I am trying to use the Google Cloud NAT on a set of VMs running on Compute Engine which are in their own specific subnet such that all of the servers make requests to customer websites from a single static IP address. Unfortunately when I add these VMs to a TCP/SSL Proxy LB they don't appear to be using the NAT which I believe is configured correctly.
I have tried configuring the TCP Proxy LB as well as an HTTP(S) LB and the Cloud NAT and when I try and make an egress http request it results in a timeout. The ingress via the LB is working properly. The VM instances do not have external IPs which is a requirement for the Cloud NAT.
I expect the http requests to hit the server and for the web-server to make outbound http requests via the Cloud NAT such that other servers need only whitelist a single IP address (a static IP assigned to the Cloud NAT).
I'm trying to understand why you would need Cloud NAT in this scenario, since a TCP/SSL proxy load balancer will connect to the backends using a private connection and the backends won't be exposed to the Internet. Configuring just a TCP/SSL proxy would be enough for your scenario imo. The following official documentation will explain my point:
Backend VMs for HTTP(S), SSL Proxy, and TCP Proxy load balancers do not need external IP addresses themselves, nor do they need Cloud NAT to send replies to the load balancer. HTTP(S), SSL Proxy, and TCP Proxy load balancers communicate with backend VMs using their primary internal IP addresses.
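As an added example (not from the question, the answer, or Google's own samples), the following script shows the two separate paths the answer describes in gcloud terms: the proxy load balancer reaches the backends over their internal IPs from Google's managed ranges, while VM-initiated egress to customer sites leaves through a Cloud NAT with one reserved static IP. All project, region, VPC, subnet, router, tag, port and VM names are assumed placeholders. The DRY_RUN=1 mode only prints the commands.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): reserve one static
# IP, put a Cloud NAT on the backend subnet, open the backends only to the proxy
# LB's Google-managed ranges, and check that a backend really egresses via NAT.
# All project/region/resource names are assumed placeholders; override via env.
set -eu

PROJECT="${PROJECT:-my-project}"             # assumed
REGION="${REGION:-us-central1}"              # assumed
NETWORK="${NETWORK:-backend-vpc}"            # assumed VPC
SUBNET="${SUBNET:-backend-subnet}"           # assumed subnet holding the LB backends
ROUTER="${ROUTER:-backend-router}"           # assumed Cloud Router name
NAT="${NAT:-backend-nat}"                    # assumed Cloud NAT name
NAT_ADDR="${NAT_ADDR:-backend-egress-ip}"    # assumed name of the reserved static IP
BACKEND_TAG="${BACKEND_TAG:-lb-backend}"     # assumed network tag on the backend VMs
BACKEND_PORT="${BACKEND_PORT:-8080}"         # assumed port the web server listens on

# Print each command, then run it unless DRY_RUN=1 (preview mode).
run() {
  printf '+ %s\n' "$*"
  [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Cloud NAT only translates VM-initiated connections from instances that have
# no external IP. Restricting it to the backend subnet (rather than all ranges)
# keeps the single egress IP scoped to exactly these servers, and NAT logging
# records which VM used which source port, for later correlation.
setup_nat() {
  run gcloud compute addresses create "$NAT_ADDR" \
    --project="$PROJECT" --region="$REGION"
  run gcloud compute routers create "$ROUTER" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"
  run gcloud compute routers nats create "$NAT" \
    --project="$PROJECT" --region="$REGION" --router="$ROUTER" \
    --nat-custom-subnet-ip-ranges="$SUBNET" \
    --nat-external-ip-pool="$NAT_ADDR" \
    --enable-logging
}

# The proxy LB and its health checkers reach backends over their internal IPs
# from Google's 130.211.0.0/22 and 35.191.0.0/16 ranges; no NAT or external
# IP is involved on that path, so only those ranges need to be allowed in.
allow_lb_to_backends() {
  run gcloud compute firewall-rules create allow-proxy-lb-to-backends \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags="$BACKEND_TAG" --allow="tcp:$BACKEND_PORT"
}

# Checks for a backend VM: it must have NO external IP (an external IP bypasses
# Cloud NAT), the VPC must still have its default route to the internet gateway
# (Cloud NAT depends on it), and the router should show a NAT mapping for the VM.
verify_vm() {
  vm="$1"; zone="$2"
  run gcloud compute instances describe "$vm" --project="$PROJECT" --zone="$zone" \
    --format='value(networkInterfaces[0].accessConfigs[0].natIP)'   # expect empty
  run gcloud compute routes list --project="$PROJECT" \
    --filter="network:$NETWORK AND nextHopGateway:default-internet-gateway" \
    --format='value(name)'                                            # expect one route
  run gcloud compute routers get-nat-mapping-info "$ROUTER" \
    --project="$PROJECT" --region="$REGION"
}

# Run ON a backend VM: the address an external site sees must equal the reserved
# NAT IP (compare with: gcloud compute addresses describe "$NAT_ADDR" --region ...).
egress_ip_seen_by_internet() {
  run curl -4 -s --max-time 10 https://api.ipify.org
}

# Usage: sh setup_nat.sh apply          (DRY_RUN=1 sh setup_nat.sh apply previews)
if [ "${1:-}" = "apply" ]; then
  setup_nat
  allow_lb_to_backends
  verify_vm "${BACKEND_VM:-backend-1}" "${ZONE:-us-central1-a}"   # assumed VM/zone
fi
```

The NAT is deliberately limited to the backend subnet's primary range and created with logging on, so the one whitelisted IP maps to a known set of VMs and each translated connection can be traced back to its source instance. The verify step is the first thing to run when egress times out: an instance that still has an external IP, or a VPC whose default internet route was deleted, will not use the NAT at all.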