hands-on lab

Creating Outbound Connections using Google Cloud NAT

Difficulty: Intermediate
Duration: Up to 45 minutes
Students: 48
Rating: 5/5

Description

What is Cloud NAT, and why would you use it?

When you are building applications in GCP, there are many occasions when you do not want the underlying virtual machines (VMs) to be accessible over the public internet. However, you may require the underlying infrastructure to be able to call out to the internet, for example, to install operating system updates. There could be many reasons why you may want to prevent inbound access from the internet, such as:

  • As a security best practice to minimize your attack surface
  • The application is a web service but is still under development and not ready to be exposed to external users
  • The application is a web service but is not configured to use HTTPS
  • The application could be offering services that are only available to other resources within the project
  • Only dedicated connectivity options from business offices or data centers should be used to access the application

To allow VMs without external IP addresses to make outbound connections securely, you should use Cloud NAT. Cloud NAT provides outbound internet access for Compute Engine instances without external IPs as well as other services including private GKE clusters and Cloud Run instances.

In this lab, you will walk through the process of setting up Cloud NAT. This includes creating a Cloud Router that acts as a control plane for Cloud NAT by implementing the routes. Finally, you will create a Compute Engine instance without an external IP to verify the ability to connect to the internet.
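The same three steps expressed with the `gcloud` CLI, as an added example that is not part of the lab's own material. The resource names, the `default` network and the `us-central1` region/zone are assumptions, and the final check assumes SSH through IAP is permitted for the VM.

```shell
#!/bin/sh
# Added example, not the lab's own script. Resource names, network, region
# and zone are assumptions; DRY_RUN=1 (default) only prints the commands.
set -eu

NETWORK="${NETWORK:-default}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
ROUTER="lab-router"; NAT="lab-nat"; VM="lab-private-vm"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to execute against your project

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The Cloud Router comes first: the NAT gateway is configuration attached to it.
create_nat_gateway() {
  run gcloud compute routers create "$ROUTER" --network="$NETWORK" --region="$REGION"
  run gcloud compute routers nats create "$NAT" --router="$ROUTER" --region="$REGION" \
    --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges
}

# --no-address creates the instance without an external IP.
create_private_vm() {
  run gcloud compute instances create "$VM" --zone="$ZONE" --network="$NETWORK" --no-address
}

# Succeeds only when the external-IP field returned by `describe` is empty.
has_no_external_ip() {
  [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Confirms the VM has no external IP, then makes an outbound request from it.
# SSH is tunnelled through IAP because the VM is not reachable from the internet.
verify() {
  ext_ip="$(gcloud compute instances describe "$VM" --zone="$ZONE" \
    --format='get(networkInterfaces[0].accessConfigs[0].natIP)')"
  has_no_external_ip "$ext_ip" || { echo "FAIL: $VM has external IP $ext_ip" >&2; return 1; }
  gcloud compute ssh "$VM" --zone="$ZONE" --tunnel-through-iap \
    --command='curl -sS -o /dev/null -w "%{http_code}\n" https://example.com'
}

create_nat_gateway
create_private_vm
if [ "$DRY_RUN" = "0" ]; then verify; fi
```

An HTTP status code printed by the last command shows that the request left the VM through the NAT gateway.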

Learning Objectives

Upon completion of this lab you will be able to:

  • Connect VMs without external IPs to the internet
  • Connect your Cloud Router to Cloud NAT
  • Secure your backend platforms exposed to the internet

Intended Audience

This lab is intended for:

  • Cloud Network Professionals
  • Cloud Security Professionals

Prerequisites

You should possess:

  • A basic understanding of IP Addressing

Lab steps

  • Signing In to the Google Cloud Console
  • Creating a Cloud Router and NAT Gateway
  • Creating a VM Instance to Verify the Connection