Route tables are essential in managing the network traffic that flows into and out of virtual private clouds (VPCs). Proper configuration improves both network flexibility and security. By adding route entries and choosing the next hop type that suits your needs, you can control network traffic, optimize routing, reduce latency, and thereby improve network performance. You can also associate different route tables with different vSwitches for independent traffic control and isolation, which further increases the flexibility of traffic control.
Route tables
System route table
After you create a VPC, the system creates a system route table to manage the routes of the VPC. By default, vSwitches in the VPC use the system route table. You cannot create or delete a system route table. However, you can add custom route entries to a system route table.
Custom route table
You can create custom route tables in a VPC, associate custom route tables with vSwitches, and then set vSwitch CIDR blocks as destination CIDR blocks. This way, cloud services in vSwitches can communicate with each other, which facilitates network management. For more information, see Create and manage a route table.
Gateway route table
You can create a custom route table in a VPC and associate the custom route table with an IPv4 gateway. This route table is called a gateway route table. You can use a gateway route table to control traffic from the Internet to a VPC. You can redirect Internet traffic to security devices in the VPC, such as virtual firewalls. This allows you to protect cloud resources in the VPC in a centralized manner. For more information, see Create and manage an IPv4 gateway.
When you manage route tables, take note of the following limits:
Each VPC can contain at most 10 route tables including the system route table.
Only one route table can be associated with each vSwitch. The routing policies of a vSwitch are managed by the route table that is associated with the vSwitch. You can associate one route table with multiple vSwitches.
After you create a vSwitch, the system route table is associated with the vSwitch by default.
If a custom route table is associated with a vSwitch and you want to replace the custom route table with the system route table, you must disassociate the custom route table from the vSwitch. If you want to associate a different custom route table with the vSwitch, you can replace the original custom route table without disassociating the original custom route table.
Regions that support custom route tables
Area | Region |
Asia Pacific | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China 2 (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney) Closing Down, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok). |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
Middle East | UAE (Dubai) and SAU (Riyadh) |
Important: The SAU (Riyadh - Partner Region) region is operated by a partner.
Routes
Each item in a route table is a route, which consists of the destination CIDR block, the next hop type, and the next hop. The destination CIDR block is the IP address range to which you want to forward network traffic. The next hop type specifies the type of the cloud resource that is used to transmit network traffic, such as an Elastic Compute Service (ECS) instance, a VPN gateway, or a secondary elastic network interface (ENI). The next hop is the specific cloud resource that is used to transmit network traffic.
Routes include system routes, custom routes, and dynamic routes.
System routes
System routes are classified into IPv4 routes and IPv6 routes. You cannot modify system routes.
After you create a VPC and a vSwitch, the system automatically adds the following IPv4 routes to the route table:
A route whose destination CIDR block is 100.64.0.0/10. This route is used for communication among cloud resources within the VPC.
Routes whose destination CIDR blocks are the same as the CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.
For example, if you create a VPC whose CIDR block is 192.168.0.0/16 and two vSwitches whose CIDR blocks are 192.168.1.0/24 and 192.168.0.0/24, the following system routes are automatically added to the route table of the VPC. The "-" sign in the following table indicates the VPC.
Destination CIDR block | Next hop | Route type | Description |
100.64.0.0/10 | - | System route | Created by system. |
192.168.1.0/24 | - | System route | Created with vSwitch(vsw-m5exxjccadi03tvx0****) by system. |
192.168.0.0/24 | - | System route | Created with vSwitch(vsw-m5esyy9l8ntpt5gsw****) by system. |
If IPv6 is enabled for your VPC, the following IPv6 routes are automatically added to the system route table:
A route whose destination CIDR block is ::/0 and whose next hop is an IPv6 gateway. This route is used by instances in the VPC to communicate with the Internet through IPv6 addresses.
System routes whose destination CIDR blocks are the same as the IPv6 CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.
Note: If you create a custom route table and associate it with a vSwitch that has an IPv6 CIDR block, you must add a custom route whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway. For more information, see Add a custom route.
Custom routes
You can add custom routes to replace system routes or route traffic to specified destinations. You can specify the following types of next hops when you create a custom route:
Destination CIDR block | Next hop type |
IPv4 CIDR block/VPC prefix list | IPv4 gateway: Traffic that is destined for the destination CIDR block is routed to the specified IPv4 gateway. |
 | NAT gateway: Traffic that is destined for the destination CIDR block is routed to the specified NAT gateway. You can select this type if you want to access the Internet through a NAT gateway. |
 | VPC peering connection: Traffic that is destined for the destination CIDR block is routed to the specified VPC peering connection. |
 | Transit router: Traffic that is destined for the destination CIDR block is routed to the specified transit router. |
 | VPN gateway: Traffic that is destined for the destination CIDR block is routed to the specified VPN gateway. You can select this type if you want to connect a VPC to another VPC or an on-premises network through the VPN gateway. |
 | ECS instance: Traffic that is destined for the destination CIDR block is routed to the specified ECS instance in the VPC. You can select this type if you want to access the Internet or other applications through applications that are deployed on the ECS instance. |
 | ENI: Traffic that is destined for the destination CIDR block is routed to the specified ENI. |
 | High-availability virtual IP address (HAVIP): Traffic that is destined for the destination CIDR block is routed to the specified HAVIP. |
 | Router interface (to VBR): Traffic that is destined for the destination CIDR block is routed to the specified virtual border router (VBR). You can select this type if you want to connect a VPC to an on-premises network through Express Connect circuits. |
 | Router interface (to VPC): Traffic that is destined for the destination CIDR block is routed to the specified VBR. |
 | ECR: Traffic that is destined for the destination CIDR block is routed to the specified Express Connect Router (ECR). |
IPv6 CIDR block | ECS instance: Traffic that is destined for the destination CIDR block is routed to the specified ECS instance in the VPC. You can select this type if you want to access the Internet or other applications through applications that are deployed on the ECS instance. |
 | IPv6 gateway: Traffic that is destined for the destination CIDR block is routed to the specified IPv6 gateway. You can select this type if you want to implement IPv6 communication through an IPv6 gateway. You can forward traffic to the specified IPv6 gateway only if a route is added to the system route table and an IPv6 gateway is created in the region where the vSwitch associated with the system route table is deployed. |
 | ENI: Traffic that is destined for the destination CIDR block is routed to the specified ENI. |
 | Router interface (to VBR): Traffic that is destined for the destination CIDR block is routed to the specified VBR. Select this type if an Express Connect circuit is connected to an on-premises network. |
 | ECR: Traffic that is destined for the destination CIDR block is routed to the specified ECR. |
 | VPC peering connection: Traffic that is destined for the destination CIDR block is routed to the specified VPC peering connection. |
Dynamic routes
Dynamic routes are routes learned through route synchronization from dynamic routing sources, such as Cloud Enterprise Network (CEN), VPN Gateway, and Express Connect Router (ECR).
Note: VPCs support only a single dynamic routing source, which means that a VPC can receive dynamic routes from only one dynamic routing source at a time. For example, after a VPC is associated with an ECR, enabling Advertised Route fails if you then add the VPC to a CEN. After you create a VPN gateway and enable Automatic Route Advertisement, the BGP routes learned by the VPN gateway are automatically propagated to the system route table of the VPC, and you cannot add the VPC to an ECR in this situation.
A VPC cannot learn dynamic routes whose destination CIDR blocks are identical to or more specific than the CIDR blocks of its vSwitches.
Routing priority
Route priority is determined by the following rules:
Same destination CIDR block
You can implement load balancing only if you select router interface (to VBR) as the next hop type and configure health checks.
You can implement active/standby routing only if you select router interface (to VBR) as the next hop type and configure health checks.
In other cases, the destination CIDR blocks of different routes must be unique. The destination CIDR blocks of custom routes and dynamic routes cannot be the same as those of system routes. The destination CIDR blocks of custom routes cannot be the same as those of dynamic routes.
Overlapping destination CIDR blocks
Network traffic is routed based on the longest prefix match algorithm. The destination CIDR blocks of custom routes and dynamic routes can contain the destination CIDR blocks of system routes. The destination CIDR blocks of custom routes cannot be more specific than those of system routes, except for cloud service system routes: you can configure the CIDR block of a custom route to be more specific than that of the cloud service system route 100.64.0.0/10, but the two CIDR blocks cannot be identical.
Important: Because the CIDR block of the system route 100.64.0.0/10 is designated for communication between resources within VPCs, we recommend that you exercise caution if you need to configure more specific routes. Configuration errors may cause disruptions in access to specific cloud services.
For example, the following table shows the route table of a VPC. The "-" sign indicates the VPC.
Destination CIDR block | Next hop type | Next hop | Route type |
100.64.0.0/10 | - | - | System |
192.168.0.0/24 | - | - | System |
0.0.0.0/0 | ECS instance | i-bp15u6os7nx2c9h9**** | Custom |
10.0.0.0/24 | ECS instance | i-bp1966ss26t47ka4**** | Custom |
The routes whose destination CIDR blocks are 100.64.0.0/10 and 192.168.0.0/24 are system routes. The routes whose destination CIDR blocks are 0.0.0.0/0 and 10.0.0.0/24 are custom routes. Traffic destined for 0.0.0.0/0 is forwarded to the ECS instance whose ID is i-bp15u6os7nx2c9h9****, and traffic destined for 10.0.0.0/24 is forwarded to the ECS instance whose ID is i-bp1966ss26t47ka4****. Based on the longest prefix match algorithm, traffic destined for 10.0.0.1 is forwarded to i-bp1966ss26t47ka4****, while traffic destined for 10.0.1.1 is forwarded to i-bp15u6os7nx2c9h9****.
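The following Python model is an added example, not Alibaba Cloud code and not a call to any VPC API. It models two things described above: the system routes that are created for a VPC (100.64.0.0/10 plus one route per vSwitch CIDR block, as in the "System routes" section), and the rules in this "Routing priority" section, namely that a custom route may not duplicate an existing destination, may not be more specific than a system route except within 100.64.0.0/10, and that lookups use longest prefix match. The class and function names are this example's own, it is limited to IPv4, and the sample table is the one shown in the text (vSwitch 192.168.0.0/24, two custom routes pointing to the ECS instance IDs from the table above).

```python
"""Toy model of a VPC route table (added example, not Alibaba Cloud code).
It enforces the route-table rules stated on this page, limited to IPv4."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# System route that every VPC gets for communication with cloud services.
CLOUD_SERVICE_CIDR = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop_type: str   # "-" for system routes, e.g. "ECS instance" otherwise
    next_hop: str        # "-" for system routes, a resource ID otherwise
    route_type: str      # "System" or "Custom"


class RouteTable:
    def __init__(self, vswitch_cidrs: List[str]) -> None:
        # The system adds 100.64.0.0/10 plus one route per vSwitch CIDR block.
        self.routes: List[Route] = [Route(CLOUD_SERVICE_CIDR, "-", "-", "System")]
        for cidr in vswitch_cidrs:
            self.routes.append(Route(ipaddress.ip_network(cidr), "-", "-", "System"))

    def system_routes(self) -> List[Route]:
        return [r for r in self.routes if r.route_type == "System"]

    def validate_custom_route(self, destination: str) -> Optional[str]:
        """Return None if a custom route to `destination` is allowed, otherwise the reason it is rejected."""
        dest = ipaddress.ip_network(destination)
        for existing in self.routes:
            # Destination CIDR blocks must be unique across system and custom routes.
            if dest == existing.destination:
                return f"{dest} is already the destination of a {existing.route_type} route"
            more_specific = dest != existing.destination and dest.subnet_of(existing.destination)
            # A custom route may not be more specific than a system route,
            # except inside the cloud-service block 100.64.0.0/10.
            if (existing.route_type == "System" and more_specific
                    and existing.destination != CLOUD_SERVICE_CIDR):
                return f"{dest} is more specific than system route {existing.destination}"
        return None

    def add_custom_route(self, destination: str, next_hop_type: str, next_hop: str) -> Route:
        reason = self.validate_custom_route(destination)
        if reason is not None:
            raise ValueError(reason)
        route = Route(ipaddress.ip_network(destination), next_hop_type, next_hop, "Custom")
        self.routes.append(route)
        return route

    def lookup(self, address: str) -> Optional[Route]:
        """Longest prefix match: of all routes containing the address, choose the longest prefix."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes if addr in r.destination]
        if not matches:
            return None
        return max(matches, key=lambda r: r.destination.prefixlen)


def example_table() -> RouteTable:
    """Build the route table shown in the text: one vSwitch and two custom routes."""
    table = RouteTable(["192.168.0.0/24"])
    table.add_custom_route("0.0.0.0/0", "ECS instance", "i-bp15u6os7nx2c9h9****")
    table.add_custom_route("10.0.0.0/24", "ECS instance", "i-bp1966ss26t47ka4****")
    return table


if __name__ == "__main__":
    table = example_table()
    for ip in ("10.0.0.1", "10.0.1.1", "192.168.0.9", "100.64.3.4"):
        r = table.lookup(ip)
        print(f"{ip:<12} -> {r.destination} ({r.route_type}, next hop {r.next_hop})")
    for cidr in ("192.168.0.0/25", "192.168.0.0/24", "100.64.0.0/10", "100.64.1.0/24"):
        print(f"custom route {cidr}: {table.validate_custom_route(cidr) or 'allowed'}")
```

Running the block reproduces the outcome stated above (10.0.0.1 goes to i-bp1966ss26t47ka4**** and 10.0.1.1 to i-bp15u6os7nx2c9h9****) and shows the validation rules: 192.168.0.0/25 is rejected as more specific than the vSwitch system route, 100.64.0.0/10 is rejected as identical to the cloud-service route, and 100.64.1.0/24 is accepted, which is exactly the case the Important note asks you to handle with care.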
Different destination CIDR blocks
You can specify the same next hop for different routes.
Limits and quotas
Name/ID | Description | Default value | Adjustable |
vpc_quota_route_tables_num | Maximum number of custom route tables that can be created in each VPC | 9 | You can increase the quota by performing the following operations: |
vpc_quota_route_entrys_num | Maximum number of custom routes that can be created in each route table (dynamic routes are not included) | 200 | |
vpc_quota_dynamic_route_entrys_num | Maximum number of dynamic routes in each route table | 500 | |
vpc_quota_havip_custom_route_entry | Maximum number of custom routes that point to an HAVIP | 5 | |
vpc_quota_vpn_custom_route_entry | Maximum number of custom routes in a VPC that point to a VPN gateway | 50 | |
N/A | Maximum number of tags that can be added to each route table | 20 | No |
 | Maximum number of vRouters that can be created in each VPC | 1 | |
 | Maximum number of routes that can point to a transit router supported by each VPC | 600 | |
Examples
You can add custom routes to a route table to control inbound and outbound traffic transmitted over a VPC.
Private VPC route
If the vSwitches in a VPC require noticeably different traffic routing and the system route table does not meet your business needs, you can create a custom route table. By associating the custom route table with vSwitches and setting the CIDR blocks of those vSwitches as destination CIDR blocks, you enable communication between cloud resources and gain flexible network management.
Connect two VPCs through VPC peering connection
A VPC peering connection is a network connection between two VPCs. Because both IPv4 and IPv6 interconnection are supported, a VPC peering connection can carry IPv4 and IPv6 traffic between the two VPCs.
Connect two VPCs through VPN connection
You can use the VPN Gateway to establish an IPsec-VPN connection between two VPCs, encrypt data transmission, and achieve secure mutual access.
Connect a VPC to on-premises networks through Express Connect circuits
You can use an Express Connect circuit (a physical connection) to connect an on-premises network to a VPC through a virtual border router (VBR) in Express Connect.
You can combine Express Connect circuits with Express Connect Routers for higher specifications and lower-latency connections between the on-premises network and the VPC.
Connect a VPC to an on-premises network through VPN gateway
You can establish a secure and reliable network connection between on-premises networks and cloud VPCs by creating encrypted tunnels.
References
For more information about creating and managing route tables, see Create and manage a route table.
For more information about managing the network traffic of vSwitches, see Subnet routes.