Routes
Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside your Google Cloud Virtual Private Cloud (VPC) network (for example, in another VM) or outside it.
In a VPC network, a route consists of a single destination prefix in CIDR format and a single next hop. When an instance in a VPC network sends a packet, Google Cloud delivers the packet to the route's next hop if the packet's destination address is within the route's destination range.
This page provides an overview of how routes work in Google Cloud.
Routing in Google Cloud
Every VPC network uses a scalable, distributed virtual routing mechanism. There is no physical device that's assigned to the network. Some routes can be applied selectively, but the routing table for a VPC network is defined at the VPC network level.
Each VM instance has a controller that is kept informed of all applicable routes from the network's routing table. Each packet leaving a VM is delivered to the appropriate next hop of an applicable route based on a routing order. When you add or delete a route, the set of changes is propagated to the VM controllers by using an eventually consistent design.
Route types
The following tables summarize how Google Cloud categorizes routes in VPC networks.
Type and destination | Next hop | Notes |
---|---|---|
Policy-based routes: Policy-based routes are evaluated before any other type of route. | ||
Policy-based route Policy-based routes can apply to packets based on source IP address, destination IP address, protocol, or a combination thereof. |
|
Policy-based routes can apply to all VMs in the network, to certain VMs selected by network tag, or to traffic entering the VPC network through VLAN attachments for Cloud Interconnect (in only one region, or in all regions). Policy-based routes are never exchanged through VPC Network Peering. |
Subnet routes: All subnet route types are evaluated after policy based routes but before custom routes. | ||
Local subnet route Created automatically for each subnet IP address range |
VPC network | Created, updated, and removed automatically by Google Cloud during subnet lifecycle events. Local subnet routes apply to the whole VPC network. |
Peering subnet route Represents a subnet IP address range in a different VPC network connected using VPC Network Peering |
Next hop in the peer VPC network | VPC Network Peering provides options for exchanging subnet routes. Created, updated, and removed automatically by Google Cloud during subnet lifecycle events. Imported peering subnet routes apply to the whole VPC network. |
Network Connectivity Center subnet route Represents a subnet IP address range in a VPC spoke (a different VPC network connected to the Network Connectivity Center hub) |
Network Connectivity Center hub | Network Connectivity Center spoke administrators can exclude the export of subnet routes. Created, updated, and removed automatically by Google Cloud during subnet lifecycle events. Imported Network Connectivity Center subnet routes apply to the whole VPC network. |
Custom routes: Custom routes are evaluated after policy based routes and after subnet routes. | ||
Local static route Supports various destinations |
Forwards packets to a static route next hop | For details about each static route next hop, see considerations for: |
Local dynamic route Destinations that don't conflict with subnet routes or static routes |
Peer of a BGP session on a Cloud Router | Routes are added and removed automatically based on
learned routes
from Cloud Routers in your VPC network. Routes apply to VMs according to the VPC network's dynamic routing mode. |
Peering static route, peering dynamic route Static or dynamic routes in a different VPC network connected using VPC Network Peering |
Next hop in the peer VPC network |
VPC Network Peering provides options for exchanging static routes. Imported peering static routes apply to the whole VPC network. VPC Network Peering provides options for exchanging dynamic routes. Peering dynamic routes apply to one region or all regions of the VPC network according to the dynamic routing mode of the VPC network that exports the routes. |
Network Connectivity Center dynamic route Dynamic routes imported from Network Connectivity Center hybrid spokes located in different VPC networks |
Network Connectivity Center hub |
A Network Connectivity Center hub can have both VPC spokes and hybrid spokes. Network Connectivity Center dynamic routes apply to one region or all regions of the VPC network according to the dynamic routing mode of the VPC network that contains the hybrid spoke. |
System-generated routes | ||
System-generated default routes
0.0.0.0/0 for IPv4
::/0 for IPv6 |
default-internet-gateway |
Applies to the whole VPC network Can be removed or replaced |
Subnet routes
Each subnet has at least one subnet route for each IP address range that is associated with the subnet. For more information about subnet IP ranges, see Subnets.
Types of subnet routes
A VPC network can include the following types of subnet routes:
- Subnet routes for subnets in the same VPC network, referred to as local subnet routes.
- Network Connectivity Center subnet routes that are imported from VPC spokes of a Network Connectivity Center hub.
- Peering subnet routes that are imported from networks connected using VPC Network Peering.
Destination ranges for all types of subnet routes must be unique. For more information, see:
Options for exchanging subnet routes and Subnet and peering subnet route interactions in the VPC Network Peering documentation
Subnet route uniqueness and VPC spokes overview in the Network Connectivity Center documentation
Lifecycle of subnet routes
All IP address ranges that are part of a subnet—primary IPv4 address ranges, secondary IPv4 address ranges, and IPv6 address ranges—have a corresponding subnet route. Google Cloud creates and deletes subnet routes in these scenarios:
You make a subnet configuration change, for example:
- Add or delete a subnet.
- Expand a primary IPv4 range.
- Add or delete a secondary IPv4 range.
- Add or delete an IPv6 range.
Google Cloud adds a new region, which automatically adds a new subnet to auto VPC mode networks. For information about the IPv4 address ranges for each subnet by its region, see auto mode IPv4 ranges.
Dynamic routes
Cloud Routers instruct the VPC network to create, update, and remove dynamic routes based on received Border Gateway Protocol (BGP) messages, applicable BGP route policies (Preview), and Cloud Router custom learned routes.
Dynamic routes are created in one region or in all regions based on the dynamic routing mode and best path selection mode of the VPC network that contains the Cloud Router. For more information, see the following:
The next hop of a dynamic route can be one of the following:
A VLAN attachment backed by either a Dedicated Interconnect connection or a Partner Interconnect connection
A Cloud VPN tunnel, either a HA VPN tunnel or a Classic VPN configured to use dynamic routing
If a next hop for a dynamic route becomes inaccessible, the Cloud Router that manages its BGP session instructs the VPC network to remove the dynamic route. For more information, see BGP state changes.
Types of dynamic routes
A VPC network can include the following types of dynamic routes:
- Dynamic routes learned by Cloud Routers in the same VPC network are referred to as local dynamic routes.
- Peering dynamic routes that are imported with custom route exchange from networks connected using VPC Network Peering .
- Network Connectivity Center dynamic routes that are imported from hybrid spokes located in different VPC networks of a Network Connectivity Center hub.
Google Cloud resolves conflicts between dynamic routes and subnet routes as described in Interactions with dynamic routes.
System-generated default routes
A default route has the broadest possible destination: 0.0.0.0/0
for IPv4 and
::/0
for IPv6. Google Cloud only uses a default route to deliver a
packet when the packet doesn't match a more specific route in the routing
order.
The absence of a default route doesn't necessarily isolate your network from the internet because special routing paths for external passthrough Network Load Balancers and external protocol forwarding don't depend on a default route.
When you create a VPC
network,
Google Cloud adds a system-generated IPv4 default
route to the
VPC network. The system-generated IPv4 default route is a local
static route that has a 0.0.0.0/0
destination and default internet gateway
next hop. A local static route with the 0.0.0.0/0
destination and default
internet gateway next hop provides a path to external IPv4
addresses, including IPv4 addresses on the internet.
The following example resources use this path:
- VMs with external IPv4 addresses assigned to their network interfaces, when the packets they send have sources matching the network interface primary internal IPv4 address.
- A public Cloud NAT gateway
configured to provide NAT services to subnets used by VM network interfaces.
Depending on which subnet IPv4 address ranges the Cloud NAT gateway
is configured to serve, packet sources can match either of the following:
- An internal IPv4 address from an alias IP address range of the VM's network interface (whether or not the network interface has an external IPv4 address), or
- The primary internal IPv4 address of the VM's network interface if the network interface doesn't have an external IPv4 address assigned.
When you create a subnet that has an external IPv6 address range,
Google Cloud adds a system-generated IPv6 default route to the
VPC network if it doesn't already have one. The system-generated
IPv6 default route is a local static route that has a ::/0
destination and
default internet gateway next hop. A local static route with the ::/0
destination and default internet gateway next hop provides a path to external
IPv6 addresses, including IPv6 addresses on
the internet. This path can be used by the following:
- VMs with
/96
external IPv6 address ranges assigned to their network interfaces, when the packets they send have sources in that/96
address range.
Accessing global Google APIs sometimes depends on a local IPv4 or IPv6 default route with default internet gateway next hop:
If you access global Google APIs and services by sending packets to a Private Service Connect endpoint for global Google APIs, your VPC network doesn't require a default route with default internet gateway next hop. Google Cloud adds a special routing path to the endpoint.
If you access global Google APIs and services by sending packets to IPv4 or IPv6 addresses for the default domains, the IPv4 or IPv6 addresses for
private.googleapis.com
, or the IPv4 or IPv6 addresses forrestricted.googleapis.com
, you can either use default IPv4 and IPv6 routes that have default internet gateway next hops, or you can create and use IPv4 and IPv6 static routes that have more specific destinations and default internet gateway next hops:- If your VMs have only internal IP addresses, see Routing options for Private Google Access.
- If your VMs have external IP addresses, see Routing options.
Route interactions
The following sections describe the interactions between subnet routes and other route types.
Interactions between subnet routes and static routes
Google Cloud enforces the following rules for local subnet routes, peering subnet routes, and Network Connectivity Center subnet routes unless the corresponding subnet has been configured as a hybrid subnet.
Google Cloud doesn't let you create a new static route if the destination of the new static route exactly matches or fits within the destination of an existing local, peering, or Network Connectivity Center subnet route. For example:
If a local, peering, or Network Connectivity Center subnet route exists with the
10.70.1.0/24
destination, you cannot create a new static route for10.70.1.0/24
,10.70.1.0/25
,10.70.1.128/25
, or any other destination that fits within10.70.1.0/24
.If a local or peering subnet route exists with the
2001:0db8:0a0b:0c0d::/64
destination, you can't create a new static route for2001:0db8:0a0b:0c0d::/64
,2001:0db8:0a0b:0c0d::/96
, or any other destination that fits within2001:0db8:0a0b:0c0d::/64
.
Google Cloud doesn't let you make any changes to subnets that result in a subnet IP address range that exactly matches or contains the destination of an existing local or peering static route. For example:
If your VPC network has a static route with the
10.70.1.128/25
destination, you can't create a new subnet that has a primary or secondary IPv4 address range of10.70.1.128/25
,10.70.1.0/24
, or any other IP address range that contains all the IPv4 addresses in10.70.1.128/25
.If your VPC network has a static route with the
2001:db8:a0b:c0d:e0f:f0e::/96
destination, Google Cloud prohibits the creation of a new local or peering subnet route that has an IPv6 address range of2001:db8:a0b:c0d::/64
or any other range that contains all the IPv6 addresses in2001:db8:a0b:c0d:e0f:f0e::/96
.
Interactions between subnet routes and dynamic routes
Google Cloud enforces the following rules unless a subnet has been configured as a hybrid subnet.
Google Cloud doesn't create a dynamic route if a Cloud Router sends a prefix that either exactly matches or fits within the destination of an existing local, peering, or Network Connectivity Center subnet route. For example:
If a local, peering, or Network Connectivity Center subnet route exists with the
10.70.1.0/24
destination, and if a Cloud Router in the VPC network, a peered VPC network, or a network containing a Network Connectivity Center hybrid spoke receives10.70.1.128/25
,10.70.1.0/24
, or any other prefix that fits within10.70.1.0/24
, Google Cloud doesn't create any local, peering, or Network Connectivity Center dynamic routes for the received conflicting prefixes.If a local, peering, or Network Connectivity Center subnet route exists with the
2001:0db8:0a0b:0c0d::/64
destination, and if a Cloud Router in the VPC network, a peered VPC network, or a network containing a Network Connectivity Center hybrid spoke receives2001:0db8:0a0b:0c0d::/96
,2001:0db8:0a0b:0c0d::/64
, or any other prefix that fits within2001:0db8:0a0b:0c0d::/64
, Google Cloud doesn't create any local, peering, or Network Connectivity Center dynamic routes for the received conflicting prefixes.
Google Cloud removes any existing dynamic route if any change to subnets results in the creation of a new local, peering, or Network Connectivity Center subnet route whose destination exactly matches or contains the destination of the existing local, peering, or Network Connectivity Center dynamic route. For example:
If your VPC network has a local, peering, or Network Connectivity Center dynamic route with the
10.70.1.128/25
destination, Google Cloud removes the dynamic route when a new local, peering, or Network Connectivity Center subnet route for10.70.1.128/25
,10.70.1.0/24
, or any other IP address range that contains all the IPv4 addresses in10.70.1.128/25
is created.If your VPC network has a local, peering, or Network Connectivity Center dynamic route with the
2001:db8:a0b:c0d::/96
destination, Google Cloud removes the dynamic route when a new local, peering, or Network Connectivity Center subnet route for2001:db8:a0b:c0d::/64
is created.
Applicability and order
Applicable routes
Each instance, Cloud VPN tunnel, and VLAN attachment has a set of applicable routes—routes that apply to that specific resource. Applicable routes are a subset of all routes in the VPC network.
The following route types always apply to all VM instances, VLAN attachments, and Cloud VPN tunnels:
The following route types can be configured to apply only to certain VM instances, VLAN attachments, or Cloud VPN tunnels:
Policy-based routes can apply to:
- All VM instances, VLAN attachments, and Cloud VPN tunnels
- Only VM instances identified by network tags
- Only VLAN attachments in a particular region
Static routes can apply to:
- All VM instances, VLAN attachments, and Cloud VPN tunnels
- Only VM instances identified by network tags
Dynamic routes can apply to VM instances, VLAN attachments, and Cloud VPN tunnels in either the region containing the dynamic route's next hop or all regions, based on the dynamic routing mode of the VPC network.
Special routing paths
VPC networks have special routes for certain services. These special routing paths don't appear in your VPC network route table. You can't remove any special routing paths. However, you can allow or deny packets by using VPC firewall rules or firewall policies.
Paths for external passthrough Network Load Balancers and external protocol forwarding
External passthrough Network Load Balancers and external protocol forwarding use Maglev systems to route packets from clients on the internet to backend VMs and target instances in your VPC network. These Maglev systems route packets that have destinations that match the destination of the external forwarding rule.
Each forwarding rule for an external passthrough Network Load Balancer or for external protocol forwarding also provides a routing path for its backend VMs or target instance to send packets to destinations outside of the VPC network:
- Packets sent by backend VMs or target instances can be either outbound response packets (sent back to the client) or they can be outbound packets that initiate a new connection.
- Packet sources must match the forwarding rule's IP address. Packet protocol and source port don't have to match the forwarding rule's protocol and port specification.
- Forwarding rule routing paths don't depend on a default route or the use of the default internet gateway next hop.
- Backend VMs and target instances don't need to have IP forwarding enabled.
Paths between Google Front Ends and backends
External Application Load Balancers and external proxy Network Load Balancers use Google Front Ends (GFEs). Second layer GFEs open TCP connections to your backend VMs and send packets from the following sources:
35.191.0.0/16
and130.211.0.0/22
for IPv42600:2d00:1:1::/64
for IPv6
Google Cloud uses routes in Google's network to deliver packets from those source ranges to backend VMs in your VPC network. Each VPC network includes routing paths that allow VMs to send response packets to the ranges.
Paths for health checks
Health checks for all load balancers and for managed instance group autohealing send packets to your backend VMs from health check probe IP address ranges.
Google Cloud uses routes in Google's network to deliver packets from health check probe systems to VMs in your VPC network. Each VPC network includes routing paths that allow VMs to send response packets to the health check probe systems.
Paths for Identity-Aware Proxy (IAP)
TCP forwarding using IAP uses
35.235.240.0/20
for IPv4 and 2600:2d00:1:7::/64
for IPv6 as internal-only
ranges with next hops that are entirely within Google's network. Google doesn't
publish routes to these ranges on the internet.
Routes in Google's network deliver packets from 35.235.240.0/20
or
2600:2d00:1:7::/64
to VMs in your
VPC network when you use IAP TCP forwarding. Each
VPC network includes routing paths that allow VMs to send
response packets to these ranges.
Paths for Cloud DNS and Service Directory
The following Cloud DNS and Service Directory features use
35.199.192.0/19
as an internal-only range with next hops that are entirely
within Google's network. Google doesn't publish routes to 35.199.192.0/19
on
the internet.
- Cloud DNS forwarding targets that use private routing
- Cloud DNS alternative name servers that use private routing
- Private network access for Service Directory
Routes in Google's network deliver packets from 35.199.192.0/19
to VMs in your
VPC network when you use these Cloud DNS and
Service Directory features. Each VPC network includes routing
paths that allow VMs to send response packets to 35.199.192.0/19
.
Paths for Serverless VPC Access
Serverless VPC Access uses
35.199.224.0/19
as an internal-only range with next hops that are entirely
within Google's network. Google doesn't publish routes to 35.199.224.0/19
on
the internet.
Routes in Google's network deliver packets from 35.199.224.0/19
to
Serverless VPC Access connector instances. Each VPC
network includes routing paths that allow connector instances to send response
packets to 35.199.224.0/19
.
Paths for Private Service Connect endpoints for global Google APIs
When you create a Private Service Connect endpoint for global Google APIs, Google Cloud adds a route for the endpoint to your VPC network. The route's destination is the global internal IP address of the endpoint.
Routing order
There might be more than one applicable route for a given packet. The following steps model the process that is used to select a route.
Special routing paths: Some Google Cloud special routing paths not shown in your VPC network route table. For details, see Special routing paths.
If a special routing path is applicable, your route selection model contains only the special path. All other routes are disregarded, and evaluation stops at this step.
Policy-based routes: Policy-based routes are evaluated after special routing paths but before other types of routes. If no policy-based routes exist in the VPC network, Google Cloud skips this step and continues to the subnet routes step.
Google Cloud evaluates policy-based routes solely by their priority. Google Cloud evaluates a packet's source and destination for each policy-based route, starting with the highest priority policy-based route or routes. If a packet's characteristics don't match a policy-based route, Google Cloud disregards that policy-based route and continues to evaluate the next policy-based route in the sorted list. The next policy-based route to evaluate might share the same priority as the disregarded policy-based route, or it might have a lower priority.
If a packet's characteristics don't match any policy-based route after evaluating all policy-based routes in your route selection model, Google Cloud disregards all policy-based routes and continues to the subnet routes step.
If a packet's characteristics match a highest-priority policy-based route, Google Cloud first disregards all lower-priority policy-based routes. If two or more policy-based routes are left in the list, Google Cloud evaluates each of the remaining policy-based routes that have identical priorities. Google Cloud disregards any remaining policy-based routes if a packet's characteristics don't match it. After this step, your route selection model might contain one or more policy-based routes.
If your route selection model includes two or more matching highest-priority policy-based routes, Google Cloud selects a single policy-based route by using an internal algorithm. The selected policy-based route might not be the most specific match for the packet's source or destination. To avoid this ambiguity, we recommend that you create policy-based routes that have unique priorities.
If your route selection model includes only a single highest-priority policy-based route that is configured to skip other policy-based routes, Google Cloud disregards all policy-based routes and continues to the subnet routes step.
If your route selection model includes only a single highest-priority policy-based route that is not configured to skip other policy-based routes, Google Cloud delivers the packet to the next hop internal passthrough Network Load Balancer, and disregards all non-policy-based routes.
Subnet routes: Google Cloud determines whether the packet's destination fits within the destination range of a local, peering, or Network Connectivity Center subnet route in the VPC network.
If a packet's destination doesn't match the destination range of any local, peering, or Network Connectivity Center subnet route, Google Cloud disregards all subnet routes and continues to the Most specific destination step.
If a packet's destination does match the destination range of a local, peering, or Network Connectivity Center subnet route in the VPC network, the behavior is different depending on whether the subnet has been configured as a hybrid subnet:
For most subnets, Google Cloud exclusively uses the subnet route, attempting to send the packet to a resource in the subnet, like a VM network interface or internal forwarding rule. All other routes are disregarded, and evaluation stops at this step. If no resource is present using the packet's destination or if the resource is a stopped VM instance, the packet is dropped.
However, if the matched subnet route comes from a hybrid subnet, Google Cloud attempts to locate a matching destination resource in the subnet, like a VM network interface or internal forwarding rule:
If a resource exists in the subnet, Google Cloud exclusively uses the subnet route and attempts to send the packet to the resource. All other routes are disregarded, and evaluation stops at this step. If no resource is present at the packet's destination, the packet is dropped. If the resource is a VM that isn't running, the packet is also dropped.
If a resource doesn't exist in the subnet, Google Cloud ignores all subnet routes, including the matched subnet route, and continues to the Most specific destination step.
Most specific destination: At the beginning of this step, your route selection model contains no special routing paths, no policy-based routes, and no local, peering, or Network Connectivity Center subnet routes.
Google Cloud determines which of the remaining applicable routes have the most specific destination that contains the destination IP address of the packet. Google Cloud disregards all other routes with less specific destinations. For example,
10.240.1.0/24
is a more specific destination than10.240.0.0/16
.At the end of this step, your route selection model contains only custom routes with identical destinations.
Select only the most favorable custom route type: In this step, Google Cloud removes all custom routes except the most favorable custom route type. Local custom routes are preferred over Network Connectivity Center dynamic routes, and Network Connectivity Center dynamic routes are preferred over peering custom routes.
The following table summarizes the logic that Google Cloud uses in this step.
Custom route category What happens Local dynamic and local static routes If your route model contains at least one local dynamic or local static route for the destination, Google Cloud removes the following custom route types, if they are present in the route model:
- Network Connectivity Center dynamic routes from hybrid spokes, in different VPC networks
- Peering dynamic routes (imported from other VPC networks connected using VPC Network Peering)
Network Connectivity Center dynamic routes If all of the following conditions are met, Google Cloud removes all peering dynamic and peering static routes from the route model: - Your route model doesn't contain any local custom routes for the destination
- Your route mode does contain at least one Network Connectivity Center dynamic route for the destination
- The Network Connectivity Center dynamic route comes from from a hybrid spoke in a different VPC network
Peering dynamic and peering static routes The least favorable custom route type contains peering custom routes. Peering custom routes for the destination are used only when the route model doesn't contain any local custom routes or Network Connectivity Center dynamic routes for the destination. Select next hops for peering custom routes from a single VPC network: Next hops for the same destination must be located in the same VPC network. This step only applies if your route model contains peering dynamic or peering static routes that are imported from two or more different VPC networks connected using VPC Network Peering.
Google Cloud uses an internal algorithm to import peering custom routes from a single VPC network. The peer network that Google Cloud selects might change if your VPC network peers with a new VPC network or if it disconnects from an existing peer VPC network.
Disregard static and dynamic routes with unusable next hops: This step models situations where Google Cloud disregards next hops that are down or invalid.
Invalid next hop VM IP address specification: The
next-hop-address
of a static route must match an IP address that is assigned to a VM in the route's VPC network. The IP address must be assigned to the VM's network interface as one of the following:- A primary internal IPv4 address
- An internal IPv6 address
- An external IPv6 address
If the IP address specified by
next-hop-address
matches a different type of resource (like an alias IP range) or doesn't match any resource, Google Cloud disregards the route.Next hop VM stopped or deleted: Google Cloud disregards each static route whose next hop VM instance has been stopped or deleted. This behavior applies to routes whose next hops are specified using either
next-hop-instance
ornext-hop-address
. For more information, see Behavior when instances are stopped or deleted.Invalid next hop load balancer IP address specification: For static routes that have a next hop load balancer specified by IP address, the IP address must match a forwarding rule of an internal passthrough Network Load Balancer that is located in the route's VPC network or in a peered VPC network. If the next hop IP address matches the forwarding rule of a different type of load balancer or doesn't match any forwarding rule, Google Cloud disregards the route.
Unestablished next hop Classic VPN tunnel: Google Cloud disregards each static route with a next hop Classic VPN tunnel that doesn't have an active Phase 1 (IKE) security association (SA). For more details, see Order of routes in the Classic VPN documentation.
Dynamic route with nonfunctional next hop: Even before the BGP session responsible for programming a dynamic route goes down, Google Cloud disregards a dynamic route if its next hop Cloud VPN tunnel, VLAN attachment, or Router appliance VM isn't functional. This situation generally only exists for a few seconds before the dynamic route is removed when the corresponding Cloud Router BGP session goes down.
Google Cloud doesn't validate whether the guest OS of a next hop VM or a backend VM for a next hop load balancer is processing packets. For more information, see Considerations common to instance and internal passthrough Network Load Balancer next hops.
Disregard low priority routes: This step models how Google Cloud discards all routes except for those with the highest priority.
After this step, your route model might be empty, or it might contain one or more routes. If your model isn't empty, all routes in your model have the following characteristics:
- Identical priorities
- Next hops that haven't been disregarded
- Identical destinations
- Route types that aren't policy-based or subnet routes
Select next hops for Network Connectivity Center dynamic routes from a single VPC network: Next hops for the same destination must be located in the same VPC network. This step only applies if your route model contains Network Connectivity Center dynamic routes imported from two or more hybrid spokes located in different VPC networks.
Google Cloud uses an internal algorithm to import Network Connectivity Center dynamic routes from hybrid spokes located in a single VPC network. The selected hybrid spokes might change if you add hybrid spokes to or remove hybrid spokes from the Network Connectivity Center hub. To avoid this ambiguity, ensure that Network Connectivity Center dynamic routes have unique priorities when the following applies:
- The routes have identical destinations.
- The routes are imported from two or more hybrid spokes in different VPC networks.
Select only the most favorable preference category: Google Cloud doesn't perform equal-cost multipath (ECMP) among routes that belong to different preference categories, as defined in this step.
Preference category Route type and next hop type First preference (most preferred) One or more static routes with next hop instances ( next-hop-instance
ornext-hop-address
) or next hop Classic VPN tunnels.Second preference One or more dynamic routes of a single type. Third choice A single static route with next hop internal passthrough Network Load Balancer. Fourth preference (least preferred) One or more static routes with next hop default-internet-gateway
.In this step, when two or more static routes with next hop load balancer exist, Google Cloud selects a single static route using an internal algorithm—Google Cloud doesn't perform ECMP among multiple load balancers. For more information, see Considerations for internal passthrough Network Load Balancer next hops.
After this step, your route model might be empty, or it might contain one or more routes. If your model isn't empty, all routes in your model have these characteristics:
- Identical preference category
- Identical priorities
- Next hops that haven't been disregarded
- Next hops in one VPC network
- Identical destinations
- Route types that aren't policy-based or subnet routes
Send or drop packet: Depending on the number of routes remaining in the route model, Google Cloud sends or drops the packet:
If your route model contains a single route, Google Cloud sends the packet to the next hop, with the following exception:
Next hop internal passthrough Network Load Balancers that don't have global access enabled aren't reachable from regions outside of the load balancer's region. Consequently, if a next hop load balancer doesn't have global access enabled, Google Cloud drops all packets sent from VM instances, VLAN attachments, and Cloud VPN tunnels in regions different from the load balancer's region. To change this behavior, enable global access.
If your route model contains two or more routes, Google Cloud performs ECMP, distributing packets among the next hops. Selection of the next hop depends on a hash calculation and the number of next hops. Google Cloud uses a five-tuple hash if the packet contains port information; otherwise, it uses a three-tuple hash. If the route model changes as subsequent packets are sent, Google Cloud might direct those packets to a different next hop even if the hash is the same.
If your route model is empty, Google Cloud drops the packet with an ICMP type 3, code 0 (network unreachable) message.
What's next
- To create and manage routes, see Use routes.
- To learn more about static routes, see Static routes.
- To get an overview of Google Cloud VPC networks, see VPC networks.
- To create, modify, or delete VPC networks, see Create and manage VPC networks.