diff --git a/blueprints/networking/filtering-proxy-psc/main.tf b/blueprints/networking/filtering-proxy-psc/main.tf
index ddb3ff59e2..f51d49418f 100644
--- a/blueprints/networking/filtering-proxy-psc/main.tf
+++ b/blueprints/networking/filtering-proxy-psc/main.tf
@@ -79,8 +79,12 @@ module "nat" {
name = "default"
router_network = module.vpc.name
config_source_subnets = "LIST_OF_SUBNETWORKS"
- # 64512/11 = 5864 . 11 is the number of usable IPs in the proxy subnet
- config_min_ports_per_vm = 5864
+ config_port_allocation = {
+ enable_endpoint_independent_mapping = false
+ enable_dynamic_port_allocation = true
+ # 64512/11 = 5864 . 11 is the number of usable IPs in the proxy subnet
+ min_ports_per_vm = 5864
+ }
subnetworks = [
{
self_link = module.vpc.subnet_self_links["${var.region}/proxy"]
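Review bot: `min_ports_per_vm = 5864` is unlikely to apply once `enable_dynamic_port_allocation = true`: Cloud NAT requires both the minimum and maximum ports per VM to be powers of two when dynamic port allocation is on, so this should become `min_ports_per_vm = 4096` (or 8192 if each proxy VM must be guaranteed more than 5864 ports) and the `64512/11` comment should be rewritten to state that constraint. That arithmetic also describes the old static split of the address pool; under dynamic allocation the value is only a floor and the ceiling is `max_ports_per_vm`, which this block leaves at the module default and should probably set explicitly so one busy proxy VM cannot grow into the ports the other proxies need. The `module "nat"` block continues outside the hunk.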
diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/filtering-proxy/main.tf
index a8c4d736b0..9851d8e9ad 100644
--- a/blueprints/networking/filtering-proxy/main.tf
+++ b/blueprints/networking/filtering-proxy/main.tf
@@ -98,7 +98,11 @@ module "nat" {
router_network = module.vpc.name
config_source_subnets = "LIST_OF_SUBNETWORKS"
# 64512/11 = 5864 . 11 is the number of usable IPs in the proxy subnet
- config_min_ports_per_vm = 5864
+ config_port_allocation = {
+ enable_dynamic_port_allocation = true
+ enable_endpoint_independent_mapping = false
+ min_ports_per_vm = 5864
+ }
subnetworks = [
{
self_link = module.vpc.subnet_self_links["${var.region}/proxy"]
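Review bot: The context comment `# 64512/11 = 5864` above the new block now justifies a value that the new mode will most likely reject, since Cloud NAT only accepts power-of-two port counts when `enable_dynamic_port_allocation = true`; round it to `min_ports_per_vm = 4096` and change the comment to `# power of two required with dynamic port allocation; floor per proxy VM`. Consider also setting `max_ports_per_vm` here rather than inheriting the module default, because with dynamic allocation that ceiling is what bounds how many ports a single proxy VM can take from the shared pool. The `module "nat"` block continues outside the hunk.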
diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index 435ef7f3da..f186b58b18 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -20,19 +20,19 @@ module "nat" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L57) | Name of the Cloud NAT resource. | string
| ✓ | |
-| [project_id](variables.tf#L62) | Project where resources will be created. | string
| ✓ | |
-| [region](variables.tf#L67) | Region where resources will be created. | string
| ✓ | |
+| [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | object({…}
| ✓ | |
+| [name](variables.tf#L73) | Name of the Cloud NAT resource. | string
| ✓ | |
+| [project_id](variables.tf#L78) | Project where resources will be created. | string
| ✓ | |
+| [region](variables.tf#L83) | Region where resources will be created. | string
| ✓ | |
| [addresses](variables.tf#L17) | Optional list of external address self links. | list(string)
| | []
|
-| [config_min_ports_per_vm](variables.tf#L23) | Minimum number of ports allocated to a VM from this NAT config. | number
| | 64
|
-| [config_source_subnets](variables.tf#L29) | Subnetwork configuration (ALL_SUBNETWORKS_ALL_IP_RANGES, ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, LIST_OF_SUBNETWORKS). | string
| | "ALL_SUBNETWORKS_ALL_IP_RANGES"
|
-| [config_timeouts](variables.tf#L35) | Timeout configurations. | object({…})
| | {…}
|
-| [logging_filter](variables.tf#L51) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string
| | null
|
-| [router_asn](variables.tf#L72) | Router ASN used for auto-created router. | number
| | 64514
|
-| [router_create](variables.tf#L78) | Create router. | bool
| | true
|
-| [router_name](variables.tf#L84) | Router name, leave blank if router will be created to use auto generated name. | string
| | null
|
-| [router_network](variables.tf#L90) | Name of the VPC used for auto-created router. | string
| | null
|
-| [subnetworks](variables.tf#L96) | Subnetworks to NAT, only used when config_source_subnets equals LIST_OF_SUBNETWORKS. | list(object({…}))
| | []
|
+| [config_source_subnets](variables.tf#L45) | Subnetwork configuration (ALL_SUBNETWORKS_ALL_IP_RANGES, ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, LIST_OF_SUBNETWORKS). | string
| | "ALL_SUBNETWORKS_ALL_IP_RANGES"
|
+| [config_timeouts](variables.tf#L51) | Timeout configurations. | object({…})
| | {…}
|
+| [logging_filter](variables.tf#L67) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string
| | null
|
+| [router_asn](variables.tf#L88) | Router ASN used for auto-created router. | number
| | 64514
|
+| [router_create](variables.tf#L94) | Create router. | bool
| | true
|
+| [router_name](variables.tf#L100) | Router name, leave blank if router will be created to use auto generated name. | string
| | null
|
+| [router_network](variables.tf#L106) | Name of the VPC used for auto-created router. | string
| | null
|
+| [subnetworks](variables.tf#L112) | Subnetworks to NAT, only used when config_source_subnets equals LIST_OF_SUBNETWORKS. | list(object({…}))
| | []
|
## Outputs
diff --git a/modules/net-cloudnat/main.tf b/modules/net-cloudnat/main.tf
index a7ef226018..63209d0562 100644
--- a/modules/net-cloudnat/main.tf
+++ b/modules/net-cloudnat/main.tf
@@ -34,18 +34,21 @@ resource "google_compute_router" "router" {
}
resource "google_compute_router_nat" "nat" {
- project = var.project_id
- region = var.region
- name = var.name
- router = local.router_name
- nat_ips = var.addresses
- nat_ip_allocate_option = length(var.addresses) > 0 ? "MANUAL_ONLY" : "AUTO_ONLY"
- source_subnetwork_ip_ranges_to_nat = var.config_source_subnets
- min_ports_per_vm = var.config_min_ports_per_vm
- icmp_idle_timeout_sec = var.config_timeouts.icmp
- udp_idle_timeout_sec = var.config_timeouts.udp
- tcp_established_idle_timeout_sec = var.config_timeouts.tcp_established
- tcp_transitory_idle_timeout_sec = var.config_timeouts.tcp_transitory
+ project = var.project_id
+ region = var.region
+ name = var.name
+ router = local.router_name
+ nat_ips = var.addresses
+ nat_ip_allocate_option = length(var.addresses) > 0 ? "MANUAL_ONLY" : "AUTO_ONLY"
+ source_subnetwork_ip_ranges_to_nat = var.config_source_subnets
+ icmp_idle_timeout_sec = var.config_timeouts.icmp
+ udp_idle_timeout_sec = var.config_timeouts.udp
+ tcp_established_idle_timeout_sec = var.config_timeouts.tcp_established
+ tcp_transitory_idle_timeout_sec = var.config_timeouts.tcp_transitory
+ enable_endpoint_independent_mapping = var.config_port_allocation.enable_endpoint_independent_mapping
+ enable_dynamic_port_allocation = var.config_port_allocation.enable_dynamic_port_allocation
+ min_ports_per_vm = var.config_port_allocation.min_ports_per_vm
+ max_ports_per_vm = var.config_port_allocation.max_ports_per_vm
log_config {
enable = var.logging_filter == null ? false : true
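Review bot: `max_ports_per_vm` is now always sent to the API, but the Cloud NAT API only accepts maxPortsPerVm when dynamic port allocation is enabled, so the module's own defaults (`enable_dynamic_port_allocation = false` with `max_ports_per_vm = 65536`) would likely break every existing caller's apply; guard it with `max_ports_per_vm = var.config_port_allocation.enable_dynamic_port_allocation ? var.config_port_allocation.max_ports_per_vm : null`. No such guard is needed for `min_ports_per_vm`, which remains the fixed per-VM allocation when dynamic allocation is off. The `google_compute_router_nat` resource continues past the hunk (the `log_config` block is cut).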
diff --git a/modules/net-cloudnat/variables.tf b/modules/net-cloudnat/variables.tf
index fcf79944ef..97b03b27cc 100644
--- a/modules/net-cloudnat/variables.tf
+++ b/modules/net-cloudnat/variables.tf
@@ -20,10 +20,26 @@ variable "addresses" {
default = []
}
-variable "config_min_ports_per_vm" {
- description = "Minimum number of ports allocated to a VM from this NAT config."
- type = number
- default = 64
+variable "config_port_allocation" {
+ description = "Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'."
+ type = object({
+ enable_endpoint_independent_mapping = optional(bool, true)
+ enable_dynamic_port_allocation = optional(bool, false)
+ min_ports_per_vm = optional(number, 64)
+ max_ports_per_vm = optional(number, 65536)
+ })
+
+ default = {
+ enable_endpoint_independent_mapping = true
+ enable_dynamic_port_allocation = false
+ min_ports_per_vm = 64
+ max_ports_per_vm = 65536
+ }
+
+ validation {
+ condition = var.config_port_allocation.enable_dynamic_port_allocation ? var.config_port_allocation.enable_endpoint_independent_mapping == false : true
+ error_message = "You must set enable_endpoint_independent_mapping to false to set enable_dynamic_port_allocation to true."
+ }
}
variable "config_source_subnets" {
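Review bot: The description of `config_port_allocation` is wrong about `min_ports_per_vm`: with dynamic allocation disabled it is the fixed number of ports each VM gets (that is what the old `config_min_ports_per_vm` default of 64 did), so only `max_ports_per_vm` is ignored in that mode; suggest `description = "Port allocation settings. max_ports_per_vm only applies when enable_dynamic_port_allocation is true, in which case min_ports_per_vm and max_ports_per_vm must be powers of two and endpoint independent mapping must be disabled."`. The single validation also lets through combinations the API will reject, such as a minimum above the maximum or non-power-of-two counts under dynamic allocation, which would otherwise surface only at apply time; the extra validation blocks below catch them at plan time. The variable block is complete in the hunk; the `config_source_subnets` variable that follows is cut.
```hcl
variable "config_port_allocation" {
  # … unchanged: description, type, default, existing validation …

  validation {
    condition = (
      var.config_port_allocation.min_ports_per_vm <= var.config_port_allocation.max_ports_per_vm
    )
    error_message = "min_ports_per_vm must not exceed max_ports_per_vm."
  }

  validation {
    condition = (
      !var.config_port_allocation.enable_dynamic_port_allocation || (
        pow(2, floor(log(var.config_port_allocation.min_ports_per_vm, 2))) == var.config_port_allocation.min_ports_per_vm &&
        pow(2, floor(log(var.config_port_allocation.max_ports_per_vm, 2))) == var.config_port_allocation.max_ports_per_vm
      )
    )
    error_message = "With dynamic port allocation enabled, min_ports_per_vm and max_ports_per_vm must be powers of two."
  }
```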