AWS Route Tables define how network traffic is directed within and outside a Virtual Private Cloud (VPC). They determine where packets go based on their destination IP address — similar to routing tables in traditional networks or routers.

Key Concepts

Term                  Description
------------------------------------------------------------------------------------------
VPC                   Virtual Private Cloud: a logically isolated section of the AWS network
Route Table           A set of rules (routes) that determine where traffic for a subnet is directed
Subnet Association    Each subnet must be explicitly or implicitly associated with a route table
Main Route Table      The default route table, automatically associated with all subnets unless overridden
Custom Route Table    A manually created route table for specific subnets or routing domains
Target                The next hop for a route (e.g. Internet Gateway, NAT Gateway, Transit Gateway)

How Routing Works in AWS

  1. Identify Source Subnet: when an instance sends a packet, AWS identifies which subnet the instance belongs to
  2. Check Route Table: AWS checks which route table is associated with that subnet
  3. Match Destination: AWS finds which route in the table matches the destination CIDR
  4. Forward to Target: AWS forwards the packet to the appropriate target (IGW, NATGW, TGW, ENI)

Example: Default Route Table

Destination        Target    Purpose
-----------------------------------------------------------------
10.0.0.0/16        local     Routes traffic within the VPC (always present)

Every VPC has an implicit local route that enables internal communication between subnets.

Example Route Tables

Destination        Target              Description
---------------------------------------------------------
10.0.0.0/16        local               Intra-VPC routing
0.0.0.0/0          igw-0abc12345       Internet access via IGW
Explanation:
  • local allows private communication within the VPC
  • 0.0.0.0/0 sends all non-local traffic to the Internet Gateway
  • Subnets associated with this table become public subnets

Peering & Transit Gateway Routes

Scenario                 Route Example     Target           Purpose
---------------------------------------------------------------------------------------------------------
VPC Peering              10.2.0.0/16       pcx-0abc9fgh     Enables routing to the peer VPC
Transit Gateway (TGW)    10.3.0.0/16       tgw-0xyz1234     Central routing hub for multi-VPC or hybrid networks
Direct Connect           172.31.0.0/16     dxvif-0de12345   Private connection to an on-premises environment

Always ensure both sides of the peering or TGW connection have reciprocal routes configured.

Route Propagation

AWS can automatically propagate routes from:
  • VPN connections
  • Direct Connect gateways
  • Transit Gateways

Enable Route Propagation

aws ec2 enable-vgw-route-propagation \
  --gateway-id vgw-0aa123bb \
  --route-table-id rtb-0ff56789

Subnet Types and Route Tables

Subnet        CIDR           Route Table    Internet Access    Description
-------------------------------------------------------------------------------------
Public-A      10.0.1.0/24    rtb-public                        Internet via IGW
Private-A     10.0.2.0/24    rtb-private                       NATGW via Public subnet
VPN-Subnet    10.0.3.0/24    rtb-hybrid     🔄                 VPN via VGW
TGW-Subnet    10.0.4.0/24    rtb-tgw        🔄                 Transit Gateway

Security & Best Practices

  • Least Privilege Routing: only add routes that are needed
  • Separation of Environments: use separate route tables for prod/dev/test
  • Audit Regularly: periodically review with aws ec2 describe-route-tables
  • Avoid IGW on Private Subnets: prevents accidental Internet exposure
  • Tag Route Tables: use consistent tags (e.g., Environment, SubnetType)

CLI Commands

# List all route tables
aws ec2 describe-route-tables
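As an added example (not code from the original page), a small Python audit over the JSON that `aws ec2 describe-route-tables` prints: it flags any route table whose 0.0.0.0/0 route points at an Internet Gateway while the table is tagged SubnetType=private, or while it is the VPC's main route table, since every subnet without an explicit association inherits the main table. The sample output, all IDs and the use of a SubnetType tag are constructed assumptions.

```python
import json

def _rtb(rtb_id, default_route, assoc, tags):
    """Build one route table in describe-route-tables shape (constructed sample data)."""
    return {"RouteTableId": rtb_id, "Associations": [assoc], "Tags": tags,
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                       default_route]}

# Constructed stand-in for `aws ec2 describe-route-tables` output; all IDs are made up.
SAMPLE = json.dumps({"RouteTables": [
    _rtb("rtb-public", {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc12345"},
         {"SubnetId": "subnet-pub-a", "Main": False}, [{"Key": "SubnetType", "Value": "public"}]),
    _rtb("rtb-private", {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
         {"SubnetId": "subnet-priv-a", "Main": False}, [{"Key": "SubnetType", "Value": "private"}]),
    _rtb("rtb-private-b", {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc12345"},
         {"SubnetId": "subnet-priv-b", "Main": False}, [{"Key": "SubnetType", "Value": "private"}]),
    _rtb("rtb-main", {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc12345"},
         {"Main": True}, []),
]})

# The next hop of a route sits in a different field depending on the target type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")

def route_target(route):
    """Return a route's next hop ('local', 'igw-...', 'nat-...', 'tgw-...', ...)."""
    return next((route[k] for k in TARGET_KEYS if route.get(k)), None)

def tag_value(rtb, key):
    return next((t["Value"] for t in rtb.get("Tags", []) if t["Key"] == key), None)

def audit_route_tables(describe_output):
    """Return (RouteTableId, reason) for tables with a 0.0.0.0/0 route to an IGW that
    either serve private subnets (SubnetType tag) or are the VPC's main route table."""
    findings = []
    for rtb in json.loads(describe_output)["RouteTables"]:
        igw_default = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                          and str(route_target(r)).startswith("igw-")
                          for r in rtb["Routes"])
        if not igw_default:
            continue
        if tag_value(rtb, "SubnetType") == "private":
            findings.append((rtb["RouteTableId"], "private route table has a default route to an IGW"))
        if any(a.get("Main") for a in rtb["Associations"]):
            findings.append((rtb["RouteTableId"],
                             "main route table has an IGW default route; unassociated subnets inherit it"))
    return findings
```

With real data, pass the CLI's stdout to `audit_route_tables`; on the constructed sample it reports rtb-private-b and rtb-main and leaves rtb-public and rtb-private alone.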

Lab Exercise

  1. Create VPC: create a VPC with CIDR 10.0.0.0/16
  2. Create Subnets: create two subnets, 10.0.1.0/24 (public) and 10.0.2.0/24 (private)
  3. Deploy Gateways: deploy an Internet Gateway and a NAT Gateway
  4. Configure Route Tables: create route tables for the public and private subnets
  5. Test Connectivity:
       • Public subnet → Internet ✅
       • Private subnet → Internet via NAT ✅
       • Private subnet inbound ❌

Further Reading
