Set up a NAT Gateway
Introduction
In order for NNM to monitor virtual machine instances in a Google Compute Engine network, NNM must run on a virtual machine instance that functions as a network address translation (NAT) gateway. A NAT gateway instance routes traffic from internal-only virtual machine instances to the Internet. An NNM installed on a NAT gateway has visibility into the hostnames and private IP addresses of the internal virtual machine instances, because it sees their packets before the NAT gateway masquerades the source IP address and forwards them to the Internet.
This guide shows how to set up a NAT gateway in a Google Compute Engine legacy network. Adjust the network ranges if you are using a subnetwork.
Before You Begin
Follow the instructions on setting up a Google Cloud Platform project.
Steps
-
Create a Compute Engine network to host your virtual machine instances. In this example, the legacy network range used is 10.240.0.0/16 with a gateway of 10.240.0.1. You can select your own IPv4 range and gateway addresses as needed. You can also create a subnetwork instead.
If you want to use the default network, you can skip this step and replace gce-network in the examples below with default.
$ gcloud compute networks create gce-network --range 10.240.0.0/16 --mode=legacy
Created [https://www.googleapis.com/compute/v1/projects/nnm-example-project/global/networks/gce-network].
NAME MODE IPV4_RANGE GATEWAY_IPV4
gce-network legacy 10.240.0.0/16 10.240.0.1
Instances on this network will not be reachable until firewall rules are created. For example, you can allow all internal traffic between instances, as well as SSH, RDP, and ICMP, by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network gce-network --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network gce-network --allow tcp:22,tcp:3389,icmp
-
Create firewall rules to allow SSH connections in the new network you just created.
$ gcloud compute firewall-rules create gce-network-allow-ssh --allow tcp:22 --network gce-network
Created [https://www.googleapis.com/compute/v1/projects/nnm-example-project/global/firewalls/gce-network-allow-ssh].
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
gce-network-allow-ssh gce-network 0.0.0.0/0 tcp:22
-
Create firewall rules to allow TCP, UDP, and ICMP traffic within the new network you just created.
$ gcloud compute firewall-rules create gce-network-allow-internal --allow tcp:1-65535,udp:1-65535,icmp --source-ranges 10.240.0.0/16 --network gce-network
Created [https://www.googleapis.com/compute/v1/projects/nnm-example-project/global/firewalls/gce-network-allow-internal].
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
gce-network-allow-internal gce-network 10.240.0.0/16 tcp:1-65535,udp:1-65535,icmp
-
Create a virtual machine instance to act as a NAT gateway on the gce-network or the default network. In this example, a CentOS 6 virtual machine is created.
Note: If you choose a different image to install on your NAT gateway virtual machine, make sure that it's a platform that NNM supports.
For the following examples, use the zone name that was chosen when setting up the Google Cloud Platform project.
$ gcloud compute instances create nat-gateway --network gce-network --can-ip-forward --zone us-east1-b --image centos-6 --tags nat
Created [https://www.googleapis.com/compute/v1/projects/nnm-example-project/zones/us-east1-b/instances/nat-gateway].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
nat-gateway us-east1-b n1-standard-1 10.240.0.2 104.xxx.xxx.xxx RUNNING
-
Tag any existing virtual machine instances without an external IP address that will use the gateway instance with the no-ip tag, or create a new virtual machine without an external IP address and tag it no-ip.
# Add tags to an existing instance ...
$ gcloud compute instances add-tags existing-instance --tags no-ip
Updated [https://www.googleapis.com/compute/v1/projects/nnm-example-project/zones/us-east1-b/instances/existing-instance].
# Or create a new virtual machine without an external IP address
$ gcloud compute instances create example-instance --network gce-network --no-address --zone us-east1-b --image centos-6 --tags no-ip
Created [https://www.googleapis.com/compute/v1/projects/nnm-example-project/zones/us-east1-b/instances/example-instance].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
example-instance us-east1-b n1-standard-1 10.240.0.3 RUNNING
-
Create a route to send traffic destined to the Internet through your gateway instance.
$ gcloud compute routes create no-ip-internet-route --network gce-network --destination-range 0.0.0.0/0 --next-hop-instance nat-gateway --next-hop-instance-zone us-east1-b --tags no-ip --priority 800
Created [https://www.googleapis.com/compute/v1/projects/nnm-example-project/global/routes/no-ip-internet-route].
NAME NETWORK DEST_RANGE NEXT_HOP PRIORITY
no-ip-internet-route gce-network 0.0.0.0/0 us-east1-b/instances/nat-gateway 800
Setting the priority of this route ensures that it takes precedence over any conflicting routes. The default priority is 1000, and a lower value takes precedence.
-
Log in to your NAT gateway instance.
$ gcloud compute ssh nat-gateway --zone us-east1-b
-
Once logged into your NAT gateway instance, configure iptables.
user@nat-gateway:~$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
user@nat-gateway:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The first sudo command tells the kernel to allow IP forwarding. The second masquerades packets received from internal instances so that they appear to originate from the NAT gateway instance.
Tip: Consider saving these commands in a startup script, because these settings do not persist if the instance is rebooted.
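The following script is an added example for the procedure above; it is not part of the original guide or Tenable's own tooling. Run from the admin workstation, "install" renders a startup script that re-applies the ip_forward and MASQUERADE settings on every boot (the persistence the tip asks for) and attaches it to the gateway with gcloud's --metadata-from-file startup-script= flag; "check" verifies the settings that steps 4 to 6 depend on. It assumes the guide's instance, route and zone names, assumes eth0 is the gateway's external interface, and relies on gcloud's --format=value() projections. The assumed file name nat-startup.sh and the rendered script's restriction of MASQUERADE to the internal range are choices of this example, not of the guide.

```shell
#!/bin/sh
# Added example (not from the original guide). Usage:
#   sh nat-gateway-setup.sh install   # render + attach the startup script
#   sh nat-gateway-setup.sh check     # verify can-ip-forward, no-ip tags, route
# Assumptions: guide's names/zone, eth0 as external interface, gcloud on PATH.
set -eu

ZONE="${ZONE:-us-east1-b}"
NAT_INSTANCE="${NAT_INSTANCE:-nat-gateway}"
ROUTE="${ROUTE:-no-ip-internet-route}"
INTERNAL_RANGE="${INTERNAL_RANGE:-10.240.0.0/16}"
EXT_IF="${EXT_IF:-eth0}"

# Emit the startup script. GCE runs the startup-script metadata key on each
# boot, so every step in it must be safe to repeat.
render_startup_script() {
    printf '#!/bin/sh\n# NAT gateway startup script (rendered by nat-gateway-setup.sh).\n'
    printf 'INTERNAL_RANGE=%s\nEXT_IF=%s\n' "$INTERNAL_RANGE" "$EXT_IF"
    cat <<'EOF'
set -e
# Let the kernel forward IPv4 packets (same effect as echo 1 > /proc/sys/net/ipv4/ip_forward).
sysctl -w net.ipv4.ip_forward=1
# Masquerade only packets from the internal range leaving via the external
# interface. -C tests whether the rule already exists, so a rerun on reboot
# never appends a duplicate rule.
iptables -t nat -C POSTROUTING -s "$INTERNAL_RANGE" -o "$EXT_IF" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -s "$INTERNAL_RANGE" -o "$EXT_IF" -j MASQUERADE
EOF
}

# Attach the rendered script as instance metadata; it takes effect on the next boot.
install_startup_script() {
    render_startup_script > nat-startup.sh
    gcloud compute instances add-metadata "$NAT_INSTANCE" --zone "$ZONE" \
        --metadata-from-file startup-script=nat-startup.sh
}

# Without --can-ip-forward, GCE drops packets the gateway did not originate.
check_ip_forward() {
    fwd=$(gcloud compute instances describe "$NAT_INSTANCE" --zone "$ZONE" \
              --format='value(canIpForward)')
    [ "$fwd" = "True" ]
}

# An instance tagged no-ip that still has an external address reaches the
# Internet directly, bypassing the gateway and NNM's view of its traffic.
check_no_ip_instances() {
    gcloud compute instances list --filter='tags.items=no-ip' \
        --format='value(name,networkInterfaces[0].accessConfigs[0].natIP)' |
    while IFS="$(printf '\t')" read -r name natip; do
        if [ -n "$natip" ]; then
            echo "$name is tagged no-ip but has external IP $natip" >&2
            exit 1
        fi
    done
}

# The route must beat the default route (priority 1000) and point at the gateway.
check_route() {
    prio=$(gcloud compute routes describe "$ROUTE" --format='value(priority)')
    hop=$(gcloud compute routes describe "$ROUTE" --format='value(nextHopInstance)')
    [ "$prio" -lt 1000 ] || return 1
    case "$hop" in
        */instances/"$NAT_INSTANCE") return 0 ;;
        *) return 1 ;;
    esac
}

run_checks() {
    rc=0
    check_ip_forward      || { echo "FAIL: $NAT_INSTANCE lacks canIpForward" >&2; rc=1; }
    check_no_ip_instances || rc=1
    check_route           || { echo "FAIL: $ROUTE priority or next hop" >&2; rc=1; }
    return $rc
}

case "${1:-}" in
    install) install_startup_script ;;
    check)   run_checks ;;
esac
```

After "install", the settings apply on the gateway's next boot; to apply them immediately, run the two commands from the step above once over SSH. Limiting the MASQUERADE rule to the internal range means the gateway rewrites only traffic that actually comes from the internal instances, and the -C check keeps the nat table from accumulating one rule per reboot.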