Cloud Enterprise Network (CEN) supports routing policies. You can configure routing policies to filter and modify routes. This allows you to manage network communication in the cloud.

How it works

CEN has a gateway in each Alibaba Cloud region. Regional gateways are one of the basic components that CEN uses to establish communication between networks. CEN uses regional gateways to pass routes to networks that are attached to CEN.

You can configure routing policies for the inbound or outbound traffic of a regional gateway. Each routing policy is a set of match conditions plus an action. Routing policies are sorted by priority: a smaller value indicates a higher priority, and routes are matched against the policies starting from the highest priority (the smallest value). A route that meets all the match conditions of a policy is permitted or denied according to the policy action; for a permitted route you can also modify its preference (route priority), autonomous system (AS) path, and community value. A route that does not meet all the match conditions of a policy is matched against the next policy. If a route matches no routing policy, it is permitted by default.


Components

A routing policy consists of three components: basic information, match conditions, and policy values. The following tables describe the details of each component.
Note You can set the policy values and Priority of Associated Routing Policy only when Routing Policy Action is set to Permit.
Table 1. Basic information
Parameter Description
Routing Policy Priority The priority of the routing policy.

Valid values: 1 to 100. A smaller value indicates a higher priority.

Routing policies that apply in the same region and direction cannot share a priority. The system matches routes against the policies starting from the smallest priority value, so assign values that sort the policies in the order in which you want them evaluated.

Description Enter a description for the routing policy.

The description cannot start with http:// or https://. It must start with a letter and can contain letters, digits, hyphens (-), periods (.), and underscores (_).

Region Select the region in which the routing policy applies.
Direction The direction in which the routing policy is applied.
  • Import to Regional Gateway: If you select this option, the routing policy applies to routes that are advertised to the regional gateway. For example, routes are advertised to a regional gateway from a network instance in the same region, or from a network instance in a different region.
  • Export from Regional Gateway: If you select this option, the routing policy applies to routes that are advertised from the regional gateway. For example, routes are advertised from a regional gateway to a network instance in the same region or to a regional gateway in a different region.
Routing Policy Action The action to be performed on a route that meets all match conditions. The following actions are supported:
  • Permit: permits routes that are matched.
  • Deny: denies routes that are matched.
Priority of Associated Routing Policy Specify a priority for the routing policy that you want to associate with the current one.
  • You can set this parameter only if Routing Policy Action is set to Permit. Only permitted routes are matched against the routing policy that has the specified priority.
  • The region and direction of the routing policy that you want to associate with the current routing policy must be the same as those of the current routing policy.
  • The associated routing policy must have a lower priority (a larger priority value) than the current routing policy.
Table 2. Match conditions
Parameter Description
Source Region The system checks whether routes are advertised from a specified region.

The system only checks whether the source regions of the routes meet the specified condition. The destination regions of the routes are not checked.

Source Instance IDs The system checks whether routes are advertised from specified network instances. The following network instance types are supported:
  • Virtual private cloud (VPC)
  • Virtual border router (VBR)
  • Cloud Connect Network (CCN) instance
  • Smart Access Gateway (SAG) instance

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised from the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition.

Destination Instance IDs The system checks whether routes are advertised to specified network instances. The following network instance types are supported:
  • Virtual private cloud (VPC)
  • Virtual border router (VBR)
  • Cloud Connect Network (CCN) instance
  • Smart Access Gateway (SAG) instance

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised to the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition.

Note The destination instance IDs take effect only when Direction is set to Export from Regional Gateway and the destination instances are deployed in the current region.
Destination Route Table The system checks whether routes are advertised to specified route tables.
Note The destination route table IDs take effect only when Direction is set to Export from Regional Gateway and the destination route tables belong to network instances deployed in the current region.
Source Instance Type The system checks whether routes are advertised from specified network instance types. The following network instance types are supported:
  • VPC: a virtual private cloud (VPC)
  • VBR: virtual border router (VBR)
  • CCN: Cloud Connect Network (CCN) instance
Destination Instance Type The system checks whether routes are advertised to specified network instance types. The following network instance types are supported:
  • VPC: a virtual private cloud (VPC)
  • VBR: virtual border router (VBR)
  • CCN: Cloud Connect Network (CCN) instance
Note The destination instance types take effect only when Direction is set to Export from Regional Gateway and the destination instance types are supported in the current region.
Route Type The system checks whether routes are of specified types. The following route types are supported:
  • System: routes created by the system.
  • Custom: routes manually added by the user.
  • BGP: routes that are advertised over Border Gateway Protocol (BGP).
Route Prefix The system filters routes based on the specified route prefixes. The following match methods are supported:
  • Fuzzy Match: If the prefix of a route falls within one of the specified prefixes, the route meets the match condition.

    For example, if you set the match condition to 10.10.0.0/16 and fuzzy match is applied, the route whose prefix is 10.10.10.0/24 meets the match condition.

  • Exact Match: A route meets the match condition only when the prefix of the route is the same as one of the specified prefixes.

    For example, if the match value is set to 10.10.0.0/16 and the match method is set to Exact Match, only the route with the prefix 10.10.0.0/16 meets the match condition.

AS Path The system filters routes based on the specified AS path. The following match methods are supported:
  • Fuzzy Match: A route meets the match condition if the AS path of the route overlaps with that specified in the match condition.

    For example, if you set the AS path to 65001,65002 and the match method to Fuzzy Match, the route whose AS path is 65501,65001 matches the condition because both AS paths contain 65001.

  • Exact Match: A route meets the match condition only if the AS path of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65501,65001,60011 and exact match is applied, only the route whose AS path is 65501,65001,60011 meets the match condition.

Note AS path (AS_PATH) is a well-known mandatory BGP attribute that lists the autonomous systems that a route has passed through when it is advertised.
Community The system matches routes based on the community. The following match methods are supported:
  • Fuzzy Match: A route meets the match condition if the community of the route overlaps with that specified in the match condition.

    For example, if you set the match condition to 65001:1000,65002:2000 and fuzzy match is applied, the route whose community is 65501:1000,65001:1000 meets the match condition, because both community sets contain 65001:1000.

  • Exact Match: A route meets the match condition only if the community of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65001:65001,65002:65005,65003:65001 and exact match is applied, only the route whose community is 65001:65001,65002:65005,65003:65001 meets the match condition.

Note Community is an optional transitive BGP attribute. You can tag a route with a community value so that downstream routers can filter or modify the route based on that value when routing policies are applied.
Table 3. Policy values
Parameter Description
Preference Specify a priority for the routes that are permitted.

Valid values: 1 to 100. Default value: 50. A smaller value indicates a higher priority.

Community Specify a community value for routes. The following methods are supported:
  • Add: adds the specified community value to matched routes.
  • Replace: replaces the community values of matched routes with the specified community value.
Appended AS Path The AS paths that are prepended by using an action statement when regional gateways receive or advertise routes.
For routing policies that are used in different directions, the requirements for AS paths that are prepended are different:
  • If the direction of a routing policy is set to Import to Regional Gateway and you want to specify appended AS paths, you must specify source instance IDs and source region in match conditions. The source region that you specify must be the same region to which the routing policy applies.
  • If the direction of a routing policy is set to Export from Regional Gateway and you want to specify appended AS paths, you must specify destination instance IDs in match conditions.

Matching process


CEN matches routes against routing policies in match-action mode: a route is first checked against the match conditions of a policy, and the action is performed only if all conditions are met. The system evaluates the routing policies in order of priority, starting from the smallest priority value.

  • If a route meets all the match conditions of a routing policy, the action of that policy is performed:
    • Permit: the route is permitted and, by default, is not matched against any further routing policy. If Priority of Associated Routing Policy is set, the route is next matched against the routing policy that has that priority; otherwise the matching process ends.
    • Deny: the route is denied and the matching process ends.
  • If a route does not meet all the match conditions of a routing policy, the route is matched against the next routing policy. This is repeated until the last routing policy has been checked.
  • If a route does not meet all the match conditions of the last routing policy, the route is permitted.

Because an unmatched route is permitted, routing policies act as an allow list only if you add a Deny policy with no match conditions at the lowest priority you use (the largest value); every route that should pass must then be explicitly permitted by a higher-priority policy.

Default routing policy

If a VBR or CCN instance is attached to a CEN instance, the system automatically adds a routing policy to the regional gateway whose priority is 5000, action is Deny, and direction is Export from Regional Gateway. Because 5000 is larger than any user-configurable priority value (1 to 100), this policy is evaluated after all the routing policies that you create. It prevents the VBR or CCN instance from communicating with the other VBRs or CCN instances that are attached to the CEN instance. The following rules describe whether VPCs, VBRs, and CCN instances that are attached to the same CEN instance can communicate with each other:

  • A VPC that is attached to a CEN instance can communicate with the other VPCs, VBRs, and CCN instances that are attached to the CEN instance.
  • A VBR that is attached to a CEN instance cannot communicate with the other VBRs or CCN instances that are attached to the CEN instance.
  • A CCN instance that is attached to a CEN instance cannot communicate with the VBRs or other CCN instances that are attached to the CEN instance.
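The match-action process, the match conditions and policy values of Tables 1 to 3, and the priority-5000 default policy can all be exercised with the following simulator. It is an added example written for this page, not Alibaba Cloud code: instance IDs such as vpc-a and vbr-b, the prefixes, AS numbers and community values are constructed, instance types are derived from the ID prefix, and the behaviour when an associated routing policy does not match the route (evaluation continues past it) is an assumption.

```python
"""Simulator for CEN routing-policy evaluation (added example, not Alibaba Cloud code).
All instance IDs, prefixes and BGP attributes below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str
    src_instance: str                 # advertised by this instance ("vpc-a"; type = ID prefix)
    dst_instance: str                 # the instance the gateway would advertise it to
    as_path: list = field(default_factory=list)
    community: list = field(default_factory=list)
    preference: int = 50              # Table 3 default value

@dataclass
class Policy:
    priority: int                     # a smaller value is a higher priority
    action: str                       # Permit | Deny
    direction: str = "Export"         # Import | Export, relative to the regional gateway
    next_priority: int = None         # Priority of Associated Routing Policy (Permit only)
    src_ids: set = None
    src_ids_exclude: bool = False     # "Exclude Specified IDs"
    src_types: set = None
    dst_types: set = None             # takes effect only in the Export direction
    prefixes: list = None
    prefix_mode: str = "fuzzy"        # fuzzy | exact (likewise for the two modes below)
    as_path: list = None
    as_path_mode: str = "fuzzy"
    community: list = None
    community_mode: str = "fuzzy"
    set_preference: int = None        # policy values (Table 3), applied on Permit only
    add_community: list = None
    replace_community: list = None
    prepend_as_path: list = None

def prefix_match(route_prefix, prefixes, mode):
    net = ipaddress.ip_network(route_prefix)
    for cand in map(ipaddress.ip_network, prefixes):
        if net.version == cand.version and (net == cand or (mode == "fuzzy" and net.subnet_of(cand))):
            return True
    return False

def attr_match(have, want, mode, ordered):
    if mode == "exact":               # AS path order matters; community membership does not
        return list(have) == list(want) if ordered else set(have) == set(want)
    return bool(set(have) & set(want))   # fuzzy: any overlap

def matches(p, r):
    """True only when the route meets every configured condition; unset conditions are skipped."""
    src_type, dst_type = (i.split("-")[0].upper() for i in (r.src_instance, r.dst_instance))
    return all([
        p.src_ids is None or (r.src_instance in p.src_ids) != p.src_ids_exclude,
        p.src_types is None or src_type in p.src_types,
        p.direction != "Export" or p.dst_types is None or dst_type in p.dst_types,
        p.prefixes is None or prefix_match(r.prefix, p.prefixes, p.prefix_mode),
        p.as_path is None or attr_match(r.as_path, p.as_path, p.as_path_mode, True),
        p.community is None or attr_match(r.community, p.community, p.community_mode, False),
    ])

def apply_values(p, r):
    if p.set_preference is not None: r.preference = p.set_preference
    if p.replace_community is not None: r.community = list(p.replace_community)
    if p.add_community: r.community += [c for c in p.add_community if c not in r.community]
    if p.prepend_as_path: r.as_path = list(p.prepend_as_path) + r.as_path

def evaluate(policies, r, direction="Export"):
    """Run the match-action process; returns (action, list of priorities consulted)."""
    ordered = sorted((p for p in policies if p.direction == direction), key=lambda p: p.priority)
    trace, i = [], 0
    while i < len(ordered):
        p = ordered[i]
        trace.append(p.priority)
        if not matches(p, r):
            i += 1                                    # not all conditions met: try the next policy
            continue
        if p.action == "Deny":
            return "Deny", trace                      # matching stops here
        apply_values(p, r)
        if p.next_priority is None:
            return "Permit", trace                    # permitted and no associated policy: stop
        # Associated policy: continue at that larger priority value (assumption: if it does not match, carry on past it)
        i = next((k for k, q in enumerate(ordered) if q.priority == p.next_priority), len(ordered))
    return "Permit", trace                            # nothing matched: permitted by default

def default_policy():
    """The system policy added when a VBR or CCN is attached: priority 5000, Deny, Export."""
    return Policy(5000, "Deny", src_types={"VBR", "CCN"}, dst_types={"VBR", "CCN"})

def demo(catch_all_deny=False):
    policies = [
        Policy(10, "Permit", prefixes=["10.10.0.0/16"], set_preference=20, prepend_as_path=[65001], next_priority=30),
        Policy(30, "Permit", src_types={"VPC"}, community=["65001:1000", "65002:2000"], add_community=["65001:9999"]),
        default_policy(),
    ]
    if catch_all_deny:   # deny-by-default needs an explicit unconditional Deny at the lowest user priority
        policies.append(Policy(100, "Deny"))
    routes = {"r1": Route("10.10.10.0/24", "vpc-a", "vbr-b", community=["65501:1000", "65001:1000"]),
              "r2": Route("192.168.0.0/16", "vbr-c", "vbr-b", as_path=[65001]),   # VBR -> VBR
              "r3": Route("172.16.0.0/12", "vpc-a", "vbr-b")}                      # matches no user policy
    return {name: (evaluate(policies, r), r) for name, r in routes.items()}
```

demo() returns, for each sample route, the action and the list of priorities that were consulted: r1 is permitted by policy 10 (fuzzy prefix match, preference set to 20, AS 65001 prepended) and then handed to the associated policy 30, which adds a community; r2 passes policies 10 and 30 unmatched and is denied by the priority-5000 default policy because it is a VBR-to-VBR route; r3 matches nothing and is permitted by default. demo(catch_all_deny=True) adds an unconditional Deny at priority 100, after which r3 is denied before the default policy is ever reached.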

Limits

Resource Limit Adjustable
Number of routing policies that can be created in the Import to Regional Gateway direction for each regional gateway 100 Not supported
Number of routing policies that can be created in the Export from Regional Gateway direction for each regional gateway 100 Not supported

References

The routing policy feature allows you to flexibly manage network communication in the cloud. For more information, see the following topics: