| subcategory | description |
|---|---|
Compute Engine |
A NAT service created in a router. |
A NAT service created in a router.
~> Note: Recreating a google_compute_address that is being used by google_compute_router_nat will give a resourceInUseByAnotherResource error.
Use lifecycle.create_before_destroy on this address resource to avoid this type of error as shown in the Manual Ips example.
To get more information about RouterNat, see:
- API documentation
- How-to Guides
resource "google_compute_network" "net" {
name = "my-network"
}
resource "google_compute_subnetwork" "subnet" {
name = "my-subnetwork"
network = google_compute_network.net.id
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
}
resource "google_compute_router" "router" {
name = "my-router"
region = google_compute_subnetwork.subnet.region
network = google_compute_network.net.id
bgp {
asn = 64514
}
}
resource "google_compute_router_nat" "nat" {
name = "my-router-nat"
router = google_compute_router.router.name
region = google_compute_router.router.region
nat_ip_allocate_option = "AUTO_ONLY"
source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
log_config {
enable = true
filter = "ERRORS_ONLY"
}
}resource "google_compute_network" "net" {
name = "my-network"
}
resource "google_compute_subnetwork" "subnet" {
name = "my-subnetwork"
network = google_compute_network.net.id
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
}
resource "google_compute_router" "router" {
name = "my-router"
region = google_compute_subnetwork.subnet.region
network = google_compute_network.net.id
}
resource "google_compute_address" "address" {
count = 2
name = "nat-manual-ip-${count.index}"
region = google_compute_subnetwork.subnet.region
lifecycle {
create_before_destroy = true
}
}
resource "google_compute_router_nat" "nat_manual" {
name = "my-router-nat"
router = google_compute_router.router.name
region = google_compute_router.router.region
nat_ip_allocate_option = "MANUAL_ONLY"
nat_ips = google_compute_address.address.*.self_link
source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
subnetwork {
name = google_compute_subnetwork.subnet.id
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}
}resource "google_compute_network" "net" {
name = "my-network"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "subnet" {
name = "my-subnetwork"
network = google_compute_network.net.id
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
}
resource "google_compute_router" "router" {
name = "my-router"
region = google_compute_subnetwork.subnet.region
network = google_compute_network.net.id
}
resource "google_compute_address" "addr1" {
name = "nat-address1"
region = google_compute_subnetwork.subnet.region
}
resource "google_compute_address" "addr2" {
name = "nat-address2"
region = google_compute_subnetwork.subnet.region
}
resource "google_compute_address" "addr3" {
name = "nat-address3"
region = google_compute_subnetwork.subnet.region
}
resource "google_compute_router_nat" "nat_rules" {
name = "my-router-nat"
router = google_compute_router.router.name
region = google_compute_router.router.region
nat_ip_allocate_option = "MANUAL_ONLY"
nat_ips = [google_compute_address.addr1.self_link]
source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
subnetwork {
name = google_compute_subnetwork.subnet.id
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}
rules {
rule_number = 100
description = "nat rules example"
match = "inIpRange(destination.ip, '1.1.0.0/16') || inIpRange(destination.ip, '2.2.0.0/16')"
action {
source_nat_active_ips = [google_compute_address.addr2.self_link, google_compute_address.addr3.self_link]
}
}
enable_endpoint_independent_mapping = false
}resource "google_compute_network" "net" {
provider = google-beta
name = "my-network"
}
resource "google_compute_subnetwork" "subnet" {
provider = google-beta
name = "my-subnetwork"
network = google_compute_network.net.id
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
purpose = "PRIVATE_NAT"
}
resource "google_compute_router" "router" {
provider = google-beta
name = "my-router"
region = google_compute_subnetwork.subnet.region
network = google_compute_network.net.id
}
resource "google_network_connectivity_hub" "hub" {
provider = google-beta
name = "my-hub"
description = "vpc hub for inter vpc nat"
}
resource "google_network_connectivity_spoke" "spoke" {
provider = google-beta
name = "my-spoke"
location = "global"
description = "vpc spoke for inter vpc nat"
hub = google_network_connectivity_hub.hub.id
linked_vpc_network {
exclude_export_ranges = [
"198.51.100.0/24",
"10.10.0.0/16"
]
uri = google_compute_network.net.self_link
}
}
resource "google_compute_router_nat" "nat_type" {
provider = google-beta
name = "my-router-nat"
router = google_compute_router.router.name
region = google_compute_router.router.region
source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
enable_dynamic_port_allocation = false
enable_endpoint_independent_mapping = false
min_ports_per_vm = 32
type = "PRIVATE"
subnetwork {
name = google_compute_subnetwork.subnet.id
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}
rules {
rule_number = 100
description = "rule for private nat"
match = "nexthop.hub == \"//networkconnectivity.googleapis.com/projects/acm-test-proj-123/locations/global/hubs/my-hub\""
action {
source_nat_active_ranges = [
google_compute_subnetwork.subnet.self_link
]
}
}
}The following arguments are supported:
-
name- (Required) Name of the NAT service. The name must be 1-63 characters long and comply with RFC1035. -
source_subnetwork_ip_ranges_to_nat- (Required) How NAT should be configured per Subnetwork. IfALL_SUBNETWORKS_ALL_IP_RANGES, all of the IP ranges in every Subnetwork are allowed to Nat. IfALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, all of the primary IP ranges in every Subnetwork are allowed to Nat.LIST_OF_SUBNETWORKS: A list of Subnetworks are allowed to Nat (specified in the field subnetwork below). Note that if this field contains ALL_SUBNETWORKS_ALL_IP_RANGES or ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, then there should not be any other RouterNat section in any Router for this network in this region. Possible values are:ALL_SUBNETWORKS_ALL_IP_RANGES,ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES,LIST_OF_SUBNETWORKS. -
router- (Required) The name of the Cloud Router in which this NAT will be configured.
-
nat_ip_allocate_option- (Optional) How external IPs should be allocated for this NAT. Valid values areAUTO_ONLYfor only allowing NAT IPs allocated by Google Cloud Platform, orMANUAL_ONLYfor only user-allocated NAT IP addresses. Possible values are:MANUAL_ONLY,AUTO_ONLY. -
initial_nat_ips- (Optional) Self-links of NAT IPs to be used as initial value for creation alongside a RouterNatAddress resource. Conflicts with natIps and drainNatIps. Only valid if natIpAllocateOption is set to MANUAL_ONLY. -
nat_ips- (Optional) Self-links of NAT IPs. Only valid if natIpAllocateOption is set to MANUAL_ONLY. If this field is used alongside with a count created list of address resourcesgoogle_compute_address.foobar.*.self_link, the access level resource for the address resource must have alifecycleblock withcreate_before_destroy = trueso the number of resources can be increased/decreased without triggering theresourceInUseByAnotherResourceerror. -
drain_nat_ips- (Optional) A list of URLs of the IP resources to be drained. These IPs must be valid static external IPs that have been assigned to the NAT. -
subnetwork- (Optional) One or more subnetwork NAT configurations. Only used ifsource_subnetwork_ip_ranges_to_natis set toLIST_OF_SUBNETWORKSStructure is documented below. -
min_ports_per_vm- (Optional) Minimum number of ports allocated to a VM from this NAT. Defaults to 64 for static port allocation and 32 dynamic port allocation if not set. -
max_ports_per_vm- (Optional) Maximum number of ports allocated to a VM from this NAT. This field can only be set when enableDynamicPortAllocation is enabled. -
enable_dynamic_port_allocation- (Optional) Enable Dynamic Port Allocation. If minPortsPerVm is set, minPortsPerVm must be set to a power of two greater than or equal to 32. If minPortsPerVm is not set, a minimum of 32 ports will be allocated to a VM from this NAT config. If maxPortsPerVm is set, maxPortsPerVm must be set to a power of two greater than minPortsPerVm. If maxPortsPerVm is not set, a maximum of 65536 ports will be allocated to a VM from this NAT config. Mutually exclusive with enableEndpointIndependentMapping. -
udp_idle_timeout_sec- (Optional) Timeout (in seconds) for UDP connections. Defaults to 30s if not set. -
icmp_idle_timeout_sec- (Optional) Timeout (in seconds) for ICMP connections. Defaults to 30s if not set. -
tcp_established_idle_timeout_sec- (Optional) Timeout (in seconds) for TCP established connections. Defaults to 1200s if not set. -
tcp_transitory_idle_timeout_sec- (Optional) Timeout (in seconds) for TCP transitory connections. Defaults to 30s if not set. -
tcp_time_wait_timeout_sec- (Optional) Timeout (in seconds) for TCP connections that are in TIME_WAIT state. Defaults to 120s if not set. -
log_config- (Optional) Configuration for logging on NAT Structure is documented below. -
endpoint_types- (Optional) Specifies the endpoint Types supported by the NAT Gateway. Supported values include:ENDPOINT_TYPE_VM,ENDPOINT_TYPE_SWG,ENDPOINT_TYPE_MANAGED_PROXY_LB. -
rules- (Optional) A list of rules associated with this NAT. Structure is documented below. -
enable_endpoint_independent_mapping- (Optional) Enable endpoint independent mapping. For more information see the official documentation. -
type- (Optional, Beta) Indicates whether this NAT is used for public or private IP translation. If unspecified, it defaults to PUBLIC. IfPUBLICNAT used for public IP translation. IfPRIVATENAT used for private IP translation. Default value isPUBLIC. Possible values are:PUBLIC,PRIVATE. -
auto_network_tier- (Optional) The network tier to use when automatically reserving NAT IP addresses. Must be one of: PREMIUM, STANDARD. If not specified, then the current project-level default tier is used. Possible values are:PREMIUM,STANDARD. -
region- (Optional) Region where the router and NAT reside. -
project- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
The subnetwork block supports:
-
name- (Required) Self-link of subnetwork to NAT -
source_ip_ranges_to_nat- (Required) List of options for which source IPs in the subnetwork should have NAT enabled. Supported values include:ALL_IP_RANGES,LIST_OF_SECONDARY_IP_RANGES,PRIMARY_IP_RANGE. -
secondary_ip_range_names- (Optional) List of the secondary ranges of the subnetwork that are allowed to use NAT. This can be populated only ifLIST_OF_SECONDARY_IP_RANGESis one of the values in sourceIpRangesToNat
The log_config block supports:
-
enable- (Required) Indicates whether or not to export logs. -
filter- (Required) Specifies the desired filtering of logs on this NAT. Possible values are:ERRORS_ONLY,TRANSLATIONS_ONLY,ALL.
-
rule_number- (Required) An integer uniquely identifying a rule in the list. The rule number must be a positive value between 0 and 65000, and must be unique among rules within a NAT. -
description- (Optional) An optional description of this rule. -
match- (Required) CEL expression that specifies the match condition that egress traffic from a VM is evaluated against. If it evaluates to true, the corresponding action is enforced. The following examples are valid match expressions for public NAT: "inIpRange(destination.ip, '1.1.0.0/16') || inIpRange(destination.ip, '2.2.0.0/16')" "destination.ip == '1.1.0.1' || destination.ip == '8.8.8.8'" The following example is a valid match expression for private NAT: "nexthop.hub == 'https://networkconnectivity.googleapis.com/v1alpha1/projects/my-project/global/hub/hub-1'" -
action- (Optional) The action to be enforced for traffic that matches this rule. Structure is documented below.
-
source_nat_active_ips- (Optional) A list of URLs of the IP resources used for this NAT rule. These IP addresses must be valid static external IP addresses assigned to the project. This field is used for public NAT. -
source_nat_drain_ips- (Optional) A list of URLs of the IP resources to be drained. These IPs must be valid static external IPs that have been assigned to the NAT. These IPs should be used for updating/patching a NAT rule only. This field is used for public NAT. -
source_nat_active_ranges- (Optional, Beta) A list of URLs of the subnetworks used as source ranges for this NAT Rule. These subnetworks must have purpose set to PRIVATE_NAT. This field is used for private NAT. -
source_nat_drain_ranges- (Optional, Beta) A list of URLs of subnetworks representing source ranges to be drained. This is only supported on patch/update, and these subnetworks must have previously been used as active ranges in this NAT Rule. This field is used for private NAT.
In addition to the arguments listed above, the following computed attributes are exported:
id- an identifier for the resource with format{{project}}/{{region}}/{{router}}/{{name}}
This resource provides the following Timeouts configuration options:
create- Default is 20 minutes.update- Default is 20 minutes.delete- Default is 20 minutes.
RouterNat can be imported using any of these accepted formats:
projects/{{project}}/regions/{{region}}/routers/{{router}}/{{name}}{{project}}/{{region}}/{{router}}/{{name}}{{region}}/{{router}}/{{name}}{{router}}/{{name}}
In Terraform v1.5.0 and later, use an import block to import RouterNat using one of the formats above. For example:
import {
id = "projects/{{project}}/regions/{{region}}/routers/{{router}}/{{name}}"
to = google_compute_router_nat.default
}When using the terraform import command, RouterNat can be imported using one of the formats above. For example:
$ terraform import google_compute_router_nat.default projects/{{project}}/regions/{{region}}/routers/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{project}}/{{region}}/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{region}}/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{router}}/{{name}}This resource supports User Project Overrides.