A route table forwards network traffic in a Virtual Private Cloud (VPC). Think of it as a network signpost, where you configure route entries to guide packets from a source, like an ECS instance, to their destination.
Features
Route tables
When you create a VPC, a system route table is automatically created. By default, it is attached to all vSwitches within the VPC to control network traffic.
If different ECS instances within a VPC need to send traffic to the same destination CIDR block along different network paths, you can use a custom route table. Deploying the ECS instances on different vSwitches and attaching a dedicated custom route table to each one provides granular traffic control.
To direct inbound public traffic through a self-managed firewall, you can use a gateway route table. A gateway route table is a custom route table attached to an IPv4/IPv6 gateway. This setup directs inbound traffic to your firewall, enabling unified filtering, auditing, and security policy enforcement.
This table compares these types of route tables.
Item | System route table | Custom route table (vSwitch) | Custom route table (gateway) |
Attached to | vSwitch | vSwitch | IPv4/IPv6 gateway |
Use cases | Attached to all new vSwitches by default to centrally control vSwitch traffic. | Attached to specific vSwitches to control their traffic paths. | Attached to an IPv4/IPv6 gateway to securely redirect inbound public traffic. |
Creation method | Automatically created when you create a VPC. | Manually created. You select the vSwitch type when you create the route table. | Manually created. You select the gateway type when you create the route table. |
Deletion | Cannot be deleted. | Can be deleted once detached from all associated vSwitches. | Can be deleted once detached from the IPv4/IPv6 gateway. |
Quota | One system route table per VPC. | By default, you can create up to 9 custom route tables for vSwitches in a VPC. You can request a quota increase. | You can create only one route table for an IPv4/IPv6 gateway in a VPC. |
You must attach each vSwitch to exactly one route table. However, you can attach a route table to multiple vSwitches.
Route entries
A route entry is a rule in a route table. It defines the next hop, such as a NAT Gateway or an ECS instance, for traffic destined for a specific destination CIDR block.
VPC route entries fall into two types:
1. Static routes: Routes automatically added by the system or manually by you.
2. Dynamic routes: Routes propagated to a VPC from other network instances, such as a Transit Router (TR) or VPN Gateway.
1. Static routes
Static routes, which are automatically added by the system or manually by you, include two types:
System routes: Routes with a Local next hop, automatically added by the system when you create a VPC and a vSwitch. These routes are used for communication between instances within the VPC or for accessing cloud services.
Custom routes: Routes you manually add to customize traffic forwarding paths.
The following figure shows an example where two VPCs are connected through a VPC peering connection. The system route table of VPC1 contains the following static routes:
After you create the VPC and vSwitch, the system automatically adds system routes with Local as the next hop:
Cloud service route: The destination CIDR block is 100.64.0.0/10. This route is used by instances in VPC1 to access cloud services.
vSwitch route: The destination CIDR block is 10.0.0.0/24. This route enables private communication among vSwitches in VPC1.
After you create the VPC peering connection, you must manually add the following custom route:
The destination CIDR block is 172.16.0.0/16 and the next hop is the VPC peering connection. This route forwards traffic destined for VPC2 to the VPC peering connection.
The route entries in the system route table of VPC2 follow the same principles as those in VPC1 and are not detailed here.
Comparison of system and custom routes
Item | System route | Custom route |
Definition | A route with a next hop of Local. | A route that you add manually. |
IPv4 route | The system automatically adds the following routes to all route tables in the VPC: | You can manually add the following routes: |
IPv6 route | If you enable IPv6 for a VPC, the system automatically adds the following route to all route tables in the VPC: | If you enable IPv6 for a VPC, you can add the following routes: |
Next hop modification | | If a custom route is created by modifying the next hop of a system route, the next hop of this custom route can be changed only to Local, an ECS instance, an elastic network interface (ENI), or a Gateway Load Balancer endpoint. |
Creation and deletion | You cannot create or delete system routes. | You can create and delete them. |
2. Dynamic routes
Dynamic routes are routes that are propagated to a VPC from other network instances. Unlike static routes, they do not require manual configuration in the VPC route table. Instead, they are automatically received and updated from a dynamic route source.
2.1 Dynamic route sources
Network instances that automatically propagate routes to a VPC include Transit Router (TR) Enterprise Edition, TR Basic Edition, VPN Gateway, and Express Connect Router (ECR). You can view the source and details of dynamic routes on the tab of the route table details page in the console.
Details for routes received from a TR Enterprise Edition appear on the tab.
2.2 Enable or disable dynamic route reception
By default, all route tables receive dynamic routes. If you require a purely static routing configuration, you can disable dynamic route reception for each route table. This provides the flexibility to plan and manage your route tables as needed.
2.3 Limitations
A VPC route table can receive dynamic routes from only one source at a time.
For example, if you associate a VPC with an Express Connect Router (ECR) and then connect the VPC to a Transit Router (TR) Enterprise Edition, enabling route synchronization for the VPC on the TR will fail. Similarly, if you create a VPN Gateway and enable route propagation, the VPN Gateway automatically propagates the BGP routes that it learns to the VPC's system route table. In this case, you cannot associate the VPC with the ECR.
If a received dynamic route overlaps with an existing route entry in the route table, see Route priority to understand which routing rules apply.
Only route tables attached to vSwitches can receive dynamic routes. Route tables attached to gateways do not support dynamic routes.
By default, a route table can receive a maximum of 200 active dynamic routes from an ECR. If this quota is exceeded, dynamic routes are still received but their status becomes Exceeded and they are not active. After you increase the quota, the new quota takes effect after the next route update from the ECR. The routes that previously exceeded the quota become active in the order they were configured.
Route priority
Routes in a VPC route table are prioritized based on the following rules:
When route entries have overlapping destination CIDR blocks:
IPv4 and IPv6 traffic are routed independently. The system uses the longest prefix match rule to select the most specific route that matches the destination IP address. This route determines the traffic's next hop.
Longest prefix match: When multiple route entries have destination CIDR blocks that match a packet's destination IP address, the system selects the route with the longest subnet mask (the most specific range). For example, traffic destined for 192.168.1.100 matches the 192.168.1.0/24 route instead of the 192.168.0.0/16 route.
When a new route entry overlaps with an existing route entry:
Actions | Existing system route | Existing custom route | Existing dynamic route |
Create a vSwitch | The CIDR block of the vSwitch cannot overlap with that of an existing system route. | The CIDR block of the vSwitch cannot: be identical to the destination CIDR block of an existing custom route; contain the destination CIDR block of an existing custom route. | The CIDR block of the vSwitch cannot: be identical to the destination CIDR block of an existing dynamic route; contain the destination CIDR block of an existing dynamic route. |
Add a custom route | The destination CIDR block of the new custom route cannot: be identical to the CIDR block of an existing system route; be more specific than an existing system route for intra-VPC communication. | The destination CIDR block of a new custom route cannot be identical to that of an existing custom route. If the next hop type is router interface (to VBR), you can configure active/standby or ECMP routes. For more information, see Route to a router interface. | The destination CIDR block of a new custom route cannot be identical to that of an existing dynamic route. If the next hop of a new custom route is a VPN Gateway or a router interface, and an existing dynamic route from CEN has the same destination CIDR block, the dynamic route is withdrawn, and the custom route takes effect. |
Receive a dynamic route | Cannot be identical to the destination CIDR block of an existing system route. If a dynamic route is more specific than an existing system route, the dynamic route does not take effect: if the dynamic route source is an ECR, the route is displayed in the VPC route table with a Candidate status and is not used for forwarding; if the dynamic route source is a VPN Gateway, TR Enterprise Edition, or TR Basic Edition, the route is not propagated to the VPC route table. | A dynamic route does not take effect if its destination CIDR block is identical to that of an existing custom route: if the dynamic route source is an ECR, the route is displayed in the VPC route table with a Candidate status and is not used for forwarding; if the dynamic route source is a VPN Gateway, TR Enterprise Edition, or TR Basic Edition, the route is not propagated to the VPC route table. After the custom route is deleted, the dynamic route automatically takes effect. | Not applicable. A VPC route table supports only a single route propagation source. |
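The longest prefix match rule and the "Add a custom route" checks against existing system and custom routes, written out as an added Python example (not Alibaba Cloud code). The Route class, the next-hop labels and the sample table are constructed for illustration, the 192.168.x.x and ::/0 entries extend the VPC1 example, and dynamic-route cases are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Cloud service system route from this page: a more specific custom route
# under it is allowed, an identical one is not.
CLOUD_SERVICE = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Route:  # illustrative model, not an Alibaba Cloud SDK type
    dest: str      # destination CIDR block
    next_hop: str  # label only, e.g. "Local" or "vpc-peering"
    kind: str      # "system" or "custom"

    @property
    def net(self):
        return ipaddress.ip_network(self.dest)


def lookup(table, dst_ip):
    """Pick the forwarding route for dst_ip by longest prefix match.

    IPv4 and IPv6 are matched independently: a route is a candidate only
    if its address family equals that of the destination. Returns None
    when no route matches.
    """
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in table if r.net.version == ip.version and ip in r.net]
    return max(hits, key=lambda r: r.net.prefixlen, default=None)


def reject_reason(table, dest):
    """Why a new custom route to `dest` would be refused, or None if allowed."""
    new = ipaddress.ip_network(dest)
    for r in table:
        if r.net.version != new.version:
            continue
        if r.net == new:
            return f"identical to existing {r.kind} route {r.dest}"
        # System routes with a Local next hop, other than the cloud service
        # route, carry intra-VPC traffic and may not be overridden.
        intra_vpc = (r.kind == "system" and r.next_hop == "Local"
                     and r.net != CLOUD_SERVICE)
        if intra_vpc and new.subnet_of(r.net):
            return f"more specific than intra-VPC system route {r.dest}"
    return None


# Constructed sample: the three VPC1 routes from the example above, plus
# illustrative 192.168.x.x custom routes and the IPv6 default route.
TABLE = [
    Route("100.64.0.0/10", "Local", "system"),
    Route("10.0.0.0/24", "Local", "system"),
    Route("172.16.0.0/16", "vpc-peering", "custom"),
    Route("192.168.0.0/16", "vpn-gateway", "custom"),
    Route("192.168.1.0/24", "ecs-instance", "custom"),
    Route("::/0", "ipv6-gateway", "system"),
]

if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.2.5", "10.0.0.7", "2001:db8::1", "8.8.8.8"):
        print(ip, "->", lookup(TABLE, ip))
    for cidr in ("10.0.0.128/25", "100.64.1.0/24", "172.16.0.0/16"):
        print(cidr, "->", reject_reason(TABLE, cidr) or "allowed")
```

The lookup of 8.8.8.8 returns no route because the only default route in the sample is the IPv6 one, which is never considered for an IPv4 destination.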
Manage route tables
When you create a VPC, the system automatically creates a system route table. By default, this route table is associated with all vSwitches in the VPC to centrally manage their traffic.
To control traffic for a specific vSwitch in a VPC, create a custom route table for vSwitches and associate it with the target vSwitch.
To control traffic entering your VPC from the internet, create a custom route table for border gateways and associate it with an IPv4 or IPv6 gateway.
Create and delete route tables
You must create a custom route table before you can associate it with a target vSwitch, an IPv4 gateway, or an IPv6 gateway.
Console
Create a route table
Go to the Route Tables page in the VPC console and click Create Route Table.
Select the target VPC, enter a Name, and select the associated resource type:
vSwitch: After you associate this route table with a vSwitch, you can control the traffic paths of specific vSwitches.
Border gateway: After this route table is associated with an IPv4/IPv6 gateway, you can control the path of traffic from the Internet to the VPC.
After you create a custom route table, the system automatically adds the following system routes to it:
Routes to vSwitches: Routes destined for the CIDR blocks of all vSwitches in the VPC. These routes enable instances within the vSwitches to communicate with each other.
Cloud service route: A route with a destination of 100.64.0.0/10 that allows instances in the VPC to access cloud services.
Delete a route table
In the Actions column for the target route table or on its details page, click Delete. Before you delete a route table, ensure that you disassociate it from all resources and delete all of its custom routes.
You can only delete custom route tables. System route tables cannot be deleted.
API
Call CreateRouteTable to create a route table.
Call DeleteRouteTable to delete a custom route table.
Terraform
Resources: alicloud_route_table
variable "name" {
  default = "terraform-example"
}
resource "alicloud_vpc" "defaultVpc" {
  vpc_name = var.name
}
resource "alicloud_route_table" "default" {
  description      = "test-description"
  vpc_id           = alicloud_vpc.defaultVpc.id
  route_table_name = var.name
  associate_type   = "VSwitch"
}
Associate and disassociate a route table
A new custom route table is not associated with any resources by default. You must associate it with a vSwitch or an IPv4 or IPv6 gateway to activate it.
Console
Associate a route table
Go to the Route Tables page in the VPC console. Find the route table that you want to manage and click Associate in the Associated Resource column:
If the associated resource type is vSwitch, click Associate vSwitch. In the dialog box that appears, select the target vSwitch.
When you associate a vSwitch with a custom route table, the system automatically disassociates it from the system route table.
If the associated resource type is Border Gateway, click Associate Border Gateway. In the dialog box that appears, select the target IPv4 Gateway or IPv6 Gateway.
For a tutorial on using route tables that are associated with a border gateway, see Use a gateway route table to control inbound traffic to a VPC.
Disassociate a route table
Go to the details page of the target route table:
If the associated resource type is vSwitch: On the tab, select the vSwitches that you want to disassociate and then click Disassociate. After you disassociate a vSwitch, the system automatically re-associates it with the system route table.
If the associated resource type is Border Gateway: On the tab, find the target IPv4 or IPv6 gateway and click Disassociate in the Actions column.
Before you disassociate a route table, carefully assess the potential impact of route changes on your services to prevent disruptions.
API
Call AssociateRouteTable to associate a route table with a vSwitch.
Call AssociateRouteTableWithGateway to associate a route table with an IPv4 or IPv6 gateway.
Before you disassociate a route table, carefully assess the potential impact of route changes on your services to prevent disruptions.
Call UnassociateRouteTable to disassociate a route table from a vSwitch.
Call DisassociateRouteTableFromGateway to disassociate a route table from an IPv4 or IPv6 gateway.
Terraform
Associate a route table with a vSwitch
Resources: alicloud_route_table_attachment
Data Sources: alicloud_zones
variable "name" {
  default = "terraform-example"
}
resource "alicloud_vpc" "foo" {
  cidr_block = "172.16.0.0/12"
  vpc_name   = var.name
}
data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}
resource "alicloud_vswitch" "foo" {
  vpc_id       = alicloud_vpc.foo.id
  cidr_block   = "172.16.0.0/21"
  zone_id      = data.alicloud_zones.default.zones[0].id
  vswitch_name = var.name
}
resource "alicloud_route_table" "foo" {
  vpc_id           = alicloud_vpc.foo.id
  route_table_name = var.name
  description      = "route_table_attachment"
}
resource "alicloud_route_table_attachment" "foo" {
  vswitch_id     = alicloud_vswitch.foo.id
  route_table_id = alicloud_route_table.foo.id
}
Associate a route table with an IPv4/IPv6 gateway
Resources: alicloud_vpc_gateway_route_table_attachment
resource "alicloud_vpc" "example" {
  cidr_block = "172.16.0.0/12"
  vpc_name   = "terraform-example"
}
resource "alicloud_route_table" "example" {
  vpc_id           = alicloud_vpc.example.id
  route_table_name = "terraform-example"
  description      = "terraform-example"
  associate_type   = "Gateway"
}
resource "alicloud_vpc_ipv4_gateway" "example" {
  ipv4_gateway_name = "terraform-example"
  vpc_id            = alicloud_vpc.example.id
  enabled           = true
}
resource "alicloud_vpc_gateway_route_table_attachment" "example" {
  ipv4_gateway_id = alicloud_vpc_ipv4_gateway.example.id
  route_table_id  = alicloud_route_table.example.id
}
Manage route entries
Add and delete route entries
In a route table associated with a vSwitch, you can add route entries to direct its traffic. These are known as custom route entries.
You cannot add route entries to a route table associated with an IPv4 or IPv6 gateway. However, you can change the next hop of a route entry.
Console
Add a route entry
Go to the details page of the target route table. On the tab, click Add Route Entry.
In the Add Route Entry dialog box, configure the destination CIDR block and next hop type. See Configuration examples for typical scenarios that use different next hop types.
If an error occurs while you add the route entry, ensure that it meets the route priority requirements.
Delete a route entry
In the Actions column for the target route entry, click Delete.
Before you delete a route entry, carefully assess the potential impact on your services to prevent disruptions.
API
Call CreateRouteEntry to add a single route entry, or call CreateRouteEntries to add multiple route entries at once.
Before you delete a route entry, carefully assess the potential impact on your services to prevent disruptions.
Call DeleteRouteEntry to delete a single custom route entry, or call DeleteRouteEntries to delete multiple custom route entries at once.
Terraform
Resources: alicloud_route_entry
resource "alicloud_route_entry" "foo" {
  route_table_id        = "rt-12345xxxx" # Enter the route table ID.
  destination_cidrblock = "172.16.1.1/32"
  nexthop_type          = "Instance"     # Enter the next hop type.
  nexthop_id            = "i-12345xxxx"  # Enter the next hop instance ID.
}
Change the next hop
You can change the next hop of a route entry to redirect traffic for its destination CIDR block.
System route entry: You can change the next hop of a system route entry only when it is in a custom route table (including a gateway route table). This change converts it into a custom route entry. Deleting this custom route entry reverts it to a system route entry.
Custom route entry: You can change the next hop of a custom route entry in both system and custom route tables.
For supported destination CIDR block and next hop types, see Comparison between system and custom route entries.
Before you change the next hop of a route entry, carefully assess the potential impact on your services to prevent disruptions.
Console
In the Actions column for the target route entry, click Edit. In the dialog box that appears, select a new next hop from the Next hop type drop-down list.
See Configuration examples for typical scenarios that use different next hop types.
API
Call ModifyRouteEntry to change the next hop of a route entry in a route table associated with a vSwitch.
Call UpdateGatewayRouteTableEntryAttribute to change the next hop of a route entry in a route table associated with an IPv4 or IPv6 gateway.
Terraform
Resources: alicloud_route_entry
resource "alicloud_route_entry" "foo" {
  route_table_id        = "rt-12345xxxx" # Enter the route table ID.
  destination_cidrblock = "172.16.1.1/32"
  nexthop_type          = "Instance"     # Change the next hop type.
  nexthop_id            = "i-12345xxxx"  # Enter the next hop instance ID.
}
Publish and withdraw static routes
You can propagate routes from a route table to an ECR or a TR. This, combined with dynamic route receiving, simplifies your routing configuration.
Publish static routes to an ECR: When you publish a static route to an ECR, the ECR dynamically propagates it to your on-premises data center. If no route conflicts exist, all on-premises data centers associated with the ECR can learn the route.
Publish static routes to a TR: When a static route is published to a TR, all connected network instances can learn the route, provided there are no route conflicts and route synchronization is enabled for the TR.
If your VPC is connected to both an ECR and a TR, publishing routes to the ECR and publishing routes to the TR are independent actions that do not affect each other.
Console
Publish a static route
In the VPC Route Publishing Status column of the target route entry, click Publish.
The VPC Route Publishing Status column appears only after the VPC is connected to a TR or an ECR.
Withdraw a static route
In the VPC Route Publishing Status column of the target route entry, click Withdraw.
The VPC Route Publishing Status column appears only after the VPC is connected to a TR or an ECR.
API
For ECR:
Call PublishVpcRouteEntries to publish static routes to an ECR.
Call WithdrawVpcPublishedRouteEntries to withdraw routes that are published to an ECR.
For TR:
Call PublishRouteEntries to publish static routes to a TR.
Call WithdrawPublishedRouteEntries to withdraw routes that are published to a TR.
Enable or disable dynamic route receiving
By default, all route tables receive dynamic route entries. If you want to use a static-only routing configuration, you can disable dynamic route receiving for each route table. This provides the flexibility to plan and manage your route configurations as needed.
You can disable this feature in the following cases: The dynamic route entry source is Route Propagation-Type ECR, or no dynamic routes are propagated to the VPC. If no dynamic routes are propagated, the Source of Dynamic Route Entry field is not displayed on the Route Entry List > Dynamic Route Entries tab of the route table details page.
You cannot disable dynamic route receiving in the following scenarios:
The VPC is connected to a Basic Edition TR.
The VPC is connected to an Enterprise Edition TR and route synchronization is enabled for the VPC on the TR.
The VPC is associated with a VPN Gateway and automatic route propagation is enabled for the VPN Gateway.
Impacts of disabling the feature:
The VPC route table stops receiving routes propagated from other network instances. All existing dynamic route entries in the route table are deleted. Proceed with caution.
You cannot connect the VPC to a Basic Edition TR. A TR connected to this VPC cannot have route synchronization enabled for the VPC. A VPN Gateway associated with this VPC cannot have automatic route propagation enabled.
Impacts of re-enabling the feature:
After you re-enable the feature, the VPC route table is updated with the routes currently propagated from the dynamic route source.
For example, assume an ECR has four dynamic route entries. If you disable this feature, the dynamic route entries are cleared from the VPC route table. If two more route entries are added to the ECR and you then re-enable the feature, the VPC route table receives six dynamic route entries from the ECR.
Console
Go to the Basic Information page of the target route table. Use the Accept Propagated Routes switch to enable or disable dynamic route receiving.
Before you enable or disable dynamic route receiving, carefully assess the potential impact of route changes on your services to prevent disruptions.
API
Call ModifyRouteTableAttributes and set the RoutePropagationEnable parameter to enable or disable dynamic route receiving.
Before you enable or disable dynamic route receiving, carefully assess the potential impact of route changes on your services to prevent disruptions.
Terraform
Before you enable or disable dynamic route receiving, carefully assess the potential impact of route changes on your services to prevent disruptions.
Resources: alicloud_route_table
variable "name" {
  default = "terraform-example"
}
resource "alicloud_vpc" "defaultVpc" {
  vpc_name = var.name
}
resource "alicloud_route_table" "default" {
  description              = "test-description"
  vpc_id                   = alicloud_vpc.defaultVpc.id
  route_table_name         = var.name
  associate_type           = "VSwitch"
  route_propagation_enable = true # Set this parameter to true to enable or false to disable dynamic route receiving.
}
Use a gateway route table
A gateway route table directs inbound internet traffic to security devices for deep inspection and filtering to prevent malicious attacks and unauthorized access. You can also combine it with a custom route table to redirect outbound traffic to security devices and secure traffic in both directions.
To use this feature, create a route table, attach it to an IPv4 gateway, and then change the next hop of the system route for the vSwitch's CIDR block to one of the following:
ECS instance/elastic network interface: Redirects inbound internet traffic to a specific ECS instance or elastic network interface for security inspection.
Gateway Load Balancer endpoint: Redirects inbound internet traffic to third-party security devices in Gateway Load Balancer (GWLB) deployments.
Only these regions support changing the next hop to a Gateway Load Balancer endpoint.
Use a self-managed firewall
You can deploy a self-managed firewall on an ECS instance in your VPC and use a gateway route table to redirect traffic entering the VPC to the firewall for filtering.
GWLB high-availability architecture
You can use a Gateway Load Balancer (GWLB) to distribute traffic across multiple security devices to enhance application security and availability.
Configuration examples
The type of next hop that you select for a route determines the scenario:
Route to an IPv4 gateway
You can use an IPv4 gateway as a unified ingress and egress point for internet traffic to and from your VPC. Combining an IPv4 gateway with a custom route table enables centralized traffic control, unified security policies, and auditing, which reduces the security risks of decentralized access.
Route to an IPv6 gateway
After you enable IPv6 for a VPC, the system automatically adds the following route to the system route table:
The destination CIDR block is ::/0, and the next hop is the IPv6 gateway.
This route directs default IPv6 traffic to the IPv6 gateway. After you enable internet bandwidth for an IPv6 address, vSwitches associated with the system route table can communicate with the internet.
For an IPv6-enabled vSwitch that is associated with a custom route table, you must manually add the preceding route to the custom route table to enable IPv6 internet access.
For a custom route with an IPv6 gateway instance as its next hop, the destination CIDR block can be set only to ::/0.
Route to a NAT Gateway
If many servers in your VPC need to access the internet and consume a large number of public IP addresses, you can use the SNAT feature of an Internet NAT gateway. SNAT allows multiple ECS instances to share Elastic IP Addresses (EIPs) for internet access. This conserves public IP resources and enhances security by preventing the private IP addresses of the ECS instances from being exposed.
When you use a NAT Gateway, you must add a custom route that points to the Internet NAT gateway to the VPC route table to enable internet access.
If the vSwitch to which the ECS instance belongs is associated with a custom route table, you must manually add a route where the destination CIDR block is 0.0.0.0/0 and the next hop is the Internet NAT gateway.
If the vSwitch to which the ECS instance belongs is associated with the system route table:
If no route with the destination CIDR block 0.0.0.0/0 exists in the system route table, the system automatically adds a route that points to the Internet NAT gateway.
If a route with the destination CIDR block 0.0.0.0/0 already exists in the system route table, you must replace the existing route with a new one that points to the Internet NAT gateway.
Route to a VPC peering connection
VPCs are isolated from each other by default. You can use a VPC peering connection to enable private communication between two VPCs, even if they belong to different accounts or are in different regions. Once a peering connection is established, cloud resources in the VPCs can access each other by using private IPv4 or IPv6 addresses.
Route to a transit router
When you use Cloud Enterprise Network (CEN) to connect VPCs, you must add routes that point to the transit router to the VPC route tables. You can add the routes in one of the following ways:
When you create a VPC connection, select Automatically add routes to all of the VPC's route tables to point to the transit router.
After you enable this feature, the system automatically adds three routes with the destination CIDR blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to all route tables of the VPC. The next hop for these routes is the VPC connection. These routes direct IPv4 traffic from the VPC to the transit router.
After you enable route learning in the transit router, you can either enable route propagation for each VPC or manually add a route to the peer VPC in each VPC route table.
The following figure shows an example where route learning is enabled in the transit router and a route is manually added to the VPC route table. For this route, the destination CIDR block is the CIDR block of the peer VPC, and the next hop is the transit router.
Route to a VPN Gateway
You can use a VPN Gateway to establish an encrypted tunnel, creating a secure and reliable network connection between your on-premises data center and your VPC.
To use a VPN Gateway, add a route to the VPC route table with the destination CIDR block set to your on-premises data center's CIDR block and the next hop set to the VPN Gateway. This allows the VPC to access the on-premises data center over an IPsec-VPN connection.
Route to an ECS instance or ENI
To inspect, analyze, and protect traffic between two vSwitches in a VPC, you can insert a third-party security device, such as a firewall or a Web Application Firewall (WAF), into the traffic path by adjusting the route tables.
To do so, associate each of the two vSwitches with a separate custom route table and change the next hop of the system routes for the corresponding CIDR blocks to the firewall's ECS instance or its elastic network interface (ENI).
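A check for the two redirection setups described on this page, the gateway route table in front of a self-managed firewall and the firewall inserted between two vSwitches: it reports every protected vSwitch CIDR block that some route table still forwards without handing it to the firewall, which also catches a redirect configured in one direction only. This is an added example, not Alibaba Cloud code; the table layout, vSwitch names, CIDR blocks and the eni-fw-example ID are constructed.

```python
import ipaddress

FIREWALL = "eni-fw-example"  # constructed placeholder for the firewall's ENI


def covering_route(routes, cidr):
    """Longest-prefix (network, next_hop) entry that covers all of `cidr`."""
    target = ipaddress.ip_network(cidr)
    hits = []
    for dest, hop in routes:
        net = ipaddress.ip_network(dest)
        if net.version == target.version and target.subnet_of(net):
            hits.append((net, hop))
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def uninspected_paths(tables, protected, firewall=FIREWALL):
    """List (source, destination vSwitch, CIDR, next hop) tuples whose
    traffic would not be handed to the firewall.

    tables:    {attachment name: [(destination CIDR, next hop), ...]},
               keyed by the vSwitch or gateway the route table is attached to
    protected: {vSwitch name: CIDR} for the vSwitches behind the firewall
    """
    findings = []
    for source, routes in tables.items():
        for name, cidr in protected.items():
            if name == source:
                continue  # traffic within one vSwitch is out of scope here
            hit = covering_route(routes, cidr)
            hop = hit[1] if hit else None
            if hop != firewall:
                findings.append((source, name, cidr, hop))
    return findings


# Constructed sample data.
PROTECTED = {"vsw-a": "10.0.1.0/24", "vsw-b": "10.0.2.0/24"}

# Every path redirected: each vSwitch table sends the other vSwitch's CIDR
# to the firewall, and the gateway table sends both CIDRs to it.
REDIRECTED = {
    "vsw-a": [("10.0.1.0/24", "Local"), ("10.0.2.0/24", FIREWALL),
              ("100.64.0.0/10", "Local")],
    "vsw-b": [("10.0.1.0/24", FIREWALL), ("10.0.2.0/24", "Local"),
              ("100.64.0.0/10", "Local")],
    "ipv4-gateway": [("10.0.1.0/24", FIREWALL), ("10.0.2.0/24", FIREWALL)],
}

# Same layout with two system routes left at their Local next hop: the
# return path from vsw-b to vsw-a, and inbound traffic to vsw-b.
PARTIAL = {
    "vsw-a": REDIRECTED["vsw-a"],
    "vsw-b": [("10.0.1.0/24", "Local"), ("10.0.2.0/24", "Local"),
              ("100.64.0.0/10", "Local")],
    "ipv4-gateway": [("10.0.1.0/24", FIREWALL), ("10.0.2.0/24", "Local")],
}

if __name__ == "__main__":
    for label, tables in (("redirected", REDIRECTED), ("partial", PARTIAL)):
        print(label, uninspected_paths(tables, PROTECTED))
```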
Route to a router interface
You can use the Express Connect VBR-to-VPC connection feature to connect an on-premises data center to your cloud network.
The VBR-to-VPC connection feature is not enabled by default. To use this feature, contact your account manager.
When you use this feature, you must configure a route for the VPC with the destination CIDR block set to the CIDR block of the on-premises data center and the next hop type set to router interface (to VBR). This allows the VPC to access the on-premises data center through a Virtual Border Router (VBR). This next hop type supports equal-cost multi-path (ECMP) and active/standby mode, which requires health checks.
Active/standby mode: You can specify only two instances as next hops. The active next hop has a weight of 100, and the standby next hop has a weight of 0. If the health check on the active route fails, the standby route takes over.
Equal-cost multi-path (ECMP): You can select 2 to 16 instances as next hops. The weights of the instances must be the same. Valid weights are integers from 0 to 255. The system evenly distributes traffic among the next hop instances.
The following figure shows an active/standby deployment.
Route to an Express Connect Router
You can use an Express Connect Router (ECR) to connect an on-premises data center to your cloud network.
By default, a VPC accepts dynamic routes from the ECR. The destination CIDR block of these routes is the CIDR block of the on-premises data center, and their next hop is the ECR. These routes enable communication between the VPC and the on-premises data center.
If dynamic route advertisement is disabled for the VPC route table, you must manually add a route to the table with the destination CIDR block set to the CIDR block of the on-premises data center and the next hop set to the Express Connect Router. This enables communication between the VPC and the on-premises data center.
Route to a Gateway Load Balancer endpoint
Gateway Load Balancer endpoints are supported only in these regions. For specific use cases, see Use a gateway route table - GWLB high-availability architecture.
More information
Supported regions
System route tables are supported in all regions. The following tables list the regions that support custom route tables.
Public cloud regions
Area | Regions |
Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Zhongwei), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region, Closing Down) |
Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and Malaysia (Johor Bahru) |
Europe and Americas | Germany (Frankfurt), UK (London), France (Paris), US (Silicon Valley), US (Virginia), and Mexico |
Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region) |
Alibaba Finance Cloud regions
Area | Regions |
Asia Pacific | China South 1 Finance Cloud, China East 2 Finance Cloud, and China North 2 Finance Cloud (Invitation-only Beta) |
Alibaba Gov Cloud regions
Area | Regions |
Asia Pacific | China North 2 Alibaba Cloud for Government 1 |
Quotas
Quota name | Description | Default limit | Adjustable |
vpc_quota_route_tables_num | Custom route tables per VPC. | 9 | Yes. Go to the Quota Management page or Quota Center to request a quota increase. |
vpc_quota_route_entrys_num | Custom route entries per route table (excluding dynamically propagated route entries). | 200 | |
vpc_quota_dynamic_route_entrys_num | Dynamically propagated routes per table. | 500 | |
vpc_quota_havip_custom_route_entry | Maximum custom routes pointing to HaVip. | 5 | |
vpc_quota_vpn_custom_route_entry | Maximum custom routes pointing to VPN gateway. | 50 | |
None | Tags per route table. | 20 | No. |
None | vRouters per VPC. | 1 | |
None | Routes pointing to TR connection. | 600 | |
Usage notes
Route tables
You must associate each vSwitch with exactly one route table. A route table can be associated with multiple vSwitches.
You can delete only custom route tables. You cannot delete system route tables.
Route entries
Static route entries:
You cannot create or delete system route entries.
You can create a custom route with a destination CIDR block that is more specific than the 100.64.0.0/10 system route for cloud services, but the destination CIDR block cannot be identical to 100.64.0.0/10. Configure more specific routes with caution. An incorrect configuration may make some cloud services inaccessible.
For a custom route entry whose next hop is an IPv6 gateway, you can set the destination CIDR block only to ::/0.
The VPC Route Advertisement Status column appears for a route entry in the console only after you connect the VPC to a Transit Router (TR) or an Express Connect Router (ECR).
If the destination CIDR block of a new route entry overlaps with that of an existing route entry, you may not be able to add the new route entry in some cases. For more information, see Route priorities.
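The static-route rules above, together with the active/standby and ECMP weight rules, can be checked before a route change is applied. The lint below is an added example, not Alibaba Cloud code; the `Route` record, the mode names and the `next_hop_type` strings are hypothetical, and the sample entries are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

CLOUD_SERVICE_NET = ipaddress.ip_network("100.64.0.0/10")  # system route for cloud services
IPV6_DEFAULT = ipaddress.ip_network("::/0")
MAX_CUSTOM_ENTRIES = 200  # default vpc_quota_route_entrys_num

@dataclass
class Route:  # hypothetical record, not an Alibaba Cloud API type
    dest: str
    next_hop_type: str    # hypothetical labels, e.g. "Instance", "IPv6Gateway"
    mode: str = "single"  # hypothetical: "single", "active_standby" or "ecmp"
    weights: list = field(default_factory=list)

def lint_route(r):
    """Return (errors, warnings) for one proposed custom route entry."""
    errors, warnings = [], []
    try:
        net = ipaddress.ip_network(r.dest, strict=True)
    except ValueError as exc:
        return [f"invalid destination CIDR {r.dest!r}: {exc}"], warnings
    if net == CLOUD_SERVICE_NET:
        errors.append("destination cannot be identical to 100.64.0.0/10")
    elif net.version == 4 and net.subnet_of(CLOUD_SERVICE_NET):
        warnings.append(f"{net} overrides part of the cloud-service route 100.64.0.0/10")
    if r.next_hop_type == "IPv6Gateway" and net != IPV6_DEFAULT:
        errors.append("an IPv6 gateway next hop only accepts destination ::/0")
    w = r.weights
    if any(type(x) is not int or not 0 <= x <= 255 for x in w):
        errors.append("weights must be integers from 0 to 255")
    elif r.mode == "active_standby" and sorted(w) != [0, 100]:
        errors.append("active/standby needs exactly two next hops weighted 100 and 0")
    elif r.mode == "ecmp" and not (2 <= len(w) <= 16 and len(set(w)) == 1):
        errors.append("ECMP needs 2 to 16 next hops with identical weights")
    return errors, warnings

def lint_table(routes):
    """Lint every entry and report whether the default per-table quota holds."""
    report = [(r.dest, *lint_route(r)) for r in routes]
    return report, len(routes) <= MAX_CUSTOM_ENTRIES

# Constructed sample entries, not taken from a real route table.
SAMPLE = [
    Route("100.100.0.0/16", "Instance"),
    Route("2001:db8::/32", "IPv6Gateway"),
    Route("10.20.0.0/16", "Instance", "active_standby", [100, 50]),
]

if __name__ == "__main__":
    for dest, errs, warns in lint_table(SAMPLE)[0]:
        print(dest, "errors:", errs, "warnings:", warns)
```

Treat warnings on prefixes inside 100.64.0.0/10 as items for manual review, since the page notes that a wrong entry there can make some cloud services inaccessible.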
Static route publishing:
You cannot publish route entries from a custom route table of a VPC to an ECR.
You cannot publish route entries to an ECR if their destination CIDR block is a prefix list.
ECMP routes and active/standby routes whose next hop is a router interface (to a VBR) cannot be published to an ECR. After a VPC route is published to an ECR, you can no longer configure ECMP routes or active/standby routes for it.
After a VPC route is published to an ECR, if you want to modify the published route, you can set its next hop only to a route type that supports the publish operation (see the following table).
The following table lists the default publishing status for various types of route entries in a VPC and indicates whether they support publish and withdraw operations in an ECR.
Dynamic route entries:
A VPC route table can receive dynamic routes from only one source at a time.
For example, if you associate a VPC with an Express Connect Router (ECR) and then connect the VPC to a Transit Router (TR) Enterprise Edition, enabling route synchronization for the VPC on the TR will fail. Similarly, if you create a VPN Gateway and enable route propagation, the VPN Gateway automatically propagates the BGP routes that it learns to the VPC's system route table. In this case, you cannot associate the VPC with the ECR.
If a received dynamic route overlaps with an existing route entry in the route table, see Route priority to understand which routing rules apply.
Only route tables attached to vSwitches can receive dynamic routes. Route tables attached to gateways do not support dynamic routes.
By default, a route table can receive a maximum of 200 active dynamic routes from an ECR. If this quota is exceeded, dynamic routes are still received but their status becomes Exceeded and they are not active. After you increase the quota, the new quota takes effect after the next route update from the ECR. The routes that previously exceeded the quota become active in the order they were configured.
Billing
The VPC route table feature is free of charge.