This repository has been archived by the owner on Mar 29, 2023. It is now read-only.

Why are we adding public subnet to the Router NAT #52

Closed
syedrakib opened this issue Mar 28, 2020 · 12 comments · Fixed by #53

Comments

@syedrakib

syedrakib commented Mar 28, 2020

We use NAT for the private instances to reach out to the internet.

Referring to Lines 68-74, the comment says "Manually define the subnetworks ... exclude the public subnetwork".

However, in the subnetwork block it is then selecting vpc_subnetwork_public. Shouldn't it be selecting the vpc_subnetwork_private instead so that we can allow the private subnet to use the NAT?

@itsmunim

itsmunim commented Mar 29, 2020

@syedrakib this is what I think-

  1. The NAT is there for you to be able to connect to your VPC from any services you might have on premise or any public IP you expose from your public subnet. The NAT defined here is to limit the range of public IPs that can be allocated from your VPC. Because, as per design, the public subnet and private subnet are both anyhow just subnets; to differentiate the public subnet as public and limit the public IP ranges to be allocated only from that subnet, the NAT has been used.

  2. That's a typo. It will actually be private subnetwork not public around those lines.

@syedrakib
Author

syedrakib commented Mar 29, 2020

The google_compute_router_nat resource in Terraform creates a Cloud NAT on GCP. Cloud NATs are used for outbound connections from the VPC to the world - not for inbound - irrespective of whether there are on-premise machines or not. Cloud NATs are meant to allow a VPC's VM instances without external IPs (which would usually reside in the private subnet of the VPC) to communicate with the public internet to download software/OS updates & patches.

@syedrakib
Author

syedrakib commented Mar 29, 2020

You are right that there is a typo here between the comment and the code. After playing around with the TF resource and observing its changes in GCP, I realised that the typo is actually in the code and not in the comment.

The value for subnetwork:name should be vpc_subnetwork_private.self_link (instead of vpc_subnetwork_public.self_link) as private subnets would generally have instances without ExternalIPs and those are the ones that we want to be able to fetch updates from the internet through the CloudNAT.

I was still hoping there could be a confirmation from the author of this file as to whether the typo is in the code or in the comment, because, for a newcomer, the comment/code is misleading.

@itsmunim

> The google_compute_router_nat resource in Terraform creates a CloudNAT on GCP. CloudNATs are used for outbound connection from VPC to the world - not for inbound - irrespective of there are on-premise machines or not. CloudNATs are meant to allow a VPC's VM instances without ExternalIPs (which would usually reside in the private subnet of the VPC) to communicate with the public internet to download software/os updates & patches.

You are right. Just checked. I was referring to the normal definition of NATs. In that case, it will only make sense if they add the private subnet while creating the NAT.

@Bluesboy

I applied this configuration with private instead of public and my nodes can't connect to internet anymore.

@robmorgan
Contributor

@onsails

onsails commented Jul 21, 2020

Same for me. I am using v0.4.0.

```hcl
module "gke-cluster" {
  ...
  subnetwork           = module.vpc_network.public_subnetwork
  enable_private_nodes = "true"
}
```

@snyman

snyman commented Aug 4, 2020

I believe the change made in PR #53 was an error. The documentation states:

A VPC network defines two subnetworks instances can reside in;

  • public - instances are able to communicate over the public internet through Cloud NAT if an external IP was not provided
  • private - instances are exclusively able to communicate within your network or with private Google services if an external IP was not provided

This means that the NAT should be on for the public subnet, and not for the private subnet, as it was originally.

@robmorgan
Contributor

After re-reading this issue and the docs I'm also under the impression that the changes in #53 were incorrect and I'm going to revert them in the next release.
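As an added example (not the module's code and not from any commenter), this is the arrangement the documentation quoted above describes: the Cloud NAT is scoped to the public subnetwork only, and the private subnetwork is deliberately left off the list, so its instances without external IPs have no path to the public internet. Resource names, the region and the CIDRs are assumptions for illustration.

```hcl
# Added illustration, not the terraform-google-network module's own code.
# Names, region and CIDR ranges are assumed values.

resource "google_compute_network" "vpc" {
  name                    = "example-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "vpc_subnetwork_public" {
  name                     = "example-public"
  ip_cidr_range            = "10.0.0.0/20"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.self_link
  private_ip_google_access = true
}

resource "google_compute_subnetwork" "vpc_subnetwork_private" {
  name                     = "example-private"
  ip_cidr_range            = "10.0.16.0/20"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.self_link
  # Private Google APIs stay reachable without NAT or an external IP.
  private_ip_google_access = true
}

resource "google_compute_router" "router" {
  name    = "example-router"
  region  = "us-central1"
  network = google_compute_network.vpc.self_link
}

resource "google_compute_router_nat" "nat" {
  name   = "example-nat"
  router = google_compute_router.router.name
  region = google_compute_router.router.region

  nat_ip_allocate_option = "AUTO_ONLY"

  # Use an explicit list rather than ALL_SUBNETWORKS_ALL_IP_RANGES so the
  # private subnetwork is excluded: only instances in the public subnetwork
  # that lack an external IP are translated. Instances that do have an
  # external IP never traverse Cloud NAT regardless of this setting.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  subnetwork {
    name                    = google_compute_subnetwork.vpc_subnetwork_public.self_link
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }
}
```

Swapping the subnetwork block to vpc_subnetwork_private is exactly the change #53 made, and it is why private GKE nodes placed in the public subnetwork (as in the gke-cluster snippet above) lost internet access.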

@Jojoooo1

Jojoooo1 commented Nov 3, 2020

Any news on that?

robmorgan added a commit that referenced this issue Nov 12, 2020
@robmorgan
Contributor

I've reverted the change. It's pending approval in #57

robmorgan added a commit that referenced this issue Nov 16, 2020
@robmorgan
Contributor

Released in https://github.com/gruntwork-io/terraform-google-network/releases/tag/v0.5.0
