After you create a Virtual Private Cloud (VPC) network, the system creates a system route table for the VPC network and adds system routes to the route table. You can use the route table to manage network traffic transmitted over the VPC network. You cannot create or delete system routes. However, you can create custom routes to direct traffic to the destination CIDR block.

Route tables

After you create a VPC network, the system creates a system route table to manage routes of the VPC. By default, VSwitches in the VPC use this route table. You cannot create or delete the system route table. However, you can unbind the system route table from VSwitches, create a custom route table in your VPC network, and then bind the custom route table to VSwitches to manage the routes of the subnets. For more information, see Create a custom route table.

Each item in a route table is a route entry. A route entry specifies the destination of traffic and consists of the destination CIDR block, next hop type, and next hop. Route entries include system route entries and custom route entries.

Note the following when you manage route tables:
  • Each VPC network supports up to 10 route tables, including system route tables.
  • Each VSwitch can be bound to only one route table. The routing policies of the subnets attached to a VSwitch are managed by the route table that is bound to the VSwitch.
  • After you create a VSwitch, it is bound to the system route table.
  • If a VSwitch is bound to a custom route table and you unbind that route table, the VSwitch is automatically bound to the system route table again. To bind a VSwitch to another custom route table, unbind the current route table and then bind the required custom route table to the VSwitch.
  • All regions support custom route tables, except China (Beijing), China (Shenzhen), and China (Hangzhou).
  • Custom route tables do not support active or standby routes, or load balancing routes.

System routes

After you create a VPC, the system automatically adds the following system routes to the route table:
  • The route entry whose destination CIDR block is 100.64.0.0/10. This route is used for communication among cloud resources over the VPC network.
  • The route entry whose destination CIDR block is the CIDR block of the VSwitch. This route is used for communication among cloud resources in the VSwitch.
For example, if you create a VPC whose CIDR block is 192.168.0.0/16 and two VSwitches whose CIDR blocks are 192.168.1.0/24 and 192.168.0.0/24, three system routes are automatically added to the route table of the VPC. The following table describes these system routes.
| Destination CIDR block | Next hop | Type |
| --- | --- | --- |
| 100.64.0.0/10 | - | System routes |
| 192.168.1.0/24 | - | System routes |
| 192.168.0.0/24 | - | System routes |

Custom routes

You can add custom routes to replace system routes or route traffic to a specified destination. You can specify the following next hop types when you create a custom route entry:

  • Elastic Compute Service (ECS) instance: Traffic destined for the destination CIDR block is forwarded to an ECS instance in the VPC.

    You can select this type if you want to access the Internet or other applications through the applications deployed on the ECS instance.

  • VPN gateway: Traffic destined for the destination CIDR block is forwarded to a VPN gateway.

    You can select this type if you want to connect to another VPC or a data center through a VPN gateway.

  • NAT gateway: Traffic destined for the destination CIDR block is forwarded to a NAT gateway.

    You can select this type if you want to connect to the Internet through the NAT gateway.

  • Router interface (To VPC): Traffic destined for the destination CIDR block is forwarded to a VPC.

    You can select this type if you want to connect two VPCs through Express Connect.

  • Router interface (To VBR): Traffic destined for the destination CIDR block is forwarded to a Virtual Border Router (VBR).

    You can select this type if you want to connect a VPC to a data center through Express Connect.

  • Secondary ENI: Traffic destined for the destination CIDR block is forwarded to a specified secondary Elastic Network Interface (ENI).
  • IPv6 gateway: Traffic destined for the destination CIDR block is forwarded to an IPv6 gateway.

    You can select this type if you want to implement IPv6 communication through an IPv6 gateway.

IPv6 routes

If IPv6 is enabled for your VPC, the following route entries are automatically added to the system route table of the VPC:
  • A custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway. Cloud resources deployed in the VPC network use this route to access the Internet through IPv6 addresses.
  • A system route entry whose destination CIDR block is the IPv6 CIDR block of a VSwitch. This route is used for communication within the VSwitch.
    Note: If you create a custom route table and bind it to a VSwitch for which an IPv6 CIDR block is enabled, you must add a custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway instance. For more information, see Add a custom route entry.

Routing rules

Longest prefix match is used to route traffic if more than one route entry matches the destination address. In that case, the VSwitch selects the matching entry with the longest subnet mask and uses it to determine the next hop. The longest subnet mask indicates the most precise route.

The following table describes a route table of a VPC.
| Destination CIDR block | Next hop type | Next hop | Route entry type |
| --- | --- | --- | --- |
| 100.64.0.0/10 | - | - | System route |
| 192.168.0.0/24 | - | - | System route |
| 0.0.0.0/0 | Instance | i-12345678 | Custom route |
| 10.0.0.0/24 | Instance | i-87654321 | Custom route |

The route entries destined for the 100.64.0.0/10 and 192.168.0.0/24 CIDR blocks are system route entries. The route entries destined for the 0.0.0.0/0 and 10.0.0.0/24 CIDR blocks are custom route entries. Traffic destined for 0.0.0.0/0 is forwarded to the ECS instance i-12345678, and traffic destined for 10.0.0.0/24 is forwarded to the ECS instance i-87654321. Based on longest prefix match, traffic destined for 10.0.0.1 is forwarded to the ECS instance i-87654321, and traffic destined for 10.0.1.1 is forwarded to the ECS instance i-12345678.
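
The lookup described above, written out as an added example (not code from the original documentation). The Route tuple and the function names are assumptions made for this sketch; the entries are the ones in the table above. It also reports when a destination is carried only by a /0 catch-all entry, and it handles an address family with no matching entry.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    dest: str        # destination CIDR block
    hop_type: str    # next hop type ("-" for system routes)
    next_hop: str    # next hop ("-" for system routes)
    entry_type: str  # "System route" or "Custom route"

# The route table from the section above.
ROUTE_TABLE = [
    Route("100.64.0.0/10", "-", "-", "System route"),
    Route("192.168.0.0/24", "-", "-", "System route"),
    Route("0.0.0.0/0", "Instance", "i-12345678", "Custom route"),
    Route("10.0.0.0/24", "Instance", "i-87654321", "Custom route"),
]

def candidates(table, address):
    """Every entry whose CIDR block contains the address, longest prefix first."""
    ip = ipaddress.ip_address(address)
    hits = []
    for route in table:
        net = ipaddress.ip_network(route.dest)
        # An IPv4 address never matches an IPv6 block, and vice versa.
        if net.version == ip.version and ip in net:
            hits.append((net.prefixlen, route))
    hits.sort(key=lambda hit: hit[0], reverse=True)
    return [route for _, route in hits]

def lookup(table, address) -> Optional[Route]:
    """Longest prefix match: the winning entry, or None when nothing matches."""
    hits = candidates(table, address)
    return hits[0] if hits else None

def falls_through_to_default(table, address) -> bool:
    """True when the winning entry is a /0 catch-all (no more specific match)."""
    winner = lookup(table, address)
    return winner is not None and ipaddress.ip_network(winner.dest).prefixlen == 0

if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.1.1", "192.168.0.7", "100.64.3.4", "2001:db8::1"):
        print(dst, "->", lookup(ROUTE_TABLE, dst))
```
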

Limits

| Item | Limit | Quota increase supported |
| --- | --- | --- |
| The maximum number of VRouters that can be created in a VPC | 1 | No. |
| The maximum number of route tables that can be created in a VPC | 10 | Submit a ticket. |
| The maximum number of custom route entries that can be created in a route table | 48 | Submit a ticket. |
| Regions that support custom route tables | Custom route tables are applicable in all regions except China (Beijing), China (Shenzhen), and China (Hangzhou). | No. |
| VPCs that do not support custom route tables | VPCs that are associated with ECS instances of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. For more information, see VPC advanced features overview. | Upgrade or release an Elastic Compute Service (ECS) instance that does not support advanced network features. |

Note: If your VPC network is associated with instances of the specified instance families and uses a custom route table, you must upgrade or release the instance. Otherwise, the custom route table cannot work as expected.

Routing examples

You can add custom route entries to the route table to control inbound and outbound traffic in a VPC.

  • Routing within a VPC
    As shown in the following figure, a NAT gateway is deployed on an ECS instance (ECS01) in a VPC. To enable cloud resources in the VPC to access the Internet through this ECS instance, you can add the following route entry to the route table.
    | Destination CIDR block | Next hop type | Next hop |
    | --- | --- | --- |
    | 0.0.0.0/0 | ECS instance | ECS01 |

    [Figure: Routing within a VPC]
  • Connect two VPCs through Express Connect

    As shown in the following figure, VPC1 (172.16.0.0/12) is connected to VPC2 (192.168.0.0/16) through Express Connect. You must add a route entry in both VPC networks after you create router interfaces.

    • Route entry added to VPC1

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | Router interface (to VPC) | VPC2 |

    • Route entry added to VPC2

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | Router interface (to VPC) | VPC1 |

    [Figure: Connect two VPCs through Express Connect]
  • Connect two VPCs through a VPN gateway
    As shown in the following figure, VPC1 (172.16.0.0/12) is connected to VPC2 (10.0.0.0/8) through a VPN gateway. You must add a route entry in both VPC networks after you configure the VPN gateway.
    • Route entry added to VPC1

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 10.0.0.0/8 | VPN gateway | VPN gateway 1 |

    • Route entry added to VPC2

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | VPN gateway | VPN gateway 2 |
  • Connect a VPC to a data center through Express Connect

    As shown in the following figure, a VPC network is connected to a data center through Express Connect. You must add the following route entries after you configure a physical connection and a VBR:

    • Route entry added to VPC

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | Router interface (general routing) | Router interface RI1 |

    • Route entry added to VBR

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | To the physical connection | Router interface RI3 |
      | 172.16.0.0/12 | To VPC | Router interface RI2 |

    • Route entry added to the data center

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | - | A specified local gateway device |

    [Figure: Connect a VPC to a data center through Express Connect]
  • Connect a VPC to a data center through a VPN gateway
    As shown in the following figure, when you use a VPN gateway to connect a VPC (172.16.0.0/12) to a data center (192.168.0.0/16), you must add the following route entry to the VPC.
    | Destination CIDR block | Next hop type | Next hop |
    | --- | --- | --- |
    | 192.168.0.0/16 | VPN gateway | A specified VPN gateway |

    [Figure: Connect a VPC to a data center through a VPN gateway]
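
The two-VPC examples above require a route entry on both sides. The following added example (not part of the original documentation) checks a pair of route tables for a missing return route and for a more specific entry that, under longest prefix match, diverts part of the peer's range to a different next hop. The dictionary layout and function names are assumptions; the CIDR blocks and entries are the ones from the Express Connect example.

```python
import ipaddress

# Constructed model of the two-VPC Express Connect example above.
VPCS = {
    "VPC1": {"cidr": "172.16.0.0/12",
             "routes": [("192.168.0.0/16", "Router interface (to VPC)", "VPC2")]},
    "VPC2": {"cidr": "192.168.0.0/16",
             "routes": [("172.16.0.0/12", "Router interface (to VPC)", "VPC1")]},
}

def route_findings(vpcs, src, dst):
    """Findings for traffic from src to dst's CIDR block (empty list = OK)."""
    dst_net = ipaddress.ip_network(vpcs[dst]["cidr"])
    covering, partial = [], []
    for dest, _hop_type, hop in vpcs[src]["routes"]:
        net = ipaddress.ip_network(dest)
        if net.version != dst_net.version:
            continue
        if dst_net.subnet_of(net):
            # Entry carries the whole peer range (possibly a broader block).
            covering.append((net.prefixlen, hop))
        elif net.subnet_of(dst_net):
            # Entry is more specific than the peer range and wins for its slice.
            partial.append((dest, hop))
    if not covering:
        return [f"{src}: no route entry covers {dst} ({dst_net})"]
    best_hop = max(covering)[1]  # longest prefix among the covering entries
    return [f"{src}: {dest} sends part of {dst}'s range to {hop}, not {best_hop}"
            for dest, hop in partial if hop != best_hop]

def check_pair(vpcs, a, b):
    """Both directions must be routed for the connection to carry traffic."""
    return route_findings(vpcs, a, b) + route_findings(vpcs, b, a)

if __name__ == "__main__":
    print(check_pair(VPCS, "VPC1", "VPC2") or "both directions routed")
```
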