
Virtual Private Cloud:Route tables

Last Updated: Dec 02, 2024

Route tables are used to manage and control the network traffic of virtual private clouds (VPCs). Proper route configurations enhance network flexibility and security. You can configure routes and specify suitable next-hop types to optimize traffic paths, reduce latency, and improve network performance. You can also associate different route tables with different vSwitches to implement traffic control and isolation.

Route table

  • System route table

    After you create a VPC, the system creates a system route table to manage the routes of the VPC. By default, vSwitches in the VPC use the system route table. You cannot create or delete a system route table. However, you can add custom route entries to a system route table.

  • Custom route table

    You can create custom route tables in a VPC, associate custom route tables with vSwitches, and then set vSwitch CIDR blocks as destination CIDR blocks. This way, cloud services in vSwitches can communicate with each other. This facilitates network management. For more information, see Create and manage a route table.

  • Gateway route table

    You can create a custom route table in a VPC and associate the custom route table with an IPv4 gateway. This route table is called a gateway route table. You can use a gateway route table to control traffic from the Internet to a VPC. You can redirect Internet traffic to security devices in the VPC, such as virtual firewalls. This allows you to protect cloud resources in the VPC in a centralized manner. For more information, see Create and manage an IPv4 gateway.

When you manage route tables, take note of the following limits:

  • Each VPC can contain at most 10 route tables including the system route table.

  • Only one route table can be associated with each vSwitch. The routing policies of a vSwitch are managed by the route table that is associated with the vSwitch. You can associate one route table with multiple vSwitches.

  • After you create a vSwitch, the system route table is associated with the vSwitch by default.

  • If a custom route table is associated with a vSwitch and you want to switch the vSwitch back to the system route table, you must disassociate the custom route table from the vSwitch. If you want to associate a different custom route table with the vSwitch, you can replace the original custom route table directly, without disassociating it first.

Routes

Each item in a route table is a route. A route consists of the destination CIDR block, the next hop type, and the next hop. The destination CIDR block is the IP address range to which you want to forward network traffic. The next hop type specifies the type of cloud resource that is used to transmit network traffic, such as an Elastic Compute Service (ECS) instance, a VPN gateway, or a secondary elastic network interface (ENI). The next hop is the specific cloud resource that is used to transmit network traffic.

Routes are classified into system routes, custom routes, and dynamic routes.

  • System routes

    System routes are classified into IPv4 routes and IPv6 routes. You cannot modify system routes.

    • After you create a VPC and vSwitches, the system automatically adds the following IPv4 routes to the route table:

      • A route whose destination CIDR block is 100.64.0.0/10. This route is used for communication among cloud resources within the VPC.

      • Routes whose destination CIDR blocks are the same as the CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.

      For example, if you create a VPC whose CIDR block is 192.168.0.0/16 and two vSwitches whose CIDR blocks are 192.168.1.0/24 and 192.168.0.0/24, the following system routes are automatically added to the route table of the VPC. The "-" sign in the following table indicates the VPC.

      Destination CIDR block | Next hop | Route type | Description
      100.64.0.0/10 | - | System route | Created by system.
      192.168.1.0/24 | - | System route | Created with vSwitch(vsw-m5exxjccadi03tvx0****) by system.
      192.168.0.0/24 | - | System route | Created with vSwitch(vsw-m5esyy9l8ntpt5gsw****) by system.

    • If IPv6 is enabled for your VPC, the following IPv6 routes are automatically added to the system route table of the VPC:

      • A custom route whose destination CIDR block is ::/0 and whose next hop is an IPv6 gateway. Cloud resources deployed in the VPC use this route to access the Internet through IPv6 addresses.

      • System routes whose destination CIDR blocks are the same as the IPv6 CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.

        Note

        If you create a custom route table and associate the custom route table with a vSwitch that resides in an IPv6 CIDR block, you must add a custom route whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway. For more information, see Add a custom route.

  • Custom routes

    You can add custom routes to replace system routes or route traffic to specified destinations. You can specify the following types of next hops when you create a custom route:

    Destination CIDR block: IPv4 CIDR block or VPC prefix list

    Supported next hop types:

      • IPv4 gateway: Traffic that is destined for the destination CIDR block is routed to the specified IPv4 gateway.

      • NAT gateway: Traffic that is destined for the destination CIDR block is routed to the specified NAT gateway. You can select this type if you want to access the Internet through a NAT gateway.

      • VPC peering connection: Traffic that is destined for the destination CIDR block is routed to the specified VPC peering connection.

      • Transit router: Traffic that is destined for the destination CIDR block is routed to the specified transit router.

      • VPN gateway: Traffic that is destined for the destination CIDR block is routed to the specified VPN gateway. You can select this type if you want to connect a VPC to another VPC or an on-premises network through the VPN gateway.

      • ECS instance: Traffic that is destined for the destination CIDR block is routed to the specified ECS instance in the VPC. You can select this type if you want to access the Internet or other applications through applications deployed on the ECS instance.

      • ENI: Traffic that is destined for the destination CIDR block is routed to the specified ENI.

      • High-availability virtual IP address (HAVIP): Traffic that is destined for the destination CIDR block is routed to the specified HAVIP.

      • Router interface (to VBR): Traffic that is destined for the destination CIDR block is routed to the specified virtual border router (VBR). You can select this type if you want to connect a VPC to an on-premises network through Express Connect circuits.

      • Router interface (to VPC): Traffic that is destined for the destination CIDR block is routed to the specified VBR.

      • ECR: Traffic that is destined for the destination CIDR block is routed to the specified Express Connect Router (ECR).

    Destination CIDR block: IPv6 CIDR block

    Supported next hop types:

      • ECS instance: Traffic that is destined for the destination CIDR block is routed to the specified ECS instance in the VPC. You can select this type if you want to access the Internet or other applications through applications deployed on the ECS instance.

      • IPv6 gateway: Traffic that is destined for the destination CIDR block is routed to the specified IPv6 gateway. You can select this type if you want to implement IPv6 communication through an IPv6 gateway. You can forward traffic to the specified IPv6 gateway only if the route is added to the system route table and an IPv6 gateway exists in the region where the vSwitch associated with the system route table is deployed.

      • ENI: Traffic that is destined for the destination CIDR block is routed to the specified ENI.

      • Router interface (to VBR): Traffic that is destined for the destination CIDR block is routed to the specified VBR. You can select this type if you want to connect a VPC to an on-premises network through Express Connect circuits.

      • ECR: Traffic that is destined for the destination CIDR block is routed to the specified ECR.

      • VPC peering connection: Traffic that is destined for the destination CIDR block is routed to the specified VPC peering connection.

  • Dynamic routes

    Dynamic routes are routes learned from dynamic sources through route synchronization. Cloud Enterprise Network (CEN) instances, VPN gateways, and ECRs can serve as dynamic sources.

    Note

    • A VPC can receive dynamic routes from only one dynamic source. For example, if a VPC is associated with an ECR and attached to a CEN instance, you cannot enable route advertisement for the VPC. Similarly, after you create a VPN gateway and enable automatic route advertisement, BGP routes learned by the VPN gateway are automatically advertised to the VPC system route table, and you can then no longer associate the VPC with an ECR.

    • A VPC cannot learn routes whose destination CIDR blocks are the same as or more specific than vSwitch CIDR blocks.

Advertise static routes

Advertise static routes to an ECR

A VPC can advertise static routes to an ECR. You can advertise custom routes configured in a system route table to an ECR. If no route conflicts occur, the data center associated with the ECR can learn the routes.

Note
  • Malaysia (Kuala Lumpur) now supports the advertisement of static routes to an ECR.

  • After a VPC is associated with an ECR, system routes of the VPC are advertised to the ECR by default.

  • After static routes are advertised to the ECR, the routes are advertised to data centers associated with the ECR but are not advertised to other VPCs associated with the ECR.

  • If conflicts occur between advertised routes, you can view the routes on the Routes tab of the ECR details page. The status of the routes is Conflicting and the routes do not take effect.

When you advertise static routes to an ECR, take note of the following information:

  • You cannot advertise routes in custom route tables of a VPC to an ECR.

  • You cannot advertise routes that use prefix lists to an ECR.

  • You cannot advertise active/standby routes and load balancing routes created by a VPC to an ECR. After VPC routes are advertised to an ECR, you cannot configure the routes as load balancing routes or active/standby routes.

  • If you modify the route after VPC routes are advertised to an ECR, you can specify only a next hop that supports route advertisement.

  • The following table describes the default advertisement status of different VPC route types, and whether the route types support advertisement or withdrawal.

    Route type | Source instance | Advertised by default | Advertisement | Withdrawal
    VPC system routes | VPC | Yes | Supported | Unsupported
    Routes that point to IPv4 gateways | VPC | No | Supported | Supported
    Routes that point to IPv6 gateways | VPC | No | Supported | Supported
    Routes that point to NAT gateways | VPC | No | Supported | Supported
    Routes that point to VPC peering connections | VPC | No | Unsupported | Unsupported
    Routes that point to transit routers | VPC | No | Unsupported | Unsupported
    Routes that point to VPN gateways | VPC | No | Supported | Supported
    Routes that point to ECS instances | VPC | No | Supported | Supported
    Routes that point to ENIs | VPC | No | Supported | Supported
    Routes that point to HAVIPs | VPC | No | Supported | Supported
    Routes that point to router interfaces (to VBR) | VPC | No | Unsupported | Unsupported
    Routes that point to router interfaces (to VPC) | VPC | No | Unsupported | Unsupported
    Routes that point to ECRs | VPC | No | Unsupported | Unsupported

Advertise routes to a transit router

Transit routers support route advertisement. You can advertise the routes of a VPC that is associated with a transit router to the transit router. If no route conflicts occur, other network instances associated with the transit router can learn the routes. For more information about the route status and whether route advertisement is supported for different route types, see Advertise routes to a transit router.

Note
  • If your VPC uses an ECR and a transit router to build a hybrid cloud, the rules for CEN to advertise routes and for the VPC to advertise static routes to the ECR remain unchanged.

Route priorities

Route priorities are determined by the following rules:

  • Same destination CIDR block

    • Load balancing routes are supported only when the next hop type is router interface (to VBR) and must be used with health checks.

    • Active/standby routes are supported only when the next hop type is router interface (to VBR) and must be used with health checks.

    • In other cases, the destination CIDR blocks of different routes must be unique. The destination CIDR blocks of custom routes and dynamic routes cannot be the same as those of system routes. The destination CIDR blocks of custom routes cannot be the same as those of dynamic routes.

  • Overlapping destination CIDR blocks

    Network traffic is routed based on the longest prefix match algorithm. The destination CIDR blocks of custom routes and dynamic routes can contain the CIDR blocks of system routes, but the destination CIDR blocks of custom routes cannot be more specific than those of system routes, except for the system routes of cloud services: you can create a custom route whose destination CIDR block is more specific than 100.64.0.0/10, but not one whose destination CIDR block is exactly 100.64.0.0/10.

    Important

    The system route whose destination CIDR block is 100.64.0.0/10 is used for communication within a VPC. We recommend that you configure a more specific route to make sure that your services can run as expected.

    The following table shows the route table of a VPC. The "-" sign indicates the VPC.

    Destination CIDR block | Next hop type | Next hop | Route type
    100.64.0.0/10 | - | - | System
    192.168.0.0/24 | - | - | System
    0.0.0.0/0 | ECS instance | i-bp15u6os7nx2c9h9**** | Custom
    10.0.0.0/24 | ECS instance | i-bp1966ss26t47ka4**** | Custom

    The routes whose destination CIDR blocks are 100.64.0.0/10 and 192.168.0.0/24 are system routes. The routes whose destination CIDR blocks are 0.0.0.0/0 and 10.0.0.0/24 are custom routes. Traffic destined for 0.0.0.0/0 is forwarded to the ECS instance whose ID is i-bp15u6os7nx2c9h9****, and traffic destined for 10.0.0.0/24 is forwarded to the ECS instance whose ID is i-bp1966ss26t47ka4****. Based on the longest prefix match algorithm, traffic destined for 10.0.0.1 is forwarded to i-bp1966ss26t47ka4****, while traffic destined for 10.0.1.1 is forwarded to i-bp15u6os7nx2c9h9****.
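    As an added illustration of the longest prefix match lookup and the uniqueness rules above (example code written for this page, not Alibaba Cloud's implementation), the following Python reproduces the route table from the example and checks candidate custom routes against it. The route data is the masked table above; the function names are ours.

```python
import ipaddress

# Route table copied from the page's example: (destination, next hop type, next hop, route type).
# A "-" next hop stands for the VPC itself, as in the page's table.
ROUTES = [
    ("100.64.0.0/10", "-", "-", "System"),
    ("192.168.0.0/24", "-", "-", "System"),
    ("0.0.0.0/0", "ECS instance", "i-bp15u6os7nx2c9h9****", "Custom"),
    ("10.0.0.0/24", "ECS instance", "i-bp1966ss26t47ka4****", "Custom"),
]

# The cloud-service system route: custom routes may be more specific than it, but not equal to it.
CLOUD_SERVICE_ROUTE = ipaddress.ip_network("100.64.0.0/10")


def lookup(routes, dst_ip):
    """Return (next hop type, next hop) for dst_ip using longest prefix match.

    Returns None when no route covers the address (e.g. no default route present).
    """
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dst, nh_type, nh, _ in routes:
        net = ipaddress.ip_network(dst)
        if ip.version == net.version and ip in net:
            # Keep the most specific (longest prefix) covering route.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh_type, nh)
    return None if best is None else (best[1], best[2])


def check_custom_route(routes, new_dst):
    """Apply the page's destination rules before adding a custom route.

    Returns an empty list when the route is acceptable, otherwise the violated rules.
    (The router interface (to VBR) load-balancing/active-standby exception is not modelled.)
    """
    new = ipaddress.ip_network(new_dst)
    problems = []
    for dst, _, _, rtype in routes:
        net = ipaddress.ip_network(dst)
        if net.version != new.version:
            continue
        if net == new:
            # Destination CIDR blocks must be unique across system, custom and dynamic routes.
            problems.append(f"{new} duplicates an existing {rtype} route")
        elif rtype == "System" and net != CLOUD_SERVICE_ROUTE and new.subnet_of(net):
            # Custom routes may not be more specific than a vSwitch system route.
            problems.append(f"{new} is more specific than system route {net}")
    return problems
```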

  • Different destination CIDR blocks

    You can specify the same next hop for different routes.

Limits and quotas

Regions that support custom route tables

Area | Supported regions
Asia Pacific | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Quotas

Name/ID | Description | Default value | Adjustable
vpc_quota_route_tables_num | Maximum number of custom route tables that can be created in each VPC | 9 | You can increase the quota by performing the following operations:
vpc_quota_route_entrys_num | Maximum number of custom routes that can be created in each route table (excluding dynamic routes) | 200 |
vpc_quota_dynamic_route_entrys_num | Maximum number of dynamic routes in each route table | 500 |
vpc_quota_havip_custom_route_entry | Maximum number of custom routes that point to a high-availability virtual IP address (HAVIP) | 5 |
vpc_quota_vpn_custom_route_entry | Maximum number of custom routes in a VPC that point to a VPN gateway | 50 |
N/A | Maximum number of tags that can be added to each route table | 20 |
N/A | Maximum number of vRouters that can be created in each VPC | 1 |
| Maximum number of routes that can point to a transit router supported by each VPC | 600 |

Examples

You can add custom routes to a route table to control inbound and outbound traffic transmitted over a VPC.

Private VPC route

If the traffic paths of vSwitches differ significantly and the system route table cannot meet your business requirements, you can create a custom route table in your VPC, associate it with a vSwitch, and specify the vSwitch CIDR block as the destination CIDR block for communication within the vSwitch. This facilitates network management.


Cross-VPC communication (VPC peering connection)

A VPC peering connection is a network connection between two VPCs. VPC peering connections support both IPv4 and IPv6 traffic, which enables the two VPCs to communicate with each other over private networks.


Cross-VPC communication (VPN gateway)

You can use a VPN gateway to establish secure IPsec-VPN connections between two VPCs.


Connect a VPC to an on-premises network through an Express Connect circuit

You can use an Express Connect circuit to connect a data center to the cloud by using a VBR.


You can use an Express Connect circuit and an ECR to connect a data center to a VPC with low latency and high performance.


Connect a VPC to an on-premises network through a VPN gateway

You can use a VPN gateway to connect a data center to a VPC through encrypted tunnels.
