After you create an IPsec-VPN connection, you can create a policy-based route for the IPsec-VPN connection. A policy-based route forwards traffic based on source and destination IP addresses. This topic describes how to create, advertise, modify, and delete a policy-based route.

Prerequisites

An IPsec-VPN connection is created. For more information, see Create an IPsec-VPN connection.

Usage notes

  • You cannot create a policy-based route whose destination CIDR block is 0.0.0.0/0.
  • When you create a policy-based route for an IPsec-VPN connection, do not create a route whose destination CIDR block is 100.64.0.0/10 or one of its subnets and whose next hop is the IPsec-VPN connection. If you create such a route, the status of the IPsec-VPN connection cannot be displayed in the console, or the negotiation of the IPsec-VPN connection fails.

Match rules of policy-based routes

When a VPN gateway forwards traffic, policy-based routes are not matched based on the longest prefix match algorithm. The VPN gateway matches policy-based routes in sequence. After a policy-based route is matched, traffic is forwarded based on the matched route.

The sequence number of a policy-based route is determined by the time when the route is delivered to the system. In most cases, routes that are configured earlier are delivered to the system first and have higher priorities than routes that are configured later. However, this is not guaranteed. In some cases, routes that are configured later are delivered to the system first and have higher priorities than routes that are configured earlier.

Recommendations

To ensure that traffic is forwarded through the desired path, we recommend that you create specific policy-based routes and make sure that traffic can be matched by only one policy-based route.

Example

[Figure: Match rules]

As shown in the preceding figure, the data center IDC_1 communicates with VPC_1 through IPsec-VPN Connection 1, and the data center IDC_2 communicates with VPC_1 through IPsec-VPN Connection 2. The CIDR blocks of IDC_1 to be connected to VPC_1 are 192.168.1.0/24 and 192.168.2.0/24, the CIDR block of IDC_2 to be connected to VPC_1 is 192.168.5.0/24, and the CIDR block of VPC_1 to be connected to the data centers is 172.16.0.0/16.

When you create the policy-based routes, you first create a route that forwards traffic from VPC_1 to IDC_2. Then, you create a route that forwards traffic from VPC_1 to IDC_1 and set its destination CIDR block to 192.168.0.0/21, which covers both IDC_1 CIDR blocks. In this example, the routes are not delivered to the system in the sequence in which you configure them. The following table describes the sequence numbers that the routes receive.

Sequence number   Destination CIDR block   Source CIDR block   Next hop
1                 192.168.0.0/21           172.16.0.0/16       IPsec-VPN Connection 1
2                 192.168.5.0/24           172.16.0.0/16       IPsec-VPN Connection 2

When the VPN gateway forwards traffic from VPC_1 to IDC_2, the routes are matched in sequence. Traffic from VPC_1 to IDC_2 is matched by the route whose sequence number is 1, because its destination CIDR block 192.168.0.0/21 contains 192.168.5.0/24 and the gateway does not compare prefix lengths. As a result, traffic from VPC_1 to IDC_2 is routed to IDC_1 through IPsec-VPN Connection 1.

In the preceding scenario, you cannot control the time at which policy-based routes are delivered to the system. As a result, the policy-based routes are not sorted in the desired sequence, and traffic is not forwarded through the desired path. To prevent this issue, we recommend that you create specific policy-based routes to ensure that traffic can be matched by only one route. This way, traffic can be routed without being affected by the sequence of policy-based routes.

In this example, you can configure the policy-based routes based on the following table. When the VPN gateway forwards traffic from VPC_1 to IDC_2, the traffic is matched only by the policy-based route whose sequence number is 2, and the traffic is forwarded to IDC_2 through the desired path.

Sequence number   Destination CIDR block   Source CIDR block   Next hop
1                 192.168.1.0/24           172.16.0.0/16       IPsec-VPN Connection 1
2                 192.168.5.0/24           172.16.0.0/16       IPsec-VPN Connection 2
3                 192.168.2.0/24           172.16.0.0/16       IPsec-VPN Connection 1
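The following Python script is an added illustration, not part of this topic or of the VPN Gateway service: it models the sequential (first-match, not longest-prefix) lookup described above, replays the two route tables for a packet from VPC_1 to IDC_2, and checks a table for overlapping routes, which is the condition that makes forwarding depend on the uncontrollable delivery order. The route tables are constructed from the tables in this example; the function names are the script's own.

```python
from ipaddress import ip_address, ip_network

# Constructed route tables, copied from the two tables in this example.
# Each entry: (sequence number, destination CIDR, source CIDR, next hop).
OVERLAPPING_ROUTES = [
    (1, "192.168.0.0/21", "172.16.0.0/16", "IPsec-VPN Connection 1"),
    (2, "192.168.5.0/24", "172.16.0.0/16", "IPsec-VPN Connection 2"),
]

SPECIFIC_ROUTES = [
    (1, "192.168.1.0/24", "172.16.0.0/16", "IPsec-VPN Connection 1"),
    (2, "192.168.5.0/24", "172.16.0.0/16", "IPsec-VPN Connection 2"),
    (3, "192.168.2.0/24", "172.16.0.0/16", "IPsec-VPN Connection 1"),
]


def select_next_hop(routes, src_ip, dst_ip):
    """Sequential match as described for policy-based routes: the route
    with the lowest sequence number whose source AND destination CIDR
    blocks contain the packet wins. Prefix length is never compared."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for _seq, dst_cidr, src_cidr, next_hop in sorted(routes):
        if src in ip_network(src_cidr) and dst in ip_network(dst_cidr):
            return next_hop
    return None  # no policy-based route matches this flow


def ambiguous_routes(routes):
    """Return pairs of sequence numbers whose (source, destination) spaces
    overlap. A flow inside such an overlap is forwarded by whichever route
    happened to be delivered first, so the recommendation in this topic
    amounts to keeping this list empty."""
    overlaps = []
    for i, (seq_a, dst_a, src_a, _) in enumerate(routes):
        for seq_b, dst_b, src_b, _ in routes[i + 1:]:
            if (ip_network(dst_a).overlaps(ip_network(dst_b))
                    and ip_network(src_a).overlaps(ip_network(src_b))):
                overlaps.append((seq_a, seq_b))
    return overlaps


if __name__ == "__main__":
    # A flow from VPC_1 (172.16.0.0/16) to a host in IDC_2 (192.168.5.0/24).
    print(select_next_hop(OVERLAPPING_ROUTES, "172.16.0.10", "192.168.5.20"))
    print(select_next_hop(SPECIFIC_ROUTES, "172.16.0.10", "192.168.5.20"))
    print(ambiguous_routes(OVERLAPPING_ROUTES))
    print(ambiguous_routes(SPECIFIC_ROUTES))
```

Running `ambiguous_routes` against a planned table before you create the routes in the console is a cheap way to catch the misrouting case before it depends on delivery order.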

Add a policy-based route

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
  4. Click the Policy-based Routing tab, and then click Add Route Entry.
  5. In the Add Route Entry panel, set the following parameters and click OK.
    Parameter                Description
    Destination CIDR Block   Enter the private CIDR block that you want to access.
    Source CIDR Block        Enter the private CIDR block of the VPC.
    Next Hop Type            Select IPsec Connection.
    Next Hop                 Select the IPsec-VPN connection for which you want to create a policy-based route.
    Publish to VPC           Specify whether to advertise the route to the virtual private cloud (VPC) route table.
                             • Yes: automatically advertises the route to the route table of the VPC. We recommend that you select this value.
                             • No: does not advertise the policy-based route to the VPC route table.
                             Note: If you select No, you must manually advertise the route to the VPC route table.
    Weight                   Select a weight. Valid values:
                             • 100 (default): specifies a high priority for the route.
                             • 0: specifies a low priority for the route.
                             Note: If a route table contains multiple policy-based routes that have the same source CIDR block, destination CIDR block, and weight, a policy-based route is randomly selected to forward traffic.

Advertise a policy-based route

You can specify Routing Mode when you create an IPsec-VPN connection. If you set the parameter to Protected Data Flows, the system automatically creates a policy-based route that is in the Not Published state for the VPN gateway. To advertise the policy-based route to the VPC route table, perform the following steps:

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
  4. On the Policy-based Routing tab, find the policy-based route that you want to advertise and click Publish in the Actions column.
  5. In the Publish Route Entry message, click OK.
    If you want to withdraw the policy-based route, click Unpublish.

Modify a policy-based route

You can change the weight of an existing policy-based route.

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
  4. On the Policy-based Routing tab, find the policy-based route that you want to modify and click Edit in the Actions column.
  5. In the panel that appears, specify a new weight for the route and click OK.

Delete a policy-based route

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
  4. On the Policy-based Routing tab, find the policy-based route that you want to delete and click Delete in the Actions column.
  5. In the Delete Route Entry message, click OK.