Unable to deploy Private NAT #3527

Open
3 tasks done
steku opened this issue Jan 23, 2025 · 0 comments
Labels
enhancement New feature or request

Comments

steku commented Jan 23, 2025

Checklist

  • I did not find a related open enhancement request.
  • I understand that enhancement requests filed in the GitHub repository are by default low priority.
  • If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

I don't see the option to deploy Cloud NAT in private mode. I am using Private Cloud NAT in conjunction with NCC for NAT back to on-prem via the hybrid spoke but am unable to determine how to deploy Cloud NAT in private mode. There is a reference in the CRD file to use Private NAT with a NCC Hybrid spoke but I can't deploy due to not being able to set it to private mode.

Additional information

# Cloud NAT northamerica-northeast1
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeRouterNAT
metadata:
  name: host-project-id-nonp-nane1-nat # kpt-set: ${host-project-id-nonp}-nane1-nat
  namespace: client-name-networking # kpt-set: ${client-name}-networking
  annotations:
    cnrm.cloud.google.com/project-id: host-project-id-nonp # kpt-set: ${host-project-id-nonp}
    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeRouter/host-project-id-nonp-nane1-router # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeRouter/${host-project-id-nonp}-nane1-router
spec:
  resourceID: nane1-nat
  enableEndpointIndependentMapping: false
  natIpAllocateOption: AUTO_ONLY
  region: northamerica-northeast1
  routerRef:
    name: host-project-id-nonp-nane1-router # kpt-set: ${host-project-id-nonp}-nane1-router
  sourceSubnetworkIpRangesToNat: LIST_OF_SUBNETWORKS
  subnetwork:
  - subnetworkRef:
      name: host-project-id-nonp-nane1-nonp-main-snet # kpt-set: ${host-project-id-nonp}-nane1-nonp-main-snet
    sourceIpRangesToNat:
    - ALL_IP_RANGES
  rules:
    - ruleNumber: 100
      match: match-private-nat # kpt-set: "nexthop.hub == 'https://networkconnectivity.googleapis.com/v1alpha1/projects/${hub-project-id}global/hub/ncc-hub'"
  # AU-12
  logConfig:
    enable: true
    filter: ALL

Error when deploying with the NCC rule.

status:
  conditions:
  - lastTransitionTime: "2025-01-22T19:14:01Z"
    message: 'Update call failed: error applying desired state: summary: Error creating
      RouterNat: googleapi: Error 400: Invalid value for field ''resource.nats[0].rules[0]'':
      ''{  "ruleNumber": 100,  "description": "nat rule examples",  "match": "\"nexthop.hub
      \u003d\u003d \u0...''. NAT rules are only supported with manual IP allocation
      mode., invalid'

I can deploy Private NAT with gcloud using AUTO_ONLY:

# Create the NAT with --type=PRIVATE (the mode the ComputeRouterNAT manifest above cannot express)
gcloud compute routers nats create ${NAT_CONFIG} \
  --router=${ROUTER} \
  --type=PRIVATE \
  --region=${REGION} \
  --nat-custom-subnet-ip-ranges=${SUBNET_TO_NAT}:ALL \
  --project ${PROJECT_ID}

# Add the NAT rule that matches traffic whose next hop is the NCC hub,
# using the PRIVATE_NAT subnet as the active source NAT range
gcloud beta compute routers nats rules create 1 \
  --router=${ROUTER} \
  --region=${REGION} \
  --nat=${NAT_CONFIG} \
  --enable-logging \
  --match="nexthop.hub == \"//networkconnectivity.googleapis.com/projects/${HUB_PROJECT_ID}/locations/global/hubs/${HUB}\"" \
  --source-nat-active-ranges=${NAT_SUBNET} \
  --project ${PROJECT_ID}

Importance

Additional steps are currently required outside of the automation to deploy Private Cloud NAT.

@steku steku added the enhancement New feature or request label Jan 23, 2025
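The two gcloud invocations in the issue are the manual steps the automation currently lacks. The script below is an added example, not code from the issue or from the Config Connector project: it wraps those same commands in an idempotent function that skips creation when the NAT or rule already exists, builds the hub match expression from the hub project and hub name so the URI cannot be mistyped, and finishes by checking that the NAT really came up in private mode. All argument names are placeholders; the `gcloud beta compute routers nats rules describe` call and the `--format='value(type)'` read of the NAT's `type` field are assumptions about current gcloud output, not something the issue shows.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): idempotent Private NAT + NCC hub rule
# deployment around the gcloud commands the issue uses. Assumed inputs:
# project, region, router and NAT names, the NCC hub project and hub name,
# the subnet to NAT, and the PRIVATE_NAT-purpose subnet for active ranges.
set -e

# Hub resource URI in the form the NAT rule match expression expects.
hub_uri() {
  local hub_project="$1" hub="$2"
  printf '//networkconnectivity.googleapis.com/projects/%s/locations/global/hubs/%s' \
    "$hub_project" "$hub"
}

# CEL match expression: traffic whose next hop is the NCC hub.
hub_match() {
  printf 'nexthop.hub == "%s"' "$(hub_uri "$1" "$2")"
}

# Returns 0 if the NAT already exists on the router, non-zero otherwise.
# Args: project region router nat
nat_exists() {
  gcloud compute routers nats describe "$4" --router="$3" --region="$2" \
    --project="$1" >/dev/null 2>&1
}

# Returns 0 if the given rule number already exists on the NAT (assumed
# 'rules describe' subcommand). Args: project region router nat rule_number
nat_rule_exists() {
  gcloud beta compute routers nats rules describe "$5" --nat="$4" --router="$3" \
    --region="$2" --project="$1" >/dev/null 2>&1
}

# Create the private NAT and the hub rule only if missing, then verify.
# Args: project region router nat subnet_to_nat nat_subnet hub_project hub
deploy_private_nat() {
  local project="$1" region="$2" router="$3" nat="$4"
  local subnet_to_nat="$5" nat_subnet="$6" hub_project="$7" hub="$8"
  local nat_type

  if nat_exists "$project" "$region" "$router" "$nat"; then
    echo "NAT $nat already exists on $router; skipping create"
  else
    gcloud compute routers nats create "$nat" \
      --router="$router" --type=PRIVATE --region="$region" \
      --nat-custom-subnet-ip-ranges="${subnet_to_nat}:ALL" \
      --project="$project"
  fi

  if nat_rule_exists "$project" "$region" "$router" "$nat" 1; then
    echo "rule 1 already exists on $nat; skipping create"
  else
    gcloud beta compute routers nats rules create 1 \
      --router="$router" --region="$region" --nat="$nat" \
      --enable-logging \
      --match="$(hub_match "$hub_project" "$hub")" \
      --source-nat-active-ranges="$nat_subnet" \
      --project="$project"
  fi

  # Verify the NAT is actually in private mode (assumes describe output
  # exposes a 'type' field holding PUBLIC or PRIVATE).
  nat_type=$(gcloud compute routers nats describe "$nat" --router="$router" \
    --region="$region" --project="$project" --format='value(type)')
  if [ "$nat_type" != "PRIVATE" ]; then
    echo "expected NAT type PRIVATE, got '${nat_type:-<empty>}'" >&2
    return 1
  fi
  echo "NAT $nat is PRIVATE with hub rule: $(hub_match "$hub_project" "$hub")"
}
```

Call it as `deploy_private_nat "$PROJECT_ID" "$REGION" "$ROUTER" "$NAT_CONFIG" "$SUBNET_TO_NAT" "$NAT_SUBNET" "$HUB_PROJECT_ID" "$HUB"`. Re-running it after a partial failure is safe because each create is guarded by a describe, and the final type check turns a silently public NAT into a non-zero exit that a pipeline will notice.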