
VPN Gateway:Manage destination-based routes

Last Updated:Nov 26, 2024

After you create destination-based routes, a VPN gateway finds a destination-based route that matches the destination IP address of traffic, and then forwards the traffic by using the matching destination-based route.

Prerequisites

IPsec-VPN connections are created and associated with the VPN gateway. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode or Create and manage an IPsec-VPN connection in dual-tunnel mode.

Limits

  • Do not set the destination CIDR block of a destination-based route to 0.0.0.0/0.

  • Do not set the destination CIDR block of a destination-based route to 100.64.0.0/10, to a subnet of 100.64.0.0/10, or to a CIDR block that contains 100.64.0.0/10. If such a route is added, the status of the IPsec-VPN connection cannot be displayed in the console, or IPsec negotiations fail.

Matching rules for destination-based routes

By default, a VPN gateway finds the matching destination-based route based on the longest prefix match rule.

If active and standby destination-based routes are configured on your VPN gateway, the VPN gateway selects destination-based routes based on the IPsec-VPN connection negotiation and health check status.

  • If the IPsec-VPN connection associated with the active destination-based route passes both the negotiation and health check, the active destination-based route is used.

  • If the IPsec-VPN connection associated with the active destination-based route fails the negotiation or health check but the IPsec-VPN connection associated with the standby destination-based route passes both the negotiation and health check, the standby destination-based route is used.

  • If both the IPsec-VPN connections associated with active destination-based route and the standby destination-based route fail the negotiation or health check, the active destination-based route is used.

For example, a packet is destined for an IP address in 10.10.10.0/24. After the packet arrives at the VPN gateway, the VPN gateway finds the following two destination-based routes in the routing table that match the destination IP address. Route 2 has a destination CIDR block with a /16 subnet mask and Route 1 has a destination CIDR block with an /8 subnet mask. The VPN gateway selects Route 2 to forward the packet because Route 2 has the longer subnet mask.

Name      Destination CIDR block   Next hop                 Weight
Route 1   10.0.0.0/8               IPsec-VPN Connection 1   100
Route 2   10.10.0.0/16             IPsec-VPN Connection 2   100
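As an added example that is not part of the Alibaba Cloud documentation, the following Python models the selection rules above (longest prefix match first, then the active/standby decision based on negotiation and health-check status) together with the two CIDR limits from the Limits section. The route names, connection names and connection states are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 100.64.0.0/10 must not be routed over the VPN gateway (see Limits).
RESERVED = ip_network("100.64.0.0/10")


@dataclass
class Route:
    name: str
    cidr: str
    next_hop: str   # name of the IPsec-VPN connection (constructed)
    weight: int     # 100 = active, 0 = standby


@dataclass
class ConnState:
    negotiated: bool  # IPsec negotiation succeeded
    healthy: bool     # health check passed


def validate_cidr(cidr: str) -> None:
    """Reject the destination CIDR blocks the Limits section forbids."""
    net = ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("destination CIDR block must not be 0.0.0.0/0")
    if net.subnet_of(RESERVED) or net.supernet_of(RESERVED):
        raise ValueError(f"{cidr} overlaps 100.64.0.0/10; negotiation would fail")


def select_route(routes, states, dst_ip):
    """Return the route the gateway would use for dst_ip, or None."""
    dst = ip_address(dst_ip)
    matches = [r for r in routes if dst in ip_network(r.cidr)]
    if not matches:
        return None
    # Rule 1: longest prefix match.
    longest = max(ip_network(r.cidr).prefixlen for r in matches)
    group = [r for r in matches if ip_network(r.cidr).prefixlen == longest]
    if len(group) == 1:
        return group[0]
    # Rule 2: an active/standby pair shares the CIDR; prefer the active route
    # while its connection is negotiated and healthy, else the standby one.
    active = max(group, key=lambda r: r.weight)
    standby = min(group, key=lambda r: r.weight)
    def up(r):
        s = states[r.next_hop]
        return s.negotiated and s.healthy
    if up(active) or not up(standby):
        return active  # both down: the page says the active route is still used
    return standby
```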

Create a destination-based route

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where the VPN gateway is deployed.
  3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.

  4. On the Destination-based Route Table tab, click Add Route Entry.

  5. In the Add Route Entry panel, configure the following parameters and click OK.

    Destination CIDR Block
      The private CIDR block of the data center that you want to access.

    Next Hop Type
      The type of the next hop. Select IPsec-VPN connection.

    Next Hop
      The IPsec-VPN connection that you created.

    Advertise to VPC
      Specify whether to advertise the route to the VPC route table.

      • Yes (recommended): advertises the route to the VPC route table. The route is advertised to the VPC system route table, but not to a VPC custom route table.

        You can manually add the route to a VPC custom route table. For more information, see Add a custom route.

      • No: does not advertise the route to the VPC route table.

        If you select No, you must manually add a destination-based route that points to the VPN gateway to the VPC custom route table and system route table. Otherwise, the VPC cannot access resources in the CIDR block through an IPsec-VPN connection.

      Important
      If you create a route with the same destination CIDR block in both the policy-based route table and the destination-based route table, and advertise both routes to the same VPC route table, when you withdraw the route in the destination-based route table, the route in the policy-based route table is also withdrawn.

    Weight
      The weight of the destination-based route.

      If you use the same VPN gateway to establish active and standby IPsec-VPN connections, you can configure route weights to specify which destination-based route is active. A value of 100 specifies the active destination-based route, whereas a value of 0 specifies the standby destination-based route.

      You can configure health checks to automatically check the connectivity of IPsec-VPN connections. If the IPsec-VPN connection associated with the active destination-based route is down, the system automatically switches to the IPsec-VPN connection associated with the standby destination-based route. For more information about health checks, see the "Health checks" section of the Create and manage IPsec-VPN connections in single-tunnel mode topic.

      • 100 (Active): The destination-based route is active. This is the default value.

      • 0 (Standby): The destination-based route is standby.

      Note
      • The active and standby destination-based routes must point to the same destination CIDR block but be associated with different IPsec-VPN connections. In addition, the active and standby destination-based routes must have different weights.

      • If you want to modify the weight of the active destination-based route, you must first delete the standby destination-based route. After the weight of the active destination-based route is modified, reconfigure the standby destination-based route. Likewise, if you want to modify the weight of the standby destination-based route, you must first delete the active destination-based route, modify the weight, and then reconfigure the active destination-based route.

    If the overlapping route error is reported when you add a destination-based route to a VPN gateway, see the "How do I troubleshoot the overlapping route error that is reported when I add a route to a VPN gateway?" section of the FAQ about VPN gateways topic.

Advertise a destination-based route

If you do not choose to advertise the destination-based route to the VPC route table when you create the route, you can perform this operation to advertise the route to the VPC route table. The route is advertised to the VPC system route table, but not to a VPC custom route table.

You can manually add the route to a VPC custom route table. For more information, see Add a custom route.

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where the VPN gateway is deployed.
  3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.

  4. On the Destination-based Route Table tab, find the destination-based route that you want to advertise and click Advertise in the Actions column.

  5. In the Advertise Route message, click OK.

    If you want to withdraw the destination-based route, click Withdraw in the Actions column.

    Important

    If you create a route with the same destination CIDR block in both the policy-based route table and the destination-based route table, and advertise both routes to the same VPC route table, when you withdraw the route in the destination-based route table, the route in the policy-based route table is also withdrawn.

Modify a destination-based route

You can change the weight of an existing destination-based route.

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where the VPN gateway is deployed.
  3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.

  4. On the Destination-based Route Table tab, find the destination-based route that you want to manage and click Edit in the Actions column.

  5. In the panel that appears, change the weight of the destination-based route and click OK.

Delete a destination-based route

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where the VPN gateway is deployed.
  3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.

  4. On the Destination-based Route Table tab, find the destination-based route that you want to delete and click Delete in the Actions column.

  5. In the Delete Route Entry message, click OK.

Call API operations to manage destination-based routes

You can use tools such as Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS) to manage destination-based routes by calling the following API operations: