What’s New in the Aviatrix Controller?

The Aviatrix Controller UI will be deprecated in 2025. We recommend using CoPilot as your Aviatrix Management UI. Please contact your Account Representative for additional information.

The “Keep Alive via Firewall LAN Interface” option will be removed from the UI and enabled by default in a future Controller release. In preparation for that change, any newly launched FireNet resources will have “Keep Alive via Firewall LAN” (Keep Alive) enabled by default. You will not be able to disable the Keep Alive option. Existing FireNet resources should have “Keep Alive via Firewall LAN” set to enabled. Upgrades will be blocked if the Keep Alive option is disabled on any FireNet resources.

CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. You must migrate CloudN Gateways to Aviatrix Edge before upgrading to a release based on the newer Linux OS. For more information, contact your account team.

This feature is moved from Preview to General Availability (GA). For information about this feature, see Security Group Orchestration.

See Aviatrix Feature Modes for descriptions of Preview and GA features.

Aviatrix now supports OCI E5 for gateway instances:

FLEX4.16 — E5 4 OCPU 8G RAM

FLEX8.32 — E5 8 OCPU 32G RAM

FLEX16.32 — E5 16 OCPU 32G RAM

The following CSP regions are now supported in General Availability in this release.

AWS

Azure

OCI

Alibaba

BGP route tables will now include both next hop and neighbor IP validation to insert routes in the gateway table. This will allow all BGP prefixes to be learned when next hop IP and BGP peer IP are different.

Aviatrix provides a comprehensive listing of newly released instance types across AWS, Azure, GCP, and OCI, ensuring customers can leverage the latest compute options for the Spoke Gateways.

Aviatrix FireNet now supports the latest NGFW versions, ensuring compatibility with updated releases from Palo Alto Networks, Fortinet, Check Point, and Cisco across AWS, Azure, and GCP.

Security Group Orchestration has moved from Preview mode to General Availability for Microsoft Azure only. This feature automates the management and deployment of security group policies across multiple cloud environments, simplifying the process of defining, updating, and enforcing security rules for VNets, subnets, VMs, and subscriptions.

See the documentation for an explanation of Aviatrix Feature Modes.

Aviatrix’s External Connections (S2C) is now integrated with Microsoft Entra’s cloud-based IAM service to enable Zero Trust security. This ensures network traffic from various sources is securely forwarded to Microsoft’s SSE Solution cloud proxy for authentication and access to cloud resources.

This feature enables customers to configure Hostnames in SmartGroups as source and destination for Distributed Cloud Firewall (DCF) rules. This allows DNS-based IP resolution for managing non-HTTP/HTTPS traffic in East-West and Site-to-Cloud scenarios.

Kubernetes (K8s) clusters with native IP addressing (no overlay, no SNAT) can now seamlessly integrate into SmartGroups. This simplifies managing egress traffic to internet, VPCs/VNets, or external services, with auto-discovery and onboarding across AWS and Azure.

Inconsistent use of "DROP" and "DENY" in traffic logs for blocked connections caused confusion when interpreting Layer 7 and Layer 4 traffic logs. "DROP" and "DENY" were used interchangeably to indicate blocked connections. All Logs are now updated to consistently use "DENY" for all blocked traffic.

The Aviatrix Controller UI will be deprecated in 2025. We recommend using CoPilot as your Aviatrix Management UI. Please contact your Account Representative for additional information.

The “Keep Alive via Firewall Lan Interface” option will be removed from the UI and enabled by default in a future Controller release. In preparation for that change, any newly launched FireNet resources will have “Keep Alive via Firewall LAN” (Keep Alive) enabled by default. You will not be able to disable the Keep Alive option. Existing FireNet resources should have “Keep Alive via Firewall LAN” set to enabled. Upgrades will be blocked if the Keep Alive option is disabled on any FireNet resources.

CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. You must migrate CloudN Gateways to Aviatrix Edge before upgrading to a release based on the newer Linux OS. For more information, contact your account team.

New notifications have been added to help identify potential causes of connection problems. The following notifications will appear in the user interface when configuring or managing gateways:

This update helps to quickly pinpoint if Geoblocking rules or stale configurations are preventing connections from establishing properly. It also eliminates the need to manually check logs or configuration status when troubleshooting unexpected connectivity issues. It is particularly useful for diagnosing problems with BGP (Border Gateway Protocol) connections.

This update does not affect HPE or Public Subnet Filter Gateway functionality.

Added new functionality to track Aviatrix security policy enforcement in AWS VPCs. This improves visibility and troubleshooting for AWS intra-VPC security policy enforcement and allows administrators to easily verify applied security rules.

This release provides a major new capability for Aviatrix Edge Gateways. Edge Transit Gateways have been added to provide a secure, high-performance networking solution designed to simplify and accelerate hybrid and multi-cloud connectivity. Edge Transit Gateways enable seamless routing and end-to-end encryption across various cloud providers and on-premises environments, while providing centralized management and operational visibility. This feature is available at Cloud Fabric > Hybrid Cloud > Edge Gateways.

Edge Transit Gateways is a GA Feature for Aviatrix Edge Platform (AEP) and is a Preview Feature for Equinix Network Edge and Megaport Virtual Edge (MVE) in this Controller release.

Customers deploying Edge on physical appliances like Dell and HPE hardware, can now configure explicit and transparent proxies for Edge OS management connectivity outbound. The proxy support allows enterprises to leverage the proxies in their environment and Edge OS can now seamlessly call home via proxy server configuration.

You can configure proxy profiles for Edge Platform network connections from Cloud Fabric > Edge > Devices. You can create multiple proxy profiles to route traffic based on organizational requirements.

For more information, see Installing Edge OS and Onboaring Dell Hardware.

Customers can now leverage Distributed Cloud Firewall (DCF) for Egress security in Azure across multiple disconnected VPCs with the same IP ranges.

When using SmartGroups VM, VPC, or Subnet-type selectors, Aviatrix now intelligently programs policies for the appropriate VPCs even if the CIDRs are the same. CIDR-based SmartGroups are still programmed on all VPCs/VNets that match the CIDR. Logging will show the gateways that are enforcing the policies along with the appropriate rule UUIDs. This feature is already supported in AWS in previous releases.

Distributed Cloud Firewall (DCF) now has support for up to 5,000 rules and higher Groups scale.

Key Highlights:

This Distributed Cloud Firewall (DCF) feature enhances how GeoGroups and ThreatGroups are automatically updated with the latest security intelligence.

Key Features:

This release now supports the option of terminating Google interconnect connection on Edge Gateways and the ability to set up BGP to Google Cloud Router.

An option has been added to the NetFlow Agent that allows you to set the NetFlow sampling rate. Adjusting the sampling rate can reduce storage requirements and, in some cases, could provide a more accurate representation of NetFlow.

FlowIQ, CostIQ, and Anomaly Detection will factor in the sampling rate in the individual features. The sampling rate cannot be set to less than 100% for ThreatIQ and Geoblocking, if you are currently using those features.

For more information, see Configuring the Aviatrix NetFlow Agent.

This release enables you to securely expand your cloud footprint into China, using Palo Alto Firewalls in Azure China for advanced traffic filtering and security.

Key Highlights:

This enhancement introduces Session-Based Logging for Aviatrix Distributed Cloud Firewall (DCF), replacing traditional per-packet logging for improved performance and insight.

Transit Edge is a Preview Feature for Equinix NE and Megaport MVE in this controller release.

This Preview Feature enables secure and streamlined egress traffic management in Google Cloud Platform (GCP) deployments.

Key Features:

For more information, see Enabling and Disabling GCP Global VPC.

This release introduces two powerful new Preview Features, ThreatGroups and GeoGroups, designed to strengthen your security posture through dynamic content filtering and real-time threat intelligence.

These new features seamlessly integrate with ThreatIQ, providing you with enhanced flexibility and control to safeguard your infrastructure from location-based and evolving threats.

See the documentation About Groups.

This Preview Feature significantly enhances security and traffic management capabilities for hybrid cloud deployments.

Key Highlights:

This release enables organizations to enhance security for their public-facing workloads by leveraging advanced traffic filtering and security features. This is a Preview Feature.

Key Highlights:

The following CSP regions are supported as a Preview Feature in this release.

AWS

Azure

OCI

Alibaba

A limit check has been added for equal-cost multi-path (ECMP) Tunnels. A maximum number of tunnels can be created between certain gateway types:

See Controller Version Tracks for specific version numbers.

You can address this issue by doing any of the following:

As of 7.2.4820, the Keep Alive via Firewall Lan Interface option has been removed from the Controller UI. This action is now enabled by default and performed automatically.

You can now include spaces when naming rules, rulesets, SmartGroups, and WebGroups. Previously, names were restricted to alphanumeric characters, hyphens, and underscores. The maximum name length remains 128 characters and names must still be unique within your account.

Inconsistent use of "DROP" and "DENY" in traffic logs for blocked connections caused confusion when interpreting Layer 7 and Layer 4 traffic logs. "DROP" and "DENY" were used interchangeably to indicate blocked connections. With this release, all Logs will be updated to consistently use "DENY" for all blocked traffic.