topic BGP Routing between vION and Connect Peer TGW in AWS in Prisma SD-WAN Discussions

BGP Routing between vION and Connect Peer TGW in AWS

M.S049558 — Wed, 25 Jun 2025 09:49:41 GMT

We have 2 vIONs deployed in AWS which are the Data Center devices and they are not in HA (Standalone). It has a BGP connections to the connect peer TGW (in AWS). How are the subnets of Branch Office advertised from vION to Connect Peer TGW. I can see the route map and prefix list are autogenerated and cannot be manually edited. Additionally I also see from CLI that the list of subnets being advertised via the prefix list varies with time in each vIONs.

BGP Peer Type: Core

Re: BGP Routing between vION and Connect Peer TGW in AWS

rgallagher — Wed, 25 Jun 2025 12:26:50 GMT

What you're seeing is expected, each Branch will chose one DC ION in the cluster as the active device, that DC ION is then responsible for advertising the Branch prefixes via the Core peer, so it's normal to see different subnets being advertised from each DC ION. The DC IONs are not in a HA Group like you would see in a Branch, but they are still HA but running in Active/Active from perspective of the DC, although from an individual Branch they see the DC as Active/Backup, see the diagram to hopefully explain.

Re: BGP Routing between vION and Connect Peer TGW in AWS

M.S049558 — Wed, 25 Jun 2025 13:10:11 GMT

Thanks for your response, we are planning for the Upgrade of DC vIONs. If we take down one of the vIONs, will all the subnets be automatically failed over to the other?

Example: if we are rebooting vION2, will the subnets being advertised to AWS TGW by the BGP in vION2 automatically switch to advertise through vION1.

NOTE: We are running BGP between DC vIONs and AWS TGW (using Connect Peer)

Re: BGP Routing between vION and Connect Peer TGW in AWS

rgallagher — Wed, 25 Jun 2025 14:38:04 GMT

Yes that's right, the active VPN will just failover automatically to the ION that is not being upgraded.

Re: BGP Routing between vION and Connect Peer TGW in AWS

M.S049558 — Mon, 30 Jun 2025 12:42:51 GMT

Hi Richard,

Just one last question, how does the Branch ION choose which DC ION to send the traffic (Active Tunnel). Are there any criteria or metrics.

Re: BGP Routing between vION and Connect Peer TGW in AWS

rgallagher — Mon, 07 Jul 2025 13:10:10 GMT

It's somewhat arbitrary given the DC ION that it choses will move after VPN flaps etc and therefore not persistent, but typically it will be the first one to come up.