AWS - VPC Route Table Priority

Posted August 17, 2018 by Matthew McGeehan

While studying for the AWS Certified Advanced Networking exam, I came across a few things that I wanted to write down. First on the list is route priority. As a network engineer, I've been taught that the most specific route wins. That is not necessarily the case in a VPC. Instead, the route for the VPC CIDR, which is marked as local in the VPC route table, is always preferred. It does not matter if there is a more specific prefix pointing to a resource outside the VPC.

In the example shown below, resources within the VPC (10.0.0.0/16) will not be able to communicate with the data center (10.0.8.0/24). The VPC router will ignore the more specific route learned from the virtual private gateway. This happens because 10.0.8.0/24 falls inside the 10.0.0.0/16 IP space that the VPC owns, and that space is covered by the local route.

VPC Route Table

  Destination    Target
  10.0.0.0/16    Local
  10.0.8.0/24    vgw-xxxxxxxx
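A practical way to catch this misconfiguration is to scan a route table for non-local entries whose prefix sits inside a local prefix. The following Python is an added example, not code from the original post; it works on a constructed document shaped like one entry of an EC2 DescribeRouteTables response, filled with the post's example values, so it runs offline. The rtb-/vpc-/igw- ids ending in EXAMPLE are placeholders; the Origin strings (CreateRouteTable, CreateRoute, EnableVgwRoutePropagation) are the values the EC2 API uses.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample (not a real API capture) in the shape of one route table
# from a DescribeRouteTables response, using the post's two routes.
SAMPLE_ROUTE_TABLE: Dict = {
    "RouteTableId": "rtb-EXAMPLE",  # placeholder id
    "VpcId": "vpc-EXAMPLE",         # placeholder id
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "10.0.8.0/24", "GatewayId": "vgw-xxxxxxxx",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ],
}


def route_target(route: Dict) -> str:
    """Return whichever target field a route entry carries (exactly one is set)."""
    for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
                "InstanceId", "VpcPeeringConnectionId", "TransitGatewayId"):
        if key in route:
            return route[key]
    return "?"


def shadowed_routes(route_table: Dict) -> List[Tuple[str, str, str]]:
    """List routes the VPC router will never use because their prefix lies
    inside a prefix that is marked local.

    Returns (shadowed CIDR, its target, covering local CIDR) tuples. Only
    IPv4 DestinationCidrBlock entries are examined; entries that use
    DestinationIpv6CidrBlock or DestinationPrefixListId are skipped.
    """
    routes = [r for r in route_table["Routes"] if "DestinationCidrBlock" in r]
    local_nets = [ipaddress.ip_network(r["DestinationCidrBlock"])
                  for r in routes if r.get("GatewayId") == "local"]
    findings = []
    for r in routes:
        if r.get("GatewayId") == "local":
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        for local in local_nets:
            # subnet_of() is also true for an identical prefix.
            if net.version == local.version and net.subnet_of(local):
                findings.append((str(net), route_target(r), str(local)))
                break
    return findings


if __name__ == "__main__":
    for cidr, target, local in shadowed_routes(SAMPLE_ROUTE_TABLE):
        print(f"{cidr} via {target} is unreachable: shadowed by local route {local}")
```

Pointing the function at the `RouteTables` list returned by `describe_route_tables` (one call per table entry) turns it into a quick audit of an account; any finding means traffic for that prefix stays inside the VPC no matter what the VGW advertises.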

AWS VPC Route Table Priority:

The VPC route table uses the following process to determine how to route traffic.

  1. Local routes are the most preferred.
  2. Next, the longest prefix match.
  3. Then static routes, which can point to any of these targets:
    • Internet gateway
    • Virtual private gateway
    • Network interface
    • Instance ID
    • VPC peering connection
    • NAT gateway
    • VPC endpoint

For overlapping routes from a VPN connection or Direct Connect:

  1. First, BGP routes learned over Direct Connect are the most preferred.
  2. Then, static routes from a VPN connection.
  3. Finally, BGP routes learned from a VPN connection.
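To make the two lists above concrete, here is an added Python simulation of the selection order (example code, not from the post or from AWS). It applies local first, then longest prefix, and, at equal prefix length, static before the propagated kinds in the order the second list gives. Treating that second list as a tie-break at equal prefix length is an assumption of this example, as is modelling the post's VGW-learned route as `vpn-bgp`; ids ending in EXAMPLE are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Preference rank used only when prefix length does not decide; lower wins.
# Static routes rank above propagated ones, and the propagated kinds follow
# the post's second list: Direct Connect BGP, then VPN static, then VPN BGP.
# "local" is handled separately because it beats even a more specific prefix.
SOURCE_RANK = {
    "local": 0,
    "static": 1,      # static route entered in the route table
    "dx-bgp": 2,      # learned over BGP on a Direct Connect connection
    "vpn-static": 3,  # static route from a VPN connection
    "vpn-bgp": 4,     # learned over BGP on a VPN connection
}


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR prefix, e.g. "10.0.8.0/24"
    target: str       # e.g. "local", "vgw-xxxxxxxx"
    source: str       # a key of SOURCE_RANK

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination)


def select_route(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route the VPC router would pick for dst_ip, or None.

    1. A local route covering the address wins outright.
    2. Otherwise the longest matching prefix wins.
    3. At equal prefix length, SOURCE_RANK breaks the tie.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table
                  if ip.version == r.network.version and ip in r.network]
    if not candidates:
        return None  # no matching route: the packet is dropped
    for r in candidates:
        if r.source == "local":
            return r
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, SOURCE_RANK[r.source]))


# The post's route table: the VPC CIDR is local, the data-center prefix is
# more specific but learned from the virtual private gateway (assumed vpn-bgp).
POST_TABLE = [
    Route("10.0.0.0/16", "local", "local"),
    Route("10.0.8.0/24", "vgw-xxxxxxxx", "vpn-bgp"),
]

# Constructed table (not from the post) exercising the tie-breaks below local.
TIEBREAK_TABLE = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "igw-EXAMPLE", "static"),
    Route("192.168.0.0/16", "vgw-EXAMPLE", "vpn-bgp"),
    Route("192.168.0.0/16", "vgw-EXAMPLE", "dx-bgp"),
    Route("192.168.10.0/24", "vgw-EXAMPLE", "vpn-bgp"),
]


def explain(table: List[Route], dst_ip: str) -> str:
    r = select_route(table, dst_ip)
    if r is None:
        return f"{dst_ip}: no route, packet dropped"
    return f"{dst_ip}: {r.destination} via {r.target} [{r.source}]"


if __name__ == "__main__":
    print(explain(POST_TABLE, "10.0.8.5"))  # local wins over the /24
    for ip in ("192.168.10.7", "192.168.1.1", "8.8.8.8", "172.16.0.1"):
        print(explain(TIEBREAK_TABLE, ip))
```

The first call reproduces the post's point: 10.0.8.5 is sent to `local` even though a /24 covering it exists. The constructed table shows the rest of the order: 192.168.10.7 takes the /24 over the two /16 entries, 192.168.1.1 picks the Direct Connect BGP /16 over the identical VPN BGP /16, and everything else falls to the static default route.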