Use Public NAT with Compute Engine

This page shows a demonstration of a Public NAT gateway that provides network address translation services for a Compute Engine VM instance. Before you begin, read the Public NAT overview.

Prerequisites

You need to do the following before setting up Public NAT.

Get IAM permissions

The roles/compute.networkAdmin role gives you permissions to create a NAT gateway on Cloud Router, reserve and assign NAT IP addresses, and specify subnetworks (subnets) whose traffic should use network address translation by the NAT gateway.

Set up Google Cloud

Before you get started, set up the following items in Google Cloud.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.


  3. Verify that billing is enabled for your Google Cloud project.

  4. Install the Google Cloud CLI.

  5. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  6. To initialize the gcloud CLI, run the following command:

    gcloud init

Note:

The Google Cloud CLI instructions on this page assume that you have set your project ID before issuing commands. You can set a project ID with the following command:

    gcloud config set project PROJECT_ID

You can also view a project ID that is already set:

    gcloud config list --format='text(core.project)'

Example

The following is an end-to-end example that demonstrates a sample Public NAT gateway and a sample Compute Engine VM that uses the Public NAT gateway.

Step 1: Create a VPC network and subnet

If you already have a network and subnet, you can skip this step.

Console

  1. In the Google Cloud console, go to the VPC networks page.


  2. Click Create VPC network.

  3. Enter a Name of custom-network1.

  4. Under Subnets, set Subnet creation mode to Custom.

  5. Under New subnet, enter a Name of subnet-us-east-192.

  6. In Region, select us-east4.

  7. Enter an IP address range of 192.168.1.0/24.

  8. Click Done, and then click Create.

gcloud

  1. Create a new custom mode VPC network in your project:

    gcloud compute networks create custom-network1 \
        --subnet-mode custom

  2. Specify the subnet prefix for your first region. In this example, we assign 192.168.1.0/24 to region us-east4.

    gcloud compute networks subnets create subnet-us-east-192 \
        --network custom-network1 \
        --region us-east4 \
        --range 192.168.1.0/24

Terraform

You can use a Terraform module to create a custom Virtual Private Cloud (VPC) network and subnet.

    module "test-vpc-module" {
      source       = "terraform-google-modules/network/google"
      version      = "~> 13.0"
      project_id   = var.project_id # Replace this with your project ID in quotes
      network_name = "custom-network1"
      mtu          = 1460

      subnets = [
        {
          subnet_name   = "subnet-us-east-192"
          subnet_ip     = "192.168.1.0/24"
          subnet_region = "us-east4"
        }
      ]
    }

Step 2: Create a VM instance with no external IP address

Console

  1. In the Google Cloud console, go to the VM instances page.


  2. Click Create instance.

  3. Specify a Name of nat-test-1 for your instance.

  4. Set the Region to us-east4.

  5. Set the Zone to us-east4-c.

  6. Click the Management, security, disks, networking, sole tenancy link.

  7. Click the Networking tab.

  8. Under Network interfaces, click Edit for the VM's default interface.

    1. Set the Network to custom-network1.
    2. Set the Subnetwork to subnet-us-east-192.
    3. Set External IP to None.
    4. Click Done.
  9. To create and start the instance, click Create.

gcloud

    gcloud compute instances create nat-test-1 \
        --image-family debian-9 \
        --image-project debian-cloud \
        --network custom-network1 \
        --subnet subnet-us-east-192 \
        --zone us-east4-c \
        --no-address

Terraform

You can use a Terraform resource to create a VM instance.

    resource "google_compute_instance" "default" {
      project      = var.project_id
      zone         = "us-east4-c"
      name         = "nat-test-1"
      machine_type = "e2-medium"

      boot_disk {
        initialize_params {
          image = "debian-cloud/debian-9"
        }
      }

      network_interface {
        network    = "custom-network1"
        subnetwork = var.subnet # Replace with a reference or self link to your subnet, in quotes
      }
    }

Step 3: Create a firewall rule that allows SSH connections

Console

  1. In the Google Cloud console, go to the Firewall policies page.


  2. Click Create firewall rule.

  3. Enter a Name of allow-ssh.

  4. Specify a Network of custom-network1.

  5. Set Direction of traffic to Ingress.

  6. Set Action on match to Allow.

  7. Set Targets to All instances in the network.

  8. Set Source filter to IPv4 ranges.

  9. Set Source IP ranges to 35.235.240.0/20.

  10. Set Protocols and ports to Specified protocols and ports.

  11. Select the tcp checkbox and enter port 22.

  12. Click Create.

gcloud

    gcloud compute firewall-rules create allow-ssh \
        --network custom-network1 \
        --source-ranges 35.235.240.0/20 \
        --allow tcp:22

Terraform

You can use a Terraform resource to create a firewall rule.

    resource "google_compute_firewall" "rules" {
      project = var.project_id
      name    = "allow-ssh"
      network = var.network # Replace with a reference or self link to your network, in quotes

      allow {
        protocol = "tcp"
        ports    = ["22"]
      }

      source_ranges = ["35.235.240.0/20"]
    }

Step 4: Create IAP SSH permissions for your test instance

In a later step, use Identity-Aware Proxy (IAP) to connect to your test instance.

Console

  1. In the Google Cloud console, go to the Identity-Aware Proxy page.


  2. Select the SSH and TCP resources tab.

  3. To update member permissions on resources, select the checkbox next to All Tunnel Resources > us-east4-c > nat-test-1.

  4. In the right pane, click Add member.

  5. To grant users, groups, or service accounts access to the resources, in the New members field, specify their email addresses.

    If you are just testing this feature, you can enter your own email address.

  6. To grant the members access to the resources through Cloud IAP's TCP forwarding feature, in the Role drop-down list, select Cloud IAP > IAP-secured Tunnel User.

  7. Click Save.

gcloud

This command grants SSH access by using IAP to all VM instances in your project. If you want to grant SSH access by using IAP to an individual VM, use the Google Cloud console instructions.

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=MEMBER_INFO \
        --role=roles/iap.tunnelResourceAccessor

Replace the following:

  • PROJECT_ID: your project ID
  • MEMBER_INFO: a comma-separated list of membertype:email pairs. Examples:
    • For an individual user: user:test-user@example.com
    • For a group: group:admins@example.com
    • For a service account: serviceAccount:test123@example.domain.com

Terraform

You can use a Terraform resource to create IAP SSH permissions for your test instance.

    resource "google_project_iam_member" "project" {
      project = var.project_id
      role    = "roles/iap.tunnelResourceAccessor"
      member  = "serviceAccount:test123@example.domain.com"
    }

Step 5: Log in to nat-test-1 and confirm that it cannot reach the internet

Console

  1. In the Google Cloud console, go to the VM instances page.


  2. For nat-test-1, in the Connect column, click the SSH drop-down arrow, and then select Open in browser window.

  3. At the command prompt of the VM, enter curl example.com and then press Enter.

    You should get no result. If you do, you might have created nat-test-1 with an external IP address, or there might be some other problem. To troubleshoot, see VMs can reach the internet unexpectedly without Cloud NAT.

    To end the command, you might have to enter Ctrl+C.

gcloud

  1. Add a Compute Engine SSH key to your local host:

    ssh-add ~/.ssh/google_compute_engine
  2. Connect to nat-test-1 and run a command:

    gcloud compute ssh nat-test-1 \
        --zone us-east4-c \
        --command "curl example.com" \
        --tunnel-through-iap

    You should get no result. If you do, you might have created nat-test-1 with an external IP address, or there might be some other problem. To troubleshoot, see VMs can reach the internet unexpectedly without Cloud NAT.

    To end the command, you might have to enter Ctrl+C.

Step 6: Create a NAT configuration using Cloud Router

You must create the Cloud Router in the same region as the instances that use Public NAT. Cloud Router is only used to place NAT information onto the VMs. It is not used as part of the actual NAT gateway.

This configuration allows all instances in the region to use Public NAT for all primary and alias IP ranges. It also automatically allocates the external IP addresses for the NAT gateway. For more options, see the Google Cloud CLI documentation.

Note: Public NAT uses Cloud Router only to group NAT configuration information (control plane). Public NAT does not direct a Cloud Router to use BGP or to add routes. NAT traffic does not pass through a Cloud Router (data plane).

Console

  1. In the Google Cloud console, go to the Cloud NAT page.


  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name of nat-config.

  4. Set the VPC network to custom-network1.

  5. Set the Region to us-east4.

  6. Under Cloud Router, select Create new router.

    1. Enter a Name of nat-router.
    2. Click Create.
  7. Click Create.

gcloud

  1. Create a Cloud Router:

    gcloud compute routers create nat-router \
        --network custom-network1 \
        --region us-east4

  2. Add a configuration to the router:

    gcloud compute routers nats create nat-config \
        --router-region us-east4 \
        --router nat-router \
        --nat-all-subnet-ip-ranges \
        --auto-allocate-nat-external-ips

Terraform

You can use a Terraform resource to create a Cloud Router.

    resource "google_compute_router" "router" {
      project = var.project_id
      name    = "nat-router"
      network = var.network
      region  = "us-east4"
    }

You can use a Terraform module to create a NAT configuration.

    module "cloud-nat" {
      source  = "terraform-google-modules/cloud-nat/google"
      version = "~> 5.0"

      project_id                         = var.project_id
      region                             = "us-east4"
      router                             = google_compute_router.router.name
      name                               = "nat-config"
      source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
    }

Step 7: Attempt to connect to the internet again

It might take up to three minutes for the NAT configuration to propagate to the VM, so wait at least a minute before trying to access the internet again.

Console

  1. In the Google Cloud console, go to the VM instances page.


  2. For nat-test-1, in the Connect column, click the SSH drop-down arrow, and then select Open in browser window.

  3. At the command prompt of the VM, enter curl example.com and then press Enter.

gcloud

Connect to nat-test-1 and run a command:

    gcloud compute ssh nat-test-1 \
        --zone us-east4-c \
        --command "curl example.com" \
        --tunnel-through-iap

You should see output that contains the following content:

    <html><head><title>Example Domain</title>
    .........
    </head><body><div>
        <h1>Example Domain</h1>
        <p>This domain is established to be used for illustrative examples in documents. You can use this
        domain in examples without prior coordination or asking for permission.</p>
        <p><a href="http://www.iana.org/domains/example">More information...</a></p>
    </div></body></html>
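The curl test above only tells you the end result. A way to confirm the two conditions it depends on, as an added example that is not Google's code: the script below takes the parsed JSON that gcloud's describe commands print for the VM and the NAT gateway and checks that nat-test-1 carries no external IP (the cause Step 5 names for unexpected connectivity) and that nat-config translates traffic from subnet-us-east-192. The sample documents, the project name my-project and the internal address 192.168.1.2 are constructed assumptions.

```python
# Added example (not Google's code): offline sanity checks on the parsed JSON that
# `gcloud compute instances describe nat-test-1 --format=json` and
# `gcloud compute routers nats describe nat-config --router nat-router --format=json`
# print. Both documents below are constructed samples using Compute Engine API field names.
SUBNET_LINK = ("https://www.googleapis.com/compute/v1/projects/my-project/"
               "regions/us-east4/subnetworks/subnet-us-east-192")

# Constructed: the VM from Step 2, created with --no-address, so its interface has no
# accessConfigs entry (the place an external IP would appear).
INSTANCE = {
    "name": "nat-test-1",
    "networkInterfaces": [{"subnetwork": SUBNET_LINK, "networkIP": "192.168.1.2"}],
}

# Constructed: the NAT configuration from Step 6.
NAT_CONFIG = {
    "name": "nat-config",
    "natIpAllocateOption": "AUTO_ONLY",
    "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
}

def external_ips(instance):
    """Every external IP on the VM; an empty list means egress must go via NAT."""
    return [cfg["natIP"]
            for nic in instance.get("networkInterfaces", [])
            for cfg in nic.get("accessConfigs", [])
            if "natIP" in cfg]

def nat_covers_subnet(nat, subnet_name):
    """True if this NAT gateway translates traffic from the named subnet."""
    mode = nat.get("sourceSubnetworkIpRangesToNat")
    if mode in ("ALL_SUBNETWORKS_ALL_IP_RANGES",
                "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES"):
        return True
    # LIST_OF_SUBNETWORKS: the subnet must be listed explicitly (name or self link).
    return any(s.get("name", "").rsplit("/", 1)[-1] == subnet_name
               for s in nat.get("subnetworks", []))

def check_setup(instance, nat):
    """Summarise whether the VM can reach the internet only through Public NAT."""
    subnet = instance["networkInterfaces"][0]["subnetwork"].rsplit("/", 1)[-1]
    ips = external_ips(instance)
    covered = nat_covers_subnet(nat, subnet)
    return {"subnet": subnet, "external_ips": ips,
            "nat_covers_subnet": covered, "egress_only_via_nat": not ips and covered}

if __name__ == "__main__":
    print(check_setup(INSTANCE, NAT_CONFIG))
```

Feed it the real describe output (for example with json.load on a saved file) to catch a VM that still has an external IP or a NAT gateway in LIST_OF_SUBNETWORKS mode that omits the subnet.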


Last updated 2026-02-19 UTC.