
Cloud Enterprise Network:Routing policy overview

Last Updated:Mar 08, 2024

Transit routers support routing policies. You can configure routing policies to filter and modify routes. This allows you to manage network communication in the cloud.

How it works

A transit router in a region contains route tables and routing policies. Routing policies filter routes based on the route tables associated with the transit router. Transit routers are available in two editions: Basic Edition and Enterprise Edition.

  • A Basic Edition transit router supports only one system route table. Routing policies that you create are automatically associated with the system route table.

  • An Enterprise Edition transit router supports one system route table and custom route tables. When you create a routing policy, you can associate the routing policy with the system route table or a custom route table. The routing policy affects only how the routes in the route table are advertised.

    For more information about Basic Edition transit routers and Enterprise Edition transit routers, see How transit routers work.

You can configure routing policies in the Ingress Regional Gateway or Egress Regional Gateway direction. Each routing policy is a collection of conditional statements and execution statements. Routing policies are sorted by priority. A smaller value indicates a higher priority. Routes are matched against match conditions specified in routing policies in descending order of policy priority. Routes that meet all match conditions are allowed or rejected based on the specified policy action. You can modify the priority, autonomous system (AS) path and community value of an allowed route. Routes that do not match all match conditions are allowed by default.


Components

A routing policy consists of the following components: basic information, match conditions, and policy values. The following tables describe the details about each component.

Note

You can specify policy values and associated policy priorities only when Routing Policy Action is set to Allow.

Table 1. Basic information

Parameter

Description

Routing Policy Priority

The priority of the routing policy.

Valid values: 1 to 100. A smaller value indicates a higher priority.

You cannot assign the same priority to two routing policies that apply in the same region and direction. The system matches routes against routing policies in descending order of priority (smaller value first), so choose values that place the routing policies in the order you want them evaluated.

Description

The description of the routing policy.

Region

The region in which the routing policy applies.

Note

This parameter is supported only by Basic Edition transit routers. After you create a routing policy in a region, the routing policy applies to the route tables of all Basic Edition transit routers in the region.

Associated Route Table

The ID of the route table that is associated with the routing policy.

Note

This parameter is supported only by Enterprise Edition transit routers. After you create a routing policy, the routing policy applies only to the Enterprise Edition transit router that is associated with the routing policy.

Policy Direction

The direction in which the routing policy applies.

  • Ingress Regional Gateway: Routes are advertised to the transit router deployed in the current region. For example, routes are advertised from network instances deployed in the current region or other regions to the transit router deployed in the current region.

  • Egress Regional Gateway: Routes are advertised from the transit router deployed in the current region. For example, routes are advertised from the transit router deployed in the current region to network instances deployed in the current region or to transit routers deployed in other regions.

Action Policy

The action that is performed on routes that meet all match conditions. The following actions are supported:

  • Allow: allows routes that match the routing policy.

  • Reject: rejects routes that match the routing policy.

Associated Route Policy Priority

The priority of the routing policy that is associated with the current policy.

  • This parameter is supported only if you set Action Policy to Allow. Only allowed routes are matched against the routing policy that has the specified priority.

  • The region and direction of the routing policy to be associated must be the same as those of the current routing policy.

  • The priority of the routing policy to be associated must be lower than the priority of the current routing policy.

Table 2. Match conditions

Parameter

Description

Source Region

The system checks whether routes are advertised from a specified region.

The system only checks whether the source regions of the routes meet the specified condition. The destination regions of the routes are not checked.

Source Instance ID List

The system checks whether routes are advertised from specified network instances. The following network instance types are supported:

  • Virtual private cloud (VPC)

  • Express Connect Router (ECR)

  • IPsec-VPN connection

  • Virtual border router (VBR)

  • Cloud Connect Network (CCN) instance

  • Smart Access Gateway (SAG) instance

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised from the specified IDs, the routes match the condition. Otherwise, the routes do not match the condition.

Destination Instance ID List

The system checks whether routes are advertised to specified network instances. The following network instance types are supported:

  • VPC

  • ECR

  • IPsec-VPN connection

  • VBR

  • CCN instance

  • SAG instance

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised to the specified IDs, the routes match the condition. Otherwise, the routes do not match the condition.

Note

The destination instance IDs take effect only when Direction is set to Egress Regional Gateway and the destination instances are deployed in the current region.

Destination Route Table

The system checks whether routes are advertised to specified route tables.

Note

The destination route table IDs take effect only when Direction is set to Egress Regional Gateway and the destination route tables belong to network instances deployed in the current region.

Source Instance Type

The system checks whether routes are advertised from specified network instance types. The following network instance types are supported:

  • VPC: VPC

  • ECR: ECR

  • VPN: VPN gateway or IPsec connection

    • If an IPsec connection or an SSL server is associated with a VPN gateway, VPN indicates a VPN gateway. The Source Instance Type parameter takes effect only if the VPC associated with the VPN gateway is attached to a transit router and the VPN gateway has Border Gateway Protocol (BGP) enabled.

    • If the IPsec connection is directly connected to a transit router, VPN indicates an IPsec connection. The Source Instance Type parameter takes effect.

  • VBR: VBR

  • CCN: CCN instance

Destination Instance Type

The system checks whether routes are advertised to specified network instance types. The following network instance types are supported:

  • VPC: VPC

  • ECR: ECR

  • VPN: IPsec connection

    Note
    • If you set Destination Instance Type to VPN and the IPsec connection or SSL server is connected to a transit router through a VPN gateway, the Destination Instance Type parameter does not take effect. The Destination Instance Type parameter takes effect only if the IPsec connection is directly connected to the transit router.

    • The destination instance types take effect only if Direction is set to Egress Regional Gateway and the destination instance types are supported in the current region.

  • VBR: VBR

  • CCN: CCN instance

IP Type

The system checks whether IP addresses in routes are of the specified version. The following IP versions are supported:

  • IPv4

  • IPv6

Route Type

The system checks whether routes are of specified types. The following route types are supported:

  • System: routes that are automatically created by the system.

  • Custom: routes that are added by you. For example, you can specify a custom route in a VPC or VBR route table.

    Note

    Custom routes do not match static routes in route tables of Enterprise Edition transit routers.

  • BGP: routes that are advertised over BGP.

Route Prefix

The system filters routes based on the specified route prefixes. The following match methods are supported:

  • Fuzzy Match: If the prefix of a route falls within one of the specified prefixes, the route matches the condition.

    For example, if you set the match condition to 10.10.0.0/16 and fuzzy match is applied, routes whose prefix is 10.10.10.0/24 match the condition.

  • Exact Match: A route matches the condition only when the prefix of the route is the same as one of the specified prefixes.

    For example, if the match value is set to 10.10.0.0/16 and the match method is set to Exact Match, only routes whose prefix is 10.10.0.0/16 match the condition.

AS Path

The system matches routes based on the specified AS path. The following match methods are supported:

  • Fuzzy Match: A route matches the condition if the AS path of the route overlaps with that specified in the match condition.

    For example, if you set the AS path to 65001, 65002 and the match method to Fuzzy Match, routes whose AS path is 65501, 65001 match the condition because both AS paths contain 65001.

  • Exact Match: A route matches the condition only if the AS path of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65501, 65001, 60011 and the match method to Exact Match, only routes whose AS path is 65501, 65001, 60011 match the condition.

Note

AS Path is a mandatory BGP attribute that lists the AS numbers a route has passed through while being advertised.

Community

The system matches routes based on the community. The following match methods are supported:

  • Fuzzy Match: A route matches the condition if the community of the route overlaps with that specified in the match condition.

    For example, if you set the match condition to 65001:1000, 65002:2000 and the match method to Fuzzy Match, routes whose community is 65501:1000, 65001:1000 match the condition because both communities contain 65001:1000.

  • Exact Match: A route matches the condition only if the community of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65001:65001, 65002:65005, 65003:65001 and the match method to Exact Match, only routes whose community is 65001:65001, 65002:65005, 65003:65001 match the condition.

Note

Community is an optional transitive attribute. You can specify a specific community value for a specific route. Downstream routers can filter routes based on the specified community value when routing policies are applied.

Table 3. Policy values

Parameter

Description

Route Priority

The priorities of the routes that are allowed.

Valid values: 1 to 100. Default value: 50. A smaller value indicates a higher priority.

Community

The community values of the routes. The following methods are supported:

  • Add: adds the specified community value to the routes that match the routing policy.

  • Replace: replaces the community values of the routes that match the routing policy with the specified community value.

Appended AS Path

The AS path to be appended when the transit router receives or advertises a route.

The match conditions required for an appended AS path depend on the direction of the routing policy.

  • If the direction of a routing policy is set to Ingress Regional Gateway and you want to specify appended AS paths, you must specify source instance IDs and source region in match conditions. The source region that you specify must be the same region to which the routing policy applies.

  • If the direction of a routing policy is set to Egress Regional Gateway and you want to specify appended AS paths, you must specify destination instance IDs in match conditions.

Matching process

Routing policies evaluate routes in match-action mode. Actions are performed after conditions are matched. The system matches routes against match conditions in descending order of routing policy priority.

  • If a route meets all the match conditions in a routing policy, the specified action is performed on the route.

    • If you set Routing Policy Action to Allow, the route is allowed. By default, the system does not match a matched route against the next routing policy. However, if you set a priority for the associated routing policy, the system matches the route against the routing policy that has the specified priority. If you do not set a priority, the matching process ends.

    • If you set Routing Policy Action to Reject, the route is rejected. By default, the system stops matching the route against the next routing policy and the matching process ends.

  • If a route does not meet a match condition specified in a routing policy, the current matching process ends and the system matches the route against the next routing policy.

  • If the route meets all the match conditions specified in the next routing policy, the action specified in the routing policy is performed on the route.

    • If you set Routing Policy Action to Allow, the route is allowed. By default, the system does not match a matched route against the next routing policy. However, if you set a priority for the associated routing policy, the system matches the route against the routing policy that has the specified priority. If you do not set a priority, the matching process ends.

    • If you set Routing Policy Action to Reject, the route is rejected. By default, the system stops matching the route against the next routing policy and the matching process ends.

  • If a route does not meet a match condition specified in the next routing policy, the current matching process ends and the system matches the route against the next routing policy. The preceding processes are repeated until the system matches the route against the last routing policy.

  • If the route does not meet a match condition specified in the last routing policy, the route is allowed.
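The match methods of Table 2 (fuzzy and exact matching of route prefixes, AS paths and communities) and the matching process above, modelled as an added Python example that is not part of this page or of Alibaba Cloud's implementation. The policy and route dictionary shapes, the field names, and the assumption that evaluation continues from the associated policy's position when that policy does not match are mine, not the product's API.

```python
import ipaddress
def prefix_matches(route_prefix, prefixes, exact):
    """Route Prefix: Exact Match needs an identical prefix; Fuzzy Match accepts a route prefix inside a listed one."""
    net = ipaddress.ip_network(route_prefix)
    for cand in map(ipaddress.ip_network, prefixes):
        if net.version == cand.version and (net == cand if exact else net.subnet_of(cand)):
            return True
    return False

def list_matches(values, wanted, exact):
    """AS Path / Community: Exact Match compares whole lists, Fuzzy Match needs any overlap."""
    return list(values) == list(wanted) if exact else bool(set(values) & set(wanted))

def route_matches(route, conditions):
    for key, (wanted, exact) in conditions.items():  # every condition of the policy must hold
        fn = prefix_matches if key == "prefix" else list_matches
        if not fn(route[key], wanted, exact):
            return False
    return True

def apply_values(route, values):  # Table 3 policy values, applied only to allowed routes
    route = dict(route)
    route["priority"] = values.get("route_priority", route["priority"])
    route["community"] = values.get("replace_community", route["community"] + values.get("add_community", []))
    route["as_path"] = route["as_path"] + values.get("append_as_path", [])
    return route

def evaluate(route, policies):
    """Walk policies from the smallest priority value (highest priority) upward."""
    ordered = sorted(policies, key=lambda p: p["priority"])
    i = 0
    while i < len(ordered):
        pol = ordered[i]
        if not route_matches(route, pol["match"]):
            i += 1                     # no match: continue with the next policy
            continue
        if pol["action"] == "Reject":
            return "Reject", route     # rejected: matching ends
        route = apply_values(route, pol.get("set", {}))
        if pol.get("next_priority") is None:
            return "Allow", route      # allowed, no associated policy: matching ends
        i = [p["priority"] for p in ordered].index(pol["next_priority"])  # jump to the associated policy
    return "Allow", route              # matched no policy: allowed by default
POLICIES = [  # constructed sample; these dict shapes are an assumption, not an Alibaba Cloud API
    {"priority": 10, "action": "Allow", "match": {"prefix": (["10.10.0.0/16"], False), "community": (["65001:1000"], False)},
     "set": {"route_priority": 20}, "next_priority": 30},
    {"priority": 20, "action": "Reject", "match": {"prefix": (["10.10.0.0/16"], True)}},
    {"priority": 30, "action": "Allow", "match": {"as_path": ([65001], False)}, "set": {"add_community": ["65001:2000"]}},
]
ROUTE_A = {"prefix": "10.10.10.0/24", "as_path": [65501, 65001], "community": ["65001:1000"], "priority": 50}
```

With the sample data, ROUTE_A is allowed by policy 10, gets route priority 20, jumps to policy 30 and picks up the added community; a route whose prefix is exactly 10.10.0.0/16 but carries no matching community falls through to policy 20 and is rejected.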


Default routing policy

Each transit router contains a default routing policy that applies in the Egress Regional Gateway direction. The priority of the default routing policy is 5000, and the policy action is Reject. The default routing policy disables network communication among Express Connect Routers (ECRs), VBRs, CCN instances, and IPsec connections that are connected to the same transit router. The following section describes whether VPCs, ECRs, VBRs, CCN instances, and IPsec connections that are connected to the same transit router can communicate with each other by default:

  • By default, a VPC that is connected to a transit router can communicate with VPCs, ECRs, VBRs, CCN instances, and IPsec connections that are also connected to the transit router.

  • By default, an ECR that is connected to a transit router cannot communicate with ECRs, VBRs, CCN instances, or IPsec connections that are also connected to the transit router.

  • By default, an IPsec connection that is attached to a transit router cannot communicate with ECRs, VBRs, CCN instances, or IPsec connections that are also attached to the transit router.

  • By default, a VBR that is connected to a transit router cannot communicate with ECRs, VBRs, CCN instances, or IPsec connections that are also connected to the transit router.

  • By default, a CCN instance that is connected to a transit router cannot communicate with ECRs, VBRs, CCN instances, or IPsec connections that are also connected to the transit router.

Quotas

Item: The maximum number of routing policies in the Ingress Regional Gateway direction that you can create on a transit router. Default value: 100. Adjustable: No.

Item: The maximum number of routing policies in the Egress Regional Gateway direction that you can create on a transit router. Default value: 100. Adjustable: No.

References

Routing policies allow you to flexibly manage network communication in the cloud. For more information, see the following topics: