GCP Associate Cloud Engineer: Cloud NAT
Cloud NAT (Network Address Translation) is a managed, regional Google Cloud service that allows Compute Engine virtual machine (VM) instances and Google Kubernetes Engine (GKE) containers that do not have external IP addresses to connect to the internet.
The “Office Receptionist” Analogy
Imagine a large office building (Your VPC). Most employees (VMs) don’t have their own direct public phone lines to the outside world for security and cost reasons. However, they still need to call clients or order supplies (Access the Internet).
Cloud NAT is the Office Receptionist. When an employee needs to make an outgoing call, the receptionist handles the connection using the office’s official public number. The person outside only sees the office number, not the employee’s internal extension. Crucially, a stranger cannot call an employee directly unless the employee initiated the call first.
Detail Elaboration: How it Works
Cloud NAT works in conjunction with Cloud Router. While Cloud Router manages the control plane (routing updates), Cloud NAT manages the data plane (the actual translation of traffic). It is not a proxy or a gateway VM; it is a software-defined distributed service that doesn’t create a bottleneck.
Key Features:
- Egress Only: Cloud NAT allows outbound traffic and the responses to those outbound connections. It does not allow unsolicited inbound connections from the internet.
- Highly Available: As a managed service, it scales automatically and is resilient within a region.
- Choke-Point Free: Because it is implemented at the SDN (Software Defined Network) layer, there is no single VM instance that can fail or limit throughput.
Comparison: Outbound Connectivity Options
| Feature | External IP on VM | Cloud NAT | Proxy VM (Self-Managed) |
|---|---|---|---|
| Security | Low (VM exposed to internet) | High (VM stays private) | Medium (Depends on config) |
| Management | Low | Managed by GCP | High (You patch/scale it) |
| Throughput | Per-VM limit | Scales automatically | Limited by VM size |
| Use Case | Public Web Servers | Updates, API calls for private VMs | Deep Packet Inspection |
Scenario-Based Decision Matrix
If/Then Guidance
- IF you have a private GKE cluster that needs to pull images from an external registry… THEN use Cloud NAT.
- IF you need to host a website that users worldwide can browse… THEN use an External HTTP(S) Load Balancer or External IP.
- IF you need to limit outbound traffic to specific URLs (FQDNs)… THEN use Secure Web Proxy (Cloud NAT cannot filter by URL).
- IF you are running out of external IP addresses… THEN use Cloud NAT to share a few IPs across hundreds of VMs.
Exam Tips (ACE Focus)
- The Cloud Router Requirement: You cannot create a Cloud NAT gateway without first having a Cloud Router in the same region and VPC.
- Regionality: Cloud NAT is a regional service. To cover multiple regions, you must deploy a Cloud NAT gateway in each.
- Port Exhaustion: If VMs are making too many simultaneous connections, they might fail due to “Port Exhaustion.” You solve this by increasing the “Minimum ports per VM” or adding more NAT IP addresses.
- No Ingress: Cloud NAT is strictly for outbound traffic. If an exam question asks how to allow internet users to reach a private DB, Cloud NAT is the wrong answer.
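To make the port-exhaustion tip concrete, here is a small capacity check you can run before choosing between "raise minimum ports per VM" and "add NAT IP addresses". This is an added example, not code from the original notes or from Google; it assumes static port allocation with 64,512 usable source ports per NAT IP and that the configured minimum is rounded up to the next power of two, and it simplifies the per-VM limit to concurrent connections toward one destination.

```python
from math import ceil

# Assumption: ports 1024-65535 of each NAT IP are usable, i.e. 64,512 per IP.
PORTS_PER_NAT_IP = 64512


def ports_allocated_per_vm(min_ports: int) -> int:
    """Ports a VM actually receives: the configured minimum rounded up to a
    power of two (assumption about static port allocation)."""
    if min_ports < 1:
        raise ValueError("min_ports must be positive")
    return 1 << (min_ports - 1).bit_length()


def max_vms_per_ip(min_ports: int) -> int:
    """How many VMs one NAT IP can serve at the given allocation."""
    return PORTS_PER_NAT_IP // ports_allocated_per_vm(min_ports)


def nat_ips_required(vm_count: int, min_ports: int) -> int:
    """NAT IPs needed so every VM gets its full port allocation."""
    return ceil(vm_count * ports_allocated_per_vm(min_ports) / PORTS_PER_NAT_IP)


def assess(vm_count: int, min_ports: int, nat_ips: int, peak_same_dest_conns: int) -> dict:
    """Flag the two failure modes the exam tip describes: a NAT IP shortage
    (VMs cannot be allocated ports) and per-VM port exhaustion (one VM opens
    more concurrent connections to a destination than it has ports)."""
    per_vm = ports_allocated_per_vm(min_ports)
    needed = nat_ips_required(vm_count, min_ports)
    findings = []
    if nat_ips < needed:
        findings.append(
            f"ip shortage: {nat_ips} NAT IP(s) configured, {needed} needed for "
            f"{vm_count} VMs at {per_vm} ports each; add NAT IPs or lower min ports")
    if peak_same_dest_conns > per_vm:
        findings.append(
            f"port exhaustion risk: peak {peak_same_dest_conns} concurrent connections "
            f"exceed {per_vm} ports per VM; raise min ports to at least "
            f"{ports_allocated_per_vm(peak_same_dest_conns)}")
    return {"ports_per_vm": per_vm, "nat_ips_required": needed, "findings": findings}


if __name__ == "__main__":
    # Constructed scenario: 500 private VMs, default 64 ports, one NAT IP,
    # each VM peaking at 200 connections to the same API endpoint.
    for min_ports, ips in ((64, 1), (256, 1), (256, 2)):
        print(min_ports, ips, assess(500, min_ports, ips, 200)["findings"])
```

Raising the minimum from 64 to 256 ports removes the exhaustion finding but pushes the 500 VMs past what one NAT IP can hold, so the fix in that scenario is both changes together.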
Cloud NAT Architecture Visualized
- Cloud Router: Mandatory control plane partner.
- Compute Engine: Target VMs residing in private subnets.
- Logging: Can log every connection (NAT logs) for security audits.
- Port Exhaustion: Occurs when too many concurrent connections are opened.
- Static IPs: Forgetting to reserve static NAT IPs can cause issues with external firewalls that whitelist your IPs.
- Auto-Allocation: Let Google manage the number of NAT IP addresses.
- Manual-Allocation: Use when you need to provide specific IPs to a third party for whitelisting.