Logs and metrics

Logging

Cloud NAT logging lets you log NAT connections and errors. When Cloud NAT logging is enabled, one log entry can be generated for each of the following scenarios:

  • When a network connection using NAT is created.
  • When a packet is dropped because no port was available for NAT.

You can choose to log both kinds of events, or only one or the other.

Created logs are sent to Cloud Logging.

Specifications

The following specifications apply to Cloud NAT logging:

  • Cloud NAT logging handles TCP and UDP traffic only.

  • Cloud NAT logging only logs dropped packets if they are egress (outbound) TCP and UDP packets. It does not log dropped incoming packets. For example, if an inbound response to an outbound request is dropped for any reason, no error is logged.

Each VM instance can only generate a certain number of log entries per unit time, proportional to its number of vCPUs. The VM can generate 50-100 log entries per second per vCPU.

  • This rate threshold affects the number of events that can be logged. Even if some events are filtered out, their occurrence counts toward the number of possible log entries. Limiting logs to only errors or only network address translation connections does not necessarily increase the number of viewed log entries. For example, if you choose to log only successful connections, periods of excessive failed connection attempts and NAT errors can still restrict the number of successful connection log entries.

  • Cloud NAT logging does not log every single packet. Even if the VM's rate threshold has not been reached, some conditions can cause events to be omitted from the log. You should rely on the presence of entries in Cloud NAT logging to make informed decisions, but you must not assume that the absence of entries means that an event didn't happen.

Configure logging

To configure Cloud NAT logging, follow these steps.

Enable logging

If logging is enabled, all collected logs are sent to Cloud Logging by default. You can filter these so that only certain logs are sent.

You can also specify these values when you create or edit a NAT gateway. The following directions show how to enable logging for an existing NAT gateway.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. In the Logging section, select one of the following:

    • No logging: disables logging
    • Translation and errors: sends all logs to Logging
    • Translation only: sends a log only when a connection is created; does not log dropped packets
    • Errors only: sends a log when a packet is dropped because no port was available; does not log new connections

  6. Click Save.

gcloud

Use the gcloud compute routers nats update command.

The following commands enable logging for an existing NAT gateway.

In each command, replace the following:

  • NAT_GATEWAY: the name of the NAT gateway
  • ROUTER_NAME: the name of the Cloud Router that hosts the NAT gateway
  • REGION: the region of the Cloud Router

To log network address translation events and errors:

    gcloud compute routers nats update NAT_GATEWAY \
        --router=ROUTER_NAME \
        --region=REGION \
        --enable-logging

To log only network address translation events:

    gcloud compute routers nats update NAT_GATEWAY \
        --router=ROUTER_NAME \
        --region=REGION \
        --enable-logging \
        --log-filter=TRANSLATIONS_ONLY

To log only errors:

    gcloud compute routers nats update NAT_GATEWAY \
        --router=ROUTER_NAME \
        --region=REGION \
        --enable-logging \
        --log-filter=ERRORS_ONLY

Clear log filters

If you have a filter set, you can clear it. Clearing a log filter means that both network address translation events and errors are logged, provided that logging is enabled.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. In the Logging section, select Translation and errors.

  6. Click Save.

gcloud

Use the gcloud compute routers nats update command. The --log-filter=ALL flag in the following command sets the log filter to accept all logs.

    gcloud compute routers nats update NAT_GATEWAY \
        --router=ROUTER_NAME \
        --region=REGION \
        --log-filter=ALL

Replace the following:

  • NAT_GATEWAY: the name of the NAT gateway
  • ROUTER_NAME: the name of the Cloud Router that hosts the NAT gateway
  • REGION: the region of the Cloud Router

Disable logging

To disable logging, do the following:

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. In the Logging section, select No logging.

  6. Click Save.

gcloud

Use the gcloud compute routers nats update command.

    gcloud compute routers nats update NAT_GATEWAY \
        --router=ROUTER_NAME \
        --region=REGION \
        --no-enable-logging

Replace the following:

  • NAT_GATEWAY: the name of the NAT gateway
  • ROUTER_NAME: the name of the Cloud Router that hosts the NAT gateway
  • REGION: the region of the Cloud Router

Determine logging status

To determine the status for logging, do the following:

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

  2. Click your NAT gateway.

  3. Click Edit.

  4. Click Advanced configurations.

  5. Inspect the selections in the Logging section.

gcloud

    gcloud compute routers nats describe NAT_GATEWAY \
        --router=ROUTER_NAME \
        --region=REGION

Replace the following:

  • NAT_GATEWAY: the name of the NAT gateway
  • ROUTER_NAME: the name of the Cloud Router that hosts the NAT gateway
  • REGION: the region of the Cloud Router

View logs

To view NAT logs, do the following:

Console

  1. In the Google Cloud console, go to the Logs Explorer page.

    • To see all NAT logs, in the Log name menu, select Cloud NAT Gateway.
    • To see logs for only one region, in the Log name menu, select Cloud NAT Gateway, and then slide the cursor right to select a region.
    • To see logs for only one gateway, in the Log name menu, select Cloud NAT Gateway, and then slide the cursor right to select a region. Slide the cursor right again to select a single gateway.

Alternatively, enter the following expression into the query editor:

    resource.type="nat_gateway"
    logName="projects/{#project_id}/logs/compute.googleapis.com%2Fnat_flows"

gcloud

    gcloud logging read 'resource.type=nat_gateway' \
        --limit=10 \
        --format=json

Where:

  • resource.type=nat_gateway: limits the output to your NAT gateways
  • --limit=10: limits the output to 10 entries; you can input a different value to see more or fewer entries, or omit it entirely to see a continuous scroll of logs
  • --format=json: displays the output in JSON format

For more options, see Reading log entries.

You can configure the export of logs-based metrics for resource logs.

What is logged

Cloud NAT log entries contain information useful for monitoring and debugging your NAT traffic. Log entries contain the following types of information:

  • General information shown in most Google Cloud logs, such as severity, project ID, project number, and timestamp.
  • Specific information related to Cloud NAT. Some log fields contain entries that are themselves multiple fields. These entries and field descriptions are shown in the following tables.

Log fields

| Field | Value | Meaning |
| --- | --- | --- |
| connection | object (NatIpConnection) | 7-tuple describing the source VM IP address and port, NAT source IP address and port, destination IP address and port, and IP address protocol of this connection. |
| allocation_status | enum | Indicates whether this connection was successfully allocated or dropped. One of OK or DROPPED. |
| gateway_identifiers | object (NatGateway) | The NAT gateway configuration that the connection used. |
| endpoint | object (InstanceDetails) | VM instance details. In a Shared VPC configuration, project_id corresponds to the service project. |
| vpc | object (VpcDetails) | Virtual Private Cloud (VPC) network details. In a Shared VPC configuration, project_id corresponds to that of the host project. |
| destination | object (DestinationDetails) | Details of the destination of the connection. |

NatIpConnection field format

| Field | Type | Description |
| --- | --- | --- |
| src_ip | string | Source IP address |
| src_port | int32 | Source port |
| nat_ip | string | NAT IP address |
| nat_port | int32 | NAT assigned port |
| dest_ip | string | Destination IP address [1] |
| dest_port | int32 | Destination port |
| protocol | int32 | IANA protocol number |

[1] For NAT64, this field is populated with the destination IPv4-embedded IPv6 address.

NatGateway field format

| Field | Type | Description |
| --- | --- | --- |
| gateway_name | string | Name of the NAT gateway |
| router_name | string | Cloud Router associated with the NAT gateway |
| region | string | Region of the Cloud Router |

InstanceDetails field format

| Field | Type | Description |
| --- | --- | --- |
| project_id | string | ID of the project containing the VM |
| vm_name | string | Instance name of the VM |
| region | string | Region of the VM |
| zone | string | Zone of the VM |

VpcDetails field format

| Field | Type | Description |
| --- | --- | --- |
| project_id | string | ID of the project containing the network |
| vpc_name | string | Network on which the VM is operating |
| subnetwork_name | string | Subnet on which the VM is operating |

DestinationDetails field format

| Field | Type | Description |
| --- | --- | --- |
| geo_location | object (GeographicDetails) | If the destination of the connection was external to Google Cloud, this field is populated with available location metadata. |
| instance | object (InstanceDetails) | If the destination of the connection is an instance within the same project as the source, this field is populated with VM instance details. |
| vpc | object (VpcDetails) | If the destination of the connection is within the same project as the source, this field is populated with the destination VPC network details. If the destination is a cross-project VPC network, then this field will display a blank. |

GeographicDetails field format

| Field | Type | Description |
| --- | --- | --- |
| continent | string | Continent for external endpoints |
| country | string | Country for external endpoints |
| region | string | Region for external endpoints |
| city | string | City for external endpoints |
| asn | string | The autonomous system number (ASN) of the external network to which this endpoint belongs. |

Examples

Example 1: NAT-ed TCP connection record from a VM instance in a Shared VPC network going to an external server in France.

    {
      insertId: "1the8juf6vab1t"
      jsonPayload: {
        connection: {
          Src_ip: "10.0.0.1"
          Src_port: 45047
          Nat_ip: "203.0.113.17"
          Nat_port: 34889
          dest_ip: "198.51.100.142"
          Dest_port: 80
          Protocol: "tcp"
        }
        allocation_status: "OK"
        Gateway_identifiers: {
          Gateway_name: "my-nat-1"
          router_name: "my-router-1"
          Region: "europe-west1"
        }
        Endpoint: {
          Project_id: "service-project-1"
          Vm_name: "vm-1"
          Region: "europe-west1"
          Zone: "europe-west1-b"
        }
        Vpc: {
          Project_id: "host-project"
          Vpc_name: "network-1"
          Subnetwork_name: "subnetwork-1"
        }
        Destination: {
          Geo_location: {
            Continent: "Europe"
            Country: "France"
            Region: "Nouvelle-Aquitaine"
            City: "Bordeaux"
          }
        }
      }
      logName: "projects/host-project/logs/compute.googleapis.com%2Fnat_flows"
      receiveTimestamp: "2018-06-28T10:46:08.123456789Z"
      resource: {
        labels: {
          region: "europe-west1-d"
          project_id: "host-project"
          router_id: "987654321123456"
          gateway_name: "my-nat-1"
        }
        type: "nat_gateway"
      }
      labels: {
        nat.googleapis.com/instance_name: "vm-1"
        nat.googleapis.com/instance_zone: "europe-west1-b"
        nat.googleapis.com/nat_ip: "203.0.113.17"
        nat.googleapis.com/network_name: "network-1"
        nat.googleapis.com/router_name: "my-router-1"
        nat.googleapis.com/subnetwork_name: "subnetwork-1"
      }
      timestamp: "2018-06-28T10:46:00.602240572Z"
    }

Example 2: Record for a packet dropped because there were no available ports. Sending VM was trying to reach the external IP address of another VM in the same project.

    {
      insertId: "1the8juf6vab1l"
      jsonPayload: {
        connection: {
          Src_ip: "10.0.128.1"
          Src_port: 45047
          dest_ip: "192.0.2.87"
          Dest_port: 80
          Protocol: "tcp"
        }
        allocation_status: "DROPPED"
        Gateway_identifiers: {
          Gateway_name: "my-nat-2"
          Cloud_router: "my-router-1"
          Region: "europe-west1"
        }
        Endpoint: {
          Project_id: "service-project-1"
          Vm_name: "vm-1"
          Region: "europe-west1"
          Zone: "europe-west1-b"
        }
        Vpc: {
          Project_id: "host-project"
          Vpc_name: "network-1"
          Subnetwork_name: "subnetwork-1"
        }
        Destination: {
          Instance: {
            Project_id: "service-project-1"
            Vm_name: "vm-2"
            Region: "asia-east1"
            Zone: "asia-east1-b"
          }
        }
      }
      logName: "projects/host-project/logs/compute.googleapis.com%2Fnat_flows"
      receiveTimestamp: "2018-06-28T10:46:09.123456789Z"
      resource: {
        labels: {
          region: "europe-west1-d"
          project_id: "host-project"
          router_id: "987654321123456"
          gateway_name: "my-nat-2"
        }
        type: "nat_gateway"
      }
      timestamp: "2018-06-28T10:46:01.602240572Z"
    }
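
An added example (not part of the Cloud NAT documentation) showing how these fields support incident response: it maps a NAT IP address and port observed by a remote party back to the source VM, and counts DROPPED entries per VM and destination. It assumes entries exported with gcloud logging read --format=json, the lowercase field names from the Log fields tables, and UTC timestamps ending in Z; the sample entries and the function names are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `gcloud logging read ... --format=json` output,
# trimmed to the fields used below. Addresses are documentation ranges.
SAMPLE = json.loads("""
[
 {"timestamp": "2018-06-28T10:46:00.602240572Z", "jsonPayload": {
   "allocation_status": "OK",
   "connection": {"src_ip": "10.0.0.1", "src_port": 45047,
                  "nat_ip": "203.0.113.17", "nat_port": 34889,
                  "dest_ip": "198.51.100.142", "dest_port": 80, "protocol": 6},
   "endpoint": {"project_id": "service-project-1", "vm_name": "vm-1"}}},
 {"timestamp": "2018-06-28T10:52:10.000000001Z", "jsonPayload": {
   "allocation_status": "OK",
   "connection": {"src_ip": "10.0.0.2", "src_port": 51000,
                  "nat_ip": "203.0.113.17", "nat_port": 34889,
                  "dest_ip": "198.51.100.9", "dest_port": 443, "protocol": "tcp"},
   "endpoint": {"project_id": "service-project-1", "vm_name": "vm-2"}}},
 {"timestamp": "2018-06-28T10:46:01.602240572Z", "jsonPayload": {
   "allocation_status": "DROPPED",
   "connection": {"src_ip": "10.0.128.1", "src_port": 45047,
                  "dest_ip": "192.0.2.87", "dest_port": 80, "protocol": 6},
   "endpoint": {"project_id": "service-project-1", "vm_name": "vm-1"}}},
 {"timestamp": "2018-06-28T10:46:02.100000000Z", "jsonPayload": {
   "allocation_status": "DROPPED",
   "connection": {"src_ip": "10.0.128.1", "src_port": 45048,
                  "dest_ip": "192.0.2.87", "dest_port": 80, "protocol": 6},
   "endpoint": {"project_id": "service-project-1", "vm_name": "vm-1"}}}
]
""")

IANA_PROTO = {6: "tcp", 17: "udp"}  # Cloud NAT logging covers TCP and UDP only


def parse_ts(ts):
    """Parse a Z-suffixed timestamp; nanoseconds are truncated to microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6]))


def proto_name(value):
    """Accept the IANA number from the field table or the name seen in the examples."""
    text = str(value).lower()
    return IANA_PROTO.get(int(text), text) if text.isdigit() else text


def attribute(entries, nat_ip, nat_port, seen_at, dest_ip=None, max_age_s=600):
    """Find the latest OK translation of nat_ip:nat_port at or before seen_at.

    NAT ports are reused over time, so only entries logged within max_age_s
    before the observation are considered. dest_ip narrows the match when the
    report includes it. Returns a dict describing the source VM, or None.
    """
    when, best = parse_ts(seen_at), None
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        conn = payload.get("connection", {})
        if payload.get("allocation_status") != "OK":
            continue  # DROPPED entries carry no nat_ip / nat_port
        if conn.get("nat_ip") != nat_ip or int(conn.get("nat_port", -1)) != nat_port:
            continue
        if dest_ip and conn.get("dest_ip") != dest_ip:
            continue
        ts = parse_ts(entry["timestamp"])
        age = (when - ts).total_seconds()
        if 0 <= age <= max_age_s and (best is None or ts > best[0]):
            best = (ts, payload.get("endpoint", {}), conn)
    if best is None:
        return None
    ts, endpoint, conn = best
    return {
        "vm_name": endpoint.get("vm_name"),
        "project_id": endpoint.get("project_id"),
        "src": f"{conn.get('src_ip')}:{conn.get('src_port')}",
        "protocol": proto_name(conn.get("protocol")),
        "logged_at": ts.isoformat(),
    }


def drop_summary(entries):
    """Count DROPPED entries per (vm_name, dest_ip, dest_port), most frequent first."""
    drops = Counter()
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        if payload.get("allocation_status") == "DROPPED":
            conn = payload.get("connection", {})
            vm = payload.get("endpoint", {}).get("vm_name")
            drops[(vm, conn.get("dest_ip"), conn.get("dest_port"))] += 1
    return drops.most_common()


if __name__ == "__main__":
    print(attribute(SAMPLE, "203.0.113.17", 34889, "2018-06-28T10:47:00Z"))
    print(attribute(SAMPLE, "203.0.113.17", 34889, "2018-06-28T10:53:00Z"))
    print(drop_summary(SAMPLE))
```

A None result from attribute is not proof that no translation occurred, because Cloud NAT logging is rate limited and can omit events.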

Pricing for Cloud NAT logging

See Logging pricing.

Monitoring

Cloud NAT exposes key metrics to Cloud Monitoring that give you insights into your fleet's usage of NAT gateways.

Metrics are sent automatically to Cloud Monitoring. There, you can create custom dashboards, set up alerts, and query the metrics.

Following are the required Identity and Access Management (IAM) roles:

  • For Shared VPC users with VMs and NAT gateways defined in different projects, access to the VM level metrics requires the roles/monitoring.viewer IAM role for the project of each VM.

  • For the NAT gateway resource, access to the gateway metrics requires the roles/monitoring.viewer IAM role for the project that contains the gateway.

View predefined dashboards

Cloud NAT provides a set of predefined dashboards that display activity across your gateway:

  • Open connections
  • Egress data processed by NAT (rate)
  • Ingress data processed by NAT (rate)
  • Port usage
  • NAT allocation errors
  • Dropped sent packets rate
  • Dropped received packets rate

To view predefined dashboards from the details page of a particular gateway, follow these steps:

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

  2. Click an existing gateway.

  3. Click the Monitoring tab.

  4. Scroll to see all the dashboards. You can change the view from 1 hour to 30 days by using the control at the top of the page. Hovering over a point on the graph gives you details for that specific time.

Define custom dashboards

To create a custom dashboard to view VM instance metrics or NAT gateway metrics, follow these steps:

Console

  1. In the Google Cloud console, go to the Dashboards page.

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. Click Create dashboard.
  3. Optional: Update the dashboard title with a descriptive name for your dashboard.
  4. Click Add Widget and then select Metric.
  5. Expand the Metric menu, enter Cloud NAT Gateway or VM Instance in the filter bar, and then use the submenus to select a specific resource type and metric:
    1. In the Active resources menu, select Cloud NAT Gateway or VM Instance.
    2. In the Active metric categories menu, select Nat.
    3. In the Active metrics menu, select the metric that you want to view.
    4. Click Apply.
  6. Combine time series:
    • To display every time series, in the Aggregation element, ensure the first menu is set to Unaggregated and the second menu is set to None.
    • To combine time series, in the Aggregation element, use the first menu to select a function and the second menu to select the labels. If the second menu is set to None, then the chart displays one time series.

      For example, to display the average value of time series after grouping by zone, set the first menu to Mean and the second to zone.

    For information about combining time series, see Choose how to display charted data.

  7. For each additional widget that you want to add to your dashboard, click Add widget, complete the dialog, and then select Apply.

    For more information about adding widgets, see the following pages:

Define alerting policies

To create a metrics-based alerting policy, follow these steps:

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

  1. In the Google Cloud console, go to the Alerting page.

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
  3. From the Alerting page, select Create policy.
  4. To select the metric, expand the Select a metric menu and then do the following:
    1. To limit the menu to relevant entries, enter Cloud NAT gateway or VM Instance into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
    2. For the Resource type, select Cloud NAT gateway or VM Instance.
    3. Select a Metric category and a Metric, and then select Apply.
  5. Click Next.
  6. The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
  7. Click Next.
  8. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
  9. Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
  10. Optional: Click Documentation, and then add any information that you want included in a notification message.
  11. Click Alert name and enter a name for the alerting policy.
  12. Click Create Policy.

For more information, see Alerting overview.

Metric reporting frequency and retention

Metrics for Cloud NAT are batched and exported to Monitoring every one minute. Monitoring data is retained for six weeks.

By default, the dashboard provides data analysis for the past hour (1h). You can request analysis for a different time interval either by selecting one of the preconfigured intervals from the menu or by manually entering the time interval you want. For example: 3h (for 3 hours) or 4d (for 4 days) or 6w (for six weeks).

VM instance metrics

The "metric type" strings in this table must be prefixed with compute.googleapis.com/. That prefix has been omitted from the entries in the table.

nat/allocated_ports (GA)
  Display name: Allocated ports
  Kind, Type, Unit: GAUGE, INT64, {port}
  Monitored resources: gce_instance
  Description: Number of ports allocated to a VM by the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • nat_ip: The NAT IP allocated to the NAT gateway.

nat/closed_connections_count (GA)
  Display name: Closed connections count
  Kind, Type, Unit: DELTA, INT64, {connection}
  Monitored resources: gce_instance
  Description: Count of connections closed over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/dropped_received_packets_count (GA)
  Display name: Received packets dropped count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: gce_instance
  Description: Count of received packets dropped by the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/dropped_sent_packets_count (GA)
  Display name: Sent packets dropped count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: gce_instance
  Description: Count of sent packets dropped by the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.
    • reason: The reason for the packet drop. Possible values are OUT_OF_RESOURCES, ENDPOINT_INDEPENDENCE_CONFLICT.

nat/new_connections_count (GA)
  Display name: New connections count
  Kind, Type, Unit: DELTA, INT64, {connection}
  Monitored resources: gce_instance
  Description: Count of new connections created over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/open_connections (GA)
  Display name: Open connections
  Kind, Type, Unit: GAUGE, INT64, {connection}
  Monitored resources: gce_instance
  Description: Number of connections open on the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/port_usage (GA)
  Display name: Port usage
  Kind, Type, Unit: GAUGE, INT64, {port}
  Monitored resources: gce_instance
  Description: Maximum number of connections from a VM to a single destination endpoint (IP:port). Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/received_bytes_count (GA)
  Display name: Received bytes count
  Kind, Type, Unit: DELTA, INT64, By
  Monitored resources: gce_instance
  Description: Count of bytes received (destination -> source) through the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/received_packets_count (GA)
  Display name: Received packets count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: gce_instance
  Description: Count of packets received (destination -> source) through the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/sent_bytes_count (GA)
  Display name: Sent bytes count
  Kind, Type, Unit: DELTA, INT64, By
  Monitored resources: gce_instance
  Description: Count of bytes sent (source -> destination) over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/sent_packets_count (GA)
  Display name: Sent packets count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: gce_instance
  Description: Count of packets sent (source -> destination) over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 165 seconds.
  Labels:
    • nat_project_number: The project number to which the NAT gateway belongs.
    • router_id: The Cloud Router ID to which the NAT gateway belongs.
    • nat_gateway_name: The name of the NAT gateway.
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

VM instance filtering dimensions

| label_key | Type | Description |
| --- | --- | --- |
| project_id | STRING | The project ID of the VM instance. |
| instance_id | STRING | The ID of the VM instance. |
| zone | STRING | The zone of the VM instance. |
| nat_project_number | STRING | The project number to which the NAT gateway belongs. |
| router_id | STRING | The Cloud Router ID to which the NAT gateway belongs. |
| nat_gateway_name | STRING | The name of the NAT gateway. |
| nat_ip | STRING | The NAT IP address allocated to the NAT gateway. Valid for metrics allocated_ports. |
| ip_protocol | STRING | The protocol of the connection. Can be TCP, UDP or ICMP. Valid for all metrics except allocated_ports. |
| reason | STRING | The reason for the packet drop. Possible values are: OUT_OF_RESOURCES, if Cloud NAT runs out of NAT IP addresses or ports; ENDPOINT_INDEPENDENCE_CONFLICT, when an endpoint independent conflict arises. Valid for metrics dropped_sent_packets_count. |

NAT gateway metrics

The "metric type" strings in this table must be prefixed with router.googleapis.com/. That prefix has been omitted from the entries in the table.

nat/allocated_ports (GA)
  Display name: Allocated ports
  Kind, Type, Unit: GAUGE, INT64, {port}
  Monitored resources: nat_gateway
  Description: Number of ports allocated to all VMs by the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • nat_ip: NAT IP of the ports.

nat/closed_connections_count (GA)
  Display name: Closed connections count
  Kind, Type, Unit: DELTA, INT64, {connection}
  Monitored resources: nat_gateway
  Description: Count of connections closed over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/dropped_received_packets_count (GA)
  Display name: Received packets dropped count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: nat_gateway
  Description: Count of received packets dropped by the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/dropped_sent_packets_count (GA)
  Display name: Sent packets dropped count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: nat_gateway
  Description: Count of sent packets dropped by the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.
    • reason: The reason for the packet drop. Possible values are OUT_OF_RESOURCES, ENDPOINT_INDEPENDENCE_CONFLICT.

nat/nat_allocation_failed (GA)
  Display name: NAT allocation failed
  Kind, Type, Unit: GAUGE, BOOL
  Monitored resources: nat_gateway
  Description: Indicates if there is a failure in allocating NAT IPs to any VM in the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 120 seconds.

nat/new_connections_count (GA)
  Display name: New connections count
  Kind, Type, Unit: DELTA, INT64, {connection}
  Monitored resources: nat_gateway
  Description: Count of new connections created over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/open_connections (GA)
  Display name: Open connections
  Kind, Type, Unit: GAUGE, INT64, {connection}
  Monitored resources: nat_gateway
  Description: Number of connections open on the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/port_usage (GA)
  Display name: Port usage
  Kind, Type, Unit: GAUGE, INT64, {port}
  Monitored resources: nat_gateway
  Description: Maximum number of connections from a VM to a single destination endpoint (IP:port). Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/received_bytes_count (GA)
  Display name: Received bytes count
  Kind, Type, Unit: DELTA, INT64, By
  Monitored resources: nat_gateway
  Description: Count of bytes received (destination -> source) through the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/received_packets_count (GA)
  Display name: Received packets count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: nat_gateway
  Description: Count of packets received (destination -> source) through the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/sent_bytes_count (GA)
  Display name: Sent bytes count
  Kind, Type, Unit: DELTA, INT64, By
  Monitored resources: nat_gateway
  Description: Count of bytes sent (source -> destination) over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

nat/sent_packets_count (GA)
  Display name: Sent packets count
  Kind, Type, Unit: DELTA, INT64, {packet}
  Monitored resources: nat_gateway
  Description: Count of packets sent (source -> destination) over the NAT gateway. Sampled every 60 seconds. After sampling, data isn't visible for up to 225 seconds.
  Labels:
    • ip_protocol: The protocol of the connection. Can be TCP, UDP or ICMP.

Gateway filtering dimensions

| label_key | Type | Description |
| --- | --- | --- |
| project_id | STRING | The project ID of the gateway. |
| region | STRING | The region of the gateway. |
| router_id | STRING | The Cloud Router ID to which the NAT gateway belongs. |
| gateway_name | STRING | The name of the NAT gateway. |
| ip_protocol | STRING | The protocol of the connection. Can be TCP, UDP or ICMP. Valid for all metrics except allocated_ports. |
| nat_ip | STRING | The NAT IP address allocated to the NAT gateway. Valid for metrics allocated_ports. |
| reason | STRING | The reason for the packet drop. Possible values are: OUT_OF_RESOURCES, if Cloud NAT runs out of NAT IP addresses or ports; ENDPOINT_INDEPENDENCE_CONFLICT, when an endpoint independent conflict arises. Valid for metrics dropped_sent_packets_count. |

Query metrics using the Monitoring API

You can construct arbitrary queries over the Cloud NAT metrics by using the Monitoring API's v3 projects.timeSeries.list request.

API example

Getting allocated ports of a VM, with 1m aggregates. timeSeries.list parameters:

  • name: projects/PROJECT_ID
  • Filter: resource.type = "gce_instance" AND metric.name="compute.googleapis.com/nat/allocated_ports" AND metric.labels.nat_gateway_name="nat-1-237227-1569344091-5"
  • interval.start_time: 2019-09-24T16:58:53Z
  • interval.end_time: 2019-09-24T16:58:53Z
  • aggregation.alignmentPeriod: 60s
  • aggregation.crossSeriesReducer: REDUCE_SUM
  • aggregation.perSeriesAligner: ALIGN_SUM

    "timeSeries": [
      {
        "resource": {
          "labels": {
            "instance_id": "1406292833167995938",
            "project_id": "PROJECT_ID",
            "zone": "us-west1-c"
          },
          "type": "gce_instance"
        },
        "metric": {
          "labels": {
            "nat_ip": "70.32.157.11",
            "nat_gateway_name": "nat-1-237227-1569344091-5",
            "nat_project_number": "PROJECT_NUMBER",
            "router_id": "1380055590921303155"
          },
          "type": "compute.googleapis.com/nat/allocated_ports"
        },
        "metricKind": "GAUGE",
        "points": [
          {
            "interval": {
              "endTime": "2019-09-24T16:58:53.699Z",
              "startTime": "2019-09-24T16:58:53.699Z"
            },
            "value": {
              "int64Value": "64"
            }
          }
        ],
        "valueType": "INT64"
      },

Pricing for Cloud NAT monitoring

There is no cost for Cloud NAT monitoring.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.