VPC Route Tables: How AWS Routing Works and Common Misconfigurations


Route tables determine where traffic goes in a VPC. The most-specific-route-wins rule, the local route you can't delete, and the subnet association model have practical consequences that trip up most engineers the first time.


How route table evaluation works

Every subnet in a VPC has exactly one route table. When traffic leaves an EC2 instance, the VPC router checks the subnet's route table and forwards the packet to the most specific matching route.

Longest prefix match: if two routes match the destination IP, the more specific one (longer prefix) wins.

Routes in a route table:
  10.0.0.0/16  → local      (the VPC's CIDR — stays within VPC)
  0.0.0.0/0    → igw-abc    (default route — everything else → internet gateway)

Traffic to 10.0.1.5:
  Matches 10.0.0.0/16 (more specific) → local routing within VPC

Traffic to 8.8.8.8 (Google DNS):
  Matches 0.0.0.0/0 → internet gateway

The local route and why it matters


Every route table has a local route for the VPC's CIDR block. This route cannot be deleted or modified. All traffic destined for any IP within the VPC stays within the VPC — it does not leave to an internet gateway or any other target, regardless of other routes.

Prerequisites

  • CIDR notation
  • IP routing basics
  • VPC and subnet basics

Key Points

  • Local route: VPC_CIDR → local. Present in every route table. Cannot be removed.
  • A subnet without any explicit route table is automatically associated with the VPC's main route table.
  • Each subnet can be associated with only one route table. One route table can serve multiple subnets.
  • Route table changes take effect immediately for new connections; existing connections are not affected.

Public vs private subnets: the route that makes the difference

The distinction between a public and private subnet is a single route table entry:

Public subnet route table:

Destination     Target
10.0.0.0/16     local
0.0.0.0/0       igw-abc123    ← internet gateway

Private subnet route table:

Destination     Target
10.0.0.0/16     local
0.0.0.0/0       nat-abc123    ← NAT gateway (for outbound-only internet access)
                              ← or no default route (isolated subnet)

An EC2 instance in a public subnet with a public IP can send traffic to and receive traffic from the internet because:

  1. It has a public IP (or Elastic IP).
  2. Its subnet's route table has a route to an internet gateway.
  3. The internet gateway allows bidirectional traffic.

An EC2 instance in a private subnet can reach the internet (for software updates, API calls) only if there is a NAT gateway in a public subnet and a route to it — traffic flows outbound through the NAT, but inbound connections from the internet cannot reach the instance directly.

NAT gateway placement is a common mistake

NAT gateways belong in public subnets. Private subnets route outbound internet traffic to the NAT gateway, which then uses its own public IP to communicate with the internet.

Private subnet (10.0.2.0/24) route table:
  0.0.0.0/0 → nat-abc (NAT gateway in public subnet 10.0.1.0/24)

Public subnet (10.0.1.0/24) route table:
  0.0.0.0/0 → igw-xyz (internet gateway)

If you put a NAT gateway in a private subnet (no internet gateway route), it cannot reach the internet, and your private instances fail to make outbound connections. The error is not obvious — the NAT gateway will exist but all traffic through it returns no response.

For high availability, deploy one NAT gateway per Availability Zone and configure each AZ's private subnets to route through the NAT gateway in the same AZ. Cross-AZ NAT traffic is charged at the data transfer rate.

The main route table and implicit association

When you create a VPC, AWS creates a main route table with just the local route. Subnets you create are automatically associated with the main route table unless you explicitly assign them a custom route table.

This is a common source of accidental public subnet exposure:

  1. Add an internet gateway route to the main route table (to make one subnet public).
  2. Create new subnets later — they implicitly inherit the main route table with the internet gateway route.
  3. Those new subnets are now unintentionally public.

Best practice: keep the main route table minimal (local route only). Create explicit custom route tables for public and private subnets, and explicitly associate each subnet with the correct table.
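The three mistakes described in this section and the two before it (a NAT gateway in a subnet whose table has no internet gateway route, an internet gateway route on the main table, and subnets left on the main table and therefore implicitly public) can be checked mechanically from route table data. The audit below is an added example, not code from the article; its input is constructed inline in the shape of `aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways` JSON (only the fields the checks need), and every resource ID is a placeholder.

```python
"""Audit a VPC's route tables for the misconfigurations discussed above.

Added example, not part of the original article. The data below is constructed
inline in the shape of `aws ec2 describe-route-tables`, `describe-subnets` and
`describe-nat-gateways` JSON (only the fields the checks need); every resource
ID is a placeholder, not a real AWS resource.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample VPC: the main table was given an internet gateway route,
# one subnet was never explicitly associated, and the NAT gateway sits in the
# private subnet.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-placeholder", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-placeholder", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-placeholder", "State": "active"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"Main": False, "SubnetId": "subnet-isolated-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-public-a", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-private-a", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-isolated-a", "CidrBlock": "10.0.3.0/24"},
    {"SubnetId": "subnet-new", "CidrBlock": "10.0.4.0/24"},   # created later, no explicit association
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-placeholder", "SubnetId": "subnet-private-a", "State": "available"}]


def default_route(table):
    """Return the active 0.0.0.0/0 route of a table, or None (isolated table)."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE and route.get("State") == "active":
            return route
    return None


def has_igw_default(table):
    """True when the table's default route points at an internet gateway."""
    route = default_route(table)
    return route is not None and route.get("GatewayId", "").startswith("igw-")


def effective_table(subnet_id, route_tables):
    """Resolve the table a subnet actually uses: its explicit association if one
    exists, otherwise the VPC's main table. Returns (table, explicit?)."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table, True
            if assoc.get("Main"):
                main = table
    return main, False


def classify_subnet(subnet_id, route_tables):
    """'public' (IGW default route), 'private' (NAT default route) or 'isolated'."""
    table, _ = effective_table(subnet_id, route_tables)
    route = default_route(table)
    if route is None:
        return "isolated"
    if route.get("GatewayId", "").startswith("igw-"):
        return "public"
    return "private"


def audit(route_tables, subnets, nat_gateways):
    """Return (finding, resource_id) pairs for the three misconfigurations."""
    findings = []
    main = next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    if has_igw_default(main):
        findings.append(("MAIN_TABLE_HAS_IGW_ROUTE", main["RouteTableId"]))
    for subnet in subnets:
        table, explicit = effective_table(subnet["SubnetId"], route_tables)
        if not explicit and has_igw_default(table):
            findings.append(("IMPLICITLY_PUBLIC_SUBNET", subnet["SubnetId"]))
    for nat in nat_gateways:
        table, _ = effective_table(nat["SubnetId"], route_tables)
        if not has_igw_default(table):
            findings.append(("NAT_GATEWAY_WITHOUT_IGW_ROUTE", nat["NatGatewayId"]))
    return findings


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(subnet["SubnetId"], classify_subnet(subnet["SubnetId"], ROUTE_TABLES))
    for finding in audit(ROUTE_TABLES, SUBNETS, NAT_GATEWAYS):
        print(*finding)
```

Against the constructed data the audit flags the main table's internet gateway route, reports `subnet-new` as implicitly public because it fell back to that table, and flags the NAT gateway because the table its subnet uses has no internet gateway route. Feeding it real `describe-*` output requires only reading the JSON into the same three lists.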

Route propagation for VPN and Direct Connect

When you attach a virtual private gateway (VGW) to a VPC for a VPN or Direct Connect connection, you can enable route propagation on a route table. The VGW automatically injects routes for the on-premises network CIDRs into the route table.

Without route propagation, you must add static routes for each on-premises CIDR manually. With propagation, new BGP routes learned from your on-premises router appear automatically.

Propagated routes interact with manually added routes through the same longest-prefix-match rule when their CIDRs overlap: the more specific route wins, so if the propagated on-premises CIDR is less specific than a manual route, the manual route takes precedence for addresses inside it.

Manual route:       10.100.0.0/24  → vpn-gw     (specific)
Propagated route:   10.100.0.0/16  → vpn-gw     (less specific)
Traffic to 10.100.0.5 → takes the /24 manual route
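The longest-prefix-match rule from "How route table evaluation works" and the manual-versus-propagated overlap just shown are the same lookup applied to different tables. The following is an added example, not code from the article; the route tables are constructed inline as (cidr, target, origin) tuples using the article's placeholder gateway names, and the tie-break it applies for two routes with an identical CIDR (static over propagated) comes from AWS documentation, not from this page.

```python
"""Longest-prefix-match lookup over a VPC route table.

Added example, not code from the article. Route tables are constructed inline
as (cidr, target, origin) tuples; the gateway names are the article's
placeholders.
"""
import ipaddress

# AWS documents that when a static and a propagated route have the same
# destination CIDR, the static route wins; the rank encodes that tie-break.
ORIGIN_RANK = {"static": 1, "propagated": 0}


def lookup(route_table, destination):
    """Return (cidr, target, origin) of the most specific matching route, or None
    when nothing matches (the VPC router has nowhere to send the packet)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target, origin in route_table:
        net = ipaddress.ip_network(cidr)
        if dst not in net:
            continue
        # Longer prefix first; for an identical prefix, static beats propagated.
        key = (net.prefixlen, ORIGIN_RANK[origin])
        if best is None or key > best[0]:
            best = (key, str(net), target, origin)
    return None if best is None else best[1:]


# The public-subnet table from "How route table evaluation works".
PUBLIC_TABLE = [
    ("10.0.0.0/16", "local", "static"),
    ("0.0.0.0/0", "igw-abc", "static"),
]

# Local route only: nothing outside the VPC is reachable.
ISOLATED_TABLE = [("10.0.0.0/16", "local", "static")]

# The manual /24 beside the propagated /16 from the route propagation section.
PROPAGATION_TABLE = [
    ("10.0.0.0/16", "local", "static"),
    ("10.100.0.0/24", "vpn-gw", "static"),
    ("10.100.0.0/16", "vpn-gw", "propagated"),
]

if __name__ == "__main__":
    for table_name, table, dest in [
        ("public", PUBLIC_TABLE, "10.0.1.5"),
        ("public", PUBLIC_TABLE, "8.8.8.8"),
        ("isolated", ISOLATED_TABLE, "8.8.8.8"),
        ("propagation", PROPAGATION_TABLE, "10.100.0.5"),
        ("propagation", PROPAGATION_TABLE, "10.100.7.9"),
    ]:
        print(f"{table_name:12} {dest:>12} -> {lookup(table, dest)}")
```

Note that the lookup returns `None` for `8.8.8.8` against the isolated table: with no default route there is simply no match, which is the behaviour behind the "or no default route (isolated subnet)" line in the private-subnet table earlier on the page.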

EC2 instances in a private subnet can communicate with each other but cannot reach the internet or AWS services. The subnet has a route to a NAT gateway. What should you check first?

Difficulty: easy

The NAT gateway status shows 'Available'. The instances have security groups allowing all outbound traffic. Private subnet CIDR: 10.0.2.0/24.

  • A. The security group on the instances is blocking outbound traffic
    Incorrect. The question states all outbound traffic is allowed in security groups. Security groups are stateful — if outbound is allowed, return traffic is automatically permitted.
  • B. The NAT gateway is in a private subnet without a route to an internet gateway
    Correct! A NAT gateway in a private subnet has no path to the internet — its subnet's route table must have a 0.0.0.0/0 route to an internet gateway. Without this, the NAT gateway cannot forward traffic outbound. Check that the NAT gateway's subnet is a public subnet (has an internet gateway route) and that instances can route to the NAT gateway.
  • C. The EC2 instances need public IP addresses to use the NAT gateway
    Incorrect. NAT gateways are specifically designed for instances without public IPs. The NAT gateway provides the public IP — instances in private subnets intentionally do not have public IPs.
  • D. Route propagation needs to be enabled for the private subnet
    Incorrect. Route propagation is for VPN/Direct Connect routes. Internet access through a NAT gateway uses a static route, not propagated routes.

Hint: The NAT gateway is Available, but where is it, and what route table does that subnet have?