What is Cloud Routing? A Complete Technical Guide
Cloud routing is the software-defined abstraction layer that enables IP packets to traverse massive, distributed virtual infrastructures without the constraints of physical hardware. This guide explains the fundamentals, architecture, and implementation details that every DevOps engineer and network architect needs to understand.
The Paradigm Shift: From Hardware to Software-Defined Networking
In traditional enterprise networking, routing decisions are made by dedicated hardware devices—routers with ASICs (Application-Specific Integrated Circuits) that forward packets based on routing tables stored in TCAM (Ternary Content-Addressable Memory). These physical routers have fixed capacity, require manual configuration, and take weeks to provision.
Cloud routing fundamentally changes this model. When a packet leaves an EC2 instance, Azure VM, or Google Compute Engine workload, it doesn't immediately hit a physical switch. Instead, it encounters a virtual switch running on the hypervisor—the software layer that manages virtual machines. This virtual switch, whether it's AWS Nitro, Azure's Virtual Filtering Platform (VFP), or Google's Andromeda, makes forwarding decisions in software.
This abstraction enables capabilities that were impossible with physical hardware:
- Instant provisioning: New routes can be programmed via API in seconds, not days
- Infinite scale: Route tables aren't limited by physical TCAM capacity
- Programmable policies: Routes can be created, modified, and deleted through Infrastructure as Code
- Multi-tenancy: Thousands of customers share the same physical infrastructure with complete isolation
Core Components of Cloud Routing Architecture
1. Virtual Private Clouds (VPCs) and Virtual Networks
Every cloud routing implementation starts with a logically isolated network segment—called a VPC in AWS, a Virtual Network (VNet) in Azure, or simply a VPC in Google Cloud. These constructs provide:
- Address space isolation: Each VPC has its own IPv4 CIDR block (e.g., 10.0.0.0/16) that doesn't conflict with other customers
- Subnet segmentation: VPCs are divided into subnets, each assigned to a specific Availability Zone
- Implicit routing: All subnets within a VPC can communicate by default (this is the "local" route)
The VPC model creates a software-defined boundary that mimics a traditional data center network but operates at cloud scale. Understanding how cloud routing works within these boundaries is essential for designing resilient architectures.
2. The Virtual Router (vRouter)
Unlike physical networks where routers are discrete boxes, cloud VPCs have an implicit virtual router. This vRouter exists as a distributed software function running across all the hosts in the region. Key characteristics include:
- Per-VPC scope: Each VPC has its own virtual router that handles all traffic entering/leaving subnets
- Implicit creation: In AWS, the vRouter is invisible—it just works. In GCP, Cloud Router is an explicit construct
- Route table association: Each subnet is associated with a route table that tells the vRouter where to send traffic
The vRouter evaluates packets against route tables using longest prefix match—the same algorithm physical routers use. If a packet is destined for 10.0.5.42 and you have routes for 10.0.0.0/16 (local) and 10.0.5.0/24 (to a NAT gateway), the /24 wins because it's more specific.
3. Route Tables and Routing Logic
Route tables are the core data structure of cloud routing. Each entry contains:
- Destination: A CIDR block (e.g., 0.0.0.0/0 for default route, 10.0.0.0/8 for RFC1918 space)
- Target: Where to send matching traffic (local, internet gateway, NAT gateway, VPN gateway, transit gateway, peering connection)
- Priority: Determined by prefix length (longer = higher priority)
| Destination | Target | Description |
|---|---|---|
| 10.0.0.0/16 | local | Traffic within the VPC stays local |
| 0.0.0.0/0 | igw-12345 | Default route to Internet Gateway |
| 192.168.0.0/16 | vgw-67890 | On-premise network via VPN |
| 172.16.0.0/12 | pcx-abcde | Peered VPC via VPC Peering |
4. Network Gateways
Gateways are the connection points between your VPC and other networks:
Internet Gateway (IGW)
The Internet Gateway provides NAT (Network Address Translation) for instances with public IPs and routes traffic to/from the public internet. It's horizontally scaled and highly available by default—you don't need to configure redundancy.
NAT Gateway
For private subnets that need outbound internet access (to download packages, call APIs) without exposing public IPs, NAT Gateways translate private addresses to a public Elastic IP. Important consideration: NAT Gateways are Availability Zone specific—deploy one per AZ for resilience.
Virtual Private Gateway (VGW)
The VGW is the cloud-side endpoint for VPN connections and Direct Connect. It supports BGP for dynamic routing or static routes for simpler configurations.
Transit Gateway
For complex multi-VPC and multi-cloud architectures, Transit Gateway provides a hub-and-spoke model. Instead of creating N² peering connections, you connect all VPCs to a central transit gateway.
Cloud Routing vs. Traditional Routing
Understanding the differences between cloud and traditional routing helps explain why certain design patterns exist:
| Aspect | Traditional Routing | Cloud Routing |
|---|---|---|
| Control Plane | Distributed (each router runs OSPF/BGP) | Centralized SDN controller |
| Route Updates | Seconds to minutes (convergence) | Near-instant (API-driven) |
| Scale Limit | TCAM capacity (thousands of routes) | Millions of routes (soft limits) |
| Configuration | CLI or SNMP | API, Terraform, CloudFormation |
| Failure Domain | Single device | Availability Zone or Region |
For a deeper comparison, see our guide on cloud routing vs. traditional routing.
BGP in Cloud Environments
While internal cloud routing uses proprietary SDN protocols, external connectivity relies heavily on Border Gateway Protocol (BGP). BGP is the standard language for exchanging reachability information between autonomous systems on the internet.
Cloud providers expose BGP in several contexts:
- Direct Connect / Interconnect / ExpressRoute: When you establish a private connection to the cloud, BGP advertises your on-premise prefixes and receives cloud prefixes
- Site-to-Site VPN: Dynamic VPNs use BGP to automatically update routing tables when links fail
- Transit Gateway: In AWS, Transit Gateway supports BGP for route exchange between connected VPCs and on-premise networks
Following BGP best practices is critical for production hybrid cloud deployments.
Performance Implications of Cloud Routing
Understanding cloud routing architecture helps engineers optimize for latency. Several patterns emerge:
VPC Peering Traffic Stays on Backbone
Traffic between peered VPCs travels over the cloud provider's private backbone—never touching the public internet. This provides consistent latency (typically 1-2ms within a region) versus potentially hundreds of milliseconds over VPN.
Cross-Region Traffic Adds Latency
While cloud backbones are fast, physics still applies. US-East to US-West adds ~60ms RTT. US to Europe adds ~80-100ms. Design your architecture with latency reduction in mind.
NAT Gateway Can Be a Bottleneck
NAT Gateways max out at 45 Gbps. For high-throughput workloads, consider multiple NAT Gateways with routing rules or direct internet access with public IPs.
Multi-Cloud Routing Considerations
Organizations increasingly deploy across multiple cloud providers. This introduces routing complexity:
- Overlapping CIDR blocks: Each cloud may use 10.0.0.0/8 by default—careful IP planning is essential
- Transit between clouds: Cloud exchange providers (Equinix, Megaport) can connect AWS to GCP without internet traversal
- Consistent policy: Different clouds use different terminology and constructs—Terraform helps abstract these differences
Learn more about designing multi-cloud architectures with unified routing.
Practical Examples
Example 1: Basic Public/Private Subnet Architecture
A common pattern uses public subnets (with Internet Gateway routes) for load balancers and private subnets (with NAT Gateway routes) for application servers:
# Public subnet route table
10.0.0.0/16 -> local
0.0.0.0/0 -> igw-xxxx
# Private subnet route table
10.0.0.0/16 -> local
0.0.0.0/0 -> nat-xxxxExample 2: Hub-and-Spoke with Transit Gateway
For multi-VPC environments, Transit Gateway provides centralized routing:
# Spoke VPC route table
10.0.0.0/16 -> local # This VPC
10.0.0.0/8 -> tgw-xxxx # All other VPCs via TGW
0.0.0.0/0 -> tgw-xxxx # Internet via shared egress VPCKey Takeaways
- Cloud routing is software-defined—routes are API calls, not CLI commands
- VPCs provide isolated network domains with implicit virtual routers
- Route tables control traffic flow using longest prefix match
- BGP remains the standard for hybrid cloud connectivity
- Understanding routing architecture is essential for traffic optimization
Need Help With Cloud Routing?
Our engineers specialize in cloud network architecture across AWS, Google Cloud, and Azure. Get in touch for a free consultation.