Cloud NAT Setup
Cloud NAT gives EZ-CDC workers in GCP outbound connectivity without assigning them external IP addresses. It is the GCP counterpart of an AWS NAT Gateway rather than of AWS PrivateLink: inbound reachability from the internet is removed, but egress to the control plane still crosses the public internet, which is why that connection is authenticated with mTLS.
Overview
With Cloud NAT, workers reach the EZ-CDC control plane through a managed NAT gateway. The instances have no public IPs, so there is no address on the internet at which they can be contacted.
Worker (no public IP) → Cloud NAT → Internet → Control Plane (mTLS)
Benefits
| Aspect | Standard | Cloud NAT |
|---|---|---|
| External IPs | Ephemeral per instance | None |
| Attack surface | Public IP reachable | No inbound from the internet (NAT is egress-only; VPC-internal reachability is unchanged) |
| Data path | Direct internet | NAT gateway |
| Control plane auth | TLS | mTLS |
| Compliance | Standard | Enhanced (no public IPs) |
How It Works
EZ-CDC automatically provisions Cloud NAT resources when you select Cloud NAT connectivity mode during deployment:
Cloud Router
A regional Cloud Router is created to manage NAT routing:
```hcl
# Cloud NAT needs a Cloud Router in the same region as its control plane.
# The bgp block is only used for VPN/Interconnect peering and is not required
# for NAT; 64514 is in the private ASN range (64512-65534).
resource "google_compute_router" "worker" {
  name    = "ez-cdc-{deployment-id}-router"
  region  = "us-central1"
  network = "your-vpc"
  bgp {
    asn = 64514
  }
}
```
Cloud NAT Gateway
The NAT gateway is scoped to only the worker subnetwork:
```hcl
resource "google_compute_router_nat" "worker" {
  name   = "ez-cdc-{deployment-id}-nat"
  router = google_compute_router.worker.name
  region = "us-central1"

  # GCP allocates NAT IPs (and adds more as load grows); they are not stable,
  # so do not hard-code them into database allowlists.
  nat_ip_allocate_option = "AUTO_ONLY"

  # Translate only the worker subnetwork, not every subnetwork in the VPC.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = "your-subnetwork"
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Idle timeouts for CDC long-lived connections (both are the GCP defaults).
  # A mapping with no traffic for this long is removed, so keepalives must
  # fire sooner than tcp_established_idle_timeout_sec.
  tcp_established_idle_timeout_sec = 1200
  tcp_transitory_idle_timeout_sec  = 30

  # ERRORS_ONLY records dropped allocations only; use "ALL" if you need an
  # egress audit trail of every translation.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```
Key Configuration Details
| Setting | Value | Reason |
|---|---|---|
| IP allocation | AUTO_ONLY | GCP auto-manages NAT IPs; the addresses are not stable, so do not allowlist them |
| Subnetwork scope | LIST_OF_SUBNETWORKS | NAT only applies to the worker subnetwork |
| TCP established timeout | 1200s | CDC connections are long-lived (this is also the GCP default); a mapping idle longer than this is removed, so keepalives must fire sooner |
| TCP transitory timeout | 30s | Quick cleanup of half-open and closing connections (GCP default) |
| Logging | ERRORS_ONLY | Minimize log volume; only dropped allocations are logged, so use ALL if you need an egress audit trail |
Because the gateway is scoped with LIST_OF_SUBNETWORKS, only the worker subnetwork is translated; other subnetworks in the same VPC keep their existing egress path.
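The established-idle timeout is the failure mode worth planning for: a replication connection with no traffic in either direction for 1200 s loses its NAT mapping, after which packets from the database toward the old mapping are dropped and the worker's next packet gets a mapping the database has never seen, so the stream stalls and is eventually reset. The added example below (not EZ-CDC code) derives TCP keepalive timings that complete a full probe cycle inside that window and applies them to a socket; it assumes Linux socket option names and a hypothetical `demo()` entry point. The same numbers can be applied on the database side, for example PostgreSQL's `tcp_keepalives_idle`, `tcp_keepalives_interval` and `tcp_keepalives_count`, which is the end you control when the workers are managed for you.

```python
"""Keep long-lived CDC connections inside Cloud NAT's idle window.

Added example, not EZ-CDC code. Cloud NAT removes a TCP mapping after
tcp_established_idle_timeout_sec (1200 s in the config above) with no traffic
in either direction. TCP keepalive on whichever endpoint you control, timed to
finish a full probe cycle before that, keeps the mapping alive. Socket option
names below are Linux; missing ones are skipped (looked up with getattr).
"""
import socket

NAT_TCP_ESTABLISHED_IDLE_SEC = 1200  # value from the NAT config on this page


def keepalive_params(nat_idle_sec: int, probes: int = 3) -> dict:
    """Timings such that idle + probes * intvl < nat_idle_sec.

    The first probe goes out at half the NAT timeout and the remaining probes
    fit into the second half, so a healthy peer refreshes the mapping and a
    dead peer is detected before Cloud NAT would have expired the mapping.
    """
    idle = nat_idle_sec // 2
    intvl = max(1, (nat_idle_sec - idle) // (probes + 1))
    return {"idle": idle, "intvl": intvl, "cnt": probes}


def apply_keepalive(sock: socket.socket,
                    nat_idle_sec: int = NAT_TCP_ESTABLISHED_IDLE_SEC) -> dict:
    """Enable keepalive on sock with timings derived from the NAT timeout."""
    params = keepalive_params(nat_idle_sec)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for optname, key in (("TCP_KEEPIDLE", "idle"),
                         ("TCP_KEEPINTVL", "intvl"),
                         ("TCP_KEEPCNT", "cnt")):
        opt = getattr(socket, optname, None)  # absent on some platforms
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, params[key])
    return params


def demo() -> dict:
    """Create a socket, apply keepalive, and read back what the kernel holds.

    budget_sec is the worst-case time until a dead peer is declared; it must be
    below the NAT timeout or the mapping can expire before the last probe.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        params = apply_keepalive(sock)
        out = {
            "enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
            "budget_sec": params["idle"] + params["intvl"] * params["cnt"],
        }
        opt = getattr(socket, "TCP_KEEPIDLE", None)
        if opt is not None:
            out["idle_sec"] = sock.getsockopt(socket.IPPROTO_TCP, opt)
        return out
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo())
```

With the page's 1200 s timeout the function settles on a 600 s idle, 150 s interval and 3 probes, a 1050 s worst case, leaving 150 s of margin before Cloud NAT would drop the mapping.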
Prerequisites
Cloud NAT mode requires minimal preparation:
□ GCP project with Compute API enabled
□ VPC network with a subnetwork (no external IPs needed)
□ Databases reachable from the subnetwork (if a database allowlists source IPs, remember that AUTO_ONLY NAT addresses can change; use manual allocation with reserved static addresses before adding them to an allowlist, see Troubleshooting)
Cloud Router and Cloud NAT are created automatically during deployment.
Costs
| Component | Estimated Cost |
|---|---|
| Cloud NAT gateway | Hourly rate per VM using the gateway (see current GCP pricing) |
| Data processed | $0.045/GB |
Typical monthly cost: $35-60 depending on data volume.
Cloud NAT pricing is in the same range as AWS PrivateLink (~$10-30/month for endpoint + data), though the two services differ in kind: PrivateLink keeps traffic off the public internet, Cloud NAT only removes inbound reachability. In both cases the main cost driver is data transfer volume.
Verification
After deployment, verify Cloud NAT is working:
Check Cloud Router
```bash
gcloud compute routers list \
  --project=YOUR_PROJECT_ID \
  --regions=us-central1 \
  --filter="name:ez-cdc-*"
```
Check Cloud NAT
```bash
gcloud compute routers nats list \
  --router=ez-cdc-{deployment-id}-router \
  --region=us-central1 \
  --project=YOUR_PROJECT_ID
```
Check Worker IPs
Verify workers have no external IPs:
```bash
gcloud compute instances list \
  --project=YOUR_PROJECT_ID \
  --filter="name:ez-cdc-wk-*" \
  --format="table(name,networkInterfaces[0].networkIP,networkInterfaces[0].accessConfigs[0].natIP)"
```
The natIP column should be empty for Cloud NAT mode.
Check NAT Logs
```bash
gcloud logging read \
  'resource.type="nat_gateway" AND resource.labels.gateway_name="ez-cdc-{deployment-id}-nat"' \
  --project=YOUR_PROJECT_ID \
  --limit=10
```
Filter on gateway_name: the router_id label of the nat_gateway resource is the router's numeric ID, not its name, so a filter on the router name matches nothing. With filter = ERRORS_ONLY only dropped allocations are logged, so an empty result is the healthy outcome; a non-empty one is the port-exhaustion case under Troubleshooting.
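The checks above can be run as one script over the same commands' `--format=json` output. This is an added example, not EZ-CDC tooling: the sample JSON is constructed to resemble `gcloud compute instances list` and `gcloud compute routers get-status` output, and the natStatus field names (autoAllocatedNatIps, userAllocatedNatIps, minExtraNatIpsNeeded, numVmEndpointsWithNatMappings) are assumed from the Compute API router status response, so confirm them against a real run before relying on the script.

```python
"""Posture check for EZ-CDC workers in Cloud NAT mode (added example).

Assumed invocations for real data (not EZ-CDC tooling):
  gcloud compute instances list --project=P --filter="name:ez-cdc-wk-*" \
      --format=json > instances.json
  gcloud compute routers get-status ez-cdc-{deployment-id}-router \
      --region=us-central1 --project=P --format=json > status.json
  python nat_posture.py instances.json status.json ez-cdc-{deployment-id}-nat
"""
import json
import sys
from typing import Dict, List

# Constructed sample: wk-0 is compliant, wk-1 was given an external IP
# (an instance with an external IP bypasses Cloud NAT entirely), and an
# unrelated VM in the same project must be ignored by the worker filter.
INSTANCES_JSON = json.dumps([
    {"name": "ez-cdc-wk-0", "status": "RUNNING",
     "networkInterfaces": [{"networkIP": "10.0.1.10"}]},
    {"name": "ez-cdc-wk-1", "status": "RUNNING",
     "networkInterfaces": [{"networkIP": "10.0.1.11",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                               "natIP": "34.0.0.5"}]}]},
    {"name": "unrelated-vm", "status": "RUNNING",
     "networkInterfaces": [{"networkIP": "10.0.2.4",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                               "natIP": "34.0.0.6"}]}]},
])

# Constructed sample of `routers get-status`: one NAT IP, one mapped endpoint.
ROUTER_STATUS_JSON = json.dumps({"result": {"natStatus": [{
    "name": "ez-cdc-demo-nat",
    "autoAllocatedNatIps": ["35.0.0.9"],
    "userAllocatedNatIps": [],
    "minExtraNatIpsNeeded": 0,
    "numVmEndpointsWithNatMappings": 1}]}})


def workers_with_external_ip(instances: List[dict]) -> List[str]:
    """Names of instances with a natIP on any interface (must be empty in NAT mode)."""
    bad = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if any(ac.get("natIP") for ac in nic.get("accessConfigs", [])):
                bad.append(inst["name"])
                break
    return bad


def nat_findings(status: dict, expected_workers: int, gateway_name: str) -> List[str]:
    """Findings for one NAT gateway; an empty list means it looks healthy."""
    nats = {n["name"]: n for n in status.get("result", {}).get("natStatus", [])}
    nat = nats.get(gateway_name)
    if nat is None:
        return [f"NAT gateway {gateway_name} not present on router"]
    findings = []
    if not nat.get("autoAllocatedNatIps", []) + nat.get("userAllocatedNatIps", []):
        findings.append("no NAT IPs allocated")
    extra = nat.get("minExtraNatIpsNeeded", 0)
    if extra > 0:
        findings.append(f"port exhaustion: {extra} more NAT IP(s) needed")
    mapped = nat.get("numVmEndpointsWithNatMappings", 0)
    if mapped < expected_workers:
        findings.append(f"only {mapped}/{expected_workers} worker endpoints have NAT mappings")
    return findings


def audit(instances_json: str, status_json: str, gateway_name: str) -> Dict[str, List[str]]:
    """Run both checks; only ez-cdc-wk-* instances count as workers."""
    workers = [i for i in json.loads(instances_json) if i["name"].startswith("ez-cdc-wk-")]
    return {"workers_with_external_ip": workers_with_external_ip(workers),
            "nat_findings": nat_findings(json.loads(status_json), len(workers), gateway_name)}


if __name__ == "__main__":
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = audit(f1.read(), f2.read(), sys.argv[3])
    else:
        result = audit(INSTANCES_JSON, ROUTER_STATUS_JSON, "ez-cdc-demo-nat")
    print(json.dumps(result, indent=2))
    sys.exit(1 if any(result.values()) else 0)
```

On the constructed sample the script flags ez-cdc-wk-1 for its external IP and reports that only one of the two workers has a NAT mapping, which is the same fact seen from the gateway side. The non-zero exit status makes it usable as a post-deployment gate.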
Troubleshooting
Workers can't reach the control plane
- Verify the NAT gateway is healthy and has allocated IPs:

```bash
gcloud compute routers get-status ez-cdc-{deployment-id}-router \
  --region=us-central1 --project=YOUR_PROJECT_ID
```

  The natStatus entry should list at least one address under autoAllocatedNatIps and report minExtraNatIpsNeeded: 0.
- Verify egress firewall rules allow HTTPS (port 443) to the control plane; the implied allow-egress rule of a VPC suffices unless a deny-all egress rule was added.
NAT port exhaustion
If the NAT dropped-packet metric reports reason OUT_OF_RESOURCES (seen as allocation_status: DROPPED in NAT logs, or a non-zero minExtraNatIpsNeeded in get-status):
- With AUTO_ONLY, Cloud NAT adds NAT IPs automatically when more VMs need port reservations, so minExtraNatIpsNeeded should return to 0 on its own.
- Extra IPs do not give a single VM more ports. If one worker exhausts its own reservation (64 ports per VM by default), raise min_ports_per_vm or enable dynamic port allocation on the NAT config.
- For very large deployments, or where databases allowlist source IPs, consider manual IP allocation (reserved static addresses with MANUAL_ONLY).
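Added example (not EZ-CDC tooling) for the port-exhaustion case above: it counts dropped allocations per worker in Cloud NAT log entries and derives a min_ports_per_vm and NAT IP count from the observed demand. The entries are constructed to mimic `gcloud logging read ... --format=json` output; the jsonPayload field names (connection.src_ip, connection.dest_ip, connection.dest_port, allocation_status) are assumed from the Cloud NAT log format, so compare them with one of your own entries first. The 64512 usable ports per NAT IP and the rounding of min_ports_per_vm up to a power of two are GCP-documented behaviour.

```python
"""Detect NAT port-allocation drops in Cloud NAT logs and size the remedy.

Added example, not EZ-CDC tooling. With log_config.filter = ERRORS_ONLY only
DROPPED entries are logged, which is enough for the drop count; the OK entries
needed for demand estimation require filter ALL or TRANSLATIONS_ONLY.
"""
import math
from collections import Counter, defaultdict

PORTS_PER_NAT_IP = 64512          # ports 1024-65535 usable per NAT IP (GCP documented)
DB = ("203.0.113.7", 5432)        # constructed source-database endpoint


def _entry(src_ip, src_port, dest, status):
    """One constructed log entry in the assumed Cloud NAT jsonPayload shape."""
    conn = {"src_ip": src_ip, "src_port": src_port, "protocol": 6,
            "dest_ip": dest[0], "dest_port": dest[1]}
    if status == "OK":                      # only successful allocations get a NAT tuple
        conn.update({"nat_ip": "35.0.0.9", "nat_port": 1024 + src_port % 100})
    return {"jsonPayload": {"allocation_status": status, "connection": conn,
                            "gateway_identifiers": {"gateway_name": "ez-cdc-demo-nat",
                                                    "region": "us-central1"}}}


SAMPLE_LOG = [                              # constructed, not real log data
    _entry("10.0.1.10", 40001, DB, "OK"),
    _entry("10.0.1.10", 40002, DB, "OK"),
    _entry("10.0.1.10", 40003, DB, "OK"),
    _entry("10.0.1.10", 40004, DB, "DROPPED"),   # worker 0 out of ports for this destination
    _entry("10.0.1.10", 40005, DB, "DROPPED"),
    _entry("10.0.1.11", 40001, DB, "OK"),        # another worker may reuse the same NAT port
    _entry("10.0.1.11", 40002, ("198.51.100.20", 443), "OK"),
]


def dropped_by_worker(entries) -> Counter:
    """DROPPED allocations per worker source IP (the OUT_OF_RESOURCES symptom)."""
    drops = Counter()
    for e in entries:
        p = e["jsonPayload"]
        if p.get("allocation_status") == "DROPPED":
            drops[p["connection"]["src_ip"]] += 1
    return drops


def peak_same_destination(entries) -> dict:
    """Per worker, most OK allocations to a single (dest_ip, dest_port).

    Only connections to the same destination contend for a worker's NAT ports;
    logs record allocations but not releases, so this is an upper bound.
    """
    per = defaultdict(Counter)
    for e in entries:
        p = e["jsonPayload"]
        if p.get("allocation_status") == "OK":
            c = p["connection"]
            per[c["src_ip"]][(c["dest_ip"], c["dest_port"])] += 1
    return {ip: max(ctr.values()) for ip, ctr in per.items()}


def min_ports_per_vm(peak_conns: int, floor: int = 64) -> int:
    """Cloud NAT rounds min_ports_per_vm up to a power of two; allow 2x headroom."""
    need = max(floor, 2 * peak_conns)
    return 1 << (need - 1).bit_length()


def nat_ips_needed(num_vms: int, ports_per_vm: int) -> int:
    """Static allocation: every VM reserves ports_per_vm ports on the shared NAT IPs."""
    return math.ceil(num_vms * ports_per_vm / PORTS_PER_NAT_IP)


def report(entries, num_vms: int) -> dict:
    """Drops, observed demand, and the NAT settings that would cover it."""
    peak = peak_same_destination(entries)
    ports = min_ports_per_vm(max(peak.values(), default=0))
    return {"dropped": dict(dropped_by_worker(entries)), "peak_per_worker": peak,
            "min_ports_per_vm": ports, "nat_ips_needed": nat_ips_needed(num_vms, ports)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG, num_vms=2))
```

The sizing follows from the two GCP rules in the lead-in: a worker needs as many NAT ports as it has simultaneous connections to one destination, and each NAT IP holds 64512 of them, so raising min_ports_per_vm is what helps a single busy worker, while the IP count only matters once the fleet's reservations no longer fit on the allocated addresses.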
Disable Cloud NAT
To switch from Cloud NAT to Standard mode:
- Go to Deployments → your deployment
- Click Settings → Connectivity
- Select Standard
Workers are recreated with ephemeral external IPs. The Cloud Router and Cloud NAT resources are cleaned up automatically; if a database allowlists the NAT addresses, update that allowlist first, because it will stop matching once the gateway is gone.
Next Steps
- GCP Infrastructure - Understand worker infrastructure
- Network Isolation - Security best practices