---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Compute Engine"
description: |-
A NAT service created in a router.
---
# google_compute_router_nat
A NAT service created in a router.
To get more information about RouterNat, see:
* [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/routers)
* How-to Guides
* [Google Cloud Router](https://cloud.google.com/router/docs/)
## Example Usage - Router Nat Basic
```hcl
resource "google_compute_network" "net" {
  name = "my-network"
}

resource "google_compute_subnetwork" "subnet" {
  name          = "my-subnetwork"
  network       = google_compute_network.net.id
  ip_cidr_range = "10.0.0.0/16"
  region        = "us-central1"
}

resource "google_compute_router" "router" {
  name    = "my-router"
  region  = google_compute_subnetwork.subnet.region
  network = google_compute_network.net.id

  bgp {
    asn = 64514
  }
}

# NAT for every IP range of every subnetwork in the region, using
# Google-allocated external addresses (AUTO_ONLY).
resource "google_compute_router_nat" "nat" {
  name                               = "my-router-nat"
  router                             = google_compute_router.router.name
  region                             = google_compute_router.router.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  # ERRORS_ONLY records only failed translations (e.g. port exhaustion).
  # To attribute an outbound connection back to a VM during an
  # investigation, the filter needs to be TRANSLATIONS_ONLY or ALL.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```
## Example Usage - Router Nat Manual Ips
```hcl
resource "google_compute_network" "net" {
  name = "my-network"
}

resource "google_compute_subnetwork" "subnet" {
  name          = "my-subnetwork"
  network       = google_compute_network.net.id
  ip_cidr_range = "10.0.0.0/16"
  region        = "us-central1"
}

resource "google_compute_router" "router" {
  name    = "my-router"
  region  = google_compute_subnetwork.subnet.region
  network = google_compute_network.net.id
}

# Two reserved regional external addresses; with MANUAL_ONLY the NAT
# egresses only from these, so the set of source IPs seen by remote
# parties is fixed and can be allow-listed on their side.
resource "google_compute_address" "address" {
  count  = 2
  name   = "nat-manual-ip-${count.index}"
  region = google_compute_subnetwork.subnet.region
}

resource "google_compute_router_nat" "nat_manual" {
  name                               = "my-router-nat"
  router                             = google_compute_router.router.name
  region                             = google_compute_router.router.region
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = google_compute_address.address.*.self_link
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  # Only the listed subnetwork is translated; other subnetworks in the
  # region keep no external egress through this NAT.
  subnetwork {
    name                    = google_compute_subnetwork.subnet.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }
}
```
## Example Usage - Router Nat Rules
```hcl
resource "google_compute_network" "net" {
  name                    = "my-network"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "my-subnetwork"
  network       = google_compute_network.net.id
  ip_cidr_range = "10.0.0.0/16"
  region        = "us-central1"
}

resource "google_compute_router" "router" {
  name    = "my-router"
  region  = google_compute_subnetwork.subnet.region
  network = google_compute_network.net.id
}

# addr1 is the default egress address; addr2/addr3 are used only for
# traffic matched by the rule below.
resource "google_compute_address" "addr1" {
  name   = "nat-address1"
  region = google_compute_subnetwork.subnet.region
}

resource "google_compute_address" "addr2" {
  name   = "nat-address2"
  region = google_compute_subnetwork.subnet.region
}

resource "google_compute_address" "addr3" {
  name   = "nat-address3"
  region = google_compute_subnetwork.subnet.region
}

resource "google_compute_router_nat" "nat_rules" {
  name                               = "my-router-nat"
  router                             = google_compute_router.router.name
  region                             = google_compute_router.router.region
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.addr1.self_link]
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  subnetwork {
    name                    = google_compute_subnetwork.subnet.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Destination-based source IP selection: egress to the two example
  # destination ranges leaves from addr2/addr3 instead of addr1.
  # The `match` value is a CEL expression; the ranges here are
  # documentation examples, substitute the destinations that actually
  # allow-list your NAT addresses.
  rules {
    rule_number = 100
    description = "nat rules example"
    match       = "inIpRange(destination.ip, '1.1.0.0/16') || inIpRange(destination.ip, '2.2.0.0/16')"

    action {
      source_nat_active_ips = [google_compute_address.addr2.self_link, google_compute_address.addr3.self_link]
    }
  }

  # Kept disabled here; NAT rules are, as far as the product docs go,
  # not combinable with endpoint-independent mapping - confirm for your
  # provider version.
  enable_endpoint_independent_mapping = false
}
```
## Example Usage - Router Nat Private
```hcl
resource "google_compute_network" "net" {
  provider = google-beta
  name     = "my-network"
}

# Private NAT requires a subnetwork whose purpose is PRIVATE_NAT; its
# range is the source range the NAT translates to (see the rule below).
resource "google_compute_subnetwork" "subnet" {
  provider      = google-beta
  name          = "my-subnetwork"
  network       = google_compute_network.net.id
  ip_cidr_range = "10.0.0.0/16"
  region        = "us-central1"
  purpose       = "PRIVATE_NAT"
}

resource "google_compute_router" "router" {
  provider = google-beta
  name     = "my-router"
  region   = google_compute_subnetwork.subnet.region
  network  = google_compute_network.net.id
}

resource "google_network_connectivity_hub" "hub" {
  provider    = google-beta
  name        = "my-hub"
  description = "vpc hub for inter vpc nat"
}

resource "google_network_connectivity_spoke" "spoke" {
  provider    = google-beta
  name        = "my-spoke"
  location    = "global"
  description = "vpc spoke for inter vpc nat"
  hub         = google_network_connectivity_hub.hub.id

  linked_vpc_network {
    # Ranges that are never exported to the hub; the NAT subnetwork's
    # own range is not excluded here.
    exclude_export_ranges = [
      "198.51.100.0/24",
      "10.10.0.0/16"
    ]
    uri = google_compute_network.net.self_link
  }
}

resource "google_compute_router_nat" "nat_type" {
  provider                            = google-beta
  name                                = "my-router-nat"
  router                              = google_compute_router.router.name
  region                              = google_compute_router.router.region
  source_subnetwork_ip_ranges_to_nat  = "LIST_OF_SUBNETWORKS"
  enable_dynamic_port_allocation      = false
  enable_endpoint_independent_mapping = false
  min_ports_per_vm                    = 32
  type                                = "PRIVATE"

  subnetwork {
    name                    = google_compute_subnetwork.subnet.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # The hub URI in `match` is a constructed example (project
  # "acm-test-proj-123"); substitute the URI of your own hub so the rule
  # matches only traffic whose next hop is that hub.
  rules {
    rule_number = 100
    description = "rule for private nat"
    match       = "nexthop.hub == \"//networkconnectivity.googleapis.com/projects/acm-test-proj-123/locations/global/hubs/my-hub\""

    action {
      source_nat_active_ranges = [
        google_compute_subnetwork.subnet.self_link
      ]
    }
  }
}
```
## Argument Reference
The following arguments are supported:
* `name` -
(Required)
Name of the NAT service. The name must be 1-63 characters long and
comply with RFC1035.
* `source_subnetwork_ip_ranges_to_nat` -
(Required)
How NAT should be configured per subnetwork.
If `ALL_SUBNETWORKS_ALL_IP_RANGES`, all of the
IP ranges in every subnetwork are allowed to use NAT.
If `ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES`, all of the primary IP
ranges in every subnetwork are allowed to use NAT.
If `LIST_OF_SUBNETWORKS`, only the subnetworks listed in the `subnetwork`
block below are allowed to use NAT. Note that if this field is set to
`ALL_SUBNETWORKS_ALL_IP_RANGES` or `ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES`,
there should not be any other RouterNat section in any Router for this
network in this region.
Possible values are: `ALL_SUBNETWORKS_ALL_IP_RANGES`, `ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES`, `LIST_OF_SUBNETWORKS`.
* `router` -
(Required)
The name of the Cloud Router in which this NAT will be configured.
- - -
* `nat_ip_allocate_option` -
(Optional)
How external IPs should be allocated for this NAT. Valid values are
`AUTO_ONLY` for only allowing NAT IPs allocated by Google Cloud
Platform, or `MANUAL_ONLY` for only user-allocated NAT IP addresses.
Possible values are: `MANUAL_ONLY`, `AUTO_ONLY`.
* `nat_ips` -
(Optional)
Self-links of NAT IPs. Only valid if `nat_ip_allocate_option`
(`natIpAllocateOption` in the API) is set to `MANUAL_ONLY`.
* `drain_nat_ips` -
(Optional)
A list of URLs of the IP resources to be drained. These IPs must be
valid static external IPs that have been assigned to the NAT.
* `subnetwork` -
(Optional)
One or more subnetwork NAT configurations. Only used if
`source_subnetwork_ip_ranges_to_nat` is set to `LIST_OF_SUBNETWORKS`
Structure is [documented below](#nested_subnetwork).
* `min_ports_per_vm` -
(Optional)
Minimum number of ports allocated to a VM from this NAT. Defaults to 64 for static port allocation and to 32 for dynamic port allocation if not set.
* `max_ports_per_vm` -
(Optional)
Maximum number of ports allocated to a VM from this NAT.
This field can only be set when `enable_dynamic_port_allocation` is enabled.
* `enable_dynamic_port_allocation` -
(Optional)
Enable Dynamic Port Allocation.
If `min_ports_per_vm` is set, it must be a power of two greater than or equal to 32.
If `min_ports_per_vm` is not set, a minimum of 32 ports will be allocated to a VM from this NAT config.
If `max_ports_per_vm` is set, it must be a power of two greater than `min_ports_per_vm`.
If `max_ports_per_vm` is not set, a maximum of 65536 ports will be allocated to a VM from this NAT config.
Mutually exclusive with `enable_endpoint_independent_mapping`.
* `udp_idle_timeout_sec` -
(Optional)
Timeout (in seconds) for UDP connections. Defaults to 30s if not set.
* `icmp_idle_timeout_sec` -
(Optional)
Timeout (in seconds) for ICMP connections. Defaults to 30s if not set.
* `tcp_established_idle_timeout_sec` -
(Optional)
Timeout (in seconds) for TCP established connections.
Defaults to 1200s if not set.
* `tcp_transitory_idle_timeout_sec` -
(Optional)
Timeout (in seconds) for TCP transitory connections.
Defaults to 30s if not set.
* `tcp_time_wait_timeout_sec` -
(Optional)
Timeout (in seconds) for TCP connections that are in TIME_WAIT state.
Defaults to 120s if not set.
* `log_config` -
(Optional)
Configuration for logging on this NAT.
Structure is [documented below](#nested_log_config).
* `endpoint_types` -
(Optional)
Specifies the endpoint types supported by the NAT gateway.
Supported values include:
`ENDPOINT_TYPE_VM`, `ENDPOINT_TYPE_SWG`,
`ENDPOINT_TYPE_MANAGED_PROXY_LB`.
* `rules` -
(Optional)
A list of rules associated with this NAT.
Structure is [documented below](#nested_rules).
* `enable_endpoint_independent_mapping` -
(Optional)
Enable endpoint independent mapping.
For more information see the [official documentation](https://cloud.google.com/nat/docs/overview#specs-rfcs).
* `type` -
(Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
Indicates whether this NAT is used for public or private IP translation.
If unspecified, it defaults to `PUBLIC`.
If `PUBLIC`, the NAT is used for public IP translation.
If `PRIVATE`, the NAT is used for private IP translation.
Default value is `PUBLIC`.
Possible values are: `PUBLIC`, `PRIVATE`.
* `auto_network_tier` -
(Optional)
The network tier to use when automatically reserving NAT IP addresses.
Must be one of: PREMIUM, STANDARD. If not specified, then the current
project-level default tier is used.
Possible values are: `PREMIUM`, `STANDARD`.
* `region` -
(Optional)
Region where the router and NAT reside.
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
<a name="nested_subnetwork"></a>The `subnetwork` block supports:
* `name` -
(Required)
Self-link of the subnetwork to NAT.
* `source_ip_ranges_to_nat` -
(Required)
List of options for which source IPs in the subnetwork
should have NAT enabled. Supported values include:
`ALL_IP_RANGES`, `LIST_OF_SECONDARY_IP_RANGES`,
`PRIMARY_IP_RANGE`.
* `secondary_ip_range_names` -
(Optional)
List of the secondary ranges of the subnetwork that are allowed
to use NAT. This can be populated only if
`LIST_OF_SECONDARY_IP_RANGES` is one of the values in
`source_ip_ranges_to_nat`.
<a name="nested_log_config"></a>The `log_config` block supports:
* `enable` -
(Required)
Indicates whether or not to export logs.
* `filter` -
(Required)
Specifies the desired filtering of logs on this NAT.
Possible values are: `ERRORS_ONLY`, `TRANSLATIONS_ONLY`, `ALL`.
<a name="nested_rules"></a>The `rules` block supports:
* `rule_number` -
(Required)
An integer uniquely identifying a rule in the list.
The rule number must be a positive value between 0 and 65000, and must be unique among rules within a NAT.
* `description` -
(Optional)
An optional description of this rule.
* `match` -
(Required)
CEL expression that specifies the match condition that egress traffic from a VM is evaluated against.
If it evaluates to true, the corresponding action is enforced.
The following examples are valid match expressions for public NAT:
"inIpRange(destination.ip, '1.1.0.0/16') || inIpRange(destination.ip, '2.2.0.0/16')"
"destination.ip == '1.1.0.1' || destination.ip == '8.8.8.8'"
The following example is a valid match expression for private NAT:
"nexthop.hub == 'https://networkconnectivity.googleapis.com/v1alpha1/projects/my-project/global/hub/hub-1'"
* `action` -
(Optional)
The action to be enforced for traffic that matches this rule.
Structure is [documented below](#nested_action).
<a name="nested_action"></a>The `action` block supports:
* `source_nat_active_ips` -
(Optional)
A list of URLs of the IP resources used for this NAT rule.
These IP addresses must be valid static external IP addresses assigned to the project.
This field is used for public NAT.
* `source_nat_drain_ips` -
(Optional)
A list of URLs of the IP resources to be drained.
These IPs must be valid static external IPs that have been assigned to the NAT.
These IPs should be used for updating/patching a NAT rule only.
This field is used for public NAT.
* `source_nat_active_ranges` -
(Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
A list of URLs of the subnetworks used as source ranges for this NAT Rule.
These subnetworks must have purpose set to PRIVATE_NAT.
This field is used for private NAT.
* `source_nat_drain_ranges` -
(Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
A list of URLs of subnetworks representing source ranges to be drained.
This is only supported on patch/update, and these subnetworks must have previously been used as active ranges in this NAT Rule.
This field is used for private NAT.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `{{project}}/{{region}}/{{router}}/{{name}}`
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
RouterNat can be imported using any of these accepted formats:
* `projects/{{project}}/regions/{{region}}/routers/{{router}}/{{name}}`
* `{{project}}/{{region}}/{{router}}/{{name}}`
* `{{region}}/{{router}}/{{name}}`
* `{{router}}/{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import RouterNat using one of the formats above. For example:
```tf
# Terraform v1.5.0+ import block; the {{...}} segments are placeholders
# to be replaced with the real project, region, router and NAT names.
import {
  id = "projects/{{project}}/regions/{{region}}/routers/{{router}}/{{name}}"
  to = google_compute_router_nat.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), RouterNat can be imported using one of the formats above. For example:
```
# Any one of the accepted id formats works; the {{...}} segments are placeholders.
$ terraform import google_compute_router_nat.default projects/{{project}}/regions/{{region}}/routers/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{project}}/{{region}}/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{region}}/{{router}}/{{name}}
$ terraform import google_compute_router_nat.default {{router}}/{{name}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).