Tune NAT configuration (original) (raw)
After you set up your Cloud NAT gateway configuration (either Public NAT or Private NAT), you can edit the configuration based on your requirements. This page lists the tasks that you can perform to tune your Cloud NAT configuration.
Editing configurations can be disruptive in nature and can cause existing network address translation (NAT) connections to drop. For more information about the impact of tuning Cloud NAT configurations, see Impact of tuning NAT configurations on existing NAT connections.
View port usage
Before you modify the minimum port usage per VM, review your per-VM port usage. You can get this information by using thecompute.googleapis.com/nat/port_usage metric.
- In the Google Cloud console, go to the Monitoring page.
Go to Monitoring- In the navigation pane, select Metrics Explorer
. - Expand the Select a metric menu, and use the submenus to choose the
compute.googleapis.com/nat/port_usagemetric:- For Resource, select VM instance.
- For Metric category, select Nat.
- For Metric, select Port usage.
- Click Apply.
- To select your Cloud NAT gateway, use the Filters field.
- In the Group by section, for labels, select instance_id.
- In the Grouping function list, select Max.
- Expand More options, and set the Aligner field to max.
- To see usage for the past 30 days, specify
30d.
For more information about using Metrics Explorer, seeSelect metrics when using Metrics Explorer.
- In the navigation pane, select Metrics Explorer
Choose a minimum number of ports per VM
Choosing an appropriate minimum number of ports is important to help you maximize NAT IP addresses usage.
Before you increase the number of ports per VM, consider other strategies for reducing port usage.
If you need to increase the number of ports per VM, start by considering the per-VM port usage in your gateway. For information about how to find this data, see View port usage.
Review your maximum port usage for the past 30 days, or for another period that you think is representative for your Cloud NAT gateway.
Do one of the following:
- If you are using static port allocation, configure the number of ports per VMso that the minimum is equal to your current peak port usage.
- If you are using dynamic port allocation, configure the number of ports per VM so that the minimum is lower than the peak port usage and the maximum is higher than the peak port usage.
Change minimum default ports allocated per VM
For help deciding how to configure the minimum number of ports per VM, seeChoose a minimum number of ports per VM.
For information about the consequences of changing the minimum port allocation, see the following sections:
If your Cloud NAT gateway has dynamic port allocation configured, seeChange minimum or maximum ports when dynamic port allocation is configured.
Console
- In the Google Cloud console, go to the Cloud NAT page.
Go to Cloud NAT - Click your Cloud NAT gateway.
- Click Edit.
- Click Advanced configurations.
- Modify the Minimum ports per VM instance field.
- Click Save.
gcloud
Use thegcloud compute routers nats update command.
This command leaves the other fields in the Cloud NAT configuration unchanged.
gcloud compute routers nats update NAT_CONFIG
--router=ROUTER_NAME
--region=REGION
--min-ports-per-vm=128
Replace the following:
NAT_CONFIG: the name of your Cloud NAT configuration.ROUTER_NAME: the name of your Cloud Router.REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
Change the port allocation method
Static port allocation and dynamic port allocation have different configuration requirements.
Before you update the port allocation type on an existing Cloud NAT gateway, make sure that the Cloud NAT gateway configuration is compatible with that port allocation type. If the configuration is not compatible, the change fails.
- For dynamic port allocation, check that Endpoint-Independent Mappingis disabled.
- Check that the minimum ports per VM setting is a power of 2, and is between 32 and 32,768.
Console
- In the Google Cloud console, go to the Cloud NAT page.
Go to Cloud NAT - Click your Cloud NAT gateway.
- Click Edit.
- Click Advanced configurations.
- Select or deselect Enable Dynamic Port Allocation.
- If needed, adjust the values for Minimum ports per VM instance andMaximum ports per VM instance.
- Click Save.
gcloud
Use thegcloud compute routers nats update command.
This command leaves the other fields in the Cloud NAT configuration unchanged.
gcloud compute routers nats update NAT_CONFIG
--router=ROUTER_NAME
--region=REGION
--enable-dynamic-port-allocation | --no-enable-dynamic-port-allocation
[ --min-ports-per-vm=MIN_PORTS ]
[ --max-ports-per-vm=MAX_PORTS ]
Replace the following:
NAT_CONFIG: the name of your Cloud NAT configuration.ROUTER_NAME: the name of your Cloud Router.REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled,MIN_PORTSmust be a power of2, and can be between32and32768.MAX_PORTS: the maximum number of ports to allocate for each VM.MAX_PORTSmust be a power of2, and can be between64and65536.MAX_PORTSmust be greater thanMIN_PORTS. The default is65536.
Change minimum or maximum ports when dynamic port allocation is configured
After you have configured dynamic port allocation, you can change the minimum or maximum number of ports assigned per VM.
For help deciding how to configure the minimum number of ports per VM, seeChoose a minimum number of ports per VM.
For information about the consequences of changing the minimum port allocation, see the following sections:
Console
- In the Google Cloud console, go to the Cloud NAT page.
Go to Cloud NAT - Click your Cloud NAT gateway.
- Click Edit.
- Click Advanced configurations.
- Adjust the Minimum ports per VM instance and Maximum ports per VM instance fields.
- Click Save.
gcloud
Use thegcloud compute routers nats update command.
This command leaves the other fields in the Cloud NAT configuration unchanged.
gcloud compute routers nats update NAT_CONFIG
--router=ROUTER_NAME
--region=REGION
--min-ports-per-vm=MIN_PORTS
--max-ports-per-vm=MAX_PORTS
Replace the following:
NAT_CONFIG: the name of your Cloud NAT configuration.ROUTER_NAME: the name of your Cloud Router.REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).MIN_PORTS: the minimum number of ports to allocate for each VM. If dynamic port allocation is enabled,MIN_PORTSmust be a power of2, and can be between32and32768.MAX_PORTS: the maximum number of ports to allocate for each VM.MAX_PORTSmust be a power of2, and can be between64and65536.MAX_PORTSmust be greater thanMIN_PORTS.
Modify NAT timeouts
The following sections describe NAT timeouts and how to modify them:
NAT timeouts
Cloud NAT uses the following timeouts. These timeouts apply to both Public NAT and Private NAT, except where noted. You can modify the default timeout values to decrease or increase the rate at which ports are reused. Each timeout value is a balance between efficient use of Cloud NAT resources and possible disruption to active connections, flows, or sessions.
Timeout processing has a variance of up to five seconds, meaning the actual expiration time might occur up to five seconds earlier or later than the configured timeout value. To avoid shortened timeouts, add five seconds to your intended configuration value.
| Timeout | Description | Cloud NAT default | Configurable |
|---|---|---|---|
| UDP Mapping Idle Timeout RFC 4787 REQ-5 | Specifies the time in seconds after which UDP flows must stop sending traffic to endpoints so that the Cloud NAT mappings are removed. UDP Mapping Idle Timeout affects two endpoints that stop sending traffic to each other. It also affects endpoints that take longer to respond, or if there is increased network latency. You can increase the specified timeout value to decrease the rate at which ports can be reused. The larger timeout value means that the ports are held for longer connections and also protects against pauses in traffic over a specific UDP socket. | 30 seconds | Yes |
| TCP Established Connection Idle Timeout RFC 5382 REQ-5 | Specifies the time in seconds that a connection is idle before the Cloud NAT mappings are removed. TCP Established Connection Idle Timeout affects endpoints that take longer to respond, or if there is increased network latency. You can increase the timeout value when you want to open TCP connections and keep the connections open for a long time without a keepalive mechanism in place. | 1200 seconds (20 minutes) | Yes |
| TCP Transitory Connection Idle Timeout RFC 5382 REQ-5 | Specifies the time in seconds that TCP connections can remain in the half-open state before the Cloud NAT mappings can be deleted. TCP Transitory Connection Idle Timeout affects an endpoint when an external endpoint takes a longer period than the specified time, or when there is increased network latency. Unlike the TCP Established Connection Idle Timeout, the TCP Transitory Connection Idle Timeout affects only half-open connections. | 30 seconds Note: Regardless of the value that you set for this timeout, Cloud NAT might require up to an additional 30 seconds before a Cloud NAT source IP address and source port tuple can be used to process a new connection. | Yes |
| TCP TIME_WAIT Timeout RFC 5382 REQ-5 | Specifies the time in seconds that a fully closed TCP connection is retained in the Cloud NAT mappings after the connection expires. TCP TIME_WAIT Timeout protects your internal endpoints from receiving invalid packets that belong to a closed TCP connection that are retransmitted. You can decrease the timeout value to improve the reuse of Cloud NAT ports at the cost of possibly receiving retransmitted packets from an unrelated, previously closed connection. | 120 seconds Note: Regardless of the value that you set for this timeout, Cloud NAT might require up to an additional 30 seconds before a Cloud NAT source IP address and source port tuple can be used to process a new connection. If you are using dynamic port allocation, set this timeout to 15 seconds or more to avoid dropped packets. | Yes |
| ICMP Mapping Idle Timeout (applicable to Public NAT only) RFC 5508 REQ-2 | Specifies the time in seconds after which Internet Control Message Protocol (ICMP) Cloud NAT mappings that don't have any traffic flows are closed. ICMP Mapping Idle Timeout affects an endpoint when the endpoint takes a longer to respond than the specified time, or when there is increased network latency. | 30 seconds | Yes |
Change NAT timeouts
Console
- In the Google Cloud console, go to the Cloud NAT page.
Go to Cloud NAT - Click your Cloud NAT gateway.
- Click Edit.
- Click Advanced configurations.
- Modify any timeout values that you want to change.
- Click Save.
gcloud
Use the gcloud compute routers nats update commandwith the following flags to change these timeout values:
- UDP Mapping Idle Timeout:
--udp-idle-timeout - TCP Established Connection Idle Timeout:
--tcp-established-idle-timeout - TCP Transitory Connection Idle Timeout:
--tcp-transitory-idle-timeout - TCP TIME_WAIT Timeout:
--tcp-time-wait-timeout - ICMP Mapping Idle Timeout:
--icmp-idle-timeout
This command leaves the other fields in the NAT configuration unchanged.
For example, the following command changes the UDP Mapping Idle Timeout value.
gcloud compute routers nats update NAT_CONFIG
--router=ROUTER_NAME
--region=REGION
--udp-idle-timeout=VALUE
Replace the following:
NAT_CONFIG: the name of your Cloud NAT configuration.ROUTER_NAME: the name of your Cloud Router.REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).VALUE: the timeout value (in seconds)
Reset NAT timeouts to default values
Console
- In the Google Cloud console, go to the Cloud NAT page.
Go to Cloud NAT - Click your Cloud NAT gateway.
- Click Edit.
- Click Advanced configurations.
- Remove any user-configured values that you want to reset.
- Click Save.
The removed values are reset to the default values.
gcloud
Use thegcloud compute routers nats update command.
This command leaves the other fields in the Cloud NAT configuration unchanged.
gcloud compute routers nats update NAT_CONFIG
--router=ROUTER_NAME
--region=REGION
--clear-udp-idle-timeout
--clear-icmp-idle-timeout
--clear-tcp-established-idle-timeout
--clear-tcp-time-wait-timeout
--clear-tcp-transitory-idle-timeout
Replace the following:
NAT_CONFIG: the name of your Cloud NAT gateway.ROUTER_NAME: the name of your Cloud Router.REGION: the region of the Cloud NAT to update. If not specified, you might be prompted to select a region (interactive mode only).
Impact of tuning NAT configurations on existing NAT connections
The following table summarizes the impact of tuning Cloud NAT configurations on existing connections.
| Action | Dynamic port allocation | Connection drops |
|---|---|---|
| Enable dynamic port allocation | Disabled → enabled | No if both of the following conditions are true;yes if they aren't: The number of maximum ports per VM is greater than or equal to the previous number of minimum ports per VM. The number of maximum ports per VM is greater than or equal to 1,024. |
| Disable dynamic port allocation | Enabled → disabled | Yes |
| Increase minimum ports per VM | Enabled or disabled | No |
| Decrease minimum ports per VM | Enabled | No |
| Decrease minimum ports per VM | Disabled | Yes |
| Increase maximum ports per VM | Enabled | No |
| Decrease maximum ports per VM | Enabled | Yes |
| Enable or disable endpoint-independent mapping | Disabled | No |
| Change in Cloud NAT timeouts | Enabled or disabled | No |