Working with VCN Route Tables and Route Rules
Learn about VCN route tables and route rules.
Each VCN automatically comes with a default route table that has implicit rules which include the routes for VCN CIDRs. If you don't specify otherwise, every subnet uses the VCN's default route table. When you add route rules to your VCN, you can simply add them to the default table. However, you can create custom route tables for each subnet if needed. For example, when you have a public subnet and a private subnet in your VCN (for an example, see Scenario C: Public and Private Subnets with a VPN), you'll need to use different route tables for the subnets because the route rules for the subnets need to be different.
Each subnet in a VCN uses a single route table. When you create the subnet, you specify which one to use. You can change which route table the subnet uses at any time. You can also edit a route table's rules, or remove all the rules from the table.
You can optionally assign a descriptive name to a custom route table during creation. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the route table a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.
A route rule specifies a destination CIDR block and the target (the next hop) for any traffic that matches that CIDR. Here are the allowed types of targets for a route rule:
- Dynamic Routing Gateway (DRG): For subnets that need private access to networks connected to your VCN (for example, your on-premises network connected with a Site-to-Site VPN or FastConnect, a peered VCN in the same region, or a peered VCN in another region).
- Internet gateway: For public subnets that need direct access to the internet.
- NAT gateway: For subnets with instances that do not have public IP addresses but need outbound access to the internet.
- Service gateway: For subnets that need private access to Oracle services such as Object Storage.
- Local peering gateway (LPG): For subnets that need private access to a peered VCN in the same region.
- Private IP: For subnets that need to route traffic to an instance in the VCN. For more information, see Using a Private IP as a Route Target. Also see Overview of Routing for Your VCN.
You can't delete a particular resource when it is the target for a route rule. For example, you can't delete an internet gateway that has traffic routed to it. Delete all rules (in all route tables) with that internet gateway as the target before you try to delete the gateway or other resource.
When adding a route rule to a route table, you provide the destination CIDR block and target (plus the compartment where the target resides). Exception: if the target is a service gateway , instead of a destination CIDR block, you specify an Oracle-provided string that represents the public endpoints for the service of interest. That way you don't need to know all the service's CIDR blocks, which might change over time.
If you misconfigure a rule (for example, enter the wrong destination CIDR block), the network traffic you intended to route might be dropped (blackholed) or sent to an unintended target.
You can move route tables from one compartment to another. Moving a route table doesn't affect its attachment to VCNs or subnets. When you move a route table to a new compartment, inherent policies apply immediately and affect access to the route table. For more information, see Access Control.
You can't delete a VCN's default route table. To delete a custom route table, it must not be associated with a subnet or a gateway, such as DRG, LPG, IGW, NGW or SGW.
See Service Limits for a list of applicable limits and instructions for requesting a limit increase.
The following management tasks can be performed with route tables:
For each VCN subnet that must send traffic to a connected DRG, you must add a route rule to the VCN route table associated with that subnet. If all the subnets in the VCN use the default route table, you must add a rule to only that one table.
If all non-intra-VCN traffic that's not covered by another rule in the table must be routed to the DRG, add this new rule:
- Target Type: Dynamic Routing Gateway. The VCN's attached DRG is automatically selected as the target, and you don't have to specify the target yourself.
- Destination CIDR Block = 0.0.0.0/0. If you want to limit the rule to a specific network (for example, your on-premises network), then use that network's CIDR instead of 0.0.0.0/0.
For step-by-step instructions, see Updating a VCN Route Table's Rules.
Perform this task only if you're setting up an advanced scenario for transit routing. See Transit Routing inside a hub VCN and Private Access to Oracle Services.
A DRG attachment always has a route table associated with it, but you can associate a different route table, edit the table's rules, or delete some or all rules.
Prerequisites: the VCN that the DRG is already attached to must have a route table.
-
- Click the DRG that is attached to the VCN that has the route table you want to use with the attachment.
-
Click the Actions menu (
), and then click either:- Associate Route Table: If the DRG attachment has no route table associated with it yet.
- Associate Different Route Table: If you're changing which route table is associated with the DRG attachment.
- Select the route table.
- Click Associate Route Table.
The route table is now associated with the DRG attachment.