NAT Gateway
Definition
A Network Address Translation (NAT) gateway lets resources in private subnets make outbound connections to the internet while blocking inbound connections initiated from the internet.
Use Cases
- Spotify: Allow private workloads to call external APIs and download packages while keeping compute instances off the public internet. — Runs services on Google Cloud with private IPs in a VPC and uses Cloud NAT for controlled outbound internet access; egress is routed through Cloud NAT rather than assigning public IPs to instances. (Reduced public exposure of workloads while preserving the ability to reach external services for updates, dependency downloads, and third-party API calls.)
- The Home Depot: Enable private application tiers to access external SaaS endpoints and software repositories without opening inbound access. — Uses Google Cloud VPC private subnets for application workloads and provides outbound internet connectivity through Cloud NAT so instances do not require external IP addresses. (Improved security posture by minimizing public IP usage and simplifying outbound access management for private workloads.)
Provider Equivalents
- AWS: NAT Gateway
- Azure: NAT Gateway
- GCP: Cloud NAT
- OCI: NAT Gateway
Frequently Asked Questions
- What's the difference between Cloud NAT and a public IP on a VM?
  - A public IP gives a VM a direct internet-facing address, which can allow inbound connections if firewall rules permit. Cloud NAT lets a VM keep only a private IP while still making outbound connections to the internet; unsolicited inbound connections from the internet cannot reach the VM through Cloud NAT.
- When should I use Cloud NAT?
  - Use Cloud NAT when your workloads should not be directly reachable from the internet but still need outbound access—for example, to download OS updates, pull container images, install packages, call external APIs, or send logs/metrics to external endpoints. It’s also useful when you want to reduce the number of public IPs and centralize outbound egress through a managed service.
- How much does Cloud NAT cost?
  - Cloud NAT pricing is based on two main factors: (1) the number of NAT gateway resources you configure and (2) the amount of data processed for NAT (egress). You also pay for the external IP addresses used by Cloud NAT (auto-allocated or reserved) and standard network egress charges for traffic leaving Google Cloud. Exact rates vary by region and change over time, so confirm with the current Google Cloud pricing page for Cloud NAT and network egress.
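To check the public-IP versus Cloud NAT distinction from the FAQ against a real project, the following added example (not from the original page) audits the JSON that `gcloud compute instances list --format=json` returns and flags VMs that hold, or will receive on start, an external IPv4 address. The sample records, project name and addresses are constructed, and only IPv4 access configs are inspected.

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`.
# Names and zones are made up; 203.0.113.0/24 is a documentation-only range.
ZONE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
SAMPLE = json.loads("""[
 {"name": "api-1", "zone": "%(z)sus-central1-a", "networkInterfaces": [
   {"networkIP": "10.0.1.5",
    "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
 {"name": "worker-1", "zone": "%(z)sus-central1-a", "networkInterfaces": [
   {"networkIP": "10.0.2.7"}]},
 {"name": "batch-1", "zone": "%(z)sus-central1-b", "networkInterfaces": [
   {"networkIP": "10.0.2.9",
    "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT"}]}]}
]""" % {"z": ZONE})

def classify(instance):
    """Return (status, external_addresses) for one instance record."""
    addrs, unassigned = [], False
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                addrs.append(cfg["natIP"])   # directly internet-facing address
            else:
                unassigned = True            # config present, no address right now
    if addrs:
        # An interface with its own external IP egresses through that IP, not Cloud NAT.
        return "external-ip", addrs
    if unassigned:
        # For example a stopped VM with an ephemeral IP: it gets an address on start.
        return "external-ip-on-start", []
    return "private-only", []                # outbound access depends on Cloud NAT

def audit(instances):
    """Map 'zone/name' to its classification."""
    report = {}
    for inst in instances:
        zone = inst.get("zone", "").rsplit("/", 1)[-1]
        report[f"{zone}/{inst['name']}"] = classify(inst)
    return report

def findings(instances):
    """Instances that are not private-only, sorted for stable output."""
    return sorted(k for k, (status, _) in audit(instances).items()
                  if status != "private-only")

if __name__ == "__main__":
    for key, (status, addrs) in sorted(audit(SAMPLE).items()):
        print(f"{key:26} {status:22} {', '.join(addrs)}")
```

Instances reported as `private-only` are the ones whose outbound connectivity relies on a Cloud NAT gateway being configured for their subnet.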
Category: networking
Difficulty: advanced