Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Last Updated: Mar 27, 2024
Leveraging ChatGPT - GenAI as a Microsoft Data Expert
Prerita Agarwal
Data Specialist @
23 Jul, 2024 @ 01:30 PM


Welcome Techies!

With the growing popularity of Cloud and Cloud-based technologies, Cloud security becomes an essential thing as organizations move towards incorporating cloud-based tools and services as a part of their infrastructure.

NAT stands for Network Address translation. Cloud NAT (Network address translation) is a powerful tool that allows Computer Engine and Google Kubernetes Engine (GKE) workloads to access internet resources in a scalable and secure manner without exposing the workloads operating on them to outside access via external IP (Internet Protocol) addresses. Limiting the number of public IP addresses is a best practice for security and is followed by huge organizations very effectively. Cloud NAT (network address translation) enables certain resources without external IP addresses to establish outbound internet connections.

Cloud NAT

This article explains Cloud NAT in-depth and will help you expand your knowledge about this technology. So, let us get started!

Overview of Cloud NAT

Simply put, Cloud NAT is a managed software solution offered by Google Cloud. It configures the underlying Andromeda software that powers VPC networks within Google Cloud. It is a service that enables source network address translation for virtual machines without the need for public IP addresses to be assigned. It also handles destination network address translation for incoming response packets.

Cloud NAT does not accept unsolicited incoming requests from the internet. It only accepts inbound requests as answers to outgoing requests. So, unless an incoming request is a response to a previous outgoing request, it will be denied.

Outgoing connectivity is provided by Cloud NAT for the following resources:

  • Instances of Compute Engine virtual machines (VMs) without external IP addresses
  • Private clusters of Google Kubernetes Engine (GKE) 
  • Cloud Functions instances through Serverless VPC Access
  • App Engine standard environment instances using Serverless VPC Access
  • Cloud Run instances through Serverless VPC Access
Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

The Architecture of Cloud NAT

Cloud NAT is not based on proxy VMs or appliances. It is a software-defined managed service and is distributed in nature. It provides source network address translation (SNAT) for VMs without external IP addresses. For established inbound packets, Cloud NAT also provides destination network address translation (DNAT). It configures the Andromeda Software that powers the Virtual Private Cloud (VPC) network.

Unwanted inbound internet connections are not supported by Cloud NAT. Only packets that arrive as answers to outbound packets are subjected to DNAT.

Architecture of Cloud NAT

Benefits of Cloud NAT

Cloud NAT provides the below-mentioned benefits:

  • Security: Reduces the necessity for individual VMs to have their own external IP addresses. VMs without external IP addresses can connect to the internet, subject to egress firewall rules.
  • Availability: Cloud NAT doesn’t depend on any VMs or a single gateway in your project as it is a software-defined service. You configure NAT gateway on the cloud router and it serves as the control plane for NAT and stores configuration settings that are specified.
  • Performance: Cloud NAT does not reduce the network bandwidth per VM and is implemented by Google’s Andromeda software-defined networking.
  • Scalability: Cloud NAT supports VMs that belong to instance groups that are managed, also including those with autoscaling enabled. Cloud NAT can be configured to automatically scale the number of NAT IP addresses.

NAT Rules

The NAT rules functionality allows you to determine how Cloud NAT connects to the internet by creating access rules. Source NAT based on destination address is supported by NAT rules.

When you establish a NAT gateway without NAT rules, all VMs that utilize that NAT gateway uses the same NAT IP addresses to connect to the internet. You can apply NAT rules to get more control over packets that travel through Cloud NAT. A NAT rule specifies a match condition and an action. Every packet is matched with each NAT rule after you provide them. If a packet matches a rule's condition, the action associated with that match is carried out.

Set Up Cloud NAT 

Prior to setting up the Cloud NAT gateway, some prerequisites are to be followed. The prerequisites of the setup process are as follows:

  • To have permission to create a NAT gateway for the VMs, a person needs to hold the admin role on the network. It is the admin’s work to initiate the NAT gateway through Cloud Router. The admin also takes the lead when it comes to reserving and assigning NAT IP addresses for proper assigning of subnets.
  • It is advisable to have a Google Cloud account and an introduction to GCP and its services prior to starting the process.
  • Then, the user needs to access the Google Cloud console and start a GC project.
  • Then, the billing for your project has to be enabled. The next step is to install and set up the Cloud SDK so that all the required tools are handy to use Google Cloud services.
  • Prior to going to the NAT gateway setup, the project ID is needed to be set up by using the Project ID command line.

Creating a NAT Gateway

With the following set of configurations, create a NAT gateway in the VPC network:

  • The same region as the subnet should be used.
  •  To use the NAT IP address manually, create a new static public IP address.
  • A Cloud router that uses the default settings should be used.
  • The default value should be used for the NAT mapping source.

Cloud NAT with GKE and GCE

GKE stands for Google Kubernetes Engine. It services a managed environment for managing, deploying, and scaling your application using Google infrastructure. The GKE environment consists of multiple machines, specifically, Compute Engine instances grouped together to form a cluster.

By setting up Cloud NAT with GKE or GCE, we have a secure cluster that cannot be intercepted by the outside world, but our nodes may access public internet sites via the NAT IP address. This is also useful if you need to whitelist the IP address of the resource to which the Kubernetes resource (pod) wants to connect.


In order to give you insights into your fleet’s usage of NAT gateways, Cloud NAT exposes key metrics to Cloud Monitoring, the metrics are sent automatically, and you can create custom dashboards, query the metrics and set up alarms.

But to perform monitoring, some Identity and Access Management (IAM) roles are required.

Cloud NAT Policy and Organizational Security

One of the primary benefits of using Cloud NAT is security. Cloud NAT is flexible enough to allow network administrators to configure certain organizational policies. Using this, he or she can introduce some constraints on the accessibility of a private network.

Organizational Policy and Security

A network administrator can construct an unlimited number of subnets and has the authority to create subnetworks that are connected to the main NAT gateway. Furthermore, there are no constraints on which subnets can use the gateway initially. The constraints, however, can be utilized to decide which subnets can use the NAT gateway at any particular time by activating an Organization Policy administrator.

Prerequisites For Setting Up Constraints

IAM Permissions

  • The constraints must be created by someone who has the roles/orgpolicy.policyAdmin role.
  • The user role must be in the host project when utilizing Shared VPC.

Organization Policy Background

If the user has not worked with the organization's policy constraints before, he or she should consider going through the documentation to understand constraints and hierarchy evaluation.

Planning Your Constraints

The constraints can be allowed or denied at the mentioned levels of resource hierarchy:

  • Organization
  • Folder
  • Project
  • Subnetwork

When a constraint is created, it is inherited by all child nodes by default. However, whether or not a given folder inherits from its parents can be decided by Organization Policy Administrator, so it can be said that the inheritance is not automatic.

Audit Logging

Audit Logs are created by Cloud NAT as a part of Cloud Audit logs. In order to help you answer questions like, “What was done, who did it, and when?” within your Cloud resources, Cloud NAT services write audit logs.

Only the audit logs for resources immediately within the Cloud project are stored in your Google Cloud projects. Other Google Cloud resources, such as folders, organizations, and billing accounts, store the entity's audit logs.

The following types of audit logs are available for Cloud NAT:

  • Admin Activity audit logs
    It includes "admin write" operations, which write metadata or configuration data.
    Admin Activity audit logs cannot be disabled.
  • Data Access audit logs
    Includes "admin read" operations that read metadata or configuration information. It also includes "data read" and, "data write" operations that read or write user-provided data.

Also read, kubernetes interview questions

Frequently Asked Questions

Can the same Cloud NAT gateway be used in more than one region?

The answer is NO. You will have to create additional Cloud NAT gateways for other regions or VPC networks if you want to provide connectivity to them, as a Cloud NAT gateway cannot be associated with more than one VPC network or cloud router.

Can Cloud NAT be used to connect a VPC network to another network in order to avoid overlapping IP addresses?

No, Cloud NAT cannot be applied to any custom route with a next hop that is not the default internet gateway. Cloud NAT, for example, cannot apply to traffic delivered to a next hop Cloud VPN tunnel, even if the destination IP address is publicly routable.

Can Cloud NAT be used to communicate between VMs on a VPC network?

No, Cloud NAT is just intended to enable internet connectivity.

Why does a virtual machine (VM) have a set number of ports (64 by default)?

When a Cloud NAT gateway performs NAT on behalf of a VM, it reserves the source address and source port tuples in accordance with the port reservation protocol.

Is Cloud NAT applicable to instances with external IP addresses, such as GKE node VMs?

In general, no. If a VM's network interface has an external IP address, Google Cloud always executes 1-to-1 NAT.


If you reached the end, congratulations on expanding your knowledge about Cloud NAT. So we discussed what Cloud NAT is in simple terms and explained how it works. We then discussed the architecture, benefits, and rules of Cloud NAT, followed by steps to set up Cloud NAT Gateway. This article also gives an insight into Organizational policy constraints set up and audit logging.

To dive deep into the world of Cloud Computing, do check out our blogs on Cloud Computing ArchitectureCloud Server,  and Introduction to Cloud Computing. To know more about Google Cloud Platform certifications, click here.

Please refer to our guided paths on Coding Ninjas Studio to learn more about DSACompetitive ProgrammingJava ProgrammingOperating Systems, etc. Have a look at the interview experiences and interview bundle for placement preparations. And also, enroll in our courses and refer to the mock test and problems available.

Thank you

Do upvote our blogs, keep learning and keep growing!

Happy Reading!

Topics covered
Overview of Cloud NAT
The Architecture of Cloud NAT
Benefits of Cloud NAT
NAT Rules
Set Up Cloud NAT 
Creating a NAT Gateway
Cloud NAT with GKE and GCE
Cloud NAT Policy and Organizational Security
Prerequisites For Setting Up Constraints
IAM Permissions
Organization Policy Background
Planning Your Constraints
Audit Logging
Frequently Asked Questions
Can the same Cloud NAT gateway be used in more than one region?
Can Cloud NAT be used to connect a VPC network to another network in order to avoid overlapping IP addresses?
Can Cloud NAT be used to communicate between VMs on a VPC network?
Why does a virtual machine (VM) have a set number of ports (64 by default)?
Is Cloud NAT applicable to instances with external IP addresses, such as GKE node VMs?