Using routes

This page describes how to create and manage routes for Google Cloud VPC networks. It assumes that you are familiar with the different types of Google Cloud routes and their characteristics as described in the Routes Overview.

Every new network has two types of system-generated routes: a default route, which you can remove or replace, and one subnet route for each of its subnets. You cannot remove a subnet route unless you delete the corresponding subnet itself.

In addition to the system-generated routes, you can create other custom static routes.

Inspecting routes

Listing routes for VPC networks

You can view routes using either of these methods:

Console

To list routes for all networks:

  1. Go to the Routes page in the Google Cloud Console.
  2. You can use the Filter routes text box to limit the routes shown. For example, you can type the name of a VPC network and press enter to show the routes for a specific network.
  3. The All tab shows all types of routes. To view just custom dynamic routes, click the Dynamic tab.

gcloud

To list default routes, subnet routes, and custom static routes, use the following gcloud command, replacing NETWORK_NAME with the name of your network:

gcloud compute routes list --filter="network=NETWORK_NAME"

Custom dynamic routes are not shown by gcloud compute routes list. To view dynamic routes, you must query the status of the Cloud Router that learned the route. Use the following command as a template, replacing CLOUD_ROUTER_NAME with the name of a Cloud Router and REGION with its region:

gcloud compute routers get-status CLOUD_ROUTER_NAME \
    --region=REGION \
    --format="flattened(result.bestRoutes)"

API

List default routes, subnet routes, and custom static routes in your VPC network.

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes?filter=network="NETWORK_URL"

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where your VPC network is located.
  • NETWORK_URL is the URL of the VPC network that contains the routes to list.

For more information, refer to the routes.list method.

Custom dynamic routes are not shown by the list routes API. To view dynamic routes, you must query the status of the Cloud Router that learned the route. For more information, refer to the Cloud Router documentation.

Describing routes

To view details for system-generated and custom static routes, including destinations and next hops:

Console

  1. Go to the Routes page in the Google Cloud Console.
  2. Click the name of a route.

gcloud

To view details for system generated and custom static routes, use the following gcloud command, replacing ROUTE_NAME with the name of the route to inspect:

gcloud compute routes describe ROUTE_NAME --format="flattened()"

API

Describe a system-generated or custom static route to view its details.

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes/ROUTE_NAME

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where your route is located.
  • ROUTE_NAME is the name of the route to describe.

For more information, refer to the routes.get method.

Routes for VMs

You can view applicable routes and effective routes from the perspective of a given network interface for a VM instance by following the instructions in this section. Effective routes are a subset of applicable routes that take routing order into consideration.

Applicable routes for a network interface

You can use the Cloud Console to view applicable routes for a VM's network interface. This view narrows the list of routes that could be used for egress traffic.

To view applicable routes for a specific network interface of a VM:

  1. Go to the VM instances page in the Google Cloud Console.
  2. Locate a VM instance in the list. In its more actions menu, select View network details.
  3. If an instance has multiple network interfaces, select the network interface to view in the Network interface details section.
  4. Click the Routes tab to see all the routes that apply to the network interface, sorted by route name.

Route analysis and effective routes

Route analysis helps you determine effective routes, taking applicable routes and routing order into consideration. Routes are listed by destination IP range, so you can tell which applicable route will be used to send traffic to a given destination range.

For example, several applicable routes might contain the same destination address; routing order decides which of them the interface actually uses. Refer to routing order on the Routes Overview for more information.

To view the routes based on applicability and routing order, use route analysis:

  1. Go to the VM instances page in the Google Cloud Console and find the instance to view.
  2. In the instance's more actions menu, select View network details.
  3. If an instance has multiple network interfaces, select the network interface to view in the Network interface details section.
  4. In the Network Analysis section, select the Route analysis tab.
  5. View the table, which is sorted from the most specific to least specific IP address range, to determine what route applies for a given destination range.

Example output of the Route analysis tab:

Figure: Effective routes for a VM instance
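The routing order that the Route analysis tab applies can be reproduced offline from the output of `gcloud compute routes list --format=json`. The following Python script is an added example written for this page, not Google's own code; the route list in it is constructed for illustration, and the tag, name and next-hop values are assumptions. It first narrows the routes to those applicable to an interface (untagged routes, plus tagged routes whose tag the VM carries), then, for a destination address, keeps the most specific destination range and, among equal ranges, the lowest priority value; whatever remains tied is a set of equal-cost next hops. It also builds the per-destination table the console shows, most specific range first.

```python
import ipaddress

# Constructed sample of routes for one VPC network, in the shape of
# `gcloud compute routes list --format=json` (only the fields used here).
# Illustrative values for this example, not output from a real project.
SAMPLE_ROUTES = [
    {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": "default-internet-gateway"},
    {"name": "subnet-route-a", "destRange": "10.10.0.0/20", "priority": 0,
     "nextHopNetwork": "vpc-a"},
    {"name": "onprem-via-vpn", "destRange": "192.168.0.0/16", "priority": 1000,
     "nextHopVpnTunnel": "tunnel-1"},
    # Tagged route: only VMs carrying the "inspect" network tag use it.
    {"name": "onprem-via-nva", "destRange": "192.168.0.0/16", "priority": 900,
     "nextHopInstance": "nva-1", "tags": ["inspect"]},
    {"name": "corp-dns-via-ilb", "destRange": "192.168.53.0/24", "priority": 1000,
     "nextHopIlb": "fr-nva-ilb"},
    # Two routes with identical destination and priority: equal-cost next hops.
    {"name": "partner-via-nva-1", "destRange": "172.16.0.0/12", "priority": 1000,
     "nextHopIp": "10.10.0.10"},
    {"name": "partner-via-nva-2", "destRange": "172.16.0.0/12", "priority": 1000,
     "nextHopIp": "10.10.0.11"},
]


def applicable_routes(routes, vm_tags):
    """Routes that apply to an interface: untagged routes apply to every VM,
    tagged routes only to VMs carrying at least one of the listed tags."""
    vm_tags = set(vm_tags)
    return [r for r in routes if not r.get("tags") or vm_tags & set(r["tags"])]


def effective_routes(routes, vm_tags, dst_ip):
    """Routing order: among applicable routes whose destination contains
    dst_ip, the most specific range wins; among equal ranges the lowest
    priority value wins; anything still tied is a set of equal-cost next hops.
    Returns the sorted names of the winning route(s)."""
    ip = ipaddress.ip_address(dst_ip)
    cands = [r for r in applicable_routes(routes, vm_tags)
             if ip in ipaddress.ip_network(r["destRange"])]
    if not cands:
        return []
    best_len = max(ipaddress.ip_network(r["destRange"]).prefixlen for r in cands)
    cands = [r for r in cands
             if ipaddress.ip_network(r["destRange"]).prefixlen == best_len]
    best_prio = min(r["priority"] for r in cands)
    return sorted(r["name"] for r in cands if r["priority"] == best_prio)


def effective_table(routes, vm_tags):
    """One row per destination range, most specific first, like the console's
    Route analysis tab: (destRange, names of the routes that carry traffic)."""
    by_dest = {}
    for r in applicable_routes(routes, vm_tags):
        by_dest.setdefault(r["destRange"], []).append(r)
    rows = []
    for dest in sorted(by_dest, key=lambda d: -ipaddress.ip_network(d).prefixlen):
        best = min(r["priority"] for r in by_dest[dest])
        rows.append((dest, sorted(r["name"] for r in by_dest[dest]
                                  if r["priority"] == best)))
    return rows


if __name__ == "__main__":
    for dest, names in effective_table(SAMPLE_ROUTES, ["inspect"]):
        print(f"{dest:18} -> {', '.join(names)}")
    print("192.168.1.5 from a tagged VM:", effective_routes(SAMPLE_ROUTES, ["inspect"], "192.168.1.5"))
    print("192.168.1.5 from an untagged VM:", effective_routes(SAMPLE_ROUTES, [], "192.168.1.5"))
```

To run it against a real network, replace SAMPLE_ROUTES with `json.load()` of the gcloud output and pass the VM's network tags; remember that custom dynamic routes learned by Cloud Router are not in that output and must be added from `gcloud compute routers get-status`.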

Adding and removing routes

Adding a static route

Follow these steps to create a new static route. Before doing so, make sure you are familiar with the following:

  • Custom static routes cannot have destination ranges that match or are more specific than the destination ranges used by any subnet route in your VPC network.

    • When using VPC Network Peering to connect two VPC networks, a custom static route in one network cannot have a destination that matches or is more specific than a subnet route in either of the two networks. Google Cloud rejects custom static routes that would conflict with subnet routes in this way.
  • To avoid conflicts when using an auto mode network, don't create static routes whose destinations fit within 10.128.0.0/9. Review the IP ranges reserved for auto mode networks for details.

  • Destinations for custom static routes can't overlap with any internal allocated range.

  • Make sure you're familiar with instances as next hops before you create a custom static route that uses a VM as its next hop. If you choose a next hop instance, Google Cloud validates that the VM exists only at the time you create the route; the route is not removed if the VM is deleted later, and it applies again to any replacement VM with the same name in the same zone.
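A pre-flight check for the constraints above, as an added Python example for this page (not Google's own validation, which runs server-side when the route is created). The subnet, peer subnet and allocated ranges it uses are constructed values; in practice you would collect them with `gcloud compute networks subnets list` and from the private services access allocation of the network. It rejects destinations that match or are more specific than a subnet route in the network or its peer, rejects any overlap with an internal allocated range, and warns about destinations inside 10.128.0.0/9 when the network is in auto mode.

```python
import ipaddress

# Constructed sample ranges for this example (not real project data): the
# subnet ranges of the VPC network, of a peered network, and an internal range
# allocated for private services access.
SUBNET_RANGES = ["10.10.0.0/20", "10.10.16.0/20"]
PEER_SUBNET_RANGES = ["10.20.0.0/20"]
ALLOCATED_RANGES = ["192.168.100.0/24"]
# Block reserved for auto mode networks, as stated on this page.
AUTO_MODE_RESERVED = ipaddress.ip_network("10.128.0.0/9")


def check_static_route(dest_range, subnet_ranges, peer_subnet_ranges=(),
                       allocated_ranges=(), auto_mode=False):
    """Apply the constraints above to a proposed destination range.
    Returns a list of problem strings; an empty list means no conflict found."""
    dest = ipaddress.ip_network(dest_range)
    problems = []
    # Subnet routes, local and peered: the destination must not equal or be
    # more specific than any of them. A broader destination (for example
    # 10.0.0.0/8 or 0.0.0.0/0 over a 10.10.0.0/20 subnet) is allowed.
    for label, ranges in (("subnet route", subnet_ranges),
                          ("peer subnet route", peer_subnet_ranges)):
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if dest.version == net.version and dest.subnet_of(net):
                problems.append(
                    f"{dest} matches or is more specific than {label} {net}")
    # Internal allocated ranges: no overlap in either direction is allowed.
    for cidr in allocated_ranges:
        net = ipaddress.ip_network(cidr)
        if dest.version == net.version and dest.overlaps(net):
            problems.append(f"{dest} overlaps internal allocated range {net}")
    # Auto mode networks create a subnet in every new region from the reserved
    # block, so a static route inside it invites a conflict later.
    if auto_mode and dest.version == 4 and dest.subnet_of(AUTO_MODE_RESERVED):
        problems.append(
            f"{dest} lies inside the auto mode range {AUTO_MODE_RESERVED}")
    return problems


if __name__ == "__main__":
    for candidate in ("10.10.0.0/24", "10.0.0.0/8", "10.20.1.0/24",
                      "192.168.0.0/16", "10.130.0.0/16", "0.0.0.0/0"):
        found = check_static_route(candidate, SUBNET_RANGES, PEER_SUBNET_RANGES,
                                   ALLOCATED_RANGES, auto_mode=True)
        print(candidate, "->", "OK" if not found else "; ".join(found))
```

Run the check before `gcloud compute routes create`; a rejected destination saves a failed API call, and the auto mode warning catches a route that the API would accept today but that a subnet created in a new region could shadow later.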

Console

  1. Go to the Routes page in the Google Cloud Console.
  2. Click Create route.
  3. Specify a Name and a Description for the route.
  4. Select an existing Network where the route will apply.
  5. Specify a Destination IP range to define the destination of the route.
  6. Specify a Priority for the route. The priority is only used to determine routing order if routes have equivalent destinations. See static route parameters for more details.
  7. To make the route applicable only to select instances with matching network tags, specify those in the Instance tags field. Leave the field blank to make the route applicable to all instances in the network, or if you select an internal TCP/UDP load balancer as the route's next hop. Network tags don't apply to routes that have an internal TCP/UDP load balancer as a next hop.
  8. Select a Next hop for the route:

    • Default internet gateway creates a route to the Internet.
    • Specify an instance allows you to select an instance by name. Traffic will be routed to that instance (or any replacement instance with the same name in the same zone) even if its IP address changes.
    • Specify IP address allows you to enter an IP address of an existing instance in the VPC network. Refer to static route next hops for important restrictions on valid next hop IP addresses.
    • Specify VPN tunnel allows you to select an existing Cloud VPN tunnel as a next hop. The tunnel must use policy based routing or it must be a route based VPN.
    • Specify a forwarding rule of internal TCP/UDP load balancer reveals a text box that allows you to specify an existing internal TCP/UDP load balancer as a next hop.

    For more information about the different types of next hops, see Static route next hops in the Routes overview.

  9. Click Create.

gcloud

Create a new custom static route with the following gcloud command:

gcloud compute routes create ROUTE_NAME \
    --destination-range=DESTINATION_RANGE \
    --network=NETWORK \
    NEXT_HOP_SPECIFICATION

Replace the placeholders with valid values:

  • ROUTE_NAME is the name of the route.
  • DESTINATION_RANGE represents the destination IP addresses to which this route will apply. The broadest possible destination is 0.0.0.0/0.
  • NETWORK is the name of the VPC network that will contain the route.
  • NEXT_HOP_SPECIFICATION represents the next hop for the custom static route. You must specify only one of the following as a next hop. For more information about the different types of next hops, see Static route next hops in the Routes Overview.
    • --next-hop-gateway=default-internet-gateway: Use this next hop to send traffic outside of the VPC network, including to the Internet or to the IP addresses for Private Google Access.
    • --next-hop-instance=INSTANCE_NAME and --next-hop-instance-zone=ZONE: Use this next hop to direct traffic to an existing VM instance by name and zone. Traffic is sent to the primary internal IP address for the VM's network interface located in the same network as the route.
    • --next-hop-address=ADDRESS: Use this next hop to direct traffic to the IP address of an existing VM instance.
    • --next-hop-ilb=FORWARDING_RULE_NAME and --next-hop-ilb-region=REGION: Use this next hop with Internal TCP/UDP Load Balancing to distribute traffic to the load balancer, specified by internal forwarding rule name and region. The load balancer distributes traffic among healthy backends; it is transparent to the clients, in a bump-in-the-wire fashion.
    • --next-hop-vpn-tunnel=VPN_TUNNEL_NAME and --next-hop-vpn-tunnel-region=REGION: Use this next hop to direct traffic to a Cloud VPN tunnel that uses static routing.

For more information about the different types of next hops, see Static route next hops in the Routes overview.

To make the custom static route only apply to select VMs by network tag, add the --tags flag and specify one or more network tags. For more information about how network tags and custom static routes work together, see Applicable routes in the Routes overview. You can use tags with any custom static route except for ones that have a next hop specification of --next-hop-ilb.

See the SDK documentation for additional information about the gcloud syntax.

API

Create a new custom static route.

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes
{
  "destRange": "DESTINATION_RANGE",
  "name": "ROUTE_NAME",
  "network": "NETWORK_NAME",
  "priority": PRIORITY,
  "NEXT_HOP_SPECIFICATION": VALUE
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where your route is created.
  • DESTINATION_RANGE represents the destination IP addresses to which this route will apply. The broadest possible destination is 0.0.0.0/0.
  • ROUTE_NAME is a name for the route.
  • NETWORK_NAME is the name of the VPC network that will contain the route.
  • PRIORITY is the route priority, used only to choose between routes with equivalent destinations; a lower number means a higher priority, and the field is optional (it defaults to 1000).
  • The VALUE for the NEXT_HOP_SPECIFICATION represents the next hop for the custom static route. For NEXT_HOP_SPECIFICATION, you must specify only one of the following next-hop fields: nextHopIp, nextHopGateway, nextHopInstance, nextHopIlb, or nextHopVpnTunnel. For more information about the different types of next hops, see Static route next hops in the Routes overview.

For more information, refer to the routes.insert method.

Deleting routes

You can delete a system-generated default route or any custom static route. For other types of routes:

  • You cannot delete a subnet route unless you delete the corresponding subnet.

  • To delete a dynamic route learned by a Cloud Router, you need to configure its BGP peer router to stop advertising the route.

Console

  1. Go to the Routes page in the Google Cloud Console.
  2. Select the checkbox next to the route you want to delete.
  3. Click Delete.
  4. Click Delete again to confirm.

gcloud

Delete a custom static route using the following gcloud command, replacing ROUTE_NAME with the name of the route to be removed:

gcloud compute routes delete ROUTE_NAME

API

Delete a custom static route to remove it from your VPC network.

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes/ROUTE_NAME

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where your route is located.
  • ROUTE_NAME is the name of the route to delete.

For more information, refer to the routes.delete method.

Order of operations

When you make a request to add or delete a route, your changes are staged then propagated to instances in your network using an eventually consistent design. Change requests with either PENDING or RUNNING status indicate that the request has not yet been processed. After processing, the status of the change request is DONE.

If you make a sequence of change requests, the changes can be applied in any order. There is no guarantee that the order in which you submit change requests will be the order in which they are processed. Further, different instances might become aware of the changes at different times.

Enabling IP forwarding for instances

By default, Google Cloud performs strict source and destination checking for packets so that:

  • A VM instance can only send packets whose source address matches an internal IP address of its own interface in the network.
  • Packets are only delivered to an instance if their destination address matches the IP address of the instance's interface in the network.

So, by default, a VM cannot forward a packet that originated from another VM.

To use a VM as a next hop for a route, the VM must receive packets whose destination is not itself, and because it forwards those packets, their source addresses differ from its own internal IP. To allow this, you must enable IP forwarding for the VM. When IP forwarding is enabled, Google Cloud does not enforce packet source and destination checking for that VM, which also means the VM can emit packets with arbitrary source addresses. Enable it only on VMs that are meant to act as next hops, and leave it disabled on ordinary workloads.

Console

  1. Go to the VM instances page.
  2. Click Create instance.
  3. Click Management, disks, networking, SSH keys.
  4. Click Networking.
  5. Select a network interface by clicking the edit button.
  6. For the network interface, choose On from the IP forwarding menu.
  7. Specify any other instance parameters.
  8. Click Create.

gcloud

When creating an instance using gcloud, add the --can-ip-forward flag to your command:

gcloud compute instances create ... --can-ip-forward

API

When creating an instance, use the canIpForward field to enable IP forwarding.

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
  "canIpForward": true,
  ...other fields
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where your instance will be created.
  • ZONE is the Google Cloud zone where the instance will be created.

For more information, refer to the instances.insert method.
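Because IP forwarding disables the source and destination checks, it is worth cross-checking which VMs have it enabled against which VMs are actually next hops of a route, using the listings from the Inspecting routes section. The following Python script is an added example for this page, not Google's tooling; the instance and route records are constructed in the shape of `gcloud compute instances list --format=json` and `gcloud compute routes list --format=json`, trimmed to the fields used, with a hypothetical project name in the URLs. It reports VMs with canIpForward set that no route points at, routes whose next-hop VM does not have IP forwarding enabled (so the forwarded packets are dropped), and routes whose next-hop instance or IP address no longer matches any VM, which can happen because the next hop is validated only when the route is created. Matching by IP considers only each interface's primary internal address, not alias IP ranges.

```python
import re

# Constructed sample records for this example (hypothetical project
# "demo-proj"), in the shape of `gcloud compute instances list --format=json`
# and `gcloud compute routes list --format=json`, trimmed to the fields used.
ZONE_A = "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-a"
ZONE_B = "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-b"
INSTANCES = [
    {"name": "nva-1", "zone": ZONE_A, "canIpForward": True,
     "networkInterfaces": [{"networkIP": "10.10.0.10"}]},
    {"name": "nva-2", "zone": ZONE_A, "canIpForward": True,
     "networkInterfaces": [{"networkIP": "10.10.0.11"}]},
    # Forwarding enabled but never used as a next hop: over-privileged.
    {"name": "web-1", "zone": ZONE_A, "canIpForward": True,
     "networkInterfaces": [{"networkIP": "10.10.0.20"}]},
    {"name": "db-1", "zone": ZONE_B, "canIpForward": False,
     "networkInterfaces": [{"networkIP": "10.10.0.30"}]},
    # A route still points here, but forwarding was never enabled.
    {"name": "fw-old", "zone": ZONE_B, "canIpForward": False,
     "networkInterfaces": [{"networkIP": "10.10.0.40"}]},
]
ROUTES = [
    {"name": "to-onprem", "destRange": "192.168.0.0/16",
     "nextHopInstance": ZONE_A + "/instances/nva-1"},
    {"name": "to-partner", "destRange": "172.16.0.0/12", "nextHopIp": "10.10.0.11"},
    {"name": "to-legacy", "destRange": "10.99.0.0/16", "nextHopIp": "10.10.0.40"},
    # Next-hop IP that belongs to no current VM.
    {"name": "stale-route", "destRange": "10.98.0.0/16", "nextHopIp": "10.10.0.99"},
    # Next-hop instance that has since been deleted; the route survives it.
    {"name": "deleted-nva", "destRange": "10.97.0.0/16",
     "nextHopInstance": ZONE_B + "/instances/nva-gone"},
    {"name": "default-route", "destRange": "0.0.0.0/0",
     "nextHopGateway": "default-internet-gateway"},
]


def instance_key(url):
    """(zone, name) from a zone-scoped instance URL such as
    .../zones/us-central1-a/instances/nva-1, or None if it is not one."""
    m = re.search(r"/zones/([^/]+)/instances/([^/]+)/?$", url)
    return (m.group(1), m.group(2)) if m else None


def audit_ip_forwarding(instances, routes):
    """Cross-check canIpForward against the VM next hops of the route table."""
    by_key = {(i["zone"].rsplit("/", 1)[-1], i["name"]): i for i in instances}
    # Primary internal IP of each interface -> instance key (alias ranges ignored).
    by_ip = {nic["networkIP"]: key
             for key, i in by_key.items()
             for nic in i.get("networkInterfaces", [])}
    used, missing = set(), []
    for r in routes:
        if "nextHopInstance" in r:
            key = instance_key(r["nextHopInstance"])
        elif "nextHopIp" in r:
            key = by_ip.get(r["nextHopIp"])
        else:
            continue  # gateway, ILB or VPN tunnel next hop: not a VM
        if key in by_key:
            used.add(key)
        else:
            missing.append(r["name"])
    return {
        "forwarding_enabled_but_not_a_next_hop": sorted(
            i["name"] for k, i in by_key.items()
            if i.get("canIpForward") and k not in used),
        "next_hop_without_ip_forwarding": sorted(
            by_key[k]["name"] for k in used if not by_key[k].get("canIpForward")),
        "routes_with_missing_next_hop": sorted(missing),
    }


if __name__ == "__main__":
    for finding, names in audit_ip_forwarding(INSTANCES, ROUTES).items():
        print(f"{finding}: {names}")
```

Feed it real data by loading the two gcloud JSON listings for one project; a VM in the first finding is a candidate for turning IP forwarding off, and a route in the second or third finding is silently dropping traffic and should be fixed or deleted.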

What's next
