Process Flow - Cloud NAT for private instances

Private VM without public IP

↓

Send outbound traffic

↓

Traffic reaches Cloud NAT

↓

Cloud NAT translates private IP to NAT IP

↓

Traffic goes to internet

↓

Response returns to Cloud NAT

↓

Cloud NAT translates NAT IP back to private IP

↓

Response delivered to VM

Private VMs send outbound traffic which Cloud NAT translates to a public IP, enabling internet access without exposing VM's private IP.

Execution Sample

GCP

resource "google_compute_router" "nat-router" {
  name    = "nat-router"
  network = "default"
  region  = "us-central1"
}

resource "google_compute_router_nat" "nat-config" {
  name   = "nat-config"
  router = google_compute_router.nat-router.name
  region = "us-central1"

  nat_ip_allocate_option = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

Terraform config creates a Cloud Router and Cloud NAT to enable private VMs in all subnetworks to access the internet.

Process Table

Step	Action	Source IP	NAT Translation	Destination	Response Path
1	VM sends outbound request	10.128.0.5 (private)	No translation yet	Internet service	N/A
2	Packet reaches Cloud NAT	10.128.0.5 (private)	Translate to NAT IP (e.g., 35.192.0.1)	Internet service	N/A
3	Internet service receives request	35.192.0.1 (NAT IP)	N/A	Responds to NAT IP	N/A
4	Response arrives at Cloud NAT	35.192.0.1 (NAT IP)	Translate back to 10.128.0.5 (private)	VM	Forward response
5	VM receives response	10.128.0.5 (private)	No translation	VM	Complete communication
6	No inbound unsolicited traffic allowed	N/A	N/A	N/A	N/A

💡 Communication ends after response is delivered to VM; inbound unsolicited traffic blocked by NAT.

Status Tracker

Variable	Start	After Step 2	After Step 4	Final
Source IP	10.128.0.5	35.192.0.1 (NAT IP)	10.128.0.5	10.128.0.5
Destination	Internet service	Internet service	VM	VM
Response Path	N/A	N/A	Forward response	Complete communication

Key Moments - 3 Insights

Why does the VM not need a public IP to access the internet?

Can inbound unsolicited traffic from the internet reach the VM through Cloud NAT?

What happens to the source IP of packets when they leave the VM and reach the internet?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table, what is the source IP seen by the internet service at step 3?

A10.128.0.5 (private IP)

B35.192.0.1 (NAT IP)

CUnknown IP

DVM's public IP

Concept Snapshot

Cloud NAT enables private VMs without public IPs to access the internet.
It translates private IPs to public NAT IPs for outbound traffic.
Inbound unsolicited traffic is blocked for security.
Configured via Cloud Router and NAT resource.
Supports all subnetworks or selected ranges.
Ensures private instances stay secure while accessing external services.

Full Transcript

Cloud NAT allows virtual machines without public IP addresses to access the internet by translating their private IP addresses to a public NAT IP. When a VM sends outbound traffic, it reaches Cloud NAT, which replaces the private IP with a NAT IP before sending it to the internet. Responses from the internet come back to Cloud NAT, which translates the NAT IP back to the VM's private IP and forwards the response. This process enables internet access without exposing the VM's private IP. Cloud NAT blocks inbound unsolicited traffic, enhancing security. The setup involves creating a Cloud Router and configuring Cloud NAT to handle IP translation for private instances.