
Cloud NAT for private instances in GCP - Commands & Configuration

Introduction
Private instances in a cloud network cannot access the internet directly. Cloud NAT lets these instances send requests outside without exposing them to incoming internet traffic.
Typical situations where Cloud NAT is the right fit:
- When you have virtual machines without public IP addresses that need to download software updates.
- When private instances must access external APIs or services securely without exposing their IPs.
- When you want to keep your instances isolated from the internet but still allow outbound connections.
- When you want to reduce security risks by avoiding public IPs on your instances.
- When you need to manage internet access centrally for many private instances.
Config File - cloud_nat.yaml
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeRouter
metadata:
  name: example-router
  namespace: default
spec:
  networkRef:
    name: example-vpc
  region: us-central1
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeRouterNat
metadata:
  name: example-nat
  namespace: default
spec:
  routerRef:
    name: example-router
  region: us-central1
  natIpAllocateOption: AUTO_ONLY
  sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
  logConfig:
    enable: true
    filter: "ERRORS_ONLY"

This file creates a Cloud Router named example-router in the us-central1 region linked to the example-vpc network. Then it creates a Cloud NAT configuration example-nat attached to that router.

The NAT uses automatic IP allocation (Google assigns the external NAT IPs) and applies to all subnetworks and all IP ranges in the VPC. Logging is enabled with the ERRORS_ONLY filter, so only failed translations (for example, a connection that could not be allocated a NAT port) are logged; successful translations are not recorded.

Commands
This command creates the Cloud Router and Cloud NAT resources in your Google Cloud project using the configuration file. The YAML uses Config Connector resource types (apiVersion compute.cnrm.cloud.google.com), so it must be applied to a Kubernetes cluster that has Config Connector installed and a namespace mapped to the target project.
Terminal
kubectl apply -f cloud_nat.yaml
Expected output:
computerouter.compute.cnrm.cloud.google.com/example-router created
computerouternat.compute.cnrm.cloud.google.com/example-nat created
This command checks the details of the Cloud NAT configuration to confirm it is set up correctly.
Terminal
gcloud compute routers nats describe example-nat --router=example-router --region=us-central1
Expected output:
name: example-nat
region: us-central1
natIpAllocateOption: AUTO_ONLY
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
logConfig:
  enable: true
  filter: ERRORS_ONLY
--router - Specifies the router the NAT is attached to
--region - Specifies the region of the router and NAT
This command shows the private instance's network interfaces so you can confirm it has no external IP (no accessConfigs entry with a natIP). An instance without an external IP in a subnetwork covered by the NAT sends its outbound internet traffic through Cloud NAT.
Terminal
gcloud compute instances describe private-instance-1 --zone=us-central1-a
Expected output:
name: private-instance-1
networkInterfaces:
- networkIP: 10.128.0.5
  accessConfigs: []
--zone - Specifies the zone of the instance
Key Concept

Cloud NAT allows private instances without public IPs to access the internet securely by translating their outbound traffic through a managed gateway.

Common Mistakes
Mistake: Not creating a Cloud Router before setting up Cloud NAT
Why: Cloud NAT requires a Cloud Router to function; without it, NAT cannot be configured.
Fix: Always create and configure a Cloud Router in the same region and network before creating Cloud NAT.

Mistake: Assigning public IPs to private instances expecting NAT to be used
Why: If instances have public IPs, they do not use Cloud NAT for outbound traffic, defeating the purpose of private instances.
Fix: Ensure instances have no external IPs to use Cloud NAT for outbound internet access.

Mistake: Not specifying the correct subnetworks or IP ranges in NAT configuration
Why: Cloud NAT will not apply to instances outside the specified subnetworks, causing connectivity failures.
Fix: Use ALL_SUBNETWORKS_ALL_IP_RANGES or specify subnetworks explicitly to cover all private instances.
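The verification commands above and the two instance-related mistakes (an instance with an external IP silently bypasses NAT; an instance in a subnetwork the NAT does not cover has no egress) can be checked in one pass over gcloud's JSON output. The script below is an added example, not code from the original page or from Google; it assumes the JSON shapes returned by `gcloud compute routers nats describe ... --format=json` and `gcloud compute instances list --format=json`, and the embedded sample documents are constructed to mirror the page's example resources (the instance names, subnetwork name and the 203.0.113.10 address are made up).

```python
"""Audit Cloud NAT coverage from gcloud JSON output.

Added example, not code from the original page. It assumes the JSON shapes
returned by these two commands (--format=json is a standard gcloud flag):
  gcloud compute routers nats describe example-nat --router=example-router \
      --region=us-central1 --format=json
  gcloud compute instances list --format=json
The sample documents embedded below are constructed to mirror the page's
example resources; they are not captured gcloud output.
"""
import json

# Constructed sample: the NAT configuration described on the page.
NAT_JSON = """{
  "name": "example-nat",
  "natIpAllocateOption": "AUTO_ONLY",
  "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
  "logConfig": {"enable": true, "filter": "ERRORS_ONLY"}
}"""

# Constructed subnetwork URL (project and subnet names are hypothetical).
SUBNET = ("https://www.googleapis.com/compute/v1/projects/example-project"
          "/regions/us-central1/subnetworks/example-subnet")

# Constructed sample: one private instance and one that was given an
# external IP, the "Common Mistakes" case that bypasses Cloud NAT entirely.
INSTANCES_JSON = json.dumps([
    {"name": "private-instance-1",
     "networkInterfaces": [{"networkIP": "10.128.0.5", "subnetwork": SUBNET}]},
    {"name": "public-instance-1",
     "networkInterfaces": [{"networkIP": "10.128.0.6", "subnetwork": SUBNET,
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                               "natIP": "203.0.113.10"}]}]},
])


def nat_covers_subnet(nat, subnet_url):
    """True if the NAT's source-range setting includes this subnetwork."""
    mode = nat.get("sourceSubnetworkIpRangesToNat")
    if mode in ("ALL_SUBNETWORKS_ALL_IP_RANGES",
                "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES"):
        return True
    if mode == "LIST_OF_SUBNETWORKS":
        # Explicit subnets are listed by URL; compare the last path segment
        # so a short name in a fixture matches too (same-region assumed).
        want = subnet_url.rsplit("/", 1)[-1]
        return any(s.get("name", "").rsplit("/", 1)[-1] == want
                   for s in nat.get("subnetworks", []))
    return False


def external_ip(iface):
    """Return the external IP of an interface, or None if it has none."""
    for cfg in iface.get("accessConfigs", []):
        if cfg.get("natIP"):
            return cfg["natIP"]
    return None


def classify_instances(nat, instances):
    """Map instance name -> 'via-nat', 'external-ip:<ip>' or 'no-egress'."""
    result = {}
    for inst in instances:
        verdict = "no-egress"
        for iface in inst.get("networkInterfaces", []):
            ip = external_ip(iface)
            if ip:
                verdict = "external-ip:" + ip   # egress bypasses Cloud NAT
                break
            if nat_covers_subnet(nat, iface.get("subnetwork", "")):
                verdict = "via-nat"
        result[inst["name"]] = verdict
    return result


def logging_findings(nat):
    """Report NAT logging state; ERRORS_ONLY hides successful translations."""
    log = nat.get("logConfig") or {}
    if not log.get("enable"):
        return ["NAT logging is disabled"]
    if log.get("filter") == "ERRORS_ONLY":
        return ["NAT logs errors only; successful translations are not recorded"]
    return []


def run_audit(nat_json=NAT_JSON, instances_json=INSTANCES_JSON):
    """Parse both documents and return (instance verdicts, logging findings)."""
    nat = json.loads(nat_json)
    return classify_instances(nat, json.loads(instances_json)), logging_findings(nat)


if __name__ == "__main__":
    verdicts, findings = run_audit()
    for name, verdict in sorted(verdicts.items()):
        print(f"{name}: {verdict}")
    for finding in findings:
        print("note:", finding)
```

Any instance reported as `external-ip:` is reachable from the internet and is not using the NAT, and any `no-egress` instance sits in a subnetwork the NAT does not cover; both match the mistakes listed above. The logging note is informational: ERRORS_ONLY is the page's choice, and TRANSLATIONS_ONLY or ALL would be needed if you want a record of which private instance made a given outbound connection.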
Summary
1. Create a Cloud Router in your VPC network and region.
2. Configure Cloud NAT attached to the router to enable internet access for private instances.
3. Verify the NAT setup and confirm private instances have no public IP but can reach the internet.