Google Cloud NAT
The course is part of these learning paths
Learn how you can connect your VMs and GKE clusters to the internet without opening them up to outside attack. Google Cloud NAT makes it easy to create outbound connections to the internet without needing an external IP address.
- What is Google Cloud NAT
- How to connect a VM to the internet using NAT
- How to enable NAT logging and monitoring
- GCP Network Engineers
- GCP Security Engineers
- Anyone preparing for a Google Cloud certification (such as the Professional Data Engineer exam)
- Basic knowledge about networking and TCP/IP
- Access to a Google Cloud Platform account
Now that you understand what Cloud NAT can do, I want to show you how to actually set it up. So for this demo, I have already created a couple of Virtual Machines. Let me show you those. I’ll navigate to Compute Engine.
Here you can see I have a public VM that has both an internal and external IP address. And I have a private VM with just an internal IP address. They both exist in the same VPC but in separate subnets. So you can think of my public VM as representing some internet-facing service, like a web server. The private VM could be an internal database or application server, something you would NOT want to be publicly accessible.
Let’s verify that the public VM does indeed have internet access. I can quickly test this out using the curl command. This first website will return my public IP address. And I will also try to get the Apple homepage as well. So, you can see my public VM is connected to the internet.
Next, let’s verify the private VM. Here we see that when I try to run a curl command it’s just going to time out. That is because there is no valid route between my private VM and the internet.
So no one is able to directly attack my private VM without first gaining access to my GCP account. However, downloading patches and updates is going to be pretty difficult. So now I am going to show you how easy it is to create a NAT Gateway using Cloud NAT. This will allow me to download updates from the internet, without assigning an external IP address to the VM.
So to get started, I need to navigate to Cloud NAT and then click on “Get Started”. When creating a NAT Gateway, you need to specify a name. I’m going to call this “nat-demo-gateway”. In order to be able to route to the public internet, I am going to need a router. You can select one here, or if you don’t already have one, you can create a new one. In this case, I will select the network my VPC is in, select the region, and then pick “Create a new router”.
So this will open a new side window where I can create a router. This screen has several options, but for a basic working router, all I have to do is to give it a name. The network and region are already set to what I picked on the previous form so I don’t have to change those. And now I can click “Create” to create my new router. So now my gateway has a Cloud router assigned to it.
There are two more sections I could make changes to if I wanted. However, for this first example, I am going to leave the defaults. This will automatically handle all the details for me. It’s going to map all subnets in the VPC to the NAT gateway and it will automatically assign NAT IP addresses. If you just need basic internet access, this works best. There are other options available under “Advanced configurations'' but we will look at those later. I will go ahead and click on “Create” to create a new NAT Gateway.
Ok, now at this point I just have to wait for the gateway to be created. So now I should have a working router and NAT gateway. My private VM should be able to connect to the internet. Let me try running those curl commands again to verify.
So now when I connect, I am getting a response. I can also see that my NAT public IP address has been assigned to 18.104.22.168. Because I am using automatic mode, this address can change. But if I just want to download updates, then that will not be an issue at all. Cloud NAT is going to manage everything. It will add, remove and update the IPs as needed.
If I try to download the Apple homepage, we now see that it is successful as well. So, as you can see, it is actually quite simple to use Cloud NAT.
Let me go back and show you some of the more advanced features. I can click on my gateway to see the details. And if I want to change anything, I just need to click on the “Edit” button at the top.
So first I’ll show you how to set your own IP addresses. Maybe you need a specific IP for creating a firewall rule or to add to a whitelist. To manage it myself, I can simply click on NAT-IP Addresses and set it to “Manual” mode. Now I can add my IP addresses.
The addresses used will be reserved public IPs. Since I don’t have any IP addresses reserved already, I’ll just pick “Create IP address”. I have to give this IP address a name. This is so I can later remember what I plan to use it for. So it looks like it reserved 22.214.171.124.
I could add more addresses if I wanted. If you have a lot of VMs, you might need more than one IP. But a single address will work fine for several VMs. The exact number depends on how many connections each VM will require.
So let me go ahead and save this. Now I have to wait for the changes to propagate. And now I should see that the public IP address for my private VM has changed from a 104 address to a 34. There we go. The change happens pretty quickly. You won’t have to wait long at all to see the new IP.
Let’s look at some of the other things you can change. I’ll open up Advanced Configurations this time. The first option allows you to enable logging. You can tell it to either log errors or network translations or both. Error logging is useful for debugging issues. Translations might also be useful to look at if you are doing something more advanced. So if you are experiencing intermittent errors, both could be useful. Just remember the more you log, the higher your storage costs will be. I’ll go ahead and enable both for this example.
So now everything that happens in Cloud NAT will be written to the logs. I’ll demonstrate a little later how to view the logs and what the entries look like. I want to show you a few more options first. You can change the minimum assigned ports per instance. By default, my VM can create 64 connections at once. This is usually more than enough. If you need more you can increase it here. Just remember that increasing this number means you are also decreasing the number of VMs that can share this IP. If you don’t need 64 simultaneous connections, you can decrease this number.
You also can change the timeout values for TCP, UDP, and ICMP protocols. This is definitely more advanced stuff. If you are running into timeout issues, you can probably fix those by tweaking these values. If too many connections are timing out, you might want to increase these. However, making these too high means it will take longer for connections to fail. Make sure you know what you are doing before messing with these values.
There are a few more options here, but I covered the main ones. You can hover your mouse cursor over the question marks to get details on any of them. Again, it’s pretty easy to make any changes, so feel free to experiment on your own.
I previously showed you how to enable logging. Now it’s time I show you how to access the logs. The easiest way is to go to your gateway in Cloud NAT and click on the Logs tab. Then I just have to click on the “Cloud Logging” link and it will take me to Logs Explorer. You can also directly navigate to Logs Explorer, but then you have to set up the filters to show you the NAT logs. If you use the link I showed you, it automatically selects the correct filters for you.
Now at this point I don’t have any logs because I haven’t actually done anything since I enabled logging. Let me run a few more curl commands and then refresh the page. Now we can see three entries for the three curl commands I just ran. And if you start opening up the different parts of the logs you can access the details for each entry. So that’s how you view the Logs for Cloud NAT.
The last thing I wanted to show you is how to access the pre-built monitoring graphs. You get to them in a similar way to the logs. Just select your gateway and then click on the “Monitoring” tab here. This will give you information on the number of open connections, the amount of egress data, and a bunch of other things. If you want something else, you can (of course) go to Cloud Monitoring and build your own custom dashboards as well. But the prebuilt dashboards are usually enough, especially when you are just starting out.
And that is pretty much it. That gives you enough details to start using Cloud NAT on your own.
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.