Configure route tables - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure route tables

A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

Route priority

In general, we direct traffic using the most specific route that matches the traffic. This is known as the longest prefix match. If your route table has overlapping or matching routes, additional rules apply.

The following list shows a route priority summary with links to sections below with more detailed information and examples:

  1. Longest prefix (for example, 10.10.2.15/32 has priority over 10.10.2.0/24)

  2. Static routes (like VPC peering and internet gateway connections)

  3. Prefix list routes

  4. Propagated routes

    1. Direct Connect BGP routes (dynamic routes)

    2. VPN static routes

    3. VPN BGP routes (dynamic routes, such as those learned through a virtual private gateway)

Longest prefix match

Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other. We use the most specific route that matches either IPv4 traffic or IPv6 traffic to determine how to route the traffic.

The following example subnet route table has a route for IPv4 internet traffic (0.0.0.0/0) that points to an internet gateway, and a route for 172.31.0.0/16 IPv4 traffic that points to a peering connection (pcx-11223344556677889). Any traffic from the subnet that's destined for the 172.31.0.0/16 IP address range uses the peering connection, because this route is more specific than the route for internet gateway. Any traffic destined for a target within the VPC (10.0.0.0/16) is covered by the local route, and therefore is routed within the VPC. All other traffic from the subnet uses the internet gateway.

Destination      Target
10.0.0.0/16      local
172.31.0.0/16    pcx-11223344556677889
0.0.0.0/0        igw-12345678901234567

Route priority for static and dynamically propagated routes

If you've attached a virtual private gateway to your VPC and enabled route propagation on your subnet route table, routes representing your Site-to-Site VPN connection automatically appear as propagated routes in your route table.

If the destination of a propagated route is identical to the destination of a static route, the static route takes priority. The following resources use static routes:

  • internet gateway

  • NAT gateway

  • Network interface

  • Instance ID

  • Gateway VPC endpoint

  • Transit gateway

  • VPC peering connection

  • Gateway Load Balancer endpoint

For more information, see Route tables and VPN route priority in the Amazon Site-to-Site VPN User Guide.

The following example route table has a static route to an internet gateway and a propagated route to a virtual private gateway. Both routes have a destination of 172.31.0.0/24. Because a static route to an internet gateway takes priority, all traffic destined for 172.31.0.0/24 is routed to the internet gateway.

Destination      Target                   Propagated
10.0.0.0/16      local                    No
172.31.0.0/24    vgw-11223344556677889    Yes
172.31.0.0/24    igw-12345678901234567    No

Route priority for prefix lists

If your route table references a prefix list, the following rules apply:

  • If your route table contains a static route with a destination CIDR block that overlaps a static route with a prefix list, the static route with the CIDR block takes priority.

  • If your route table contains a propagated route that matches a route that references a prefix list, the route that references the prefix list takes priority. Note that for overlapping routes, the more specific route always takes priority, regardless of whether it is a propagated route, a static route, or a route that references a prefix list.

  • If your route table references multiple prefix lists that have overlapping CIDR blocks to different targets, we randomly choose which route takes priority. Thereafter, the same route always takes priority.
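The three rule sets above (longest prefix match, static before propagated, and the prefix-list rules) decide where a packet actually goes, so it is worth checking a route table's effect before relying on it: a more specific or shadowing route can silently send traffic to a different target than the one you expect. The following Python script is an added example and is not AWS code. It models a route table as a list of routes, applies the rules in the order this page gives them, and reports which target an address would use. The route-kind names, the `RouteTable` class, `lookup`, `audit`, the `seed` argument and the `pl-EXAMPLE`/`tgw-EXAMPLE`/`pcx-EXAMPLE`/`vgw-EXAMPLE` identifiers are assumptions made for illustration; the two tables from this page are reproduced as given (the origin of the propagated vgw route is assumed to be VPN BGP), with one constructed IPv6 entry added to show that IPv4 and IPv6 routes are independent.

```python
import ipaddress
import random

# Tie-break rank among routes with the same destination prefix length
# (lower wins), following the route priority summary on this page:
# static CIDR route > route referencing a prefix list > propagated routes,
# with propagated routes ordered Direct Connect BGP > VPN static > VPN BGP.
# The kind names are assumptions made for this example.
KIND_RANK = {
    "static": 0,
    "prefix_list": 1,
    "propagated_dx_bgp": 2,
    "propagated_vpn_static": 3,
    "propagated_vpn_bgp": 4,
}


class RouteTable:
    """Model of a VPC route table that answers "which target does this address use?".

    routes: list of (destination, target, kind) tuples. For kind "prefix_list"
    the destination is a prefix list ID that must appear in prefix_lists.
    seed: stands in for the one-time random choice AWS makes between
    overlapping prefix-list routes that point to different targets.
    """

    def __init__(self, routes, prefix_lists=None, seed=0):
        self.prefix_lists = prefix_lists or {}
        self._rng = random.Random(seed)
        self._tie_cache = {}
        self.entries = []  # (ip_network, target, kind)
        for dest, target, kind in routes:
            if kind not in KIND_RANK:
                raise ValueError(f"unknown route kind: {kind}")
            # A prefix-list route expands to one entry per CIDR in the list.
            cidrs = self.prefix_lists[dest] if kind == "prefix_list" else [dest]
            for cidr in cidrs:
                self.entries.append((ipaddress.ip_network(cidr), target, kind))

    def lookup(self, address):
        """Return the target for address, or None if no route covers it."""
        addr = ipaddress.ip_address(address)
        # IPv4 and IPv6 routes are independent: 0.0.0.0/0 never matches IPv6.
        candidates = [e for e in self.entries
                      if e[0].version == addr.version and addr in e[0]]
        if not candidates:
            return None
        # Rule 1: longest prefix match.
        longest = max(e[0].prefixlen for e in candidates)
        candidates = [e for e in candidates if e[0].prefixlen == longest]
        # Rules 2-4: static > prefix list > propagated (in KIND_RANK order).
        best = min(KIND_RANK[e[2]] for e in candidates)
        targets = sorted({e[1] for e in candidates if KIND_RANK[e[2]] == best})
        if len(targets) == 1:
            return targets[0]
        # Overlapping prefix-list routes to different targets: AWS picks one at
        # random and then keeps that choice; cache it per set of contenders.
        key = tuple(targets)
        if key not in self._tie_cache:
            self._tie_cache[key] = self._rng.choice(targets)
        return self._tie_cache[key]


# Subnet route table from the "Longest prefix match" section above.
SUBNET_TABLE = RouteTable([
    ("10.0.0.0/16", "local", "static"),
    ("172.31.0.0/16", "pcx-11223344556677889", "static"),
    ("0.0.0.0/0", "igw-12345678901234567", "static"),
    # Constructed IPv6 entry (not in the page's table): the IPv4 default
    # route must not catch IPv6 traffic outside this block.
    ("2001:db8::/48", "local", "static"),
])

# Route table from the "static and dynamically propagated routes" section.
# The propagated route's origin (VPN BGP) is an assumption.
MIXED_TABLE = RouteTable([
    ("10.0.0.0/16", "local", "static"),
    ("172.31.0.0/24", "vgw-11223344556677889", "propagated_vpn_bgp"),
    ("172.31.0.0/24", "igw-12345678901234567", "static"),
])

# Constructed table (IDs are placeholders) exercising the prefix-list rules:
# a static CIDR route shadows an overlapping prefix-list entry, and a
# prefix-list entry shadows a propagated route with the same destination.
PL_TABLE = RouteTable(
    [
        ("10.0.0.0/16", "local", "static"),
        ("pl-EXAMPLE", "tgw-EXAMPLE", "prefix_list"),
        ("192.168.1.0/24", "pcx-EXAMPLE", "static"),
        ("192.168.2.0/24", "vgw-EXAMPLE", "propagated_vpn_bgp"),
    ],
    prefix_lists={"pl-EXAMPLE": ["192.168.1.0/24", "192.168.2.0/24"]},
)


def audit(table, addresses):
    """Map each address to its chosen target, for reviewing a table's effect."""
    return {a: table.lookup(a) for a in addresses}


if __name__ == "__main__":
    probes = ["10.0.1.1", "172.31.5.9", "8.8.8.8", "2001:db8::1", "2001:db8:1::1"]
    for addr, target in audit(SUBNET_TABLE, probes).items():
        print(f"{addr:>16} -> {target}")
    print("172.31.0.77 via MIXED_TABLE ->", MIXED_TABLE.lookup("172.31.0.77"))
    print("192.168.1.10 via PL_TABLE   ->", PL_TABLE.lookup("192.168.1.10"))
    print("192.168.2.10 via PL_TABLE   ->", PL_TABLE.lookup("192.168.2.10"))
```

Running the script shows the page's two outcomes (172.31.5.9 leaves through the peering connection, and 172.31.0.77 goes to the internet gateway rather than the propagated vgw route) together with the prefix-list cases. When auditing a real table, feed `audit` the addresses that matter to you (on-premises ranges, partner VPCs, endpoints) and compare the result with the target you intended; a mismatch usually means a static or more specific route is shadowing the one you were counting on.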

Disassociate a gateway from a route table

You can disassociate an internet gateway or a virtual private gateway from a route table.

To disassociate a gateway from a route table using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Route tables, and then select the route table.

  3. From the Edge associations tab, choose Edit edge associations.

  4. Clear the checkbox for the gateway.

  5. Choose Save changes.

To disassociate a gateway from a route table using the command line