If they have public IPs, cloud NAT won’t apply to them. CloudNAT only NATs VMs that do NOT have public IPs.
As a sibling has said, use IAP ssh tunneling instead of bastions. With cloudNAT enabled you can pull code from any public repo, including GitHub.
For edge traffic, use any of the gcp provided LBs... there are a bunch of them and they’re all very good. If you’re on GKE I would highly recommend datawires’ ambassador edge proxy: easy to setup and configure, and envoy is a modern, fast and reliable LB.
As a sibling has said, use IAP ssh tunneling instead of bastions. With cloudNAT enabled you can pull code from any public repo, including GitHub.
For edge traffic, use any of the gcp provided LBs... there are a bunch of them and they’re all very good. If you’re on GKE I would highly recommend datawires’ ambassador edge proxy: easy to setup and configure, and envoy is a modern, fast and reliable LB.