Cloud NAT rules (original) (raw)
This page provides an overview of Cloud NAT rules for Public NAT. These rules let you define how Cloud NAT is used to connect to the internet.
Cloud NAT rules for Public NAT support source network address translation (SNAT) based on source or destination address.
NAT rules
By default, when you configure a Cloud NAT gateway for Public NAT, packets that are translated by that NAT gateway use the same set of NAT IP addresses to reach all internet addresses. If you need more control over packets that are translated by Cloud NAT, you can add NAT rules.
A NAT rule defines a match condition and a corresponding action. After you specify NAT rules, each packet is matched with each NAT rule. If a packet matches the condition set in a rule, then the action corresponding to that match occurs.
NAT rules for Public NAT support both source and destination address matching:
- In source-based rules, packets are matched by their source IP address. Only IPv4 source addresses are supported.
- In destination-based rules, packets are matched by their destination IP address. Only IPv4 destination addresses are supported.
Combining source- and destination-based conditions in a single NAT rule isn't allowed. For more information, see NAT rules specifications.
Cloud NAT rule configuration examples
This section provides configuration examples for source- and destination-based NAT rules.
Source-based rules
The following example shows how you can use source-based NAT rules.
By default, when a Cloud NAT gateway is configured for IPv4 traffic in a subnet, the gateway provides NAT for the primary internal IP address and alias IP ranges of any VM instance in that subnet. By using source-based NAT rules, you can also configure NAT for VM instances withIP forwarding enabled, as described in the following example.
In this example, Cloud NAT is configured in Subnet A. In the subnet, a VM instance with the primary internal IP address 10.1.1.2 and an alias IP range 10.2.1.0/24 sends traffic to the internet. Consider the following requirements for the VM instance:
- If a packet originates from IP range
192.168.1.0/24, the VM must use NAT IP address203.0.113.10to send traffic to any internet destination. - If a packet originates from IP range
192.168.2.0/24, the VM must use NAT IP address203.0.113.20to send traffic to any internet destination. - If a packet originates from IP address
10.1.1.2or IP range10.2.1.0/24, the VM must use NAT IP address203.0.113.30to send traffic to any internet destination.
Cloud NAT configuration with two source-based rules (click to enlarge).
To fulfill these requirements, you create two source-based NAT rules for forwarded packets and the default rule for packets from the primary internal IP address and the alias IP range of the VM instance:
- Source-based rule 1: if the source address is
192.168.1.0/24, use203.0.113.10to send traffic to the internet. - Source-based rule 2: if the source address is
192.168.2.0/24, use203.0.113.20to send traffic to the internet. - The default rule: for all other packets, use
203.0.113.30to send traffic to the internet.
If the source address of a packet forwarded by the VM instance doesn't match either rule 1 or rule 2, the packet is dropped.
For another example of how you can use source-based NAT rules, seeCloud WAN under the hood: A closer look at its differentiated networking capabilities.
Destination-based rules
The following example shows how to use NAT rules when your destination allows access from only a few IP addresses. We recommend that the traffic to such destinations from your Google Cloud VMs in private subnets be SNAT-translated with only the permitted IP addresses. We recommend that you not use these IP addresses for other destinations.
Consider the following requirements for VMs in Subnet-1 (10.10.10.0/24), which is in Region A of the VPC network test:
- The VMs must use NAT IP address
203.0.113.20to send traffic to destination198.51.100.20/30. - The VMs must use NAT IP address
203.0.113.30to send traffic to destination198.51.100.30or198.51.100.31. - The VMs must use NAT IP address
203.0.113.40to send traffic to any other internet destination.
This VPC network also contains two additional subnets in the same region. These VMs must use NAT IP address 203.0.113.10 to send traffic to any destination.
Cloud NAT configuration with two Cloud NAT gateways (click to enlarge).
You can use NAT rules for this example, but you need two NAT gateways becauseSubnet-1 (10.10.10.0/24) has NAT rules that are different from the other subnets. To create this configuration, follow these steps:
- Create a gateway called
Cloud NAT Gateway 1forSubnet-1with NAT IP address203.0.113.40and add the following rules:- NAT rule 1 in
Cloud NAT Gateway 1: when the destination is198.51.100.20/30, use203.0.113.20for NAT. - NAT rule 2 in
Cloud NAT Gateway 1: when the destination is198.51.100.30or198.51.100.31, use203.0.113.30for NAT.
- NAT rule 1 in
- Create a gateway called
Cloud NAT Gateway 2for the region's other subnets and assign the NAT IP address as203.0.113.10. No NAT rules are needed in this step.
NAT rules specifications
- Cloud NAT supports source- and destination-based rules. Each rule defines a condition that is based on the source or destination address, but not both.
- A rule priority uniquely identifies a NAT rule, from 0 (highest priority) to 65,000 (lowest priority). No two rules can have the same priority.
- Each NAT configuration has a default rule:
- The default rule is applied if no other NAT rule matches in the same NAT configuration.
- The rule priority of the default rule is
65001. - For both source- and destination-based rules, the IP CIDR range of the default rule is
0.0.0.0/0. - The default rule doesn't apply to forwarded packets. To use NAT for these packets, your NAT configuration must include a matching source-based rule. For more information, seeSource-based rules.
- Cloud NAT rules are supported only when the value of the NAT IP allocate option is
MANUAL_ONLY. - All IP addresses configured in a given rule must be of the same tier.
You cannot use a mix of Premium Tier and Standard Tier IP addresses within the same rule (including the default rule). - IP CIDR ranges in match conditions must not overlap across NAT rules. At most, one rule can apply to any given packet. If a packet matches both a source- and destination-based rule, Cloud NAT applies the rule that has higher priority.
You can't create a NAT rule with0.0.0.0/0as the source or destination range because it is used by the default rule. - NAT IP addresses across NAT rules must not overlap.
- A rule must either have a non-empty
Activeor non-emptyDrain IP address. If the rule has an emptyActiveIP address, new connections that match the NAT rule are dropped. - NAT rules cannot be added to a NAT gateway that hasendpoint-independent mapping (EIM) enabled. You can't enable EIM on a NAT gateway that has NAT rules in it.
- The NAT gateway uses the minimum ports per VM configuration value to allocate source ports to VMs for each NAT rule. With 64,512 ports available per NAT IP address, this configuration value determines the total number of VMs that one NAT IP can support. If a VM exhausts its allocated ports for a specific rule, new connections that match that rule are dropped, even if other rules have available ports.
For example, consider a subnet with 16 VMs where the NAT gateway is configured with 4,096 ports per VM. The gateway has two NAT rules (rule-1with one NAT IP address andrule-2with two NAT IP addresses) in addition to the default NAT rule with two NAT IP addresses. In this example, the default andrule-2have sufficient capacity to allocate the required number of ports for all VMs. However,rule-1can't provide the full allocation for all 16 VMs (16 × 4,096) because its single IP address supports only 64,512 ports. Consequently, traffic that matchesrule-1might be dropped for any VM that doesn't receive its full port allocation. - To minimize idle port allocations when using source-based rules, Cloud NAT allocates ports to a VM endpoint only if its primary internal or alias IP address matches the source address that is specified in the NAT rule. For example, if a rule specifies
10.1.1.1but a VM is assigned10.1.1.2, Cloud NAT doesn't allocate ports to that VM for that specific rule.
However, if an eligible VM hasIP forwarding enabled, ports are always allocated because the VM can forward packets for other sources.
Rule expression language
NAT rules are written usingCommon Expression Languagesyntax.
An expression requires two components:
- Attributes that can be inspected in rule expressions.
- Operations that can be performed on the attributes as part of an expression.
For example, the following expression uses the attributes destination.ip and198.51.100.0/24 in the operation inIpRange(). In this case, the expression returns true if destination.ip is within the 198.51.100.0/24 IP address range.
inIpRange(destination.ip, '198.51.100.0/24')
NAT rules support only the following attributes and operations:
Attributes
Attributes represent information from an outgoing packet, such as the source and destination IP address.
| Attribute name | Description |
|---|---|
| source.ip | Source IP address of the packet |
| destination.ip | Destination IP address of the packet |
Operations
The following reference describes the operators that you can use with attributes to define rule expressions.
| Operation | Description |
|---|---|
| inIpRange(string, string) -> bool | inIpRange(x, y) returns true if IP CIDR range y contains IP address_x_. |
| | | |
| == | Equals operator. x == y returnstrue if x is equal to_y_. |
Example expressions
You can match packets based on either source or destination address, but not both.
Examples for source-based matching
Match packets with source IP address 10.0.0.25:
"source.ip == '10.0.0.25'"
Match packets with source IP address 10.0.0.25 or 10.0.0.26:
"source.ip == '10.0.0.25' || source.ip == '10.0.0.26'"
Match packets with source IP address range 10.0.2.0/24:
"inIpRange(source.ip, '10.0.2.0/24')"
Match packets with source IP address 10.0.0.25 or source IP address range10.0.2.0/24:
"source.ip == '10.0.0.25' || inIpRange(source.ip, '10.0.2.0/24')"
Examples for destination-based matching
Match packets with destination IP address 198.51.100.20:
"destination.ip == '198.51.100.20'"
Match packets with destination IP address 198.51.100.20 or198.51.100.21:
"destination.ip == '198.51.100.20' || destination.ip == '198.51.100.21'"
Match packets with destination IP address range 198.51.100.10/30:
"inIpRange(destination.ip, '198.51.100.10/30')"
Match packets with destination IP address 198.51.100.20 or destination IP address range 198.51.100.10/30:
"destination.ip == '198.51.100.20' || inIpRange(destination.ip, '198.51.100.10/30')"