Stay organized with collections Save and categorize content based on your preferences.

Policy-based routes

This document provides an overview of policy-based routes.

Policy-based routes let you select a next hop based on more than a packet's destination IP address. You can match traffic by protocol and source IP address as well. Matching traffic is redirected to an internal TCP/UDP load balancer. This can help you insert appliances such as firewalls into the path of network traffic.


  • When you create a policy-based route, you select which resources can have their traffic processed by the route. The route can apply to the following:
    • Select VM instances in the VPC network
    • All traffic entering the VPC network by way of VLAN attachments that you identify
  • The next hop of a policy-based route must be a valid internal TCP/UDP load balancer that is in the same VPC network as the policy-based route.
  • Internal TCP/UDP load balancers use symmetric hashing by default, so traffic can reach the same appliance on the outgoing and return paths without configuring source NAT.
  • Policy-based routes have higher priority than other route types, except for special return paths. Special return path routes are not affected by policy-based routes. The special return path route takes precedence.
  • If two policy-based routes have the same priority, Google Cloud uses a deterministic, internal algorithm to select a single policy-based route, ignoring other routes with the same priority. Policy-based routes do not use longest-prefix matching and only select the highest priority route.
  • You can create a single rule for one-way traffic or multiple rules to handle bidirectional traffic.
  • To use policy-based routes with Cloud Interconnect, the route must be applied to all Cloud Interconnect connections in an entire region. Policy-based routes cannot be applied to an individual Cloud Interconnect connection only.
  • The VM instances that receive traffic from a policy-based route must have IP forwarding enabled.


  • Policy-based routes do not support matching traffic based on port.
  • Policy-based routes are not exchanged through VPC Network Peering.
  • It is not possible to update a policy-based route after it is created. If you want to update a route, delete the route and create a new one.
  • Policy-based routes support only IPv4 traffic and do not support IPv6.
  • The internal TCP/UDP load balancer forwarding rule must have a dedicated IP address. Using a shared IP address (IP address purpose set to SHARED_LOADBALANCER_VIP) is not supported.


There is a limit for how many policy-based routes you can create in a single project. For more information, see the per-project quotas in the VPC documentation.