Virtual Private Cloud:Route table overview

Last Updated:Mar 11, 2024

After you create a virtual private cloud (VPC), the system creates a system route table for the VPC and adds system routes to the route table. The system routes are used to route traffic of the VPC. You cannot create or delete a system route table. However, you can add custom routes to a system route table. Custom routes are used to route traffic to specified destinations.

Route tables

  • System route table

    After you create a VPC, the system creates a system route table to manage the routes of the VPC. By default, vSwitches in the VPC use the system route table. You cannot create or delete a system route table. However, you can add custom route entries to a system route table.

  • Custom route table

    You can create custom route tables in a VPC, associate custom route tables with vSwitches, and then set vSwitch CIDR blocks as destination CIDR blocks. This way, cloud services in vSwitches can communicate with each other. This facilitates network management. For more information, see Create a custom route table.

  • Gateway route table

    You can create a custom route table in a VPC and associate the custom route table with an IPv4 gateway. This route table is called a gateway route table. You can use a gateway route table to control traffic from the Internet to a VPC. You can redirect Internet traffic to security devices in the VPC, such as virtual firewalls. This allows you to protect cloud resources in the VPC in a centralized manner. For more information, see Create and manage an IPv4 gateway.

When you manage route tables, take note of the following limits:

  • Each VPC can contain at most 10 route tables including the system route table.

  • Only one route table can be associated with each vSwitch. The routing policies of a vSwitch are managed by the route table that is associated with the vSwitch. You can associate one route table with multiple vSwitches.

  • After you create a vSwitch, the system route table is associated with the vSwitch by default.

  • If a custom route table is associated with a vSwitch and you want to replace the custom route table with the system route table, you must disassociate the custom route table from the vSwitch. If you want to associate a different custom route table with the vSwitch, you can directly replace the original custom route table without the need to disassociate the original custom route table.

Regions that support custom route tables

Area              | Region
Asia Pacific      | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai)
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East       | UAE (Dubai)

Routes

Each item in a route table is a route. A route consists of the destination CIDR block, the next hop type, and the next hop. The destination CIDR block is the IP address range to which you want to forward network traffic. The next hop type specifies the type of the cloud resource that is used to transmit network traffic, such as an Elastic Compute Service (ECS) instance, a VPN gateway, or a secondary elastic network interface (ENI). The next hop is the specific cloud resource that is used to transmit network traffic.

Routes are classified into system routes, custom routes, and dynamic routes.

  • System routes

    System routes are classified into IPv4 routes and IPv6 routes. You cannot modify system routes.

    • After you create a VPC and vSwitches, the system automatically adds the following IPv4 routes to the route table:

      • A route whose destination CIDR block is 100.64.0.0/10. This route is used for communication among cloud resources within the VPC.

      • Routes whose destination CIDR blocks are the same as the CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.

      For example, if you create a VPC whose CIDR block is 192.168.0.0/16 and two vSwitches whose CIDR blocks are 192.168.1.0/24 and 192.168.0.0/24, the following system routes are automatically added to the route table of the VPC. The "-" sign in the following table indicates the VPC.

      Destination CIDR block | Next hop | Route type   | Description
      100.64.0.0/10          | -        | System route | Created by system.
      192.168.1.0/24         | -        | System route | Created with vSwitch(vsw-m5exxjccadi03tvx0****) by system.
      192.168.0.0/24         | -        | System route | Created with vSwitch(vsw-m5esyy9l8ntpt5gsw****) by system.

    • If IPv6 is enabled for your VPC, the following IPv6 routes are automatically added to the system route table of the VPC:

      • A custom route whose destination CIDR block is ::/0 and whose next hop is an IPv6 gateway. Cloud resources deployed in the VPC use this route to access the Internet through IPv6 addresses.

      • System routes whose destination CIDR blocks are the same as the IPv6 CIDR blocks of the vSwitches in the VPC. These routes are used for communication among cloud resources within the vSwitches.

        Note

        If you create a custom route table and associate the custom route table with a vSwitch that resides in an IPv6 CIDR block, you must add a custom route whose destination CIDR block is ::/0 and whose next hop is the IPv6 gateway. For more information, see Add a custom route.

  • Custom routes

    You can add custom routes to replace system routes or route traffic to specified destinations. You can specify the following types of next hops when you create a custom route:

    • IPv4 CIDR block

      • IPv4 gateway: Traffic that is destined for the destination CIDR block is routed to the specified IPv4 gateway.

      • NAT gateway: Traffic that is destined for the destination CIDR block is routed to the specified NAT gateway. You can select this type if you want to access the Internet through a NAT gateway.

      • VPC peering connection: Traffic that is destined for the destination CIDR block is routed to the specified VPC peering connection.

      • Transit router: Traffic that is destined for the destination CIDR block is routed to the specified transit router.

      • VPN gateway: Traffic that is destined for the destination CIDR block is routed to the specified VPN gateway. You can select this type if you want to connect a VPC to another VPC or an on-premises network through the VPN gateway.

      • ECS instance: Traffic that is destined for the destination CIDR block is routed to the specified ECS instance in the VPC. You can select this type if you want to access the Internet or other applications through applications that are deployed on the ECS instance.

      • ENI: Traffic that is destined for the destination CIDR block is routed to the specified ENI.

      • High-availability virtual IP address (HAVIP): Traffic that is destined for the destination CIDR block is routed to the specified HAVIP.

      • Router interface (to VBR): Traffic that is destined for the destination CIDR block is routed to the specified virtual border router (VBR). You can select this type if you want to connect a VPC to an on-premises network through Express Connect circuits.

      • Router interface (to VPC): Traffic that is destined for the destination CIDR block is routed to the specified VBR.

    • IPv6 CIDR block

      • ECS instance: Traffic that is destined for the destination CIDR block is routed to the specified ECS instance in the VPC. You can select this type if you want to access the Internet or other applications through applications that are deployed on the ECS instance.

      • IPv6 gateway: Traffic that is destined for the destination CIDR block is routed to the specified IPv6 gateway. You can select this type if you want to implement IPv6 communication through an IPv6 gateway. You can forward traffic to the specified IPv6 gateway only if a route is added to the system route table and an IPv6 gateway is created in the region where the vSwitch associated with the system route table is deployed.

      • ENI: Traffic that is destined for the destination CIDR block is routed to the specified ENI.

      • Router interface (to VBR): Traffic that is destined for the destination CIDR block is routed to the specified VBR. You can select this type if you want to connect a VPC to an on-premises network through Express Connect circuits.

      • VPC peering connection: Traffic that is destined for the destination CIDR block is routed to the specified VPC peering connection.

  • Dynamic routes

    The routes that are learned through Cloud Enterprise Network (CEN), VPN gateways, or Border Gateway Protocol (BGP).

Route priorities

The priorities of routes take effect based on the following rules:

  • Same destination CIDR block

    • You can implement load balancing only if you select router interface (to VBR) as the next hop type and configure health checks.

    • You can implement active/standby routing only if you select router interface (to VBR) as the next hop type and configure health checks.

    • In other cases, the destination CIDR blocks of different routes must be unique. The destination CIDR blocks of custom routes and dynamic routes cannot be the same as those of system routes. The destination CIDR blocks of custom routes cannot be the same as those of dynamic routes.

  • Overlapping destination CIDR blocks

    Network traffic is routed based on the longest prefix match algorithm. The destination CIDR blocks of custom routes and dynamic routes can contain the CIDR blocks of system routes, and cannot be more specific than the CIDR blocks of system routes.

  • Different destination CIDR blocks

    You can specify the same next hop for different routes.

The following table shows the route table of a VPC. The "-" sign indicates the VPC.

Destination CIDR block | Next hop type | Next hop               | Route type
100.64.0.0/10          | -             | -                      | System route
192.168.0.0/24         | -             | -                      | System route
0.0.0.0/0              | ECS instance  | i-bp15u6os7nx2c9h9**** | Custom
10.0.0.0/24            | ECS instance  | i-bp1966ss26t47ka4**** | Custom

The routes whose destination CIDR blocks are 100.64.0.0/10 and 192.168.0.0/24 are system routes. The routes whose destination CIDR blocks are 0.0.0.0/0 and 10.0.0.0/24 are custom routes. Traffic destined for 0.0.0.0/0 is forwarded to the ECS instance whose ID is i-bp15u6os7nx2c9h9****, and traffic destined for 10.0.0.0/24 is forwarded to the ECS instance whose ID is i-bp1966ss26t47ka4****. Based on the longest prefix match algorithm, traffic destined for 10.0.0.1 is forwarded to i-bp1966ss26t47ka4****, while traffic destined for 10.0.1.1 is forwarded to i-bp15u6os7nx2c9h9****.
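As an added illustration of the longest prefix match rule and the priority rules described above (this code is not part of the original page or the product), the following Python models the route table shown above, rejects a candidate custom route that duplicates or is more specific than a system route, and resolves destination addresses. The constants and the helper names check_custom_route and lookup are assumptions.

```python
import ipaddress

# Constructed to mirror the route table shown above: two system routes
# (next hop "-" is the VPC itself, as in the page) and two custom routes
# whose next hops are ECS instances. Tuples are (destination, type, next hop).
SYSTEM_ROUTES = [
    ("100.64.0.0/10", "-", "-"),
    ("192.168.0.0/24", "-", "-"),
]
CUSTOM_ROUTES = [
    ("0.0.0.0/0", "ECS instance", "i-bp15u6os7nx2c9h9****"),
    ("10.0.0.0/24", "ECS instance", "i-bp1966ss26t47ka4****"),
]


def check_custom_route(dest, system_routes):
    """Apply the page's priority rules to a candidate custom route (assumed helper).

    Returns None when the route is allowed, else the rule it breaks:
    - the destination may not equal a system route's destination;
    - it may not be more specific than a system route (it may contain one),
      so a custom route can never divert traffic meant for a vSwitch.
    """
    cand = ipaddress.ip_network(dest)
    for sys_dest, _, _ in system_routes:
        sys_net = ipaddress.ip_network(sys_dest)
        if cand.version != sys_net.version:
            continue  # IPv4 and IPv6 routes never conflict with each other
        if cand == sys_net:
            return f"duplicates system route {sys_dest}"
        if cand.subnet_of(sys_net):
            return f"more specific than system route {sys_dest}"
    return None


def lookup(ip, system_routes, custom_routes):
    """Longest prefix match over all routes; returns the winning route tuple."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in system_routes + custom_routes:
        net = ipaddress.ip_network(route[0])
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best
```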

Examples

You can add custom routes to a route table to control inbound and outbound traffic transmitted over a VPC.

  • Connect a VPC to the Internet

    (Figure: Local network route) The preceding figure shows an ECS instance (ECS01) in a VPC that functions as a NAT gateway. To enable the cloud resources in the VPC to access the Internet through the ECS instance, you must add the following custom route to the route table.

    Destination CIDR block | Next hop type | Next hop
    0.0.0.0/0              | ECS instance  | ECS01

  • Connect a VPC to a VPC through a VPC peering connection

    (Figure: VPC peering connection) After you establish a VPC peering connection between VPC1 (172.16.0.0/12) and VPC2 (192.168.0.0/16), you must also add the following routes to the VPCs:

    • Add the following route to VPC1

      Destination CIDR block | Next hop type          | Next hop
      192.168.0.0/16         | VPC peering connection | pcc-aaabbb (ID of the VPC peering connection)

    • Add the following route to VPC2

      Destination CIDR block | Next hop type          | Next hop
      172.16.0.0/12          | VPC peering connection | pcc-aaabbb (ID of the VPC peering connection)

  • Connect a VPC to a VPC through an IPsec-VPN connection

    (Figure: VPN gateway route) The preceding figure shows that VPC1 (172.16.0.0/12) is connected to VPC2 (10.0.0.0/8) through an IPsec-VPN connection. After you configure the VPN gateways, you must add the following routes to the VPCs:

    • Add the following route to VPC1

      Destination CIDR block | Next hop type | Next hop
      10.0.0.0/8             | VPN gateway   | VPN gateway 1

    • Add the following route to VPC2

      Destination CIDR block | Next hop type | Next hop
      172.16.0.0/12          | VPN gateway   | VPN gateway 2

  • Connect a VPC to a data center through an Express Connect circuit

    (Figure: Border router route) The preceding figure shows that a VPC is connected to an on-premises network through an Express Connect circuit. After you configure the Express Connect circuit and the VBR, you must add the following routes:

    • Add the following route to the VPC

      Destination CIDR block | Next hop type             | Next hop
      192.168.0.0/16         | Router interface (to VBR) | Router interface RI1

    • Add the following routes to the VBR

      Destination CIDR block | Next hop type           | Next hop
      192.168.0.0/16         | Express Connect circuit | Router interface RI3
      172.16.0.0/12          | VPC                     | Router interface RI2

    • Add the following route to the on-premises network

      Destination CIDR block | Next hop type       | Next hop
      172.16.0.0/12          | On-premises gateway | On-premises gateway device

  • Connect a VPC to a data center through a VPN gateway

    (Figure: On-premises VPN gateway) The preceding figure shows that a VPC (172.16.0.0/12) is connected to a data center (192.168.0.0/16) through a VPN gateway. After you configure the VPN gateway, you must add the following route to the VPC:

    Destination CIDR block | Next hop type | Next hop
    192.168.0.0/16         | VPN gateway   | The configured VPN gateway
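The VPC peering and IPsec-VPN examples above each need a route on both sides, and a missing return route is a common reason a link carries traffic one way only. As an added example (not from the page or the product), the following Python checks a pair of VPCs for reciprocal routes using the page's example CIDRs and the pcc-aaabbb peering ID; the data layout and the function names are assumptions.

```python
import ipaddress

# Constructed from the page's examples. A VPC is (CIDR, list of routes) and
# each route is (destination, next hop type, next hop).
PEER_VPC1 = ("172.16.0.0/12", [("192.168.0.0/16", "VPC peering connection", "pcc-aaabbb")])
PEER_VPC2 = ("192.168.0.0/16", [("172.16.0.0/12", "VPC peering connection", "pcc-aaabbb")])
# Same VPC2, but the operator forgot the return route: requests from VPC1
# arrive, replies have nowhere to go.
PEER_VPC2_NO_RETURN = ("192.168.0.0/16", [])
VPN_VPC1 = ("172.16.0.0/12", [("10.0.0.0/8", "VPN gateway", "VPN gateway 1")])
VPN_VPC2 = ("10.0.0.0/8", [("172.16.0.0/12", "VPN gateway", "VPN gateway 2")])

CONNECTING_HOPS = ("VPC peering connection", "VPN gateway")


def route_toward(routes, cidr, hop_types=CONNECTING_HOPS):
    """Return the first route of an allowed next hop type whose destination covers cidr."""
    target = ipaddress.ip_network(cidr)
    for dest, hop_type, hop in routes:
        net = ipaddress.ip_network(dest)
        if hop_type in hop_types and net.version == target.version and target.subnet_of(net):
            return (dest, hop_type, hop)
    return None


def check_reciprocal(vpc_a, vpc_b):
    """Check that both VPCs route to each other over the connection (assumed helper).

    Returns a list of problems; an empty list means the pair is consistent.
    For peering, both sides must also name the same peering connection ID.
    """
    cidr_a, routes_a = vpc_a
    cidr_b, routes_b = vpc_b
    problems = []
    forward = route_toward(routes_a, cidr_b)
    back = route_toward(routes_b, cidr_a)
    if forward is None:
        problems.append(f"{cidr_a} has no route toward {cidr_b}")
    if back is None:
        problems.append(f"{cidr_b} has no route back toward {cidr_a}")
    if forward and back and forward[1] == back[1] == "VPC peering connection" and forward[2] != back[2]:
        problems.append(f"peering connection IDs differ: {forward[2]} vs {back[2]}")
    return problems
```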