After you create a virtual private cloud (VPC), the system creates a system route table for the VPC and adds system routes to the route table. You can use the route table to manage network traffic transmitted over the VPC. You cannot create or delete system route entries. However, you can create custom route entries to route traffic from specific CIDR blocks to the specified destination.
Route tables
After you create a VPC, the system creates a system route table to manage routes of the VPC. By default, VSwitches in the VPC use this route table. You cannot create or delete the system route table of a VPC. However, you can disassociate a VSwitch from the system route table and then associate it with a custom route table to manage your network in a more flexible way. For more information, see Create a custom route table.
Each item in a route table is a route entry. A route entry specifies the destination of traffic and consists of the destination CIDR block, next hop type, and next hop. Route entries include system route entries and custom route entries.
- Each VPC supports at most 10 route tables, including the system route table.
- Each VSwitch can be associated with only one route table. The routing policies of a VSwitch are managed by the route table that is associated with the VSwitch.
- After you create a VSwitch, it is associated with the system route table by default.
- A VSwitch can be associated with only one route table at a time. Before you can associate the VSwitch with another route table (for example, move it from a custom route table back to the system route table), you must first disassociate the current route table from the VSwitch.
- All regions support custom route tables, except the China (Beijing), China (Shenzhen), and China (Hangzhou) regions.
- Custom route tables do not support active or standby routes, or load-balancing routes.
System routes
- A route entry with a destination CIDR block of 100.64.0.0/10. This route is used for communication among cloud resources within the VPC.
- Route entries whose destination CIDR blocks are the same as the CIDR blocks of the VSwitches in the VPC. These routes are used for communication among cloud resources within VSwitches.
Destination CIDR block | Next hop | Route entry type |
---|---|---|
100.64.0.0/10 | - | System route |
192.168.1.0/24 | - | System route |
192.168.0.0/24 | - | System route |
Custom routes
You can add custom routes to replace system routes or route traffic to a specific destination. You can specify the following next hop types when you create a custom route:
- ECS instance: Traffic destined for the destination CIDR block is routed to a specified Elastic Compute Service (ECS) instance in the VPC. You can select this type if you want to access the Internet or other applications through the applications deployed on the ECS instance.
- VPN gateway: Traffic destined for the destination CIDR block is routed to a specified VPN gateway. You can select this type if you want to connect a VPC to another VPC or an on-premises network through the VPN gateway.
- NAT gateway: Traffic destined for the destination CIDR block is routed to a specified NAT gateway. You can select this type if you want to connect a VPC to the Internet through the NAT gateway.
- VPC-facing router interface: Traffic destined for the destination CIDR block is routed to a specified VPC. You can select this type if you want to connect two VPCs through Express Connect.
- VBR-facing router interface: Traffic destined for the destination CIDR block is routed to a specified virtual border router (VBR). You can select this type if you want to connect a VPC to an on-premises network through Express Connect.
- Secondary ENI: Traffic destined for the destination CIDR block is routed to a specified secondary elastic network interface (ENI).
- IPv6 gateway: Traffic destined for the destination CIDR block is routed to a specified IPv6 gateway. You can select this type if you want to implement IPv6 communication through an IPv6 gateway.
IPv6 routes
- A custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway. Cloud resources deployed in the VPC network use this route to access the Internet through IPv6 addresses.
- A system route entry whose destination CIDR block is the IPv6 CIDR block of a VSwitch. This route is used for communication within the VSwitch.
Note: If you create a custom route table and associate it with a VSwitch that has an IPv6 CIDR block enabled, you must add a custom route entry whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway instance. For more information, see Add a custom route entry.
Routing rules
If multiple route entries match the destination address, the route entry whose destination CIDR block has the longest prefix (the largest number after the slash, that is, the most specific CIDR block) prevails and determines the next hop. This longest-prefix matching ensures that traffic is routed to the most precise destination.
Destination CIDR block | Next hop type | Next hop | Route entry type |
---|---|---|---|
100.64.0.0/10 | - | - | System |
192.168.0.0/24 | - | - | System |
0.0.0.0/0 | Instance | i-12345678 | Custom |
10.0.0.0/24 | Instance | i-87654321 | Custom |
The route entries destined for 100.64.0.0/10 and 192.168.0.0/24 are system route entries. The route entries destined for 0.0.0.0/0 and 10.0.0.0/24 are custom route entries. Traffic destined for 0.0.0.0/0 is routed to the ECS instance i-12345678, and traffic destined for 10.0.0.0/24 is routed to the ECS instance i-87654321. Based on the preceding rule, traffic destined for 10.0.0.1 is routed to the ECS instance i-87654321, and traffic destined for 10.0.1.1 is routed to the ECS instance i-12345678.
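The longest-prefix rule above, worked through in code as an added example (not part of the original page): the route table is the one from the preceding table, plus a constructed ::/0 entry with a placeholder IPv6 gateway ID to mirror the IPv6 routes section. Both address families are handled, and an address that no entry covers returns None.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class RouteEntry:
    destination: str    # destination CIDR block
    next_hop_type: str  # "-" for system routes
    next_hop: str       # "-" for system routes
    entry_type: str     # "System" or "Custom"


# Route table from the routing-rules example on this page; the IPv6 entry and
# its gateway ID "ipv6gw-example" are constructed placeholders.
ROUTE_TABLE: List[RouteEntry] = [
    RouteEntry("100.64.0.0/10", "-", "-", "System"),
    RouteEntry("192.168.0.0/24", "-", "-", "System"),
    RouteEntry("0.0.0.0/0", "Instance", "i-12345678", "Custom"),
    RouteEntry("10.0.0.0/24", "Instance", "i-87654321", "Custom"),
    RouteEntry("::/0", "IPv6 gateway", "ipv6gw-example", "Custom"),
]


def lookup(table: List[RouteEntry], address: str) -> Optional[RouteEntry]:
    """Longest-prefix match: among the entries whose destination CIDR block
    contains the address, return the one with the longest prefix length."""
    addr = ip_address(address)
    best: Optional[RouteEntry] = None
    best_len = -1
    for entry in table:
        net = ip_network(entry.destination, strict=False)
        # An IPv4 address never matches an IPv6 route and vice versa.
        if net.version != addr.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def next_hop_for(table: List[RouteEntry], address: str) -> Optional[str]:
    """Convenience wrapper returning only the selected next hop."""
    entry = lookup(table, address)
    return entry.next_hop if entry else None


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.1.1", "100.64.1.1", "2001:db8::1"):
        print(ip, "->", lookup(ROUTE_TABLE, ip))
```

For 10.0.0.1 the /24 entry wins over 0.0.0.0/0, so the next hop is i-87654321; for 10.0.1.1 only the default route matches, so the next hop is i-12345678.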
Routing examples
You can add custom route entries to a route table to control inbound and outbound traffic transmitted over the VPC.
- Routes within a VPC
  A NAT gateway is deployed on an ECS instance (ECS 01) in a VPC, as shown in the following figure. To enable the cloud resources in the VPC to access the Internet through the ECS instance, you must add the following route entry to the route table:
  Destination CIDR block | Next hop type | Next hop |
  ---|---|---|
  0.0.0.0/0 | ECS instances | ECS 01 |
- Connect two VPCs through Express Connect
  VPC 1 (172.16.0.0/12) is connected to VPC 2 (192.168.0.0/16) through Express Connect, as shown in the following figure. After you create router interfaces, you must add the following route entry in both VPCs:
  - VPC 1
    Destination CIDR block | Next hop type | Next hop |
    ---|---|---|
    192.168.0.0/16 | VPC-facing router interface | VPC2 |
  - VPC 2
    Destination CIDR block | Next hop type | Next hop |
    ---|---|---|
    172.16.0.0/12 | VPC-facing router interface | VPC1 |
- Connect two VPCs through a VPN gateway
  VPC 1 (172.16.0.0/12) is connected to VPC 2 (10.0.0.0/8) through a VPN gateway, as shown in the following figure. After you configure the VPN gateway, you must add the following route entry in both VPCs:
  - VPC 1
    Destination CIDR block | Next hop type | Next hop |
    ---|---|---|
    10.0.0.0/8 | VPN gateways | VPN gateway 1 |
  - VPC 2
    Destination CIDR block | Next hop type | Next hop |
    ---|---|---|
    172.16.0.0/12 | VPN gateways | VPN gateway 2 |
- Connect a VPC to an on-premises data center through Express Connect
  A VPC is connected to an on-premises network through Express Connect, as shown in the following figure. After you configure the leased line and the VBR, you must add the following route entries:
  - VPC
    Destination CIDR block | Next hop type | Next hop |
    ---|---|---|
    192.168.0.0/16 | Router interfaces (general routing) | Router interface RI 1 |
  - VBR
    Destination CIDR block | Next hop type | Next hop |
    ---|---|---|
    192.168.0.0/16 | Leased lines | Router interface RI 3 |
    172.16.0.0/12 | VPCs | Router interface RI 2 |
  - On-premises network
    Destination CIDR block | Next hop type | Next hop |
    ---|---|---|
    172.16.0.0/12 | - | On-premises gateway device |
- Connect a VPC to an on-premises data center through a VPN gateway
  A VPC (172.16.0.0/12) is connected to an on-premises data center (192.168.0.0/16), as shown in the following figure. After you configure the VPN gateway, you must add the following route entry to the VPC:
  Destination CIDR block | Next hop type | Next hop |
  ---|---|---|
  192.168.0.0/16 | VPN gateways | The VPN gateway that you created |