Policy-based routes

This document provides an overview of policy-based routes.

Policy-based routes let you select a next hop based on more than a packet's destination IP address. You can match traffic by protocol and source IP address as well. Matching traffic is redirected to an internal passthrough Network Load Balancer. This can help you insert appliances such as firewalls into the path of network traffic.

Specifications

  • When you create a policy-based route, you select which resources can have their traffic processed by the route. The route can apply to the following:
    • Select VM instances in the VPC network
    • All traffic entering the VPC network by way of VLAN attachments for Cloud Interconnect in a region
    • All virtual machine (VM) instances, VLAN attachments for Cloud Interconnect, and Cloud VPN tunnels in the VPC network
  • The next hop of a policy-based route must be a valid internal passthrough Network Load Balancer that is in the same VPC network as the policy-based route.
  • Policy-based routes have higher priority than other route types, except for special return paths. Special return path routes are not affected by policy-based routes and always take precedence.
  • If two policy-based routes have the same priority, Google Cloud uses a deterministic, internal algorithm to select a single policy-based route, ignoring other routes with the same priority. Policy-based routes do not use longest-prefix matching and only select the highest priority route.
  • You can create a single rule for one-way traffic or multiple rules to handle bidirectional traffic.
  • To use policy-based routes with Cloud Interconnect, the route must be applied to all Cloud Interconnect connections in an entire region. Policy-based routes cannot be applied to an individual Cloud Interconnect connection only.
  • The VM instances that receive traffic from a policy-based route must have IP forwarding enabled.

Limitations

  • Policy-based routes do not support matching traffic based on port.
  • Policy-based routes are not exchanged through VPC Network Peering.
  • It is not possible to update a policy-based route after it is created. If you want to update a route, delete the route and create a new one.
  • Policy-based routes support only IPv4 traffic and do not support IPv6.
  • The internal passthrough Network Load Balancer forwarding rule must have a dedicated IP address. Using a shared IP address (IP address purpose set to SHARED_LOADBALANCER_VIP) is not supported.
  • Policy-based routes can interfere with communication between the GKE control plane and nodes. For more information, see Use policy-based routes with GKE.
  • Policy-based routes do not support consuming published services with Private Service Connect endpoints or backends. For more information, see Use policy-based routes with Private Service Connect.
  • Source network address translation (SNAT) is required if policy-based routes apply to traffic for Private Google Access or Private Service Connect for Google APIs. For more information, see Use policy-based routes with Private Google Access or endpoints for Google APIs.
  • The VLAN attachments must use Dataplane v2. To check which Dataplane version a VLAN attachment uses, see the instructions for Dedicated Interconnect or Partner Interconnect.

Skipping other policy-based routes

You can create a policy-based route that skips other policy-based routes by using the Google Cloud CLI or by sending an API request. For the gcloud CLI, use the --next-hop-other-routes=DEFAULT_ROUTING flag. For an API request, include "nextHopOtherRoutes": "DEFAULT_ROUTING" in the request body.

If a policy-based route of this type matches a packet's characteristics and has a higher priority than other matching policy-based routes, Google Cloud ignores the other policy-based routes and proceeds to the most specific destination step of the VPC routing order.

For example, consider a policy-based route that uses a next hop internal passthrough Network Load Balancer. This policy-based route has a source range of 0.0.0.0/0 and a network tag of compute-vm.

To skip evaluation of the first policy-based route when packet sources match a specific IP address range, create a higher-priority policy-based route that is configured to skip other policy-based routes. Set the source IP address range for this higher-priority policy-based route to the source IP address range of the systems that need to skip policy-based routing.
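As an added illustration of the selection order described above (not code from the Google Cloud documentation or product), this Python model evaluates constructed policy-based routes by priority only and falls through to longest-prefix destination routing when the winning route uses DEFAULT_ROUTING. The route names, IP ranges and the name-based tie-break are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the routing order on this page; names, addresses and the
# tie-break rule are illustrative assumptions, not Google Cloud's implementation.

@dataclass(frozen=True)
class PolicyRoute:
    name: str
    priority: int          # lower number = higher priority, as in Google Cloud
    source_range: str
    next_hop: str          # "ilb:<ip>" or "DEFAULT_ROUTING" (skip other PBRs)
    destination_range: str = "0.0.0.0/0"
    protocol: str = "ALL"  # ports cannot be matched, so none are modelled
    tag: str = ""          # empty tag = applies to all VMs

    def matches(self, src, dst, proto, vm_tags):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source_range)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination_range)
                and self.protocol in ("ALL", proto)
                and (not self.tag or self.tag in vm_tags))

def destination_route(dest_routes, dst):
    """Ordinary VPC destination routing: longest-prefix match over (cidr, next_hop)."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c).prefixlen, nh) for c, nh in dest_routes
            if ip in ipaddress.ip_network(c)]
    return max(hits)[1] if hits else None

def select_next_hop(pbrs, dest_routes, src, dst, proto="TCP", vm_tags=()):
    """PBRs are checked first and chosen by priority alone (no longest-prefix
    matching); a winning DEFAULT_ROUTING route falls through to destination routing."""
    hits = sorted((r for r in pbrs if r.matches(src, dst, proto, vm_tags)),
                  key=lambda r: (r.priority, r.name))  # name order stands in for the internal tie-break
    if hits and hits[0].next_hop != "DEFAULT_ROUTING":
        return hits[0].next_hop
    return destination_route(dest_routes, dst)

# Scenario from the section above: inspect all traffic from VMs tagged compute-vm,
# except a management range that skips policy-based routing via a higher-priority route.
PBRS = [
    PolicyRoute("inspect-all", 1000, "0.0.0.0/0", "ilb:10.0.0.10", tag="compute-vm"),
    PolicyRoute("mgmt-bypass", 100, "192.168.100.0/24", "DEFAULT_ROUTING", tag="compute-vm"),
    # More specific source but lower priority: never wins, since prefix length is ignored.
    PolicyRoute("specific-src", 2000, "10.1.0.0/16", "ilb:10.0.0.20", tag="compute-vm"),
]
DEST_ROUTES = [("10.0.0.0/8", "vpc-subnet"), ("0.0.0.0/0", "default-internet-gateway")]

for src, dst in [("10.1.1.5", "8.8.8.8"), ("192.168.100.7", "8.8.8.8"), ("192.168.100.7", "10.2.3.4")]:
    print(f"{src} -> {dst}: {select_next_hop(PBRS, DEST_ROUTES, src, dst, vm_tags=('compute-vm',))}")
```

Untagged VMs, or VMs whose source is outside every policy-based route's source range, are routed by ordinary destination routing only.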

Quota

There is a limit for how many policy-based routes you can create in a single project. For more information, see the per-project quotas in the VPC documentation.