Configure Cloud NAT gateways with IP allocation, port ranges, and logging.
Last verified: May 2026
Required Fields
natName, router, region, natIpAllocateOption, minPortsPerVm
Example scenario: your team's GKE cluster is hitting 'connection refused' errors when calling a partner's REST API. Investigation reveals that the cluster has 200 nodes, each running 30 pods, all calling the same partner: that's 6,000 concurrent connections, exceeding the 64K port limit on a single auto-allocated NAT IP after factoring in port reservation. The builder helps you allocate 4 static NAT IPs (giving 256K total ports), update the partner allowlist with the 4 IPs, and configure dynamic port allocation. Connection errors stop within 2 minutes of deploy.
The GCP Cloud NAT Config Builder helps you configure Cloud NAT gateways for providing outbound internet connectivity to private GCP resources. Cloud NAT enables VMs without external IP addresses, GKE nodes, and serverless VPC access connectors to reach the internet for software updates, API calls, and other outbound traffic. This tool guides you through selecting subnets, IP allocation, port allocation, and logging settings to generate the NAT gateway configuration.
The builder constructs a Cloud NAT gateway resource with: name, region, router (Cloud Router association), nat_ip_allocate_option (AUTO_ONLY or MANUAL_ONLY), nat_ips (when manual), source_subnetwork_ip_ranges_to_nat (ALL or LIST_OF_SUBNETWORKS), subnet selections, port allocation (min_ports_per_vm, max_ports_per_vm, enable_dynamic_port_allocation), and logging config. Output is gcloud compute routers nats create commands and Terraform google_compute_router_nat resources.
Static IP allocation is mandatory if any external system needs to allowlist your outbound traffic (third-party APIs, partner integrations, IP-based authentication). Auto-allocated NAT IPs change unpredictably, breaking allowlists. Always allocate at least 2 static IPs for redundancy.
Each NAT IP supports ~64K concurrent connections (port mapping limit). For services with many concurrent outbound connections — high-fanout API gateways, web crawlers — calculate `peak concurrent connections / 64K = required NAT IPs`. Running out of ports causes silent connection failures that look like 'random network errors'.
Endpoint-Independent Mapping (EIM) keeps the same NAT IP+port mapping per source instance for the same destination IP+port. Required for STUN/TURN, P2P apps, and certain VoIP. Without EIM, NAT will rotate ports and break those protocols. EIM is opt-in — enable explicitly when needed.
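The following is an added example, not the builder's own code, that ties together the three rules above: it sizes the static NAT IP pool from the peak-connections formula (with the two-IP redundancy floor), validates the port and EIM settings before rendering, and emits both the gcloud command and the Terraform google_compute_router_nat resource the builder describes. The gcloud flags and Terraform attribute names are the real ones; the port-per-IP constant (64,512 usable ports, the page's "~64K"), the rule that dynamic port allocation cannot be combined with EIM, and the power-of-two requirement on port counts under dynamic allocation are Cloud NAT constraints stated here from the author's knowledge, not from the page. All names and numbers in the sample run are constructed.

```python
"""Added example (not the builder's code): size NAT IPs and render the config."""
import math
from dataclasses import dataclass, field
from typing import List, Optional

PORTS_PER_NAT_IP = 64512  # usable ports 1024..65535 per NAT IP (the page's ~64K)
LOG_FILTERS = {"ERRORS_ONLY", "TRANSLATIONS_ONLY", "ALL"}


def required_nat_ips(peak_connections: int, redundancy_min: int = 2) -> int:
    """Page formula: peak concurrent connections / ~64K, rounded up, and never
    below the page's floor of two static IPs for redundancy."""
    if peak_connections <= 0:
        raise ValueError("peak_connections must be positive")
    return max(redundancy_min, math.ceil(peak_connections / PORTS_PER_NAT_IP))


def is_power_of_two(n: int) -> bool:
    return n > 0 and n & (n - 1) == 0


@dataclass
class NatConfig:
    name: str
    router: str
    region: str
    nat_ips: List[str] = field(default_factory=list)  # reserved static IPs; empty => AUTO_ONLY
    min_ports_per_vm: int = 64
    max_ports_per_vm: Optional[int] = None
    dynamic_port_allocation: bool = False
    endpoint_independent_mapping: bool = False  # opt-in; needed for STUN/TURN-style traffic
    log_filter: Optional[str] = None  # None => logging off

    def validate(self) -> None:
        for f in ("name", "router", "region"):
            if not getattr(self, f):
                raise ValueError(f"{f} is required")
        # Cloud NAT constraint (author's knowledge): dynamic port allocation needs EIM off.
        if self.dynamic_port_allocation and self.endpoint_independent_mapping:
            raise ValueError("dynamic port allocation cannot be combined with EIM")
        if self.dynamic_port_allocation:
            ports = [self.min_ports_per_vm] + ([self.max_ports_per_vm] if self.max_ports_per_vm else [])
            if not all(is_power_of_two(p) for p in ports):
                raise ValueError("with dynamic port allocation, port counts must be powers of two")
        if self.max_ports_per_vm is not None and self.max_ports_per_vm < self.min_ports_per_vm:
            raise ValueError("max_ports_per_vm must be >= min_ports_per_vm")
        if self.log_filter is not None and self.log_filter not in LOG_FILTERS:
            raise ValueError(f"log_filter must be one of {sorted(LOG_FILTERS)}")

    def gcloud(self) -> str:
        """Render the `gcloud compute routers nats create` command for this config."""
        self.validate()
        args = [f"gcloud compute routers nats create {self.name}",
                f"--router={self.router}", f"--region={self.region}",
                "--nat-all-subnet-ip-ranges"]
        if self.nat_ips:
            args.append("--nat-external-ip-pool=" + ",".join(self.nat_ips))
        else:
            args.append("--auto-allocate-nat-external-ips")
        args.append(f"--min-ports-per-vm={self.min_ports_per_vm}")
        if self.max_ports_per_vm is not None:
            args.append(f"--max-ports-per-vm={self.max_ports_per_vm}")
        if self.dynamic_port_allocation:
            args.append("--enable-dynamic-port-allocation")
        if self.endpoint_independent_mapping:
            args.append("--enable-endpoint-independent-mapping")
        if self.log_filter:
            args += ["--enable-logging", f"--log-filter={self.log_filter}"]
        return " \\\n    ".join(args)

    def terraform(self) -> str:
        """Render the google_compute_router_nat resource for this config."""
        self.validate()
        manual = bool(self.nat_ips)
        lines = [f'resource "google_compute_router_nat" "{self.name}" {{',
                 f'  name   = "{self.name}"', f'  router = "{self.router}"',
                 f'  region = "{self.region}"',
                 f'  nat_ip_allocate_option = "{"MANUAL_ONLY" if manual else "AUTO_ONLY"}"',
                 '  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"']
        if manual:
            # Terraform expects the reserved addresses' self_links here; names shown for brevity.
            lines.append("  nat_ips = [" + ", ".join(f'"{ip}"' for ip in self.nat_ips) + "]")
        lines.append(f"  min_ports_per_vm = {self.min_ports_per_vm}")
        if self.max_ports_per_vm is not None:
            lines.append(f"  max_ports_per_vm = {self.max_ports_per_vm}")
        lines.append(f"  enable_dynamic_port_allocation = {str(self.dynamic_port_allocation).lower()}")
        lines.append(f"  enable_endpoint_independent_mapping = {str(self.endpoint_independent_mapping).lower()}")
        if self.log_filter:
            lines += ["  log_config {", "    enable = true", f'    filter = "{self.log_filter}"', "  }"]
        lines.append("}")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: 6,000 peak connections, static IPs for an allowlist, errors logged.
    n = required_nat_ips(6_000)
    cfg = NatConfig(name="gke-egress-nat", router="egress-router", region="us-central1",
                    nat_ips=[f"nat-ip-{i}" for i in range(1, n + 1)],
                    min_ports_per_vm=64, max_ports_per_vm=4096,
                    dynamic_port_allocation=True, log_filter="ERRORS_ONLY")
    print(cfg.gcloud())
    print(cfg.terraform())
```

The validation step is where the practical value sits: the "silent" port-exhaustion failures on the page are easier to avoid when the port budget is computed up front, and the EIM/dynamic-allocation conflict is caught before `gcloud` or `terraform apply` rejects the request.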
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.