Understanding Route Tables in Your AWS VPC (part 3)

Blog ENG - AWS - Post 6

When managing your Virtual Private Cloud (VPC), one crucial aspect is controlling the routing path of traffic entering your VPC. This is where gateway route tables come into play. A gateway route table can be associated with either an internet gateway or a virtual private gateway, providing fine-grained control over the routing path.

What is a Gateway Route Table?

A gateway route table is a route table associated with a gateway, either an internet gateway or a virtual private gateway. This association allows you to intercept and redirect traffic entering your VPC. For instance, you can redirect traffic entering through an internet gateway to a middlebox appliance, such as a security appliance, within your VPC.

Targets for Gateway Route Tables

Depending on the type of gateway, the supported targets for routes in a gateway route table vary:

  • Internet Gateway:
    • The default local route
    • A Gateway Load Balancer endpoint
    • A network interface for a middlebox appliance
  • Virtual Private Gateway:
    • The default local route
    • A Gateway Load Balancer endpoint
    • A network interface for a middlebox appliance

Allowed Destinations

When the target is a Gateway Load Balancer endpoint or a network interface, the following destinations are allowed:

  • The entire IPv4 or IPv6 CIDR block of your VPC, replacing the target of the default local route.
  • The entire IPv4 or IPv6 CIDR block of a subnet in your VPC, which is a more specific route than the default local route.

If you change the target of the local route in a gateway route table to a network interface in your VPC, you can later restore it to the default local target.

Rules and Considerations

There are specific rules and considerations to keep in mind when associating a route table with a gateway:

  • The route table must not contain existing routes with targets other than a network interface, Gateway Load Balancer endpoint, or the default local route.
  • The route table must not contain existing routes to CIDR blocks outside of the ranges in your VPC.
  • Route propagation must not be enabled for the route table.
  • You cannot add routes to any CIDR blocks outside of the ranges in your VPC, including ranges larger than the individual VPC CIDR blocks.
  • Only local, a Gateway Load Balancer endpoint, or a network interface can be specified as a target. Other types of targets, including individual host IP addresses, are not allowed.
  • Prefix lists cannot be specified as a destination.
  • Gateway route tables cannot be used to control or intercept traffic outside of your VPC, such as traffic through an attached transit gateway. They can only intercept traffic that enters your VPC and redirect it to another target within the same VPC.
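The allowed destinations and the association rules above can be turned into a pre-check that a candidate route table is validated against before it is associated with a gateway. The following is an added example, not code from this post or from AWS; the VPC and subnet CIDRs, the resource ids and the route dictionaries are constructed values, and the target-prefix convention (`local`, `vpce-`, `eni-`) is an assumption of the example.

```python
import ipaddress

# Constructed example VPC (two IPv4 CIDR blocks, two subnets); not taken from the post.
VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]
SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]

# The only targets a gateway route table may carry: the local route, a Gateway
# Load Balancer endpoint (vpce-...) or a middlebox network interface (eni-...).
ALLOWED_TARGETS = ("local", "vpce-", "eni-")


def check_gateway_route_table(routes, propagation_enabled,
                              vpc_cidrs=VPC_CIDRS, subnet_cidrs=SUBNET_CIDRS):
    """Return the list of rule violations for a candidate route table.

    An empty list means the table satisfies the association rules for an
    internet gateway or virtual private gateway.  Each route is a dict with
    "destination" (a CIDR, or a prefix-list id such as "pl-...") and "target".
    """
    problems = []
    if propagation_enabled:
        problems.append("route propagation must be disabled")
    vpc_nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    subnet_nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    for route in routes:
        dest, target = route["destination"], route["target"]
        if not target.startswith(ALLOWED_TARGETS):
            problems.append(f"{dest}: target {target} is not local, a GWLB endpoint or an ENI")
        if dest.startswith("pl-"):
            problems.append(f"{dest}: prefix lists cannot be a destination")
            continue
        net = ipaddress.ip_network(dest)
        if target == "local" or net in vpc_nets or net in subnet_nets:
            continue  # default local route, or a whole-VPC / whole-subnet destination
        same_family = [v for v in vpc_nets if v.version == net.version]
        if any(net.subnet_of(v) for v in same_family):
            problems.append(f"{dest}: inside the VPC but not a whole VPC or subnet CIDR")
        else:
            problems.append(f"{dest}: outside the VPC ranges (or larger than a VPC CIDR)")
    return problems


def demo():
    """Constructed candidate tables: one valid, one breaking several rules."""
    valid = [{"destination": "10.0.0.0/16", "target": "local"},
             {"destination": "10.0.1.0/24", "target": "eni-0123456789abcdef0"}]
    invalid = [{"destination": "0.0.0.0/0", "target": "igw-0123456789abcdef0"},
               {"destination": "10.0.0.0/8", "target": "eni-0123456789abcdef0"},
               {"destination": "10.0.1.0/25", "target": "vpce-0123456789abcdef0"},
               {"destination": "pl-0123456789abcdef0", "target": "eni-0123456789abcdef0"}]
    return check_gateway_route_table(valid, False), check_gateway_route_table(invalid, True)
```

The check covers only what can be judged from the table itself; whether the target interface is attached to a running instance with a public IP, and whether return traffic is routed symmetrically, still has to be verified against the live environment.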

Ensuring Traffic Flow

To ensure that traffic reaches your middlebox appliance, the target network interface must be attached to a running instance. For traffic flowing through an internet gateway, the target network interface must also have a public IP address.

When configuring your middlebox appliance, consider the following:

  • The return traffic from the destination subnet must be routed through the same appliance, as asymmetric routing is not supported.
  • Route table rules apply to all traffic that leaves a subnet, defined as traffic destined to that subnet’s gateway router’s MAC address. Traffic destined for the MAC address of another network interface in the subnet uses data link (layer 2) routing instead of network (layer 3), so the rules do not apply to this traffic.

Lastly, note that not all Local Zones support edge association with virtual private gateways.

By understanding and properly configuring gateway route tables, you can effectively manage and secure the traffic entering your VPC, ensuring a robust and efficient network architecture.