How does DRG route distribution work?

DRG route distributions are policies that control which routes are imported into or exported from a DRG route table. Import distributions determine which routes from attachments (VCN, IPSec, FastConnect, remote peering) are added to the route table. You can filter by attachment type, DRG attachment OCID, or match-all. This lets you create isolated routing domains — for example, a route table that only imports routes from production VCNs, not development VCNs.

Can I have multiple route tables on a single DRG?

Yes. A DRG supports multiple route tables, and each attachment is associated with exactly one route table. This enables per-attachment routing behavior. For example, you can create separate route tables for production VCN attachments, development VCN attachments, and on-premises connections, each with different route distribution policies and static routes. This is the foundation of network segmentation in OCI hub-and-spoke architectures.

OCI DRG Route Table Builder

NetworkingOCI

Build Dynamic Routing Gateway route tables and import distribution configurations.

OCI Dynamic Routing Gateway Configuration

Build Dynamic Routing Gateway route tables and import distribution configurations.

Required Fields

compartmentIddrgIddisplayNamerouteRules

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "drgId": "ocid1.drg.oc1.iad.aaaaaaaexample",
  "displayName": "hub-spoke-route-table",
  "importDrgRouteDistribution": {
    "distributionId": "ocid1.drgroutedistribution.oc1.iad.aaaaaaaexample",
    "displayName": "spoke-vcn-import-distribution",
    "distributionType": "IMPORT",
    "statements": [
      {
        "matchCriteria": [
          {
            "matchType": "DRG_ATTACHMENT_TYPE",
            "attachmentType": "VCN"
          }
        ],
        "action": "ACCEPT",
        "priority": 1
      },
      {
        "matchCriteria": [
          {
            "matchType": "DRG_ATTACHMENT_ID",
            "drgAttachmentId": "ocid1.drgattachment.oc1.iad.aaaaaaaexample"
          }
        ],
        "action": "ACCEPT",
        "priority": 2
      }
    ]
  },
  "routeRules": [
    {
      "destinationType": "CIDR_BLOCK",
      "destination": "10.1.0.0/16",
      "nextHopDrgAttachmentId": "ocid1.drgattachment.oc1.iad.aaaaaaspoke1",
      "description": "Route to spoke VCN 1"
    },
    {
      "destinationType": "CIDR_BLOCK",
      "destination": "10.2.0.0/16",
      "nextHopDrgAttachmentId": "ocid1.drgattachment.oc1.iad.aaaaaaspoke2",
      "description": "Route to spoke VCN 2"
    },
    {
      "destinationType": "CIDR_BLOCK",
      "destination": "0.0.0.0/0",
      "nextHopDrgAttachmentId": "ocid1.drgattachment.oc1.iad.aaaaaaaipsec",
      "description": "Default route to on-premises via IPSec VPN"
    }
  ],
  "freeformTags": {
    "topology": "hub-spoke",
    "managed-by": "network-team"
  }
}

Generated Output

Output will appear here...

About This Tool

The Dynamic Routing Gateway (DRG) is OCI's central hub for routing traffic between VCNs, on-premises networks (via IPSec VPN or FastConnect), and remote peering connections. DRG route tables control how traffic is forwarded between attachments, enabling hub-and-spoke topologies, transit routing, and network segmentation. This builder helps you configure DRG route tables with static routes, import/export route distributions, and attachment associations for complex multi-VCN and hybrid networking architectures.

When to Use This Tool

•Building a hub-and-spoke DRG topology where spoke VCNs route through a central firewall VCN for traffic inspection
•Configuring DRG route tables with import distributions that selectively accept routes from specific VCN attachments for network segmentation
•Setting up transit routing through the DRG to enable on-premises networks to reach multiple VCNs without direct attachments to each
•Creating static routes in DRG route tables to direct specific CIDR ranges to a network virtual appliance for inspection or NAT

Frequently Asked Questions

How does DRG route distribution work?: DRG route distributions are policies that control which routes are imported into or exported from a DRG route table. Import distributions determine which routes from attachments (VCN, IPSec, FastConnect, remote peering) are added to the route table. You can filter by attachment type, DRG attachment OCID, or match-all. This lets you create isolated routing domains — for example, a route table that only imports routes from production VCNs, not development VCNs.
Can I have multiple route tables on a single DRG?: Yes. A DRG supports multiple route tables, and each attachment is associated with exactly one route table. This enables per-attachment routing behavior. For example, you can create separate route tables for production VCN attachments, development VCN attachments, and on-premises connections, each with different route distribution policies and static routes. This is the foundation of network segmentation in OCI hub-and-spoke architectures.

Related Learning Guides

OCI VCN Networking Deep Dive25 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.

OCI DRG Route Table Builder

NetworkingOCI

Build Dynamic Routing Gateway route tables and import distribution configurations.

OCI Dynamic Routing Gateway Configuration

Build Dynamic Routing Gateway route tables and import distribution configurations.

Required Fields

compartmentIddrgIddisplayNamerouteRules

Generated Output

Output will appear here...

About This Tool

When to Use This Tool

•Building a hub-and-spoke DRG topology where spoke VCNs route through a central firewall VCN for traffic inspection
•Configuring DRG route tables with import distributions that selectively accept routes from specific VCN attachments for network segmentation
•Setting up transit routing through the DRG to enable on-premises networks to reach multiple VCNs without direct attachments to each
•Creating static routes in DRG route tables to direct specific CIDR ranges to a network virtual appliance for inspection or NAT

Frequently Asked Questions

How does DRG route distribution work?: DRG route distributions are policies that control which routes are imported into or exported from a DRG route table. Import distributions determine which routes from attachments (VCN, IPSec, FastConnect, remote peering) are added to the route table. You can filter by attachment type, DRG attachment OCID, or match-all. This lets you create isolated routing domains — for example, a route table that only imports routes from production VCNs, not development VCNs.
Can I have multiple route tables on a single DRG?: Yes. A DRG supports multiple route tables, and each attachment is associated with exactly one route table. This enables per-attachment routing behavior. For example, you can create separate route tables for production VCN attachments, development VCN attachments, and on-premises connections, each with different route distribution policies and static routes. This is the foundation of network segmentation in OCI hub-and-spoke architectures.

Related Learning Guides

OCI VCN Networking Deep Dive25 min read