Building High Availability and High Bandwidth NAT Gateways
This lab will show you how to set up multiple NAT (Network Address Translation) gateways with Equal Cost Multi-Path (ECMP) routing and autohealing enabled for a more resilient and high-bandwidth deployment.
Google Cloud Platform (GCP) uses RFC 1918 private IP addresses for virtual machines (VMs). If these VMs need access to resources on the public internet, Network Address Translation (NAT) is required. A single NAT gateway architecture is sufficient for simple scenarios. However, higher throughput or higher availability requires a more resilient architecture.
- Reserve three public IPs for use by the NAT gateways.
- Create Compute Engine instances and associate reserved IPs with them.
- Create health checks and instance groups to enable automatic failure recovery.
- Create routing rules to distribute traffic from guest VMs to NAT gateways.
- Tag instances for no-IP.
- Review a sample Debian config.
When multiple routes have the same priority, GCP uses ECMP routing to distribute traffic among them. For this lab you'll create several NAT gateways that each receive part of the traffic through ECMP. The NAT gateways then forward the traffic to external hosts using their public IP addresses. The following diagram shows this configuration:
For higher resiliency, you place each gateway in a separate managed instance group with a single instance and attach a simple health check to ensure they'll automatically restart if they fail. The gateways are in separate instance groups so they'll have a static external IP attached to the instance template. In this lab you'll provision three n1-standard-2 NAT gateways, but you can use any number or size of gateway. For example, n1-standard-2 instances are capped at 4 Gbps of network traffic; if you need more, you might choose
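The ECMP distribution described above only happens when every NAT route ties at the same priority, so a single mistyped priority silently removes a gateway from the pool. The following added example (not part of the original lab) audits route data shaped like the output of `gcloud compute routes list --format=json`. The project, zone, route names, instance names and the `no-ip` tag value are constructed assumptions, and route selection is simplified to exact matches on the 0.0.0.0/0 destination.

```python
# Constructed sample shaped like `gcloud compute routes list --format=json`.
# Project, zone, route names, instance names and the "no-ip" tag are assumptions.
NET = "projects/example-project/global/networks/default"
INST = "projects/example-project/zones/us-central1-a/instances/"
DEFAULT = "0.0.0.0/0"
SAMPLE_ROUTES = [
    {"name": "default-internet", "network": NET, "destRange": DEFAULT,
     "priority": 1000, "nextHopGateway": "default-internet-gateway"},
    {"name": "natroute1", "network": NET, "destRange": DEFAULT,
     "priority": 800, "tags": ["no-ip"], "nextHopInstance": INST + "nat-1"},
    {"name": "natroute2", "network": NET, "destRange": DEFAULT,
     "priority": 800, "tags": ["no-ip"], "nextHopInstance": INST + "nat-2"},
    # Deliberately wrong: 900 never ties with 800, so nat-3 gets no traffic.
    {"name": "natroute3", "network": NET, "destRange": DEFAULT,
     "priority": 900, "tags": ["no-ip"], "nextHopInstance": INST + "nat-3"},
]

def next_hop(route):
    """Short name of whatever the route forwards to."""
    for key in ("nextHopInstance", "nextHopGateway", "nextHopIp", "nextHopIlb"):
        if key in route:
            return route[key].rsplit("/", 1)[-1]
    return "unknown"

def egress_paths(routes, network, vm_tags):
    """Split a VM's default-route candidates into (active, shadowed)."""
    # A route applies if it is untagged or shares a tag with the VM. The lowest
    # priority number wins; routes tied at that number form the ECMP set.
    cands = [r for r in routes
             if r["network"].rsplit("/", 1)[-1] == network
             and r["destRange"] == DEFAULT
             and (not r.get("tags") or set(r["tags"]) & set(vm_tags))]
    best = min((r["priority"] for r in cands), default=None)
    return ([r for r in cands if r["priority"] == best],
            [r for r in cands if r["priority"] != best])

def audit(routes, network, vm_tags, expected_gateways):
    """Return (ECMP next hops, findings) for VMs carrying vm_tags."""
    active, shadowed = egress_paths(routes, network, vm_tags)
    hops = sorted({next_hop(r) for r in active})
    findings = []
    if len(hops) != expected_gateways:
        findings.append(f"{len(hops)} of {expected_gateways} gateways share traffic")
    findings += [f"{r['name']} (priority {r['priority']}) is shadowed"
                 for r in shadowed if "nextHopInstance" in r]
    return hops, findings

if __name__ == "__main__":
    print(audit(SAMPLE_ROUTES, "default", ["no-ip"], expected_gateways=3))
```

With the sample data, only nat-1 and nat-2 carry traffic for VMs tagged `no-ip`; setting natroute3 to priority 800 restores the three-way ECMP set and clears both findings.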
Setup and Requirements
What you'll need
To complete this lab, you'll need:
- Access to a standard internet browser (Chrome browser recommended).
- Time. Note the lab's Completion time in Qwiklabs, which is an estimate of the time it should take to complete all steps. Plan your schedule so you have time to complete the lab. Once you start the lab, you will not be able to pause and return later (you begin at step 1 every time you start a lab).
- You do NOT need a Google Cloud Platform account or project. An account, project and associated resources are provided to you as part of this lab.
- If you already have your own GCP account, make sure you do not use it for this lab.
- If your lab prompts you to log into the console, use only the student account provided to you by the lab. This prevents you from incurring charges for lab activities in your personal GCP account.
Start your lab
When you are ready, click Start Lab. You can track your lab's progress with the status bar at the top of your screen.
Find Your Lab's GCP Username and Password
To access the resources and console for this lab, locate the Connection Details panel in Qwiklabs. Here you will find the account ID and password for the account you will use to log in to the Google Cloud Platform:
If your lab provides other resource identifiers or connection-related information, it will appear on this panel as well.
Log in to Google Cloud Console
Using the Qwiklabs browser tab/window (preferably in Incognito mode) or the separate browser you are using for the Qwiklabs session, copy the Username from the Connection Details panel and click the orange "Open Google Console" button. Paste in the Username, and then the Password as prompted:
Accept the terms and conditions.
Since this is a temporary account, which you will only have access to for this one lab:
- Do not add recovery options
- Do not sign up for free trials
The Google Cloud Shell
Activate Google Cloud Shell
From the GCP Console click the Cloud Shell icon on the top right toolbar:
Then click "Start Cloud Shell":
It should only take a few moments to provision and connect to the environment:
This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on the Google Cloud, greatly enhancing network performance and authentication. Much, if not all, of your work in this lab can be done with simply a browser or your Google Chromebook.
Once connected to the cloud shell, you should see that you are already authenticated and that the project is already set to your PROJECT_ID:
gcloud auth list
Credentialed accounts:
 - <myaccount>@<mydomain>.com (active)
gcloud config list project
[core]
project = <PROJECT_ID>
If it is not, you can set it with this command:
gcloud config set project <PROJECT_ID>
Updated property [core/project].