hands-on lab

Creating Outbound Connections using Google Cloud NAT

Up to 45m


What is Cloud NAT, and why would you use it?

When you are building applications in GCP, there are many occasions when you do not want the underlying virtual machines (VMs) to be accessible over the public internet. However, you may require the underlying infrastructure to be able to call out to the internet, for example, to install operating system updates. There could be many reasons why you may want to prevent inbound access from the internet, such as:

  • As a security best practice to minimize your attack surface
  • The application is a web service but is still under development and not ready to be exposed to external users
  • The application is a web service but is not configured to use HTTPS
  • The application could be offering services that are only available to other resources within the project
  • Only dedicated connectivity options from business offices or data centers should be used to access the application

To allow VMs without external IP addresses to make outbound connections securely, you should use Cloud NAT. Cloud NAT provides outbound internet access for Compute Engine instances without external IPs as well as other services including private GKE clusters and Cloud Run instances.

In this lab, you will walk through the process of setting up Cloud NAT. This includes creating a Cloud Router that acts as a control plane for Cloud NAT by implementing the routes. Finally, you will create a Compute Engine instance without an external IP to verify the ability to connect to the internet.
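A way to check the result of this setup from exported inventory, as an added example that is not part of the lab: it labels each VM network interface as having an external IP, having outbound access through Cloud NAT, or having no internet egress. The field names follow the Compute Engine API JSON; the resource names, the shortened resource paths, and the IP address are constructed assumptions.

```python
# Added example: all routers and instances below are constructed sample data.
def _last(url):
    return url.rstrip("/").rsplit("/", 1)[-1]           # final URL path segment

def nat_coverage(routers):
    """Map (network, region) -> set of NATed subnet names, or None for all subnets."""
    cov = {}
    for r in routers:
        key = (_last(r["network"]), _last(r["region"]))
        for nat in r.get("nats", []):
            if nat["sourceSubnetworkIpRangesToNat"] != "LIST_OF_SUBNETWORKS":
                cov[key] = None                         # ALL_SUBNETWORKS_* modes
            elif cov.get(key, set()) is not None:
                names = {_last(s["name"]) for s in nat.get("subnetworks", [])}
                cov[key] = cov.get(key, set()) | names
    return cov

def classify(instance, cov):
    region = _last(instance["zone"]).rsplit("-", 1)[0]  # us-central1-a -> us-central1
    labels = []                                         # one label per interface
    for nic in instance["networkInterfaces"]:
        key = (_last(nic["network"]), region)
        if nic.get("accessConfigs"):                    # external IPv4 configured
            labels.append("external-ip")
        elif key in cov and (cov[key] is None or _last(nic["subnetwork"]) in cov[key]):
            labels.append("nat-egress")                 # outbound only, via Cloud NAT
        else:
            labels.append("no-egress")                  # no path to the internet
    return labels

def _vm(name, zone, subnet, external_ip=None):          # builds a constructed instance
    nic = {"network": "global/networks/lab-vpc", "subnetwork": f"subnetworks/{subnet}"}
    if external_ip:
        nic["accessConfigs"] = [{"type": "ONE_TO_ONE_NAT", "natIP": external_ip}]
    return {"name": name, "zone": f"zones/{zone}", "networkInterfaces": [nic]}

ROUTERS = [
    {"network": "global/networks/lab-vpc", "region": "regions/us-central1",
     "nats": [{"sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES"}]},
    {"network": "global/networks/lab-vpc", "region": "regions/europe-west1",
     "nats": [{"sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
               "subnetworks": [{"name": "regions/europe-west1/subnetworks/app-subnet"}]}]},
]
INSTANCES = [_vm("private-vm", "us-central1-a", "lab-subnet"),
             _vm("public-vm", "us-central1-b", "lab-subnet", "203.0.113.10"),
             _vm("eu-app-vm", "europe-west1-b", "app-subnet"),
             _vm("eu-db-vm", "europe-west1-b", "db-subnet")]

def audit(instances=INSTANCES, routers=ROUTERS):
    cov = nat_coverage(routers)
    return {vm["name"]: classify(vm, cov) for vm in instances}
```

Interfaces labelled `external-ip` are the ones to review against the reasons listed above for keeping VMs off the public internet; `no-egress` marks VMs that cannot fetch updates until a NAT gateway covers their subnet.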

Learning Objectives

Upon completion of this lab, you will be able to:

  • Connect VMs without external IPs to the internet
  • Connect your Cloud Router to Cloud NAT
  • Secure your backend platforms exposed to the internet

Intended Audience

This lab is intended for:

  • Cloud Network Professionals
  • Cloud Security Professionals


You should possess:

  • A basic understanding of IP Addressing

Environment before

Environment after

About the author

Logan Rakai
Lead Content Developer - Labs

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

Lab steps

Signing In to the Google Cloud Console
Creating a Cloud Router and NAT Gateway
Creating a VM Instance to verify the connection