Policy-based routes
This document provides an overview of policy-based routes.
Policy-based routes let you select a next hop based on more than a packet's destination IP address. You can match traffic by protocol and source IP address as well. Matching traffic is redirected to an internal TCP/UDP load balancer. This can help you insert appliances such as firewalls into the path of network traffic.
Specifications
- When you create a policy-based route, you select which resources can have their traffic processed by the route. The route can apply to the following:
  - Select VM instances in the VPC network
  - All traffic entering the VPC network by way of VLAN attachments that you identify
- The next hop of a policy-based route must be a valid internal TCP/UDP load balancer that is in the same VPC network as the policy-based route.
- Internal TCP/UDP load balancers use symmetric hashing by default, so traffic can reach the same appliance on the outgoing and return paths without configuring source NAT.
- Policy-based routes have higher priority than all other route types except special return paths. Special return path routes are not affected by policy-based routes; where both apply, the special return path route takes precedence.
- If two policy-based routes have the same priority, Google Cloud uses a deterministic, internal algorithm to select a single policy-based route, ignoring other routes with the same priority. Policy-based routes do not use longest-prefix matching and only select the highest priority route.
- You can create a single rule for one-way traffic or multiple rules to handle bidirectional traffic.
- To use policy-based routes with Cloud Interconnect, the route must be applied to all Cloud Interconnect connections in an entire region. Policy-based routes cannot be applied to an individual Cloud Interconnect connection only.
- The VM instances that receive traffic from a policy-based route must have IP forwarding enabled.
Limitations
- Policy-based routes do not support matching traffic based on port.
- Policy-based routes are not exchanged through VPC Network Peering.
- It is not possible to update a policy-based route after it is created. If you want to update a route, delete the route and create a new one.
- Policy-based routes support only IPv4 traffic and do not support IPv6.
- The internal TCP/UDP load balancer forwarding rule must have a dedicated IP address. Using a shared IP address (IP address purpose set to SHARED_LOADBALANCER_VIP) is not supported.
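The selection rules in the Specifications section (highest priority wins, no longest-prefix matching, ties resolved by an internal algorithm, scoping by VM or by Interconnect region) and the Limitations above (IPv4 only, no port matching, next hop must be an internal TCP/UDP load balancer) are easy to get wrong when a route set is meant to force traffic through a firewall appliance. The following is an added example, not code from Google Cloud or its documentation: a small Python model of those rules that a reviewer can run as a pre-flight check on a proposed route set before creating it. All route names, addresses, tags and the region name are constructed for the example; the `PolicyRoute` and `Flow` classes and the `ALL`/`TCP`/`UDP` protocol spellings are assumptions of the model, not the API's own types.

```python
"""Added example (not Google Cloud code): a model of the policy-based route
rules stated on the page, for pre-flight review of a proposed route set."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    priority: int                      # lower number = higher priority
    src: str                           # source IPv4 range to match
    dst: str                           # destination IPv4 range to match
    next_hop_ilb: str                  # IP of the internal TCP/UDP load balancer forwarding rule
    protocol: str = "ALL"              # ALL, TCP or UDP (assumed spelling)
    vm_tags: frozenset = frozenset()   # non-empty: applies only to VMs carrying one of these tags
    interconnect_region: str = ""      # non-empty: applies to all VLAN attachments in this region
    port: Optional[int] = None         # kept only to show that validate() rejects it


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str                      # TCP or UDP
    vm_tags: frozenset = frozenset()   # tags of the sending VM, when the source is a VM
    interconnect_region: str = ""      # region of the VLAN attachment, when entering via Interconnect


def validate(route: PolicyRoute) -> List[str]:
    """Return the page's stated limitations that the route violates (empty list = OK)."""
    problems = []
    for label, cidr in (("source", route.src), ("destination", route.dst)):
        if ipaddress.ip_network(cidr, strict=False).version != 4:
            problems.append(f"{route.name}: {label} range {cidr} is IPv6; only IPv4 is supported")
    if route.port is not None:
        problems.append(f"{route.name}: matching on port is not supported")
    if route.protocol not in ("ALL", "TCP", "UDP"):
        problems.append(f"{route.name}: unsupported protocol {route.protocol!r}")
    if not route.next_hop_ilb:
        problems.append(f"{route.name}: next hop must be an internal TCP/UDP load balancer")
    return problems


def matches(route: PolicyRoute, flow: Flow) -> bool:
    """True when the route's scope, protocol and both address ranges match the flow."""
    if route.vm_tags and not (route.vm_tags & flow.vm_tags):
        return False
    if route.interconnect_region and route.interconnect_region != flow.interconnect_region:
        return False
    if route.protocol != "ALL" and route.protocol != flow.protocol:
        return False
    src_ok = ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(route.src, strict=False)
    dst_ok = ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(route.dst, strict=False)
    return src_ok and dst_ok


def select_routes(routes: List[PolicyRoute], flow: Flow) -> List[PolicyRoute]:
    """Matching routes at the best priority. There is no longest-prefix tiebreak,
    so a broad range with a better priority beats a narrower one. More than one
    result means Google Cloud would pick one by its internal algorithm; treat that
    as a misconfiguration and give the routes distinct priorities."""
    candidates = [r for r in routes if matches(r, flow)]
    if not candidates:
        return []
    best = min(r.priority for r in candidates)
    return [r for r in candidates if r.priority == best]


def no_longest_prefix_demo() -> List[str]:
    """Priority, not prefix length, decides: the 0.0.0.0/0 route at priority 50 wins."""
    broad = PolicyRoute("broad", 50, "10.0.0.0/8", "0.0.0.0/0", "10.0.100.10")
    narrow = PolicyRoute("narrow", 100, "10.0.0.0/8", "10.0.2.0/24", "10.0.100.10")
    return [r.name for r in select_routes([broad, narrow], Flow("10.0.1.5", "10.0.2.9", "TCP"))]


# Constructed sample: a bidirectional pair steering web-tier <-> db-tier TCP traffic
# through a firewall appliance behind an internal TCP/UDP load balancer at 10.0.100.10,
# a low-priority catch-all for VM traffic, and a route for traffic arriving over
# Cloud Interconnect in one region (the page requires region-wide application).
ROUTES = [
    PolicyRoute("web-to-db", 100, "10.0.1.0/24", "10.0.2.0/24", "10.0.100.10",
                protocol="TCP", vm_tags=frozenset({"web"})),
    PolicyRoute("db-to-web", 100, "10.0.2.0/24", "10.0.1.0/24", "10.0.100.10",
                protocol="TCP", vm_tags=frozenset({"db"})),
    PolicyRoute("catch-all-from-vm", 500, "10.0.0.0/8", "0.0.0.0/0", "10.0.100.10"),
    PolicyRoute("onprem-inbound", 200, "192.168.0.0/16", "10.0.0.0/8", "10.0.100.10",
                interconnect_region="us-central1"),
]
# Deliberately invalid route: IPv6 source, port match, and no load balancer next hop.
BAD_ROUTE = PolicyRoute("bad", 300, "2001:db8::/32", "10.0.0.0/8", "", port=443)

if __name__ == "__main__":
    web_flow = Flow("10.0.1.5", "10.0.2.9", "TCP", vm_tags=frozenset({"web"}))
    print("web->db:", [r.name for r in select_routes(ROUTES, web_flow)])
    print("prefix demo:", no_longest_prefix_demo())
    print("problems:", validate(BAD_ROUTE))
```

Because a route cannot be updated after creation, running a check like this over the intended set (and over the flows you expect the appliance to inspect, in both directions) before creating the routes is cheaper than deleting and recreating them afterwards.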
Quota
There is a limit for how many policy-based routes you can create in a single project. For more information, see the per-project quotas in the VPC documentation.