Transit routers support routing policies. You can configure routing policies to filter and modify routes. This allows you to manage network communication in the cloud.

How it works

A transit router in a specified region contains route tables and routing policies that are configured for the region. Routing policies filter routes based on the route tables associated with the transit router. Transit routers are available in two editions: Basic Edition and Enterprise Edition.

  • A Basic Edition transit router has only one system route table. Routing policies that you create are automatically associated with the system route table.
  • An Enterprise Edition transit router has one system route table and supports custom route tables. When you add a routing policy, you can associate the routing policy with the system route table or a custom route table. The routing policy affects only how the associated route table advertises routes.

    For more information about Basic Edition and Enterprise Edition transit routers, see How transit routers work.

You can configure routing policies in the inbound direction or outbound direction. Each routing policy is a collection of conditional statements and execution statements. Routing policies are sorted by priority. A smaller value indicates a higher priority. Routes are matched against match conditions specified in routing policies in descending order of policy priority. Routes that meet all match conditions are permitted or denied based on the specified policy action. You can modify the priority, autonomous system (AS) path, and community value of a route that is permitted. Routes that do not match all match conditions are permitted by default.

Routing policies - August 2022

Components

A routing policy consists of three components: basic information, match conditions, and policy values. The following tables describe the details about each component.
Note You can set policy values and associated policy priorities only when Routing Policy Action is set to Permit.
Table 1. Basic information
Parameter Description
Routing Policy Priority Set a priority for the routing policy.

Valid values: 1 to 100. A smaller value indicates a higher priority.

You cannot specify the same priority for routing policies that apply in the same region and direction. The system matches routes against the match conditions of routing policies in descending order of priority. A smaller value indicates a higher priority. Therefore, set appropriate values to sort the routing policies in the desired order.

Description Enter a description for the routing policy.
Region Select the region in which the routing policy applies.
Note This parameter is supported only by Basic Edition transit routers.
Associated Route Table Select the ID of the route table to be associated with the routing policy.
Note This parameter is supported only by Enterprise Edition transit routers.
Direction Specify the direction in which the routing policy is applied.
  • Import to Regional Gateway: Routes are advertised to the transit router deployed in the current region. For example, routes are advertised from network instances deployed in the current region or other regions to the transit router deployed in the current region.
  • Export from Regional Gateway: Routes are advertised from the transit router deployed in the current region. For example, routes are advertised from the transit router deployed in the current region to network instances deployed in the current region or to transit routers deployed in other regions.
Routing Policy Action Select the action to be performed on routes that meet all match conditions. The following actions are supported:
  • Permit: permits routes that are matched.
  • Deny: denies routes that are matched.
Priority of Associated Routing Policy Specify a priority for the routing policy that you want to associate with the current one.
  • You can set the parameter only if you select Permit for Routing Action Policy. Only permitted routes are matched against the routing policy that has the specified priority.
  • The region and direction of the routing policy to be associated must be the same as those of the current routing policy.
  • The priority of the routing policy to be associated must be lower than the priority of the current routing policy.
Table 2. Match conditions
Parameter Description
Source Region The system checks whether routes are advertised from a specified region.

The system only checks whether the source regions of the routes meet the specified condition. The destination regions of the routes are not checked.

Source Instance IDs The system checks whether routes are advertised from specified network instances. The following network instance types are supported:
  • Virtual private cloud (VPC)
  • Virtual border router (VBR)
  • Cloud Connect Network (CCN) instance
  • Smart Access Gateway (SAG) instance
  • The ID of the IPsec connection.

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised from the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition.

Destination Instance IDs The system checks whether routes are advertised to specified network instances. The following network instance types are supported:
  • VPC
  • VBR
  • CCN instance
  • SAG instance
  • The ID of the IPsec connection.

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised to the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition.

Note The destination instance IDs take effect only when Direction is set to Export from Regional Gateway and the destination instances are deployed in the current region.
Destination Route Table The system checks whether routes are advertised to specified route tables.
Note The destination route table IDs take effect only when Direction is set to Export from Regional Gateway and the destination route tables belong to network instances deployed in the current region.
Source Instance Type The system checks whether routes are advertised from specified network instance types. The following network instance types are supported:
  • VPC: VPC
  • VBR: VBR
  • CCN: CCN instance
  • VPN: VPN gateway or IPsec connection
    • If an IPsec connection or an SSL server is associated with a VPN gateway, VPN indicates a VPN gateway. The Source Instance Type parameter takes effect only if the VPC associated with the VPN gateway is attached to a transit router and the VPN gateway has Border Gateway Protocol (BGP) enabled.
    • If the IPsec connections is directly connected to a transit router, VPN indicates an IPsec connection. The Source Instance Type parameter takes effect.
Destination Instance Type The system checks whether routes are advertised to specified network instance types. The following network instance types are supported:
  • VPC: VPC
  • VBR: VBR
  • CCN: Cloud Connect Network (CCN) instance
  • VPN: IPsec connection
Note
  • If you set Destination Instance Type to VPN, and the IPsec connection or SSL server is connected to a transit router through a VPN gateway, The Destination Instance Type parameter does not take effect. It takes effect only if the IPsec connection is directly connected to the transit router.
  • The destination instance types take effect only if Direction is set to Export from Regional Gateway and the destination instance types are supported in the current region.
Route Type The system checks whether routes are of specified types. The following route types are supported:
  • System: routes that are automatically created by the system.
  • Custom: routes that are added by you.
  • BGP: routes that are advertised over BGP.
Route Prefix The system filters routes based on the specified route prefixes. The following match methods are supported:
  • Fuzzy Match: If the prefix of a route falls within one of the specified prefixes, the route meets the match condition.

    For example, if you set the match condition to 10.10.0.0/16 and fuzzy match is applied, the route whose prefix is 10.10.10.0/24 meets the match condition.

  • Exact Match: A route meets the match condition only when the prefix of the route is the same as one of the specified prefixes.

    For example, if the match value is set to 10.10.0.0/16 and the match method is set to Exact Match, only the route with the prefix 10.10.0.0/16 meets the match condition.

AS Path The system filters routes based on the specified AS path. The following match methods are supported:
  • Fuzzy Match: A route meets the match condition if the AS path of the route overlaps with that specified in the match condition.

    For example, if you set the AS path to 65001,65002 and the match method to Fuzzy Match, the route whose AS path is 65501,65001 matches the condition because both AS paths contain 65001.

  • Exact Match: A route meets the match condition only if the AS path of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65501,65001,60011 and exact match is applied, only the route whose AS path is 65501,65001,60011 meets the match condition.

Note AS Path is a mandatory attribute, which describes the AS numbers that a BGP route passes through when it is advertised.
Community The system matches routes based on the community. The following match methods are supported:
  • Fuzzy Match: A route meets the match condition if the community of the route overlaps with that specified in the match condition.

    For example, if you set the match condition to 65001:1000,65002:2000 and fuzzy match is applied, the route whose community is 65501:1000,65001:1000 meets the match condition, because both communities contain 65001:1000.

  • Exact Match: A route meets the match condition only if the community of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65001:65001,65002:65005,65003:65001 and exact match is applied, only the route whose community is 65001:65001,65002:65005,65003:65001 meets the match condition.

Note Community is an optional transitive attribute. You can specify a specific community value for a specific route. Downstream routers can filter routes based on the specified community value when routing policies are implemented.
Table 3. Policy values
Parameter Description
Preference Specify a priority for the routes that are permitted.

Valid values: 1 to 100. Default value: 50. A smaller value indicates a higher priority.

Community Specify a community value for routes. The following methods are supported:
  • Add: adds the specified community value to matched routes.
  • Replace: replaces the community values of matched routes with the specified community value.
Appended AS Path Specify the AS path to be appended when the transit router receives or advertises a route.
For routing policies that are used in different directions, the requirements for AS paths that are prepended are different:
  • If the direction of a routing policy is set to Import to Regional Gateway and you want to specify appended AS paths, you must specify source instance IDs and source region in match conditions. The source region that you specify must be the same region to which the routing policy applies.
  • If the direction of a routing policy is set to Export from Regional Gateway and you want to specify appended AS paths, you must specify destination instance IDs in match conditions.

Matching process

Routing policies evaluate routes in match-action mode. Actions are performed after conditions are matched. The system matches routes against match conditions in descending order of routing policy priority.

  • If a route meets all the match conditions in a routing policy, the specified action is performed on the route.
    • If you set Routing Policy Action to Permit, the route is permitted. By default, the system does not match a matched route against the next routing policy. However, if you set a priority for the associated routing policy, the system matches the route against the routing policy that has the specified priority. If you do not set a priority, the matching process ends.
    • If you set Routing Policy Action to Deny, the route is denied. By default, the system stops matching the route against the next routing policy and the matching process ends.
  • If a route does not meet a match condition specified in a routing policy, the current matching process ends and the system matches the route against the next routing policy.
  • If the route meets all the match conditions specified in the next routing policy, the action specified in the routing policy is performed on the route.
    • If you set Routing Policy Action to Permit, the route is permitted. By default, the system does not match a matched route against the next routing policy. However, if you set a priority for the associated routing policy, the system matches the route against the routing policy that has the specified priority. If you do not set a priority, the matching process ends.
    • If you set Routing Policy Action to Deny, the route is denied. By default, the system stops matching the route against the next routing policy and the matching process ends.
  • If a route does not meet a match condition specified in the next routing policy, the current matching process ends and the system matches the route against the next routing policy. The preceding processes are repeated until the system matches the route against the last routing policy.
  • If the route does not meet a match condition specified in the last routing policy, the route is permitted.
Routing policies - new version

Default routing policy

Each transit router contains a default routing policy that applies in the outbound direction. The priority of the default routing policy is 5000, and the policy action is Deny. The default routing policy prevents VBRs, CCN instances, and IPsec connections that are connected to the same transit router from communicating with each other. The following section describes whether VPCs, VBRs, CCN instances, and IPsec connections that are connected to the same transit router can communicate with each other by default:

  • A VPC that is connected to a transit router can communicate with VPCs, VBRs, CCN instances, and IPsec connections that are also connected to the transit router. Default routing policy - VPCs can communicate with each other by default - August 2022
  • A VBR that is connected to a transit router cannot communicate with VBRs, CCN instances, or IPsec connections that are also connected to the transit router. Default routing policy - VBRs cannot communicate with each other by default - August 2022
  • A CCN instance that is connected to a transit router cannot communicate with VBRs, CCN instances, or IPsec connections that are also connected to the transit router. Default routing policy - CCN instances cannot communicate with each other by default - August 2022

Limits

Item Default quota Adjustable
The maximum number of routing policies in the inbound direction that you can create on a transit router 100 Not supported
The maximum number of routing policies in the outbound direction that you can create on a transit router 100 Not supported

References

The routing policy feature allows you to flexibly manage network communication in the cloud. For more information, see the following topics: