Transit routers support routing policies. You can configure routing policies to filter and modify routes. This allows you to manage network communication in the cloud.
How it works
A transit router in a specified region contains route tables and routing policies that are configured for the region. Routing policies filter routes based on the route tables associated with the transit router. Transit routers are available in two editions: Basic Edition and Enterprise Edition.
- A Basic Edition transit router has only one system route table. Routing policies that you create are automatically associated with the system route table.
- An Enterprise Edition transit router has one system route table and supports custom
route tables. When you add a routing policy, you can associate the routing policy
with the system route table or a custom route table. The routing policy affects only
how the associated route table advertises routes.
For more information about Basic Edition and Enterprise Edition transit routers, see How transit routers work.
You can configure routing policies in the inbound direction or outbound direction. Each routing policy is a collection of conditional statements and execution statements. Routing policies are sorted by priority. A smaller value indicates a higher priority. Routes are matched against match conditions specified in routing policies in descending order of policy priority. Routes that meet all match conditions are permitted or denied based on the specified policy action. You can modify the priority, autonomous system (AS) path, and community value of a route that is permitted. Routes that do not match all match conditions are permitted by default.

Components
Parameter | Description |
---|---|
Routing Policy Priority | Set a priority for the routing policy.
Valid values: 1 to 100. A smaller value indicates a higher priority. You cannot specify the same priority for routing policies that apply in the same region and direction. The system matches routes against the match conditions of routing policies in descending order of priority. A smaller value indicates a higher priority. Therefore, set appropriate values to sort the routing policies in the desired order. |
Description | Enter a description for the routing policy. |
Region | Select the region in which the routing policy applies.
Note This parameter is supported only by Basic Edition transit routers.
|
Associated Route Table | Select the ID of the route table to be associated with the routing policy.
Note This parameter is supported only by Enterprise Edition transit routers.
|
Direction | Specify the direction in which the routing policy is applied.
|
Routing Policy Action | Select the action to be performed on routes that meet all match conditions. The following
actions are supported:
|
Priority of Associated Routing Policy | Specify a priority for the routing policy that you want to associate with the current
one.
|
Parameter | Description |
---|---|
Source Region | The system checks whether routes are advertised from a specified region.
The system only checks whether the source regions of the routes meet the specified condition. The destination regions of the routes are not checked. |
Source Instance IDs | The system checks whether routes are advertised from specified network instances.
The following network instance types are supported:
You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised from the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition. |
Destination Instance IDs | The system checks whether routes are advertised to specified network instances. The
following network instance types are supported:
You can select Exclude Specified IDs to specify network instance IDs that you want to exclude. If the routes are not advertised to the specified IDs, the routes meet the condition. Otherwise, the routes fail to meet the condition. Note The destination instance IDs take effect only when Direction is set to Export from Regional Gateway and the destination instances are deployed in the current region.
|
Destination Route Table | The system checks whether routes are advertised to specified route tables.
Note The destination route table IDs take effect only when Direction is set to Export from Regional Gateway and the destination route tables belong to network instances deployed in the current
region.
|
Source Instance Type | The system checks whether routes are advertised from specified network instance types.
The following network instance types are supported:
|
Destination Instance Type | The system checks whether routes are advertised to specified network instance types.
The following network instance types are supported:
Note
|
Route Type | The system checks whether routes are of specified types. The following route types
are supported:
|
Route Prefix | The system filters routes based on the specified route prefixes. The following match
methods are supported:
|
AS Path | The system filters routes based on the specified AS path. The following match methods
are supported:
Note AS Path is a mandatory attribute, which describes the AS numbers that a BGP route
passes through when it is advertised.
|
Community | The system matches routes based on the community. The following match methods are
supported:
Note Community is an optional transitive attribute. You can specify a specific community
value for a specific route. Downstream routers can filter routes based on the specified
community value when routing policies are implemented.
|
Parameter | Description |
---|---|
Preference | Specify a priority for the routes that are permitted.
Valid values: 1 to 100. Default value: 50. A smaller value indicates a higher priority. |
Community | Specify a community value for routes. The following methods are supported:
|
Appended AS Path | Specify the AS path to be appended when the transit router receives or advertises
a route.
For routing policies that are used in different directions, the requirements for AS
paths that are prepended are different:
|
Matching process
Routing policies evaluate routes in match-action mode. Actions are performed after conditions are matched. The system matches routes against match conditions in descending order of routing policy priority.
- If a route meets all the match conditions in a routing policy, the specified action
is performed on the route.
- If you set Routing Policy Action to Permit, the route is permitted. By default, the system does not match a matched route against the next routing policy. However, if you set a priority for the associated routing policy, the system matches the route against the routing policy that has the specified priority. If you do not set a priority, the matching process ends.
- If you set Routing Policy Action to Deny, the route is denied. By default, the system stops matching the route against the next routing policy and the matching process ends.
- If a route does not meet a match condition specified in a routing policy, the current matching process ends and the system matches the route against the next routing policy.
- If the route meets all the match conditions specified in the next routing policy,
the action specified in the routing policy is performed on the route.
- If you set Routing Policy Action to Permit, the route is permitted. By default, the system does not match a matched route against the next routing policy. However, if you set a priority for the associated routing policy, the system matches the route against the routing policy that has the specified priority. If you do not set a priority, the matching process ends.
- If you set Routing Policy Action to Deny, the route is denied. By default, the system stops matching the route against the next routing policy and the matching process ends.
- If a route does not meet a match condition specified in the next routing policy, the current matching process ends and the system matches the route against the next routing policy. The preceding processes are repeated until the system matches the route against the last routing policy.
- If the route does not meet a match condition specified in the last routing policy, the route is permitted.

Default routing policy
Each transit router contains a default routing policy that applies in the outbound direction. The priority of the default routing policy is 5000, and the policy action is Deny. The default routing policy prevents VBRs, CCN instances, and IPsec connections that are connected to the same transit router from communicating with each other. The following section describes whether VPCs, VBRs, CCN instances, and IPsec connections that are connected to the same transit router can communicate with each other by default:
- A VPC that is connected to a transit router can communicate with VPCs, VBRs, CCN instances,
and IPsec connections that are also connected to the transit router.
- A VBR that is connected to a transit router cannot communicate with VBRs, CCN instances,
or IPsec connections that are also connected to the transit router.
- A CCN instance that is connected to a transit router cannot communicate with VBRs,
CCN instances, or IPsec connections that are also connected to the transit router.
Limits
Item | Default quota | Adjustable |
---|---|---|
The maximum number of routing policies in the inbound direction that you can create on a transit router | 100 | Not supported |
The maximum number of routing policies in the outbound direction that you can create on a transit router | 100 | Not supported |
References
The routing policy feature allows you to flexibly manage network communication in the cloud. For more information, see the following topics:
- Disable intercommunication among VPCs
- Use route maps to disable the communication between a VPC and a CIDR block
- Connect data centers by using CEN
- Connect branches to a data center by using CEN
- Configure active and standby static routes for VBRs in the same region by using route maps
- Use route maps to allow specified VPCs to communicate with each other