Cloud NAT
Author: Venkata Sudhakar
Google Cloud NAT (Network Address Translation) is a fully managed NAT service that lets VM instances and container pods without external IP addresses reach the internet. It provides outbound connectivity only, so the VMs stay private and unreachable from the internet.

Key Features:
1. No external IPs required - Private VMs can access the internet for updates, APIs, and downloads.
2. Fully managed - No NAT gateway VMs to manage; Google handles scaling and availability.
3. Port allocation - Dynamic or static port allocation per VM instance.
4. Logging - NAT logging via Cloud Logging for monitoring and troubleshooting.
5. Regional - Each Cloud NAT gateway is regional and can cover one or more subnets.

The example below shows how to create a Cloud NAT gateway using gcloud.
It gives the following output:

Created router [my-nat-router].
Created NAT [my-nat-gateway] on router [my-nat-router].
name: my-nat-gateway
natIpAllocateOption: AUTO_ONLY
logConfig:
  enable: true
  filter: ALL
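The gcloud steps that produce a gateway like the one described above (Cloud Router, then a NAT with automatic external IPs, dynamic port allocation and logging of all translations), as an added example that is not the page's own command. The router and NAT names are taken from the output above; PROJECT, REGION and NETWORK are placeholders, and the GCLOUD variable is an assumption added so the script can be dry-run with GCLOUD=echo.

```shell
#!/bin/sh
# Added example (not from the original page): create a regional Cloud NAT
# gateway with logging enabled and read the log config back for review.
# Assumed placeholders: PROJECT, REGION, NETWORK. GCLOUD=echo dry-runs.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project}"        # placeholder
REGION="${REGION:-us-central1}"         # placeholder
NETWORK="${NETWORK:-default}"           # placeholder
ROUTER="${ROUTER:-my-nat-router}"       # name from the output above
NAT="${NAT:-my-nat-gateway}"            # name from the output above

# Step 1: a Cloud Router in the region hosts the NAT configuration.
create_router() {
  "$GCLOUD" compute routers create "$ROUTER" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"
}

# Step 2: the NAT. AUTO_ONLY external IPs, every subnet in the region,
# dynamic port allocation (bounds must be powers of two), and logging of
# every translation (filter ALL) so outbound flows are visible in Cloud Logging.
create_nat() {
  "$GCLOUD" compute routers nats create "$NAT" \
    --project="$PROJECT" --region="$REGION" --router="$ROUTER" \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-dynamic-port-allocation \
    --min-ports-per-vm=64 --max-ports-per-vm=4096 \
    --enable-logging --log-filter=ALL
}

# Step 3: read the log config back; expect "True ALL" on a live project.
check_logging() {
  "$GCLOUD" compute routers nats describe "$NAT" \
    --project="$PROJECT" --region="$REGION" --router="$ROUTER" \
    --format='value(logConfig.enable,logConfig.filter)'
}

if [ "${1:-}" = "apply" ]; then
  create_router
  create_nat
  check_logging
fi
```

Run with `sh nat.sh apply` against a real project, or `GCLOUD=echo sh nat.sh apply` to print the commands without executing them.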
Cloud NAT Use Cases:
- Private VMs - Allow VMs without external IPs to download packages, access APIs, or send data to the internet.
- GKE nodes - Private GKE cluster nodes use Cloud NAT to pull container images from registries.
- Security - Reduces the attack surface by keeping VMs off the public internet while still allowing outbound connections; only VM-initiated connections are translated, so unsolicited inbound traffic from the internet cannot reach the VMs.