Best practice rules for GCP Cloud NAT
- Enable Cloud NAT for Private Subnets
Ensure that Cloud NAT is enabled for VPC private subnets.
- Enable Logging for Cloud NAT Gateways
Ensure that logging is enabled for Cloud NAT gateways.
- Implement Least Privilege Access for Cloud NAT Management
Ensure that IAM roles with administrative permissions are not used for Cloud NAT management.
- Limit NAT to Specific Subnets Only
Avoid misconfiguration by limiting Cloud NAT gateways to specific subnets only.
- Use Private Google Access with Cloud NAT
Ensure that Private Google Access is enabled for the VPC subnets associated with your Cloud NAT gateways.
- Use Reserved External IPs for Cloud NAT Gateways
Ensure that your Cloud NAT gateways are using reserved external IPs.