Shadowed dynamic route insights

This page describes the Network Analyzer insights for shadowed dynamic routes. For information about all the insight types, see Insight groups and types.

The shadowed dynamic route insight type detects dynamic routes that are shadowed by subnet routes or static routes. The dynamic route being shadowed can be a route learned from a Cloud Router in the local Virtual Private Cloud (VPC) network, or it can be a dynamic route imported as a custom route from a peering VPC network.

In the Insight Summary table, the resource name of the insight is the next hop of the dynamic route where the dynamic route can be learned from either of the following:

  • A Cloud Router in the local VPC network
  • The VPC network where the dynamic route is configured when the dynamic route is imported from a peering network

The Insight details page for all insights in this category includes the following information:

  • Network name: The VPC network where the dynamic route is configured.
  • Next hop: The next hop of the dynamic route. It could be a VPN tunnel, VLAN attachment, or router appliance. This field is applicable if the dynamic route being shadowed is learned from a Cloud Router in the local VPC network.
  • Router name: The router where the route was received. This field is applicable if the dynamic route being shadowed is learned from a Cloud Router in the local VPC network.
  • Peering network name: The peering VPC network where the dynamic route originates. This field is applicable if the dynamic route being shadowed is imported from a peering network.
  • Region: The region of the dynamic route.
  • Destination IP address range: The destination IP address range of the dynamic route.
  • Route priority: The priority of the dynamic route.
  • Shadowed by: The subnet route that shadows the dynamic route.

View insights in the Recommender API

To view these insights in the gcloud CLI or the Recommender API, use the following insight type:

  • google.networkanalyzer.hybridconnectivity.dynamicRouteInsight

You need the following permissions:

  • recommender.networkAnalyzerDynamicRouteInsights.list
  • recommender.networkAnalyzerDynamicRouteInsights.get

For more information about using the Recommender API for Network Analyzer insights, see Use the Recommender CLI and API.

Fully shadowed by subnet route

This insight shows that the entire destination IP address range of a dynamic route overlaps with a subnet route. Because the subnet route takes highest precedence in route ordering resolution, the dynamic route is shadowed. The dynamic route being shadowed can be learned from a Cloud Router in the local VPC network, or it can be a dynamic route imported from a peering network. The subnet route that shadows the dynamic route is generated by a subnet in the local VPC network. As a result, the dynamic route is not effective, and the packet matching the destination IP address range is sent to the subnet inside the VPC.

For more information about how Google Cloud selects routes for a packet, see Route Order.

Recommendations

To make the dynamic route effective, you need to modify the subnet IP address range to make the subnet range and dynamic route destination range disjoint.

To find the subnet from which the route originates, click the link in the Shadowed by field and find the destination IP address range of the subnet route. Click the Network name field to go to VPC network details, and find the subnet that has the matching IP address range.

For more information about modifying subnet ranges, see Subnet rules.

Fully shadowed by peering subnet route

This insight shows that the whole destination IP address range of a dynamic route is completely shadowed by a peering subnet route. The peering subnet route originates from a subnet in a peering network. As a result, the dynamic route is not effective, and the packet matching the destination IP address range is sent to the subnet in the peering network.

For more information, see Select the route order.

Recommendations

Verify whether this configuration is as intended. If not, modify the subnet IP range in the peering network to make the subnet range and dynamic route destination range disjoint.

To find the subnet that originates the peering subnet route, click the route URI in the Shadowed by field, and then use the name of the next hop to find the network peering. In the console of VPC network peering, find the peered network name and the peered project ID. Go to the VPC network details console of the peered network, and find the subnet with the matching IP address range.

Fully shadowed by static route

This insight shows that the whole destination IP address range of a dynamic route is completely shadowed by a static route configured in the local VPC network. As a result, the dynamic route is not effective, and the packet matching the destination IP address range is sent to the next hop of the static route.

For more information about route precedence, see Select the route order.

Recommendations

Verify whether this configuration is as intended. If not, you need to delete the shadowing static route to make the dynamic route effective.

To find the shadowing static route, click the route URI in the Shadowed by field, and you are redirected to the Route details page of the static route.

Fully shadowed by peering static route

This insight shows that the whole destination IP address range of a dynamic route is completely shadowed by a peering static route. The peering static route is imported from a static route in a peering network. As a result, the dynamic route is not effective, and the packet matching the destination IP address range will be sent to the peering network.

For more information about route precedence, see Select the route order.

Recommendations

Verify whether this configuration is as intended. If not, delete the static route in the peering network to make the dynamic route effective.

To find the static route in the peering network that generates the shadowing peering static route, click the network URI in the Peering network name field to go to the VPC network details page. In the Routes tab, find the static route with the matching IP address range.

Partially shadowed by subnet route

This insight shows that part of the destination IP address range of a dynamic route is shadowed by a subnet route. As a result, the packet matched by both the dynamic route destination range and the subnet range is sent to the subnet.

For more information about route precedence, see Select the route order.

Recommendations

Verify whether this configuration is as intended. If not, modify the subnet IP address range to make the subnet range and dynamic route destination range disjoint. See the recommendations for the Fully shadowed by subnet route insight type on how to modify the subnet IP address range.
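
A pre-change check that mirrors the fully shadowed and partially shadowed by subnet route cases described above, as an added example (not Google Cloud code, and not how Network Analyzer computes its insights). The function name, verdict strings, and sample CIDR ranges are constructed for illustration; the check models shadowing purely as CIDR containment and also lists the parts of a partially shadowed range that still follow the dynamic route.

```python
import ipaddress

def classify_subnet_shadowing(dynamic_dest, subnet_ranges):
    """Return (verdict, shadowing_subnets, effective_ranges) for one dynamic route.

    effective_ranges lists the parts of dynamic_dest that no subnet range
    covers, i.e. the destinations that still follow the dynamic route.
    """
    dyn = ipaddress.ip_network(dynamic_dest)
    subnets = [ipaddress.ip_network(s) for s in subnet_ranges]
    subnets = [s for s in subnets if s.version == dyn.version]

    # Full shadowing: the entire dynamic range lies inside one subnet range.
    covering = [s for s in subnets if dyn.subnet_of(s)]
    if covering:
        return "FULLY_SHADOWED", [str(s) for s in covering], []

    # Partial shadowing: a subnet range lies inside the dynamic range.
    inside = [s for s in subnets if s.subnet_of(dyn)]
    if not inside:
        return "NOT_SHADOWED", [], [str(dyn)]

    effective = [dyn]
    for s in inside:
        remaining = []
        for block in effective:
            if block.subnet_of(s):
                continue  # block is entirely claimed by this subnet
            if s.subnet_of(block):
                remaining.extend(block.address_exclude(s))  # carve s out
            else:
                remaining.append(block)
        effective = remaining
    # Several subnets can jointly cover the range; effective is then empty.
    return ("PARTIALLY_SHADOWED", [str(s) for s in inside],
            [str(b) for b in sorted(effective)])

if __name__ == "__main__":
    # Constructed sample data: planned subnet ranges and learned BGP prefixes.
    planned_subnets = ["10.20.0.0/16", "10.10.1.0/24"]
    for prefix in ["10.20.5.0/24", "10.10.0.0/23", "172.16.0.0/12"]:
        print(prefix, classify_subnet_shadowing(prefix, planned_subnets))
```

Running it against the subnet ranges of a planned change shows, before the change is applied, which learned prefixes would stop being effective and which destination blocks would still reach the hybrid next hop.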

Partially shadowed by peering subnet route

This insight shows that part of the destination IP address range of a dynamic route is shadowed by a peering subnet route. The peering subnet route originates from a subnet in a peering network. As a result, the packet matched by both the dynamic route destination range and the peering subnet route range is sent to the subnet in the peering network.

For more information about route precedence, see Select the route order.

Recommendations

Verify whether this configuration is as intended. If not, modify the subnet IP range in the peering network to make the subnet range and dynamic route destination range disjoint.

See the recommendations for the Fully shadowed by peering subnet route insight on how to modify the subnet IP address range in the peering network.

Partially shadowed by static route

This insight shows that a part of the destination IP address range of a dynamic route is shadowed by a static route configured in the local VPC network.

As a result, a packet matched by both the dynamic route destination range and the static route destination range is sent to the next hop of the static route.

For more information about route precedence, see Select the route order.

Recommendations

Verify whether this configuration is as intended. If not, delete the shadowing static route to make the whole destination range of the dynamic route effective.

To find the shadowing static route, click the route URI in the Shadowed by field, and you are redirected to the Route details page of the static route.

Partially shadowed by peering static route

This insight shows that part of the destination IP address range of a dynamic route is shadowed by a peering static route. The peering static route is imported from a static route in a peering network. As a result, a packet matching the destination IP address range of both the dynamic route and the peering static route is sent to the peering network.

For more information about route precedence, see Select the route order.

Recommendations

Verify whether this configuration is as intended. If not, delete the static route in the peering network to make the whole destination range of the dynamic route effective.

See the recommendations for the Fully shadowed by peering static route insight on how to find the shadowing static route in the peering network.