Transit routers support routing policies. You can configure routing policies to filter and modify routes. This allows you to manage network communication in the cloud.

How routing policies work

A transit router in a specified region contains route tables and routing policies that are configured for that region. Routing policies filter routes based on the route tables associated with the transit router. Transit routers have two editions: Basic Edition and Enterprise Edition.

  • A Basic Edition transit router has only a system route table. Routing polices that you create are automatically associated with the system route table.
  • An Enterprise Edition transit router has a system route table and supports custom route tables. When you add a routing policy, you can associate the routing policy with the system route table or a custom route table. The routing policy affects only how the associated route table advertises routes.

    For more information about Basic Edition and Enterprise Edition transit routers, see How transit routers work.

You can configure routing policies in the inbound direction or outbound direction. Each routing policy is a collection of conditional statements and execution statements. Routing policies are sorted by priority. A smaller value indicates a higher priority. Routes are matched against match conditions specified in routing policies in descending order of policy priority. Routes that meet all match conditions are permitted or denied based on the specified policy action. You can modify the priority, autonomous system (AS) path, and community value of a route that is permitted. Routes that do not match all match conditions are permitted by default.

Routing policies

Components

A routing policy consists of three components: basic information, match conditions, and policy values. The following tables describe the details of each component.
Note You can set policy values and associated policy priorities only when Routing Policy Action is set to Permit.
Table 1. Basic information
Parameter Description
Routing Policy Priority Set a priority for the routing policy.

Valid values: 1 to 100. A smaller value indicates a higher priority.

You cannot specify the same priority for routing policies that apply in the same region and direction. The system evaluates routes against the match conditions of routing policies in descending order of priority. A smaller value indicates a higher priority. Therefore, set appropriate values to sort the routing policies in the desired order.

Description Enter a description for the routing policy.
Region Select the region in which the routing policy applies.
Note You can set this parameter only for Basic Edition transit routers.
Associated Route Table Select the ID of the route table to be associated with the routing policy.
Note You can set this parameter only for Enterprise Edition transit routers.
Direction Select the direction in which the routing policy applies.
  • Import to Regional Gateway: Routes are advertised to the transit router deployed in the current region. For example, routes are advertised from network instances deployed in the current region or other regions to the transit router deployed in the current region.
  • Export from Regional Gateway: Routes are advertised from the transit router deployed in the current region. For example, routes are advertised from the transit router in the current region to network instances deployed in the current region or transit routers deployed in other regions.
Routing Policy Action Select the action to be performed on routes that meet all match conditions. The following actions are supported:
  • Permit: permits routes that are matched.
  • Deny: denies routes that are matched.
Priority of Associated Routing Policy Specify a priority for the routing policy to be associated.
  • You can set the parameter only if you select Permit for Routing Action Policy. Only permitted routes continue to match the routing policy that has the specified priority.
  • The region and direction of the routing policy to be associated must be the same as those of the current routing policy.
  • The priority of the routing policy to be associated must be lower than the priority of the current routing policy.
Table 2. Match conditions
Parameter Description
Source Region The system matches all routes that are advertised from the specified region.

The system only evaluates whether the source regions of the routes meet the specified condition. The destination regions of the routes are not evaluated.

Source Instance IDs The system matches all routes that are advertised from the specified network instances. The following network instance types are supported:
  • Virtual private cloud (VPC)
  • Virtual border router (VBR)
  • Cloud Connect Network (CCN) instance
  • Smart Access Gateway (SAG) instance

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised from the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition.

Destination Instance IDs The system matches all routes that are advertised to the specified network instances. The following network instance types are supported:
  • VPC
  • VBR
  • CCN instance
  • SAG instance

You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised to the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition.

Note The destination instance IDs take effect only when Direction is set to Export from Regional Gateway and the destination instances are deployed in the current region.
Destination Route Table The system matches all routes that are advertised to the specified route tables.
Note The destination route table IDs take effect only when Direction is set to Export from Regional Gateway and the destination route tables belong to network instances deployed in the current region.
Source Instance Type The system matches all routes that are advertised from the specified network instance types. The following network instance types are supported:
  • VPC: VPC
  • VBR: VBR
  • CCN: Cloud Connect Network (CCN) instance
Destination Instance Type The system matches all routes that are advertised to the specified network instance types. The following network instance types are supported:
  • VPC: VPC
  • VBR: VBR
  • CCN: CCN instance
Note The destination instance types take effect only when Direction is set to Export from Regional Gateway and the destination instance types are supported in the current region.
Route Type The system matches routes of the specified types. The following route types are supported:
  • System: routes created by the system.
  • Custom: routes manually added by the user.
  • BGP: routes that are advertised over Border Gateway Protocol (BGP).
Route Prefix The system filters routes based on the specified route prefixes. The following match methods are supported:
  • Fuzzy Match: If the prefix of a route falls within one of the specified prefixes, the route meets the match condition.

    For example, if you set the match condition to 10.10.0.0/16 and fuzzy match is applied, the route whose prefix is 10.10.10.0/24 meets the match condition.

  • Exact Match: A route meets the match condition only when the prefix of the route is the same as one of the specified prefixes.

    For example, if the match value is set to 10.10.0.0/16 and the match method is set to Exact Match, only the route with the prefix 10.10.0.0/16 meets the match condition.

AS Path The system filters routes based on the specified AS path. The following match methods are supported:
  • Fuzzy Match: A route meets the match condition if the AS path of the route overlaps with that specified in the match condition.

    For example, if you set the AS path to 65001,65002 and the match method to Fuzzy Match, the route whose AS path is 65501,65001 matches the condition because both AS paths contain 65001.

  • Exact Match: A route meets the match condition only if the AS path of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65501,65001,60011 and exact match is applied, only the route whose AS path is 65501,65001,60011 meets the match condition.

Note AS path is a mandatory attribute, which describes the AS numbers that a BGP route passes through when it is advertised.
Community The system matches routes based on the community. The following match methods are supported:
  • Fuzzy Match: A route meets the match condition if the community of the route overlaps with that specified in the match condition.

    For example, if you set the match condition to 65001:1000,65002:2000 and fuzzy match is applied, the route whose community is 65501:1000,65001:1000 meets the match condition, because both communities contain 65001:1000.

  • Exact Match: A route meets the match condition only if the community of the route is the same as that specified in the match condition.

    For example, if you set the match condition to 65001:65001,65002:65005,65003:65001 and exact match is applied, only the route whose community is 65001:65001,65002:65005,65003:65001 meets the match condition.

Note Community is an optional transitive attribute. You can specify a specific community value for a specific route. Downstream routers can filter routes based on the specified community value when routing policies are implemented.
Table 3. Policy values
Parameter Description
Preference Specify a priority for the routes that are permitted.

Valid values: 1 to 100. Default value: 50. A smaller value indicates a higher priority.

Community Specify a community value for routes. The following methods are supported:
  • Add: adds the specified community value to matched routes.
  • Replace: replaces the community values of matched routes with the specified community value.
Appended AS Path Specify the AS path to be appended when the transit router receives or advertises a route.
The requirements for appended AS paths vary based on the direction in which the routing policy is applied:
  • If the direction of a routing policy is set to Import to Regional Gateway and you want to configure Appended AS Path, you must specify Source Instance IDs and Source Region in match conditions. The source region that you specify must be the same region to which the routing policy applies.
  • If the direction of a routing policy is set to Export from Regional Gateway and you want to configure Appended AS Path, you must specify Destination Instance IDs in match conditions.

Matching process

Routing policies evaluate routes in match-action mode. Actions are performed after conditions are matched. The system compares routes with match conditions in descending order of routing policy priority.

  • If a route meets all the match conditions in a routing policy, the specified action is performed on the route.
    • If you set Routing Policy Action to Permit, the route is permitted. By default, the system does not compare a matched route with the next routing policy. However, if you set associated priority, the system compares the route with the routing policy that has the associated priority. If you do not set associated priority, the matching process ends.
    • If you set Routing Policy Action to Deny, the system denies the route. By default, the system stops comparing the matched route with the next routing policy and the matching process ends.
  • If a route does not meet a match condition specified in a routing policy, the current matching process ends and the system compares the route with the next routing policy.
  • If the route meets all the match conditions specified in the next routing policy, the action specified in the routing policy is performed on the route.
    • If you set Routing Policy Action to Permit, the route is permitted. By default, the system does not compare a matched route with the next routing policy. However, if you set associated priority, the system compares the route with the routing policy that has the associated priority. If you do not set associated priority, the matching process ends.
    • If you set Routing Policy Action to Deny, the system denies the route. By default, the system stops comparing the matched route with the next routing policy and the matching process ends.
  • If a route does not meet a match condition specified in the next routing policy, the current matching process ends and the system compares the route with the next routing policy. The preceding processes are repeated until the system compares the route with the last routing policy.
  • If the route does not meet a match condition specified in the last routing policy, the route is permitted.
Routing policies - new version

Default routing policy

Each transit router contains a default routing policy that applies in the outbound direction. The priority of the default routing policy is 5000, and the policy action is Deny. The default routing policy prevents VBRs or CCN instances that are connected to the same transit router from communicating with each other. The following section describes whether VPCs, VBRs, and CCN instances that are connected to the same transit router can communicate with each other by default:

  • A VPC that is connected to a transit router can communicate with VPCs, VBRs, or CCN instances that are connected to the same transit router. Routing policies - VPCs can communicate with each other
  • A VBR that is connected to a transit router cannot communicate with VBRs or CCN instances that are connected to the same transit router. VBRs cannot communicate with each other
  • A CCN instance that is connected to a transit router cannot communicate with VBRs or CCN instances that are connected to the same transit router. CCN instances cannot communicate with each other

Tutorials

The routing policy feature allows you to flexibly manage network communication in the cloud. For more information, see the following topics: