gcloud alpha compute routers nats rules create - add a Rule to a Compute Engine NAT
gcloud alpha compute routers nats rules create RULE_NUMBER --match=MATCH --nat=NAT --router=ROUTER [--async] [--region=REGION] [--source-nat-active-ips=IP_ADDRESS,[IP_ADDRESS,...]] [--source-nat-active-ranges=SUBNETWORK,[SUBNETWORK,...]] [GCLOUD_WIDE_FLAG ...]
(ALPHA) gcloud alpha compute routers nats rules create is used to create a Rule on a Compute Engine NAT.
Create a rule to use the IP Address address-1 to talk to destination IPs in the CIDR Range "203.0.113.0/24".
$ gcloud alpha compute routers nats rules create 1 --nat=my-nat \ --router=my-router --region=us-central1 \ --match='inIpRange(destination.ip, "203.0.113.0/24")' \ --source-nat-active-ips=a1
- RULE_NUMBER
Number that uniquely identifies the Rule to create
- --match=MATCH
CEL Expression used to identify traffic to which this rule applies.
- —
Supported attributes (Public NAT): destination.ip
- —
Supported attributes (Private NAT): nexthop.hub
- —
Supported methods (Public Nat): inIpRange
- —
Supported operators (Public NAT): ||, ==
- —
Supported operators (Private NAT): ==
Examples of allowed Match expressions (Public NAT):
- —
'inIpRange(destination.ip, "203.0.113.0/24")''
- —
'destination.ip == "203.0.113.7"'
- —
'destination.ip == "203.0.113.7" || inIpRange(destination.ip, "203.0.113.16/25")'
Example of allowed Match expression (Private NAT):
- —
nexthop.hub == "//networkconnectivity.googleapis.com/projects/p1/locations/global/hubs/h1"
- --nat=NAT
Name of the NAT that contains the Rule
- --router=ROUTER
The Router to use for NAT.
- --async
Return immediately, without waiting for the operation in progress to complete.
- --region=REGION
Region of the NAT to create. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- --source-nat-active-ips=IP_ADDRESS,[IP_ADDRESS,...]
External IP Addresses to use for connections matching this rule.
These must be valid reserved external IPs in the same region.
- --source-nat-active-ranges=SUBNETWORK,[SUBNETWORK,...]
Subnetworks from which addresses are used for connections matching this rule. This is only supported for Private NAT, and is required when creating a Private NAT gateway..
These must be Subnetwork resources in the same region, with purpose set to PRIVATE_NAT.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
$ gcloud compute routers nats rules create
$ gcloud beta compute routers nats rules create