Cloud NAT Gateway
A regional Cloud Router and Cloud NAT gateway giving private, external-IP-less instances outbound internet access, with auto-allocated NAT IPs, all-subnet coverage, and logging on by default.
Verification
Live-tested: Really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-30 · how we verify
Documentation
gcp-cloud-nat
A Cloud NAT gateway for one region: a `google_compute_router` plus a
`google_compute_router_nat`, so private instances (no external IPs) get outbound
internet access. Sensible, secure defaults: auto-allocated NAT IPs, NAT for
all subnet ranges, and logging on. Works with Terraform and
OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.
What you get:
- A Cloud Router (optionally BGP-enabled) in the chosen region
- A Cloud NAT gateway: `AUTO_ONLY` IP allocation, `ALL_SUBNETWORKS_ALL_IP_RANGES` by default, tunable idle timeouts and per-VM port minimums
- Cloud NAT logging (`ERRORS_ONLY` by default)
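For orientation, the defaults listed above map onto the Google provider's two resources roughly as follows. This is an added example, not the gcp-cloud-nat module's source or its input interface; the variable names, resource names, region and numeric values are assumptions chosen for illustration.

```hcl
# Added illustration: not the gcp-cloud-nat module's code.
# Names, region and numeric values below are constructed placeholders.

variable "region" {
  type    = string
  default = "europe-west1" # constructed sample value
}

variable "network" {
  type        = string
  description = "Name or self link of the VPC whose private instances need egress"
}

# The router is the control-plane anchor the NAT gateway attaches to.
resource "google_compute_router" "nat" {
  name    = "example-nat-router"
  region  = var.region
  network = var.network
}

resource "google_compute_router_nat" "nat" {
  name   = "example-nat-gateway"
  router = google_compute_router.nat.name
  region = google_compute_router.nat.region

  # NAT IPs are allocated by Google instead of being reserved by hand.
  nat_ip_allocate_option = "AUTO_ONLY"

  # Every primary and secondary range of every subnet in the region is covered.
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  # The tunables the page mentions: per-VM port minimum and idle timeouts.
  min_ports_per_vm                 = 64
  tcp_established_idle_timeout_sec = 1200
  udp_idle_timeout_sec             = 30

  log_config {
    enable = true
    filter = "ERRORS_ONLY" # other accepted values: TRANSLATIONS_ONLY, ALL
  }
}
```

With the `ERRORS_ONLY` filter, only failed translations are logged, so successful outbound connections leave no NAT log entry; a full egress audit trail needs `ALL`.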
Requirements
| Requirement | Version |
|---|---|
| Terraform / OpenTofu | >= 1.6 |
| `hashicorp/google` | >= 7.0, < 8.0 |
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).
Usage code & full reference unlock after purchase
The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.