Fundamentals of Cloud Network Address Translation (NAT)

Tudip

Tudip

07 May 2019

An IP address is a basic part that a computer needs in order to communicate with other computers or a web server on the internet. The Internet has grown larger than anyone could have ever imagined. So what has the size of the internet to do with Cloud Network Address Translation (NAT)? Everything! This is where NAT comes to the play. Network Address Translation is an Internet standard which enables a local-area network (LAN) to use one set of the IP addresses for internal traffic and another set of addresses for external traffic. Network address translation enables public and private network connections and allows single IP address communication. An IP address is a basic part that a computer needs in order to communicate with other computers or web server on the internet.

Cloud NAT supports Google Compute Engine virtual machines as well as Google Kubernetes Engine containers and offers both manual modes where developers can specify their IPs as well as an automatic mode where IPs are automatically allocated.

Unlike the traditional NAT proxy solutions, the path from instance to destination for Cloud NAT has no NAT proxy instances. Instead, each instance is allocated a unique set of NAT IPs and associated port ranges, which are used by Andromeda, Google’s network virtualization stack to perform NAT.

Internally, Cloud NAT is a software-defined service that uses the Cloud Router resource to group the NAT gateway configurations. Could Routers do not actually perform Cloud NAT? The NAT is made by Andromeda, Google’s network virtualization stack, that allows an instance that uses Cloud NAT has as much external bandwidth as a VM with an external IP and the NAT gateway does not affect Cloud Router’s performance.

Cloud NAT features

Cloud NAT allows Google Cloud Platform (GCP) virtual machine (VM) instances without external IP addresses and private Google Kubernetes Engine (GKE) clusters to connect to the Internet. Cloud NAT is a regional resource that implements outbound NAT in conjunction with a default route to allow your instances to reach the Internet. Hosts outside of the VPC network can only respond to established connections initiated by the instances and cannot initiate their own, new connections to the instances via NAT.

Benefits of Cloud NAT

  1. Security:

    NAT improves the security of any system behind it drastically. Any services running from within that network are inaccessible outside of that network. Thus protecting the platform by only allowing access to external resources without exposing to the Internet.

  2. High availability:

    Cloud NAT provides high availability without user management and intervention. This can be handled for both automatically allocated and manually allocated IP addresses. A failure in a Cloud Router or a NAT gateway does not affect the NAT configuration or result in the inability of a host to perform NAT.

  3. Scalability:

    Cloud NAT scales with the number of instances and the volume of network traffic. The network bandwidth available for each instance is not affected by the number of instances that use a NAT gateway as it automatically adds the required resources to accommodate the traffic originated from the instances.

Using Cloud NAT with GKE Cluster

Let’s go through about using Cloud NAT with Google Kubernetes Engine cluster:

  • Create a private GKE cluster from the Kubernetes Engine page.
  • Create Cloud NAT Gateway
    • Configure the Cloud NAT gateway from the NAT creation page.
    • In case the cloud router is not present, add it from the NAT addition page.
    • Choose the subnet similar to one where the private cluster is created.
  • Fetch the IP address of the NAT gateway by running a pod as an interactive shell to confirm its working.

This way a secured cluster cannot be intercepted by the outside world but the nodes can get public internet resources using the NAT IP address. This IP address can also be whitelisted for the resource to which kubernetes resource wants to connect to.

Cloud NAT is to be priced per region. Pricing is based on the following:

  • an hourly price for the NAT gateway.
  • based on per/GB cost for ingress and egress traffic processed by the gateway
  • egress pricing to send traffic from the VM out of the network remains unchanged

Since the NAT is a single point of entry and exit into a network, the NAT box happens to be a performance bottleneck. Benefits of cloud computing cannot be denied, but the issues involved in it must also be considered to make this paradigm more acceptable.

Read more about Basic Concepts of Networking in Google Cloud Platform

Request a quote