Set up and manage Cloud NAT rules
This page shows you how to configure Cloud NAT rules. Before setting up Cloud NAT rules, read the Cloud NAT rules overview.
Create NAT rules
NAT rules are written using Common Expression Language syntax. For more information about the rule expression language, see Rule expression language.
The example configuration in the following steps fulfills these conditions:
- VMs must use the NAT IP address with resource name IP_ADDRESS1 to send traffic to destination 198.51.100.10.
- VMs must use the NAT IP address with resource name IP_ADDRESS2 or IP_ADDRESS3 to send traffic to 198.51.100.20/30.
You can create one NAT rule to fulfill each of these conditions.
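As an added illustration, not part of the original page or of Google's tooling: a small Python model of how these two match conditions pick the NAT IP address for a given destination. The evaluator covers only the CEL forms this page uses (`destination.ip ==` and `inIpRange()`, optionally joined by `||`); the rule list is constructed to mirror the two conditions above; and the choice that the lowest-numbered matching rule wins is this script's modelling assumption, not something the page states. It is handy for checking, before a rule file is pushed, which destinations fall through to the gateway's default NAT IP addresses.

```python
import ipaddress
import re

# Constructed rule set mirroring the two conditions above (same rule numbers as the page).
RULES = [
    {"ruleNumber": 100, "match": 'destination.ip == "198.51.100.10"',
     "sourceNatActiveIps": ["IP_ADDRESS1"]},
    {"ruleNumber": 200, "match": 'inIpRange(destination.ip, "198.51.100.20/30")',
     "sourceNatActiveIps": ["IP_ADDRESS2", "IP_ADDRESS3"]},
]

# The two CEL forms used on this page, with either quote style around the literal.
_EQUALS = re.compile(r"""^destination\.ip\s*==\s*["']([^"']+)["']$""")
_IN_RANGE = re.compile(r"""^inIpRange\(\s*destination\.ip\s*,\s*["']([^"']+)["']\s*\)$""")


def match_expr(expr, dest_ip):
    """Evaluate a match expression (equality, inIpRange, or several joined by '||')."""
    ip = ipaddress.ip_address(dest_ip)
    for term in expr.split("||"):
        term = term.strip()
        m = _EQUALS.match(term)
        if m:
            if ip == ipaddress.ip_address(m.group(1)):
                return True
            continue
        m = _IN_RANGE.match(term)
        if m:
            if ip in ipaddress.ip_network(m.group(1), strict=False):
                return True
            continue
        raise ValueError(f"unsupported match expression: {term!r}")
    return False


def select_rule(rules, dest_ip):
    """Lowest-numbered rule whose match holds (modelling assumption), or None for the default rule."""
    for rule in sorted(rules, key=lambda r: r["ruleNumber"]):
        if match_expr(rule["match"], dest_ip):
            return rule
    return None


def nat_ips_for(rules, dest_ip, default_ips):
    """NAT IP resource names a VM may use for dest_ip: the rule's active IPs or the gateway defaults."""
    rule = select_rule(rules, dest_ip)
    return rule["sourceNatActiveIps"] if rule else list(default_ips)


if __name__ == "__main__":
    # IP_ADDRESS4 stands in for the gateway's default NAT IP (constructed placeholder).
    for dest in ("198.51.100.10", "198.51.100.22", "198.51.100.24"):
        print(dest, "->", nat_ips_for(RULES, dest, ["IP_ADDRESS4"]))
```

Note that 198.51.100.20/30 covers .20 through .23 only, so 198.51.100.24 matches neither rule and is translated with the gateway's default NAT IP addresses.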
Console
Add a NAT rule to an existing NAT gateway
Add a NAT rule that sends traffic from IP_ADDRESS1 to 198.51.100.10.
- In the Google Cloud console, go to the Cloud NAT page.
- Select your NAT gateway.
- Select Edit.
- Under NAT Rules, select Add new rule.
- In the Match field, enter 198.51.100.10.
- In the IP address menu, select the IP address that you used for IP_ADDRESS1.
- In the Rule number field, enter 100.
- Select Done.
Add a NAT rule that sends traffic from IP_ADDRESS2 or IP_ADDRESS3 to 198.51.100.20/30.
- Under NAT Rules, select Add new rule.
- In the Match field, enter 198.51.100.20/30.
- In the IP address menu, select the IP address that you used for IP_ADDRESS2.
- Select Add IP address, and then select the IP address that you used for IP_ADDRESS3.
- In the Rule number field, enter 200.
- Select Done.
- Select Save to save both rules.
gcloud
You can use the steps in the following sections to create a rule file, create a NAT gateway that uses the rules in the rule file, or add rules to an existing NAT gateway.
Add a NAT rule to an existing NAT gateway
You can add a new NAT rule using the NAT rule create command. Replace NAT_RULE_NUMBER with the desired NAT rule number, and replace the other variables with information matching your configuration.
First, add a NAT rule that sends traffic from IP_ADDRESS1 to 198.51.100.10.
gcloud compute routers nats rules create NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='destination.ip == "198.51.100.10"' \
    --source-nat-active-ips=[IP_ADDRESS1] \
    [--region=REGION] [GLOBAL-FLAG ...]
Next, add a NAT rule that sends traffic from IP_ADDRESS2 or IP_ADDRESS3 to 198.51.100.20/30.
gcloud compute routers nats rules create NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='inIpRange(destination.ip, "198.51.100.20/30")' \
    --source-nat-active-ips=[IP_ADDRESS2],[IP_ADDRESS3] \
    [--region=REGION] [GLOBAL-FLAG ...]
Create a rule file
The following code sample is an example rule file. You can modify this rule file to fit your use case, or skip this step if you already have a rule file.
rules:
- ruleNumber: 100
  match: destination.ip == '198.51.100.10'
  action:
    sourceNatActiveIps:
    - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS1
- ruleNumber: 200
  match: inIpRange(destination.ip, '198.51.100.20/30')
  action:
    sourceNatActiveIps:
    - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS2
    - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS3
Create a NAT gateway using a NAT rule file
The following command creates a NAT gateway and configures it with rules from a NAT rule file. If you already have a NAT gateway configured, see Add a NAT rule to an existing NAT gateway. Replace the variables with information matching your configuration.
gcloud compute routers nats create NAT_NAME \
    --router=ROUTER_NAME \
    --nat-external-ip-pool=[IP_ADDRESS4],[IP_ADDRESS5] \
    --nat-all-subnet-ip-ranges \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]
Update NAT rules
To update your NAT rules, use the steps in the following sections. You can only use rule files with the gcloud command-line tool.
Console
- In the Google Cloud console, go to the Cloud NAT page.
- Select your NAT gateway.
- Select Edit.
- Under Customized rules, click the rule that you want to update.
- In the expanded fields, you can modify any information that you want to change.
- When you are finished making changes, select Done.
- Select Save.
gcloud
Update using a NAT rule file
To use your NAT rule file to update a NAT gateway, use the following command. Replace the variables with information that matches your configuration.
gcloud compute routers nats update NAT_NAME \
    --router=ROUTER_NAME \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]
The following code sample is an example rule file. Note the sourceNatDrainIps action, which prevents new connections to the destination using IP_ADDRESS1 but keeps existing connections.
rules:
- ruleNumber: 100
  match: destination.ip == '198.51.100.10'
  action:
    sourceNatActiveIps:
    - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS2
    sourceNatDrainIps:
    - /projects/PROJECT_ID/regions/REGION/addresses/IP_ADDRESS1
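To make the rule-file layout from the Create a rule file section and the drain transition shown here concrete, the following is an added Python example (not Google's code and not part of this page). It builds the two-rule file from the earlier section, checks it for the mistakes that most often break an update (a rule number used twice, an address listed as both active and draining, a rule left with no active address, an address that is not a full resource path), and then rewrites rule 100 so that IP_ADDRESS1 drains while IP_ADDRESS2 takes over, producing the same file as above. The project ID example-project and region us-central1 are constructed placeholders, and the YAML emitter writes the page's layout by hand so no third-party library is needed.

```python
import copy


def address_url(project, region, name):
    """Full resource path of a reserved regional address, as the rule file expects."""
    return f"/projects/{project}/regions/{region}/addresses/{name}"


def make_rule(rule_number, match, active, drain=()):
    """One entry of the 'rules' list: a CEL match plus active and draining NAT IPs."""
    return {
        "ruleNumber": rule_number,
        "match": match,
        "action": {"sourceNatActiveIps": list(active), "sourceNatDrainIps": list(drain)},
    }


def build_example(project, region):
    """The two rules from the Create a rule file section, with project and region filled in."""
    return [
        make_rule(100, "destination.ip == '198.51.100.10'",
                  [address_url(project, region, "IP_ADDRESS1")]),
        make_rule(200, "inIpRange(destination.ip, '198.51.100.20/30')",
                  [address_url(project, region, "IP_ADDRESS2"),
                   address_url(project, region, "IP_ADDRESS3")]),
    ]


def validate(rules):
    """Return a list of problems; an empty list means the rule set is consistent."""
    problems = []
    numbers = [r["ruleNumber"] for r in rules]
    for n in sorted(set(numbers)):
        if numbers.count(n) > 1:
            problems.append(f"ruleNumber {n} is used more than once")
    for r in rules:
        active = r["action"]["sourceNatActiveIps"]
        drain = r["action"]["sourceNatDrainIps"]
        if not active:
            problems.append(f"rule {r['ruleNumber']}: no active NAT IP left")
        for ip in sorted(set(active) & set(drain)):
            problems.append(f"rule {r['ruleNumber']}: {ip} is both active and draining")
        for ip in active + drain:
            if not ip.startswith("/projects/"):
                problems.append(f"rule {r['ruleNumber']}: {ip} is not a full address resource path")
    return problems


def drain_ip(rules, rule_number, ip_url, replacement=None):
    """Return a copy of rules where ip_url moves from active to draining in rule rule_number.

    Existing connections through ip_url keep working; new connections use the
    remaining active IPs, plus replacement if one is given.
    """
    new_rules = copy.deepcopy(rules)
    for r in new_rules:
        if r["ruleNumber"] != rule_number:
            continue
        action = r["action"]
        if ip_url not in action["sourceNatActiveIps"]:
            raise ValueError(f"{ip_url} is not an active IP of rule {rule_number}")
        action["sourceNatActiveIps"].remove(ip_url)
        if replacement and replacement not in action["sourceNatActiveIps"]:
            action["sourceNatActiveIps"].append(replacement)
        action["sourceNatDrainIps"].append(ip_url)
        return new_rules
    raise ValueError(f"no rule numbered {rule_number}")


def to_yaml(rules):
    """Serialise in the layout shown on this page (plain scalars; no YAML library needed)."""
    lines = ["rules:"]
    for r in rules:
        lines.append(f"- ruleNumber: {r['ruleNumber']}")
        lines.append(f"  match: {r['match']}")
        lines.append("  action:")
        lines.append("    sourceNatActiveIps:")
        lines.extend(f"    - {ip}" for ip in r["action"]["sourceNatActiveIps"])
        if r["action"]["sourceNatDrainIps"]:
            lines.append("    sourceNatDrainIps:")
            lines.extend(f"    - {ip}" for ip in r["action"]["sourceNatDrainIps"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    project, region = "example-project", "us-central1"  # constructed placeholders
    rules = build_example(project, region)
    assert validate(rules) == []
    rotated = drain_ip(rules, 100, address_url(project, region, "IP_ADDRESS1"),
                       replacement=address_url(project, region, "IP_ADDRESS2"))
    assert validate(rotated) == []
    print(to_yaml(rotated))  # save this to a file and pass it with --rules
```

Running validate before each update catches the duplicate-rule-number and active-and-draining cases locally, before the gateway update is attempted.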
Update using a NAT rule command
To update a single NAT rule, use the following command. Replace NAT_RULE_NUMBER with the desired NAT rule number, replace MATCH_CONDITION with the rule's match condition expressed in CEL, and replace the other variables with information that matches your configuration. Note the source-nat-drain-ips option, which prevents new connections to the destination using IP_ADDRESS3 and IP_ADDRESS4, but keeps existing connections.
gcloud compute routers nats rules update NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    --match='MATCH_CONDITION' \
    --source-nat-active-ips=[IP_ADDRESS1],[IP_ADDRESS2] \
    --source-nat-drain-ips=[IP_ADDRESS3],[IP_ADDRESS4] \
    [--region=REGION] [GLOBAL-FLAG ...]
Delete NAT rules
Console
- In the Google Cloud console, go to the Cloud NAT page.
- Select your NAT gateway.
- Select Edit.
- Under Customized rules, hold the pointer over the rule that you want to delete, and then click the delete icon.
- Click Save.
gcloud
To remove a NAT rule from a gateway, you can either remove it from the gateway directly, or remove it from the rule file and update the gateway.
Delete using a NAT rule file
You can remove a NAT rule from your rule file directly, and then update your NAT gateway. The command for updating your NAT gateway is repeated here for convenience. Replace the variables with information that matches your configuration.
gcloud compute routers nats update NAT_NAME \
    --router=ROUTER_NAME \
    --rules=PATH_TO_NAT_RULE_FILE \
    [--region=REGION] [GLOBAL-FLAG ...]
Delete using a NAT rule command
Alternatively, you can use the NAT rule delete command to remove a NAT rule from your gateway. Replace NAT_RULE_NUMBER with the desired NAT rule number, and replace the other variables with information that matches your configuration.
gcloud compute routers nats rules delete NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]
Describe a NAT rule
Console
You can view information about your NAT rules on the Cloud NAT page.
- In the Google Cloud console, go to the Cloud NAT page.
- Select your NAT gateway.
- View the NAT rules.
For additional information about an individual NAT rule, you can do the following:
- Select Edit.
- Under the Customized rules heading, select a NAT rule.
- View the additional information.
- Select Cancel to ensure that you do not save any changes.
gcloud
To describe a NAT rule, use the following command. Replace NAT_RULE_NUMBER with your NAT rule number, and replace the other variables with information that matches your configuration.
gcloud compute routers nats rules describe NAT_RULE_NUMBER \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]
List all NAT rules in a NAT gateway
Console
You can view your NAT rules on the Cloud NAT page.
- In the Google Cloud console, go to the Cloud NAT page.
- Select your NAT gateway.
- View the NAT rules.
gcloud
To list all NAT rules in a NAT gateway, use the following command. This also displays all the NAT IP addresses present in the NAT rules, including the default rule. Replace the variables with information that matches your configuration.
gcloud compute routers nats rules list \
    --router=ROUTER_NAME \
    --nat=NAT_NAME \
    [--region=REGION] [GLOBAL-FLAG ...]