diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index 89a9c3524..a8d65d9d1 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -26,6 +26,7 @@ module "nat" {
 | *config_min_ports_per_vm* | Minimum number of ports allocated to a VM from this NAT config. | <code title="">number</code> |  | <code title="">64</code> |
 | *config_source_subnets* | Subnetwork configuration (ALL_SUBNETWORKS_ALL_IP_RANGES, ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, LIST_OF_SUBNETWORKS). | <code title="">string</code> |  | <code title="">ALL_SUBNETWORKS_ALL_IP_RANGES</code> |
 | *config_timeouts* | Timeout configurations. | <code title="object&#40;&#123;&#10;icmp            &#61; number&#10;tcp_established &#61; number&#10;tcp_transitory  &#61; number&#10;udp             &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;icmp            &#61; 30&#10;tcp_established &#61; 1200&#10;tcp_transitory  &#61; 30&#10;udp             &#61; 30&#10;&#125;">...</code> |
+| *logging_filter* | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | <code title="">string</code> |  | <code title="">null</code> |
 | *router_asn* | Router ASN used for auto-created router. | <code title="">number</code> |  | <code title="">64514</code> |
 | *router_create* | Create router. | <code title="">bool</code> |  | <code title="">true</code> |
 | *router_name* | Router name, leave blank if router will be created to use auto generated name. | <code title="">string</code> |  | <code title="">null</code> |
diff --git a/modules/net-cloudnat/main.tf b/modules/net-cloudnat/main.tf
index cd380d725..30ee30ea9 100644
--- a/modules/net-cloudnat/main.tf
+++ b/modules/net-cloudnat/main.tf
@@ -47,6 +47,11 @@ resource "google_compute_router_nat" "nat" {
   tcp_established_idle_timeout_sec   = var.config_timeouts.tcp_established
   tcp_transitory_idle_timeout_sec    = var.config_timeouts.tcp_transitory
 
+  log_config {
+    enable = var.logging_filter == null ? false : true
+    filter = var.logging_filter == null ? "ALL" : var.logging_filter
+  }
+
   dynamic "subnetwork" {
     for_each = var.subnetworks
     content {
diff --git a/modules/net-cloudnat/variables.tf b/modules/net-cloudnat/variables.tf
index dbe0f46b5..58cb6f305 100644
--- a/modules/net-cloudnat/variables.tf
+++ b/modules/net-cloudnat/variables.tf
@@ -48,6 +48,12 @@ variable "config_timeouts" {
   }
 }
 
+variable "logging_filter" {
+  description = "Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'."
+  type        = string
+  default     = null
+}
+
 variable "name" {
   description = "Name of the Cloud NAT resource."
   type        = string