Using Routes

This page describes how to create and manage routes for Google Cloud Platform (GCP) VPC networks. This page assumes that you are familiar with the different types of GCP routes and their characteristics as described in the Routes Overview.

Every new network has two types of system-generated routes: a default route, which you can remove or replace, and one subnet route for each of its subnets. You cannot remove a subnet route unless you delete the corresponding subnet itself.

In addition to the system-generated routes, you can create other custom static routes.

Inspecting routes

Listing routes

You can view routes using either of these methods:

Console

To list routes for all networks:

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. You can use the Filter routes text box to limit the routes shown. For example, you can type the name of a VPC network and press enter to show the routes for a specific network.
  3. The All tab shows all types of routes. To view just custom dynamic routes, click the Dynamic tab.

To view the routes that apply to a specific network interface of a VM:

  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Locate a VM instance in the list. In its more actions menu, select View network details.
  3. If an instance has multiple network interfaces, select the network interface to view in the Network interface details section.
  4. Click the Routes tab to see all the routes that apply to the network interface.

gcloud

To list default routes, subnet routes, and custom static routes, use the following gcloud command, replacing [NETWORK-NAME] with the name of your network:

gcloud compute routes list --filter="network=[NETWORK-NAME]"

Custom dynamic routes are not shown by gcloud compute routes list. To view dynamic routes, you must query the status for the Cloud Router that learned the route. Use the following command as a template, replacing [CLOUD-ROUTER-NAME] with the name of a Cloud Router and [REGION] with its region:

gcloud compute routers get-status [CLOUD-ROUTER-NAME] \
    --region [REGION] \
    --format="flattened(result.bestRoutes)"

Describing routes

System-generated and custom static routes: To view details for these types of routes, including destinations and next hops:

Console

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. Click the name of a route.

gcloud

Use the following gcloud command, replacing [ROUTE-NAME] with the name of the route to inspect:

gcloud compute routes describe [ROUTE-NAME] --format="flattened()"

Adding and removing routes

Adding a static route

Follow these steps to create a new static route. Before doing so, make sure you are familiar with the following:

  • Custom static routes cannot have destination ranges that match or are more specific than the destination ranges used by any subnet route in your VPC network.

    • When using VPC Network Peering to connect two VPC networks, custom static routes in one network cannot have matching or more specific destinations than subnet routes in both of the networks. GCP rejects custom static routes that would conflict with subnet routes in this way.
  • To avoid conflicts when using an auto mode network, don't create static routes whose destinations fit within 10.128.0.0/9. Review the IP ranges reserved for auto mode networks for details.
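A pre-flight check for the two restrictions above, written as an added example and not part of the original page or of GCP tooling. The function name, its parameters and the sample ranges are assumptions made for illustration; feed it the subnet ranges of your own network and of any peered network.

```python
import ipaddress

# Range reserved for auto mode networks, as stated on this page.
AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")


def check_static_route(dest_range, subnet_ranges, peer_subnet_ranges=(), auto_mode=False):
    """Return the reasons a proposed destination range would be a problem."""
    try:
        # strict=True rejects ranges with host bits set, such as 10.0.1.5/24.
        dest = ipaddress.ip_network(dest_range, strict=True)
    except ValueError as exc:
        return [f"invalid destination range: {exc}"]
    problems = []
    for origin, ranges in (("local", subnet_ranges), ("peered", peer_subnet_ranges)):
        for cidr in ranges:
            subnet = ipaddress.ip_network(cidr)
            # "Match or more specific" means the destination lies entirely
            # inside the subnet range. A broader destination is not a conflict.
            if dest.version == subnet.version and dest.subnet_of(subnet):
                problems.append(f"conflicts with {origin} subnet route {subnet}")
    if auto_mode and dest.version == 4 and dest.subnet_of(AUTO_MODE_RANGE):
        problems.append(f"falls within auto mode range {AUTO_MODE_RANGE}")
    return problems


if __name__ == "__main__":
    # Constructed sample ranges, not taken from a real network.
    local = ["10.0.1.0/24", "10.0.2.0/24"]
    peered = ["192.168.0.0/16"]
    for candidate in ("10.0.1.128/25", "192.168.5.0/24", "10.0.0.0/8", "10.0.1.5/24"):
        print(candidate, check_static_route(candidate, local, peered) or "ok")
```
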

Console

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. Click Create route.
  3. Specify a Name and a Description for the route.
  4. Select an existing Network where the route will apply.
  5. Specify a Destination IP range to define the destination of the route.
  6. Specify a Priority for the route. A priority is only used to determine routing order if routes have equivalent destinations. See static route parameters for more details.
  7. To make the route applicable only to select instances with matching network tags, specify those in the Instance tags field. Leave the field blank to make the route applicable to all instances in the network.
  8. Select a Next hop for the route:
    • Default internet gateway creates a route to the Internet.
    • Specify an instance allows you to select an instance by name. Traffic will be routed to that instance (or any replacement instance with the same name in the same zone) even if its IP address changes.
    • Specify IP address allows you to enter an IP address of an existing instance in the VPC network. Refer to static route next hops for important restrictions on valid next hop IP addresses.
    • Specify VPN tunnel allows you to select an existing Cloud VPN tunnel as a next hop. The tunnel must use policy based routing or it must be a route based VPN.
  9. Click Create.

gcloud

gcloud compute routes create [ROUTE] \
    --destination-range [DEST_RANGE] \
    --network [NETWORK] \
    [--tags=TAG,[TAG,…]] \
    [--next-hop-address=[ADDRESS]] |
    [--next-hop-gateway=default-internet-gateway] |
    [--next-hop-instance=[INSTANCE_NAME]] |
    [--next-hop-vpn-tunnel=[VPN_TUNNEL]]

  • --destination-range=[DEST_RANGE] - The destination range of outgoing packets that the route will apply to. The broadest possible destination is 0.0.0.0/0.
  • --network - The network the route applies to.
  • --tags - You can restrict which VMs the route applies to by specifying one or more tags. Only traffic leaving a VM with one of those tags will use the tagged route.

One and only one of the following must be specified for a given route:

  • --next-hop-address=[ADDRESS] - specify the --next-hop-address flag and an IP address if you want the route to send traffic to that IP address.
  • --next-hop-gateway=default-internet-gateway - specify this flag and the default-internet-gateway parameter if you want the route to send packets out of the network via the subnet's default gateway.
  • --next-hop-instance=[INSTANCE_NAME] - specify this flag and the name of an instance if you want the route to forward traffic to a particular instance.
  • --next-hop-vpn-tunnel=[VPN_TUNNEL] - specify this flag and a tunnel name if you want the route to send traffic to a Cloud VPN tunnel.

See the SDK documentation for more details.

Deleting routes

You can delete a system-generated default route or any custom static route. For other types of routes:

  • You cannot delete a subnet route unless you delete the corresponding subnet.

  • To delete a dynamic route learned by a Cloud Router, you need to configure its BGP peer router to stop advertising the route.

Console

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. Select the checkbox next to the route you want to delete.
  3. Click Delete.
  4. Click Delete again to confirm.

gcloud

gcloud compute routes delete [ROUTE]

Order of operations

When you make a request to add or delete a route, your changes are staged then propagated to instances in your network using an eventually consistent design. Change requests with either PENDING or RUNNING status indicate that the request has not yet been processed. After processing, the status of the change request is DONE.

If you make a sequence of change requests, the changes can be applied in any order. There is no guarantee that the order in which you submit change requests will be the order in which they are processed. Further, different instances might become aware of the changes at different times.

Enabling IP forwarding for instances

By default, GCP performs strict source and destination checking for packets so that:

  • A VM instance can only send packets whose sources match an internal IP address of its interface in the network.
  • Packets are only delivered to an instance if their destinations match the IP address of the instance's interface in the network.

To use a VM as a next hop for a route, the VM necessarily needs to receive packets having destinations other than itself. Because it forwards those packets, their sources will be different from its own internal IP. To accomplish this, you must enable IP forwarding for the VM. When IP forwarding is enabled, GCP does not enforce packet source and destination checking.

Console

  1. Go to the VM instances page.
  2. Click Create instance.
  3. Click Management, disks, networking, SSH keys.
  4. Click Networking.
  5. Select a network interface by clicking the edit button.
  6. For the network interface, choose On from the IP forwarding menu.
  7. Specify any other instance parameters.
  8. Click Create.

gcloud

When creating an instance with the gcloud command-line tool, add the --can-ip-forward flag like this:

gcloud compute instances create ... --can-ip-forward
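Because IP forwarding switches off source and destination checking, it is worth cross-checking which instances have it enabled against which instances routes actually use as next hops. The following audit is an added example, not part of the original page; the sample records are constructed in the shape of `gcloud compute routes list --format=json` and `gcloud compute instances list --format=json` output, and the project, zone, instance and route names are placeholders.

```python
# Constructed sample data; project, zone and resource names are placeholders.
BASE = "https://www.googleapis.com/compute/v1/projects/example-project"
ZONE = BASE + "/zones/us-central1-a/instances/"
ROUTES = [
    {"name": "to-onprem", "destRange": "172.16.0.0/12", "nextHopInstance": ZONE + "nat-gw"},
    {"name": "to-lab", "destRange": "192.168.50.0/24", "nextHopIp": "10.0.1.7"},
    {"name": "default", "destRange": "0.0.0.0/0",
     "nextHopGateway": BASE + "/global/gateways/default-internet-gateway"},
]
INSTANCES = [
    {"name": "nat-gw", "selfLink": ZONE + "nat-gw", "canIpForward": True,
     "networkInterfaces": [{"networkIP": "10.0.1.5"}]},
    {"name": "lab-router", "selfLink": ZONE + "lab-router", "canIpForward": False,
     "networkInterfaces": [{"networkIP": "10.0.1.7"}]},
    {"name": "web-1", "selfLink": ZONE + "web-1", "canIpForward": True,
     "networkInterfaces": [{"networkIP": "10.0.1.9"}]},
]


def audit_ip_forwarding(routes, instances):
    """Return (broken, unused).

    broken: next-hop instances without IP forwarding, mapped to the routes using them.
    unused: instances with IP forwarding enabled that no route uses as a next hop.
    Instance names are assumed unique here; key on selfLink across zones.
    """
    by_link = {i["selfLink"]: i for i in instances}
    by_ip = {nic["networkIP"]: i for i in instances
             for nic in i.get("networkInterfaces", [])}
    next_hops = {}  # instance name -> names of routes that point at it
    for route in routes:
        inst = by_link.get(route.get("nextHopInstance")) or by_ip.get(route.get("nextHopIp"))
        if inst:
            next_hops.setdefault(inst["name"], []).append(route["name"])
    forwarding = {i["name"] for i in instances if i.get("canIpForward")}
    broken = {name: rts for name, rts in next_hops.items() if name not in forwarding}
    unused = sorted(forwarding - set(next_hops))
    return broken, unused


if __name__ == "__main__":
    broken, unused = audit_ip_forwarding(ROUTES, INSTANCES)
    print("next hops without IP forwarding:", broken)
    print("IP forwarding enabled but not a next hop:", unused)
```

Instances in the second list are candidates for review rather than confirmed misconfigurations, since this audit only sees static routes.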
