Accessing Internet Without An External IP


Geoff Flarity

May 18, 2014, 4:28:05 PM
to gce-dis...@googlegroups.com
Hi,

How does one configure a GCE instance without an external IP to be able to reach the internet (outgoing)? Normally I'd create a gateway server with an external IP and then forward traffic through it using NAT. However, I can't find any documentation or howtos for setting up NAT inside a GCE network. All the regular howtos expect you to have multiple adapters, but you can't create additional adapters with GCE?

Thanks,
GF

Geoff Flarity

May 18, 2014, 4:35:21 PM
to gce-dis...@googlegroups.com
From the docs:

"Currently, any packets sent to the Internet must be sent by an instance that has an external IP address. If you create a route that sends packets to the Internet from a particular instance, that instance must also have an external IP. If you create a route that sends packets to the Internet gateway, but the source instance doesn't have an external IP address, the packet will be dropped."

It seems a bit silly to give every VM an ephemeral IP just so that one can run an occasional wget or apt-get install from inside the VM...

Anthony Voellm

May 18, 2014, 8:32:28 PM
to Geoff Flarity, gce-dis...@googlegroups.com

For NATs look at a feature called advanced routing.


Geoff Flarity

May 19, 2014, 4:51:03 PM
to gce-dis...@googlegroups.com, Geoff Flarity
I see Advanced Networking in the docs, nothing on Advanced Routing. I was hoping for something resembling the squid example for setting up a gateway.

My best guess is that I need to set up iptables/NAT to work over a single NIC on the gateway server, then set the other hosts to use it. However, I'd like to know if this would even work before I try. Or better yet, that there's an easier way if you play around with routes.

Thanks,
GF

Anthony Voellm

May 19, 2014, 4:53:15 PM
to Geoff Flarity, gce-dis...@googlegroups.com

Geoff Flarity

May 19, 2014, 7:05:26 PM
to gce-dis...@googlegroups.com, Geoff Flarity
Thanks. I get that and how to set up a route to forward packets to the host that is 'canforward' enabled. Any thoughts on how to set up the iptables on the host to do the forwarding given there's only a single NIC? An know of the howtos seemed right.

This all seems a bit difficult for something I'd expect to be *very* common. Perhaps everyone is just using ephemeral IPs and then using firewall rules to block all external originating traffic? Just seems like a waste of an IP.

GF

Vigith Maurice

Jun 5, 2014, 2:23:42 PM
to gce-dis...@googlegroups.com, geoff....@gmail.com
This is what I did to make a private node route 0.0.0.0/0 via NAT (I am quite new to GCE so I could have done something wrong too :-)

I was able to make a curl request to an external url from the private node.

## create an instance with public ip

# inst - 1

gcutil addinstance nat1-ops --machine_type=f1-micro --image=centos-6 --zone us-central1-a --can_ip_forward=true --auto_delete_boot_disk

## create another instance with no public ip

gcutil addinstance priv1-ops --machine_type=f1-micro --image=centos-6 --zone us-central1-a --external_ip_address=none --auto_delete_boot_disk

# set tag on private node (for routing) [could have combined with earlier step, but I didn't think about it, was planning to do `route add` which didn't work]

gcutil setinstancetags priv1-ops --tags=private --fingerprint=42WmSpB8rSM=

# create route entry

gcutil addroute via-nat 0.0.0.0/0 --next_hop_instance=https://www.googleapis.com/compute/v1/projects/<YOUR_PROJECT_ID>/zones/<YOUR_ZONE>/instances/nat1-ops --tags private

Now login to private node and try curl, yum install etc. Please let me know if any of my steps are wrong :)

Vigith Maurice

Jun 5, 2014, 3:38:26 PM
to gce-dis...@googlegroups.com, geoff....@gmail.com
You will also need to set ip_forward and also add an iptables entry on the NAT box.

[vigith@nat1-ops ~]$ cat /proc/sys/net/ipv4/ip_forward
0
[vigith@nat1-ops ~]$ echo 1 | sudo tee !$
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
1
[vigith@nat1-ops ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.240.0.0/16 -j MASQUERADE
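The two posts above together describe the host side of the single-NIC NAT gateway (ip_forward plus a MASQUERADE rule). The script below is an added example, not code from the thread or from Google: it makes the forwarding setting survive a reboot, applies the MASQUERADE rule only once, and restricts the FORWARD chain so the gateway only relays traffic that originates on the internal network. It assumes the internal range 10.240.0.0/16 and NIC eth0 from the post, and the sysctl drop-in path is a choice of this example.

```bash
#!/bin/sh
# Added example (not from the thread): turn a single-NIC GCE instance into a
# NAT gateway for instances without an external IP. Assumptions: internal
# network 10.240.0.0/16, NIC eth0, persistence via /etc/sysctl.d/99-nat.conf.
set -eu

INTERNAL_NET="${INTERNAL_NET:-10.240.0.0/16}"
NIC="${NIC:-eth0}"
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-nat.conf}"

# Rules are produced as text first so they can be reviewed before being applied.
masquerade_rule() {   # $1 = internal net, $2 = outbound NIC
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$2" "$1"
}

# Only relay packets that come from the internal net, plus the replies to them;
# everything else hitting the FORWARD chain is dropped.
forward_rules() {     # $1 = internal net, $2 = NIC
  printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$2" "$1"
  printf 'iptables -A FORWARD -o %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$2" "$1"
  printf 'iptables -P FORWARD DROP\n'
}

# Returns 0 when the given ip_forward file (normally /proc/sys/net/ipv4/ip_forward) reads 1.
ip_forward_enabled() {
  [ "$(cat "$1")" = "1" ]
}

apply() {
  # Enable forwarding now and persistently; writing /proc alone is lost on reboot.
  sysctl -w net.ipv4.ip_forward=1
  printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_FILE"
  # -C checks for an existing rule so re-running does not append a duplicate.
  iptables -t nat -C POSTROUTING -o "$NIC" -s "$INTERNAL_NET" -j MASQUERADE 2>/dev/null \
    || masquerade_rule "$INTERNAL_NET" "$NIC" | sh
  forward_rules "$INTERNAL_NET" "$NIC" | sh
}

# Usage: "./nat-gw.sh apply" as root on the NAT instance; with no argument it
# only prints the rules it would install.
if [ "${1:-}" = "apply" ]; then
  apply
else
  masquerade_rule "$INTERNAL_NET" "$NIC"
  forward_rules "$INTERNAL_NET" "$NIC"
fi
```

The route created with `gcutil addroute` in the earlier post is still required: it sends tagged instances' default traffic to this gateway, and this script only makes the gateway relay it.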