Inline Software Upgrade

Aviatrix software is released frequently every 6 - 8 weeks.

When upgrading a controller’s software, all gateways are upgraded with the new software at the same time. This is done by the controller pushing new software to gateways directly and automatically once requested.


We strongly recommend that you make a backup before you start the upgrade process. Please follow the directions here.

Please also check out our release notes.

Pre-upgrade Checklist:

Here are a few steps that we suggest you go through before the actual upgrade. If you are scheduling the upgrade during a maintenance window, you can execute these before the maintenance window, so you can make best use of your downtime.

  1. Ensure that all gateways are in green/up status. If not, please check out Support Center for common issues and solutions
  2. Ensure that all the tunnels are green/up - if not, work with the right teams to debug and bring them up.
  3. Execute “AviatrixConsole/Settings/Maintenance/Upgrade/DryRun” to make sure that all gateways are ready for upgrade. If any gateways fail the dry run, please run “AviatrixConsole/Troubleshoot/Diagnostics/Gateway/Diagnostics” and review results to make sure there is a good communication path between the Controller and the Gateway. If you cannot fix it, please click on “Submit Results” and then open a ticket by sending an email to
  4. Please make sure that you have the right accounts/credentials to update IAM policies in all AWS accounts during the upgrade process
  5. Please make a backup and check the S3 bucket to make sure the process was successful. If you don’t have backup enabled, please follow the backup instructions to enable it.

How to upgrade software

Upgrades are done from the Controller UI. To check for an available update and perform an upgrade, follow these steps:

  1. Follow the directions listed below in this document to update your IAM policies in all accounts, before starting the upgrade process

  2. Log in to your Controller.

  3. Expand Settings navigation menu item

  4. Click Maintenance

  5. Click Dry Run to make sure the controller and gateway are in contact and allowed to download our software from our release server. If the Dry Run is unsuccessful, you may want to check controller/gateway security groups and VPC DNS settings to make sure their outbound traffic to Internet is allowed.

  6. Make a backup before the upgrade by following the instructions documented here.

  7. Click Upgrade to the latest to upgrade your software to the latest version

    1. If upgrading from a release<3.3.x: Please upgrade to the next immediate release by entering the right version in “Upgrade to custom release” - the correct order is: 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, 3.3
    2. Upgrading from a release>=3.3.x: The Aviatrix Controller will enforce incremental upgrades, so please click on “Upgrade to the Latest”. You might have to go through multiple upgrades before you reach the latest release. Follow the directions in the next note when you upgrade to release 4.0
    3. If upgrading from a release<4.0: Once you upgrade to 4.0, please go to “Aviatrix Console > Troubleshoot > Diagnostics > Services” and click on “Restart Cloudxd” - please click on it only one time, wait for a minute, close your browser and start a new https connection to Aviatrix Console. This is only needed if your controller is based on 14.04 AMI. This will not be required for later AMI’s.
    4. If you are running 4.7 or reached 4.7 during upgrade, the next release to upgrade is 5.0 and you would have to go to “Upgrade to Custom Release” and enter “5.0” in “Release Version” and click on “Upgrade to a Custom Release” button.
  8. Please go to “”AviatrixConsole/Settings/Maintenance/Upgrade/GatewayUpgradeStatus” and check that all gateways have been upgraded - “Current Version” on all gateways should match the version you have upgraded to. Please flip through additional pages if you have more than 20 gateways. If any gateway failed, please run diagnostics and a forced upgrade. If needed, please open a ticket with diags and tracelogs.

  9. Make a backup after the upgrade by following instructions documented here.

  10. If you are using terraform, please use the appropriate branch from For more information please go to

  11. If you are using Aviatrix VPN Client, please consider upgrading to the latest release.


To reduce issues related to upgrading, starting version 3.3, the Controller will let you upgrade only to the next maintenance release. For example, from 3.3.x, you can only upgrade to 3.4 first and can then upgrade again to get to 3.5. If you are running a version earlier than 3.3, please upgrade to the next higher version first and repeat till you get to 3.3, using the “Upgrade to a Custom Release” function. If you are running version 3.3 or later, you can upgrade using the “Upgrade to the Latest” method as mentioned above – but note that you might have to upgrade multiple times to get to the latest release.

Example: A controller running 3.1 can go to the latest release(lets say, 3.5) using the following steps:
  • Backup. Upgrade to 3.2 using “Upgrade to a Custom Release”
  • Backup. Upgrade to 3.3 using “Upgrade to a Custom Release”
  • Backup. Upgrade to 3.4 using “Upgrade to the Latest”
  • Backup. Upgrade to 3.5 using “Upgrade to the Latest”



If you have been provided a custom release version, please enter that version into the Release Version field and click Upgrade to a custom release button.

Inline and hitless software upgrade

Aviatrix software upgrade happens inline without taking down the controller.

In addition, gateway upgrades are hitless. That is, all gateway encrypted tunnels stay up during the upgrade process. There is no packet loss when upgrading the software.

Upgrade impact on OpenVPN® users

Most upgrades do not impact connected OpenVPN® users. In some cases, OpenVPN® service needs to be restarted as part of software upgrade, for example, upgrade to a new SSL version for security patch. In these cases, connected OpenVPN® users will be disconnected and will need to connect again.

Upgrading from release 4.3 and up will not result in an openvpn restart, so existing openvpn connections will not be dropped

When a release affects OpenVPN® users, the Release Note will make a note of it. Make sure you read the Release Notes before applying an upgrade.

OpenVPN is a registered trademark of OpenVPN Inc.

How to update AWS-IAM-Policy

Please also keep your AWS IAM Policies updated to the latest (preferably before upgrading controller software).

Step 01: Login to your AWS GUI console


Step 02: Go to IAM service


A. Update “aviatrix-assume-role-policy”:

Step 03: Click “Policies” and search for the policy “aviatrix-assume-role-policy”

If you have not created “aviatrix-assume-role-policy”, please see here.


Step 04: Click Edit Policy


Step 05: Click tab “JSON”

Step 06: Update Policy: copy and paste the policy text from this link and then click button “Review policy” and button “Save changes”.

B. Update “aviatrix-app-policy”:

Step 07: Click “Policies” and search for the policy “aviatrix-app-policy”

If you have not created “aviatrix-app-policy”, please see here.


Step 08: Click Edit Policy


Step 09: Click tab “JSON”

Step 10: Update Policy: copy and paste the policy provided by this link and then click button “Review policy” and button “Save changes”.


Please also update the AWS-IAM-Policy for all Secondary Access Accounts.