Hi Community,
Is there a way to limit a Cloud NAT mapping to a single instance (IP) within a subnet? I am not wanting to open up internet access to the whole subnet and all instances in that subnet, but rather a select few IP addresses within a subnet.
Alternatively, if I can only open up to a whole subnet, what is the best way to limit that traffic on a firewall rule? What deny rule would I put in place?
Thanks for the help.
Is there a way to limit a Cloud NAT mapping to a single instance (IP) within a subnet?
The NAT rules feature lets you create access rules that define how Cloud NAT is used to connect to the internet. NAT rules support source NAT based on destination address.
When you configure a NAT gateway without NAT rules, the VMs using that NAT gateway use the same set of NAT IP addresses to reach all internet addresses. If you need more control over packets that pass through Cloud NAT, you can add NAT rules. A NAT rule defines a match condition and a corresponding action.
More information: Set up and manage Cloud NAT rules
Thank you dasalemi for the information. I will have a look at the NAT rules and see what I can configure.
If wanting to implement a firewall rule to block instances from using the Cloud NAT, would this just be a matter of creating an egress firewall with the instances I want to block being the target, and the destination being the NAT IP used in the Cloud NAT rule?
Thanks
You do not need to create a firewall rule to block instances from using the Cloud NAT, because the NAT rules will only work for the configured IP prefixes.
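As an added example (not from any post in this thread, and not Google's own code), the following script builds the two gcloud commands that together implement what the thread discusses: a Cloud NAT gateway scoped to one named subnet range rather than all subnets, and the egress DENY rule the asker raised for tagged instances that must stay off the internet. A higher-priority egress ALLOW for the internal VPC range is included because a DENY to 0.0.0.0/0 would otherwise also cut VM-to-VM traffic. Every name (project, region, router, NAT, subnet, range name, tag, internal CIDR) is an assumption; commands are printed for review unless RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. All resource names below are assumptions.
# With RUN=1 the commands execute; otherwise they are printed for review.
PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-app-vpc}"
ROUTER="${ROUTER:-nat-router}"
NAT="${NAT:-restricted-nat}"
SUBNET="${SUBNET:-app-subnet}"
NAT_RANGE="${NAT_RANGE:-nat-enabled}"   # assumed secondary range name on the subnet
INTERNAL_CIDR="${INTERNAL_CIDR:-10.0.0.0/8}"   # assumed VPC address space
DENY_TAG="${DENY_TAG:-no-internet}"     # network tag for VMs that must not egress

# 1) NAT gateway attached only to one named range of one subnet (primary or
#    secondary), instead of ALL_SUBNETS_ALL_IP_RANGES. VMs outside that range
#    never get a NAT mapping.
nat_create_cmd() {
  printf '%s\n' "gcloud compute routers nats create $NAT --project=$PROJECT --region=$REGION --router=$ROUTER --nat-custom-subnet-ip-ranges=$SUBNET:$NAT_RANGE --auto-allocate-nat-external-ips"
}

# 2a) Keep internal traffic working for the tagged VMs: allow egress to the VPC
#     range at a priority that beats the deny rule below (lower number wins).
fw_allow_internal_cmd() {
  printf '%s\n' "gcloud compute firewall-rules create allow-internal-egress-$DENY_TAG --project=$PROJECT --network=$NETWORK --direction=EGRESS --action=ALLOW --rules=all --destination-ranges=$INTERNAL_CIDR --target-tags=$DENY_TAG --priority=800"
}

# 2b) Deny all other egress for tagged VMs, so an instance inside a NAT-enabled
#     range still cannot reach the internet through the gateway.
fw_deny_cmd() {
  printf '%s\n' "gcloud compute firewall-rules create deny-internet-egress-$DENY_TAG --project=$PROJECT --network=$NETWORK --direction=EGRESS --action=DENY --rules=all --destination-ranges=0.0.0.0/0 --target-tags=$DENY_TAG --priority=900"
}

run_or_print() {
  if [ "${RUN:-0}" = 1 ]; then
    eval "$1"
  else
    printf 'DRY-RUN: %s\n' "$1"
  fi
}

main() {
  run_or_print "$(nat_create_cmd)"
  run_or_print "$(fw_allow_internal_cmd)"
  run_or_print "$(fw_deny_cmd)"
}

main "$@"
```

Cloud NAT is attached per subnet IP range, not per VM, so the subnet-range option narrows which addresses can be translated at all, and the tagged egress deny is what excludes individual instances inside an enabled range. After applying, confirm with `gcloud compute routers nats describe` that `sourceSubnetworkIpRangesToNat` is `LIST_OF_SUBNETWORKS` and check from a tagged VM that outbound connections time out while internal ones still succeed.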