Use routes
This page describes how to create and manage routes for Virtual Private Cloud (VPC) networks in Google Cloud. This page assumes that you are familiar with the different types of Google Cloud routes and their characteristics as described in Routes.
Every new network has two types of system-generated routes: a default route, which you can remove or replace, and one subnet route for each of its subnets. You cannot remove a subnet route unless you delete the corresponding subnet itself.
In addition to the system-generated routes, you can create other custom static routes.
Inspect routes
List routes for VPC networks
You can view routes using either of these methods:
Console
To list routes for all networks:
- Go to the Routes page in the Google Cloud console.
- You can use the Filter routes text box to limit the routes shown. For example, you can type the name of a VPC network and press Enter to show the routes for a specific network.
- The All tab shows all types of routes. To view just custom dynamic routes, click the Dynamic tab.
gcloud
To list default routes, subnet routes, and custom static routes, use the following gcloud command, replacing NETWORK_NAME with the name of your network:
gcloud compute routes list --filter="network=NETWORK_NAME"
Custom dynamic routes are not shown by gcloud compute routes list. To view dynamic routes, you must query the status of the Cloud Router that learned the route. Use the following command as a template, replacing CLOUD_ROUTER_NAME with the name of a Cloud Router and REGION with its region:
gcloud compute routers get-status CLOUD_ROUTER_NAME \
    --region=REGION \
    --format="flattened(result.bestRoutes)"
API
List default routes, subnet routes, and custom static routes in your VPC network.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes?filter=network="NETWORK_URL"
Replace the placeholders with valid values:
- PROJECT_ID is the ID of the project where your VPC network is located.
- NETWORK_URL is the URL of the VPC network that contains the routes to list.
For more information, refer to the routes.list method.
Custom dynamic routes are not shown by the list routes API. To view dynamic routes, you must query the status of the Cloud Router that learned the route. For more information, refer to the Cloud Router documentation.
Describe routes
To view details for system-generated and custom static routes, including destinations and next hops:
Console
- Go to the Routes page in the Google Cloud console.
- Click the name of a route.
gcloud
To view details for system-generated and custom static routes, use the following gcloud command, replacing ROUTE_NAME with the name of the route to inspect:
gcloud compute routes describe ROUTE_NAME --format="flattened()"
API
Describe a system-generated or custom static route to view its details.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes/ROUTE_NAME
Replace the placeholders with valid values:
- PROJECT_ID is the ID of the project where your route is located.
- ROUTE_NAME is the name of the route to describe.
For more information, refer to the routes.get method.
Routes for VMs
You can view applicable routes and effective routes from the perspective of a given network interface for a VM instance by following the instructions in this section. Effective routes are a subset of applicable routes that take routing order into consideration.
Applicable routes for a network interface
You can use the Google Cloud console to view applicable routes for a VM's network interface. This view narrows the list of routes that could be used for egress traffic.
To view applicable routes for a specific network interface of a VM, follow these steps:
- In the Google Cloud console, go to the VM instances page.
- Locate a VM instance in the list. In the More actions menu at the end of the row, select View network details.
- If an instance has multiple network interfaces, in the Network interface details section, select the network interface that you want to view.
- In the Firewall and routes details section, click the Routes tab to see all the routes that apply to the network interface, sorted by route name.
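The applicable/effective distinction above can be made concrete. The following is an added example (not code from this page or from Google Cloud) that models a VM interface's applicable routes (untagged routes plus routes carrying one of the VM's network tags) and then picks the effective route for a destination by longest prefix match, breaking ties on the priority value (in Google Cloud, a smaller number wins). The route table, next-hop labels and tags are constructed sample data.

```python
import ipaddress

# Constructed sample routes, using the field names this page refers to
# (destRange, priority, tags) plus a label for the next hop. Not real project data.
ROUTES = [
    {"name": "default-route",     "destRange": "0.0.0.0/0",      "priority": 1000, "tags": [],            "nextHop": "default-internet-gateway"},
    {"name": "subnet-route",      "destRange": "10.0.0.0/20",    "priority": 0,    "tags": [],            "nextHop": "subnet"},
    {"name": "to-onprem",         "destRange": "192.168.0.0/16", "priority": 1000, "tags": [],            "nextHop": "vpn-tunnel-a"},
    {"name": "to-onprem-via-nva", "destRange": "192.168.0.0/16", "priority": 900,  "tags": ["inspected"], "nextHop": "nva-instance"},
    {"name": "egress-via-proxy",  "destRange": "0.0.0.0/0",      "priority": 800,  "tags": ["proxied"],   "nextHop": "proxy-ilb"},
]


def applicable_routes(routes, vm_tags):
    """Routes a VM interface can use: every untagged route, plus tagged routes
    where at least one tag matches a network tag on the VM."""
    vm_tags = set(vm_tags)
    return [r for r in routes if not r["tags"] or set(r["tags"]) & vm_tags]


def effective_route(routes, vm_tags, dest_ip):
    """Select the route used for dest_ip from the applicable routes:
    longest matching prefix first, then the lowest priority value.
    Returns the route dict, or None when nothing matches. A tie on both
    prefix length and priority is left to Google Cloud and not resolved here."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = []
    for r in applicable_routes(routes, vm_tags):
        net = ipaddress.ip_network(r["destRange"])
        if ip.version == net.version and ip in net:
            candidates.append(r)
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r["destRange"]).prefixlen, r["priority"]))


if __name__ == "__main__":
    for tags, dst in ([], "192.168.5.5"), (["inspected"], "192.168.5.5"), (["proxied"], "8.8.8.8"):
        chosen = effective_route(ROUTES, tags, dst)
        print(f"tags={tags} dest={dst} -> {chosen['name']} via {chosen['nextHop']}")
```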
Add and remove routes
Add a static route
Follow these steps to create a new static route. Before doing so, make sure you are familiar with the following:
- Custom static routes cannot have destination ranges that match or are more specific than the destination ranges used by any subnet route in your VPC network.
- When using VPC Network Peering to connect two VPC networks, custom static routes in one network cannot have matching or more specific destinations than subnet routes in both of the networks. Google Cloud rejects custom static routes that would conflict with subnet routes in this way.
- To avoid conflicts when using an auto mode network, don't create static routes whose destinations fit within 10.128.0.0/9. Review the IP ranges reserved for auto mode networks for details.
- Destinations for custom static routes can't overlap with any internal allocated range.
- Make sure you're familiar with instances as next hops before you create a custom static route that uses a VM as its next hop. If you choose a next hop instance, Google Cloud only validates that the VM exists at the time you create the route.
- If you create a route using a network tag, then only VMs with that tag receive that route. However, tagged VMs still receive all routes that have no network tag.
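The destination constraints listed above can be checked before a route is submitted. The following is an added example (not code from this page or from Google Cloud) that tests a proposed destination against the subnet routes of the network and its peers, against internal allocated ranges, and against the 10.128.0.0/9 range reserved for auto mode networks. The subnet and allocated ranges passed in are constructed inputs.

```python
import ipaddress

# Range Google Cloud reserves for auto mode subnets (stated on this page).
AUTO_MODE_RESERVED = ipaddress.ip_network("10.128.0.0/9")


def check_static_route(dest_range, subnet_ranges, auto_mode=False, allocated_ranges=()):
    """Return the reasons a custom static route with this destination would be
    rejected by Google Cloud or should be avoided; an empty list means it passes.

    dest_range:       proposed destination, e.g. "192.168.0.0/16"
    subnet_ranges:    destinations of every subnet route in this VPC network and
                      in any network peered with it (constructed inputs here)
    auto_mode:        True if the network is an auto mode network
    allocated_ranges: internal allocated ranges the destination must not overlap
    """
    dest = ipaddress.ip_network(dest_range, strict=False)
    problems = []
    for cidr in subnet_ranges:
        subnet = ipaddress.ip_network(cidr, strict=False)
        # Equal to, or more specific than, a subnet route: Google Cloud rejects it.
        if dest.version == subnet.version and dest.subnet_of(subnet):
            problems.append(f"{dest} matches or is more specific than subnet route {subnet}")
    for cidr in allocated_ranges:
        alloc = ipaddress.ip_network(cidr, strict=False)
        # Any overlap with an internal allocated range is not allowed.
        if dest.version == alloc.version and dest.overlaps(alloc):
            problems.append(f"{dest} overlaps internal allocated range {alloc}")
    # Auto mode networks reserve 10.128.0.0/9 for subnets in new regions; avoid it.
    if auto_mode and dest.version == 4 and dest.subnet_of(AUTO_MODE_RESERVED):
        problems.append(f"{dest} fits within the auto mode reserved range {AUTO_MODE_RESERVED}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one local subnet, one peered subnet, auto mode network.
    for p in check_static_route("10.0.1.0/24", ["10.0.0.0/20", "10.8.0.0/20"], auto_mode=True):
        print(p)
```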
Console
- Go to the Routes page in the Google Cloud console.
- Click Create route.
- Specify a Name and a Description for the route.
- Select an existing Network where the route will apply.
- Specify a Destination IP range to define the destination of the route.
- Specify a Priority for the route. A priority is only used to determine routing order if routes have equivalent destinations. See static route parameters for more details.
- To make the route applicable only to select instances with matching network tags, specify those in the Instance tags field. Leave the field blank to make the route applicable to all instances in the network, or if you select an internal TCP/UDP load balancer as the route's next hop. Network tags don't apply to routes that have an internal TCP/UDP load balancer as a next hop.
- Select a Next hop for the route:
  - Default internet gateway creates a route to the Internet.
  - Specify an instance allows you to select an instance by name. Traffic will be routed to that instance (or any replacement instance with the same name in the same zone) even if its IP address changes.
  - Specify IP address allows you to enter an IP address of an existing instance in the VPC network. Refer to static route next hops for important restrictions on valid next hop IP addresses.
  - Specify VPN tunnel allows you to select an existing Cloud VPN tunnel as a next hop. The tunnel must use policy based routing or it must be a route based VPN.
  - Specify a forwarding rule name or IP address of an internal TCP/UDP load balancer reveals a text box that allows you to specify an existing internal TCP/UDP load balancer as a next hop.
  For more information about the different types of next hops, see Static route next hops in the Routes overview.
- Click Create.
gcloud
Create a new custom static route with the following gcloud command:
gcloud compute routes create ROUTE_NAME \
    --destination-range=DESTINATION_RANGE \
    --network=NETWORK \
    NEXT_HOP_SPECIFICATION
Replace the placeholders with valid values:
- ROUTE_NAME is the name of the route.
- DESTINATION_RANGE represents the destination IP addresses to which this route will apply. The broadest possible destination is 0.0.0.0/0.
- NETWORK is the name of the VPC network that will contain the route.
- NEXT_HOP_SPECIFICATION represents the next hop for the custom static route. You must specify only one of the following as a next hop:
  - --next-hop-gateway=default-internet-gateway: Use this next hop to send traffic outside of the VPC network, including to the Internet or to the IP addresses for Private Google Access.
  - --next-hop-instance=INSTANCE_NAME and --next-hop-instance-zone=ZONE: Use this next hop to direct traffic to an existing VM instance by name and zone. Traffic is sent to the primary internal IP address for the VM's network interface located in the same network as the route.
  - --next-hop-address=ADDRESS: Use this next hop to direct traffic to the IP address of an existing VM instance.
  - --next-hop-ilb=FORWARDING_RULE_NAME and --next-hop-ilb-region=REGION: Use this next hop with an internal TCP/UDP load balancer to distribute traffic to the load balancer, specified by internal forwarding rule name (or IP address) and region. The load balancer distributes traffic among healthy backends and is transparent to the clients, in a bump-in-the-wire fashion.
  - --next-hop-vpn-tunnel=VPN_TUNNEL_NAME and --next-hop-vpn-tunnel-region=REGION: Use this next hop to direct traffic to a Cloud VPN tunnel that uses static routing.
For more information about the different types of next hops, see Static route next hops in the Routes overview.
To make the custom static route only apply to select VMs by network tag, add the --tags flag and specify one or more network tags. For more information about how network tags and custom static routes work together, see Applicable routes in the Routes overview. You can use tags with any custom static route.
See the SDK documentation for additional information about the gcloud syntax.
API
Create a new custom static route.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes
{
  "destRange": "DESTINATION_RANGE",
  "name": "ROUTE_NAME",
  "network": "NETWORK_NAME",
  "priority": PRIORITY,
  "NEXT_HOP_SPECIFICATION": "VALUE"
}
Replace the placeholders with valid values:
- PROJECT_ID is the ID of the project where your route is created.
- DESTINATION_RANGE represents the destination IP addresses to which this route will apply. The broadest possible destination is 0.0.0.0/0.
- ROUTE_NAME is a name for the route.
- NETWORK_NAME is the name of the VPC network that will contain the route.
- The VALUE for the NEXT_HOP_SPECIFICATION represents the next hop for the custom static route. For NEXT_HOP_SPECIFICATION, you must specify only one of the following next-hop fields: nextHopIp, nextHopGateway, nextHopInstance, nextHopIlb, or nextHopVpnTunnel. For more information about the different types of next hops, see Static route next hops in the Routes overview.
For more information, refer to the routes.insert method.
Terraform
You can create a static route by using a Terraform module.
This static route creates a default route to the internet.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Add an IPv6 default route
The only supported IPv6 route is the default route (::/0), with the next-hop-gateway set to default-internet-gateway.
This route is automatically configured for the VPC network when you create a dual-stack subnet. You can delete the route to block all IPv6 traffic from VMs to the internet. You can recreate the route if needed.
Console
- Go to the Routes page in the Google Cloud console.
- Click Create route.
- Specify a Name and a Description for the route.
- Select an existing Network where the route will apply.
- For Destination IP range, enter ::/0.
- Specify a Priority for the route. A priority is only used to determine routing order if routes have equivalent destinations. See static route parameters for more details.
- For Next hop, select Default internet gateway.
- Click Create.
gcloud
Recreate the IPv6 default route for a network.
gcloud compute routes create ROUTE_NAME \
    --destination-range=::/0 \
    --network=NETWORK \
    --next-hop-gateway=default-internet-gateway
Replace the placeholders with valid values:
- ROUTE_NAME is a name for the route.
- NETWORK is the name of the VPC network that will contain the route.
API
Recreate the IPv6 default route for a network.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes
{
  "destRange": "::/0",
  "name": "ROUTE_NAME",
  "network": "NETWORK_NAME",
  "nextHopGateway": "projects/PROJECT_ID/global/gateways/default-internet-gateway"
}
Replace the placeholders with valid values:
- PROJECT_ID is the ID of the project where your route is created.
- ROUTE_NAME is a name for the route.
- NETWORK_NAME is the name of the VPC network that will contain the route.
Delete routes
You can delete a system-generated default route or any custom static route. For other types of routes:
- You cannot delete a subnet route unless you delete the corresponding subnet.
- To delete a dynamic route learned by a Cloud Router, you need to configure its BGP peer router to stop advertising the route.
- To delete an IPv6 default route, use the Google Cloud CLI or API instructions. If you delete the default route for IPv6, VMs cannot connect to VMs in other regions using their IPv6 addresses.
Console
- Go to the Routes page in the Google Cloud console.
- Select the checkbox next to the route you want to delete.
- Click Delete.
- Click Delete again to confirm.
gcloud
Delete a custom static route using the following gcloud command, replacing ROUTE_NAME with the name of the route to be removed:
gcloud compute routes delete ROUTE_NAME
API
Delete a custom static route to remove it from your VPC network.
DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes/ROUTE_NAME
Replace the placeholders with valid values:
- PROJECT_ID is the ID of the project where your route is located.
- ROUTE_NAME is the name of the route to delete.
For more information, refer to the routes.delete method.
Order of operations
When you make a request to add or delete a route, your changes are staged and then propagated to instances in your network using an eventually consistent design. Change requests with either PENDING or RUNNING status indicate that the request has not yet been processed. After processing, the status of the change request is DONE.
If you make a sequence of change requests, the changes can be applied in any order. There is no guarantee that the order in which you submit change requests will be the order in which they are processed. Further, different instances might become aware of the changes at different times.
Enable IP forwarding for instances
By default, Google Cloud performs strict source and destination checking for packets so that:
- A VM instance can only send packets whose source matches an internal IP address of its interface in the network.
- Packets are only delivered to an instance if their destination matches the IP address of the instance's interface in the network.
As a result, by default a VM cannot forward a packet originated by another VM.
To use a VM as a next hop for a route, the VM needs to receive packets whose destinations are not its own. Because it forwards those packets, their sources will also differ from its own internal IP address. To accomplish this, you must enable IP forwarding for the VM. When IP forwarding is enabled, Google Cloud does not enforce packet source and destination checking.
You can enable IP forwarding when you create a VM, or by updating the canIpForward instance property on an existing VM. IP forwarding is enabled at the VM level and applies to all interfaces attached to the VM.
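Because Google Cloud checks only that a next-hop VM exists when the route is created, a VM that was rebuilt or never had canIpForward set will silently drop the traffic routed through it. The following is an added example (not code from this page or from Google Cloud) that cross-checks route and instance listings for that mismatch; the two JSON documents are constructed samples shaped like the fields of the Compute Engine route and instance resources named on this page (nextHopInstance, canIpForward), and the project, zone and instance names in them are placeholders.

```python
import json

# Constructed sample shaped like a routes list (only the fields used here).
ROUTES_JSON = """[
  {"name": "to-onprem-via-nva", "destRange": "192.168.0.0/16",
   "nextHopInstance": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-a/instances/nva-1"},
  {"name": "default-route", "destRange": "0.0.0.0/0",
   "nextHopGateway": "https://www.googleapis.com/compute/v1/projects/demo-project/global/gateways/default-internet-gateway"},
  {"name": "to-dmz-via-fw", "destRange": "172.16.0.0/12",
   "nextHopInstance": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-a/instances/fw-1"}
]"""

# Constructed sample shaped like an instances list (only the fields used here).
INSTANCES_JSON = """[
  {"name": "nva-1", "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-a", "canIpForward": true},
  {"name": "fw-1",  "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-a", "canIpForward": false}
]"""


def instance_key(url):
    """'.../zones/ZONE/instances/NAME' -> (ZONE, NAME); routes name the VM by zone and name."""
    parts = url.rstrip("/").split("/")
    return parts[-3], parts[-1]


def next_hop_instances_without_forwarding(routes, instances):
    """Return names of routes whose next-hop VM is missing or has canIpForward
    disabled. Either way, packets sent to that VM for other destinations are dropped."""
    forwarding = {}
    for inst in instances:
        zone = inst["zone"].rstrip("/").split("/")[-1]
        forwarding[(zone, inst["name"])] = bool(inst.get("canIpForward", False))
    flagged = []
    for route in routes:
        hop = route.get("nextHopInstance")
        if hop is None:
            continue  # gateway, IP, ILB and VPN next hops are not subject to this check
        if not forwarding.get(instance_key(hop), False):
            flagged.append(route["name"])
    return flagged


def audit(routes_json=ROUTES_JSON, instances_json=INSTANCES_JSON):
    return next_hop_instances_without_forwarding(json.loads(routes_json), json.loads(instances_json))


if __name__ == "__main__":
    print("routes with a next-hop VM that cannot forward:", audit())
```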
Enable IP forwarding when creating a VM
These instructions describe how to enable IP forwarding when you create a VM. If you need to enable IP forwarding on an existing VM, update the canIpForward instance property.
Console
- Go to the VM instances page.
- Click Create instance.
- Expand the Networking, disks, security, management, sole-tenancy section.
- Expand the Networking section.
- In the IP forwarding section, select Enable.
After you have enabled IP forwarding, continue with the VM creation process.
gcloud
When creating an instance using gcloud, add the --can-ip-forward flag to your command:
gcloud compute instances create ... --can-ip-forward
API
When creating an instance, use the canIpForward field to enable IP forwarding.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
  "canIpForward": true,
  ...other fields
}
Replace the placeholders with valid values:
- PROJECT_ID is the ID of the project where your instance will be created.
- ZONE is the Google Cloud zone where the instance will be created.
For more information, refer to the instances.insert method.
Terraform
You can use the Terraform resource to create a VM instance with IP forwarding enabled.
In this example, the Terraform arguments have assigned values that you can change.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
What's next
- For information about routes, see Routes.
- For information about Google Cloud VPC networks, see the Virtual Private Cloud (VPC) overview.
- For instructions about creating and modifying VPC networks, see Create and manage VPC networks.