googleComputeRouterNat
A NAT service created in a router.
To get more information about RouterNat, see:
- API documentation
- How-to Guides
- Google Cloud Router
Example Usage - Router Nat Basic
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeNetworkNet = new google.computeNetwork.ComputeNetwork(
this,
"net",
{
name: "my-network",
}
);
const googleComputeSubnetworkSubnet =
new google.computeSubnetwork.ComputeSubnetwork(this, "subnet", {
ip_cidr_range: "10.0.0.0/16",
name: "my-subnetwork",
network: googleComputeNetworkNet.id,
region: "us-central1",
});
const googleComputeRouterRouter = new google.computeRouter.ComputeRouter(
this,
"router",
{
bgp: [
{
asn: 64514,
},
],
name: "my-router",
network: googleComputeNetworkNet.id,
region: googleComputeSubnetworkSubnet.region,
}
);
new google.computeRouterNat.ComputeRouterNat(this, "nat", {
log_config: [
{
enable: true,
filter: "ERRORS_ONLY",
},
],
name: "my-router-nat",
nat_ip_allocate_option: "AUTO_ONLY",
region: googleComputeRouterRouter.region,
router: googleComputeRouterRouter.name,
source_subnetwork_ip_ranges_to_nat: "ALL_SUBNETWORKS_ALL_IP_RANGES",
});
Example Usage - Router Nat Manual Ips
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeNetworkNet = new google.computeNetwork.ComputeNetwork(
this,
"net",
{
name: "my-network",
}
);
const googleComputeSubnetworkSubnet =
new google.computeSubnetwork.ComputeSubnetwork(this, "subnet", {
ip_cidr_range: "10.0.0.0/16",
name: "my-subnetwork",
network: googleComputeNetworkNet.id,
region: "us-central1",
});
const googleComputeAddressAddress = new google.computeAddress.ComputeAddress(
this,
"address",
{
name: "nat-manual-ip-${count.index}",
region: googleComputeSubnetworkSubnet.region,
}
);
/*In most cases loops should be handled in the programming language context and
not inside of the Terraform context. If you are looping over something external, e.g. a variable or a file input
you should consider using a for loop. If you are looping over something only known to Terraform, e.g. a result of a data source
you need to keep this like it is.*/
googleComputeAddressAddress.addOverride("count", 2);
const googleComputeRouterRouter = new google.computeRouter.ComputeRouter(
this,
"router",
{
name: "my-router",
network: googleComputeNetworkNet.id,
region: googleComputeSubnetworkSubnet.region,
}
);
new google.computeRouterNat.ComputeRouterNat(this, "nat_manual", {
name: "my-router-nat",
nat_ip_allocate_option: "MANUAL_ONLY",
nat_ips: `\${${googleComputeAddressAddress.fqn}.*.self_link}`,
region: googleComputeRouterRouter.region,
router: googleComputeRouterRouter.name,
source_subnetwork_ip_ranges_to_nat: "LIST_OF_SUBNETWORKS",
subnetwork: [
{
name: googleComputeSubnetworkSubnet.id,
source_ip_ranges_to_nat: ["ALL_IP_RANGES"],
},
],
});
Example Usage - Router Nat Rules
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeNetworkNet = new google.computeNetwork.ComputeNetwork(
this,
"net",
{
auto_create_subnetworks: false,
name: "my-network",
}
);
const googleComputeSubnetworkSubnet =
new google.computeSubnetwork.ComputeSubnetwork(this, "subnet", {
ip_cidr_range: "10.0.0.0/16",
name: "my-subnetwork",
network: googleComputeNetworkNet.id,
region: "us-central1",
});
const googleComputeAddressAddr1 = new google.computeAddress.ComputeAddress(
this,
"addr1",
{
name: "nat-address1",
region: googleComputeSubnetworkSubnet.region,
}
);
const googleComputeAddressAddr2 = new google.computeAddress.ComputeAddress(
this,
"addr2",
{
name: "nat-address2",
region: googleComputeSubnetworkSubnet.region,
}
);
const googleComputeAddressAddr3 = new google.computeAddress.ComputeAddress(
this,
"addr3",
{
name: "nat-address3",
region: googleComputeSubnetworkSubnet.region,
}
);
const googleComputeRouterRouter = new google.computeRouter.ComputeRouter(
this,
"router",
{
name: "my-router",
network: googleComputeNetworkNet.id,
region: googleComputeSubnetworkSubnet.region,
}
);
new google.computeRouterNat.ComputeRouterNat(this, "nat_rules", {
enable_endpoint_independent_mapping: false,
name: "my-router-nat",
nat_ip_allocate_option: "MANUAL_ONLY",
nat_ips: [googleComputeAddressAddr1.selfLink],
region: googleComputeRouterRouter.region,
router: googleComputeRouterRouter.name,
rules: [
{
action: [
{
source_nat_active_ips: [
googleComputeAddressAddr2.selfLink,
googleComputeAddressAddr3.selfLink,
],
},
],
description: "nat rules example",
match:
"inIpRange(destination.ip, '1.1.0.0/16') || inIpRange(destination.ip, '2.2.0.0/16')",
rule_number: 100,
},
],
source_subnetwork_ip_ranges_to_nat: "LIST_OF_SUBNETWORKS",
subnetwork: [
{
name: googleComputeSubnetworkSubnet.id,
source_ip_ranges_to_nat: ["ALL_IP_RANGES"],
},
],
});
Argument Reference
The following arguments are supported:
-
name- (Required) Name of the NAT service. The name must be 1-63 characters long and comply with RFC1035. -
natIpAllocateOption- (Required) How external IPs should be allocated for this NAT. Valid values areautoOnlyfor only allowing NAT IPs allocated by Google Cloud Platform, ormanualOnlyfor only user-allocated NAT IP addresses. Possible values aremanualOnlyandautoOnly. -
sourceSubnetworkIpRangesToNat- (Required) How NAT should be configured per Subnetwork. IfallSubnetworksAllIpRanges, all of the IP ranges in every Subnetwork are allowed to Nat. IfallSubnetworksAllPrimaryIpRanges, all of the primary IP ranges in every Subnetwork are allowed to Nat.listOfSubnetworks: A list of Subnetworks are allowed to Nat (specified in the field subnetwork below). Note that if this field contains ALL_SUBNETWORKS_ALL_IP_RANGES or ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, then there should not be any other RouterNat section in any Router for this network in this region. Possible values areallSubnetworksAllIpRanges,allSubnetworksAllPrimaryIpRanges, andlistOfSubnetworks. -
router- (Required) The name of the Cloud Router in which this NAT will be configured.
-
natIps- (Optional) Self-links of NAT IPs. Only valid if natIpAllocateOption is set to MANUAL_ONLY. -
drainNatIps- (Optional) A list of URLs of the IP resources to be drained. These IPs must be valid static external IPs that have been assigned to the NAT. -
subnetwork- (Optional) One or more subnetwork NAT configurations. Only used ifsourceSubnetworkIpRangesToNatis set tolistOfSubnetworksStructure is documented below. -
minPortsPerVm- (Optional) Minimum number of ports allocated to a VM from this NAT. -
maxPortsPerVm- (Optional) Maximum number of ports allocated to a VM from this NAT. This field can only be set when enableDynamicPortAllocation is enabled. -
enableDynamicPortAllocation- (Optional) Enable Dynamic Port Allocation. If minPortsPerVm is set, minPortsPerVm must be set to a power of two greater than or equal to 32. If minPortsPerVm is not set, a minimum of 32 ports will be allocated to a VM from this NAT config. If maxPortsPerVm is set, maxPortsPerVm must be set to a power of two greater than minPortsPerVm. If maxPortsPerVm is not set, a maximum of 65536 ports will be allocated to a VM from this NAT config. Mutually exclusive with enableEndpointIndependentMapping. -
udpIdleTimeoutSec- (Optional) Timeout (in seconds) for UDP connections. Defaults to 30s if not set. -
icmpIdleTimeoutSec- (Optional) Timeout (in seconds) for ICMP connections. Defaults to 30s if not set. -
tcpEstablishedIdleTimeoutSec- (Optional) Timeout (in seconds) for TCP established connections. Defaults to 1200s if not set. -
tcpTransitoryIdleTimeoutSec- (Optional) Timeout (in seconds) for TCP transitory connections. Defaults to 30s if not set. -
tcpTimeWaitTimeoutSec- (Optional) Timeout (in seconds) for TCP connections that are in TIME_WAIT state. Defaults to 120s if not set. -
logConfig- (Optional) Configuration for logging on NAT Structure is documented below. -
rules- (Optional) A list of rules associated with this NAT. Structure is documented below. -
enableEndpointIndependentMapping- (Optional) Specifies if endpoint independent mapping is enabled. This is enabled by default. For more information see the official documentation. -
region- (Optional) Region where the router and NAT reside. -
project- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
The subnetwork block supports:
-
name- (Required) Self-link of subnetwork to NAT -
sourceIpRangesToNat- (Required) List of options for which source IPs in the subnetwork should have NAT enabled. Supported values include:allIpRanges,listOfSecondaryIpRanges,primaryIpRange. -
secondaryIpRangeNames- (Optional) List of the secondary ranges of the subnetwork that are allowed to use NAT. This can be populated only iflistOfSecondaryIpRangesis one of the values in sourceIpRangesToNat
-
enable- (Required) Indicates whether or not to export logs. -
filter- (Required) Specifies the desired filtering of logs on this NAT. Possible values areerrorsOnly,translationsOnly, andall.
-
ruleNumber- (Required) An integer uniquely identifying a rule in the list. The rule number must be a positive value between 0 and 65000, and must be unique among rules within a NAT. -
description- (Optional) An optional description of this rule. -
match- (Required) CEL expression that specifies the match condition that egress traffic from a VM is evaluated against. If it evaluates to true, the corresponding action is enforced. The following examples are valid match expressions for public NAT: "inIpRange(destination.ip, '1.1.0.0/16') || inIpRange(destination.ip, '2.2.0.0/16')" "destination.ip == '1.1.0.1' || destination.ip == '8.8.8.8'" The following example is a valid match expression for private NAT: "nexthop.hub == 'https://networkconnectivity.googleapis.com/v1alpha1/projects/my-project/global/hub/hub-1'" -
action- (Optional) The action to be enforced for traffic that matches this rule. Structure is documented below.
-
sourceNatActiveIps- (Optional) A list of URLs of the IP resources used for this NAT rule. These IP addresses must be valid static external IP addresses assigned to the project. This field is used for public NAT. -
sourceNatDrainIps- (Optional) A list of URLs of the IP resources to be drained. These IPs must be valid static external IPs that have been assigned to the NAT. These IPs should be used for updating/patching a NAT rule only. This field is used for public NAT.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
id- an identifier for the resource with format{{project}}/{{region}}/{{router}}/{{name}}
Timeouts
This resource provides the following Timeouts configuration options:
create- Default is 20 minutes.update- Default is 20 minutes.delete- Default is 20 minutes.
Import
RouterNat can be imported using any of these accepted formats:
$ terraform import google_compute_router_nat.default projects/{{project}}/regions/{{region}}/routers/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{project}}/{{region}}/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{region}}/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{router}}/{{name}}
User Project Overrides
This resource supports User Project Overrides.