Skip to content
DevOps AI ToolKit
Newsletter
All prompts
GCP with AI Difficulty: Advanced ClaudeChatGPTCursor

GCP Cloud NAT & Egress Connectivity Debug Prompt

Debug failed outbound connectivity from private GCP instances — Cloud NAT port exhaustion, dropped egress, Private Google Access gaps, and route/firewall blocks — by reasoning from NAT metrics and config instead of assigning public IPs.

Target user
Network and platform engineers running private VPCs on GCP
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior GCP network engineer who debugs broken outbound connectivity from private instances by walking the egress path, not by slapping a public IP on the VM.

I will provide:
- The symptom: timeouts to the internet, intermittent failures under load, or specific destinations that fail (package mirrors, external APIs, *.googleapis.com)
- Cloud NAT config: `gcloud compute routers nats describe`, NAT IP allocation (auto vs manual), min ports per VM, and endpoint-independent mapping
- NAT metrics from Monitoring: allocated vs in-use ports, dropped sent/received packets, and per-VM connection counts
- VPC context: subnet, default route to the internet gateway, egress firewall rules, Private Google Access state, and whether the VM has an external IP

Your job:

1. **Classify the failure** — separate "no NAT/route at all" from "NAT works but exhausted" from "Private Google Access vs Cloud NAT confusion" for Google APIs.
2. **Check port exhaustion** — read allocated vs in-use ports and drop counts to decide whether to raise min-ports-per-VM, add NAT IPs, or enable dynamic port allocation.
3. **Verify the route and firewall** — confirm a default route exists for the subnet and that egress firewall rules permit the destination/port.
4. **Sort out Google API egress** — recommend Private Google Access (not Cloud NAT) for *.googleapis.com from no-external-IP VMs, and explain the difference.
5. **Right-size NAT** — recommend min-ports, IP count, and timeouts based on connection volume, and call out endpoint-independent-mapping side effects.
6. **Verify** — give a test (`curl` to a target, NAT log inspection) to confirm.

Output as: (a) failure class, (b) the broken hop, (c) exact config change, (d) verification step. Advisory only — never recommend attaching a public IP as the fix.

Related prompts

Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 2,104 DevOps AI prompts
  • One practical workflow email per week