Policy-based routes
This document provides an overview of Policy-based Routing.
Policy-based routes let you select a next hop based on more than a packet's destination IP address. You can match traffic by protocol and source IP address as well. Matching traffic is redirected to an internal passthrough Network Load Balancer. This can help you insert appliances such as firewalls into the path of network traffic.
Specifications
- When you create a policy-based route, you select which resources the policy-based route applies to. The route can apply to:
  - All VM instances, Cloud Interconnect VLAN attachments, and Cloud VPN tunnels that are in the same VPC network as the route
  - Only VM instances that are in the same VPC network as the route and identified by network tags
  - Only VLAN attachments that are in a specific region of the same VPC network as the route. You can't create a policy-based route that only applies to a single VLAN attachment or Cloud VPN tunnel.
- The next hop of a policy-based route must be a valid internal passthrough Network Load Balancer. This internal passthrough Network Load Balancer must either be in the same VPC network as the policy-based route or in a VPC network that is connected to the route's VPC network through VPC Network Peering.
- The backend VM instances of the next hop internal passthrough Network Load Balancer must have IP forwarding enabled.
- Policy-based routes are evaluated before subnet routes, static routes, and dynamic routes, but after special routing paths. For more information, see the Policy-based routes step in the routing order.
- If two or more policy-based routes have the same priority, and a packet's characteristics match at least two of those policy-based routes, Google Cloud selects a single policy-based route by using an internal algorithm. The selected policy-based route might not be the most specific match for the packet's characteristics because policy-based routes don't use longest-prefix matching. Make sure that all policy-based routes in the same VPC network have unique priorities.
- A policy-based route can apply to either IPv4 or IPv6 traffic.
- You can create a single rule for one-way traffic or multiple rules to handle bidirectional traffic.
Limitations
- Policy-based routes are not exchanged between VPC networks that are connected through VPC Network Peering.
- Policy-based routes are not exchanged between Network Connectivity Center spokes and hubs.
- Policy-based routes don't support matching traffic based on port.
- It is not possible to update a policy-based route after it is created. If you want to update a route, delete the route and then create a new one.
- The internal passthrough Network Load Balancer forwarding rule must have a dedicated IP address that's not used by any other internal passthrough Network Load Balancer. Using a shared IP address (IP address purpose set to SHARED_LOADBALANCER_VIP) is not supported.
- Policy-based routes can interfere with communication between the GKE control plane and nodes. For more information, see Use policy-based routes with GKE.
- Policy-based routes can't route packets to Private Service Connect endpoints or backends.
- For information about using policy-based routes in VPC networks with endpoints or backends that access published services, see Policy-based routes and Private Service Connect for published services.
- For information about using policy-based routes in VPC networks with endpoints or backends that access Google APIs and services, see Policy-based routes and accessing Google APIs and services.
- Only VLAN attachments that use Dataplane v2 can use policy-based routes. To inspect your VLAN attachment to check what version it uses, see the instructions for Dedicated Interconnect or Partner Interconnect.
Skipping other policy-based routes
You can create a policy-based route that skips other policy-based routes by using the Google Cloud CLI or sending an API request. For the gcloud CLI, use the --next-hop-other-routes=DEFAULT_ROUTING flag. For an API request, include "nextHopOtherRoutes": "DEFAULT_ROUTING" with the request body.
If a policy-based route of this type matches a packet's characteristics and has a higher priority than other matching policy-based routes, Google Cloud ignores the other policy-based routes and proceeds to the most specific destination step of the VPC routing order.
For example, consider a policy-based route that uses a next hop internal passthrough Network Load Balancer. This policy-based route has a source range of 0.0.0.0/0 and a network tag of compute-vm.
To skip evaluation of the first policy-based route when packet sources match a specific IP address range, create a higher-priority policy-based route that is configured to skip other policy-based routes. Set the source IP address range for this higher-priority policy-based route to the source IP address range of the systems that need to skip policy-based routing.
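The following Python model is an added example, not Google Cloud code, that walks through the evaluation described in this section and in the Specifications above: routes are tried in priority order, a matching route with nextHopOtherRoutes set to DEFAULT_ROUTING stops policy-based route evaluation and falls through to the normal routing order, and duplicate priorities are rejected because Google Cloud would otherwise pick a match by an internal algorithm. The route names, the load balancer IP address 10.0.100.10, the bypass source range 10.9.0.0/24, and the packet values are constructed for the example; only the compute-vm tag, the 0.0.0.0/0 source range and the DEFAULT_ROUTING value come from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

DEFAULT_ROUTING = "DEFAULT_ROUTING"  # nextHopOtherRoutes value from the documentation


@dataclass(frozen=True)
class PolicyBasedRoute:
    name: str
    priority: int                              # lower value is evaluated first
    source_range: str                          # CIDR; its family decides IPv4 vs IPv6
    destination_range: Optional[str] = None    # None = any destination
    protocol: str = "ALL"                      # ALL, TCP or UDP; ports cannot be matched
    tags: FrozenSet[str] = frozenset()         # empty = all instances in the network
    next_hop_ilb_ip: Optional[str] = None      # internal passthrough NLB forwarding rule IP
    next_hop_other_routes: Optional[str] = None  # DEFAULT_ROUTING skips later PBRs

    def matches(self, src: str, dst: str, proto: str, vm_tags: FrozenSet[str]) -> bool:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 'in' is False across address families, so an IPv4 route never
        # matches IPv6 traffic and vice versa (a route is IPv4 or IPv6, not both).
        if src_ip not in ipaddress.ip_network(self.source_range, strict=False):
            return False
        if self.destination_range is not None and dst_ip not in ipaddress.ip_network(
            self.destination_range, strict=False
        ):
            return False
        if self.protocol != "ALL" and self.protocol != proto.upper():
            return False
        return not self.tags or bool(self.tags & vm_tags)


def duplicate_priorities(routes: Iterable[PolicyBasedRoute]) -> List[int]:
    """Priorities shared by two or more routes; the docs ask for these to be unique."""
    seen, dups = set(), []
    for route in routes:
        if route.priority in seen and route.priority not in dups:
            dups.append(route.priority)
        seen.add(route.priority)
    return dups


def resolve_next_hop(
    routes: List[PolicyBasedRoute], src: str, dst: str, proto: str, vm_tags: Iterable[str] = ()
) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (decision, next_hop_ip, matched_route_name).

    decision is 'ilb' when a policy-based route redirects the packet to its
    load balancer, or 'default' when no route matches or the highest-priority
    match is a DEFAULT_ROUTING route, in which case evaluation continues with
    the most specific destination step of the VPC routing order.
    """
    dups = duplicate_priorities(routes)
    if dups:
        raise ValueError(f"policy-based routes share priorities {dups}; make them unique")
    tags = frozenset(vm_tags)
    for route in sorted(routes, key=lambda r: r.priority):
        if not route.matches(src, dst, proto, tags):
            continue
        if route.next_hop_other_routes == DEFAULT_ROUTING:
            return ("default", None, route.name)   # remaining PBRs are ignored
        return ("ilb", route.next_hop_ilb_ip, route.name)
    return ("default", None, None)


# Constructed scenario: everything from tagged VMs goes to the firewall's
# load balancer, except traffic from the management range, which bypasses it.
ROUTES = [
    PolicyBasedRoute("to-firewall", 1000, "0.0.0.0/0", tags=frozenset({"compute-vm"}),
                     next_hop_ilb_ip="10.0.100.10"),
    PolicyBasedRoute("bypass-mgmt", 100, "10.9.0.0/24",
                     next_hop_other_routes=DEFAULT_ROUTING),
]

if __name__ == "__main__":
    for src, tags in (("10.1.2.3", {"compute-vm"}), ("10.9.0.5", {"compute-vm"}), ("10.1.2.3", set())):
        print(src, sorted(tags), "->", resolve_next_hop(ROUTES, src, "192.0.2.10", "tcp", tags))
```

Running the block prints the decision for a tagged VM in the general range (sent to the load balancer), a tagged VM in the management range (bypass route wins on priority) and an untagged VM (no match, normal routing).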
Quota
There is a limit for how many policy-based routes you can create in a single project. For more information, see the per-project quotas in the VPC documentation.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.