Hybrid NAT
Hybrid NAT, a type of Private NAT, lets you perform network address translation (NAT) between a Virtual Private Cloud (VPC) network and an on-premises network or another cloud provider's network. The non-Google Cloud network must be connected to your VPC network by using Google Cloud Network Connectivity products such as Cloud Interconnect or Cloud VPN.
Specifications
In addition to the general Private NAT specifications, Hybrid NAT has the following specifications:
Hybrid NAT lets a VPC network communicate with an on-premises network or another cloud provider's network even if the subnet IP address ranges of the networks overlap. By using a NAT configuration of type=PRIVATE, resources in both the overlapping and the non-overlapping subnets of the VPC network can connect to resources in the non-overlapping subnets of the non-Google Cloud network.
To enable Hybrid NAT, the non-Google Cloud network must advertise its dynamic routes so that your VPC network can learn and use them. Your Cloud Router learns these dynamic routes from Google Cloud Network Connectivity products such as Cloud Interconnect, HA VPN, or Classic VPN with dynamic routing configured. The destinations of these dynamic routes are IP address ranges outside of your VPC network.
Note: Only the non-overlapping subnet routes need to be advertised; overlapping subnet routes must not be advertised.
Similarly, for return traffic, your VPC network must advertise the Private NAT subnet route by using a Cloud Router, and this subnet route must not overlap with an existing subnet in any of the connected networks.
Hybrid NAT performs NAT on traffic originating from a VPC network to an on-premises network or another cloud provider's network. The networks must be connected by Cloud Interconnect or Cloud VPN.
Hybrid NAT supports existing Classic VPN tunnels only if dynamic routing is enabled.
You need to create a custom NAT rule with the match expression nexthop.is_hybrid. The NAT rule specifies a NAT IP address range from a subnet of purpose PRIVATE_NAT that the resources in your VPC network can use to communicate with other networks.
The Cloud Router on which you configure Hybrid NAT must be in the same region as the VPC network.
The Cloud Router on which you configure Hybrid NAT can't contain any other NAT configuration.
Basic Hybrid NAT configuration and workflow
The following diagram shows a basic Hybrid NAT configuration:
[Figure: Hybrid NAT translation example]
In this example, Hybrid NAT is set up as follows:
- The pvt-nat-gw gateway is configured in vpc-a to apply to all the IP address ranges of subnet-a in the us-east1 region.
- Cloud Router and the on-premises or other cloud provider router exchange the following subnet routes:
  - Cloud Router advertises 10.1.2.0/29 to the external router.
  - The external router advertises 192.168.2.0/24 to Cloud Router.
- By using the NAT IP address range of pvt-nat-gw, a virtual machine (VM) instance in subnet-a of vpc-a can send traffic to a VM in subnet-b of the on-premises network or other cloud provider network, even though subnet-a of vpc-a overlaps with another subnet in the non-Google Cloud network.
Example Hybrid NAT workflow
In the preceding diagram, vm-a with the internal IP address 192.168.1.2 in subnet-a of vpc-a needs to download an update from vm-b with the internal IP address 192.168.2.2 in subnet-b of an on-premises network or other cloud provider network. Cloud Interconnect connects your VPC network to the on-premises network or other cloud provider network. Assume that the non-Google Cloud network contains another subnet, 192.168.1.0/24, that overlaps with the subnet in vpc-a.
For subnet-a of vpc-a to communicate with subnet-b of the non-Google Cloud network, you need to configure a Private NAT gateway, pvt-nat-gw, in vpc-a as follows:
- Specify a Private NAT subnet of purpose PRIVATE_NAT, for example, 10.1.2.0/29. Create this subnet before configuring the Private NAT gateway. Ensure that this subnet does not overlap with an existing subnet in any of the connected networks.
- Create a NAT rule with match='nexthop.is_hybrid'.
- Configure the Private NAT gateway to apply to all IP address ranges of subnet-a.
Hybrid NAT follows the port reservation procedure to reserve NAT source IP address and source port tuples for each of the VMs in the network. For example, the Private NAT gateway reserves 64 source ports for vm-a: 10.1.2.2:34000 through 10.1.2.2:34063.
When the VM uses the TCP protocol to send a packet to the update server 192.168.2.2 on destination port 80, the following occurs:
1. The VM sends a request packet with these attributes:
   - Source IP address: 192.168.1.2, the internal IP address of the VM
   - Source port: 24000, the ephemeral source port chosen by the VM's operating system
   - Destination address: 192.168.2.2, the update server's IP address
   - Destination port: 80, the destination port for HTTP traffic to the update server
   - Protocol: TCP
2. The pvt-nat-gw gateway performs source network address translation (SNAT or source NAT) on egress, rewriting the request packet's source IP address and source port:
   - NAT source IP address: 10.1.2.2, from one of the VM's reserved NAT source IP address and source port tuples
   - Source port: 34022, an unused source port from one of the VM's reserved source port tuples
   - Destination address: 192.168.2.2, unchanged
   - Destination port: 80, unchanged
   - Protocol: TCP, unchanged
3. The update server sends a response packet that arrives on the pvt-nat-gw gateway with these attributes:
   - Source IP address: 192.168.2.2, the update server's internal IP address
   - Source port: 80, the HTTP response from the update server
   - Destination address: 10.1.2.2, which matches the NAT source IP address of the request packet
   - Destination port: 34022, which matches the NAT source port of the request packet
   - Protocol: TCP, unchanged
4. The pvt-nat-gw gateway performs destination network address translation (DNAT) on the response packet, rewriting the response packet's destination address and destination port so that the packet is delivered to the VM that requested the update, with the following attributes:
   - Source IP address: 192.168.2.2, unchanged
   - Source port: 80, unchanged
   - Destination address: 192.168.1.2, the internal IP address of the VM
   - Destination port: 24000, matching the original ephemeral source port of the request packet
   - Protocol: TCP, unchanged
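As an added worked example (not code from Google Cloud or from this page), the following Python model walks through the SNAT and DNAT steps above together with the gateway settings from the previous section: a PRIVATE_NAT subnet of 10.1.2.0/29 that is rejected if it overlaps a learned route, a 64-port reservation per VM, and translation only for sources in subnet-a whose next hop is a hybrid route. It assumes the gateway hands out the lowest unused reserved port, so the first flow gets 34000 rather than the 34022 used in the page's narrative; the class and helper names are invented here.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")  # toy 5-tuple

class HybridNatGateway:
    """Toy model of pvt-nat-gw; an assumption for illustration, not Google's code."""
    PORTS_PER_VM = 64  # reservation size used in the page's example

    def __init__(self, nat_subnet, applied_subnets, hybrid_routes):
        self.nat_subnet = ipaddress.ip_network(nat_subnet)  # PRIVATE_NAT subnet
        self.applied = [ipaddress.ip_network(s) for s in applied_subnets]
        self.hybrid = [ipaddress.ip_network(r) for r in hybrid_routes]
        for r in self.hybrid:  # the NAT subnet must not overlap any learned range
            if self.nat_subnet.overlaps(r):
                raise ValueError(f"PRIVATE_NAT subnet {nat_subnet} overlaps {r}")
        self.reservations = {}  # vm ip -> (nat ip, first reserved port)
        self.table = {}  # (nat ip, nat port, dst ip, dst port, proto) -> (vm ip, vm port)
        self.next_port = 34000

    def _reserve(self, vm_ip):
        """Reserve PORTS_PER_VM consecutive ports for a VM on first use."""
        if vm_ip not in self.reservations:
            nat_ip = str(list(self.nat_subnet.hosts())[1])  # 10.1.2.2, first usable address
            self.reservations[vm_ip] = (nat_ip, self.next_port)
            self.next_port += self.PORTS_PER_VM
        return self.reservations[vm_ip]

    def snat(self, pkt):
        """Egress: translate only when the source is in an applied subnet and
        the next hop is a hybrid route (the nexthop.is_hybrid match)."""
        src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
        if not any(src in s for s in self.applied) or not any(dst in r for r in self.hybrid):
            return pkt  # not subject to Hybrid NAT
        nat_ip, first = self._reserve(pkt.src_ip)
        for port in range(first, first + self.PORTS_PER_VM):  # lowest unused reserved port
            key = (nat_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if key not in self.table:
                self.table[key] = (pkt.src_ip, pkt.src_port)
                return Packet(nat_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        raise RuntimeError(f"reserved ports exhausted for {pkt.src_ip}")

    def dnat(self, pkt):
        """Return path: map (NAT ip, NAT port) back to the VM; unsolicited -> None."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.table:
            return None
        vm_ip, vm_port = self.table[key]
        return Packet(pkt.src_ip, pkt.src_port, vm_ip, vm_port, pkt.proto)
```

Because only the non-overlapping 192.168.2.0/24 route is learned, a packet from vm-a to the overlapping on-premises 192.168.1.0/24 is never translated, and a response to a reserved port that no VM opened is dropped rather than forwarded.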
Last updated 2025-08-19 UTC.