Configuring Private Google Access and Cloud NAT in Google Cloud Platform (GCP)

5 min readJan 4, 2024

Configuring Private Google Access and Cloud NAT in Google Cloud Platform (GCP) can be achieved through a series of steps. Here’s a breakdown of the process:

Go to Firewall in the left pane > Create Firewall Rule
Specify following details:
Name: default-allow-ssh
Network: private-network
Targets: All Instances in the network
Source Filter: Ipv4 ranges
Source ipv4 ranges: 0.0.0.0/0
Protocols and ports: Specified protocols and ports
For TCP, specify port 22
Click Create

2. Creating a private VM instance:

Deploy a VM instance: Launch your virtual machine within the VPC network, but choose “None” for the external IP address option. This keeps your VM private and only accessible via the Cloud NAT gateway.
Navigation menu > Compute Engine > VM Instances > Create Instances
Specify following details:
Name: taurus
Region: us-central1
Zone: us-central1-a
Machine Type: e2-medium(2 vCPU, 1 core, 4GB Memory)
Advance Options > Networking > Network Interfaces > Edit
Specify Following Details:
Network: private-network
Sub-network: private-net
External IPv4 address: None

Click Done > Click Create
Return back to VM Instances and verify that there is no external IP

3. Creating the Bastion host (optional):

Deploy a bastion host: This dedicated VM allows secure SSH access to your private network through a public IP address. It acts as a jump box, forwarding connections to the internal VM instance via the Cloud NAT gateway.
VM instances > Create instance
Specify Following Details:
Name: Orion
Region: us-central1
Zone: us-central1-a
Machine type: e2-micro(2vCPU)
Identity and API access > Access scopes
Set access for each API
Compute Engine > Read Write
Click Networking > Network interfaces

Specify following information:
Network: private-network
Sub-network: private-net
External IPv4 address: Ephemeral
Click Done > Click Create

Enable private Google access

Virtual machine instances without external IP addresses can leverage Private Google Access to connect to external IP addresses associated with Google APIs and services. By default, a VPC network has Private Google Access disabled.

1.Create a Cloud Storage bucket

Navigate to the Cloud Console, click on the Navigation menu (Navigation menu icon), then select Cloud Storage > Bucket > Create
Define the following parameters, and retain the default settings for the remaining configurations:
Bucket Name: Scorpius(globally unique name)
Default Storage class: Multi-Regional
Click Create
Copy an image from a public Cloud Storage bucket to your own bucket.

Run the following command in Cloud Shell:

gsutil cp gs://cloud-training/gcpnet/private/access.png gs://scorpius

In the Cloud Console, select the “Refresh Bucket” option to confirm the successful copy of the image. For a demonstration of how Private Google Access is implemented, simply click on the image’s name within the Cloud Console.

2. Access the image from your VM instances:

In the Cloud Console, on the Navigation menu (Navigation menu icon), click Compute Engine > VM instances.

For Orion, click SSH to launch a terminal and connect.
gsutil cp gs://scorpius/*.png .
gcloud compute ssh taurus — zone=us-central1-a — internal-ip
gsutil cp gs://scorpius/*.png .

(You must receive a error as Private google access for taurus is disabled)
Hit Ctrl+C to terminate the process if running.
Close the terminal using Exit.

3. Enable private Google access

Come back to Google Cloud Console.
In navigation menu click VPC Network > VPC networks
Click private-network > private-net to select the subnet
Click Edit > Turn on Private Google access > Save
Now the Private Google Access Is Enabled!

Return to the tab of VM Instances.

Connect to VM Orion using ssh & connect to Taurus VM using: gcloud compute ssh taurus — zone=us-central1-a — internal-ip

Enter Y if prompted
Copy image to instance taurus using: gsutil cp gs://scorpius]/*.png .

Now this bucket will be successfully copied as you have enabled the private google access.

Configure a Cloud Nat Gateway

Type Exit on taurus to return back to Orion VM.
Update the instance using: sudo apt-get update

This will execute completely as instance Orion has an External IP Address

Connect to taurus instance using the command given above.
Enter Y if prompted.
Update taurus using: sudo apt-get update

This will only work for Google Cloud Packages as only Google APIs and Services are enabled for taurus.

Configure a Cloud NAT Gateway

Return to Google Cloud Console
Navigation menu > Network Services > Cloud NAT > Get Started
Enter following information:
Gateway-name: bridge
VPC Network: Private Network
Region: us-central1-a
In Cloud Router, Create New Router
Name: bridge-router
Click Create. The Gateway Status will be Running soon.

Return Back to VM Instances. SSH into Orion VM and connect to taurus using the command given above. Enter Y is prompted.

sudo apt-get update : This time it should work because taurus is using NAT gateway this time.

Stop the terminal.

Viewing logs for Cloud NAT Gateway

Enable logging

Navigation menu > Network Services > Cloud NAT
Click on Bridge > Edit > Advanced Configuration
Select Translation and errors under Stackdriver Logging
Save the configurations.

2. View Logs in Stackdriver

Click on Bridge > Logs > Logging

3. Generate logs

Go to VM Instances > SSH Orion > Connect to taurus
Re-synchronize the package index of taurus using: sudo apt-get update
Close the terminal
Return to the logging page and click Jump to now.
New logs are generated connecting the bastion host(orion) to the internal VM(taurus).

Congratulations!

~ Michael A
Team KloudKraft