About Route Tables

Route tables let you control how traffic leaving a subnet is routed, through the routes you create in them. Every Virtual Private Cloud (VPC) is created with a default route table, called the main route table, that you can modify, and you can also create custom route tables and associate one with each subnet.

You can route traffic to targets such as an Internet gateway or a VPC endpoint. Traffic addressed to an IP of the VPC CIDR block is always routed locally, inside the VPC.

Route Tables and Subnets

Route tables control the routing of network traffic using rules called routes, which indicate where network traffic is directed. Route tables are created for a VPC and are used by the VPC router, which is automatically created within your VPC, to determine how to forward traffic.

Every subnet in a VPC must be associated with a route table, which controls routing for all instances in the subnet. The same route table can be associated with several subnets, but a subnet can only be associated with a single route table.

Since it is recommended to dedicate each subnet to a single application, it is also recommended to use one route table and one security group per subnet. Note that route tables only decide where traffic is forwarded; they do not filter it, which is the role of security groups.

In the following schema, each subnet is associated with a route table. Instances in Subnet 1 can access the Internet through the Internet gateway, and instances in Subnet 2 can access an object storage service using the VPC endpoint.

Subnets, Route Tables and Routes


For more information about routes to an Internet gateway and to a VPC endpoint, see the Routes and Routing Options section below.

Main Route Table and Custom Route Tables

Main Route Table

When you create a VPC, a route table is automatically created with it and designated as the main route table. The main route table acts as an implicit router in your VPC: it controls traffic routing for every subnet that is not explicitly associated with a route table. It is therefore implicitly associated with any subnet you create in the VPC until you explicitly associate that subnet with a route table.

At creation, the main route table only contains the local route, which keeps any traffic addressed to the VPC CIDR block inside the VPC. This route cannot be modified or deleted. You can add, modify, or remove other routes in the main route table, but you cannot delete the main route table itself.

You can also change which route table is the main one for the VPC. This changes the route table used by any new subnet and by any existing subnet that is not explicitly associated with a route table.

You can explicitly associate a subnet with the main route table so that the route table used by this subnet does not change if you later designate another route table as the main one.

Custom Route Tables

You can create additional route tables for your VPC and associate each of them with one or more subnets. You can then add the routes you need to a route table, and replace or remove them when needed. You can delete a custom route table once it is no longer associated with any subnet.

Any route table you create contains the local route, which you cannot delete or modify. To protect your VPC, leave the main route table with only the local route, and explicitly associate each new subnet with a custom route table that you created. A new subnet can then only send traffic within the VPC until you explicitly allow it to reach other destinations by adding routes to its route table, so no subnet gets Internet or external connectivity by accident. This lets you control how outbound traffic is routed for each subnet of your VPC.
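The recommendation above can be checked mechanically. The following Python script, added here as an example and not part of the OUTSCALE documentation or tooling, flags a main route table that carries anything other than the local route, and any subnet that is not explicitly linked to a route table. Its input is a constructed sample shaped like the responses of the OUTSCALE API ReadRouteTables and ReadSubnets calls; the field names it relies on (RouteTableId, NetId, Routes, DestinationIpRange, GatewayId, NatServiceId, LinkRouteTables, Main, SubnetId, and so on) are assumed from that API and should be verified against the API reference, and every identifier is a placeholder.

```python
# Added example: audit route-table hygiene for a VPC. Not OUTSCALE code.
# ROUTE_TABLES and SUBNETS are constructed samples shaped like the
# ReadRouteTables and ReadSubnets API responses; the field names are
# assumed from the OUTSCALE API (verify them against the API reference)
# and every identifier is a placeholder.
ROUTE_TABLES = {
    "RouteTables": [
        {
            # Main route table: someone added a default route to an IGW,
            # which every unlinked subnet now inherits.
            "RouteTableId": "rtb-aaaaaaaa",
            "NetId": "vpc-12345678",
            "Routes": [
                {"DestinationIpRange": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpRange": "0.0.0.0/0", "GatewayId": "igw-12345678", "State": "active"},
            ],
            "LinkRouteTables": [{"LinkRouteTableId": "rtbassoc-aaaaaaaa", "Main": True}],
        },
        {
            # Custom route table explicitly linked to one subnet.
            "RouteTableId": "rtb-bbbbbbbb",
            "NetId": "vpc-12345678",
            "Routes": [
                {"DestinationIpRange": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpRange": "0.0.0.0/0", "NatServiceId": "nat-12345678", "State": "active"},
            ],
            "LinkRouteTables": [
                {"LinkRouteTableId": "rtbassoc-bbbbbbbb", "Main": False, "SubnetId": "subnet-11111111"}
            ],
        },
    ]
}
SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-11111111", "NetId": "vpc-12345678"},
        {"SubnetId": "subnet-22222222", "NetId": "vpc-12345678"},  # never explicitly linked
    ]
}

# Keys under which a route's target may appear (assumed API field names).
TARGET_KEYS = ("GatewayId", "NatServiceId", "VmId", "NicId", "NetPeeringId", "NetAccessPointId")


def route_target(route):
    """Return the target identifier of a route, whichever key carries it."""
    for key in TARGET_KEYS:
        if route.get(key):
            return route[key]
    return "unknown"


def audit(route_tables, subnets):
    """Return human-readable findings; an empty list means the VPC follows
    the recommendation (main table local-only, every subnet explicitly linked)."""
    findings = []
    explicitly_linked = set()
    for table in route_tables["RouteTables"]:
        links = table.get("LinkRouteTables", [])
        is_main = any(link.get("Main") for link in links)
        explicitly_linked.update(link["SubnetId"] for link in links if link.get("SubnetId"))
        if not is_main:
            continue
        for route in table["Routes"]:
            if route.get("GatewayId") == "local":
                continue  # the local route is always present and cannot be removed
            findings.append(
                f"{table['RouteTableId']} (main route table of {table['NetId']}): "
                f"non-local route {route['DestinationIpRange']} -> {route_target(route)} "
                "is inherited by every subnet that is not explicitly linked"
            )
    for subnet in subnets["Subnets"]:
        if subnet["SubnetId"] not in explicitly_linked:
            findings.append(
                f"{subnet['SubnetId']} ({subnet['NetId']}): not explicitly linked to a "
                "route table, so it silently uses the main route table"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTE_TABLES, SUBNETS):
        print(finding)
```

The first finding is the one to act on: a route added to the main route table is inherited by every subnet that was never explicitly linked, including subnets created later by someone else. Replacing the constructed sample with the JSON returned by the real ReadRouteTables and ReadSubnets calls turns the script into a periodic check.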

Routes and Routing Options

A route specifies:

  • The traffic destination, in CIDR notation. It can be a range of IPs or a single IP (using a /32 prefix).

  • The target, that is, the network device or resource through which the destination is reached.

You can route traffic using the following targets:

  • Local: A local route is automatically added to any route table created in a VPC, with the VPC CIDR block as destination and local as target. Therefore, traffic from instances to an IP belonging to the VPC CIDR block remains in the VPC local network.

    You cannot delete or modify the local route.

  • An Internet gateway: This enables instances in the subnet that have an associated External IP (EIP) to connect directly to the Internet through the Internet gateway attached to the VPC. To do this, add a route with the 0.0.0.0/0 CIDR block as destination and the ID of the Internet gateway as target. Note that such a subnet is public: every instance in it that has an EIP is also reachable from the Internet, filtered only by its security groups. For more information about Internet gateways, see About Internet Gateways.
    For example, the route table of a subnet whose instances connect directly to the Internet, in a VPC with the 10.0.0.0/16 CIDR block and the igw-12345678 Internet gateway attached to it, has the following routes:

    Destination      Target
    10.0.0.0/16      local
    0.0.0.0/0        igw-12345678

  • A Network Address Translation (NAT) gateway: This enables instances in the subnet, including instances without an EIP, to initiate connections to the Internet through a NAT gateway while remaining unreachable from the Internet. To do so, add a route with the 0.0.0.0/0 CIDR block as destination and the ID of the NAT gateway as target. The NAT gateway itself must be in a subnet whose route table sends 0.0.0.0/0 to the Internet gateway. For more information about NAT gateways, see About NAT Gateways.
    For example, the route table of a subnet whose instances connect indirectly to the Internet, in a VPC with the 10.0.0.0/16 CIDR block, through the nat-12345678 NAT gateway has the following routes:

    Destination      Target
    10.0.0.0/16      local
    0.0.0.0/0        nat-12345678

  • An instance or a network interface within the VPC: This enables instances in a subnet to send traffic to a particular instance or network interface. You can route traffic directly to an instance only when it has a single network interface. If the instance has several flexible network interfaces (FNIs) attached, you must route traffic to one of its network interfaces. To do so, add a route with the appropriate CIDR block as destination and the ID of the instance or of the network interface as target. Because a /32 route is more specific than the local route, it takes precedence over it for that one address (see the note on route precedence below).
    For example, in a VPC with the 10.0.0.0/16 CIDR block, if an administration instance has the eni-11111111 network interface with the 10.0.10.10 IP in a subnet A, and another network interface in a subnet B, the route table of a subnet whose instances need to reach this administration instance through subnet A has the following routes:

    Destination      Target
    10.0.0.0/16      local
    10.0.10.10/32    eni-11111111

  • A virtual private gateway (VGW): This enables instances in your subnet to send traffic to a remote network through a VPN or DirectLink connection. To do so, add a route with the CIDR block of the remote network as destination and the ID of a VGW attached to your VPC as target, and create a VPN or DirectLink connection using this VGW. For more information, see VPN Connections and DirectLink.
    For example, the route table of a subnet in a VPC with the 10.0.0.0/16 CIDR block, sending traffic to your internal network with the 192.168.1.0/24 CIDR block through a VPN connection using the vgw-12345678 VGW, has the following routes:

    Destination      Target
    10.0.0.0/16      local
    192.168.1.0/24   vgw-12345678

  • A VPC endpoint: This creates a private connection between your VPC and an OUTSCALE service, so that traffic to the service does not go through the Internet. The appropriate route, with the prefix list ID of the service (pl-xxxxxxxx) as destination and the VPC endpoint ID (vpce-xxxxxx) as target, is automatically added to the route tables you specify for the VPC endpoint. For more information about VPC endpoints, see About VPC Endpoints. For more information about prefix lists, see Getting Information About Prefix Lists.

    You cannot delete or modify this route, but you can modify the set of route tables used by the VPC endpoint.

  • A VPC peering connection: This enables you to send traffic to a peered VPC. To do so, add a route with all or part of the peered VPC CIDR block as destination and the ID of the VPC peering connection as target. For more information about VPC peering connections, see About VPC Peering Connections.

    Routing through a peering connection is not symmetric by itself: the owner of the peered VPC must add a route in their own route tables to send return traffic to your VPC, otherwise packets reach the peer but no response comes back. Only the routed part of each CIDR block is reachable, so routing a subset of the peer's CIDR block limits which of its subnets you expose.

    For example, the route table of a subnet in a VPC A with the 10.0.0.0/16 CIDR block, sending traffic to a peered VPC B with the 192.168.1.0/24 CIDR block through the pcx-12345678 VPC peering connection, has the following routes:

    Destination      Target
    10.0.0.0/16      local
    192.168.1.0/24   pcx-12345678

    The route tables of the peered VPC B must have the following routes:

    Destination      Target
    192.168.1.0/24   local
    10.0.0.0/16      pcx-12345678

Route precedence: if the destination of a packet matches several routes in the associated route table, the most specific route, that is the one with the narrowest CIDR block (longest prefix), is always the one used to forward the traffic. A /32 route to a network interface therefore overrides the local route for that single address, and a 0.0.0.0/0 default route is only used when no other route matches.

A route can be in one of the following states:

  • Active: The route is active and is used to route traffic.

  • Blackhole: The target of the route is no longer available (for example, the gateway, instance, network interface, or peering connection it points to has been deleted or detached), and the route cannot be used to route traffic. Check for blackhole routes after deleting or detaching resources, as the traffic they covered is no longer forwarded until the route is fixed.
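As an added illustration of the route selection rule and of the route states, the following Python code (an example written for this page, not OUTSCALE code) implements longest-prefix-match lookup over a constructed route table that reuses the placeholder identifiers of the examples above, and reports what happens to a packet whose best route is a blackhole. The page only states that a blackhole route cannot be used to route traffic; treating such a match as a dropped packet rather than falling through to a less specific route is an assumption of this example.

```python
# Added example: longest-prefix-match route selection. Not OUTSCALE code.
# ROUTES is a constructed route table for a subnet of a 10.0.0.0/16 VPC,
# using the placeholder identifiers of the examples on this page.
import ipaddress

ROUTES = [
    {"destination": "10.0.0.0/16", "target": "local", "state": "active"},
    {"destination": "10.0.10.10/32", "target": "eni-11111111", "state": "active"},
    {"destination": "192.168.1.0/24", "target": "pcx-12345678", "state": "active"},
    # The NAT gateway was deleted, so the default route went blackhole.
    {"destination": "0.0.0.0/0", "target": "nat-12345678", "state": "blackhole"},
]


def select_route(routes, dst_ip):
    """Return the most specific route whose destination CIDR contains dst_ip,
    or None when no route matches (routes of the other IP version are ignored)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_route = None, None
    for route in routes:
        net = ipaddress.ip_network(route["destination"], strict=False)
        if net.version != dst.version or dst not in net:
            continue
        # A longer prefix (narrower CIDR) is more specific and wins.
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_route = net, route
    return best_route


def route_packet(routes, dst_ip):
    """Decide the fate of a packet: ("forward", target), ("drop", target) or
    ("no_route", None). Treating a blackhole best match as a drop, instead of
    falling back to a less specific route, is an assumption of this example."""
    route = select_route(routes, dst_ip)
    if route is None:
        return ("no_route", None)
    if route["state"] == "blackhole":
        return ("drop", route["target"])
    return ("forward", route["target"])


if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.10.10", "192.168.1.77", "8.8.8.8"):
        print(ip, route_packet(ROUTES, ip))
```

Running it shows 10.0.10.10 going to eni-11111111 rather than to the local route, because the /32 is more specific than the /16, while 8.8.8.8 is dropped by the blackhole default route instead of leaving the VPC.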

Related Pages