Google Cloud NAT
A high number of public IP addresses in your network poses a significant security risk. The danger of public IP addresses is also their biggest advantage: anyone can connect to your devices, including people with malicious intent. For this reason, it is a best practice to limit the number of public IP addresses in your network. This is where network address translation (NAT) comes in: it gives your instances outbound access for updates, patching, and so on without an external IP address.
However, setting up a traditional NAT is intricate, requiring you to reserve static IP addresses, create compute instances, and so on. In addition, with a traditional NAT, a NAT proxy instance sits between your cloud instances and their destination. This can create a chokepoint that undermines performance and availability. With Google Cloud NAT, all of this can be avoided.
Cloud NAT is a software-defined solution that lets certain resources without external IP addresses create outbound connections to the internet. It provides outgoing connectivity for Compute Engine VM instances without external IP addresses, private GKE clusters, and, via Serverless VPC Access, Cloud Run instances, Cloud Functions, and App Engine standard environment instances. Cloud NAT’s proxy is designed to overcome the problems encountered by typical proxies. So how is it different from typical proxies?
It is a software-defined, distributed, managed service that is not based on proxy VMs or appliances. Cloud NAT functions like a proxy but with a proxy-less architecture, which gives it advantages in scale and eliminates chokepoints, ensuring low latency and high availability. Cloud NAT also provides source network address translation (SNAT) for VMs without external IP addresses. SNAT is implemented by configuring Andromeda, the software-defined networking stack that powers your VPC network.
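The setup described above, as an added example that is not part of the original article: a Cloud Router is created to act as the NAT control plane, a Cloud NAT gateway with automatically allocated NAT IPs is attached to it, and a VM is created with no external address. The second half is the check a practitioner would want for the point made earlier about limiting public IP addresses: a small filter that reads the output of gcloud compute instances list and reports instances that still carry an external (NAT) IP. The project, region, network, zone and resource names are placeholders, and the gcloud commands are only defined in functions here, not executed; the sample instance listing at the bottom is constructed to mirror the tab-separated output of the --format shown.

```shell
#!/usr/bin/env sh
# Added example, not code from the original article.
# Placeholder values: replace with your own project, region, network and zone.
PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-default}"

# Cloud Router provides the control plane for NAT; the NAT gateway is attached to it.
# Not invoked below: run create_cloud_nat manually after setting the placeholders.
create_cloud_nat() {
  gcloud compute routers create nat-router \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"
  # Auto-allocated NAT IPs let Cloud NAT scale the address pool itself;
  # logging gives you a record of translated connections for detection work.
  gcloud compute routers nats create nat-gateway \
    --project="$PROJECT" --region="$REGION" --router=nat-router \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging
}

# A VM with no external address: outbound traffic leaves through the NAT gateway,
# and nothing on the internet can open a connection to it.
create_private_vm() {
  gcloud compute instances create private-vm \
    --project="$PROJECT" --zone="$ZONE" --network="$NETWORK" --no-address
}

# Lists "<name>\t<natIP>" for every instance; natIP is empty when the VM has no
# external address. Assumed projection, run manually and pipe into find_external_ips.
list_instances_with_nat_ip() {
  gcloud compute instances list --project="$PROJECT" \
    --format='value(name,networkInterfaces[0].accessConfigs[0].natIP)'
}

# Audit filter: prints the name of every instance whose second column (natIP) is set.
find_external_ips() {
  awk -F'\t' '$2 != "" { print $1 }'
}

# Same filter, reduced to a count for dashboards or a CI gate.
count_external_ips() {
  find_external_ips | wc -l | tr -d ' '
}

# Constructed sample of the listing format above (not real instances):
# one VM still has a public IP, two are private.
sample_instances() {
  printf 'web-1\t203.0.113.10\napp-2\t\ndb-3\t\n'
}

# Stand-alone run over the constructed sample; prints "web-1".
sample_instances | find_external_ips
```

Wire list_instances_with_nat_ip into find_external_ips on a real project and fail the pipeline when count_external_ips is above the number of instances you have deliberately exposed, so a VM created with a public address by mistake is caught early.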
Google Cloud NAT benefits
Security: The essence of proxies is to protect your internal network from cybercriminals. Cloud NAT ensures that outside resources cannot directly access any of your instances behind it, keeping your VPCs isolated and secure without using a proxy. Cloud NAT assigns unique NAT IPs and port ranges to your instances, thereby eliminating the need for each of your internal endpoints to have an external IP address.
Scalability: You can configure Cloud NAT to automatically scale the number of NAT IP addresses it uses. Cloud NAT scales seamlessly with the number of instances and the volume of network traffic. Since Cloud NAT assigns unique NAT IPs and does not use proxies, it eliminates the problem of chokepoints, which results in better scalability.
Availability: Like other GCP services, Cloud NAT is a distributed, managed service. It is also software-defined, which makes it independent of the VM instances in your project and of any single physical gateway device. Cloud Router provides the control plane for NAT, where you define and apply your Cloud NAT configuration.
High Performance: Google’s Andromeda SDN implements Cloud NAT, so it does not reduce the network bandwidth available to each VM. Cloud NAT is designed to deliver as much network bandwidth as instances with external IP addresses receive.