Start course

Learn how you can connect your VMs and GKE clusters to the internet without opening them up to outside attack. Google Cloud NAT makes it easy to create outbound connections to the internet without needing an external IP address.

Learning Objectives

  • What is Google Cloud NAT
  • How to connect a VM to the internet using NAT
  • How to enable NAT logging and monitoring

Intended Audience

  • GCP Network Engineers
  • GCP Security Engineers
  • Anyone preparing for a Google Cloud certification (such as the Professional Data Engineer exam)


  • Basic knowledge about networking and TCP/IP
  • Access to a Google Cloud Platform account

At this point, you should understand what Google Cloud NAT is and how to use it.  You saw how to enable internet connectivity to VMs without using an external IP.  You also saw how to enable logging, and monitor for any issues.

There is one last thing I wanted to show you before I wrap things up.  If you are planning to use NAT to protect your VMs and Kubernetes Clusters, you might also want to consider setting some Organization Policy Constraints.

So let’s say that you decide to only allow your web servers to have public IPs.  Everything else should use NAT.  And you make a bunch of changes to enforce that.  Now, how will you guarantee that it will stay like this in the future?  What is preventing another employee from spinning up a database VM with a public IP.  Well, you can actually prevent this wIth a Policy Constraint.

You can access your list of current policies by searching for “Organizational Policies”.  As you can see, there are quite a few.  So let’s look at a couple of policies you might find useful.

First, search for “external IP” and choose “Defined allowed external IPs for VM instances”.  This policy allows you to limit which VMs can get an external IP.  So you could specify your web servers here.  And that way, all other VMs will be forced to use NAT instead.

Another useful policy can be found by searching for “Cloud NAT”.  The “Restrict Cloud NAT usage” policy can dictate which networks are allowed to use Cloud NAT.  So maybe you want to prevent any internet connection at all in certain networks.  You can enforce that with this policy.

Changing a policy is pretty simple.  Just click on the name and then (if you have the correct permission) you can change them to the values you wish.  As you can see, in this account I do not have permission to make any changes.

Organization Policies are not directly related to Cloud NAT but can be used in conjunction to enhance your overall security.

Well, that’s all I have for you today.  Remember to give this course a rating, and if you have any questions or comments, please let us know.  Thanks for watching, and make sure to check out our many other courses on Cloud Academy!

About the Author
Learning Paths

Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.

Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.

When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.