Using Routes

This page describes how to create and manage routes for Google Cloud Platform (GCP) VPC networks. This page assumes that you are familiar with the different types of GCP routes and their characteristics as described in the Routes Overview.

Every new network has two types of system-generated routes: a default route, which you can remove or replace, and one subnet route for each of its subnets. You cannot remove a subnet route unless you delete the corresponding subnet itself.

In addition to the system-generated routes, you can create other custom static routes.

Inspecting routes

Listing routes for VPC networks

You can view routes using either of these methods:

Console

To list routes for all networks:

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. You can use the Filter routes text box to limit the routes shown. For example, you can type the name of a VPC network and press enter to show the routes for a specific network.
  3. The All tab shows all types of routes. To view just custom dynamic routes, click the Dynamic tab.

gcloud

To list default routes, subnet routes, and custom static routes, use the following gcloud command, replacing [NETWORK_NAME] with the name of your network:

gcloud compute routes list --filter="network=[NETWORK_NAME]"

Custom dynamic routes are not shown by gcloud compute routes list. To view dynamic routes, you must query the status of the Cloud Router that learned the route. Use the following command as a template, replacing [CLOUD_ROUTER_NAME] with the name of a Cloud Router and [REGION] with its region:

gcloud compute routers get-status [CLOUD_ROUTER_NAME] \
    --region=[REGION] \
    --format="flattened(result.bestRoutes)"

Describing routes

To view details for system-generated and custom static routes, including destinations and next hops:

Console

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. Click the name of a route.

gcloud

To view details for system generated and custom static routes, use the following gcloud command, replacing [ROUTE_NAME] with the name of the route to inspect:

gcloud compute routes describe [ROUTE_NAME] --format="flattened()"

Routes for VMs

You can view applicable routes and effective routes from the perspective of a given network interface for a VM instance by following the instructions in this section. Effective routes are a subset of applicable routes that take routing order into consideration.

Applicable routes for a network interface

You can use the GCP Console to view applicable routes for a VM's network interface. This view narrows the list of routes that could be used for egress traffic.

To view applicable routes for a specific network interface of a VM:

  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Locate a VM instance in the list. In its more actions menu, select View network details.
  3. If an instance has multiple network interfaces, select the network interface to view in the Network interface details section.
  4. Click the Routes tab to see all the routes that apply to the network interface, sorted by route name.

Route analysis and effective routes

Route analysis helps you determine effective routes, taking applicable routes and routing order into consideration. Routes are listed by destination IP range, so you can tell which applicable route will be used to send traffic to a given destination range.

For example, a network interface might use more than one applicable route. Refer to routing order on the Routes Overview for more information.

To view the routes based on applicability and routing order, use route analysis:

  1. Go to the VM instances page in the Google Cloud Platform Console and find the instance to view.
  2. In the instance's more actions menu, select View network details.
  3. If an instance has multiple network interfaces, select the network interface to view in the Network interface details section.
  4. In the Network Analysis section, select the Route analysis tab.
  5. View the table, which is sorted from the most specific to least specific IP address range, to determine what route applies for a given destination range.

Example output of the routes analysis tab is:

[Figure: Effective routes for a VM instance, as shown on the Route analysis tab]
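The route analysis described above can be reproduced offline. The following added example (not code from the page or from Google) implements the two selection rules the page states: among the routes applicable to an interface, the most specific destination wins, and priority only breaks ties between routes with equivalent destinations. Lower numeric priority wins, as GCP defines it. The route table, instance tags and next hops are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                       # destination IP range in CIDR form
    next_hop: str                   # descriptive label only (constructed)
    priority: int = 1000            # GCP default; lower number wins among equal destinations
    tags: frozenset = frozenset()   # empty set means the route applies to every instance


def applicable_routes(routes, instance_tags):
    """Routes that apply to an interface: untagged routes plus those sharing a network tag."""
    return [r for r in routes if not r.tags or r.tags & instance_tags]


def effective_route(routes, instance_tags, destination):
    """Pick the route the interface would use for one destination address.

    Longest prefix wins first; priority is consulted only when destinations are equal.
    If two routes still tie, GCP spreads traffic across them (ECMP); this example
    simply returns the first of the tied routes.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in applicable_routes(routes, instance_tags)
                  if dst in ipaddress.ip_network(r.dest)]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))
    return candidates[0]


# Constructed sample route table for one VPC network (not taken from the page).
SAMPLE_ROUTES = [
    Route("default-route-internet", "0.0.0.0/0", "default-internet-gateway"),
    Route("default-route-subnet-a", "10.128.0.0/20", "subnet 10.128.0.0/20"),
    Route("to-onprem-via-vpn", "192.168.0.0/16", "vpn tunnel-1", priority=1000),
    Route("to-onprem-via-nat-vm", "192.168.0.0/16", "instance nat-gw", priority=900),
    Route("egress-via-proxy", "0.0.0.0/0", "instance proxy-vm", priority=500,
          tags=frozenset({"proxied"})),
]

if __name__ == "__main__":
    for tags in (frozenset(), frozenset({"proxied"})):
        for ip in ("10.128.0.5", "192.168.10.1", "8.8.8.8"):
            r = effective_route(SAMPLE_ROUTES, tags, ip)
            print(f"tags={set(tags) or '{}'} {ip:>14} -> {r.name} via {r.next_hop}")
```

Note that for 192.168.10.1 the tagged, priority-500 proxy route never wins: its 0.0.0.0/0 destination is less specific than the two /16 routes, so only their priorities are compared.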

Adding and removing routes

Adding a static route

Follow these steps to create a new static route. Before doing so, make sure you are familiar with the following:

  • Custom static routes cannot have destination ranges that match or are more specific than the destination ranges used by any subnet route in your VPC network.

    • When using VPC Network Peering to connect two VPC networks, custom static routes in one network cannot have matching or more specific destinations than subnet routes in both of the networks. GCP rejects custom static routes that would conflict with subnet routes in this way.
  • To avoid conflicts when using an auto mode network, don't create static routes whose destinations fit within 10.128.0.0/9. Review the IP ranges reserved for auto mode networks for details.

  • Destinations for custom static routes can't overlap with any internal allocated range.
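The three rules above can be checked before a route is submitted. The following added example (not code from the page or from Google) validates a proposed destination against local subnet routes, the subnet routes of a peered network, the auto mode reserved range 10.128.0.0/9, and any internal allocated ranges; the subnet and allocated ranges passed in below are constructed sample values.

```python
import ipaddress

# Range reserved for subnets of auto mode networks (from the page).
AUTO_MODE_RESERVED = ipaddress.ip_network("10.128.0.0/9")


def check_static_route(destination, subnet_ranges, peered_subnet_ranges=(),
                       allocated_ranges=(), auto_mode=False):
    """Return a list of reasons a custom static route destination would be rejected
    or is inadvisable. An empty list means the destination passes every rule."""
    try:
        dest = ipaddress.ip_network(destination)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"{destination!r} is not a valid CIDR range: {exc}"]
    problems = []
    # Rule 1 and 2: destination must not match or be more specific than any subnet
    # route, in this network or in a peered network. "Matches or is more specific"
    # is exactly "lies entirely inside the subnet range".
    for label, ranges in (("local", subnet_ranges), ("peered", peered_subnet_ranges)):
        for cidr in ranges:
            subnet = ipaddress.ip_network(cidr)
            if dest.version == subnet.version and dest.subnet_of(subnet):
                problems.append(f"{dest} matches or is more specific than "
                                f"{label} subnet route {subnet}")
    # Rule 3: in an auto mode network, avoid destinations that fit within 10.128.0.0/9,
    # because future auto-created subnets would conflict with them.
    if auto_mode and dest.version == 4 and dest.subnet_of(AUTO_MODE_RESERVED):
        problems.append(f"{dest} fits within the auto mode reserved range {AUTO_MODE_RESERVED}")
    # Rule 4: no overlap at all with an internal allocated range.
    for cidr in allocated_ranges:
        alloc = ipaddress.ip_network(cidr)
        if dest.version == alloc.version and dest.overlaps(alloc):
            problems.append(f"{dest} overlaps internal allocated range {alloc}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one local subnet, one peered subnet, one allocated range.
    for candidate in ("10.128.1.0/24", "10.0.0.0/8", "192.168.0.0/24", "172.16.5.0/24"):
        issues = check_static_route(candidate, ["10.128.0.0/20"],
                                    peered_subnet_ranges=["192.168.0.0/16"],
                                    allocated_ranges=["172.16.0.0/12"], auto_mode=True)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```

A broader destination such as 10.0.0.0/8 passes even though it contains a subnet, because the more specific subnet route wins by routing order rather than conflicting.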

Console

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. Click Create route.
  3. Specify a Name and a Description for the route.
  4. Select an existing Network where the route will apply.
  5. Specify a Destination IP range to define the destination of the route.
  6. Specify a Priority for the route. A priority is only used to determine routing order if routes have equivalent destinations. See static route parameters for more details.
  7. To make the route applicable only to select instances with matching network tags, specify those in the Instance tags field. Leave the field blank to make the route applicable to all instances in the network.
  8. Select a Next hop for the route:
    • Default internet gateway creates a route to the Internet.
    • Specify an instance allows you to select an instance by name. Traffic will be routed to that instance (or any replacement instance with the same name in the same zone) even if its IP address changes.
    • Specify IP address allows you to enter an IP address of an existing instance in the VPC network. Refer to static route next hops for important restrictions on valid next hop IP addresses.
    • Specify VPN tunnel allows you to select an existing Cloud VPN tunnel as a next hop. The tunnel must use policy based routing or it must be a route based VPN.
  9. Click Create.

gcloud

Create a new custom static route with the following gcloud command:

gcloud compute routes create [ROUTE_NAME] \
    --destination-range=[DESTINATION_RANGE] \
    --network=[NETWORK] \
    [NEXT_HOP_SPECIFICATION]

Replace the placeholders with valid values:

  • [ROUTE_NAME] is the name of the route.
  • [DESTINATION_RANGE] represents the destination IP addresses to which this route will apply. The broadest possible destination is 0.0.0.0/0.
  • [NETWORK] is the name of the VPC network that will contain the route.
  • [NEXT_HOP_SPECIFICATION] represents the next hop for the custom static route. You must specify only one of the following as a next hop. For more information about the different types of next hops, see Static route next hops in the Routes Overview.
    • --next-hop-gateway=default-internet-gateway: Use this next hop to send traffic outside of the VPC network, including to the Internet or to the IP addresses for Private Google Access.
    • --next-hop-instance=[INSTANCE_NAME] and --next-hop-instance-zone=[ZONE]: Use this next hop to direct traffic to an existing VM instance by name and zone. Traffic is sent to the primary internal IP address for the VM's network interface located in the same network as the route. See instances as next hops for considerations for the destination VM.
    • --next-hop-address=[ADDRESS]: Use this next hop to direct traffic to the IP address of an existing VM instance. See instances as next hops for considerations for the destination VM.
    • --next-hop-vpn-tunnel=[VPN_TUNNEL_NAME] and --next-hop-vpn-tunnel-region=[REGION]: Use this next hop to direct traffic to a Cloud VPN tunnel that uses static routing.

To make the custom static route only apply to select VMs by network tag, add the --tags flag and specify one or more network tags. For more information about how network tags and custom static routes work together, see Applicable routes in the Routes Overview.

See the SDK documentation for additional information about the gcloud syntax.

Deleting routes

You can delete a system-generated default route or any custom static route. For other types of routes:

  • You cannot delete a subnet route unless you delete the corresponding subnet.

  • To delete a dynamic route learned by a Cloud Router, you need to configure its BGP peer router to stop advertising the route.

Console

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. Select the checkbox next to the route you want to delete.
  3. Click Delete.
  4. Click Delete again to confirm.

gcloud

Delete a custom static route using the following gcloud command, replacing [ROUTE_NAME] with the name of the route to be removed:

gcloud compute routes delete [ROUTE_NAME]

Order of operations

When you make a request to add or delete a route, your changes are staged then propagated to instances in your network using an eventually consistent design. Change requests with either PENDING or RUNNING status indicate that the request has not yet been processed. After processing, the status of the change request is DONE.

If you make a sequence of change requests, the changes can be applied in any order. There is no guarantee that the order in which you submit change requests will be the order in which they are processed. Further, different instances might become aware of the changes at different times.

Enabling IP forwarding for instances

By default, GCP performs strict source and destination checking for packets so that:

  • VM instances can only send packets whose source address matches an internal IP address of their own interface in the network.
  • Packets are only delivered to an instance if their destinations match the IP address of the instance's interface in the network.

So by default, a VM cannot forward a packet originated by another VM.

To use a VM as a next hop for a route, the VM must be able to receive packets whose destination is not its own address. Because it forwards those packets, their source addresses will also differ from its own internal IP. To allow this, you must enable IP forwarding for the VM. When IP forwarding is enabled, GCP does not enforce packet source and destination checking for that VM.

Console

  1. Go to the VM instances page.
  2. Click Create instance.
  3. Click Management, disks, networking, SSH keys.
  4. Click Networking.
  5. Select a network interface by clicking the edit button.
  6. For the network interface, choose On from the IP forwarding menu.
  7. Specify any other instance parameters.
  8. Click Create.

gcloud

When creating an instance using gcloud, add the --can-ip-forward flag to your command:

gcloud compute instances create ... --can-ip-forward
