What’s New in the Aviatrix Controller?
This page provides information about the latest Aviatrix features. See the Release Notes for more detailed, release-specific information.
8.2.0
Release Date: 22 December 2025
Follow these links to learn about what’s new in this release:
Deprecation Notices in Release 8.2.0
Legacy Controller UI
The legacy Controller UI is deprecated in 8.2.0. Migrate all operational workflows to the modern UI. Legacy components will be removed in a future release.
New and Enhanced Features in Release 8.2.0
FlightPath 2.0
Adds deep, topology-aware troubleshooting:
- CAI metrics for real-time analysis
- Hop-by-hop path visualization
- Route analytics accelerating root-cause isolation across multi-cloud fabrics
Improves operational visibility and reduces MTTR for complex network issues.
OCI Support with Distributed Cloud Firewall (DCF)
Aviatrix Cloud Firewall now supports Oracle Cloud Infrastructure (OCI) in addition to AWS, Azure, and GCP.
- Enforce DCF rules on OCI gateways
- Unified security posture across multi-cloud environments
TLS Profile Extensions for DCF
Provides granular control over origin certificate validation for traffic inspected by DCF:
- Per-rule TLS profiles replacing global settings
- Support for multiple custom CA bundles
- Stricter validation for sensitive workloads
Benefits: Enhances compliance and security for encrypted traffic.
Hierarchical (MultiWriter) Policy via Terraform
Introduces hierarchical policy structure and attachment points for distributed policy management:
- Enables multi-team collaboration and RBAC
- Full Terraform support for creating and managing hierarchical policies
Benefits: Enterprise-scale governance and automation.
Logging Enhancements (Session Profiles)
Configurable session-level logging with flexible options:
- Log at Start, End, or both
- Adds session attributes such as duration, bytes transferred, and stage
- Includes API and Terraform support for log profiles
Improves troubleshooting and compliance reporting.
Controller CA Rotation
Zero-downtime rotation of the Controller’s CA certificate to improve cryptographic agility and security posture.
Terraform Provider Updates
Adds and expands resources and attributes for:
- IPv6 constructs (dual-stack enablement metadata)
- Smart Gateway settings
- IPS (Suricata-based) profiles
- Advanced SNAT/DNAT options
- Hierarchical / MultiWriter policy attachments
- Logging and TLS profile objects
Supporting Kubernetes Private Cluster
Introduces support for Kubernetes private clusters in policy enforcement and SmartGroup discovery, enabling secure and compliant operations for containerized workloads.
Upgrade Ciphers to NIST Standards for IPsec
Enhances IPsec encryption to meet NIST recommendations for stronger security:
- Default tunnel attachments use AES-256-GCM for improved cryptographic strength
- Weak ciphers are deprioritized when both endpoints support stronger options
- Supports progressive migration of existing gateways to stronger ciphers
- May require image upgrades for legacy gateways
Benefits: Aligns with FIPS 140-2/140-3 compliance and strengthens encryption for multi-cloud deployments.
BGPoLAN Gateway Resizing
Enables dynamic resizing of BGPoLAN gateways to smaller AWS instance types when interface count requirements are met:
- Supports downsizing below 4xlarge without service disruption
- Validates interface count to ensure compatibility with target instance type
- Helps customers reduce operational costs while maintaining connectivity
Benefits: Improves flexibility and cost optimization for BGPoLAN deployments.
Preview Features in Release 8.2.0
IPv6 Capability – Phase 1 (Preview)
Dual-stack (IPv4 + IPv6) enablement across Controller, CoPilot, AWS, and Azure:
- Gateways, FireNet, segmentation domains, and S2C with Edge support
- Terraform automation and diagnostics tooling
- Early edge support
Benefits: Addresses IPv4 exhaustion and future-proofs deployments.
Active Mesh 4.0 – Phase 1 (Preview)
Resiliency and lifecycle orchestration enhancements:
- Primary gateway lifecycle control for safe deletion/replacement
- Dynamic High-Performance Encryption (HPE) toggle
- Make-Before-Break upgrade pipeline minimizing traffic impact
Smart Gateways – Phase 1 (Preview)
Early access fast convergence architecture:
- Underlay fabric leveraging BGP-LU
- Controller offload/headless resilience
- Traffic drain/undrain operations
- Enhanced telemetry export
Suricata-based IPS (Preview)
Inline detection & prevention with:
- Customizable rulesets
- External threat feed ingestion
- Per-VPC/per-profile enforcement
- Terraform + API automation
Policy Audit Enhancement (Preview)
Structured diffs and change attribution (who/what/when) for DCF entities:
- Exportable via API for compliance and CI governance pipelines
DCF Serverless Rule Support (Preview)
AWS Lambda discovery and Smart Group-based policy application:
- Enables least-privilege egress control for ephemeral serverless workloads
Behavior Changes in Release 8.2.0
Upgrade Flow Enforcement
Ordered Controller → Gateway sequencing via discrete API calls to prevent mixed-version operational states.
Default Deny System Rule Relocation
Legacy system default deny rule appears within user rulesets; administrators must explicitly retain or replace baseline posture. Legacy bootstrap artifacts can be removed.
Session Logging Behavior
Session logging supports Start, End, or Both lifecycle points with enriched metadata; review log retention policies due to potential volume increases.