Routing and NATing on Google Cloud – allowing internet access from a private subnet on GCP
Step 1 – Create an instance in a public subnet (to be later used as a NAT Instance)
gcloud compute instances create nat-gateway \
    --network my-network \
    --can-ip-forward \
    --zone us-central1-a \
    --image-family debian-8 \
    --image-project debian-cloud \
    --tags my-nat-instance
Step 2 – On your Linux NAT instance, configure iptables:
SSH into your gateway instance and configure iptables to NAT internal traffic out to the public internet.
1. Inform the Linux kernel that you want to allow IP forwarding:
    sudo sysctl -w net.ipv4.ip_forward=1
2. Masquerade packets received from internal instances so they appear to be sent from the NAT gateway instance:
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Note that this rule masquerades every packet the instance forwards, so anything with a route through it gets NATed; in practice you should restrict the rule to the private subnet's source range and set a default-deny FORWARD policy.
Step 3 – Create a route to allow all instances running in the private subnet to access the internet.
This route sends all traffic (0.0.0.0/0) from instances tagged “private-instance” in the private subnet through the NAT instance. The --network and --next-hop-instance-zone values must match the network and zone the NAT instance was created in during Step 1, otherwise the route creation fails or the next hop is never reached.
gcloud compute routes create demo-vpc-no-ip-internet-route \
    --network demo-vpc-manual-vpc \
    --destination-range 0.0.0.0/0 \
    --next-hop-instance nat-gateway \
    --next-hop-instance-zone us-east1-b \
    --tags private-instance \
    --priority 800
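As an added example (not from the original post), here is a hardened form of Step 2 as a POSIX shell script: it restricts masquerading to the private subnet's CIDR and sets the FORWARD chain to DROP by default, so the NAT instance does not relay traffic for anything that merely has a route pointing at it. The CIDR 10.10.0.0/24, the function names and the interface name eth0 are assumptions, and the script prints the commands rather than running them so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a restricted NAT ruleset
# for the gateway instance; review it, then apply with: nat_rules 10.10.0.0/24 | sudo sh
set -eu

# Emit the sysctl and iptables commands for one private CIDR (assumed value
# 10.10.0.0/24) on one egress interface (eth0 on a single-NIC GCE instance).
nat_rules() {
  cidr="$1"
  iface="${2:-eth0}"
  # Refuse anything that is not a dotted-quad/prefix, so a typo does not
  # silently turn into an open NAT.
  printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
    echo "refusing to build rules: bad CIDR '$cidr'" >&2
    return 1
  }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s ${cidr} -o ${iface} -j MASQUERADE
iptables -A FORWARD -s ${cidr} -i ${iface} -o ${iface} -j ACCEPT
iptables -A FORWARD -d ${cidr} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Check on the running instance that forwarding really is enabled. The optional
# argument lets a test point at a file other than /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
```

In a custom VPC the NAT instance still needs a firewall rule permitting ingress from the private subnet (typically targeted at the instance's network tag), which the post does not show.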