AWS VPC Route Preference
A quick peek into AWS VPC route selection logic
AWS route preferences are often the centre of discussion on various forums and discussion boards, and often the source of confusion is the behaviour with a VPC + VGW scenario. Here I've attempted to summarise and hopefully clarify the topic.
A VPC router is created with the VPC. For every subnet in the VPC, the router IP is network address + 1. Ex: For a subnet of 10.0.0.0/24, the network address will be 10.0.0.0, and the router will be 10.0.0.1.
The whole process is auto-managed by AWS; every subnet, public or private, is connected to the VPC router. This VPC router holds the default route table and any custom route tables we later create and attach to a given subnet. All the entities inside the VPC follow the routes defined in this VPC router. Route selection works on the set of preference rules below, in order of priority:
1) Local routes
2) Longest prefix match
3) Static routes
4) Dynamic (propagated) routes
Local Routes:
This refers to the CIDR block of the VPC itself. There is no way to route traffic overlapping the VPC CIDR outside the VPC. Ex: Say the VPC CIDR is 10.0.0.0/16; if we add a route for 10.0.1.0/24 or 10.0.10.10/32, whether static or via the VGW, that route will be ignored.
Longest Prefix match:
This rule is the same as on industry-standard routers such as Cisco, Juniper, etc. When two or more routes match the same destination, the route with the longer prefix (larger subnet mask) always wins. Ex: if the VPC route table has the routes below:
Traffic for the destination 220.127.116.11 will always go over the IGW (Internet Gateway), i.e., the 3rd entry in the routing table, as it has the longer prefix of /24 compared to /16 for the 2nd entry.
Static Routes:
As per this rule, if two identical routes exist, one static and the other propagated, the static route will always take precedence. Ex: if the VPC route table has the routes below:
In the above scenario, the VPC will always send all traffic for 18.104.22.168/16 over the VPC peering link instead of to the propagated VGW destination.
Dynamic Routes:
These routes are distributed by the VGW (Direct Connect and/or VPN). This only happens if "route propagation" is enabled on the associated route table.
Now, let's consider a VGW (Virtual Private Gateway) in the mix. A VGW is a separate router connected to the VPC router. If route propagation is enabled, the best route from the VGW is shared with and added to the VPC route table. Dynamic route propagation to the VPC router is a two-step process:
Step 1: The VGW runs an internal selection process to pick the best route for each destination. The VGW's route preference, highest first, is:
- Direct Connect routes: DX supports only BGP; users cannot configure static routes over DX.
- Static VPN routes
- Dynamic VPN routes
At this stage, there could be conflicts between routes already present in the VPC route table and routes propagated by the VGW. No new rules apply to this scenario; the VPC follows the rules defined earlier.
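To make the two stages concrete (the VGW's own best-route pick in Step 1, and the VPC router's local / longest-prefix / static-over-propagated ordering described above), here is a small simulation of the selection logic. It is an added example, not code from the original article or from AWS; the gateway identifiers, prefixes and the advertised routes are constructed sample values, and the rankings simply encode the preference orders the article states.

```python
import ipaddress
from dataclasses import dataclass

# VPC-side tie-break when two matching routes have the same prefix length
# (article's rule 3): lower rank is preferred. "local" is the VPC CIDR itself.
ORIGIN_RANK = {"local": 0, "static": 1, "propagated": 2}

# VGW-side preference between sources advertising the same prefix (Step 1):
# Direct Connect, then static VPN, then dynamic VPN. Names are constructed.
VGW_SOURCE_RANK = {"dx": 0, "vpn-static": 1, "vpn-dynamic": 2}


@dataclass(frozen=True)
class Route:
    prefix: str   # e.g. "10.0.0.0/16"
    target: str   # e.g. "local", "igw-...", "pcx-...", "vgw-..."
    origin: str   # "local", "static" or "propagated"

    @property
    def network(self):
        # strict=False tolerates host bits in the prefix (e.g. "x.y.z.w/16")
        return ipaddress.ip_network(self.prefix, strict=False)


def vgw_best_routes(advertised):
    """Step 1: for each prefix learned from several sources, keep only the
    preferred source. `advertised` is a list of (prefix, source) tuples."""
    best = {}
    for prefix, source in advertised:
        net = str(ipaddress.ip_network(prefix, strict=False))
        if net not in best or VGW_SOURCE_RANK[source] < VGW_SOURCE_RANK[best[net]]:
            best[net] = source
    return best


def build_route_table(vpc_cidr, static_routes, vgw_id, vgw_prefixes, propagation=True):
    """Assemble a VPC route table: the local route, the static routes and,
    when route propagation is enabled, the VGW's best routes as 'propagated'."""
    table = [Route(vpc_cidr, "local", "local")]
    table += [Route(p, t, "static") for p, t in static_routes]
    if propagation:
        table += [Route(p, vgw_id, "propagated") for p in vgw_prefixes]
    return table


def select_route(table, destination):
    """Apply the article's order: local route, then longest prefix,
    then static over propagated on equal prefix length. None if no match."""
    dst = ipaddress.ip_address(destination)
    local = next(r for r in table if r.origin == "local")
    if dst in local.network:
        # Rule 1: anything inside the VPC CIDR stays local, whatever else is in the table.
        return local
    candidates = [r for r in table if r.origin != "local" and dst in r.network]
    if not candidates:
        return None
    # Rule 2 then rule 3: longest prefix first, static before propagated on a tie.
    return min(candidates, key=lambda r: (-r.network.prefixlen, ORIGIN_RANK[r.origin]))


def demo():
    """Constructed scenario exercising each rule; returns the chosen targets."""
    vpc_cidr = "10.0.0.0/16"
    # The VGW hears 172.16.0.0/16 over both a dynamic VPN and DX (DX wins), a
    # static VPN route for 192.168.0.0/16, and a prefix overlapping the VPC CIDR.
    vgw_best = vgw_best_routes([
        ("172.16.0.0/16", "vpn-dynamic"),
        ("172.16.0.0/16", "dx"),
        ("192.168.0.0/16", "vpn-static"),
        ("10.0.1.0/24", "vpn-static"),
    ])
    table = build_route_table(
        vpc_cidr,
        [("0.0.0.0/0", "igw-0abc"),          # default route to the internet
         ("192.168.0.0/16", "pcx-0def"),     # static route to a VPC peer
         ("172.16.5.0/24", "igw-0abc")],     # more specific static route
        "vgw-0123",
        vgw_best.keys(),
    )
    return {
        "inside_vpc": select_route(table, "10.0.1.5").target,       # local wins over the /24
        "longest_prefix": select_route(table, "172.16.5.9").target, # /24 static beats /16 propagated
        "static_wins_tie": select_route(table, "192.168.1.1").target,  # static /16 beats propagated /16
        "default": select_route(table, "8.8.8.8").target,           # only 0.0.0.0/0 matches
    }


if __name__ == "__main__":
    for case, target in demo().items():
        print(f"{case}: {target}")
```

The `demo()` function is where to experiment: add or remove static entries, or disable propagation, and watch which target each destination resolves to. The model deliberately ignores VGW-propagated prefixes that fall inside the VPC CIDR, as the article describes, rather than rejecting them up front.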
I hope you've found this article useful. Follow me if you are interested in:
- AWS Architecture & Security.
- AWS Serverless solutions.