Configure route tables - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure route tables

A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

Route priority

In general, we direct traffic using the most specific route that matches the traffic. This is known as the longest prefix match. If your route table has overlapping or matching routes, additional rules apply.

Longest prefix match

Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other. We use the most specific route that matches either IPv4 traffic or IPv6 traffic to determine how to route the traffic.

The following example subnet route table has a route for IPv4 internet traffic (0.0.0.0/0) that points to an internet gateway, and a route for 172.31.0.0/16 IPv4 traffic that points to a peering connection (pcx-11223344556677889). Any traffic from the subnet that's destined for the 172.31.0.0/16 IP address range uses the peering connection, because this route is more specific than the route for internet gateway. Any traffic destined for a target within the VPC (10.0.0.0/16) is covered by the local route, and therefore is routed within the VPC. All other traffic from the subnet uses the internet gateway.

Destination Target
10.0.0.0/16 local
172.31.0.0/16 pcx-11223344556677889
0.0.0.0/0 igw-12345678901234567

Route priority and propagated routes

If you've attached a virtual private gateway to your VPC and enabled route propagation on your subnet route table, routes representing your Site-to-Site VPN connection automatically appear as propagated routes in your route table.

If the destination of a propagated route overlaps a static route, the static route takes priority.

If the destination of a propagated route is identical to the destination of a static route, the static route takes priority if the target is one of the following:

  • internet gateway

  • NAT gateway

  • Network interface

  • Instance ID

  • Gateway VPC endpoint

  • Transit gateway

  • VPC peering connection

  • Gateway Load Balancer endpoint

For more information, see Route tables and VPN route priority in the Amazon Site-to-Site VPN User Guide.

The following example route table has a static route to an internet gateway and a propagated route to a virtual private gateway. Both routes have a destination of 172.31.0.0/24. Because a static route to an internet gateway takes priority, all traffic destined for 172.31.0.0/24 is routed to the internet gateway.

Destination Target Propagated
10.0.0.0/16 local No
172.31.0.0/24 vgw-11223344556677889 Yes
172.31.0.0/24 igw-12345678901234567 No

Route priority and prefix lists

If your route table references a prefix list, the following rules apply:

  • If your route table contains a static route with a destination CIDR block that overlaps a static route with a prefix list, the static route with the CIDR block takes priority.

  • If your route table contains a propagated route that matches a route that references a prefix list, the route that references the prefix list takes priority. Please note that for routes that overlap, more specific routes always take priority irrespective of whether they are propagated routes, static routes, or routes that reference prefix lists.

  • If your route table references multiple prefix lists that have overlapping CIDR blocks to different targets, we randomly choose which route takes priority. Thereafter, the same route always takes priority.