Configure route tables
A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.
Contents
- Route table concepts
- Subnet route tables
- Gateway route tables
- Route priority
- Example routing options
- Change a subnet route table
- Replace the main route table
- Control traffic entering your VPC with a gateway route table
- Disassociate a gateway from a route table
- Replace or restore the target for a local route
- Troubleshoot reachability issues
Route priority
In general, we direct traffic using the most specific route that matches the traffic. This is known as the longest prefix match. If your route table has overlapping or matching routes, additional rules apply.
The following list shows a route priority summary with links to sections below with more detailed information and examples:
Longest prefix (for example, 10.10.2.15/32 has priority over 10.10.2.0/24)
Static routes (like VPC peering and internet gateway connections)
-
Direct Connect BGP routes (dynamic routes)
VPN static routes
VPN BGP routes (dynamic routes) (like virtual private gateways)
Longest prefix match
Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other. We use the most specific route that matches either IPv4 traffic or IPv6 traffic to determine how to route the traffic.
The following example subnet route table has a route for IPv4 internet traffic
(0.0.0.0/0
) that points to an internet gateway, and a route for
172.31.0.0/16
IPv4 traffic that points to a peering connection
(pcx-11223344556677889
). Any traffic from the subnet that's
destined for the 172.31.0.0/16
IP address range uses the peering
connection, because this route is more specific than the route for internet gateway.
Any traffic destined for a target within the VPC (10.0.0.0/16
) is
covered by the local
route, and therefore is routed within the VPC. All
other traffic from the subnet uses the internet gateway.
Destination | Target |
---|---|
10.0.0.0/16 | local |
172.31.0.0/16 | pcx-11223344556677889 |
0.0.0.0/0 | igw-12345678901234567 |
Route priority for static and dynamically propagated routes
If you've attached a virtual private gateway to your VPC and enabled route propagation on your subnet route table, routes representing your Site-to-Site VPN connection automatically appear as propagated routes in your route table.
If the destination of a propagated route is identical to the destination of a static route, the static route takes priority. The following resources use static routes:
-
internet gateway
-
NAT gateway
-
Network interface
-
Instance ID
-
Gateway VPC endpoint
-
Transit gateway
-
VPC peering connection
-
Gateway Load Balancer endpoint
For more information, see Route tables and VPN route priority in the AWS Site-to-Site VPN User Guide.
The following example route table has a static route to an internet gateway and a
propagated route to a virtual private gateway. Both routes have a destination of
172.31.0.0/24
. Because a static route to an internet gateway takes
priority, all traffic destined for 172.31.0.0/24
is routed to the
internet gateway.
Destination | Target | Propagated |
---|---|---|
10.0.0.0/16 | local | No |
172.31.0.0/24 | vgw-11223344556677889 | Yes |
172.31.0.0/24 | igw-12345678901234567 | No |
Route priority for prefix lists
If your route table references a prefix list, the following rules apply:
-
If your route table contains a static route with a destination CIDR block that overlaps a static route with a prefix list, the static route with the CIDR block takes priority.
-
If your route table contains a propagated route that matches a route that references a prefix list, the route that references the prefix list takes priority. Please note that for routes that overlap, more specific routes always take priority irrespective of whether they are propagated routes, static routes, or routes that reference prefix lists.
-
If your route table references multiple prefix lists that have overlapping CIDR blocks to different targets, we randomly choose which route takes priority. Thereafter, the same route always takes priority.
Disassociate a gateway from a route table
You can disassociate an internet gateway or a virtual private gateway from a route table.
To associate a gateway with a route table using the console
-
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
In the navigation pane, choose Route tables, and then select the route table.
-
From the Edge associations tab, choose Edit edge associations.
-
Clear the checkbox for the gateway.
-
Choose Save changes.
To disassociate a gateway from a route table using the command line
-
disassociate-route-table (AWS CLI)
-
Unregister-EC2RouteTable (AWS Tools for Windows PowerShell)