A route policy is a mechanism for controlling BGP routes in Alibaba Cloud. It allows you to filter routes, modify their attributes, and manipulate their paths. You can bind a route policy to an Enterprise Edition Transit Router (ECR) to control how routes propagate among its associated network instances. This helps you achieve goals such as traffic engineering, security isolation, and multi-link disaster recovery.
Use cases
Scenario 1: Active-standby failover
Requirement: An enterprise connects to Alibaba Cloud using two private connections: a primary 100 Gbit/s link and a backup 10 Gbit/s link. Under normal conditions, traffic uses the primary link. If the primary link fails, traffic automatically fails over to the backup link.
Solution:
In an inbound route policy, for routes received from the primary link's VBR, do not modify the AS path.
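For routes received from the backup link's VBR, prepend AS numbers to the AS path. The longer AS path makes these routes less preferred than the routes from the primary link.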
When the primary link fails, its routes are withdrawn, and traffic automatically switches to the backup link.
Scenario 2: Private network isolation
Requirement: Prevent routes for internal private address ranges, such as 10.0.0.0/8 and 172.16.0.0/12, from being advertised to an IDC or other external networks.
Solution:
In an outbound route policy, configure a match condition for the route prefixes 10.0.0.0/8 and 172.16.0.0/12.
Set the action to deny to block these routes from being advertised.
Scenario 3: Community-based traffic engineering
Requirement: Distinguish between video traffic, which needs a low-latency link, and file transfer traffic, which needs a high-bandwidth link, and steer them through different private connections.
Solution:
Tag routes for video traffic with the Community value 65000:100 and routes for file transfers with 65000:200.
In a route policy, match the Community values to direct video traffic to the low-latency link and file transfer traffic to the high-bandwidth link.
How it works
Using a route policy involves three steps: creating the policy, adding rules, and binding it to a network instance.
Step | Object | Description |
1. Create a route policy | Route policy (RouteMap) | A container for rules. You must specify a direction (inbound or outbound) when you create a route policy. The direction cannot be changed after creation. |
2. Add rules | Rule (RouteMapRule) | A |
3. Bind to a network instance | Association (RouteMapAssociation) | Binds the route policy to a specific network instance or route table to apply the policy. |
Matching process
When a route enters or leaves a network instance, the system evaluates it against the rules in the corresponding direction in ascending order of priority.
Inbound: Controls which routes the instance's route table learns from an associated network instance.
Outbound: Controls which routes the instance advertises to an associated network instance.
Match result:
If a match is found, the system performs the specified action, either permit (pass the route and optionally modify its attributes) or deny (discard the route), and the matching process stops.
If no rules are matched, the route is permitted by default.
Match conditions
A single rule can contain multiple match conditions. For a rule to match, all of its conditions must be met (a logical AND).
Category | Match condition | Description | Example |
Route attributes | Route Prefix | Matches the destination IP prefix of the route. Supports both IPv4 and IPv6. You can specify an exact match or an inclusive match for all subnets. | Exact match for |
Route attributes | Community | Matches the BGP Community attribute. Supports exact match and inclusive match. | |
Route attributes | AS_PATH | Matches the BGP AS path. Supports exact match and inclusive match. | |
Route attributes | IP Address Type | Matches IPv4 or IPv6. | |
Route attributes | Route Type | Matches the route type. Currently, only BGP is supported. | |
Network instance | Source Instance IDs | Matches the ID of the instance where the route originates. | |
Network instance | Destination Instance IDs | Matches the ID of the route's destination instance. | |
Network instance | Source Instance Type | Matches the type of the source instance. | |
Network instance | Destination Instance Type | Matches the type of the destination instance. | |
Network instance | Source Route Table | Matches the ID of the source route table. | |
Network instance | Destination Route Table | Matches the ID of the destination route table. | |
Region | Source Region | Matches the source region of the route. You can specify up to 32 regions. | |
Region | Destination Region | Matches the destination region of the route. You can specify up to 32 regions. | |
Actions
When a route matches a rule's conditions, the system performs one of the following actions:
Allow: Allows the route to be propagated.
Deny: Prevents the route from taking effect. For example, if a route entry in a TR matches a Deny rule, the Route Status of the entry is displayed as Prohibited.
If the action is Allow, you can also modify the BGP attributes of the route:
BGP attribute | Modification | Description | Typical use |
AS_PATH | Prepend / Modify | Prepends AS numbers to the AS path or directly modifies the AS path. | Lengthen the AS path to make a route less preferred. |
Community | Add / Delete | Adds or removes BGP Community tags. | Tag and classify routes. |
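The following Python model, an added example and not Alibaba Cloud code, walks routes through the matching process described above: rules in ascending priority, all conditions ANDed, first match stops evaluation, and permit by default when nothing matches. The VBR IDs, AS numbers, and rule fields are constructed, and prefix matching is assumed to be inclusive.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str
    as_path: list
    source_instance: str = ""          # e.g. a VBR ID (constructed)
    communities: set = field(default_factory=set)

@dataclass
class Rule:
    priority: int                      # 1-100, lower value is evaluated first
    action: str                        # "permit" or "deny"
    prefixes: list = None              # inclusive match: the prefix and its subnets
    source_instances: list = None
    community: str = None
    prepend: list = None               # AS numbers to prepend on permit

    def matches(self, r):
        # All configured conditions must hold (logical AND); unset ones are ignored.
        if self.prefixes is not None:
            net = ipaddress.ip_network(r.prefix)
            if not any(net.version == p.version and net.subnet_of(p)
                       for p in map(ipaddress.ip_network, self.prefixes)):
                return False
        if self.source_instances is not None and r.source_instance not in self.source_instances:
            return False
        if self.community is not None and self.community not in r.communities:
            return False
        return True

def evaluate(rules, route):
    """Return (verdict, as_path): the first match in ascending priority wins."""
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.matches(route):
            if rule.action == "deny":
                return "deny", None
            return "permit", (rule.prepend or []) + route.as_path
    return "permit", route.as_path     # no rule matched: permitted by default

# Constructed sample policies for Scenario 2 (outbound) and Scenario 1 (inbound).
OUTBOUND = [Rule(10, "deny", prefixes=["10.0.0.0/8", "172.16.0.0/12"])]
INBOUND = [Rule(10, "permit", source_instances=["vbr-backup"], prepend=[65001, 65001])]
```

Because unmatched routes are permitted, the outbound policy here is a deny list: a prefix such as 192.168.0.0/16 is still advertised unless a rule names it.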
Create and manage route policies
A route policy is a container for rules. When you create a route policy, you must specify its name and direction (inbound or outbound). The direction cannot be changed after creation.
Console
Create a route policy: Go to the Route Policy page in the CEN console, click Create Routing Policy, and select the Policy Direction and Priority.
Edit a route policy: You can modify the Priority of a route policy. In the Actions column for the target route policy, click Edit.
Delete a route policy: In the Actions column for the target route policy, click Delete.
Before deleting a route policy, you must first disassociate it from all network instances.
API
Call the CreateRouteMap operation to create a route policy. The Name and Direction (Inbound/Outbound) parameters are required.
Call the DeleteRouteMap operation to delete a route policy.
Before deleting a route policy, you must first disassociate it from all network instances.
Call the ModifyRouteMap operation to modify the name or description of a route policy.
Call the DescribeRouteMaps operation to query a list of route policies. You can filter the results by ID, name, or direction.
Add and manage rules
Each rule in a route policy is a match-action unit that defines specific match conditions and a resulting action. Rules are evaluated in ascending order of their priority.
Console
Add a rule
Click the ID of the target route policy to open its details page.
Click Add Inbound Route Rule or Add Outbound Route Rule.
After a route policy is created, you cannot change its direction or the direction of its rules. You can create separate inbound and outbound route policies to control route propagation in each direction.
Configure the following parameters:
Priority: An integer from 1 to 100. It must be unique among all rules in the policy.
Conditions: For more information, see Match conditions.
Perform Action: Choose Allow (pass the route and optionally modify its attributes) or Deny (discard the route).
If you select Allow, you can Modify BGP Attributes. You can modify the AS Path or Community attributes by using the Add or Replace operations. For more information, see Actions.
Edit or delete a rule
In the upper-right corner of the target rule, click Edit or Delete.
API
Call the CreateRouteMapRule operation to create a rule. The RouteMapId, Name, and Direction parameters are required. Use the MatchConditions and SetActions parameters in your request to specify match conditions and actions.
Call the DeleteRouteMapRule operation to delete a rule.
Call the ModifyRouteMapRule operation to modify a rule. You can change the priority, match conditions, and actions, but not the direction.
Call the DescribeRouteMapRules operation to query a list of rules.
Bind and unbind route policies
You apply a route policy by binding it to an ECR instance.
Console
Bind a route policy
On the details page of the ECR instance, go to the Route Maps tab and click Associate Routing Policy.
Select the target route policy, specify the regions under Select Effective Region, and click Confirm.
If you bind multiple route policies to the same resource, the priority of each rule across all associated policies must be unique.
To change the effective regions later, click Modify Effective Region in the Actions column of the associated route policy.
Unbind a route policy
On the details page of the ECR instance, go to the Route Maps tab and click Disassociate.
To quickly navigate to each resource that a route policy is bound to, go to the details page of the target route policy and click the Associated Resources/Route Tables tab. You can click a resource ID to go directly to its details page.
API
Call the CreateRouteMapAssociation operation to bind a route policy to a network instance. The RouteMapId, ResourceId, and ResourceType parameters are required.
Call the DeleteRouteMapAssociation operation to unbind a route policy from a network instance.
Call the DescribeRouteMapAssociation operation to query the binding relationship of a route policy.
More information
Quotas and limitations
Quotas:
Resource | Default quota | Adjustable |
Number of route policies per user | 100 | No (quota name: routemap_count_can_create_per_user) |
Number of rules per route policy | 100 | Yes (quota name: routemap_count_can_associate_per_Instance) |
Number of instances a route policy can be bound to | 100 | No |
Number of route policies per instance or route table | 100 | Yes (quota name: routemap_max_count_rule) |
Route policy limitations:
You cannot change the direction of a route policy after it is created.
Before deleting a route policy, you must first unbind it from all resources, such as ECR instances.
Rule limitations:
Rules within the same route policy cannot have the same priority.
If a single resource is associated with multiple route policies, all rules within those policies must have unique priorities. If a rule modification causes a priority conflict, the Status of the route policy association for the resource changes to Association Failed.
ECR limitations:
A route policy on an ECR operates at the region level. You must specify the effective regions when you bind the policy.
If the ECR Sitelink or the route advertisement feature is disabled, routes are not propagated. If they are enabled, routes are matched against the route policy.
If an ECR's AllowedPrefixes feature is configured with prefix routes, the specified prefixes are always advertised, overriding any deny actions in the route policy. If this feature is not configured, routes are evaluated against the route policy.
If routes are propagated across regions on an ECR, you must configure and manage route policies for the cross-region connections.
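Two of the limitations above can be checked before binding: duplicate rule priorities across policies on one resource (which lead to Association Failed), and deny rules whose prefixes overlap AllowedPrefixes entries (which are advertised regardless). The Python audit below is an added example, not Alibaba Cloud code; the rule dictionary layout, policy names, and prefixes are constructed and do not reflect the API response format.

```python
import ipaddress
from collections import defaultdict

def priority_conflicts(policies):
    """policies: {policy_name: [rule dicts]}, all bound to ONE resource.
    Returns {priority: [(policy, rule_name), ...]} for priorities used more than once."""
    seen = defaultdict(list)
    for policy, rules in policies.items():
        for rule in rules:
            seen[rule["priority"]].append((policy, rule["name"]))
    return {p: users for p, users in seen.items() if len(users) > 1}

def overridden_denies(policies, allowed_prefixes):
    """Deny rules whose prefixes overlap an AllowedPrefixes entry; those prefixes
    are still advertised, so the deny rule does not isolate them."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    hits = []
    for policy, rules in policies.items():
        for rule in rules:
            if rule["action"] != "deny":
                continue
            for prefix in rule.get("prefixes", []):
                net = ipaddress.ip_network(prefix)
                for a in allowed:
                    if net.version == a.version and net.overlaps(a):
                        hits.append((policy, rule["name"], prefix, str(a)))
    return hits

# Constructed sample: two outbound policies bound to the same ECR instance.
POLICIES = {
    "isolate-private": [
        {"name": "deny-rfc1918", "priority": 10, "action": "deny",
         "prefixes": ["10.0.0.0/8", "172.16.0.0/12"]},
    ],
    "tag-video": [
        {"name": "permit-video", "priority": 10, "action": "permit"},
        {"name": "permit-files", "priority": 20, "action": "permit"},
    ],
}
ALLOWED_PREFIXES = ["10.20.0.0/16"]    # constructed AllowedPrefixes entry
```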