After you create destination-based routes, a VPN Gateway forwards traffic based on routes that match the destination IP address of the traffic.
Prerequisites
Before you can configure destination-based routes, you must create an IPsec-VPN connection for the VPN Gateway instance. For more information, see Create and manage an IPsec-VPN connection in single-tunnel mode or Create and manage an IPsec-VPN connection in dual-tunnel mode.
Limits
You cannot add a destination-based route whose destination CIDR block is 0.0.0.0/0.
Do not add a destination-based route whose destination CIDR block is 100.64.0.0/10, a subnet of 100.64.0.0/10, or a CIDR block that contains 100.64.0.0/10. Such routes may prevent the status of the IPsec-VPN connection from being displayed in the console or cause the IPsec-VPN connection to fail.
Route matching rules
By default, a VPN Gateway uses the longest prefix match rule to match destination-based routes when forwarding traffic.
If a VPN Gateway instance is configured with active/standby routes, only active routes are used for matching. The rules for active/standby routes are as follows:
If the system detects that the IPsec-VPN connection associated with the active route is connected (the IPsec-VPN connection is successfully established and the health check is normal), the active route is used and the standby route is not.
If the system detects that the IPsec-VPN connection for the active route is disconnected (the connection fails to establish, or is established but the health check is abnormal) and the connection for the standby route is connected, the standby route is used and the active route is not.
If the system detects that the connections for both the active and standby routes are disconnected, the active route is used by default and the standby route is not.
For example, a VPN Gateway has the following two destination-based routes in its route table. When the VPN Gateway receives a packet with a destination IP address in the 10.10.10.0/24 range, the packet matches both routes. However, Route 2 has a subnet mask of /16 and Route 1 has a subnet mask of /8. Based on the longest prefix match rule, the VPN Gateway uses Route 2 to forward the packet.
Route Name | Destination CIDR block | Next hop | Weight
Route 1 | 10.0.0.0/8 | IPsec-VPN Connection 1 | 100
Route 2 | 10.10.0.0/16 | IPsec-VPN Connection 2 | 100
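The two rules above (longest prefix match, then active/standby selection based on connection state) are easy to get wrong when reasoning about failover by hand. The following added example, which is not part of this page or of the VPN Gateway product, models them in Python over a constructed route table: the page's Route 1 and Route 2 plus a hypothetical active/standby pair (Route 3 and Route 4) for 192.168.0.0/16. The `connected` map stands in for the system's view of each connection (established and health check normal).

```python
import ipaddress

# Constructed sample route table: the page's two routes plus an
# active/standby pair (Route 3 / Route 4) added here for illustration.
ROUTES = [
    {"name": "Route 1", "dest": "10.0.0.0/8",     "next_hop": "IPsec-VPN Connection 1", "weight": 100},
    {"name": "Route 2", "dest": "10.10.0.0/16",   "next_hop": "IPsec-VPN Connection 2", "weight": 100},
    {"name": "Route 3", "dest": "192.168.0.0/16", "next_hop": "IPsec-VPN Connection 3", "weight": 100},
    {"name": "Route 4", "dest": "192.168.0.0/16", "next_hop": "IPsec-VPN Connection 4", "weight": 0},
]

def eligible_routes(routes, connected):
    """Apply the active/standby rules. `connected` maps a next hop to True when
    its IPsec-VPN connection is established AND its health check is normal.
    Routes that share a destination CIDR form a pair: weight 100 is the active
    route, weight 0 the standby. Only one route per destination is eligible."""
    by_dest = {}
    for route in routes:
        by_dest.setdefault(route["dest"], []).append(route)
    eligible = []
    for group in by_dest.values():
        if len(group) == 1:            # no standby configured for this CIDR
            eligible.append(group[0])
            continue
        active = next(r for r in group if r["weight"] == 100)
        standby = next(r for r in group if r["weight"] == 0)
        if connected.get(active["next_hop"], False):
            eligible.append(active)    # rule 1: active link is up
        elif connected.get(standby["next_hop"], False):
            eligible.append(standby)   # rule 2: active down, standby up
        else:
            eligible.append(active)    # rule 3: both down, active used by default
    return eligible

def select_route(routes, connected, dst_ip):
    """Longest prefix match over the eligible routes; returns the route name,
    or None when no route covers the destination address."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in eligible_routes(routes, connected):
        net = ipaddress.ip_network(route["dest"])
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best["name"] if best else None
```

Note that with both links of a pair down the active route is still selected, so traffic for that CIDR is black-holed rather than falling through to a shorter prefix such as a default route in the VPC.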
Create a destination-based route
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region where the VPN gateway is deployed.
3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.
4. On the Destination-based Route Table tab, click Add Route Entry.
5. In the Add Route Entry panel, configure the destination-based route and click OK.
Destination CIDR Block: Enter the CIDR block of the data center that you want to access.
Next Hop Type: Select IPsec-VPN Connection.
Next Hop: Select the IPsec-VPN connection that you want to use.
Advertise to VPC: Select whether to publish the new route to the VPC.
- Yes (Recommended): The new route is automatically published to the VPC. The route is published only to the system route table of the VPC, not to any custom route tables. To add this route to a custom route table, you must add it manually. For more information, see Add a custom route entry to a custom route table.
- No: The new route is not published to the VPC. After you select No, you must manually add a route to the system and custom route tables of the VPC. The route must point to the data center CIDR block and use the VPN Gateway instance as the next hop. Otherwise, the VPC cannot access resources in the CIDR block through the IPsec-VPN connection.
Important: If you create routes with the same destination CIDR block in both the policy-based route table and the destination-based route table, and publish both routes to the same VPC, then when you withdraw the route from the destination-based route table, the route in the policy-based route table is also withdrawn.
Weight: Select a weight for the destination-based route.
In a scenario where you use the same VPN Gateway instance to build active/standby IPsec-VPN connections, you can configure route weights to specify the active and standby links. A route with a weight of 100 is the active link by default. A route with a weight of 0 is the standby link by default.
You can configure health checks for the IPsec-VPN connection to automatically detect link connectivity. If the active link fails, the system automatically switches traffic to the standby link to ensure high availability. For more information about health checks for IPsec-VPN connections, see Health check.
- 100 (Active) (Default): The IPsec-VPN connection associated with the current destination-based route is the active link.
- 0 (Standby): The IPsec-VPN connection associated with the current destination-based route is the standby link.
Note: When you specify active and standby links, the active and standby routes must have the same destination CIDR block, but different next hops and different weights.
After you specify the active and standby links, to modify the weight of the active route, you must first delete the standby route. After you modify the active route, reconfigure the standby route. Similarly, to modify the weight of the standby route, you must first delete the active route. After you modify the standby route, reconfigure the active route.
If you encounter a route conflict error when adding a destination-based route, see What do I do if I receive an error message, such as a duplicate route, when adding a route to a VPN Gateway instance?.
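The Limits section and the Weight note above together define what a valid destination-based route looks like: no 0.0.0.0/0, nothing overlapping 100.64.0.0/10, a weight of 100 or 0, and an active/standby pair that shares a destination CIDR but differs in next hop and weight. The following added example, not part of this page or of the product's own validation, runs those checks as a pre-flight step before a route is submitted; the route dicts (keys `dest`, `next_hop`, `weight`) are a constructed format, not the console's or the API's.

```python
import ipaddress

# Reserved range from the Limits section: a route equal to it, inside it,
# or containing it must not be added.
RESERVED = ipaddress.ip_network("100.64.0.0/10")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
ALLOWED_WEIGHTS = {100, 0}   # 100 = active link, 0 = standby link

def validate_route_entry(route, existing):
    """Return a list of problems with a proposed destination-based route.
    `route` and each entry of `existing` are constructed dicts with the keys
    dest, next_hop and weight. An empty list means the entry is acceptable."""
    problems = []
    dest = ipaddress.ip_network(route["dest"], strict=False)
    if dest == DEFAULT_ROUTE:
        problems.append("destination 0.0.0.0/0 is not allowed")
    if dest.overlaps(RESERVED):   # equal to, subnet of, or supernet of 100.64.0.0/10
        problems.append("destination overlaps 100.64.0.0/10; this may hide the "
                        "connection status or make the IPsec-VPN connection fail")
    if route["weight"] not in ALLOWED_WEIGHTS:
        problems.append("weight must be 100 (active) or 0 (standby)")
    # Routes with the same destination CIDR must form one active/standby pair.
    peers = [r for r in existing
             if ipaddress.ip_network(r["dest"], strict=False) == dest]
    if len(peers) >= 2:
        problems.append("destination already has an active and a standby route")
    for peer in peers:
        if peer["next_hop"] == route["next_hop"]:
            problems.append("duplicate route: same destination and next hop as an existing entry")
        elif peer["weight"] == route["weight"]:
            problems.append("active/standby pair must use different weights")
    return problems
```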
Publish a destination-based route
If you did not publish the destination-based route to the VPC when you created it, you can use this procedure to publish the route. The route is published only to the system route table of the VPC, not to any custom route tables.
To add this route to a custom route table, you must add it manually. For more information, see Add a custom route entry to a custom route table.
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region where the VPN gateway is deployed.
3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.
4. On the Destination-based Route Table tab, find the target route entry and click Advertise in the Actions column.
5. In the Advertise Route dialog box, click OK.
After the route is published, you can click Withdraw to withdraw it.
Important: If you create routes with the same destination CIDR block in both the policy-based route table and the destination-based route table, and publish both routes to the same VPC, then when you withdraw the route from the destination-based route table, the route in the policy-based route table is also withdrawn.
Delete a destination-based route
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region where the VPN gateway is deployed.
3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.
4. On the Destination-based Route Table tab, find the target route entry and click Delete in the Actions column.
5. In the Delete Route Entry dialog box, click OK.
Configure destination-based routes by calling API operations
You can call API operations using tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service to configure and manage destination-based routes. For more information about the API operations, see the following topics:
- CreateVpnRouteEntry: creates a destination-based route.
- DeleteVpnRouteEntry: deletes a destination-based route.
- ModifyVpnRouteEntryWeight: modifies the weight of a destination-based route.
- DescribeVpnRouteEntries: queries destination-based routes and BGP routes.