Use routes

This page describes how to create and manage routes for Virtual Private Cloud (VPC) networks in Google Cloud. This page assumes that you are familiar with the different types of Google Cloud routes and their characteristics as described in Routes.

Every new network has two types of system-generated routes: a default route, which you can remove or replace, and one subnet route for each of its subnets. You cannot remove a subnet route unless you delete the corresponding subnet itself.

In addition to the system-generated routes, you can create other custom static routes.

List routes for a VPC network

You can use the Google Cloud CLI or the API to list and view details about the following types of routes:

Neither the gcloud CLI commands nor the API methods show the following types of routes:

To see the complete route view, use the Google Cloud console. To list and describe policy-based routes, see Use policy-based routes.

Console

  1. In the Google Cloud console, go to the Routes page.

    Go to Routes

  2. On the Effective routes tab, do the following:

    • Choose a VPC network.
    • Choose a region.
  3. Click View.

  4. You can filter based on route type, destination IP range, next hop type, and more.

gcloud

Use the following gcloud CLI commands to list and view details about the routes listed earlier:

gcloud compute routes list \
    --filter="network=NETWORK_NAME" \
    --project=PROJECT_ID
gcloud compute routes describe ROUTE_NAME \
    --format="flattened()" \
    --project=PROJECT_ID

Replace the following:

  • NETWORK_NAME: the name of the VPC network.
  • PROJECT_ID: the project ID that contains your VPC network.
  • ROUTE_NAME: the name of the route.

API

Use the following API methods to list and view details about the routes listed earlier:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes?filter=network="NETWORK_URL
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes/ROUTE_NAME

Replace the following:

  • PROJECT_ID: the project ID that contains your VPC network.
  • NETWORK_URL: the URL of the VPC network.
  • ROUTE_NAME: the name of the route.

For more information, see the routes.list method and the routes.get method.

List applicable routes for a VM network interface

You can use the Google Cloud console to view applicable routes for a VM's network interface. This view narrows the list of routes that you can use for egress traffic.

To view applicable routes for a specific network interface of a VM, follow these steps.

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Locate a VM instance in the list. In the More actions menu at the end of the row, select View network details.

  3. If an instance has multiple network interfaces, in the Network interface details section, select the network interface that you want to view.

  4. In the Firewall and routes details section, click the Routes tab to see all the routes that apply to the network interface, sorted by route name.

Add and remove static routes

You can add or remove static routes and policy-based routes that are local to your VPC network. This section describes how to add and delete local static routes. For more information about how to add and remove policy-based routes, see Use policy-based routes.

Subnet routes are added and deleted automatically when you add or delete a subnet. For more information about how to add and remove subnets, see Work with subnets.

All routes in a VPC network that are connected by VPC Network Peering must be manipulated in the VPC network that exports those routes. For more information, see Route exchange options.

Before you add a static route

Before you add a static route, make sure that you understand the following:

  • Make sure you understand the different types of next hops that static routes can use. For information about the different types of static route next hops, including which ones support IPv6 destinations, see Next hops and features.
  • Unless you use hybrid subnets, a static route cannot have a destination range that matches or is more specific than the destination range of a subnet or peering subnet route. For more details, see Interactions with custom static routes in the Routes overview and Subnet and static route interactions in the VPC Network Peering documentation.
  • To avoid conflicts when using an auto mode network, don't create static routes whose destinations fit within 10.128.0.0/9. Review the IP ranges reserved for auto mode networks for details.
  • Destinations for custom static routes can't overlap with any internal allocated range.
  • Make sure you're familiar with instances as next hops before you create a custom static route that uses a VM as its next hop. Google Cloud only validates that a VM exists at the time when you create the route if you choose a next-hop instance.
  • If you create a route using a network tag, then only VMs with that tag receive that route. However, tagged VMs still receive all routes that have no network tag.

Add a static route

Add a static route to a network. For more information about the different types of static route next hops, including which ones support IPv6 destinations, see Next hops and features.

Console

  1. In the Google Cloud console, go to the Routes page.

    Go to Routes

  2. Click the Route management tab.

  3. Click Create route.

  4. Specify a name and a description for the route.

  5. In the Network list, select an existing network for the route.

  6. In the Route type list, select Static route.

  7. In the IP version list, select the required IP version:

    • To create an IPv4 static route, select IPv4.
    • To create an IPv6 static route, select IPv6.
  8. Specify a destination IP range. The broadest possible destination is 0.0.0.0/0 for IPv4 or ::/0 for IPv6.

  9. Specify a priority for the route. The priority can be from 0 (the highest priority) to 65535 (the lowest priority).

  10. To make the route applicable only to select instances with matching network tags, specify those in the Instance tags field. Leave the field blank to make the route applicable to all instances in the network.

  11. Select a next hop for the route:

    • Default internet gateway: delivers packets to the internet and to Google APIs and services
    • Specify an instance: delivers packets to a VM instance's network interface. Specify the VM instance by name and zone. If the route destination is an IPv6 address, the VM instance must be dual-stack.
    • Specify IP address of an instance: specify the primary internal IPv4 address of an existing instance in the VPC network.
    • Specify VPN tunnel: delivers packets to an existing Classic VPN tunnel using static routing.
    • Specify a forwarding rule name or IP address of an internal passthrough Network Load Balancer: delivers packets to an internal passthrough Network Load Balancer that is specified by its internal forwarding rule name (or IPv4 address) and region.
  12. Click Create.

gcloud

Create a new custom static route with the following gcloud CLI command:

gcloud compute routes create ROUTE_NAME \
    --network=NETWORK \
    --destination-range=DESTINATION_RANGE \
    --priority=PRIORITY \
    NEXT_HOP_SPECIFICATION

Replace the following:

  • ROUTE_NAME: the name of the route
  • NETWORK: the name of the VPC network that contains the route
  • DESTINATION_RANGE: the destination IPv4 or IPv6 addresses to which this route applies. The broadest possible destination is 0.0.0.0/0 for IPv4 or ::/0 for IPv6.
  • PRIORITY: the route priority, which can be from 0 (the highest priority) to 65535 (the lowest priority)
  • NEXT_HOP_SPECIFICATION: the next hop for the static route. Use one of the following parameters or combination of parameters:

    • --next-hop-gateway=default-internet-gateway: deliver packets to the internet and to Google APIs and services.
    • --next-hop-instance=INSTANCE_NAME and --next-hop-instance-zone=ZONE: deliver packets to an existing VM instance's network interface. Specify the VM instance by name and zone. If the route destination is an IPv6 address, the VM instance must be dual-stack.
    • --next-hop-address=ADDRESS: specify the primary IPv4 address of an existing instance in the VPC network.
    • --next-hop-vpn-tunnel=VPN_TUNNEL_NAME and --next-hop-vpn-tunnel-region=REGION: deliver packets to an existing Classic VPN tunnel using static routing.
    • --next-hop-ilb=FORWARDING_RULE and --next-hop-ilb-region=REGION: deliver packets to an internal passthrough Network Load Balancer. Specify the VM instance by its internal forwarding rule name (or IPv4 address) and region.

    To make the custom static route apply to only select VMs by network tag, add the --tags flag and specify one or more network tags. For more information about how network tags and custom static routes work together, see Applicable routes in the Routes overview. You can use tags with any custom static route.

For more information about the gcloud CLI syntax, see the SDK documentation.

API

Create a new custom static route.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes
{
  "name": "ROUTE_NAME",
  "network": "NETWORK_NAME",
  "destRange": "DESTINATION_RANGE",
  "priority": PRIORITY,
  "NEXT_HOP_SPECIFICATION"
}

Replace the following:

  • PROJECT_ID: the ID of the project where your route is created
  • ROUTE_NAME: the name of the route
  • NETWORK: the name of the VPC network that contains the route.
  • DESTINATION_RANGE: the destination IPv4 or IPv6 address range to which this route applies. The broadest possible destination is 0.0.0.0/0 for IPv4 or ::/0 for IPv6.
  • PRIORITY: the route priority, which can be from 0 (the highest priority) to 65535 (the lowest priority)
  • NEXT_HOP_SPECIFICATION: the next hop for the static route. Use one of the following parameters or combination of parameters:
    • nextHopGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/gateways/default-internet-gateway: delivers packets to the internet and to Google APIs and services
    • nextHopInstance: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME: delivers packets to a VM instance's network interface. Specify the VM instance by name and zone. If the route destination is an IPv6 address, the VM instance must be dual-stack.
    • nextHopIp: ADDRESS: specify the primary IPv4 address of an existing instance in the VPC network.
    • nextHopVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels/VPN_TUNNEL_NAME: delivers packets to an existing Classic VPN tunnel using static routing.
    • nextHopIlb: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/FORWARDING_RULE: delivers packets to an internal passthrough Network Load Balancer. Specify the VM instance by its internal forwarding rule name (or IPv4 address) and region.

To make the custom static route apply to only select VMs by network tag, add the tags field and specify one or more network tags. For more information about how network tags and custom static routes work together, see Applicable routes in the Routes overview. You can use tags with any custom static route.

For more information, refer to the routes.insert method.

Terraform

You can create a static route by using a Terraform module.

This static route creates a default route to the internet.

module "google_compute_route" {
  source       = "terraform-google-modules/network/google//modules/routes"
  version      = "~> 9.0"
  project_id   = var.project_id # Replace this with your project ID in quotes
  network_name = "default"

  routes = [
    {
      name              = "egress-internet"
      description       = "route through IGW to access internet"
      destination_range = "0.0.0.0/0"
      tags              = "egress-inet"
      next_hop_internet = "true"
    }
  ]
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add an IPv4 default route

The IPv4 default static route (0.0.0.0/0) with the next-hop-gateway set to default-internet-gateway is automatically configured for each VPC network. Use these steps to re-create this route if necessary.

Console

  1. In the Google Cloud console, go to the Routes page.

    Go to Routes

  2. Click the Route management tab.

  3. Click Create route.

  4. Specify a name and a description for the route.

  5. Select an existing network for the route.

  6. For Destination IP range, enter 0.0.0.0/0.

  7. Specify a priority for the route. The priority can be from 0 (the highest priority) to 65535 (the lowest priority).

  8. For Next hop, select Default internet gateway.

  9. Click Create.

gcloud

Recreate the IPv4 default route for a network.

gcloud compute routes create ROUTE_NAME \
    --destination-range=0.0.0.0/0 \
    --network=NETWORK \
    --next-hop-gateway=default-internet-gateway

Replace the following:

  • ROUTE_NAME: a name for the route
  • NETWORK: the name of the VPC network that contains the route

API

Recreate the IPv4 default route for a network.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes
{
  "destRange": "0.0.0.0/0",
  "name": "ROUTE_NAME",
  "network": "NETWORK_NAME",
  "nextHopGateway": "projects/PROJECT_ID/global/gateways/default-internet-gateway"
}

Replace the following:

  • PROJECT_ID: the ID of the project where your route is created
  • ROUTE_NAME: a name for the route
  • NETWORK_NAME: the name of the VPC network that contains the route

Add an IPv6 default route

The IPv6 default static route (::/0) with the next-hop-gateway set to default-internet-gateway is automatically configured for the VPC network when you create a dual-stack subnet with the external IP access type. You can delete the route to block all IPv6 traffic from VMs to the internet. You can also recreate the route if needed.

Console

  1. In the Google Cloud console, go to the Routes page.

    Go to Routes

  2. Click the Route management tab.

  3. Click Create route.

  4. Specify a name and a description for the route.

  5. Select an existing network for the route.

  6. For Destination IP range, enter ::/0.

  7. Specify a priority for the route. The priority can be from 0 (the highest priority) to 65535 (the lowest priority).

  8. For Next hop, select Default internet gateway.

  9. Click Create.

gcloud

Recreate the IPv6 default route for a network.

gcloud compute routes create ROUTE_NAME \
    --destination-range=::/0 \
    --network=NETWORK \
    --next-hop-gateway=default-internet-gateway

Replace the following:

  • ROUTE_NAME: a name for the route.
  • NETWORK: the name of the VPC network that contains the route.

API

Recreate the IPv6 default route for a network.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes
{
  "destRange": "::/0",
  "name": "ROUTE_NAME",
  "network": "NETWORK_NAME",
  "nextHopGateway": "projects/PROJECT_ID/global/gateways/default-internet-gateway"
}

Replace the following:

  • PROJECT_ID: the ID of the project where your route is created
  • ROUTE_NAME: a name for the route
  • NETWORK_NAME: the name of the VPC network that contains the route

Modify a static route

You cannot edit or update a static route after you create it. To modify a static route, you must delete it and create a replacement.

Delete a static route

To delete a route, do the following.

Console

  1. In the Google Cloud console, go to the Routes page.

    Go to Routes

  2. Click the Route management tab.

  3. Select the checkbox next to the rule that you want to delete.

  4. Click Delete.

  5. Click Delete again to confirm.

gcloud

Delete a custom static route by using the following gcloud CLI command:

gcloud compute routes delete ROUTE_NAME

Replace ROUTE_NAME with the name of the route that you want to delete.

API

Delete a custom static route to remove it from your VPC network by using the routes.delete method:

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes/ROUTE_NAME

Replace the following:

  • PROJECT_ID: the ID of the project where your route is located.
  • ROUTE_NAME: the name of the route to delete.

Propagation of route changes

When you add or delete a static route, the route propagates to all regions and VM instances in your VPC network. A route operation status of PENDING or RUNNING indicates that the route change is queued.

After queueing, the route operation status changes to DONE. It might take an additional 30 seconds before all VM instances in your VPC network and VPC Network Peering networks use a new route or stop using an old route.

If you add or remove several static routes simultaneously, the changes can be applied in any order. There is no guarantee that the order in which you submit route changes is the order in which they are processed. Different instances might become aware of the changes at different times.

If you need to make route changes that depend on each other, you must make those changes sequentially by performing subsequent changes only after the previous change's status is DONE and an additional 30 seconds has elapsed.

Enable IP forwarding for instances

By default, IP forwarding is disabled, and Google Cloud performs strict source address checking. Subject to the effective egress firewall configuration, a VM can emit packets with the following sources:

  • The primary internal IPv4 address of an instance's network interface (NIC).
  • Any configured alias IP range on an instance's NIC.
  • If an IPv6 address range is configured on the subnet, and the instance is dual-stack, any of the IPv6 addresses that are assigned to the NIC.
  • An internal or external IP address associated with a forwarding rule, for pass-through load balancing or protocol forwarding, if the instance is a backend for an internal passthrough Network Load Balancer, an external passthrough Network Load Balancer, or is referenced by a target instance.

To use a VM as a next hop for a route, the VM needs to forward packets whose sources don't match one of the IP addresses or ranges in the preceding list. To forward packets with arbitrary source addresses, you must enable IP forwarding:

  • When you create or update a VM, you enable IP forwarding by following the directions in this section. Enabling IP forwarding applies to all of the NICs on the VM.
  • In addition to the steps in this section, you must enable IP forwarding within the VM guest operating system. To do this on Linux, set the value of one or both of the following kernel parameters to 1: net.ipv4.ip_forward (for IPv4) or net.ipv6.conf.all.forwarding (for IPv6).

To enable IP forwarding when you create a VM, complete the following steps.

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Click Create instance.

  3. In the Advanced options section, expand Networking, disks, security, management, sole-tenancy.

  4. Expand the Networking section.

  5. In the IP forwarding section, select the Enable checkbox.

gcloud

When creating an instance, add the --can-ip-forward flag to your command:

gcloud compute instances create ... --can-ip-forward

API

When creating an instance, use the canIpForward field to enable IP forwarding:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
  "canIpForward": true,
  ...other fields
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the instance
  • ZONE: the Google Cloud zone containing the instance

For more information, see the instances.insert method.

Terraform

You can use the Terraform resource to create a VM instance with IP forwarding enabled.

In this example, the Terraform arguments have assigned values that you can change.

resource "google_compute_instance" "default" {
  project      = var.project_id # Replace this with your project ID in quotes
  zone         = "southamerica-east1-b"
  name         = "instance-next-hop"
  machine_type = "e2-medium"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }
  network_interface {
    network = "default"
  }
  can_ip_forward = true
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

After you enable IP forwarding, continue with the VM creation process.

To enable IP forwarding on an existing VM, update the canIpForward instance property.

What's next