
Enable Cloud NAT for Private Subnets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Cloud NAT is enabled for all private VPC subnets that require outbound access. Cloud NAT enables your VMs and container pods to establish outbound connections to the Internet or other Virtual Private Cloud (VPC) networks. It utilizes a Cloud NAT gateway to manage these connections efficiently.

Security
Operational excellence

Enabling Cloud NAT for Google Cloud VPC private subnets ensures that instances without public IPs can securely access the Internet for updates or APIs while complying with strict data privacy regulations. It provides scalable, managed network address translation without exposing instances to inbound traffic, improving security and simplifying network management.


Audit

To determine if Cloud NAT is enabled for your private VPC subnets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to the VPC networks console, available at https://console.cloud.google.com/networking/networks, select the NETWORKS IN CURRENT PROJECT tab, and click on the name (link) of the VPC network that you want to examine.

04 Select the SUBNETS tab, click inside the Filter box, choose Private Google Access and select True, to display the private subnets deployed for the selected VPC network.

05 Choose the private VPC subnet that you want to examine and note the IPv4 address range listed in the Primary IPv4 range column.

06 Navigate to the Cloud NAT console, available at https://console.cloud.google.com/net-services/nat.

07 Click on the name (link) of the Cloud NAT gateway that you want to examine and search for the IPv4 address range noted at step no. 5 in the Source subnets & IP ranges section, under Cloud NAT mapping. If the subnet IP range is not listed in the Source subnets & IP ranges section, the NAT gateway is not associated with your private subnet. Repeat this step for each NAT gateway deployed to the selected GCP project. If no NAT gateway is associated with your private subnet, Cloud NAT is not enabled for the selected VPC subnet.

08 Repeat steps no. 5 – 7 for each private subnet available within the selected VPC network.

09 Repeat steps no. 3 – 8 for each VPC network created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run compute networks list command (Windows/macOS/Linux) with custom output filters to list the name of each VPC network created for the selected GCP project:

gcloud compute networks list \
	--project=cc-project5-123123 \
	--format="value(name)"

04 The command output should return the requested VPC network names:

cc-project5-network
cc-custom-vpc-network

05 Run compute networks subnets list command (Windows/macOS/Linux) with custom output filters to describe the identifier (i.e., full ID) of each subnet created for the specified VPC network:

gcloud compute networks subnets list \
	--network=cc-project5-network \
	--project=cc-project5-123123 \
	--format="default(selfLink,privateIpGoogleAccess)"

06 The command output should return the requested subnet names. A private VPC subnet has the privateIpGoogleAccess attribute set to true, as shown in the example below:

---
privateIpGoogleAccess: true
selfLink: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-001

---
privateIpGoogleAccess: true
selfLink: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-002

---
privateIpGoogleAccess: false
selfLink: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-003

07 Run compute routers list command (Windows/macOS/Linux) to describe the name of the Compute Engine router created for the specified VPC network. Cloud NAT uses Compute Engine routers to group NAT configuration information:

gcloud compute routers list \
	--project=cc-project5-123123 \
	--filter="network:(cc-project5-network)" \
	--format="value(name)"

08 The command output should return the name of the requested Compute Engine router:

cc-project5-router

09 Run compute routers nats list command (Windows/macOS/Linux) to describe the Cloud NAT gateways deployed for the specified Compute Engine router, in the selected VPC network:

gcloud compute routers nats list \
	--region=us-central1 \
	--router=cc-project5-router \
	--project=cc-project5-123123 \
	--format="default(name,subnetworks)"

10 The command output should return the name and the associated VPC subnet of each NAT gateway deployed for your router:

---
name: cc-cloud-ai-nat-gateway
subnetworks:
- name: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-cloud-ai-subnet
  sourceIpRangesToNat:
  - ALL_IP_RANGES

---
name: cc-backend-nat-gateway
subnetworks:
- name: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-backend-subnet
  sourceIpRangesToNat:
  - ALL_IP_RANGES

A comparison of the subnet IDs provided in steps 6 and 10 will indicate whether Cloud NAT is enabled for your private VPC subnets. If no NAT gateway is associated with a private subnet listed in step 6, Cloud NAT is not enabled for that VPC subnet.

11 Repeat steps no. 5 – 10 for each VPC network created for the selected GCP project.

12 Repeat steps no. 3 – 11 for each GCP project available in your Google Cloud account.
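The comparison of steps 6 and 10 can be automated. The script below is an added example, not Conformity's own code: it consumes the JSON form of the two listings (run the step 5 and step 9 commands with --format=json instead of the formats shown) and reports private subnets that no NAT gateway maps. It also goes one step beyond the manual check: a gateway created in one of the ALL_SUBNETWORKS_* source modes lists no subnetworks at all yet covers every subnet of the network in the router's region, so the script reads sourceSubnetworkIpRangesToNat rather than relying on the subnetworks list alone. The sample data is constructed from the page's example names.

```python
import json

# Constructed sample shaped like `gcloud ... --format=json` output and trimmed
# to the fields this check reads; names are taken from the page's examples.
PROJECT = "https://www.googleapis.com/compute/v1/projects/cc-project5-123123"
SUBNETS_JSON = json.dumps([
    {"selfLink": f"{PROJECT}/regions/us-central1/subnetworks/cc-project5-subnet-001",
     "privateIpGoogleAccess": True},
    {"selfLink": f"{PROJECT}/regions/us-central1/subnetworks/cc-project5-subnet-002",
     "privateIpGoogleAccess": True},
    {"selfLink": f"{PROJECT}/regions/us-central1/subnetworks/cc-project5-subnet-003",
     "privateIpGoogleAccess": False},
])
NATS_JSON = json.dumps([
    {"name": "cc-project5-nat-gateway",
     "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
     "subnetworks": [
         {"name": f"{PROJECT}/regions/us-central1/subnetworks/cc-project5-subnet-001",
          "sourceIpRangesToNat": ["ALL_IP_RANGES"]}]},
])


def nat_covered_subnets(nats, region, all_subnet_links):
    """Return the subnet selfLinks that at least one NAT gateway maps.

    ALL_SUBNETWORKS_* gateways carry no subnetworks list but cover every
    subnet of the network in the router's region, so a plain name
    comparison against the step 10 output would report them as missing.
    """
    covered = set()
    for nat in nats:
        mode = nat.get("sourceSubnetworkIpRangesToNat", "LIST_OF_SUBNETWORKS")
        if mode.startswith("ALL_SUBNETWORKS"):
            covered |= {l for l in all_subnet_links if f"/regions/{region}/" in l}
        else:
            covered |= {s["name"] for s in nat.get("subnetworks", [])}
    return covered


def private_subnets_without_nat(subnets_json, nats_json, region):
    """Names of private subnets (privateIpGoogleAccess=true) mapped by no NAT gateway."""
    subnets = json.loads(subnets_json)
    all_links = {s["selfLink"] for s in subnets}
    private = {s["selfLink"] for s in subnets if s.get("privateIpGoogleAccess")}
    missing = private - nat_covered_subnets(json.loads(nats_json), region, all_links)
    return sorted(link.rsplit("/", 1)[-1] for link in missing)


if __name__ == "__main__":
    for name in private_subnets_without_nat(SUBNETS_JSON, NATS_JSON, "us-central1"):
        print(f"Cloud NAT not enabled for private subnet: {name}")
```

Pass the NAT listing of each router in the region together with that region name; subnets whose privateIpGoogleAccess is false are ignored, matching the page's definition of a private subnet.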

Remediation / Resolution

To ensure that Cloud NAT is enabled for all private VPC subnets that require outbound access, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to the Cloud NAT console, available at https://console.cloud.google.com/net-services/nat.

04 Choose CREATE CLOUD NAT GATEWAY and perform the following steps to create a Cloud NAT gateway for your private VPC subnets. If CREATE CLOUD NAT GATEWAY is not available, choose GET STARTED to initiate the setup process:

  1. Provide a unique name for your NAT gateway in the Gateway name box.
  2. For NAT type, select Public.
  3. In the Select Cloud Router section, perform the following actions:
    1. For Network, select the VPC network in which you want to create the NAT gateway.
    2. For Region, set the region for the gateway.
    3. For Cloud Router, select a Cloud Router deployed in the selected region. If there are no Cloud Routers, choose CREATE NEW ROUTER, provide a name and a description for the new router, then choose CREATE to deploy your new router. Cloud NAT uses Cloud Routers to group NAT configuration information.
  4. In the Cloud NAT mapping section, perform the following operations:
    1. For Source endpoint type, choose VM instances, GKE nodes, Serverless.
    2. For Source subnets, choose Custom, and select the private VPC subnets (and the IP ranges to include) from the Subnets section. All VMs from selected subnet IP ranges will be able to access the Internet in a secure way. Use ADD SUBNET AND IP RANGE to add one or more subnets.
    3. For Cloud NAT IP addresses, select Automatic (recommended) to use automatic NAT IP address allocation.
    4. For Network Service Tier, choose whether to use the Premium tier or the Standard tier.
  5. Choose ADVANCED CONFIGURATIONS and configure optional settings such as Logging, Port allocation, and Timeouts for protocol connections.
  6. Choose CREATE to deploy your new NAT gateway and enable Cloud NAT for your private VPC subnets.

05 Repeat step no. 4 for each VPC network available within the selected GCP project.

06 Repeat steps no. 2 – 5 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run compute routers create command (Windows/macOS/Linux) to create a Cloud Router for the specified VPC network. Cloud NAT uses Cloud Routers to group NAT configuration information:

gcloud compute routers create cc-project5-nat-router \
	--region=us-central1 \
	--network=cc-project5-network \
	--project=cc-project5-123123

02 The command output should return the configuration information available for the new Cloud Router:

Creating router [cc-project5-nat-router]...done.

NAME: cc-project5-nat-router
REGION: us-central1
NETWORK: cc-project5-network

03 Run compute routers nats create command (Windows/macOS/Linux) to create a Cloud NAT gateway for your private VPC subnets. Use the --router parameter to specify the Cloud Router created at the previous step. Use the --nat-custom-subnet-ip-ranges parameter to specify the private subnets for which you want to enable Cloud NAT:

gcloud compute routers nats create cc-project5-nat-gateway \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--project=cc-project5-123123 \
	--auto-network-tier=STANDARD \
	--auto-allocate-nat-external-ips \
	--nat-custom-subnet-ip-ranges=cc-project5-subnet-001,cc-project5-subnet-002,cc-project5-subnet-003

04 The command output should return the operation status:

Creating NAT [cc-project5-nat-gateway] in router [cc-project5-nat-router]...done

05 Repeat steps no. 1 – 4 for each VPC network created in the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project available in your Google Cloud account.

Publication date Dec 16, 2024