What’s New in the Aviatrix Controller?
This page provides information about the latest Aviatrix features. See the Release Notes for more detailed, release-specific information.
8.0.0
Release Date: 19 May 2025
What’s New Last Updated: 30 May 2025
Deprecation Notices in Release 8.0.0
Controller Proxy Feature Deprecated
The Controller Proxy feature has been deprecated and is no longer supported starting with version 8.0.0. Users using this feature should remove proxy configurations and transition to direct outbound access or alternative network configurations as appropriate. Please contact your Account Representative for additional information.
Gateway Audit Feature and Status Deprecated
The Gateway Audit feature and the corresponding Gateway Audit Status setting are deprecated starting with version 8.0.0 and will be removed in a future release. While the options may still appear in the Controller UI under Settings > Advanced > Gateway > Gateway Audit Status, they are no longer supported. A deprecation note has been added in the UI for visibility. Avoid using these settings in new deployments.
New and Enhanced Features in Release 8.0.0
Transit Edge Enhancements – Site-to-Cloud
Supports external connections such as partner networks, SDWAN solutions, and on-prem locations via IPSec and GRE on Aviatrix Transit Edge. This enhancement enables secure partner and remote site connectivity from non-cloud environments like network aggregation sites, Equinix, and Megaport. Customers can land IPSec or GRE connections directly on Aviatrix Transit Edge, available as a physical appliance or as a virtual network service in supported provider locations.
Configuration Supported: BGPoIPSec, BGPoGRE, and static IPSec
Applications: Connecting to partner networks, integrating SDWAN connectivity, or linking remote sites to the cloud
BGP Communities Support
Provides fine-grained control over BGP route propagation and preference. Aviatrix Secure Cloud Network now supports BGP communities with enhanced controls in version 8.0.0, including global enablement, per-gateway, and per-connection options for blocking, adding, or replacing communities.
Communities Supported: Numeric communities such as 65535:65535, No-Advertise, and No-Export
BFD (Bidirectional Forwarding Detection)
Enables rapid failure detection between BGP peers, reducing downtime and accelerating convergence. BFD provides a proactive alternative to BGP hold timers and supports both single-hop and multi-hop configurations for external BGP sessions on Aviatrix gateways.
Megaport Transit Edge and Spoke Edge
Adds support for deploying Transit Edge and Spoke Edge via Megaport Virtual Edge (MVE) using cloud-init. This expands deployment options for Aviatrix Edges in all Megaport-enabled locations.
Edge ActiveMesh BGP
Extends ActiveMesh BGP peering to LAN neighbors at the Edge. This is ideal for data center and mid-mile network architectures such as deployments at Equinix, enabling BGP peering from single or HA Edge instances to remote LAN HA routers.
Non-ActiveMesh Mode for Megaport and Site-to-Controller Links
Introduced a non-ActiveMesh option for Megaport edge peerings and Site-to-Controller connections to support Layer 2 point-to-point connectivity.
Controller Auto Upgrade for OS Security Fixes
Starting with version 8.0.0, the Controller includes an automatic upgrade mechanism that periodically checks for and installs critical security fixes for operating system packages. This enhancement helps ensure that the Controller stays protected against known vulnerabilities without requiring manual intervention.
Automatic upgrades do not trigger a system reboot. If a kernel update is included, it will be queued and applied at the next manual reboot.
Route Reconciliation Optimization
Optimized route reconciliation at the gateway to reduce CPU and memory usage, improving performance in large-scale testbeds. Benchmarks have been added to help calculate scale parameters such as CPU usage relative to the number of routes.
Controller Associates Resource Manager Tags with VPCs in GCP
Starting with version 8.0.0, the Controller associates Google Cloud Resource Manager tags with VPCs in GCP. These tags can be used to match VPCs in Distributed Cloud Firewall (DCF) rules, similar to how tag-based matching works in AWS and Azure. This enhancement enables more granular control and simplifies GCP VPC management by allowing DCF rules to be applied based on specific tags.
System-wide PushConfig Timeout Control
Allows configuring pushconfig timeouts at the system level, enabling support teams to adjust timeouts more efficiently.
Reduced Memory Usage in Cloud Account Inventory (CAI)
Starting with version 8.0.0, the Controller reduces memory consumption in the Cloud Account Inventory (CAI) system by eliminating redundant storage of cloud provider credentials across regions. This enhancement improves system performance and stability, especially in large-scale or resource-constrained environments. No configuration changes are needed—this optimization is applied automatically upon upgrade.
CoPilot Features Enabled by Controller 8.0.0
SNI Verification (Preview)
This is a Preview Feature and not intended for production environments.
You can now enable SNI verification for a Distributed Cloud Firewall (DCF) rule when a WebGroup is selected.
SNI verification ensures that the Common Name (CN) or Subject Alternative Name (SAN) of the certificate matches the SNI field in the request.
If this condition is not met, the traffic is dropped. Additionally, you can adjust the enforcement level for the certificate in the DCF settings on the Decryption CA Certificate card.
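The check described above, as an added example (not Aviatrix code): it compares the SNI host name with the CN and DNS SAN entries of a certificate dictionary shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The wildcard rule, the function names and the sample certificates are assumptions of this example.

```python
# Added illustration of an SNI-versus-certificate name check.
# Sample certificates below are constructed; this is not Aviatrix code.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the SNI host name.

    Assumption: wildcards follow RFC 6125, so '*' is honoured only as the
    whole left-most label and covers exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels so a name like "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """Collect DNS SAN entries and subject CNs (the page says 'CN or SAN')."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return sans + cns


def sni_verdict(sni: str, cert: dict) -> str:
    """Return 'allow' if the certificate covers the SNI, otherwise 'drop'."""
    if not sni:
        return "drop"  # no SNI in the request, nothing to verify against
    covered = any(name_matches(n, sni) for n in cert_names(cert))
    return "allow" if covered else "drop"


# Constructed sample certificates (reserved example domains).
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}

if __name__ == "__main__":
    for sni in ("www.example.com", "v1.api.example.com", "other.example.net"):
        print(sni, "->", sni_verdict(sni, SAN_CERT))
```
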
Distributed Cloud Firewall Rulesets
The DCF policy is composed of multiple rulesets, each containing a set of ordered rules. These rulesets allow organizations to achieve various objectives by creating collections of rules tailored to specific needs. In Controller 8.0.0, two system-defined rulesets will be available:
- V1 Policy List: Contains all existing legacy rules (created prior to Controller 8.0) and the Greenfield Rule
- Post Rules Policy List: Contains the DefaultDenyAll rule
Egress Security Score
The Egress Security Score provides positive feedback as egress protection is implemented on Aviatrix-managed VPCs/VNets.
You can also view the protection status of VPCs/VNets, which are categorized as unprotected, monitored, partially protected, or fully protected.
Additionally, you can view detailed information on the calculation of the Egress Security Score, which offers a clear understanding of the metrics behind the security posture.
Also, when you protect your VPC/VNets, you can use the AI FQDN Analyzer to provide AI-driven insights into VPC/VNet traffic flows. These insights allow for informed decisions about which traffic flows require protection, thereby enhancing egress security.
Enhanced Audit Log Download
You can download the full set of logs to audit user access activities from Administration > Audit on the CoPilot UI.
Preview Features in Release 8.0.0
See the documentation for an explanation of Aviatrix Feature Modes.
Transit Edge S2C Static IPSec
Transit Edge S2C Static IPSec configuration is a preview feature in this release.
SNI Verification for DCF Rules
SNI Verification is a preview feature that allows matching certificate fields (CN/SAN) with the SNI field in TLS connections.
See SNI Verification (Preview) under CoPilot Features for details.
Behavior Changes in Release 8.0.0
API Behavior Change for Platform Upgrades
Starting with version 8.0.0, the upgrade_platform API no longer supports upgrading the Controller and Gateways in a single API call.
To perform an upgrade, first upgrade the Controller using one API call. Then, initiate a separate call to upgrade one or more Gateways.