Hybrid NAT
Hybrid NAT, a type of Private NAT,
lets you perform network address translation (NAT) between
a Virtual Private Cloud (VPC) network and an on-premises
network or other cloud provider network. The non-Google Cloud network must be
connected to your VPC network by using Google Cloud's
Network Connectivity products such as
Cloud Interconnect
or Cloud VPN.
Specifications
In addition to the general Private NAT specifications, Hybrid NAT has the following specifications:
Hybrid NAT lets a VPC network communicate with
an on-premises network or other cloud provider network even if the subnet
IP address ranges of the networks overlap. By using
a NAT configuration of type=PRIVATE, resources in both the overlapping
and non-overlapping subnets of the VPC network can connect
to resources in the non-overlapping subnets of the non-Google Cloud
network.
To enable Hybrid NAT, the non-Google Cloud network must
advertise its dynamic routes so that your VPC network can
learn and use them. Your Cloud Router learns these dynamic routes
from Google Cloud's Network Connectivity products such as
Cloud Interconnect, HA VPN, or
Classic VPN with dynamic routing configured. The destinations of
these dynamic routes are IP address ranges outside of your VPC
network.
Note: Only the non-overlapping subnet routes need to be advertised; overlapping subnet routes must not be advertised.
Similarly, for return traffic, your VPC network must
advertise
the Private NAT subnet route by using a Cloud Router,
and this subnet route must not overlap with an existing subnet in the
connected networks.
Hybrid NAT performs NAT on traffic originating from a
VPC network to an on-premises network or other cloud
provider network. The networks must be connected by
Cloud Interconnect or Cloud VPN.
Hybrid NAT supports existing Classic VPN tunnels
only if dynamic routing is enabled.
You need to create a custom NAT rule with a match expression
nexthop.is_hybrid. The NAT rule specifies a NAT IP address range from a
subnet of purpose PRIVATE_NAT that the resources in your VPC
network can use to communicate with other networks.
The Cloud Router on which you configure Hybrid NAT
must be in the same region as the VPC network.
The Cloud Router on which you configure Hybrid NAT
can't contain any other NAT configuration.
Basic Hybrid NAT configuration and workflow
The following diagram shows a basic Hybrid NAT configuration:
Hybrid NAT translation example.
In this example, Hybrid NAT is set up as follows:
The pvt-nat-gw gateway is configured in vpc-a to apply to all the IP
address ranges of subnet-a in the us-east1 region.
Cloud Router and the on-premises or other cloud provider router
exchange the following subnet routes:
Cloud Router advertises 10.1.2.0/29 to the
external router.
The external router advertises 192.168.2.0/24 to
Cloud Router.
By using the NAT IP address range of pvt-nat-gw, a virtual machine (VM)
instance in subnet-a of vpc-a can send traffic to a VM in subnet-b of
the on-premises network or other cloud provider network, even though
subnet-a of vpc-a overlaps with another subnet in the
non-Google Cloud network.
Example Hybrid NAT workflow
In the preceding diagram, vm-a with the internal IP address 192.168.1.2 in
subnet-a of vpc-a needs to download an update from vm-b with the internal
IP address 192.168.2.2 in subnet-b of an on-premises
network or other cloud provider network. Cloud Interconnect connects
your VPC network to the on-premises network or other cloud
provider network. Assume that the non-Google Cloud network contains
another subnet 192.168.1.0/24 that overlaps with the subnet in vpc-a.
For subnet-a of vpc-a to communicate with subnet-b of the
non-Google Cloud network, you need to configure a
Private NAT gateway, pvt-nat-gw, in vpc-a as follows:
Specify a Private NAT subnet of purpose PRIVATE_NAT,
for example, 10.1.2.0/29. Create this subnet before
configuring the Private NAT gateway. Ensure that this subnet
does not overlap with an existing subnet in any of the connected networks.
Create a NAT rule with match='nexthop.is_hybrid'.
Configure the Private NAT gateway to apply to all IP address
ranges of subnet-a.
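The following Python script is an added example, not code from this page or from Google Cloud. It checks an address plan against the constraints stated in the specifications and in the setup steps above: the PRIVATE_NAT range must not overlap any subnet in the VPC network or in the connected network, only the non-overlapping on-premises subnet routes may be advertised to Cloud Router, and only those subnets are reachable through the gateway. The function names are the example's own, and the sample ranges are the ones from the diagram (subnet-a, subnet-b, the overlapping on-premises subnet and the 10.1.2.0/29 NAT range).

```python
from ipaddress import ip_address, ip_network


def plan_hybrid_nat(vpc_subnets, onprem_subnets, private_nat_subnet):
    """Check an address plan against the Hybrid NAT constraints.

    Returns a dict:
      errors                - violations (empty when the plan is usable)
      advertise_from_vpc    - the route Cloud Router must advertise (the PRIVATE_NAT range)
      advertise_from_onprem - on-premises routes the external router may advertise
      withhold              - on-premises routes that overlap a VPC subnet and must not be advertised
    """
    vpc = [ip_network(s) for s in vpc_subnets]
    onprem = [ip_network(s) for s in onprem_subnets]
    nat = ip_network(private_nat_subnet)

    errors = []
    # The NAT range must be disjoint from every subnet in every connected network;
    # otherwise translated source addresses collide with real hosts somewhere.
    for s in vpc + onprem:
        if nat.overlaps(s):
            errors.append(f"PRIVATE_NAT range {nat} overlaps {s}")

    advertise, withhold = [], []
    for s in onprem:
        # On-premises subnets that overlap a VPC subnet stay unadvertised and are unreachable.
        (withhold if any(s.overlaps(v) for v in vpc) else advertise).append(str(s))
    if not advertise:
        errors.append("no non-overlapping on-premises subnet is reachable")

    return {
        "errors": errors,
        "advertise_from_vpc": [str(nat)],
        "advertise_from_onprem": advertise,
        "withhold": withhold,
    }


def reachable_through_hybrid_nat(plan, dst_ip):
    """True when dst_ip lies in an advertised, non-overlapping on-premises subnet."""
    if plan["errors"]:
        return False
    dst = ip_address(dst_ip)
    return any(dst in ip_network(r) for r in plan["advertise_from_onprem"])


if __name__ == "__main__":
    # Constructed sample matching the diagram: subnet-a, subnet-b, an overlapping
    # on-premises 192.168.1.0/24, and the PRIVATE_NAT subnet 10.1.2.0/29.
    plan = plan_hybrid_nat(["192.168.1.0/24"],
                           ["192.168.2.0/24", "192.168.1.0/24"],
                           "10.1.2.0/29")
    print(plan)
    print(reachable_through_hybrid_nat(plan, "192.168.2.2"))
```

The check is deliberately strict about the NAT range: a PRIVATE_NAT subnet that overlaps a connected network would make translated packets look like they come from a real host in that network, so the plan is rejected even if the on-premises routes themselves are fine.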
Hybrid NAT follows the port reservation procedure
to reserve a set of NAT source IP address
and source port tuples for each VM in the subnets that the gateway applies to. For example, the
Private NAT gateway reserves 64 source ports for vm-a:
10.1.2.2:34000 through 10.1.2.2:34063.
When the VM uses the TCP protocol to send a packet to the update server
192.168.2.2 on destination port 80, the following occurs:
The VM sends a request packet with these attributes:
Source IP address: 192.168.1.2, the internal IP address of the VM
Source port: 24000, the ephemeral source port chosen by the VM's operating system
Destination address: 192.168.2.2, the update server's IP address
Destination port: 80, the destination port for HTTP traffic to the update server
Protocol: TCP
The pvt-nat-gw gateway performs source network address translation (SNAT or
source NAT) on egress, rewriting the request
packet's NAT source IP address and source port:
NAT source IP address: 10.1.2.2, from one of the VM's reserved NAT source
IP address and source port tuples
Source port: 34022, an unused source port from one of the VM's reserved
source port tuples
Destination address: 192.168.2.2, unchanged
Destination port: 80, unchanged
Protocol: TCP, unchanged
The update server sends a response packet that arrives on the
pvt-nat-gw gateway with these attributes:
Source IP address: 192.168.2.2, the update server's internal IP address
Source port: 80, the HTTP response from the update server
Destination address: 10.1.2.2, which matches the original NAT source IP address
of the request packet
Destination port: 34022, which matches the source port of the request packet
Protocol: TCP, unchanged
The pvt-nat-gw gateway performs destination network address translation
(DNAT) on the response packet, and rewrites the response packet's destination
address and destination port so that the packet is delivered to the VM that
requested the update with the following attributes:
Source IP address: 192.168.2.2, unchanged
Source port: 80, unchanged
Destination address: 192.168.1.2, the internal IP address of the VM
Destination port: 24000, matching the original ephemeral source port
of the request packet
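The SNAT and DNAT steps above, modelled as an added Python example; this is not Google Cloud's implementation. A gateway object reserves a block of 64 NAT source ports per VM from the PRIVATE_NAT subnet, translates an egress packet whose destination is reachable over the hybrid connection, and reverses the translation for the reply. The modelling assumptions are marked in the comments: the nexthop.is_hybrid match is approximated as "the destination lies in a dynamic route learned over Cloud Interconnect or Cloud VPN", the first NAT address is network+2 and the first port block starts at 34000 as in the diagram, the first free port of the block is used (so the request maps to 10.1.2.2:34000 rather than the 34022 used in the walkthrough), and a packet arriving for the NAT range with no matching state is dropped, which is ordinary stateful NAT behaviour that the page itself does not describe.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class PrivateNatGateway:
    """Stateful model of a Private NAT gateway with one nexthop.is_hybrid rule."""

    def __init__(self, nat_subnet, source_ranges, hybrid_routes,
                 ports_per_vm=64, first_port=34000):
        self.nat_subnet = ip_network(nat_subnet)                       # subnet of purpose PRIVATE_NAT
        self.source_ranges = [ip_network(r) for r in source_ranges]    # ranges the gateway applies to
        self.hybrid_routes = [ip_network(r) for r in hybrid_routes]    # routes learned over Interconnect/VPN
        self.ports_per_vm = ports_per_vm
        self.first_port = first_port
        # Assumption: first usable NAT address is network+2 (10.1.2.2 in the diagram)
        # and each VM gets the next unused block of ports_per_vm consecutive ports.
        self._nat_ips = [str(h) for h in self.nat_subnet.hosts()][1:]
        self._blocks = {}    # vm_ip -> (nat_ip, first port of its reserved block)
        self._next_block = 0
        self._flows = {}     # (vm_ip, vm_port, dst_ip, dst_port, proto) -> (nat_ip, nat_port)
        self._reverse = {}   # (nat_ip, nat_port, dst_ip, dst_port, proto) -> (vm_ip, vm_port)

    def _reserve_block(self, vm_ip):
        blocks_per_ip = (65536 - self.first_port) // self.ports_per_vm
        ip_index, block_index = divmod(self._next_block, blocks_per_ip)
        if ip_index >= len(self._nat_ips):
            raise RuntimeError("PRIVATE_NAT subnet exhausted: no NAT address left for " + vm_ip)
        self._next_block += 1
        block = (self._nat_ips[ip_index], self.first_port + block_index * self.ports_per_vm)
        self._blocks[vm_ip] = block
        return block

    def matches_rule(self, pkt):
        """Assumption: nexthop.is_hybrid holds when the destination is in a hybrid route."""
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        return (any(src in r for r in self.source_ranges)
                and any(dst in r for r in self.hybrid_routes))

    def snat(self, pkt):
        """Egress: rewrite the source to a reserved NAT tuple; None means not translated."""
        if not self.matches_rule(pkt):
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self._flows:
            nat_ip, first = self._blocks.get(pkt.src_ip) or self._reserve_block(pkt.src_ip)
            used = {p for (ip, p, *_rest) in self._reverse if ip == nat_ip}
            free = [p for p in range(first, first + self.ports_per_vm) if p not in used]
            if not free:
                return None   # all reserved tuples busy: port exhaustion, packet dropped
            self._flows[key] = (nat_ip, free[0])
            self._reverse[(nat_ip, free[0], pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
                pkt.src_ip, pkt.src_port)
        nat_ip, nat_port = self._flows[key]
        return replace(pkt, src_ip=nat_ip, src_port=nat_port)

    def dnat(self, reply):
        """Return traffic: restore the VM address; None when no state matches (unsolicited)."""
        key = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port, reply.proto)
        vm = self._reverse.get(key)
        if vm is None:
            return None
        return replace(reply, dst_ip=vm[0], dst_port=vm[1])


def demo_workflow():
    """Replays the vm-a to vm-b update download; returns (egress, delivered reply, dropped)."""
    gw = PrivateNatGateway("10.1.2.0/29", ["192.168.1.0/24"], ["192.168.2.0/24"])
    request = Packet("192.168.1.2", 24000, "192.168.2.2", 80)
    egress = gw.snat(request)
    reply = Packet("192.168.2.2", 80, egress.src_ip, egress.src_port)
    delivered = gw.dnat(reply)
    # Constructed unsolicited packet from on-premises to a NAT port with no state: dropped.
    unsolicited = gw.dnat(Packet("192.168.2.2", 9999, "10.1.2.2", 34001))
    return egress, delivered, unsolicited


if __name__ == "__main__":
    for p in demo_workflow():
        print(p)
```

Two behaviours worth noticing when running it: a VM that opens more than 64 concurrent flows to hybrid destinations gets no translation for the 65th (the model returns None, standing in for a dropped packet), and traffic to a destination that is not behind the hybrid next hop, such as another VPC subnet, is never translated at all.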
What's next
Set up Hybrid NAT: /nat/docs/set-up-private-nat
Learn about Cloud NAT product interactions: /nat/docs/nat-product-interactions
Learn about Cloud NAT addresses and ports: /nat/docs/ports-and-addresses
Learn about Cloud NAT rules: /nat/docs/nat-rules-overview
Troubleshoot common issues: /nat/docs/troubleshooting
Last updated 2025-08-29 UTC.