๐ What is Google Cloud NAT?
Google Cloud NAT (Network Address Translation) is a fully managed service that enables outbound internet connectivity for resources in private Google Cloud VPC subnets, without requiring external IP addresses.
In simpler terms: Cloud NAT lets VMs without public IPs access the internet (e.g., to install updates or contact APIs), while remaining inaccessible from the outside.
๐ง Why Use Cloud NAT?
- Secure internet access from private subnets
- No need for bastion hosts or manual NAT gateways
- Supports Compute Engine, GKE nodes, Cloud Run VPC connectors
๐ Key Features of Cloud NAT
| Feature | Description |
|---|---|
| No external IPs required | VMs stay private but still access the internet |
| Managed Service | No need to configure or maintain NAT instances |
| Scalability | Automatically scales to meet connection demand |
| High Availability | Fully distributed across zones with regional failover |
| Logging & Monitoring | Integrated with Cloud Logging and Cloud Monitoring |
| Per Subnet & Per Instance Controls | Choose which VMs or subnets are NATed |
| Static IP support | Option to use reserved static IPs for egress |
| Port Allocation Options | Manual or automatic port management per VM |
๐ Use Cases
| Use Case | Description |
|---|---|
| Private GKE Clusters | Let GKE nodes access the internet without public IPs |
| Private Compute VMs | Allow package updates or API calls while remaining internal |
| Secure Outbound API Access | Talk to third-party APIs without exposing VMs |
| Avoiding External Attack Surface | Keep services invisible to external scanning tools |
๐งฐ How to Set Up Cloud NAT โ Step-by-Step Tutorial
๐งพ Prerequisites
- A GCP project with billing enabled
- A VPC with at least one private subnet
- Compute Engine or GKE nodes without public IPs
โ Step 1: Reserve an External Static IP (Optional)
gcloud compute addresses create nat-ip \
--region=us-central1
โ Step 2: Create a Cloud Router
gcloud compute routers create nat-router \
--network=default \
--region=us-central1
Code language: JavaScript (javascript)
โ Step 3: Create the NAT Configuration
gcloud compute routers nats create nat-config \
--router=nat-router \
--region=us-central1 \
--nat-custom-subnet-ip-ranges=default \
--nat-external-ip-pool=nat-ip \
--enable-logging
Code language: JavaScript (javascript)
Explanation:
nat-custom-subnet-ip-ranges=defaultโ Applies to the default subnetnat-external-ip-pool=nat-ipโ Uses the static IP created earlier--enable-loggingโ Enables Cloud NAT logs
โ Step 4: Test NAT Access
Spin up a VM without a public IP and test:
gcloud compute instances create vm-nat-test \
--subnet=default \
--no-address \
--zone=us-central1-a
gcloud compute ssh vm-nat-test --zone=us-central1-a
Code language: JavaScript (javascript)
Once inside:
curl https://api.ipify.org
Code language: JavaScript (javascript)
You should get the external IP address of your NAT gateway!
๐ Logging and Monitoring
Enable VPC flow logs and NAT logging to track:
- Number of connections
- Ports used
- Source and destination
- Bandwidth consumption
This is useful for compliance, debugging, and capacity planning.
๐ Alternatives to Cloud NAT
| Service | Use When |
|---|---|
| NAT instance (manual) | You need custom firewall/NAT logic |
| Cloud Proxy (IAP) | For authenticated user access from outside |
| VPN/Interconnect | For hybrid connectivity, not just internet |
| AWS NAT Gateway | Equivalent in AWS ecosystem |
| Azure NAT Gateway | Equivalent in Azure ecosystem |
โ๏ธ Cloud NAT vs NAT Instance
| Feature | Cloud NAT | NAT Instance |
|---|---|---|
| Managed | โ | โ |
| Scalable | โ | ๐ซ (manually configured) |
| HA/Failover | โ | โ (requires manual setup) |
| Logging | โ | Manual setup needed |
| Maintenance | None | Requires patching, scaling, monitoring |
๐งพ Real-World Example: Private GKE with NAT
A company has a private GKE cluster for running microservices. To access external APIs and pull container updates:
- The nodes have no public IPs
- Cloud NAT + Cloud Router is configured
- No exposure to internet scanners
- Traffic logs are enabled for audit
Outcome:
- Secure architecture
- Reduced operational effort
- Improved compliance posture
๐ Summary
| Capability | Cloud NAT |
|---|---|
| Enable outbound internet for private VMs | โ |
| No public IPs required | โ |
| Fully managed | โ |
| Works with Compute Engine, GKE, Cloud Run VPC | โ |
| Logging & Monitoring | โ |
| Scalable & HA | โ |
โ Conclusion
Google Cloud NAT is an essential component for securely allowing internet access from private Google Cloud networks. It’s reliable, scalable, and easy to set up โ making it a go-to tool in cloud-native and security-conscious environments.
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals