AWS VPC Route Preference

A quick peek into AWS VPC route selection logic

AWS route preferences are often the centre of discussion on various forums and discussion boards, and often the source of confusion is the behaviour with a VPC + VGW scenario. Here I've attempted to summarise and hopefully clarify the topic.

[Figure: VPC Setup]

A VPC router is created with the VPC. For every subnet in the VPC, the router IP is network address + 1. Ex: For a subnet of 10.0.0.0/24, the network address will be 10.0.0.0, and the router will be 10.0.0.1.

The whole process is managed automatically by AWS: every subnet, public or private, is connected to the VPC router. This VPC router holds the default route table and any custom route tables we later create and associate with a given subnet. All the entities inside the VPC follow the routes defined in this VPC router. Route selection works on the below set of preference rules, in order of priority:

  1. Local routes
  2. Longest prefix match
  3. Static routes
  4. Dynamic routes

Local Routes:

This refers to the CIDR block of the VPC itself. There is no way to route traffic that falls within the VPC CIDR outside the VPC. Ex: if the VPC CIDR is 10.0.0.0/16 and we add a route for 10.0.1.0/24 or 10.0.10.10/32, whether static or propagated via the VGW, those routes will be ignored.

Longest Prefix match:

This rule works the same as on industry-standard routers from Cisco, Juniper, etc. When two or more routes cover the same destination, the route with the longer prefix (the more specific subnet mask) always wins. Ex: if the VPC route table has the below routes:

  Destination     Target
  10.0.0.0/16     local
  172.1.0.0/16    vgw-id
  172.1.0.0/24    igw-id

Traffic for destination 172.1.0.10 will always go over the IGW (Internet Gateway), i.e. the 3rd entry in the route table, as its /24 prefix is longer than the /16 of the 2nd entry.

Static Routes:

As per this rule, if two identical routes exist, one static and the other propagated, the static one always takes precedence. Ex: if the VPC route table has the below routes:

  Destination     Target    Propagated
  10.0.0.0/16     local     No
  172.1.0.0/16    vgw-id    Yes
  172.1.0.0/24    igw-id    No

In the above scenario, the VPC will always send all traffic for 172.1.0.0/16 over the VPC peer link instead of the propagated VGW destination.

Dynamic Routes:

These routes are distributed by the VGW (Direct Connect and/or VPN). This only happens if "route propagation" is enabled on the associated route table.

Now, let's bring a VGW (Virtual Private Gateway) into the mix. A VGW is a separate router connected to the VPC router. If route propagation is enabled, the best route from the VGW is shared and added to the VPC route table. Dynamic route propagation to the VPC router is a two-step process:

Step 1: The VGW runs an internal selection process to pick the best route for each target. The VGW best-route preference is as below:

  1. Direct Connect routes: DX only supports BGP; users cannot configure static routes over DX.
  2. Static VPN routes
  3. Dynamic VPN routes

Step 2: Only the best route from step 1 is propagated to the VPC route table for each target.

At this stage, there could be a conflict in the VPC route table between routes already present and routes propagated by the VGW. No new rules apply to this scenario; the VPC follows the rules defined earlier.
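The full selection logic, both the VGW's step 1 source preference and the VPC's local / longest-prefix / static-over-propagated rules described above, as an added example written for this article (it is not AWS code, and the route table and learned prefixes are constructed; target labels such as "vgw-id", "igw-id" and "pcx-id" are just names, not real AWS resource ids):

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str          # CIDR, e.g. "172.1.0.0/16"
    target: str               # "local", "vgw-id", "igw-id", ... (label only)
    propagated: bool = False  # True if learned from the VGW, False if static


# Step 1 on the VGW: per-target source preference, lower rank wins
# ("dx" = Direct Connect/BGP, then static VPN, then dynamic VPN).
VGW_SOURCE_RANK = {"dx": 0, "vpn-static": 1, "vpn-dynamic": 2}


def vgw_best_routes(learned):
    """Return {cidr: best_source} for routes the VGW learned as (cidr, source)."""
    best = {}
    for cidr, source in learned:
        if cidr not in best or VGW_SOURCE_RANK[source] < VGW_SOURCE_RANK[best[cidr]]:
            best[cidr] = source
    return best


def propagate(route_table, vgw_best):
    """Step 2: add only the VGW's winners to the VPC route table as propagated routes."""
    return route_table + [Route(cidr, "vgw-id", propagated=True) for cidr in vgw_best]


def select_route(vpc_cidr, route_table, dst_ip):
    """Apply the VPC rules in order: local, longest prefix, static over propagated."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(vpc_cidr):
        return "local"   # rule 1: anything inside the VPC CIDR never leaves the VPC
    matches = [r for r in route_table
               if r.target != "local" and ip in ipaddress.ip_network(r.destination)]
    if not matches:
        return None      # no matching route: the traffic is dropped
    # rule 2: longest prefix wins; rule 3: on an equal prefix, static beats propagated
    best = max(matches, key=lambda r: (ipaddress.ip_network(r.destination).prefixlen,
                                       not r.propagated))
    return best.target


if __name__ == "__main__":
    table = [Route("10.0.0.0/16", "local"), Route("172.1.0.0/24", "igw-id")]
    learned = [("172.1.0.0/16", "vpn-dynamic"), ("172.1.0.0/16", "dx")]  # constructed
    table = propagate(table, vgw_best_routes(learned))
    print(select_route("10.0.0.0/16", table, "172.1.0.10"))  # igw-id
```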

I hope you've found this article useful. Follow me if you are interested in:

  • Python
  • AWS Architecture & Security
  • AWS Serverless solutions