Learn how to connect your VMs and GKE clusters to the internet without exposing them to inbound connections from it. Google Cloud NAT lets instances that have no external IP address make outbound connections to the internet, while unsolicited traffic from the internet has no way to reach them.
Learning Objectives
- What is Google Cloud NAT
- How to connect a VM to the internet using NAT
- How to enable NAT logging and monitoring
Intended Audience
- GCP Network Engineers
- GCP Security Engineers
- Anyone preparing for a Google Cloud certification (such as the Professional Data Engineer exam)
Prerequisites
- Basic knowledge about networking and TCP/IP
- Access to a Google Cloud Platform account
Securing cloud resources can be a challenge. As your systems grow and become more complex, the total number of potential vulnerabilities increases. If you allow your attack surface to grow too large, eventually even the most talented security professional will miss something. That is why it is important to try to minimize your attack surface as much as possible.
Physically securing a room with a single door is much easier than securing an entire building with many entrances. In much the same way, a host that has only an internal address is far easier to defend than one that is reachable from the whole internet. That is why it is recommended to assign external IP addresses only when absolutely necessary.
This strategy does have a drawback. Cutting your VMs and Kubernetes clusters off from the internet also cuts them off from package repositories, OS updates and security patches. Luckily, you can get the best of both worlds with Network Address Translation. NAT lets a group of machines that have only internal addresses share one or more external IP addresses for outbound traffic: the gateway rewrites the source address of each outbound connection and keeps a mapping so that replies are delivered back to the right machine. A connection that arrives from the internet unsolicited has no such mapping, so it cannot be delivered to any internal machine. In short, requests that originate inside your network reach the internet, but requests from the internet into your network fail. NAT is not a firewall, though: VPC firewall rules still decide which traffic a VM accepts from other hosts inside the network.
There are several ways to set up NAT in GCP, but the easiest is Google Cloud NAT. Cloud NAT works with Compute Engine VMs as well as with Google Kubernetes Engine (GKE) nodes. It is fully managed, so you do not have to build and patch your own NAT gateway VMs. It is also a regional, software-defined service with no proxy instance in the data path, which is why it scales with your traffic and keeps working if a single zone in the region goes down. Cloud NAT can allocate and manage the NAT IP addresses for you, if you wish.
A managed service does not mean your options are limited. In manual mode you reserve static external addresses and assign them to the gateway yourself, which matters when a third party needs to allow-list your egress IPs; in auto mode Cloud NAT allocates and scales the addresses for you. Either way, you can turn on logging to see which translations succeed and which connections are dropped. With Google Cloud NAT, you have an easy way to keep your VMs both private and up to date.
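The following script is an added example, not part of the course material, that carries out the setup described above with the gcloud CLI: a custom VPC, a VM with no external address, a Cloud NAT gateway in auto mode (with a manual-mode variant) and NAT logging, followed by the two checks a practitioner would run afterwards. Every resource name, the region, zone and CIDR range are assumptions chosen for illustration. By default it runs in dry-run mode and only prints the commands; set `DRY_RUN=0` in an authenticated shell to execute them.

```shell
#!/bin/sh
# Added example (not from the course): give a VM with no external IP
# outbound-only internet access through Cloud NAT, with NAT logging on.
# All names, the region/zone and the CIDR below are assumptions.
set -eu

REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-private-vpc}"
SUBNET="${SUBNET:-private-subnet}"
ROUTER="${ROUTER:-private-router}"
NAT="${NAT:-private-nat}"
VM="${VM:-private-vm}"

# With DRY_RUN=1 (the default here) each command is printed instead of run,
# so the plan can be reviewed without a GCP account.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Custom-mode VPC with one subnet: no auto-created subnets or firewall rules.
create_network() {
  run gcloud compute networks create "$NETWORK" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" \
    --network="$NETWORK" --region="$REGION" --range=10.10.0.0/24
}

# --no-address gives the VM only an internal IP, so nothing on the internet
# can initiate a connection to it.
create_vm() {
  run gcloud compute instances create "$VM" --zone="$ZONE" \
    --subnet="$SUBNET" --no-address
}

# Operators still need a way in: allow SSH only from the Identity-Aware Proxy
# TCP-forwarding range, then use `gcloud compute ssh --tunnel-through-iap`.
allow_iap_ssh() {
  run gcloud compute firewall-rules create "${NETWORK}-allow-iap-ssh" \
    --network="$NETWORK" --direction=INGRESS --allow=tcp:22 \
    --source-ranges=35.235.240.0/20
}

# Cloud NAT hangs off a Cloud Router. Auto mode: Google allocates and scales
# the NAT IPs. --enable-logging sends NAT flows to Cloud Logging;
# --log-filter=ALL records translations and errors (ERRORS_ONLY is cheaper).
create_nat_auto() {
  run gcloud compute routers create "$ROUTER" --network="$NETWORK" --region="$REGION"
  run gcloud compute routers nats create "$NAT" --router="$ROUTER" --region="$REGION" \
    --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips \
    --enable-logging --log-filter=ALL
}

# Manual mode: reserve a static address first and hand it to the gateway, so
# the egress IP is known and can be allow-listed by third parties.
create_nat_manual() {
  run gcloud compute addresses create "${NAT}-ip-1" --region="$REGION"
  run gcloud compute routers create "$ROUTER" --network="$NETWORK" --region="$REGION"
  run gcloud compute routers nats create "$NAT" --router="$ROUTER" --region="$REGION" \
    --nat-all-subnet-ip-ranges --nat-external-ip-pool="${NAT}-ip-1" \
    --enable-logging --log-filter=ERRORS_ONLY
}

# Check 1: prints an empty value when the instance has no external address.
verify_no_external_ip() {
  run gcloud compute instances describe "$VM" --zone="$ZONE" \
    --format='value(networkInterfaces[0].accessConfigs[0].natIP)'
}

# Check 2: NAT flow logs are stored under resource.type="nat_gateway".
show_nat_logs() {
  run gcloud logging read \
    "resource.type=\"nat_gateway\" AND resource.labels.gateway_name=\"$NAT\"" \
    --limit=20 --format=json
}

main() {
  create_network
  allow_iap_ssh
  create_vm
  create_nat_auto      # or: create_nat_manual
  verify_no_external_ip
  show_nat_logs
}

main
```

The functions are split so that the auto and manual gateway variants can be swapped without touching the rest; once the gateway exists, `curl -s https://ifconfig.me` from the VM should return one of the NAT addresses rather than failing, and the logging query should start returning flow records.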
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.