_NAME: a name for the Cloud Router
NETWORK: the VPC network in which to create the Cloud Router
REGION: the region in which to create the Cloud Router
Create the Cloud NAT gateway.
Use the gcloud compute routers nats create command with the --type=PRIVATE flag.
To configure Private NAT for all IPv6 subnet ranges, run the following command:
gcloud compute routers nats create NAT_CONFIG \
--router=ROUTER_NAME \
--region=REGION \
--type=PRIVATE \
--nat64-all-v6-subnet-ip-ranges
To configure Private NAT for custom IPv6 subnet ranges, run the following command:
gcloud compute routers nats create NAT_CONFIG \
--router=ROUTER_NAME \
--region=REGION \
--type=PRIVATE \
--nat64-custom-v6-subnet-ip-ranges=SUBNETWORK,[SUBNETWORK_1,…]
Replace the following:
NAT_CONFIG: a name for your NAT configuration
ROUTER_NAME: the name of the Cloud Router that you created in the previous step
REGION: the region of the Cloud Router
SUBNETWORK: the name of the subnet or subnets (comma-separated) for which you want to use NAT
Create a NAT rule for NAT64. Use the gcloud beta compute routers nats rules create command with the --match flag:
gcloud beta compute routers nats rules create NAT_RULE_PRIORITY \
--router=ROUTER_NAME \
--region=REGION \
--nat=NAT_CONFIG \
--match='isIPv6(source.ip)' \
--source-nat-active-ranges=NAT_SUBNET
Replace the following:
NAT_RULE_PRIORITY: the rule number that uniquely identifies the NAT rule; specify any number from 0 to 65000
ROUTER_NAME: the name of the Cloud Router that you created earlier
REGION: the region of the Cloud Router
NAT_CONFIG: the name of the NAT configuration that you created earlier
NAT_SUBNET: the name of the Private NAT subnet or subnets (comma-separated) that you created earlier
After you enable the isIPv6(source.ip) option, you must use the
beta version of the gcloud CLI for the following
operations:
- Update the Cloud NAT gateway that translates IPv6 to IPv4
- Create and update a Cloud NAT gateway that uses the same Cloud Router as the gateway that translates IPv6 to IPv4
- Update the Cloud Router where the Cloud NAT gateway is configured
View Private NAT configuration
Console
In the Google Cloud console, go to the Cloud NAT page.
To view NAT gateway details, mapping information, or configuration details, click the name of your NAT gateway.
To view NAT status, see the Status column for your NAT gateway.
gcloud
You can view the NAT configuration details by running the following commands:
View the Private NAT gateway configuration:
gcloud compute routers nats describe NAT_CONFIG \
--router=ROUTER_NAME \
--region=REGION
Replace the following:
NAT_CONFIG: the name of your NAT configuration
ROUTER_NAME: the name of your Cloud Router
REGION: the region of the NAT to describe; if not specified, you might be prompted to select a region (interactive mode only)
View the mapping of the IP:port-ranges allocated to each VM's interface:
gcloud compute routers get-nat-mapping-info ROUTER_NAME \
--region=REGION
View the status of the Private NAT gateway:
gcloud compute routers get-status ROUTER_NAME \
--region=REGION
Update a Private NAT configuration
The following sections describe how to update an existing Cloud NAT gateway.
Update subnets in the NAT configuration
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your NAT gateway.
Click Edit.
If Custom is selected for Source subnets, select a subnet. To specify additional ranges, click Add subnet and IP range.
IPv6 subnet ranges only: In the Customized rule section, select Source IPv6 traffic (for NAT64).
Click Save.
gcloud
Use the gcloud compute routers nats update command.
To update the source subnet ranges for an existing Cloud NAT gateway, run one of the following commands, depending on the IP version of the subnet ranges that you want to update:
Update IPv4 subnet ranges:
gcloud compute routers nats update NAT_CONFIG \
--router=NAT_ROUTER \
--region=REGION \
--nat-custom-subnet-ip-ranges=IPV4_SUBNET_RANGES
Update IPv6 subnet ranges (Preview):
gcloud beta compute routers nats update NAT_CONFIG \
--router=NAT_ROUTER \
--region=REGION \
--nat64-custom-v6-subnet-ip-ranges=IPV6_SUBNET_RANGES
Replace the following:
NAT_CONFIG: the name of your NAT configuration
NAT_ROUTER: the name of your Cloud Router
REGION: the region of the NAT gateway
IPV4_SUBNET_RANGES: a subnet or subnets in the following format: SUBNET_NAME_1:ALL,SUBNET_NAME_2:ALL
IPV6_SUBNET_RANGES: a subnet or subnets in the following format: SUBNET_NAME_1,SUBNET_NAME_2
Remove subnets from the NAT configuration
You can remove subnets from your NAT gateway configuration.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your NAT gateway.
Click Edit.
Delete the subnet that you want to remove from NAT mapping.
Click Save.
Add NAT subnets to the configuration
To perform NAT on traffic, a Private NAT
configuration uses NAT IP addresses from a subnet that has a purpose of PRIVATE_NAT.
If your Private NAT configuration requires more than the available
number of NAT IP addresses, you can add more subnets of purpose PRIVATE_NAT to
the configuration.
Console
In the Google Cloud console, go to the Cloud NAT page.
Click your NAT gateway.
Click Edit.
Expand the existing rule.
Click Add subnet ranges.
Select or create a new NAT subnet range, and then click Done.
Click Save.
gcloud
gcloud compute routers nats rules update NAT_RULE_PRIORITY \
--nat=NAT_CONFIG \
--router=ROUTER_NAME \
--region=REGION \
--source-nat-active-ranges=NAT_SUBNET_1,NAT_SUBNET_2,...
Replace the following:
NAT_RULE_PRIORITY: the number that uniquely identifies the rule to update, from 0 to 65000.
NAT_CONFIG: the name of your Private NAT configuration for the rule to update.
ROUTER_NAME: the name of the router to use with this gateway.
REGION: the region of the NAT gateway.
NAT_SUBNET_1, NAT_SUBNET_2, ...: the names of the Private NAT subnets to be added to your existing NAT configuration, as a comma-separated list with no spaces.
Delete NAT configuration
Deleting a gateway configuration removes the NAT configuration from a Cloud Router. Deleting a gateway configuration doesn't delete the router itself.
Console
In the Google Cloud console, go to the Cloud NAT page.
Select the checkbox next to the gateway configuration that you want to delete.
On the Menu, click Delete.
gcloud
gcloud compute routers nats delete NAT_CONFIG \
--router=ROUTER_NAME \
--region=REGION
Replace the following:
NAT_CONFIG: the name of your NAT configuration
ROUTER_NAME: the name of your Cloud Router
REGION: the region of the NAT to delete; if not specified, you might be prompted to select a region (interactive mode only).