This topic provides an overview of route tables and all associated system routes. After a VPC is created, the system automatically creates a default route table and adds system routes to the route table for traffic management. You cannot create or delete system routes. However, you can create custom routes to direct traffic to the destination CIDR block.

Route tables

After a VPC is created, the system creates a default route table to control routes of the VPC. All VSwitches in the VPC use the route table by default. You cannot create or delete the default route table. However, you can create a custom route table and associate it with a VSwitch to control the routes of the corresponding subnet. For more information, see Create a custom route table.

Each item in a route table is a route entry. A route entry specifies the destination of traffic and consists of the destination CIDR block, the next hop type, and the next hop. Route entries include system route entries and custom route entries.

Note the following when you manage route tables:
  • Each VPC can contain up to 10 route tables, including the system route table.
  • Each VSwitch can be associated with only one route table. The routes of a VSwitch (subnet) are managed by the associated route table.
  • After a VSwitch is created, it is associated with the system route table by default.
  • To change a custom route table associated with a VSwitch to a system route table, you only need to disassociate the custom route table from the VSwitch. To associate the VSwitch with another route table, you need to disassociate the current route table from the VSwitch and then associate the VSwitch with the target custom route table.
  • All regions except China (Beijing), China (Shenzhen), and China (Hangzhou) support custom route tables.
  • Custom route tables do not support active/standby routes and load balancing routes.

System routes

After a VPC is created, the system automatically adds the following system routes to the route table:
  • The route entry whose destination CIDR block is 100.64.0.0/10. This route is used for communication among cloud resources in the VPC.
  • The route entry whose destination CIDR block is the CIDR block of the VSwitch. This route is used for communication among cloud resources in the VSwitch.
For example, if you have created a VPC whose CIDR block is 192.168.0.0/16 and two VSwitches whose CIDR blocks are respectively 192.168.1.0/24 and 192.168.0.0/24, three system routes are automatically added to the route table of the VPC, as shown in the following table.
| Destination CIDR block | Next hop | Type |
| --- | --- | --- |
| 100.64.0.0/10 | - | System route |
| 192.168.1.0/24 | - | System route |
| 192.168.0.0/24 | - | System route |

Custom routes

You can add custom routes to replace system routes or route traffic to a specified destination. You can specify the following next hop types when you create a custom route entry:

  • ECS instance: Traffic pointing to the destination CIDR block is forwarded to an ECS instance in the VPC.

    You need to select this type if you want to access the Internet or other applications through the applications deployed on the ECS instance.

  • VPN Gateway: Traffic pointing to the destination CIDR block is forwarded to a VPN Gateway.

    You need to select this type if you want to connect to another VPC or an on-premises data center through VPN Gateway.

  • NAT Gateway: Traffic pointing to the destination CIDR block is forwarded to a NAT Gateway.

    You need to select this type if you want to connect to the Internet through the NAT gateway.

  • Router Interface (To VPC): Traffic pointing to the destination CIDR block is forwarded to a VPC.

    You need to select this type if you want to connect two VPCs through Express Connect.

  • Router Interface (To VBR): Traffic pointing to the destination CIDR block is forwarded to a VBR.

    You need to select this type if you want to connect a VPC to an on-premises data center through Express Connect (physical connection access).

  • Secondary ENI: Traffic pointing to the destination CIDR block is forwarded to a secondary ENI.
  • IPv6 Gateway: Traffic pointing to the destination CIDR block is forwarded to an IPv6 Gateway.

    You need to select this type if you want to implement IPv6 communication through an IPv6 Gateway.

IPv6 routes

If IPv6 is enabled for your VPC, the following route entries are automatically added to the system route table of the VPC:
  • The custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 Gateway. This route is used by the cloud resources in a VPC to communicate with the Internet through IPv6 addresses.
  • The system route entry whose destination CIDR block is the IPv6 CIDR block of the VSwitch. This route is used for communication within a VSwitch.
    Note: If you have created a custom route table and associated it with a VSwitch whose IPv6 CIDR block is enabled, you must add a custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 Gateway instance. For more information, see Add a custom route entry.

Routing rules

If more than one route entry matches the destination CIDR block, the longest prefix match is used to route traffic: the route entry with the longest subnet mask (the most specific route) is used.

The following table describes a route table of a VPC.
| Destination CIDR block | Next hop type | Next hop | Route entry type |
| --- | --- | --- | --- |
| 100.64.0.0/10 | - | - | System route |
| 192.168.0.0/24 | - | - | System route |
| 0.0.0.0/0 | Instance | i-12345678 | Custom route |
| 10.0.0.0/24 | Instance | i-87654321 | Custom route |

The route entries destined for the 100.64.0.0/10 and 192.168.0.0/24 CIDR blocks are system route entries. The route entries destined for the 0.0.0.0/0 and 10.0.0.0/24 CIDR blocks are custom route entries. Traffic destined for 0.0.0.0/0 is forwarded to the ECS instance i-12345678, and traffic destined for 10.0.0.0/24 is forwarded to the ECS instance i-87654321. According to the longest prefix match algorithm, traffic destined for 10.0.0.1 is forwarded to the ECS instance i-87654321, and traffic destined for 10.0.1.1 is forwarded to the ECS instance i-12345678.
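
The lookup described above, as an added example (not code from the original page or from the VPC service): it resolves destinations against the table in this section using longest prefix match, and lists which more specific entries take over part of a broader route such as 0.0.0.0/0, which is the first thing to check when reviewing where a subnet's traffic can be sent. The names `Route`, `lookup` and `carve_outs` are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    dest: str                 # destination CIDR block
    hop_type: Optional[str]   # next hop type ("-" in the table becomes None)
    hop: Optional[str]        # next hop
    kind: str                 # "System" or "Custom"

# Route table copied from the "Routing rules" table on this page.
ROUTES = [
    Route("100.64.0.0/10", None, None, "System"),
    Route("192.168.0.0/24", None, None, "System"),
    Route("0.0.0.0/0", "Instance", "i-12345678", "Custom"),
    Route("10.0.0.0/24", "Instance", "i-87654321", "Custom"),
]

def lookup(routes, dest_ip):
    """Return the matching route with the longest prefix, or None if nothing matches."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.dest)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.dest).prefixlen,
               default=None)

def carve_outs(routes, cidr):
    """List the more specific entries inside `cidr`; they win over it for their range."""
    outer = ipaddress.ip_network(cidr)
    found = []
    for r in routes:
        net = ipaddress.ip_network(r.dest)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version == outer.version and net != outer and net.subnet_of(outer):
            found.append(r.dest)
    return found

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.1.1", "192.168.0.7", "100.64.1.1"):
        r = lookup(ROUTES, ip)
        print(f"{ip:>12} -> {r.dest:<16} {r.kind:<7} next hop: {r.hop or '-'}")
    print("entries overriding part of 0.0.0.0/0:", carve_outs(ROUTES, "0.0.0.0/0"))
```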

Routing examples

You can add custom route entries to the route table to control traffic.

  • Routing within a VPC
    As shown in the following figure, a NAT Gateway is deployed on an ECS instance (ECS01) in a VPC. To enable cloud resources in the VPC to access the Internet through this ECS instance, you can add the following route entry to the route table.
    | Destination CIDR block | Next hop type | Next hop |
    | --- | --- | --- |
    | 0.0.0.0/0 | ECS instance | ECS01 |

    [Figure: Routing within a VPC]
  • Connect two VPCs through Express Connect

    As shown in the following figure, when you use Express Connect to connect VPC1 (172.16.0.0/12) and VPC2 (192.168.0.0/16), you must add a route entry in both VPCs after you create route interfaces.

    • Route entry added to VPC1
      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | Router interface (To VPC) | VPC2 |
    • Route entry added to VPC2
      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | Router interface (To VPC) | VPC1 |

    [Figure: Connect two VPCs through Express Connect]
  • Connect two VPCs through a VPN Gateway
    As shown in the following figure, when you use a VPN Gateway to connect VPC1 (172.16.0.0/12) and VPC2 (10.0.0.0/8), you must add a route entry in both VPCs after you configure the VPN Gateway.
    • Route entry added to VPC1
      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 10.0.0.0/8 | VPN Gateway | VPN Gateway 1 |
    • Route entry added to VPC2
      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | VPN Gateway | VPN Gateway 2 |

  • Connect a VPC to an on-premises data center through Express Connect

    As shown in the following figure, when you use Express Connect to connect a VPC to an on-premises data center, you must add the following route entries after you configure the leased line and the VBR.

    • Route entry added to VPC
      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | Router interface (general routing) | Router interface (RI1) |
    • Route entry added to VBR
      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | To leased line | Router interface (RI3) |
      | 172.16.0.0/12 | To VPC | Router interface (RI2) |
    • Route entry added to the on-premises data center
      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | - | Local gateway device |

    [Figure: Local IDC connection (Express Connect)]
  • Connect a VPC to an on-premises data center through a VPN Gateway
    As shown in the following figure, when you use a VPN Gateway to connect a VPC (172.16.0.0/12) to an on-premises data center (192.168.0.0/16), you must add the following route entry to the VPC.
    | Destination CIDR block | Next hop type | Next hop |
    | --- | --- | --- |
    | 192.168.0.0/16 | VPN Gateway | The created VPN Gateway |

    [Figure: Connect a VPC to an on-premises data center through a VPN Gateway]