
Enable Logging for Cloud NAT Gateways

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that logging is enabled for your Google Cloud NAT gateways in order to log NAT connections and errors for audit and troubleshooting purposes. When logging is enabled, a log entry is generated in two scenarios: when a network connection using NAT is successfully created and when a packet is dropped due to the unavailability of NAT ports.

Security, Operational excellence

Enabling flow logs for Google Cloud NAT gateways provides visibility into network traffic, helping to monitor usage, troubleshoot connectivity issues, detect anomalies, and ensure compliance with security and auditing requirements.


Audit

To determine if logging is enabled for your Cloud NAT gateways, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud NAT console available at https://console.cloud.google.com/net-services/nat.

04 Click on the name (link) of the Cloud NAT gateway that you want to examine, listed in the Gateway name column.

05 Select the DETAILS tab to view the configuration information available for the selected NAT gateway.

06 In the Advanced configurations section, check the Logging attribute value to determine if logging is enabled for your Cloud NAT resource. If Logging is set to No logging, logging is not enabled for the selected Cloud NAT gateway.

07 Repeat steps no. 4 - 6 for each Cloud NAT gateway created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run compute networks list command (Windows/macOS/Linux) with custom output filters to list the name of each VPC network created for the selected GCP project:

gcloud compute networks list \
	--project=cc-project5-123123 \
	--format="value(name)"

04 The command output should return the requested VPC network names:

cc-project5-network
cc-custom-vpc-network

05 Run compute routers list command (Windows/macOS/Linux) to list the name of the Compute Engine router (also known as Cloud Router) created for the specified VPC network. Cloud NAT uses Cloud Routers to group NAT configuration information:

gcloud compute routers list \
	--project=cc-project5-123123 \
	--filter="network:(cc-project5-network)" \
	--format="value(name)"

06 The command output should return the name of the requested Cloud Router:

cc-project5-nat-router

07 Run compute routers nats list command (Windows/macOS/Linux) to list the Cloud NAT gateways deployed for the specified Cloud Router, in the selected VPC network:

gcloud compute routers nats list \
	--project=cc-project5-123123 \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--format="value(name)"

08 The command output should return the name of each NAT gateway deployed for your router:

cc-project5-nat-gateway
cc-web-platfom-nat-gateway

09 Run compute routers nats describe command (Windows/macOS/Linux) to describe the logging feature status for the specified NAT gateway:

gcloud compute routers nats describe cc-project5-nat-gateway \
	--project=cc-project5-123123 \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--format="value(logConfig.enable)"

10 The command output should return the requested logging status (True for enabled, False for disabled; an empty value means logging has never been configured for the gateway and should be treated as disabled):

False

If the compute routers nats describe command output returns False, as shown in the example above, logging is not enabled for the selected Cloud NAT gateway.

11 Repeat steps no. 9 and 10 for each NAT gateway deployed for the selected GCP project.

12 Repeat steps no. 3 – 11 for each GCP project available in your Google Cloud account.

Remediation / Resolution

To ensure that logging is enabled for your Google Cloud NAT gateways, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud NAT console available at https://console.cloud.google.com/net-services/nat.

04 Click on the name (link) of the Cloud NAT gateway that you want to configure, listed in the Gateway name column.

05 Select EDIT to modify the Cloud NAT resource configuration.

06 Choose ADVANCED CONFIGURATIONS, and set Logging to Translation and errors to enable logging for the selected Cloud NAT gateway. Cloud NAT flow logs include two types of logs: Translation logs, which record successful connections where a VM instance initiates traffic that is assigned a Cloud NAT IP and port and reaches the Internet, and Error logs, which capture failed connection attempts when a VM instance sends a packet but the NAT gateway cannot allocate an IP and port due to port exhaustion. The best practice is to collect logs for both successful connections and connection failures. Choose SAVE to apply the configuration changes. Once the logging feature is enabled, all collected logs are sent to Cloud Logging.

07 Repeat steps no. 4 - 6 for each Cloud NAT gateway that you want to configure, available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run compute routers nats update command (Windows/macOS/Linux) to enable logging for the specified Cloud NAT gateway. Cloud NAT flow logs include two types of logs: Translation logs, which record successful connections where a VM instance initiates traffic that is assigned a Cloud NAT IP and port and reaches the Internet, and Error logs, which capture failed connection attempts when a VM instance sends a packet but the NAT gateway cannot allocate an IP and port due to port exhaustion. Set the --log-filter parameter to ALL to collect logs for both successful connections and connection failures (recommended):

gcloud compute routers nats update cc-project5-nat-gateway \
	--project=cc-project5-123123 \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--enable-logging \
	--log-filter=ALL

02 The command output should return the operation status:

Updating nat [cc-project5-nat-gateway] in router [cc-project5-nat-router]...done.

03 Repeat steps no. 1 - 2 for each Cloud NAT gateway that you want to configure, created in the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project available in your Google Cloud account.
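The audit and remediation steps above can be combined into one script that evaluates every NAT gateway behind a Cloud Router and builds the update command for any gateway that does not log both translations and errors. This is an added example, not Conformity's own code; it assumes the JSON shape of gcloud compute routers nats list --format=json (the RouterNat resource, with logConfig.enable and logConfig.filter), and the sample output and the gateway cc-legacy-nat-gateway are constructed for illustration.

```python
import json
import subprocess

# Constructed sample of `gcloud compute routers nats list --format=json` for the router
# used in the steps above. A gateway whose logging was never configured has no logConfig.
SAMPLE_NATS_JSON = json.dumps([
    {"name": "cc-project5-nat-gateway", "logConfig": {"enable": False, "filter": "ALL"}},
    {"name": "cc-web-platfom-nat-gateway", "logConfig": {"enable": True, "filter": "ERRORS_ONLY"}},
    {"name": "cc-legacy-nat-gateway"},  # constructed: logConfig never set
    {"name": "cc-compliant-nat-gateway", "logConfig": {"enable": True, "filter": "ALL"}},
])

def logging_status(nat: dict) -> str:
    """'ALL' when translation and error logs are both collected; otherwise the reason
    the gateway fails the check (disabled, or a partial filter such as ERRORS_ONLY)."""
    cfg = nat.get("logConfig")
    if not cfg or not cfg.get("enable"):
        return "disabled"  # missing logConfig is the same as "No logging" in the console
    return cfg.get("filter", "unset")  # anything other than ALL is flagged for review

def non_compliant(nats_json: str) -> list:
    """(gateway name, reason) for every gateway that does not match the best practice."""
    findings = []
    for nat in json.loads(nats_json):
        status = logging_status(nat)
        if status != "ALL":
            findings.append((nat["name"], status))
    return findings

def fix_command(project: str, region: str, router: str, nat_name: str) -> list:
    """argv for the remediation step, using the same flags as the update command above."""
    return ["gcloud", "compute", "routers", "nats", "update", nat_name,
            f"--project={project}", f"--region={region}", f"--router={router}",
            "--enable-logging", "--log-filter=ALL"]

def audit_router(project: str, region: str, router: str, apply: bool = False) -> list:
    """Query gcloud for the router's NAT gateways; optionally apply the fix to each finding."""
    out = subprocess.run(["gcloud", "compute", "routers", "nats", "list",
                          f"--project={project}", f"--region={region}",
                          f"--router={router}", "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    findings = non_compliant(out)
    for name, status in findings:
        print(f"{name}: logging {status}")
        if apply:
            subprocess.run(fix_command(project, region, router, name), check=True)
    return findings

if __name__ == "__main__":
    for name, status in non_compliant(SAMPLE_NATS_JSON):
        print(f"{name}: logging {status}")
```

Run audit_router("cc-project5-123123", "us-central1", "cc-project5-nat-router") against a real project, or with apply=True to remediate the findings in place.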


Publication date Dec 16, 2024