Latchu@DevOps

Part-60: Google Cloud Networking – Cloud NAT Gateway with Internal-Only VM

In this guide, we’ll set up a Cloud NAT Gateway to provide outbound internet access for a VM that does not have an external IP address.

This is a common use case when you want your VMs to stay private while still being able to download packages, updates, or connect to APIs securely.


🔹 Step 01: Introduction

We’ll perform the following steps:

  1. Create a VM Instance without an External IP
  2. Verify that it cannot access the internet
  3. Create Cloud Router and Cloud NAT Gateway
  4. Verify internet access via Cloud NAT
  5. Clean up resources

🔹 Step 02: Create a VM Instance with Internal-Only IP Address

# Set Project (replace PROJECT_ID with your own project ID; this guide uses gcpdemos)
# gcloud config set project PROJECT_ID
gcloud config set project gcpdemos

# Create VM in mysubnet1 without External IP Address
gcloud compute instances create myvm8-internal-only \
    --zone=us-central1-a \
    --machine-type=e2-micro \
    --network-interface=subnet=mysubnet1,no-address


Connect to the VM:

gcloud compute ssh --zone "us-central1-a" "myvm8-internal-only" --tunnel-through-iap


Test connectivity:

ping stacksimplify.com
ping google.com
sudo apt install -y telnet


Observation: All commands should fail 🚫 because the VM does not have internet access.


🔹 Step 03: Create Cloud Router

Go to Network Connectivity → Cloud Routers → CREATE ROUTER


  • Name: mycloudrouter1
  • Network: vpc2-custom
  • Region: us-central1
  • Routes: Default (Advertise all subnets)

Click CREATE ✅


🔹 Step 04: Create Cloud NAT

Go to Network Services → Cloud NAT → GET STARTED

  • Gateway name: mycloudnat1
  • NAT Type: Public
  • Select Cloud Router: mycloudrouter1
  • Region: us-central1

Cloud NAT mapping:

  • Source endpoint type: VM Instances
  • Source: Primary and Secondary ranges for all subnets
  • Cloud NAT IP Address: Automatic
  • Network Service Tier: Premium

Click CREATE ✅


🔹 Step 05: Verify Internet Access after Cloud NAT

Reconnect to the VM:

gcloud compute ssh --zone "us-central1-a" "myvm8-internal-only" --tunnel-through-iap

Run connectivity tests (wait 2–3 mins after NAT creation):

ping google.com
sudo apt install -y apache2

Observation: All should succeed ✅.

The VM now has internet access via Cloud NAT Gateway even without a public IP.

Check external IP used by NAT:
👉 Go to VPC Networks → IP Addresses
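
The check in Steps 02 and 05 can be repeated across a whole project. The following Python is an added example, not part of the original post: it labels each VM network interface as having an external IP, being private behind a Cloud NAT gateway, or being private with no gateway. It assumes input shaped like `gcloud compute instances list --format=json` and `gcloud compute routers list --format=json`, and it generalizes beyond this guide's "all subnets" mapping to gateways scoped to listed subnets. The `demo-*` entries and the address `203.0.113.10` are constructed sample values.

```python
# Constructed sample data, reduced to the fields used below. Names starting
# with demo- are hypothetical; the others are the ones used in this guide.
P = "https://www.googleapis.com/compute/v1/projects/gcpdemos"
NET = P + "/global/networks/vpc2-custom"
SUB1 = P + "/regions/us-central1/subnetworks/mysubnet1"
SUB_EAST = P + "/regions/us-east1/subnetworks/demo-subnet-east"
INSTANCES = [
    {"name": "myvm8-internal-only", "networkInterfaces": [{"network": NET, "subnetwork": SUB1}]},
    {"name": "demo-public-vm", "networkInterfaces": [
        {"network": NET, "subnetwork": SUB1, "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "demo-east-vm", "networkInterfaces": [{"network": NET, "subnetwork": SUB_EAST}]},
]
ROUTERS = [{
    "name": "mycloudrouter1", "network": NET, "region": P + "/regions/us-central1",
    "nats": [{"name": "mycloudnat1", "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES"}],
}]

def nat_for(nic, routers):
    """Name of the Cloud NAT gateway that translates this NIC's primary range, else None."""
    region = nic["subnetwork"].split("/subnetworks/")[0]  # .../regions/<region>
    for router in routers:
        # A gateway only serves subnets in its own VPC network and region.
        if router["network"] != nic["network"] or router["region"] != region:
            continue
        for nat in router.get("nats", []):
            if nat["sourceSubnetworkIpRangesToNat"].startswith("ALL_SUBNETWORKS"):
                return nat["name"]
            for sub in nat.get("subnetworks", []):  # LIST_OF_SUBNETWORKS mode
                ranges = sub.get("sourceIpRangesToNat", [])
                if sub["name"] == nic["subnetwork"] and (
                        "ALL_IP_RANGES" in ranges or "PRIMARY_IP_RANGE" in ranges):
                    return nat["name"]
    return None

def classify(instance, routers):
    """One label per NIC: external-ip, private+nat:<gateway>, or private-no-nat."""
    labels = []
    for nic in instance["networkInterfaces"]:
        if nic.get("accessConfigs"):  # access config present: NIC has an external IPv4 mapping
            labels.append("external-ip")
        elif (nat := nat_for(nic, routers)) is not None:
            labels.append("private+nat:" + nat)
        else:
            labels.append("private-no-nat")
    return labels

if __name__ == "__main__":
    for vm in INSTANCES:
        print(vm["name"], classify(vm, ROUTERS))
```

A `private-no-nat` result only means no Cloud NAT gateway covers the interface; the VM may still reach services by other routes not modelled here.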


🔹 Step 06: Cleanup

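# Delete VM
gcloud compute instances delete myvm8-internal-only --zone=us-central1-a --delete-disks=all

# Delete Cloud NAT Gateway and Cloud Router
gcloud compute routers nats delete mycloudnat1 --router=mycloudrouter1 --region=us-central1
gcloud compute routers delete mycloudrouter1 --region=us-central1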

Or via Console:

Network Services → Cloud NAT → Delete mycloudnat1
Network Connectivity → Cloud Routers → Delete mycloudrouter1