google_compute_router_nat cost estimation
Managed NAT gateway for private GKE/VMs reaching the internet. $0.044/hour per gateway + $0.045/GB processed. Significantly cheaper than AWS NAT Gateway, and outbound to Google services is free via Private Google Access.
Google Cloud NAT (Cloud NAT) is the managed NAT service for outbound internet from private resources. The google_compute_router_nat resource configures NAT on a Cloud Router. Pricing is per gateway-hour plus data processed.
Cloud NAT pricing:
- Gateway: $0.044/hour ($32.12/month always-on)
- Data processed: $0.045/GB
A typical workload with 1 TB/month outbound through Cloud NAT:
- Gateway: $32
- Data: 1000 × $0.045 = $45
- Total: ~$77/month
Compared to AWS NAT Gateway: AWS charges $0.045/hour + $0.045/GB. So gateway-hour is similar but AWS doesn't have Cloud NAT's per-VM scaling. Compared to Azure NAT Gateway: Azure is $0.045/hour + $0.045/GB — also similar.
Cloud NAT advantages:
- Auto-scales NAT IPs based on traffic; no manual allocation needed
- Per-VM port quota tunable; helps with high-connection workloads
- Free for outbound to Google services (Cloud Storage, BigQuery, etc.) via Private Google Access
- Region-wide, not per-AZ like AWS
Common cost surprises:
- GKE clusters routing all egress through Cloud NAT silently rack up data charges
- Container image pulls from Docker Hub/Quay through NAT are billed; pulling from Artifact Registry over Private Google Access is free
- Per-pod egress in GKE without VPC-native networking goes through NAT
C3X estimates Cloud NAT cost based on the google_compute_router_nat resource and the GB processed specified in c3x-usage.yml.
Terraform example
A minimal but realistic configuration that C3X can estimate.
```hcl
# google_compute_network.main is assumed to be defined elsewhere in the configuration.
resource "google_compute_router" "main" {
  name    = "prod-router"
  region  = "us-central1"
  network = google_compute_network.main.id
}

resource "google_compute_router_nat" "main" {
  name                               = "prod-nat"
  router                             = google_compute_router.main.name
  region                             = google_compute_router.main.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  # NAT logs are billed at Cloud Logging rates; ERRORS_ONLY keeps volume low.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```
Pricing dimensions
What you actually pay for when you provision google_compute_router_nat.
| Dimension | Unit | What's being charged |
|---|---|---|
| Gateway hours | per hour | Hourly cost of the NAT gateway itself, independent of traffic. $0.044/hour ($32.12/month) |
| Data processed | per GB | Outbound + inbound data processed by the NAT gateway. Inbound from internet (response traffic) also counts. $0.045/GB |
| Private Google Access | free | Outbound to Google services (GCS, BigQuery, Container Registry, etc.) routed via Private Google Access skips NAT data charges. Free |
| NAT logging | per GB | If enabled, NAT log entries go to Cloud Logging at standard rates ($0.50/GB ingested). $0.50/GB logged |
Optimization tips
Common ways to reduce google_compute_router_nat cost without changing the workload.
Enable Private Google Access
100% on Google-service egress
Routes traffic to Google services (Cloud Storage, BigQuery, Artifact Registry, etc.) over Google's backbone without NAT processing fees. Saves $0.045/GB for all Google-bound egress.
Use Artifact Registry over Docker Hub
100% on image pull traffic
GKE pulling images from Docker Hub through Cloud NAT bills data charges. Mirroring images to Artifact Registry and pulling over Private Google Access is free. Substantial savings for large container fleets.
Audit GKE NodePort traffic
GKE clusters with VPC-native networking route pod traffic through Cloud NAT for outbound. Audit which workloads need outbound — many GKE pods only talk to internal services and don't need NAT.
Configure per-VM port allocation
Default 64 ports per VM may exhaust under high-connection load (e.g., scraping services). Set min_ports_per_vm to higher values rather than scaling out the NAT.
Single NAT per region
Cloud NAT is region-wide, not zonal like AWS. One NAT per region serves all VMs in that region. Don't deploy multiple NATs per region; consolidate.
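The tips above combined in one configuration, as an added example that is not from the C3X documentation: Private Google Access on every subnet, a single regional NAT scoped to the one subnet that needs internet egress, and a raised per-VM port floor. Resource names, CIDR ranges and the `min_ports_per_vm` value are constructed for illustration.

```hcl
# Added example: names, CIDR ranges and the port count are constructed.
resource "google_compute_network" "main" {
  name                    = "prod-vpc"
  auto_create_subnetworks = false
}

# Subnet whose workloads need internet egress (external APIs, third-party registries).
resource "google_compute_subnetwork" "egress" {
  name                     = "prod-egress"
  region                   = "us-central1"
  network                  = google_compute_network.main.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # Google API traffic uses Private Google Access
}

# Subnet for workloads that only talk to internal services and Google APIs.
resource "google_compute_subnetwork" "internal" {
  name                     = "prod-internal"
  region                   = "us-central1"
  network                  = google_compute_network.main.id
  ip_cidr_range            = "10.10.16.0/20"
  private_ip_google_access = true
}

resource "google_compute_router" "main" {
  name    = "prod-router"
  region  = "us-central1"
  network = google_compute_network.main.id
}

# One NAT for the region, scoped to the egress subnet only.
resource "google_compute_router_nat" "main" {
  name                               = "prod-nat"
  router                             = google_compute_router.main.name
  region                             = google_compute_router.main.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  min_ports_per_vm                   = 256 # constructed value; size to connection load

  subnetwork {
    name                    = google_compute_subnetwork.egress.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

VMs in the `internal` subnet have no NAT path, so they generate no NAT data charges and have no route to the internet through this gateway.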
FAQ
How does Cloud NAT compare to AWS NAT Gateway?
Cloud NAT is roughly the same hourly rate ($0.044 vs $0.045) and same per-GB rate ($0.045). The main differences: Cloud NAT is region-wide, auto-scales NAT IPs based on load, and Private Google Access lets you skip NAT for Google services. AWS requires one NAT per AZ for HA, multiplying base cost by AZ count.
Do I need a NAT for GKE clusters?
If pods need outbound internet (Docker Hub pulls, calling external APIs, etc.), yes. Private clusters require Cloud NAT for outbound. Workloads talking only to internal services don't need NAT — use Private Service Connect or Internal Load Balancers.
Why is data processed billed for incoming traffic?
Response traffic returning from internet to your VMs flows through the NAT and is billed. So a workload doing 100 GB outbound API calls with 1 GB responses bills for 101 GB total. For most workloads, outbound dominates.
Can I avoid Cloud NAT entirely?
If VMs only access Google services, yes — use Private Google Access without NAT. For VMs needing internet, you need either Cloud NAT or a public IP per VM (more expensive at scale). For organizations with on-prem perimeter, Cloud VPN routing egress through on-prem also works.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including google_compute_router_nat.