After you create a virtual private cloud (VPC), the system creates a system route table for the VPC and adds system routes to the route table. The system routes are used to route traffic within the VPC. You cannot create or delete system routes. However, you can create custom routes to route traffic from specific CIDR blocks to a specified destination.

Route tables

  • System route tables

    After you create a VPC, the system creates a system route table to manage routes of the VPC. By default, vSwitches in the VPC use the system route table. You cannot create or delete a system route table. However, you can add custom route entries to a system route table.

  • Custom route tables

    You can create a custom route table in a VPC and associate the custom route table with a vSwitch. This allows you to manage networks in a more flexible manner. For more information, see Create a custom route table.

When you manage route tables, take note of the following limits:
  • Each VPC can contain at most 10 route tables including the system route table.
  • Each vSwitch can be associated with only one route table. The routing policies of a vSwitch are managed by the route table that is associated with the vSwitch. You can associate the same route table with multiple vSwitches.
  • By default, a vSwitch is associated with the system route table after you create the vSwitch.
  • If you want to associate the system route table with a vSwitch that is associated with a custom route table, you must disassociate the custom route table from the vSwitch. If you want to associate a different custom route table with a vSwitch that is associated with a custom route table, you can directly replace the original custom route table.

Regions that support custom route tables

The following table describes the regions that support custom route tables by default.

| Area | Supported region |
| --- | --- |
| Asia Pacific | China (Qingdao), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shanghai), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), and Indonesia (Jakarta) |
| Europe & Americas | US (Silicon Valley), US (Virginia), Germany (Frankfurt), and UK (London) |
| Middle East & India | India (Mumbai) and UAE (Dubai) |

The custom route table feature is in public preview in the following regions. You can apply for public preview qualification.

| Area | Supported region |
| --- | --- |
| Asia Pacific | China (Beijing), China (Shanghai), and China (Shenzhen) |

Route entries

Each item in a route table is a route entry. A route entry consists of the destination CIDR block, the next hop type, and the next hop. The destination CIDR block is the IP address range to which you want to forward network traffic. The next hop type specifies the type of the cloud resource that is used to transmit network traffic, such as an Elastic Compute Service (ECS) instance, a VPN gateway, or a secondary elastic network interface (ENI). The next hop is the specific cloud resource that is used to transmit network traffic.

Route entries include system routes, custom routes, and dynamic routes.

  • System routes

    System routes are classified into IPv4 routes and IPv6 routes. You cannot modify system routes.

    • After you create a VPC and a vSwitch, the system automatically adds the following IPv4 routes to the route table:
      • A route entry whose destination CIDR block is 100.64.0.0/10. This route is used for communication among cloud resources within the VPC.
      • Route entries whose destination CIDR blocks are the same as the CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.
      For example, if you create a VPC whose CIDR block is 192.168.0.0/16 and two vSwitches whose CIDR blocks are 192.168.1.0/24 and 192.168.0.0/24, the following system routes are automatically added to the route table of the VPC. The "-" sign in the following table indicates that the item is not applicable.

      | Destination CIDR block | Next hop | Route type | Description |
      | --- | --- | --- | --- |
      | 100.64.0.0/10 | - | System route | Created by system. |
      | 192.168.1.0/24 | - | System route | Created with VSwitch(vsw-m5exxjccadi03tvx0****) by system. |
      | 192.168.0.0/24 | - | System route | Created with VSwitch(vsw-m5exxjccadi03tvx0****) by system. |

    • If IPv6 is enabled for your VPC, the following IPv6 routes are automatically added to the system route table of the VPC:
      • A custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway. Cloud resources deployed in the VPC use this route to access the Internet through IPv6 addresses.
      • System route entries whose destination CIDR blocks are the same as the IPv6 CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.
        Note: If you create a custom route table and associate it with a vSwitch for which an IPv6 CIDR block is enabled, you must add a custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway. For more information, see Add a custom route entry.
  • Custom routes
    You can add custom routes to replace system routes or route traffic to a specified destination. You can specify the following types of next hops when you create a custom route:
    • Elastic Compute Service (ECS) instance: Traffic that is destined for the destination CIDR block is routed to the specified ECS instance in the VPC.

      You can select this type if you want to access the Internet or other applications through the applications deployed on the ECS instance.

    • VPN gateway: Traffic destined for the destination CIDR block is routed to the specified VPN gateway.

      You can select this type if you want to connect a VPC to another VPC or an on-premises network through the VPN gateway.

    • NAT gateway: Traffic destined for the destination CIDR block is routed to the specified NAT gateway.

      You can select this type if you want to connect a VPC to the Internet through the NAT gateway.

    • Router interface (to VPC): Traffic that is destined for the destination CIDR block is routed to the specified VPC.

      You can select this type if you want to connect two VPCs through Express Connect circuits.

    • Router interface (to VBR): Traffic that is destined for the destination CIDR block is routed to the specified virtual border router (VBR).

      You can select this type if you want to connect a VPC to an on-premises network through Express Connect circuits.

    • Secondary ENI: Traffic that is destined for the destination CIDR block is routed to the specified secondary ENI.
    • Transit router: Traffic that is destined for the destination CIDR block is routed to the specified transit router.
    • IPv6 gateway: Traffic that is destined for the destination CIDR block is routed to the specified IPv6 gateway.

      You can select this type if you want to implement IPv6 communication through an IPv6 gateway. You can forward traffic to the specified IPv6 gateway only if a route is added to the system route table and an IPv6 gateway is created in the region where the vSwitch associated with the system route table is deployed.

  • Dynamic routes

    Dynamic routes are routes learned by Cloud Enterprise Network (CEN) instances, or routes learned by VPN gateways or VBRs through Border Gateway Protocol (BGP).

Route priorities

The priorities of routes take effect based on the following rules:
  • If the same destination CIDR block is specified for different routes:
    • You can implement load balancing only if you select router interface (to VBR) as the next hop type and configure health checks.
    • You can implement active/standby routing only if you select router interface (to VBR) as the next hop type and configure health checks.
    • In other cases, the destination CIDR blocks of different routes must be unique. The destination CIDR blocks of custom routes and dynamic routes cannot be the same as those of system routes. The destination CIDR blocks of custom routes cannot be the same as those of dynamic routes.
  • If the destination CIDR blocks of different routes overlap:

    The route with the longest prefix prevails and determines how network traffic is routed. The destination CIDR blocks of custom routes and dynamic routes can contain the CIDR blocks of system routes, but cannot be more specific than the CIDR blocks of system routes.

  • If the destination CIDR blocks of different routes are different:

    You can specify the same next hop for different routes.

The following table shows the route table of a VPC. The "-" sign indicates that the item is not applicable.

| Destination CIDR block | Next hop type | Next hop | Route entry type |
| --- | --- | --- | --- |
| 100.64.0.0/10 | - | - | System route |
| 192.168.0.0/24 | - | - | System route |
| 0.0.0.0/0 | ECS instance | i-bp15u6os7nx2c9h9**** | Custom route |
| 10.0.0.0/24 | ECS instance | i-bp1966ss26t47ka4**** | Custom route |

The routes whose destination CIDR blocks are 100.64.0.0/10 and 192.168.0.0/24 are system routes. The routes whose destination CIDR blocks are 0.0.0.0/0 and 10.0.0.0/24 are custom routes. Traffic destined for 0.0.0.0/0 is forwarded to the ECS instance whose ID is i-bp15u6os7nx2c9h9****, and traffic destined for 10.0.0.0/24 is forwarded to the ECS instance whose ID is i-bp1966ss26t47ka4****. According to longest prefix matching, traffic destined for 10.0.0.1 is forwarded to i-bp1966ss26t47ka4****, while traffic destined for 10.0.1.1 is forwarded to i-bp15u6os7nx2c9h9****.
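
The longest-prefix rule and the CIDR block constraints from the route priority rules, as an added example that is not part of the original documentation. It reproduces the lookups described above and checks a proposed custom route against the uniqueness and "not more specific than a system route" rules; `lookup` and `check_custom_route` are hypothetical helper names, and the router interface (to VBR) exception is not modeled.

```python
import ipaddress

# Route table from the page above ("-" becomes None; instance IDs are masked as on the page).
ROUTES = [
    ("100.64.0.0/10", None, "System"),
    ("192.168.0.0/24", None, "System"),
    ("0.0.0.0/0", "i-bp15u6os7nx2c9h9****", "Custom"),
    ("10.0.0.0/24", "i-bp1966ss26t47ka4****", "Custom"),
]

def lookup(routes, dest_ip):
    """Return the (cidr, next_hop, type) entry selected by longest prefix match, or None."""
    ip = ipaddress.ip_address(dest_ip)
    best, best_len = None, -1
    for cidr, hop, rtype in routes:
        net = ipaddress.ip_network(cidr)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = (cidr, hop, rtype), net.prefixlen
    return best

def check_custom_route(routes, new_cidr):
    """List the route-priority rules a proposed custom route would violate.

    Hypothetical helper. The router interface (to VBR) exception with health
    checks is not modeled, so every duplicate CIDR block is reported.
    """
    new = ipaddress.ip_network(new_cidr)
    problems = []
    for cidr, _hop, rtype in routes:
        net = ipaddress.ip_network(cidr)
        if net.version != new.version:
            continue
        if new == net:
            problems.append(f"duplicate of {rtype.lower()} route {cidr}")
        elif rtype == "System" and new.subnet_of(net):
            # May contain a system route's CIDR block, but not be more specific.
            problems.append(f"more specific than system route {cidr}")
    return problems

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.1.1", "192.168.0.5"):
        print(ip, "->", lookup(ROUTES, ip))
    for cidr in ("192.168.0.0/16", "192.168.0.0/25", "10.0.0.0/24"):
        print(cidr, "->", check_custom_route(ROUTES, cidr) or "ok")
```

Running the same check over an exported route table before adding a 0.0.0.0/0 or other broad custom route shows which destinations would change next hop and which system routes keep precedence.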

Limit

| Item | Default limit | Adjustable |
| --- | --- | --- |
| Maximum number of vRouters that can be created in each VPC | 1 | N/A |
| Maximum number of route tables that can be created in each VPC | 9 | Go to the Quota Management page to increase the quota. For more information, see Manage resource quotas. |
| Maximum number of custom route entries that can be created in each route table | 200 | |
| VPCs that do not support custom route tables | VPCs that contain ECS instances of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. For more information, see Advanced VPC features. | If your Elastic Compute Service (ECS) instance does not support advanced virtual private cloud (VPC) features, upgrade or release the ECS instance. |
| Maximum number of tags that can be added to each route table | 20 | |

Examples

You can add custom route entries to a route table to control inbound and outbound traffic transmitted over the VPC.

  • Connect a VPC to the Internet
    [Figure: On-premises routes]
    The preceding figure shows a NAT gateway that is deployed on an ECS instance (ECS 01) in a VPC. To enable the cloud resources in the VPC to access the Internet through the ECS instance, you must add the following custom route to the route table.

    | Destination CIDR block | Next hop type | Next hop |
    | --- | --- | --- |
    | 0.0.0.0/0 | ECS instance | ECS01 |

  • Connect two VPCs through Express Connect
    [Figure: Express Connect routes]
    The preceding figure shows that VPC 1 (172.16.0.0/12) is connected to VPC 2 (192.168.0.0/16) through Express Connect. After you create router interfaces, you must add the following routes to the VPCs:
    • Add the following route to VPC 1

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | Router interface (to VPC) | VPC2 |

    • Add the following route to VPC 2

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | Router interface (to VPC) | VPC1 |

  • Connect two VPCs through a VPN gateway
    [Figure: VPN gateway routes]
    The preceding figure shows that VPC 1 (172.16.0.0/12) is connected to VPC 2 (10.0.0.0/8) through a VPN gateway. After you configure the VPN gateway, you must add the following routes to the VPCs.
    • Add the following route to VPC 1

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 10.0.0.0/8 | VPN gateway | VPN gateway 1 |

    • Add the following route to VPC 2

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | VPN gateway | VPN gateway 2 |

  • Connect a VPC to a data center through Express Connect
    [Figure: VBR routes]
    The preceding figure shows that a VPC is connected to an on-premises network through Express Connect. After you configure the Express Connect circuit and the VBR, you must add the following routes:
    • Add the following route to the VPC

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | Router interface (to VBR) | Router interface RI 1 |

    • Add the following routes to the VBR

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 192.168.0.0/16 | Express Connect circuit | Router interface RI 3 |
      | 172.16.0.0/12 | VPC | Router interface RI 2 |

    • Add the following route to the on-premises network

      | Destination CIDR block | Next hop type | Next hop |
      | --- | --- | --- |
      | 172.16.0.0/12 | On-premises gateway | On-premises gateway device |

  • Connect a VPC to a data center through a VPN gateway
    [Figure: On-premises VPN gateway]
    The preceding figure shows that a VPC (172.16.0.0/12) is connected to a data center (192.168.0.0/16) through a VPN gateway. After you configure the VPN gateway, you must add the following route to the VPC.

    | Destination CIDR block | Next hop type | Next hop |
    | --- | --- | --- |
    | 192.168.0.0/16 | VPN gateway | The configured VPN gateway |