Route tables of virtual private clouds (VPCs) determine the path that network traffic takes from resources to destinations. By configuring route entries, you can direct traffic to follow specified paths.
Route tables
Aspect | System route table | Custom route table | |
vSwitch | Gateway | ||
Scenarios | A vSwitch is bound to the system route table by default after creation. All vSwitches in the VPC use the same routing method. | Bind vSwitches to custom route tables to control traffic flows for each vSwitch. | Control the routing of inbound Internet traffic to a VPC. |
Bound To | vSwitch | vSwitch | IPv4 or IPv6 gateway |
Method | The system automatically generates it, and users cannot manually create it. | Created by users | Created by users |
Deletion | Cannot be deleted. | Unbind from the vSwitch before deletion. | Unbind from the IPv4 or IPv6 gateway before deletion. |
Quota | One per VPC | Nine per VPC by default. Go to the Quota Management page to request an increase. | One per VPC. |
A vSwitch can be bound to only one route table. The routing policy of a vSwitch is controlled by the route table.
A route table can be bound to multiple vSwitches.
Change the route table bound to a vSwitch:
To change from a custom route table to the system one, unbind it from the vSwitch.
To bind to another custom route table, simply associate it with the vSwitch.
Route entries
Each item in a route table is a route entry, comprising a destination CIDR block and a next hop.
Destination CIDR Block: The range of IP addresses to which traffic is routed.
Next Hop: The destination to which traffic is transmitted.
Type: The type of resource to which traffic is transmitted, such as an Elastic Compute Service (ECS) instance, VPN gateway, or Elastic Network Interface (ENI).
Instance: The specific instance to which traffic is transmitted.
Route entries can be filtered via fuzzy search using Destination CIDR Block. Additionally, custom routes allow fuzzy search by route entry ID/name and next hop ID.
Static routes
Static routes do not automatically adapt to network changes. When the network topology changes, you must manually update the routing.
System: Route entries are automatically added to the route table after a VPC and vSwitches are created.
Custom: Route entries created by users to replace system ones or route traffic to a specified destination.
As shown in the following figure, VPC supports dual-stack and lets you configure both IPv4 and IPv6 CIDR blocks. The two types of traffic are isolated through independent routing policies.
After the dual-stack VPC1 is created, the following routes are automatically added:
172.16.1.0/24: IPv4 system route used for IPv4 communication among resources in the vSwitch.2408:XXXX:XXXX:3f00::/64: IPv6 system route used for IPv6 communication among resources in the vSwitch.::/0: Custom IPv6 route that directs default IPv6 traffic to the IPv6 gateway. After IPv6 Internet bandwidth is enabled, the IPv6 address can communicate with the Internet.
By configuring custom routes, traffic is routed along specified paths.
192.168.0.0/16: A route with a VPC2 CIDR block as the destination. The peering connection enables communication between instances in VPC1 and VPC2.0.0.0.0/0: A custom IPv4 route that directs default IPv4 traffic to the IPv4 gateway for Internet communication. Based on route priorities, all IPv4 traffic is routed to the IPv4 gateway and centrally controlled, except for system routes and custom routes of the peering connection.
Type | System route | Custom route |
Creation | Added to the route table by default after a VPC and vSwitches are created. | Created by users. Determine the path that the traffic takes to the destination. |
Destination CIDR block and next hop |
|
Note
|
Modification |
|
Static route configuration
Limitations
Note the following limits when configuring routes:
Destination CIDR block
That of a custom route cannot be the same as that of a system or a dynamic one.
Those of custom routes can contain the CIDR blocks of system routes. The CIDR blocks of custom routes cannot be more specific than those of system routes, excluding system routes of cloud services.
You can create a custom route with a more specific CIDR block than the system route
100.64.0.0/10, but it cannot be the same as this CIDR block. Because the system route with destination CIDR block100.64.0.0/10is used for communication among resources within the VPC, we recommend configuring more specific routes with caution. Incorrect configuration may cause some inaccessible services.
Next hop
If you create a custom route table and bind it to a vSwitch with the IPv6 feature enabled, you must manually add a custom route entry with
::/0as the destination and IPv6 Gateway as the next hop. IPv6 traffic with no specific routes configured is routed to the IPv6 gateway. The IPv6 address will have Internet communication capabilities when the IPv6 Internet bandwidth is enabled.When using an Express Connect circuit to connect to an on-premises network, select Next Hop Type as Router Interface (to VBR). This type supports ECMP and Active/Standby Routes, and must be used with health checks. In other cases, the destination CIDR blocks must be unique.
Examples
The accuracy of route configurations affects network connectivity. You can flexibly combine VPC and other products as needed, add custom route entries to control inbound and outbound traffic, and achieve network connectivity. For details, see the following configuration examples:
Internet access (Internet NAT Gateway)
When many servers need to access the Internet and require many public IP addresses, use the SNAT feature of Internet NAT Gateway to let ECS instances in a VPC share EIPs and save public IP resources. These ECS instances can access the Internet without exposing their private IP addresses, reducing security risks.
In this case, add a custom route entry pointing to the Internet NAT Gateway to enable Internet access.
When the vSwitch the ECS instance belongs to is bound to a custom route table: Manually configure a route entry with Destination CIDR Block as
0.0.0.0/0and Next Hop as the Internet NAT Gateway.When bound to the system route table:
If there is no route entry of
0.0.0.0/0, the system will automatically configure a route entry pointing to the Internet NAT Gateway.If there is a route entry of
0.0.0.0/0, delete the existing one, then add a route entry pointing to the Internet NAT Gateway.
Centralized Internet access control (IPv4 gateway)
Business departments with permissions to create and manage resources may configure public IP for ECS instances to gain Internet access without approval. This makes it difficult for the O&M department to centrally manage Internet access. To address this, use the IPv4 gateway as a unified entry and exit between the corporate VPC and the Internet.
Combined with custom route tables and components such as NAT Gateway, you can centrally control public traffic, centrally implement security policies and auditing, and reduce security risks from scattered accesses.
When there is a route entry whose next hop is the IPv4 gateway in the vSwitch route table, the route entry address can access the Internet. A vSwitch with a route pointing to the IPv4 gateway is called a public vSwitch, while a vSwitch without one is a private vSwitch.
Public vSwitch: Add a route with Destination CIDR Block as
0.0.0.0/0and Next Hop as the IPv4 gateway to let resources in the public vSwitch access the Internet.Private vSwitch:
Add a route with Destination CIDR Block as
0.0.0.0/0and Next Hop as the NAT Gateway. This routes IPv4 Internet traffic to the NAT Gateway, which lets the private vSwitch access the Internet through the IPv4 gateway.ECS2 is located in a private vSwitch whose route table does not have a route pointing to the IPv4 gateway. Even if ECS2 is assigned a public IPv4 address, it cannot communicate with the Internet.
Connect VPCs (VPC peering connection)
You can use the VPC peering connection to enable private communication between two VPCs in the same account or across accounts, in the same region or across regions. After creating a peering connection, resources in the VPCs can access each other through private IPv4 or IPv6 addresses.
In this example, a peering connection (pcc-aaabbb) has been created between VPC1 and VPC2. Configure route entries pointing to the peer VPC at both ends of the peering connection.
VPC1 route table: Add a route with Destination CIDR Block as the VPC2 CIDR block and Next Hop as the peering connection.
VPC2 route table: Add a route with Destination CIDR Block as the VPC1 CIDR block and Next Hop as the peering connection.
When using the VPC peering connection, plan your network in advance to ensure that the CIDR blocks of the VPCs and vSwitches at both ends do not overlap.
Connect to a data center (Express Connect)
Use an Express Connect circuit to connect a data center to the cloud through a virtual border router (VBR).
Configure a route entry with Destination CIDR Block as the data center and Next Hop Type as Router Interface (to VBR). This lets the VPC access the data center through the VBR.
You can also use an Express Connect circuit and an Express Connect router (ECR) to deliver lower latency and higher performance.
Configure a route entry with Destination CIDR Block as the data center and Next Hop as ECR. This lets the VPC access the data center through the ECR and VBR.
Connect to a data center (VPN Gateway)
Use a VPN gateway to connect a data center to a VPC through encrypted tunnels.
Configure a route entry with Destination CIDR Block as the data center and Next Hop as VPN Gateway. This lets the VPC access the data center through an IPsec-VPN connection.
Static route advertisement
Advertise to an ECR
You can advertise custom route entries configured in a VPC system route table to an ECR. If no route conflicts occur, the data center associated with the ECR will learn the route.
Advertise to a transit router
You can advertise routes from connected VPCs to a transit router. If no route conflicts occur, other network instances in the transit router can learn the route.
If you build a hybrid cloud for VPCs using an ECR and a transit router, the rules for CEN to advertise routes to the transit router and for the VPC to advertise static routes to the ECR remain unchanged.
Dynamic routes
Unlike static routes, dynamic ones do not require manual route configuration. They dynamically learn and update routes from dynamic sources through route advertisement.
Dynamic route sources
A dynamic route source refers to the source from which dynamic routes are learned, including CEN instances, VPN gateways, and ECRs. View the sources under Dynamic Route of the Route Entry List tab.
A VPC receives dynamic routes from only one dynamic source at a time. For example, when a VPC is associated with an ECR, adding it to a CEN with route advertisement enabled will cause enabling route advertisement to fail. After you create a VPN gateway and Enable automatic BGP advertising, BGP routes learned by the VPN gateway will be automatically propagated to the system route table of the VPC. In this case, the VPC cannot be added to an ECR.
A VPC cannot learn routes from a dynamic source if the destination CIDR blocks are the same as or more specific than vSwitch CIDR blocks.
Enable/disable route advertisement
You can enable or disable route advertisement to accept or reject dynamic routes.
The Accept Advertised Routes switch is enabled by default, allowing the route table to receive dynamic routes from route synchronization. View the Dynamic Route Source and information about route entries on the Dynamic Route tab.
On the Route Tables page, click the ID of the target route table.
In the Basic Information section, toggle on or off the switch to the right of Accept Advertised Routes.
NoteWhether it can be disabled
If no dynamic routes are synchronized to the VPC, you can disable this feature. There is no dynamic route source under the Dynamic Route tab of Route Entry List.
If the Dynamic Route Source is Route Advertisement Type ECR, you can disable this feature, after which the VPC will no longer learn dynamic routes from the ECR.
If the VPC is attached to a Basic Edition CEN, or if the associated transit router or VPN gateway has route advertisement enabled, this switch cannot be turned off.
Impact after disabling
The route table will no longer accept synchronized dynamic routes. Existing ones will be deleted.
The VPC cannot be attached to a Basic Edition CEN, and route advertisement cannot be enabled for the associated transit router or VPN gateway.
Impact after enabling
A VPC can be associated with only one ECR instance. After turning off Accept Advertised Routes and then turning it back on, the VPC route table will recalculate and configure dynamic routes based on the current ECR dynamic routes.
For example, four dynamic routes are synchronized from an ECR to the route table. After you turn off the switch, these routes are deleted. If two more dynamic routes are advertised and you turn on the switch, there are six dynamic routes in the VPC route table.
Route priority
Same destination CIDR block
When using an Express Connect circuit to connect to an on-premises network, select Next Hop Type as Router Interface (to VBR). You can configure route entries with the same destination CIDR block but different next hops.
This feature must be used with health checks. If not, the priorities of active/standby routes and ECMP will be ineffective.
Active/Standby Routes: Two instances are set as next hops, the active route having a weight of 100 and the standby one a weight of 0. The standby route takes over when the active route fails to pass the health check.
ECMP: Select 2-16 instances as next hops. Each instance must have the same weight, which is an integer from 0 to 255. The system distributes traffic evenly among the next hop instances.
Overlapping destination CIDR blocks
IPv4 and IPv6 traffic routing are independent of each other. According to the longest prefix match principle, the most specific route that matches the destination IP is selected as the next hop.
According to the longest prefix match, when multiple routing entries in a route table match the destination IP address, the router chooses the one with the longest subnet mask to forward the traffic.
For example, the following route table has custom routes pointing to different ECS instances.
Destination CIDR block | Next hop type | Next hop | Route entry type |
| - | - | System |
| - | - | System |
| ECS instance | ECS1 | Custom |
| ECS instance | ECS2 | Custom |
When the destination IPs are different, traffic will be forwarded according to different routes.
Destination IP | Route matching |
|
The subnet mask of According to the longest prefix match, traffic is forwarded to ECS2. |
| Only |
| Only |
Limits
Quota limits
Name/ID | Description | Default value | Adjustable |
vpc_quota_route_tables_num | Maximum number of custom route tables that can be created in each VPC | 9 | How to increase the quota:
|
vpc_quota_route_entrys_num | Maximum number of custom routes that can be created in each route table (excluding dynamic routes) | 200 | |
vpc_quota_dynamic_route_entrys_num | Maximum number of dynamic routes in each route table | 500 | |
vpc_quota_havip_custom_route_entry | Maximum number of custom routes that point to a high-availability virtual IP address (HAVIP) | 5 | |
vpc_quota_vpn_custom_route_entry | Maximum number of custom routes in a VPC that point to a VPN gateway | 50 | |
N/A | Maximum number of tags that can be added to each route table | 20 | N/A |
Maximum number of vRouters that can be created in each VPC | 1 | ||
Maximum number of routes that can point to a transit router supported by each VPC | 600 |
Supported regions
Area | Regions |
Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region) |
Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), and Mexico |
Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region) Important The SAU (Riyadh - Partner Region) region is operated by a partner. |