
Use Reserved External IPs for Cloud NAT Gateways


Risk Level: Medium (should be achieved)

Ensure that your Google Cloud NAT gateways are configured to use static reserved external IPs in order to maintain consistent outbound IP addresses, which are critical for services that rely on IP allowlisting, auditing, or compliance.

Operational excellence

In Google Cloud, Reserved External IPs are static IP addresses explicitly allocated and reserved by a user for use with resources like Virtual Machine (VM) instances, load balancers, or other Google Cloud services. Unlike ephemeral external IPs, which are dynamically assigned and can change when a resource is stopped or restarted, reserved external IPs are fixed and persist independently of the lifecycle of the resource they are associated with. Using Reserved External IPs for Google Cloud NAT gateways provides greater control and predictability over the IP addresses used for outbound traffic, enabling easier firewall configuration and allowing for more granular traffic management.


Audit

To determine if your Google Cloud NAT gateways are using reserved external IPs, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud NAT console available at https://console.cloud.google.com/net-services/nat.

04 Click on the name (link) of the Cloud NAT gateway that you want to examine, listed in the Gateway name column.

05 Select the DETAILS tab to view the configuration information available for the selected NAT gateway.

06 In the Cloud NAT mapping section, check the Cloud NAT IP addresses attribute value to identify the static IP addresses that should be used when performing NAT. If there are no static IP addresses listed for Cloud NAT IP addresses and the Allocation type is set to Automatic, the selected Google Cloud NAT gateway is not configured with static reserved external IP addresses.

07 Repeat steps no. 4 – 6 for each Cloud NAT gateway created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run compute networks list command (Windows/macOS/Linux) with custom output filters to list the name of each VPC network created for the selected GCP project:

gcloud compute networks list \
	--project=cc-project5-123123 \
	--format="value(name)"

04 The command output should return the requested VPC network names:

cc-project5-network
cc-custom-vpc-network

05 Run compute routers list command (Windows/macOS/Linux) to list the name of the Compute Engine router (also known as Cloud Router) created for the specified VPC network. Cloud NAT uses Cloud Routers to group NAT configuration information:

gcloud compute routers list \
	--project=cc-project5-123123 \
	--filter="network:(cc-project5-network)" \
	--format="value(name)"

06 The command output should return the name of the requested Cloud Router:

cc-project5-nat-router

07 Run compute routers nats list command (Windows/macOS/Linux) to list the Cloud NAT gateways deployed for the specified Cloud Router, in the selected VPC network:

gcloud compute routers nats list \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--format="value(name)"

08 The command output should return the name of each NAT gateway deployed for your router:

cc-project5-nat-gateway
cc-web-platfom-nat-gateway

09 Run compute routers nats describe command (Windows/macOS/Linux) to describe the static reserved external IP addresses configured for the selected NAT gateway:

gcloud compute routers nats describe cc-project5-nat-gateway \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--format="json(natIps)"

10 The command output should return the static IP addresses that should be used when performing NAT:

null

If the compute routers nats describe command output returns null, as shown in the example above, the selected Cloud NAT gateway is not configured with static reserved external IP addresses.

11 Repeat steps no. 9 and 10 for each NAT gateway deployed for the selected GCP project.

12 Repeat steps no. 3 – 11 for each GCP project available in your Google Cloud account.
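The audit logic from steps 7 – 10, as an added example that is not part of the original Conformity page: it evaluates the JSON that `gcloud compute routers nats list --format=json` returns for one Cloud Router and flags every gateway whose addresses are allocated automatically. The sample document below is constructed for this example; the `natIpAllocateOption` and `natIps` field names are those of the Compute API RouterNat resource.

```python
"""Flag Cloud NAT gateways that do not use static reserved external IPs."""
import json
import subprocess
from typing import Dict, List

# Constructed sample standing in for the output of
# `gcloud compute routers nats list --format=json` on one Cloud Router.
# Names and the address URL are made up for this example.
SAMPLE_NATS_JSON = """[
  {"name": "cc-project5-nat-gateway",
   "natIpAllocateOption": "AUTO_ONLY"},
  {"name": "cc-web-platform-nat-gateway",
   "natIpAllocateOption": "MANUAL_ONLY",
   "natIps": ["https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/addresses/cc-project5-nat-ip"]}
]"""


def uses_reserved_ips(nat: Dict) -> bool:
    """A gateway is compliant only when allocation is MANUAL_ONLY and at
    least one reserved address is listed (natIps is absent or null for
    automatic allocation, which is the `null` the describe command prints)."""
    return nat.get("natIpAllocateOption") == "MANUAL_ONLY" and bool(nat.get("natIps"))


def audit_nats(nats_json: str) -> Dict[str, List[str]]:
    """Split the gateways in a nats-list JSON document into two name lists."""
    result: Dict[str, List[str]] = {"compliant": [], "noncompliant": []}
    for nat in json.loads(nats_json):
        bucket = "compliant" if uses_reserved_ips(nat) else "noncompliant"
        result[bucket].append(nat["name"])
    return result


def list_nats_json(project: str, region: str, router: str) -> str:
    """Fetch the live document; needs an authenticated gcloud on PATH."""
    cmd = ["gcloud", "compute", "routers", "nats", "list",
           f"--project={project}", f"--region={region}",
           f"--router={router}", "--format=json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in list_nats_json(...)
    # for a real router to audit a live project.
    print(json.dumps(audit_nats(SAMPLE_NATS_JSON), indent=2))
```

Run the audit once per Cloud Router found in step 5 to cover every gateway in the project.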

Remediation / Resolution

Using reserved external IPs ensures that traffic is predictable and can be monitored. To configure reserved external IPs for your Google Cloud NAT gateways, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud NAT console available at https://console.cloud.google.com/net-services/nat.

04 Click on the name (link) of the Cloud NAT gateway that you want to configure, listed in the Gateway name column.

05 Select EDIT to modify the Cloud NAT resource configuration.

06 In the Cloud NAT mapping section, perform the following actions:

  1. For Cloud NAT IP addresses, choose Manual.
  2. For Network Service Tier, choose either Standard or Premium. Network Service Tiers enable you to optimize network quality and performance versus cost for your Google Cloud resources. You can create static external IP addresses based on the tier that you have selected at this step.
  3. Click inside the IP address 1 box, choose CREATE IP ADDRESS, provide a name and a description for your new IP address, and choose RESERVE to create a static reserved external IPv4 address for your Cloud NAT gateway.

07 Choose SAVE to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each Cloud NAT gateway that you want to configure, available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run compute addresses create command (Windows/macOS/Linux) to create a static reserved external IPv4 address for your Cloud NAT gateway:

gcloud compute addresses create cc-project5-nat-ip \
	--region=us-central1 \
	--network-tier=STANDARD

02 The command output should return the cloud resource URI:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/addresses/cc-project5-nat-ip].

03 Run compute routers nats update command (Windows/macOS/Linux) to assign the static reserved external IP address created in the previous step to your Google Cloud NAT gateway:

gcloud compute routers nats update cc-project5-nat-gateway \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--nat-external-ip-pool=cc-project5-nat-ip

04 The command output should return the operation status:

Updating nat [cc-project5-nat-gateway] in router [cc-project5-nat-router]...done.

05 Repeat steps no. 1 – 4 for each Cloud NAT gateway that you want to configure, created in the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project available in your Google Cloud account.


Publication date Dec 16, 2024