Did this page help you? Yes No Tell us about it...

Route Tables

Topics

This section describes route tables in your VPC and how they work.

Basic Things to Know about Route Tables

Here are the basic things you need to know about VPC route tables:

Your VPC has an implicit router (represented by the R enclosed in a circle in the diagrams in this guide).
Your VPC automatically comes with a modifiable main route table.
You can create other route tables in your VPC (for the limit on the number you can create, see Appendix B: Limits).
Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular table, the subnet uses the main route table.
You can replace the main route table with a custom table you've created (if you want a different table to be the default table each new subnet is associated with).
Each route in a table specifies a destination CIDR and a target (e.g., traffic destined for 172.16.0.0/8 is targeted for the virtual private gateway); we use the most specific route that matches the traffic to determine how to route the traffic.

Route Table Details

When you create a VPC, it automatically has a main route table. The following image from the VPC console shows the main route table in the list of route tables for a VPC.

Initially the main route table (and every route table in a VPC) contains only a single route: a local route that enables communication within the VPC. The following diagram shows an empty VPC with a main route table.

You can't modify the local route in a route table. Whenever you launch an instance in the VPC, the local route automatically covers that instance; you don't need to add the new instance to a route table.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. Multiple subnets can be associated with the same route table, but a subnet can be associated with only one route table.

If you don't explicitly associate a subnet with a table, the subnet is implicitly associated with the main route table. However, you can still explicitly associate a subnet with the main route table. You might do that if you change which table is the main route table (see Replacing the Main Route Table).

The console shows the number of subnets associated with each table. Only explicit associations are included in that number (see Determining Which Subnets Are Explicitly Associated with a Table).

When you add a gateway to the VPC (either an Internet gateway or a virtual private gateway), you must update the route table for any subnet that needs to use that gateway. For example, in the following diagram, you've added a virtual private gateway and a subnet that needs to use that gateway. The subnet uses the main route table by default, so you add a route to the main table that routes all the subnet's traffic to the VPN gateway.

Main route table with route for virtual private gateway

	Note
	When you use the wizard in the console to create a VPC with a gateway, the wizard automatically updates VPC's routing appropriately for the gateway. If you're using the command line tools or API to set up your VPC, you must update the routing yourself.

Custom Route Tables

Your VPC can have other route tables than the default table. One way to protect your VPC is to leave the main route table in its original default state (with only the local route), and explicitly associate each new subnet you create with one of the custom route tables you've created. This ensures that you must explicitly control how each subnet's outbound traffic is routed.

The following diagram shows the routing for the VPC from scenario 3 earlier in this guide (see Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access). The VPC has both an Internet gateway and a virtual private gateway, plus a public subnet and a VPN-only subnet. The VPC has a main route table which came with the VPC (labeled 1 in the diagram), and a custom route table that is associated with the public subnet (labeled 2).

The custom route table has a route to cover the public subnet's communication over the Internet gateway (Destination=0.0.0.0/0, and Target=Internet gateway).

The main route table also has a route to cover the VPN-only subnet's communication over the VPN gateway.

The VPN-only subnet isn't explicitly associated with any route table, so it uses the main route table. This implicit association is indicated in the diagram by an absence of a line between the VPN-only subnet and the table.

The custom route table is explicitly associated with the private subnet, so the table is connected with a line to the subnet in the diagram.

If you were to create a new subnet in this VPC, it would automatically be associated with the main route table, which routes its traffic to the virtual private gateway in this scenario. For the purposes of controlling your subnet's exposure to the Internet, this is the preferred configuration. If you were to set up the reverse configuration (the main route table with the route to the Internet gateway, and the custom route table with the route to the virtual private gateway), then when you created a new subnet, it would automatically have a route to the Internet gateway.

Adding Multiple VPN Connections

You can add up to ten VPN connections to a single VPC. Multiple VPN connections enable you to establish VPN connections from each of your branch offices to your VPC. For example, if you have offices in Los Angeles, Chicago, New York, and Miami, you can link each of these offices to your VPC. In addition, multiple VPN connections provide for hardware redundancy. You can configure a second Customer Gateway on the same physical network as your first Customer Gateway. If one Customer Gateway needs to be taken down for maintenance, traffic continues to flow with the VPC over the second Customer Gateway.

Working with Route Tables

Topics

This section gives procedures for working with route tables.

Determining Which Route Table A Subnet Is Associated With

You can determine which route table a subnet is associated with by looking at the subnet's details in the AWS Management Console.

To determine which route table a subnet is associated with

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Subnets, and then select the check box for the subnet.
Its details are displayed in the lower pane. The ID of the route table the subnet is associated with is included in the details (see the following image). If it's the main route table, the console doesn't indicate whether the association is implicit or explicit. To determine if the association to the main route table is explicit, see Determining Which Subnets Are Explicitly Associated with a Table.

Determining Which Subnets Are Explicitly Associated with a Table

You can determine how many and which subnets are explicitly associated with a route table.

The main route table can have explicit and implicit associations. Custom route tables have only explicit associations.

Subnets that aren't explicitly associated with any route table have an implicit association with the main route table. You can explicitly associate a subnet with the main route table (for an example of why you might do that, see Replacing the Main Route Table).

To determine how many subnets are explicitly associated

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Route Tables.
Your VPC's route tables are listed. The list includes an Associated With column that indicates the number of explicitly associated subnets.

To determine which subnets are explicitly associated

Select the check box for the route table of interest.
Its details are displayed in the lower pane.
Click the Associations tab.
The subnets explicitly associated with the table are listed on the tab. The subnets not associated with any route table (and thus implicitly associated with the main route table) are also listed.

Creating a Custom Route Table

Depending on your situation, you might need to create your own route tables. Some of the scenarios presented in this guide include instructions for creating your own route table. For more information, see Task 3: Create a Custom Route Table and Add Routes in scenario 2.

Adding and Removing Routes from a Table

You can't modify routes in a table; you can only add and delete routes.

Some of the scenarios presented in this guide include instructions for adding routes to route tables. For more information, see Task 3: Create a Custom Route Table and Add Routes in scenario 2.

To delete a route from a table

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Route Tables, and then select the check box for the route table.
Right-click the route you want to delete, and then click Delete.
In the Delete Route Table dialog box, click Yes, Delete.
The route is deleted from the route table.

Associating a Subnet with a Route Table

To apply a route table's routes to a particular subnet, you must associate the route table with the subnet. A route table can be associated with multiple subnets; however, a subnet can be associated with only one route table. Any subnet not explicitly associated with a table is implicitly associated with the main route table by default.

To associate a table with a subnet

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Route Tables.
Your VPC's route tables are listed.
Select the check box for the route table.
In the lower pane, on the Associations tab, select the subnet to associate with the table and click Associate.
In the Associate Route Table dialog box, click Yes, Associate.
The route table is associated with the subnet. The instances in the subnet are now subject to the routes in the table.

Changing a Subnet's Route Table

You can change which route table a subnet is associated with. For example, when you create a subnet, it is implicitly associated with the main route table. You might want to instead associate it with a custom route table you've created.

To change a subnet's route table association

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Subnets, and then select the check box for the subnet.
In the lower pane, next to the ID of the route table associated with the subnet, click Replace.
The Replace Route Table dialog box is displayed.
From the drop-down list, select the route table to associate the subnet with and click Yes, Replace.
The subnet is associated with the route table. The instances in the subnet are now subject to the routes in the new table.

Disassociating a Subnet from a Route Table

You might want to disassociate a subnet from a route table. For example, you might have a subnet that is associated with a custom route table, and you instead want it associated with the main route table. By disassociating the subnet from the custom route table, the subnet implicitly becomes associated with the main route table.

To disassociate a subnet from a route table

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Route Tables.
Select the route table you want to disassociate, and then in the lower pane, click its Associations tab.
On the tab, you can verify that the subnet is currently associated with the table.
Click Disassociate for the subnet you want to disassociate.
In the Disassociate Route Table dialog box, click Yes, Disassociate.
The subnet is no longer associated with the route table; it's now implicitly associated with the main route table. You can confirm this association by looking at the subnet's details on the Subnets page.

Replacing the Main Route Table

The main route table is the default table that subnets use if they're not explicitly associated with another table. When you add new subnets, they automatically use the routes specified in the main route table. You can change which table is labeled main (and thus change the default for new subnets).

Subnets can be implicitly or explicitly associated with the main route table. Subnets typically won't have an explicit association to the main route table, although it might happen temporarily if you're replacing the main route table.

You might want to make changes to the main route table, but to avoid any disruption to your traffic, you decide to first test the route changes using a custom route table. After you're satisfied with the testing, you then replace the main route table with the new custom table. The following series of diagrams illustrates the process in more detail.

In the first diagram, you have a VPC with two subnets that are implicitly associated with the main route table (Route Table A).

Note that if you add any additional subnets, they are implicitly associated with the main route table by default. The following diagram illustrates that concept with the addition of Subnet3 and Subnet4.

You want to make a change to the main route table, but you want to test it first with Subnet1. So you create a custom route table (Route Table B) with the same routes as Route Table A and explicitly associate Subnet1 with the new table. The following diagram shows Subnet1 explicitly associated with the new route table.

After you've tested the changes, you replace the main route table association with the new custom route table you just tested. After you do this, Route Table B is now the main route table. As shown in the following diagram, Subnet1 still has an explicit association with the new main route table, and the other subnets have implicit associations with it. Route Table A is no longer in use.

You then disassociate Subnet1 from the new main route table, leaving an implicit association as shown in the following diagram. If you no longer need Route Table A, you can delete it.

Replace main table: Disassociate subnet #1

The following procedure describes how to change which table is the main route table in your VPC.

To replace the main route table

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Route Tables.
Locate the route table that you want to be the new main route table, and then right-click the table and select Set as Main Table.
In the Set Main Route Table dialog box, click Yes, Set.
The table is now the new main route table. You can confirm this by looking at the table in the list of tables.

The following procedure describes how to remove an explicit association between a subnet and the main route table. The result is an implicit association between the subnet and the main route table. The process is the same as disassociating any subnet from any route table.

To remove an explicit association with the main route table

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Route Tables.
On the Route Tables page, select the main route table and click its Associations tab.
Click Disassociate.
In the Disassociate Route Table dialog box, click Yes, Disassociate.
The subnet is now implicitly associated with the main route table. You can confirm this by refreshing the page and looking at the associations for the table.

Deleting a Route Table

You can delete a route table only if there are no subnets associated with it. You can't delete the main route table.

To delete a route table

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the Navigation pane, click Route Tables page.
Select the check box for the route table and click Delete.
In the Delete Route Table dialog box, click Yes, Delete.

VPC to VPC Communication

If you’re using multiple VPCs, you can enable communication between them through the Internet or through your own virtual private gateways. If you use the virtual private gateway to communicate between the VPCs, you will experience slower connections and will pay standard data transfer rates. It is not possible for VPCs to communicate with each other without using an Internet Gateway or a Virtual Private Gateway.

The following diagram shows how you can send data from VPC to VPC in the same region when those VPCs are not linked internally within AWS.

API and Command Overview

The following table summarizes the available route table commands and corresponding API actions. For more information about the commands, go to the Amazon Elastic Compute Cloud Command Line Reference. For more information about the API actions, go to the Amazon Elastic Compute Cloud API Reference.

Command and API Action	Description
`ec2-create-route-table` `CreateRouteTable`	Creates a custom route table for your VPC.
`ec2-describe-route-tables` `DescribeRouteTables`	Lists the route tables in your VPC.
`ec2-delete-route-table` `DeleteRouteTable`	Deletes a route table from your VPC.
`ec2-create-route` `CreateRoute`	Adds a new route to a route table.
`ec2-delete-route` `DeleteRoute`	Removes a route from a route table.
`ec2-replace-route` `ReplaceRoute`	Replaces an existing route in a route table (i.e., changes the target for a destination CIDR range specified in the route table).
`ec2-associate-route-table` `AssociateRouteTable`	Associates a subnet with a route table.
`ec2-disassociate-route-table` `DisassociateRouteTable`	Disassociates a subnet from a route table.
`ec2-replace-route-table-association` `ReplaceRouteTableAssociation`	Changes the route table that a subnet is associated with. Also changes which route table is the main route table.

Document Conventions
Terms of Use

Did this page help you? Yes No Tell us about it...