Creating Outbound Connections using Google Cloud NAT

Lab Steps

  • Signing In to the Google Cloud Console
  • Creating a Cloud Router and NAT Gateway
  • Creating a VM Instance to verify the connection

Difficulty: Intermediate
Time Limit: 45m
Students: 25
Ratings: 5/5

Description

What is Cloud NAT, and why would you use it?

When you are building applications in GCP, there are many occasions when you do not want the underlying virtual machines (VMs) to be accessible over the public internet. However, you may require the underlying infrastructure to be able to call out to the internet, for example, to install operating system updates. There could be many reasons why you may want to prevent inbound access from the internet, such as:

  • As a security best practice to minimize your attack surface
  • The application is a web service but is still under development and not ready to be exposed to external users
  • The application is a web service but is not configured to use HTTPS
  • The application could be offering services that are only available to other resources within the project
  • Only dedicated connectivity options from business offices or data centers should be used to access the application

To allow VMs without external IP addresses to make outbound connections securely, you should use Cloud NAT. Cloud NAT provides outbound internet access for Compute Engine instances without external IPs as well as other services including private GKE clusters and Cloud Run instances.

In this lab, you will walk through the process of setting up Cloud NAT. This includes creating a Cloud Router that acts as a control plane for Cloud NAT by implementing the routes. Finally, you will create a Compute Engine instance without an external IP to verify the ability to connect to the internet.
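As an added example (not part of the lab's own material), the check below classifies VMs by how they reach the internet: through their own external IP, through a Cloud NAT gateway on a Cloud Router in the same network and region, or with no NAT gateway at all. It assumes input shaped like the JSON from `gcloud compute instances list --format=json` and `gcloud compute routers list --format=json`; the project, resource names and IP address in the sample data are constructed.

```python
# Constructed sample data, shaped like the output of
#   gcloud compute instances list --format=json
#   gcloud compute routers list --format=json
# Project, resource names and IPs are made up for illustration.
BASE = "https://www.googleapis.com/compute/v1/projects/example-project"
NET = BASE + "/global/networks/lab-vpc"
ROUTERS = [
    {"name": "lab-router", "network": NET, "region": BASE + "/regions/us-central1",
     "nats": [{"name": "lab-nat"}]},
    {"name": "bgp-only", "network": NET, "region": BASE + "/regions/europe-west1"},
]
INSTANCES = [
    {"name": "private-vm", "zone": BASE + "/zones/us-central1-a",
     "networkInterfaces": [{"network": NET}]},
    {"name": "public-vm", "zone": BASE + "/zones/us-central1-b",
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "stranded-vm", "zone": BASE + "/zones/europe-west1-b",
     "networkInterfaces": [{"network": NET}]},
]

def tail(url):
    """Last path segment of a resource URL."""
    return url.rstrip("/").rsplit("/", 1)[-1]

def nat_coverage(routers):
    """(network, region) pairs where a Cloud Router carries at least one NAT gateway."""
    return {(tail(r["network"]), tail(r["region"])) for r in routers if r.get("nats")}

def audit(instances, routers):
    """Classify each VM as EXTERNAL_IP, CLOUD_NAT or NO_NAT."""
    covered = nat_coverage(routers)
    result = {}
    for vm in instances:
        region = tail(vm["zone"]).rsplit("-", 1)[0]  # us-central1-a -> us-central1
        nics = vm.get("networkInterfaces", [])
        # An access config holding a natIP means the VM has an external address.
        if any(ac.get("natIP") for n in nics for ac in n.get("accessConfigs", [])):
            result[vm["name"]] = "EXTERNAL_IP"
        # Simplification: per-subnet NAT scoping is ignored; any gateway in
        # the VM's network and region counts as coverage.
        elif any((tail(n["network"]), region) in covered for n in nics):
            result[vm["name"]] = "CLOUD_NAT"
        else:
            result[vm["name"]] = "NO_NAT"
    return result

if __name__ == "__main__":
    for name, status in audit(INSTANCES, ROUTERS).items():
        print(f"{name}: {status}")
```

A `NO_NAT` result only means no Cloud NAT gateway covers the VM; it may still have egress through another path such as a proxy or VPN.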

Learning Objectives

Upon completion of this lab you will be able to:

  • Connect your VM without external IPs to the internet
  • Connect your Cloud Router to Cloud NAT
  • Secure your backend platforms exposed to the internet

Intended Audience

This lab is intended for:

  • Cloud Network Professionals
  • Cloud Security Professionals

Prerequisites

You should possess:

  • A basic understanding of IP Addressing

About the Author

Students: 164600
Labs: 208
Courses: 9
Learning paths: 48

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.