.TH "GCLOUD_COMPUTE_ROUTERS_NATS_RULES_CREATE" 1



.SH "NAME"
.HP
gcloud compute routers nats rules create \- add a Rule to a Compute Engine NAT



.SH "SYNOPSIS"
.HP
\f5gcloud compute routers nats rules create\fR \fIRULE_NUMBER\fR \fB\-\-match\fR=\fIMATCH\fR \fB\-\-nat\fR=\fINAT\fR \fB\-\-router\fR=\fIROUTER\fR [\fB\-\-async\fR] [\fB\-\-region\fR=\fIREGION\fR] [\fB\-\-source\-nat\-active\-ips\fR=\fIIP_ADDRESS\fR,[\fIIP_ADDRESS\fR,...]] [\fB\-\-source\-nat\-active\-ranges\fR=\fISUBNETWORK\fR,[\fISUBNETWORK\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fBgcloud compute routers nats rules create\fR is used to create a Rule on a
Compute Engine NAT.



.SH "EXAMPLES"

Create a rule to use the IP Address address\-1 to talk to destination IPs in the
CIDR Range "203.0.113.0/24".

.RS 2m
$ gcloud compute routers nats rules create 1 \-\-nat=my\-nat \e
    \-\-router=my\-router \-\-region=us\-central1 \e
    \-\-match='inIpRange(destination.ip, "203.0.113.0/24")' \e
    \-\-source\-nat\-active\-ips=address\-1
.RE



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIRULE_NUMBER\fR

Number that uniquely identifies the Rule to create


.RE
.sp

.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-match\fR=\fIMATCH\fR

CEL Expression used to identify traffic to which this rule applies.

.RS 2m
.IP "\(em" 2m
Supported attributes (Public NAT): destination.ip
.IP "\(em" 2m
Supported attributes (Private NAT): nexthop.hub
.IP "\(em" 2m
Supported methods (Public NAT): inIpRange
.IP "\(em" 2m
Supported operators (Public NAT): ||, ==
.IP "\(em" 2m
Supported operators (Private NAT): ==
.RE
.sp

Examples of allowed Match expressions (Public NAT):
.RS 2m
.IP "\(em" 2m
\'inIpRange(destination.ip, "203.0.113.0/24")'
.IP "\(em" 2m
\'destination.ip == "203.0.113.7"'
.IP "\(em" 2m
\'destination.ip == "203.0.113.7" || inIpRange(destination.ip,
"203.0.113.16/25")'
.RE
.sp

Example of allowed Match expression (Private NAT):
.RS 2m
.IP "\(em" 2m
nexthop.hub ==
"//networkconnectivity.googleapis.com/projects/p1/locations/global/hubs/h1"
.RE
.sp

.TP 2m
\fB\-\-nat\fR=\fINAT\fR

Name of the NAT that contains the Rule

.TP 2m
\fB\-\-router\fR=\fIROUTER\fR

Router to use for NAT.


.RE
.sp
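
The following is an added example, not part of the gcloud documentation or tooling: a local pre\-flight lint for Public NAT \-\-match expressions, built only from the attribute, method and operators listed above. The function name and the note about CIDR host bits are assumptions of this example and do not describe how the Compute Engine API itself validates a rule.

```python
import ipaddress
import re

# One term of a Public NAT match expression, per the --match description:
# attribute destination.ip, method inIpRange, operator ==.
_TERM = re.compile(
    r'\s*(?:inIpRange\(\s*destination\.ip\s*,\s*"(?P<cidr>[^"]*)"\s*\)'
    r'|destination\.ip\s*==\s*"(?P<ip>[^"]*)")\s*$'
)


def lint_public_nat_match(expr):
    """Return (errors, notes) for a Public NAT --match expression."""
    errors, notes = [], []
    # Terms are joined with ||; valid quoted IPs and CIDRs never contain '|'.
    for term in expr.split("||"):
        m = _TERM.match(term)
        if m is None:
            errors.append("unsupported term: %r" % term.strip())
            continue
        cidr, ip = m.group("cidr"), m.group("ip")
        try:
            if cidr is not None:
                net = ipaddress.ip_network(cidr, strict=False)
                # Host bits set: the range is wider than the literal suggests.
                if str(net) != cidr:
                    notes.append("%s covers network %s" % (cidr, net))
            else:
                ipaddress.ip_address(ip)
        except ValueError as exc:
            errors.append("bad address in %r: %s" % (term.strip(), exc))
    return errors, notes


if __name__ == "__main__":
    # Constructed sample inputs: two from the examples above, two rejected.
    samples = [
        'inIpRange(destination.ip, "203.0.113.0/24")',
        'destination.ip == "203.0.113.7" || '
        'inIpRange(destination.ip, "203.0.113.16/25")',
        'destination.ip != "203.0.113.7"',
        'nexthop.hub == "//networkconnectivity.googleapis.com/'
        'projects/p1/locations/global/hubs/h1"',
    ]
    for s in samples:
        print(s, "->", lint_public_nat_match(s))
```
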

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-async\fR

Return immediately, without waiting for the operation in progress to complete.

.TP 2m
\fB\-\-region\fR=\fIREGION\fR

Region of the NAT to create. If not specified, you might be prompted to select a
region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the
\f5\fIcompute/region\fR\fR property:

.RS 2m
$ gcloud config set compute/region REGION
.RE

A list of regions can be fetched by running:

.RS 2m
$ gcloud compute regions list
.RE

To unset the property, run:

.RS 2m
$ gcloud config unset compute/region
.RE

Alternatively, the region can be stored in the environment variable
\f5\fICLOUDSDK_COMPUTE_REGION\fR\fR.

.TP 2m
\fB\-\-source\-nat\-active\-ips\fR=\fIIP_ADDRESS\fR,[\fIIP_ADDRESS\fR,...]

External IP Addresses to use for connections matching this rule. This flag is
supported only for Public NAT and is required when creating a Public NAT
gateway.

These must be valid reserved external IP addresses in the same region.

.TP 2m
\fB\-\-source\-nat\-active\-ranges\fR=\fISUBNETWORK\fR,[\fISUBNETWORK\fR,...]

Subnetworks from which addresses are used for connections matching this rule.
This flag is supported only for Private NAT and is required when creating a
Private NAT gateway.

These must be subnetwork resources in the same region, with purpose set to
PRIVATE_NAT.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

These variants are also available:

.RS 2m
$ gcloud alpha compute routers nats rules create
.RE

.RS 2m
$ gcloud beta compute routers nats rules create
.RE