Understanding VPC Routing: The Longest Prefix Match Rule
When you create a Virtual Private Cloud (VPC) in AWS, you are creating your own private network in the cloud. At the heart of this network is the VPC Router, an implicit, highly available component that directs all traffic flowing into, out of, and within your VPC. To control this router, you use Route Tables.
Understanding how the VPC router makes decisions is critical for building complex and predictable network architectures. The primary rule it follows is the Longest Prefix Match.
The Golden Rule: Longest Prefix Match
When your VPC router evaluates a packet of traffic, it looks at the destination IP address and checks it against the list of routes in its associated route table. If multiple routes in the table could potentially match the destination IP, the router will always choose the route with the most specific network path.
"Most specific" simply means the route with the longest subnet mask (the highest number after the `/`). For example:

- A route to `10.0.1.0/24` is more specific than a route to `10.0.0.0/16`.
- A route to `192.168.1.10/32` (a single IP address) is more specific than a route to `192.168.1.0/24`.
A Practical Routing Scenario
Let's imagine a common scenario where a VPC is connected to multiple destinations.
The Route Table
Consider the following route table associated with a subnet in VPC-A:

| Destination | Target | Comment |
| :--- | :--- | :--- |
| `10.0.0.0/16` | `local` | Route for traffic within VPC-A |
| `0.0.0.0/0` | `igw-xxxxxxxx` | Default route to the Internet Gateway |
| `10.10.0.0/16` | `vgw-yyyyyyyy` | Route to an on-premises network via VPN |
| `172.16.1.0/24` | `pcx-zzzzzzzz` | Route to a specific subnet in a peered VPC |
Test Case 1: Traffic to a Peered VPC
- Packet Destination: `172.16.1.55`
- Evaluation:
  - Does `172.16.1.55` match `10.0.0.0/16`? No.
  - Does `172.16.1.55` match `0.0.0.0/0`? Yes (prefix length: 0).
  - Does `172.16.1.55` match `10.10.0.0/16`? No.
  - Does `172.16.1.55` match `172.16.1.0/24`? Yes (prefix length: 24).
- Decision: The router has two matching routes: `/0` and `/24`. Since 24 is longer than 0, the Longest Prefix Match rule applies.
- Result: The traffic is sent to the VPC Peering connection (`pcx-zzzzzzzz`).
Test Case 2: Traffic to an On-Premises Server
- Packet Destination: `10.10.50.100`
- Evaluation:
  - Does `10.10.50.100` match `10.0.0.0/16`? No.
  - Does `10.10.50.100` match `0.0.0.0/0`? Yes (prefix length: 0).
  - Does `10.10.50.100` match `10.10.0.0/16`? Yes (prefix length: 16).
  - Does `10.10.50.100` match `172.16.1.0/24`? No.
- Decision: The router has two matching routes: `/0` and `/16`. Since 16 is longer than 0, the Longest Prefix Match rule applies.
- Result: The traffic is sent to the Virtual Private Gateway (`vgw-yyyyyyyy`).
Test Case 3: Traffic to the Internet
- Packet Destination: `52.95.110.81` (a public AWS IP)
- Evaluation:
  - Does `52.95.110.81` match `10.0.0.0/16`? No.
  - Does `52.95.110.81` match `0.0.0.0/0`? Yes (prefix length: 0).
  - Does `52.95.110.81` match `10.10.0.0/16`? No.
  - Does `52.95.110.81` match `172.16.1.0/24`? No.
- Decision: The router has only one matching route: `/0`.
- Result: The traffic is sent to the Internet Gateway (`igw-xxxxxxxx`).
The Tie-Breaker: Route Priority
There is one rule that comes before the Longest Prefix Match:

- Local Routes are always prioritized. If a destination IP falls within the VPC's own CIDR block, the traffic will always be routed locally, regardless of other, more specific routes you may have added. For example, if you added a static route for `10.0.1.0/24` pointing to a gateway, traffic to an EC2 instance at `10.0.1.50` would still be routed locally because it matches the `10.0.0.0/16` local route first.
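The selection logic walked through in the three test cases above, plus the local-route tie-breaker, as an added example written for this article (it is not AWS code and does not claim to reproduce the VPC router's real implementation). It uses only Python's standard `ipaddress` module; the route table is a constructed copy of the one shown earlier, with the page's placeholder target IDs, and `nat-aaaaaaaa` is a hypothetical placeholder for the "static route pointing to a gateway" in the tie-breaker paragraph.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    destination: ipaddress.IPv4Network
    target: str
    comment: str = ""


def route(cidr: str, target: str, comment: str = "") -> Route:
    """Build a Route from a CIDR string (strict: host bits must be zero)."""
    return Route(ipaddress.ip_network(cidr, strict=True), target, comment)


# Constructed copy of the VPC-A route table from the article.
# The target IDs are the article's placeholders, not real AWS resources.
ROUTE_TABLE: List[Route] = [
    route("10.0.0.0/16", "local", "Route for traffic within VPC-A"),
    route("0.0.0.0/0", "igw-xxxxxxxx", "Default route to the Internet Gateway"),
    route("10.10.0.0/16", "vgw-yyyyyyyy", "Route to an on-premises network via VPN"),
    route("172.16.1.0/24", "pcx-zzzzzzzz", "Route to a specific subnet in a peered VPC"),
]


def evaluate(table: List[Route], dst_ip: str) -> List[Tuple[Route, bool]]:
    """Walk the table in order and record, per route, whether dst_ip falls in it.

    This mirrors the "Does X match Y?" lines of the article's test cases.
    """
    dst = ipaddress.ip_address(dst_ip)
    return [(r, dst in r.destination) for r in table]


def select_route(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Pick the route the article's two rules would choose, or None if none matches.

    Rule 1 (tie-breaker): a matching `local` route is taken before anything else.
    Rule 2: among the remaining matches, the longest prefix (largest /N) wins.
    """
    candidates = [r for r, matched in evaluate(table, dst_ip) if matched]
    if not candidates:
        return None  # nothing matches: the packet has nowhere to go
    for r in candidates:
        if r.target == "local":
            return r
    return max(candidates, key=lambda r: r.destination.prefixlen)


def explain(table: List[Route], dst_ip: str) -> str:
    """Render a trace in the same shape as the article's worked test cases."""
    lines = [f"Packet Destination: {dst_ip}"]
    for r, matched in evaluate(table, dst_ip):
        verdict = f"Yes (prefix length: {r.destination.prefixlen})" if matched else "No"
        lines.append(f"  Does {dst_ip} match {r.destination}? {verdict}")
    chosen = select_route(table, dst_ip)
    if chosen is None:
        lines.append("  Result: no matching route, packet dropped")
    else:
        lines.append(f"  Result: forwarded to {chosen.target} ({chosen.comment})")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip in ("172.16.1.55", "10.10.50.100", "52.95.110.81"):
        print(explain(ROUTE_TABLE, ip))
        print()

    # Tie-breaker: a more specific static route inside the VPC CIDR.
    # "nat-aaaaaaaa" is a hypothetical placeholder target, not a real resource.
    with_override = ROUTE_TABLE + [route("10.0.1.0/24", "nat-aaaaaaaa", "Hypothetical static route")]
    print(explain(with_override, "10.0.1.50"))
```

Running the script prints one trace per test case in the same shape as the lists above; the final trace shows `10.0.1.50` still going to `local` even though a `/24` covering it was added. The `select_route` function separates the two rules deliberately: if you reorder them so that prefix length is compared first, the override case resolves to the `/24` instead, which is exactly the behaviour the tie-breaker section says you will not get.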
Why It Matters
Understanding the Longest Prefix Match rule is essential for designing predictable and secure networks. It allows you to carve out exceptions from broad routes. You can send most traffic to the internet (`0.0.0.0/0`) while ensuring that traffic destined for a peered VPC or an on-premises network is always directed to the correct gateway, preventing accidental data exposure and ensuring proper connectivity.