Policy-based routes

This document provides an overview of Policy-based Routing.

Policy-based routes let you select a next hop based on more than a packet's destination IP address. You can match traffic by protocol and source IP address as well. Matching traffic is redirected to an internal passthrough Network Load Balancer. This can help you insert appliances such as firewalls into the path of network traffic.

Specifications

• When you create a policy-based route, you select which resources the policy-based route applies to. The route can apply to:
  • All VM instances, Cloud Interconnect VLAN attachments, and Cloud VPN tunnels that are in the same VPC network as the route
  • Only VM instances that are in the same VPC network as the route and identified by network tags
  • Only VLAN attachments that are in a specific region of the same VPC network as the route. You can't create a policy-based route that only applies to a single VLAN attachment or Cloud VPN tunnel
• The next hop of a policy-based route must be a valid internal passthrough Network Load Balancer. This internal passthrough Network Load Balancer must either be in the same VPC network as the policy-based route or in a VPC network that is connected to the route's VPC network through VPC Network Peering.
• The backend VM instances of the next hop internal passthrough Network Load Balancer must have IP forwarding enabled.
• Policy-based routes are evaluated before subnet routes, static routes, and dynamic routes, but after special routing paths. For more information, see the Policy-based routes step in the routing order.
• If two or more policy-based routes have the same priority, and a packet's characteristics match at least two of those policy-based routes, Google Cloud selects a single policy-based route by using an internal algorithm. The selected policy-based route might not be the most specific match for the packet's characteristics because policy-based routes don't use longest-prefix matching. Make sure that all policy-based routes in the same VPC network have unique priorities.
• A policy-based route can apply to either IPv4 or IPv6 traffic.
• You can create a single rule for one-way traffic or multiple rules to handle bidirectional traffic.

Limitations

• Policy-based routes are not exchanged between VPC networks that are connected through VPC Network Peering.
• Policy-based routes are not exchanged between Network Connectivity Center spokes and hubs.
• Policy-based routes don't support matching traffic based on port.
• It is not possible to update a policy-based route after it is created. If you want to update a route, delete the route and then create a new one.
• The internal passthrough Network Load Balancer forwarding rule must have a dedicated IP address that's not used by any other internal passthrough Network Load Balancer. Using a shared IP address (IP address purpose set to SHARED_LOADBALANCER_VIP) is not supported.
• Policy-based routes can interfere with communication between the GKE control plane and nodes. For more information, see Use policy-based routes with GKE.
• Policy-based routes can't route packets to Private Service Connect endpoints or backends.
  • For information about using policy-based routes in VPC networks with endpoints or backends that access published services, see Policy-based routes and Private Service Connect for published services.
  • For information about using policy-based routes in VPC networks with endpoints or backends that access Google APIs and services, see Policy-based routes and accessing Google APIs and services.
• Only VLAN attachments that use Dataplane v2 can use policy-based routes. To inspect your VLAN attachment to check what version it uses, see the instructions for Dedicated Interconnect or Partner Interconnect.

Skipping other policy-based routes

You can create a policy-based route that skips other policy-based routes by using the Google Cloud CLI or sending an API request. For the gcloud CLI, use the --next-hop-other-routes=DEFAULT_ROUTING flag. For an API request, include "nextHopOtherRoutes": "DEFAULT_ROUTING" with the request body.

If a policy-based route of this type matches a packet's characteristics and has a higher priority than other matching policy-based routes, Google Cloud ignores the other policy-based routes and proceeds to the most specific destination step of the VPC routing order.

For example, consider a policy-based route that uses a next hop internal passthrough Network Load Balancer. This policy-based route has a source range of 0.0.0.0/0 and a network tag of compute-vm.

To skip evaluation of the first policy-based route when packet sources match a specific IP address range, create a higher-priority policy-based route that is configured to skip other policy-based routes. Set the source IP address range for this higher-priority policy-based route to the source IP address range of the systems that need to skip policy-based routing.

Quota

There is a limit for how many policy-based routes you can create in a single project. For more information, see the per-project quotas in the VPC documentation.