gcloud beta compute routers nats rules update

NAME
gcloud beta compute routers nats rules update - update a Rule in a Compute Engine NAT
SYNOPSIS
gcloud beta compute routers nats rules updateRULE_NUMBER--nat=NAT--router=ROUTER[--async][--match=MATCH][--region=REGION][--source-nat-active-ips=IP_ADDRESS,[IP_ADDRESS,…]][--source-nat-active-ranges=SUBNETWORK,[SUBNETWORK,…]][--clear-source-nat-drain-ips    |--source-nat-drain-ips=IP_ADDRESS,[IP_ADDRESS,…]][--clear-source-nat-drain-ranges    |--source-nat-drain-ranges=SUBNETWORK,[SUBNETWORK,…]][GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA)gcloud beta compute routers nats rules updateis used to update a Rule in a Compute Engine NAT.
EXAMPLES
To drain connections established using address-1 and use address-2 for all newconnections matching Rule 1 in NAT nat-1, run:
gcloudbetacomputeroutersnatsrulesupdate1--nat=nat1--router=my-router--region=us-central1--source-nat-drain-ips=address-1--source-nat-active-ips=address-2
POSITIONAL ARGUMENTS
RULE_NUMBER
Number that uniquely identifies the Rule to update
REQUIRED FLAGS
--nat=NAT
Name of the NAT that contains the Rule
--router=ROUTER
Router to use for NAT.
OPTIONAL FLAGS
--async
Return immediately, without waiting for the operation in progress to complete.
--match=MATCH
CEL Expression used to identify traffic to which this rule applies.
  • Supported attributes (Public NAT): destination.ip
  • Supported attributes (Private NAT): nexthop.hub
  • Supported methods (Public Nat): inIpRange
  • Supported operators (Public NAT): ||, ==
  • Supported operators (Private NAT): ==

Examples of allowed Match expressions (Public NAT):

  • 'inIpRange(destination.ip, "203.0.113.0/24")''
  • 'destination.ip == "203.0.113.7"'
  • 'destination.ip == "203.0.113.7" || inIpRange(destination.ip,"203.0.113.16/25")'

Example of allowed Match expression (Private NAT):

  • nexthop.hub =="//networkconnectivity.googleapis.com/projects/p1/locations/global/hubs/h1"
--region=REGION
Region of the NAT containing the Rule to update. If not specified, you might beprompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

--source-nat-active-ips=IP_ADDRESS,[IP_ADDRESS,…]
External IP Addresses to use for connections matching this rule. This flag issupported only for Public NAT and is required when creating a Public NATgateway.

These must be valid reserved external IP addresses in the same region.

--source-nat-active-ranges=SUBNETWORK,[SUBNETWORK,…]
Subnetworks from which addresses are used for connections matching this rule.This flag is supported only for Private NAT and is required when creating aPrivate NAT gateway.

These must be subnetwork resources in the same region, with purpose set toPRIVATE_NAT.

At most one of these can be specified:
--clear-source-nat-drain-ips
Clear drained IPs from the rule
--source-nat-drain-ips=IP_ADDRESS,[IP_ADDRESS,…]
External IP Addresses to drain connections on.

These must be external IPs previously used as active IPs on this rule. No newconnections will be established using these IPs.

At most one of these can be specified:
--clear-source-nat-drain-ranges
Clear drained ranges from the rule
--source-nat-drain-ranges=SUBNETWORK,[SUBNETWORK,…]
Subnetwork ranges to drain connections on.

These must be subnetworks previously used as active ranges on this rule. No newconnections will be established using these ranges.

GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
This command is currently in beta and might change without notice. Thesevariants are also available:
gcloudcomputeroutersnatsrulesupdate
gcloudalphacomputeroutersnatsrulesupdate

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-19 UTC.