The NAT rules feature lets you create access rules that define howCloud NAT is used to connect to the internet. NAT rules support sourceNAT based on destination address.
When you configure a NAT gateway without NAT rules, the VMs using that NAT gatewayuse the same set of NAT IP addresses to reach all internet addresses. If youneed more control over packets that pass through Cloud NAT, you canadd NAT rules. A NAT rule defines a match condition and a corresponding action.After you specify NAT rules, each packet is matched with each NAT rule. If apacket matches the condition set in a rule, then the action corresponding tothat match occurs.
Cloud NAT rule configuration example
The following example illustrates how to use NAT rules when your destinationallows access from only a few IP addresses. We recommend that the traffic tosuch destinations from your Google Cloud VMs in private subnets aresource NAT-translated with only the permitted IP addresses. We recommend thatyou do not use these IP addresses for other destinations.
Consider the following requirements for VMs in Subnet-1 (10.10.10.0/24),which is in Region A of the VPC network test:
- The VMs must use NAT IP address
203.0.113.20to send traffic to destination198.51.100.20/30. - The VMs must use NAT IP address
203.0.113.30to send traffic to destination198.51.100.30or198.51.100.31. - The VMs must use NAT IP address
203.0.113.40to send traffic to any otherinternet destination.
This VPC network also contains two additional subnets in thesame region. These VMs must use NAT IP address 203.0.113.10 to send trafficto any destination.
You can use NAT rules for this example, but you need two NAT gateways becauseSubnet-1 (10.10.10.0/24) has NAT rules that are different from the othersubnets. To create this configuration, follow these steps:
- Create a gateway called
Cloud NAT Gateway 1forSubnet-1with NAT IPaddress203.0.113.40and add the following rules:- NAT rule 1 in
Cloud NAT Gateway 1: When the destination is198.51.100.20/30, use source NAT with203.0.113.20. - NAT rule 2 in
Cloud NAT Gateway 1: When the destination is198.51.100.30or198.51.100.31, use source NAT with203.0.113.30.
- NAT rule 1 in
- Create a gateway called
Cloud NAT Gateway 2for the region's other subnetsand assign the NAT IP address as203.0.113.10. No NAT rules are needed inthis step.
NAT rules specifications
Before working with NAT rules, note the following specifications:
- A rule number uniquely identifies a NAT rule. No two rules can have the samerule number.
- Each NAT configuration has a default rule:
- The default rule is applied if no other NAT rule matches in the same NATconfiguration.
- The rule number of the default rule is
65001. - The destination IP CIDR range of the default rule is
0.0.0.0/0.
- Cloud NAT rules are supported only when the value of the NAT IP allocateoption is
MANUAL_ONLY. All IP addresses configured in a given rule must be of the same tier.
You cannot use a mix of Premium Tier and Standard Tier IP addresses withinthe same rule (including the default rule).
Destination IP CIDR ranges in the match condition must not overlap across NATrules. There can be at most one rule that can match any given packet.
You cannot create a NAT rule with a destination IP CIDR range of
0.0.0.0/0,because that range is used in the default rule.NAT IP addresses across NAT rules must not overlap.
See AlsoThe Importance of NAT and VPNA rule must either have a non-empty
Activeor non-emptyDrain IP address.If the rule has an emptyActiveIP address, new connections thatmatch the NAT rule are dropped.NAT rules cannot be added to a NAT gateway that hasEndpoint-Independent Mapping enabled. Youcannot enable Endpoint-Independent Mapping on a NAT gateway thathas NAT rules in it.
In addition, all VMs get ports assigned to them from the value for minimum portsper VM for each Cloud NAT rule. If the ports allocated to a VM from aNAT rule are exhausted, new connections that match the NAT rule are dropped.
For example, if you configure 4,096 ports per VM and have 16 VMs and 2 NAT rules(rule1 with 1 IP address and rule2 with 2 IP addresses), alongside the default rule(default) with 2 IP addresses, all 16 VMs would get 4,096 ports in each bundleof NAT rules. In this example, there are no issues in default or rule2 forall their VMs, but rule1 isn't able to allocate ports for all its VMs.Therefore, traffic from VMs that needs to go through rule1 might be droppedand show signs of being out of resources because the traffic does not use thedefault rule.
Rule expression language
NAT rules are written usingCommon Expression Language syntax.
An expression requires two components:
- Attributes that can be inspected in rule expressions.
- Operations that can be performed on the attributes as part of an expression.
For example, the following expression uses the attributes destination.ip and198.51.100.0/24 in the operation inIpRange(). In this case, the expressionreturns true if destination.ip is within the 198.51.100.0/24 IP address range.
inIpRange(destination.ip, '198.51.100.0/24')
NAT rules support only the following attributes and operations:
Attributes
Attributes represent information from an outgoing packet, such as thedestination IP address.
| Attribute name | Description |
|---|---|
destination.ip | Destination IP address of the packet |
Operations
The following reference describes the operators that you can use with attributesto define rule expressions.
| Operation | Description |
|---|---|
inIpRange(string, string) -> bool | inIpRange(X, Y) returns true if IP CIDR range Y contains the IP address X. |
|| | Logical operator. x || y returns true if x or y is true. |
== | Equals operator. x == y returns true if x is equal to y. |
Example expressions
Match traffic with destination IP address 198.51.100.20.
"destination.ip == '198.51.100.20'"
Match traffic with destination IP address 198.51.100.10/30 or 198.51.100.20.
"inIpRange(destination.ip, '198.51.100.10/30') || destination.ip == '198.51.100.20'"
What's next
- Learn to configure NAT rules.
