GCP Cloud NAT - ghdrako/doc_snipets GitHub Wiki

NAT allows us to hide the original IP address of our VM when communicating with external networks. In the case of GCP, it allows VMs with internal addresses to access the internet.

Types

  • NAT gateway
  • Cloud NAT (recommended)

NAT Gateway

Google allows us to provision a VM that will act as a NAT gateway. This way, you expose only one VM to the internet. The gateway machine needs to be configured with the --can-ip-forward parameter, which allows traffic forwarding. You will also need to create default routes for the subnets that should use the gateway. To eliminate the single point of failure and the lack of scalability, you can create multiple gateways and put them in managed instance groups. Next, you configure routing rules to the NAT gateways with the same priority. In this case, GCP uses equal-cost multi-path (ECMP) routing to distribute the traffic between the NAT gateways.

Cloud NAT

Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet.

Cloud NAT is a regional self-scaling service that's fully managed by Google.

Cloud NAT provides outgoing connectivity for the following resources:

Google Cloud recommends using Cloud NAT when you have many private VMs that need to access public services such as public repositories or upgrades. Cloud NAT can also be used even for a single private VM. In effect, Cloud NAT acts as a gateway that performs source NAT (SNAT) for your VMs.

Whenever Cloud NAT (through Cloud Router) translates a private IP address into a public one and back, the process consists of two different stages. For the outbound traffic, the translation is performed on the source IP address (private to public), and we call it SNAT. For the return packets, it is the destination IP address that is translated (public to private), and that is what we call DNAT.

Cloud NAT embeds Cloud Router to route outbound traffic out of one GCP region. It is a regional service and works in a fully distributed manner as it is a software-defined network (SDN) component.

gcloud compute networks subnets create privatesubnet \
--network=privatenetwork --region=europe-west1 \
--range=10.0.0.0/24 --enable-private-ip-google-access  # create a subnet named privatesubnet and attach it to the privatenetwork VPC network

gcloud compute instances create default-us-vm \
--zone=us-central1-a --network=default                # create a new GCE instance in the default network

gcloud compute instances create mynet-us-vm \
--zone=us-central1-a --network=mynetwork             # create a new GCE instance in mynetwork, zone us-central1-a

gcloud compute instances create privatenetwork-bastion \
--zone=europe-west1-c --subnet=privatesubnet         # bastion host in privatesubnet (keeps its external IP for SSH access)

gcloud compute instances create privatenetwork-eu-vm \
--zone=europe-west1-a --subnet=privatesubnet \
--no-address                                         # private VM with no external IP; outbound traffic must go through Cloud NAT
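The commands above create the private subnet and the VMs but not the NAT itself. The following is an added example (not from this wiki page) that creates the Cloud Router and the Cloud NAT configuration for privatesubnet; the router name privatenetwork-router and the NAT name privatenetwork-nat are assumed.

```shell
#!/bin/sh
# Added example (not from the wiki): Cloud Router + Cloud NAT for the
# privatesubnet created above. Router and NAT names are assumed.
set -eu

NETWORK="privatenetwork"
REGION="europe-west1"            # Cloud NAT is regional: same region as the subnet
SUBNET="privatesubnet"
ROUTER="privatenetwork-router"   # assumed name
NAT="privatenetwork-nat"         # assumed name

# Set GCLOUD=echo to print the commands instead of running them (dry run).
GCLOUD="${GCLOUD:-gcloud}"

# 1. Cloud NAT is attached to a Cloud Router; create one in the subnet's region.
create_router() {
  "$GCLOUD" compute routers create "$ROUTER" \
    --network="$NETWORK" --region="$REGION"
}

# 2. NAT config limited to privatesubnet (other subnets in the VPC are not
#    translated), Google-allocated external IPs, and logging of failed
#    translations so port exhaustion and dropped flows show up in Cloud Logging.
create_nat() {
  "$GCLOUD" compute routers nats create "$NAT" \
    --router="$ROUTER" --region="$REGION" \
    --nat-custom-subnet-ip-ranges="$SUBNET" \
    --auto-allocate-nat-external-ips \
    --enable-logging --log-filter=ERRORS_ONLY
}

# 3. Verify which VMs are being translated and through which external IP/ports.
show_nat_mappings() {
  "$GCLOUD" compute routers get-nat-mapping-info "$ROUTER" --region="$REGION"
}

# Usage (run in order): create_router && create_nat && show_nat_mappings
```

Because the NAT is scoped with --nat-custom-subnet-ip-ranges, VMs in other subnets of privatenetwork get no internet egress unless they are added explicitly.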