Routes in GCP Explained: System Routes, Custom Routes, and Cloud Router

When a VM in your VPC sends a packet, GCP has to decide where to forward it next. That decision is made by the routing table. Routes are the entries in that table. Each one says: for traffic going to this destination, forward it here. Understanding routes is essential for hybrid connectivity, appliance routing, and anything beyond the simplest GCP setup.

This page explains how GCP routing works from first principles: what routes GCP creates automatically, how to add your own, when to use Cloud Router for dynamic routing, and how routes relate to firewall rules and other networking controls.

Simple explanation

A route is an instruction. It tells GCP: when a VM sends traffic to this range of IP addresses, forward it to this next hop. That next hop might be the internet gateway, a VPN tunnel, another VM acting as a firewall, or a specific IP address inside the VPC.

Analogy

Think of routes as road signs directing couriers to the right exit from a building. Firewall rules are the security desk deciding which couriers are allowed through at all. The courier needs both: correct directions and clearance to pass.

Note

Routes only affect outbound forwarding decisions. They determine where traffic goes, not whether it is allowed. Allowing or blocking traffic is the job of firewall rules. These are separate, independent mechanisms — a packet needs both a valid route and passing firewall rules to reach its destination.

How routing works in a GCP VPC

When a VM sends a packet, GCP looks at the destination IP and finds all routes whose destination range includes that IP. It then selects the best match using this logic:

  1. Longest prefix match: the most specific destination range wins. A /28 beats a /16 when both match the destination IP. This rule always takes precedence.
  2. Priority: if two routes cover the same prefix length, the one with the lower priority number wins. Priority 100 beats priority 1000.
  3. ECMP: if two routes share the same prefix length and priority, GCP distributes traffic across all matching routes using equal-cost multi-path routing. This is useful for balancing load across multiple VPN tunnels.

Analogy

Think of it like a GPS with multiple routes to a destination. The most specific road wins (a street-level turn beats a highway exit). If two options are equally specific, the one with the lower “cost” wins. If they are truly equal, the GPS splits the journey across both.

Every route specifies a next hop. The available next hop types are:

  • Default internet gateway: for outbound internet traffic from VMs with external IPs
  • VM instance: used for appliance-style routing through a firewall VM, IDS, or proxy
  • IP address: a specific internal IP within the VPC
  • VPN tunnel: for traffic going to on-premises or other networks via Cloud VPN
  • Cloud Router (BGP): for dynamically learned routes over a BGP session

Routes are defined at the VPC level and apply to all VMs in the network by default. You can restrict a route to specific VMs by adding a network tag to the route. Only VMs carrying that tag will use it for outbound traffic. Tags have no effect on which traffic arrives at those VMs.
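The selection rules above (longest prefix, then lowest priority number, then ECMP) together with the tag filter can be checked against a table before you touch a real VPC. The following is an added example, not code from the page or from Google: a small simulator over a constructed route table shaped like the JSON that gcloud compute routes list --format=json returns (field names follow the Compute API; the route names, ranges, priorities and tags are invented for the example). It also shows why a broad custom route, even a tagged 0.0.0.0/0 one with a low priority number, never captures traffic that a more specific subnet route already covers.

```python
import ipaddress

# Constructed routing table for this example, shaped like the JSON that
# `gcloud compute routes list --format=json` returns (field names follow the
# Compute API: destRange, priority, tags, nextHop*). Names, ranges and
# priorities are made up for illustration.
ROUTES = [
    {"name": "default-route-internet", "destRange": "0.0.0.0/0", "priority": 1000,
     "tags": [], "nextHopGateway": "default-internet-gateway"},
    {"name": "subnet-route-us-central1", "destRange": "10.10.0.0/20", "priority": 0,
     "tags": [], "nextHopNetwork": "production-vpc"},
    {"name": "route-to-onprem", "destRange": "192.168.10.0/24", "priority": 100,
     "tags": [], "nextHopVpnTunnel": "vpn-tunnel-1"},
    {"name": "route-to-onprem-backup", "destRange": "192.168.10.0/24", "priority": 100,
     "tags": [], "nextHopVpnTunnel": "vpn-tunnel-2"},
    {"name": "onprem-mgmt-hosts", "destRange": "192.168.10.16/28", "priority": 1000,
     "tags": [], "nextHopVpnTunnel": "vpn-tunnel-mgmt"},
    {"name": "tagged-route-via-appliance", "destRange": "0.0.0.0/0", "priority": 100,
     "tags": ["inspect-traffic"], "nextHopInstance": "network-appliance"},
]

NEXT_HOP_KEYS = ("nextHopGateway", "nextHopNetwork", "nextHopVpnTunnel",
                 "nextHopInstance", "nextHopIp")


def next_hop(route):
    """Return whichever nextHop* field the route carries."""
    for key in NEXT_HOP_KEYS:
        if key in route:
            return route[key]
    return None


def select_routes(routes, dst_ip, vm_tags=()):
    """Routes GCP would use for dst_ip from a VM carrying vm_tags.

    Candidates: destRange contains dst_ip, and the route is untagged or shares a
    tag with the VM. Then: longest prefix wins; among equal prefixes the lowest
    priority number wins; anything still tied is returned together (ECMP).
    """
    dst = ipaddress.ip_address(dst_ip)
    vm_tags = set(vm_tags)
    candidates = []
    for route in routes:
        net = ipaddress.ip_network(route["destRange"])
        if dst not in net:
            continue
        if route["tags"] and not vm_tags.intersection(route["tags"]):
            continue
        candidates.append((net.prefixlen, route["priority"], route))
    if not candidates:
        return []
    longest = max(plen for plen, _, _ in candidates)
    same_len = [c for c in candidates if c[0] == longest]
    best_prio = min(prio for _, prio, _ in same_len)
    return [r for _, prio, r in same_len if prio == best_prio]


def next_hops(routes, dst_ip, vm_tags=()):
    """Sorted next hops of the winning route(s); more than one means ECMP."""
    return sorted(next_hop(r) for r in select_routes(routes, dst_ip, vm_tags))


if __name__ == "__main__":
    for ip, tags in [("10.10.3.4", ()), ("192.168.10.5", ()), ("192.168.10.20", ()),
                     ("8.8.8.8", ()), ("8.8.8.8", ("inspect-traffic",))]:
        print(ip, list(tags), "->", next_hops(ROUTES, ip, tags))
```

Running it shows the three rules in order: 192.168.10.20 goes to vpn-tunnel-mgmt because the /28 beats both /24 routes despite its worse priority; 192.168.10.5 is split across vpn-tunnel-1 and vpn-tunnel-2 (equal prefix, equal priority); and a VM tagged inspect-traffic sends 8.8.8.8 to the appliance but still reaches 10.10.3.4 through the subnet route.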

System-generated routes

GCP automatically creates two categories of routes in every VPC. You do not need to add these. They exist as soon as the VPC and its subnets do.

Subnet routes

For each subnet in your VPC, GCP creates a route covering that subnet’s IP range with the virtual network as the next hop. This is what allows VMs in the same VPC to reach each other using private IP addresses, even across regions. A VM in us-central1 and one in europe-west1 can communicate privately because subnet routes exist for both.

Subnet routes cannot be deleted manually. GCP manages them and removes them only when you delete the subnet itself.

Default internet route

Every new VPC also gets a default route with destination 0.0.0.0/0 pointing to the default internet gateway. This catch-all route is why VMs with external IP addresses can reach the internet straight away. The 0.0.0.0/0 route matches any destination not covered by a more specific route.

Cloud NAT, which provides internet access for VMs without external IPs, also depends on this default route. If you delete it, both VMs with external IPs and VMs behind Cloud NAT lose internet access.

Warning

Deleting the default route cuts off all external connectivity from the VPC, including GCP APIs and Cloud NAT. Only do this if you have a replacement path already in place — such as a VPN tunnel or Interconnect connection with routes to the destinations your VMs need. This mistake is easy to make and painful to recover from if it locks you out of the environment.

# View all routes in your VPC
gcloud compute routes list --filter="network:production-vpc"

# Describe a specific route to see its full configuration
gcloud compute routes describe default-route-abc123

Custom static routes

Static routes are routes you create manually to direct traffic to a specific next hop. GCP will not add or remove them automatically. They persist until you delete them.

Common reasons to create a static route:

  • Sending traffic for an on-premises subnet through a VPN tunnel
  • Routing specific traffic through a network appliance (firewall VM, IDS, proxy)
  • Using network tags to give a subset of VMs a different outbound path from the rest
  • Overriding or replacing the default route to control internet egress

# Route traffic for an on-premises subnet through a VPN tunnel
gcloud compute routes create route-to-onprem \
  --network=production-vpc \
  --destination-range=192.168.10.0/24 \
  --next-hop-vpn-tunnel=vpn-tunnel-1 \
  --next-hop-vpn-tunnel-region=us-central1 \
  --priority=100

# Route all internet-bound traffic through a network appliance VM
gcloud compute routes create route-via-appliance \
  --network=production-vpc \
  --destination-range=0.0.0.0/0 \
  --next-hop-instance=network-appliance \
  --next-hop-instance-zone=us-central1-a \
  --priority=100

# Apply the appliance route only to VMs tagged inspect-traffic
gcloud compute routes create tagged-route-via-appliance \
  --network=production-vpc \
  --destination-range=0.0.0.0/0 \
  --next-hop-instance=network-appliance \
  --next-hop-instance-zone=us-central1-a \
  --tags=inspect-traffic \
  --priority=100

Note

When routing traffic through a VM as a next hop, that VM must have IP forwarding enabled. By default, GCP drops packets at a VM when the destination IP is not the VM’s own address. Enable IP forwarding with --can-ip-forward when you create the appliance VM. This setting cannot be changed after the VM is created.

Static routes work well when your network topology is stable and predictable. When subnets change frequently, when you have multiple tunnels with failover requirements, or when remote routes change without notice, maintaining static routes by hand becomes error-prone. That is where Cloud Router helps.

Dynamic routing with Cloud Router

Cloud Router is a managed GCP service that runs BGP (Border Gateway Protocol) on behalf of your VPC. It exchanges route information dynamically with connected networks, such as an on-premises router over a Cloud VPN tunnel, or a partner’s edge router over a Cloud Interconnect connection.

Note

Cloud Router does not forward packets. It is a control-plane service that updates the VPC routing table automatically as topology changes. When a VPN tunnel comes up, Cloud Router learns the remote routes and adds them. When a tunnel drops, it removes them — without any manual intervention on your part.

This matters in practice. If your on-premises network has subnets that change occasionally, Cloud Router keeps the VPC routing table in sync automatically. With static routes, you would need to add, update, or delete entries by hand every time something changed on the other side.

# Create a Cloud Router to enable dynamic BGP routing
gcloud compute routers create prod-router \
  --network=production-vpc \
  --region=us-central1 \
  --asn=65001

# Check the Cloud Router status and BGP session state
gcloud compute routers get-status prod-router \
  --region=us-central1

The --asn flag sets the Autonomous System Number for your VPC. Use a private ASN in the range 64512–65534 if you do not have a registered public ASN. For a broader overview of connecting GCP to on-premises infrastructure, see Hybrid Connectivity Overview.

When to use this

Routes are relevant whenever you need to control how traffic leaves a VM or moves through the network. Here are the situations where routing decisions matter most:

  • Connecting to an on-premises network: traffic going to a non-GCP network needs a route pointing to the VPN tunnel or Interconnect connection. Use static routes for simple, fixed setups. Use Cloud Router when remote subnets change or you have multiple tunnels.
  • Routing through an inspection appliance: security teams often require that certain VM traffic passes through a firewall VM or intrusion detection system before leaving the VPC. This needs a custom route pointing to that appliance VM (with IP forwarding enabled), and optionally a network tag to apply it only to specific VMs.
  • Controlling internet egress: if you want to restrict which VMs can reach the internet, replace or remove the default 0.0.0.0/0 route, or use a tagged custom route to steer specific VMs through a proxy or controlled gateway.
  • Hybrid networking with Cloud Router: when using HA VPN or Cloud Interconnect, Cloud Router handles route exchange and failover dynamically. Managing routes manually for these setups is impractical as the topology grows.
  • Steering specific workloads differently: network tags let you apply different routes to different sets of VMs. A VM tagged inspect-traffic can use a different default path while other VMs use the standard internet route.

Routes vs related networking concepts

Routes vs firewall rules

This is the most common source of confusion. Routes and firewall rules solve different problems and are evaluated independently.

A route answers: where should this packet go next? A firewall rule answers: is this packet allowed to pass? If you want to block traffic, use a firewall deny rule. Do not rely on deleting a route. Removing a route may cause packets to take a different path or be silently dropped, rather than being blocked with a clear error. See Firewall Rules Explained for how to control access properly.

Static routes vs dynamic routes

Static routes are permanent entries you create manually. They do not change unless you update them. They are a good fit for stable, well-understood topologies with a small number of fixed paths.

Dynamic routes are learned by Cloud Router via BGP. They are added and removed automatically as connected networks change. For VPC Peering and Shared VPC, routes are also exchanged automatically without needing Cloud Router.

Tip

A practical rule of thumb: use static routes for simple, fixed paths you control completely. Switch to Cloud Router when you have more than one or two remote subnets, when tunnels might fail over, or when the remote network topology could change without warning.

Routes vs Cloud NAT

Routes and Cloud NAT are often confused because both affect how VMs reach the internet. The distinction is straightforward: Cloud NAT provides source address translation for VMs without external IPs so they can initiate outbound internet connections. It does not change routing. Cloud NAT relies on the default route (0.0.0.0/0) already being present in the VPC. Routes determine the path; Cloud NAT handles the address translation for private VMs. Delete the default route and Cloud NAT stops working.

Common beginner mistakes

  1. Deleting the default route without an alternative path. Removing 0.0.0.0/0 cuts off all external connectivity including GCP APIs and Cloud NAT. Ensure a replacement route is in place first. This mistake can be difficult to recover from if it locks you out of managing the environment.
  2. Forgetting to enable IP forwarding on appliance VMs. GCP drops packets at a VM when the destination IP is not the VM’s own address. This is correct default behaviour, but it breaks appliance routing. Set --can-ip-forward at creation time. It cannot be changed on a running VM.
  3. Misunderstanding what route tags do. A tag on a route means only VMs carrying that tag will use that route for outbound traffic. The tag does not affect which traffic arrives at those VMs. Inbound access is controlled by firewall rules, not route tags. See Network Tags for how tagging works across routes and firewall rules.
  4. Confusing routes with firewall rules when troubleshooting. If traffic is not getting through, the problem is almost always a firewall rule, not a missing route. Routes control where traffic goes; firewall rules control whether it is permitted. Check firewall rules first. See Troubleshooting Network Issues for a step-by-step approach.
  5. Assuming subnet routes can be deleted or overridden for local traffic. Subnet routes are managed by GCP and cannot be manually deleted. A conflicting custom route with a broader destination range will lose to the more specific subnet route for local VPC traffic. Understand existing routes before adding new ones.
  6. Not checking priority and specificity before troubleshooting an unused route. When a custom route is not being used, the most common causes are: a more specific route already exists, or another route has a lower priority number. Run gcloud compute routes list --sort-by=priority to see the full picture.

How to check and manage routes

# List all routes in your VPC
gcloud compute routes list --filter="network:production-vpc"

# List routes sorted by priority to understand which routes take precedence
gcloud compute routes list \
  --filter="network:production-vpc" \
  --sort-by=priority

# Describe a specific route to see all its fields
gcloud compute routes describe route-to-onprem

# Delete a custom route that is no longer needed
gcloud compute routes delete route-via-appliance

Audit your routing table periodically. Static routes pointing to VPN tunnels that no longer exist, or to VM IPs that have been reassigned, cause silent routing failures that are harder to diagnose than firewall problems. For a systematic approach, see Troubleshooting Network Issues.
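The periodic audit described above can be scripted rather than eyeballed. The following is an added example, not the page's or Google's code: it takes a constructed snapshot of gcloud compute routes list --format=json together with a constructed inventory of the VPC's VPN tunnels and instances (the canIpForward flag and internal addresses, as gcloud compute instances list --format=json reports them) and flags the cases this page calls out: routes to tunnels that no longer exist, appliance next hops that are missing or lack IP forwarding, next-hop IPs no current instance owns, and untagged 0.0.0.0/0 routes that silently redirect every VM's egress away from the internet gateway. All resource names, ranges and addresses are invented.

```python
# Constructed snapshot of `gcloud compute routes list --format=json` for one VPC;
# every name, range and next hop here is invented for this example.
ROUTES = [
    {"name": "default-route-abc123", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": "default-internet-gateway"},
    {"name": "route-to-onprem", "destRange": "192.168.10.0/24", "priority": 100,
     "nextHopVpnTunnel": "vpn-tunnel-1"},
    {"name": "route-to-old-dc", "destRange": "192.168.20.0/24", "priority": 100,
     "nextHopVpnTunnel": "vpn-tunnel-legacy"},
    {"name": "route-via-appliance", "destRange": "0.0.0.0/0", "priority": 100,
     "nextHopInstance": "network-appliance"},
    {"name": "tagged-route-via-appliance", "destRange": "0.0.0.0/0", "priority": 100,
     "tags": ["inspect-traffic"], "nextHopInstance": "network-appliance"},
    {"name": "route-via-proxy-ip", "destRange": "172.16.0.0/12", "priority": 100,
     "nextHopIp": "10.10.0.50"},
]

# Constructed inventory, as gathered from `gcloud compute vpn-tunnels list` and
# `gcloud compute instances list --format=json` (canIpForward plus each
# instance's internal addresses). Also invented.
VPN_TUNNELS = {"vpn-tunnel-1"}
INSTANCES = {
    "network-appliance": {"canIpForward": False, "internalIps": {"10.10.0.10"}},
    "web-1": {"canIpForward": False, "internalIps": {"10.10.0.20"}},
}

NEXT_HOP_KEYS = ("nextHopGateway", "nextHopNetwork", "nextHopVpnTunnel",
                 "nextHopInstance", "nextHopIp")


def next_hop_of(route):
    """Return whichever nextHop* field the route carries."""
    return next((route[k] for k in NEXT_HOP_KEYS if k in route), None)


def audit_routes(routes, tunnels, instances):
    """Return (route name, finding, detail) triples for routes that need review."""
    owned_ips = {ip for inst in instances.values() for ip in inst["internalIps"]}
    findings = []
    for route in routes:
        name = route["name"]
        # Static route to a tunnel that no longer exists: traffic is silently dropped.
        tunnel = route.get("nextHopVpnTunnel")
        if tunnel is not None and tunnel not in tunnels:
            findings.append((name, "stale-vpn-tunnel", tunnel))
        # An appliance next hop must exist and must have IP forwarding enabled.
        instance = route.get("nextHopInstance")
        if instance is not None:
            inst = instances.get(instance)
            if inst is None:
                findings.append((name, "missing-instance", instance))
            elif not inst["canIpForward"]:
                findings.append((name, "ip-forwarding-disabled", instance))
        # A next-hop IP that no current instance owns was probably reassigned.
        hop_ip = route.get("nextHopIp")
        if hop_ip is not None and hop_ip not in owned_ips:
            findings.append((name, "unowned-next-hop-ip", hop_ip))
        # An untagged 0.0.0.0/0 route whose next hop is not the internet gateway
        # redirects egress for every VM in the VPC; confirm that is intended.
        if (route["destRange"] == "0.0.0.0/0" and "nextHopGateway" not in route
                and not route.get("tags")):
            findings.append((name, "untagged-default-override", next_hop_of(route)))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_routes(ROUTES, VPN_TUNNELS, INSTANCES):
        print(f"{name}: {finding} ({detail})")
```

On the sample data this reports five findings: the stale vpn-tunnel-legacy route, both appliance routes (network-appliance has IP forwarding off), the untagged 0.0.0.0/0 override, and the 10.10.0.50 next hop that no instance holds. Feeding it real exports is a matter of loading the three JSON documents with the json module instead of the inline constants.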

Frequently asked questions

What routes does a GCP VPC create automatically?

Every VPC gets two types of system-generated routes: a subnet route for each subnet (so VMs can reach each other using private IPs), and a default route with destination 0.0.0.0/0 pointing to the default internet gateway. Subnet routes are managed by GCP and are removed only when you delete the subnet. The default route can be deleted if you want to cut off all internet access from the VPC.

How does GCP choose between multiple matching routes?

GCP uses longest prefix match first — the most specific destination range wins. A /28 route beats a /16 route when both match the destination IP. If two routes have the same prefix length, the one with the lower priority number wins (priority 100 beats priority 1000). If prefix length and priority are identical, GCP distributes traffic across all matching routes using ECMP (equal-cost multi-path).

What is the difference between a route and a firewall rule?

Routes and firewall rules solve different problems. A route decides where a packet is sent next — which gateway, tunnel, or VM to forward it to. A firewall rule decides whether a packet is allowed to pass at all. Both apply independently: a packet needs both a valid route (to know where to go) and passing firewall rules (to be permitted). Deleting a route does not block traffic the same way a firewall deny rule does.

When should I use Cloud Router instead of a static route?

Use Cloud Router when your network topology changes frequently or when you need BGP for dynamic route exchange. Static routes are fine for stable configurations — for example, a fixed on-premises subnet connected over a single VPN tunnel. But for HA VPN, Cloud Interconnect, multiple tunnels, or any setup with failover requirements, Cloud Router handles route updates automatically as topology changes, without manual intervention.

Can I delete the default route in GCP?

Yes. Deleting the default route (0.0.0.0/0) cuts off all internet access from the VPC — VMs can no longer reach external IPs, including GCP APIs. Teams do this in high-security environments where all traffic must exit through a controlled gateway such as a VPN tunnel or Interconnect. Before deleting it, ensure VMs have an alternative path for any external traffic they need, or they will lose all external connectivity.

Last verified: 24 March 2026. Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.