What’s New in the Aviatrix Controller?
This page provides information about the latest Aviatrix features. See the Release Notes for more detailed release-specific information.
7.1.4105
Release Date: 18 July 2024
What’s New updated 16 September 2024
Important Notices in Aviatrix 7.1.4105
Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.
- An older Linux OS is supported with Controller 7.1.3956 and 7.1.4101.
- A newer Linux OS is supported with Controller 7.1.3958 and 7.1.4105.
This 7.1.4105 release version is available as an upgrade option only if you have already upgraded to the following:
- 7.1.3956 or 7.1.4101
- 7.1.3958 (latest Linux OS)
Starting with 7.1.3958, the Aviatrix base image uses a newer industry standard Linux operating system. See the Upgrading Aviatrix documentation for more information.
Do Not Apply Existing Patches to Newly Upgraded Controllers
The new Controller and Gateway images shipped with the 7.1.3958 release include all previously released software patches. Therefore, you do not need to reapply the old software patches to Controllers and Gateways updated to this release. If any new software patches are released in the future, and if they apply to the new Controller and Gateway images, the documentation associated with that release will clearly identify the patches and provide instructions.
CloudN Not Supported in 7.1.4105
CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. If you have CloudN gateways attached to your Controller and you want to upgrade to release 7.1.4105, you must migrate to Aviatrix Edge. For more information, contact your account team.
Upgrade on Aviatrix Edge Platform
On the Aviatrix Edge Platform, after you have upgraded the image to the latest Aviatrix base image in 7.1.3958, you cannot roll back to the previous image.
Migrate Egress FQDN Filtering to Distributed Cloud Firewall
As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.
Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.
New Features in Release 7.1.4105
Issue | Description |
---|---|
AVX-53690 | Enable Azure Migration in CoPilot: The Controller auto-migration feature using CoPilot is now available for Controllers on Azure. For information, see Upgrade your Controller and Gateways to the Latest Aviatrix Supported Images. You can use the auto-migration feature to migrate from 7.1.4101 to 7.1.4105 or later releases. Azure China is not currently supported for migration to 7.1.3958 or later releases. |
AVX-51224 | Added support to deploy Azure V5 instances of Firewalls in Aviatrix FireNet. |
7.1.4101
Release Date: 22 July 2024
What’s New updated 16 September 2024
Important Notices in Aviatrix Release 7.1.4101
Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.
- An older Linux OS is supported with Controller 7.1.3956 and 7.1.4101.
- A newer Linux OS is supported with Controller 7.1.3958 and 7.1.4105.
CloudN Support Ending
Controller version 7.1.4101 (older Linux OS) is the last version that supports CloudN. CloudN is being replaced with Aviatrix Edge. For more information, contact your account team.
Upgrades to Future Releases
If your Controller is running release 7.1.4101 or earlier, you will not be able to upgrade directly to 7.2 or later releases, when they become available. You will need to upgrade to release 7.1.4105 or a later 7.1 release before proceeding to any 7.2 releases.
Migrate Egress FQDN Filtering to Distributed Cloud Firewall
As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.
Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.
Enhanced Features in Release 7.1.4101
Issue | Description |
---|---|
AVX-54105 | Enable Azure Migration in CoPilot: The Controller auto-migration feature using CoPilot is now available for Controllers on Azure. For information, see Upgrade your Controller and Gateways to the Latest Aviatrix Supported Images. You can use the auto-migration feature to migrate from 7.1.4101 to 7.1.4105 or later releases. Azure China is not currently supported for migration to 7.1.3958 or later releases. |
7.1.3958
Release Date: 06 June 2024
What’s New updated 16 September 2024
Important Notices in Aviatrix 7.1.3958
Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.
- An older Linux OS is supported with Controller 7.1.3956.
- A newer Linux OS is supported with Controller 7.1.3958.
This release updates the Aviatrix base image to use a newer industry standard Linux operating system. See the Upgrading Aviatrix documentation for more information.
This release version is available as an upgrade option only if you have already upgraded to 7.1.3956.
Do Not Apply Existing Patches to Newly Upgraded Controllers
The new Controller and Gateway images shipped with the 7.1.3958 release include all previously released software patches. Therefore, you do not need to reapply the old software patches to Controllers and Gateways updated to this release. If any new software patches are released in the future, and if they apply to the new Controller and Gateway images, the documentation associated with that release will clearly identify the patches and provide instructions.
CloudN Not Supported on 7.1.3958
CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. If you have CloudN gateways attached to your Controller and you want to upgrade to release 7.1.3958, you must migrate to Aviatrix Edge. For more information, contact your account team.
Upgrade on Aviatrix Edge Platform
On the Aviatrix Edge Platform, after you have upgraded the image to the latest Aviatrix base image, you cannot roll back to the previous image.
Migrate Egress FQDN Filtering to Distributed Cloud Firewall
As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.
Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.
Enhanced Features in Release 7.1.3958
Issue | Description |
---|---|
AVX-37409 | IP routing services for Border Gateway Protocol (BGP) have been upgraded and improved. This does not impact user functionality and does not require any changes to your environment. |
AVX-44963 | Support for GCP gateways has been improved, so launching gateways for multiple GCP accounts can happen in parallel. The time it takes to launch GCP gateways for the first time in an account has also been optimized. |
7.1.3956
Release Date: 28 May 2024
What’s New updated 16 September 2024
Enhanced Features in Release 7.1.3956
This release introduces a new GUI-based Controller image upgrade experience when used with CoPilot.
Important Upgrade Notices in Aviatrix Release 7.1.3956
Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.
- An older Linux OS is supported with Controller 7.1.3956.
- A newer Linux OS is supported with Controller 7.1.3958.
Upgrades to Future Releases
If your Controller is running release 7.1.3956 or earlier, you will not be able to upgrade directly to 7.2 or later releases, when they become available. You will need to upgrade to release 7.1.3958 or a later 7.1 release before proceeding to any 7.2 releases.
CloudN Support Ending
Controller version 7.1.4101 (older Linux OS) will be the last version that supports CloudN. CloudN is being replaced with Aviatrix Edge. For more information, contact your account team.
Migrate Egress FQDN Filtering to Distributed Cloud Firewall
As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.
Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.
7.1.3006
Release Date: 10 Jan 2024
Enhanced Features in Release 7.1.3006
Issue | Description |
---|---|
AVX-37725 | (Azure) During subnet inspection, added the ability to inspect secondary/extra CIDRs in a VNet. When you use this enhancement, subnet inspection extends to cover all CIDR ranges associated with a VNet. |
AVX-38333 | Added support for High Availability (HA) and horizontal scaling for Aviatrix Edge gateways. You can now:
High-Performance Encryption (HPE) is required. |
AVX-38335 | Aviatrix Secure Edge now supports the Dell R450 hardware for the Aviatrix Edge Platform. For more information, see the following documents: Supported Edge Hardware for the Aviatrix Edge Platform (for the hardware specification details) and Onboarding Edge Hardware (for the steps to onboard your edge hardware in Aviatrix CoPilot). |
AVX-41388 | Improved Controller resilience and scalability with the metrics database. Added support for two new metrics: conntrack allowance available and conntrack usage rate. These metrics are available on Controller software version 7.0.1307 and above. |
AVX-43958 | |
AVX-44146 | (AWS) You can now create c6in instance gateways for all AWS regions. |
AVX-44831 | Aviatrix Secure Edge BGP over LAN Connection Enhancement: This feature enhancement allows Aviatrix Secure Edge Gateways in a cluster to establish a BGP over LAN connection to the same BGP neighbor. Previously, Edge Gateways in a cluster could only establish a one-to-one peering for BGP over LAN connections with their BGP neighbors. |
AVX-45898 | (Azure) The Qatar Central region has been included in the supported regions for Azure Gateways and VPCs. |
AVX-45899 | (Azure) Added support for Azure China East 3 region. |
AVX-46659 | For Equinix Edge Gateways, you can now set up BGP configuration for each HA (High Availability) Gateway as well as for the primary gateway. Previously, you could only set up BGP for the primary Equinix Edge Gateway. |
AVX-48416 | (Azure) The Aviatrix platform now supports new instance sizes for Azure FireNet Check Point Firewall deployment: |
AVX-49589 | Domain type WebGroups for Distributed Cloud Firewall are now GA. WebGroups are now the preferred mechanism for implementing Egress firewalling. For more information about WebGroups and Distributed Cloud Firewall, see About WebGroups. |
7.1.1710
Release Date: 11 May 2023
Important Notices in Aviatrix Release 7.1.1710
Disable Deprecated Controller-Logging Configurations
If you have logging configurations enabled in Controller for the following external log servers, the out-of-the box logging services for these external log servers were deprecated in previous Controller releases and are removed in Controller 7.1.1710:
- Elastic Filebeat
- Splunk Enterprise/Cloud
- Sumo Logic
You cannot upgrade to Controller 7.1.1710 until you have disabled these deprecated logging configurations.
To disable the deprecated logging configurations:
- Depending on your environment, you may want to enable your log forwarding under rsyslog and verify the functionality is working before disabling the deprecated logging configurations. For information about using rsyslog as the logging mechanism to forward Aviatrix platform logs to your external log server, see Aviatrix Controller Logging.
- Disable the deprecated logging configurations for Elastic Filebeat/Splunk Enterprise or Cloud/Sumo Logic, as applicable, in the Controller > Settings > Logging page. Locate the applicable external log server’s respective option and switch its toggle from Enabled to Disabled.
Migrate Egress FQDN Filtering to Distributed Cloud Firewall
As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.
Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.
Preview Features in Aviatrix Release 7.1.1710
Intrusion Detection and TLS Decryption
When creating a Distributed Firewalling rule, you can enable Intrusion Detection and TLS Decryption.
If Intrusion Detection is enabled, traffic is inspected for threats.
If Intrusion Detection and TLS Decryption are both enabled, the decrypted data is examined for intrusions.
For more information, click here.
New Features in Aviatrix Release 7.1.1710
AVX-35849 - (Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot. Previously, you could only create these interfaces while launching an Azure Transit Gateway.
In the Controller, this feature applies to individual gateways. Make sure to set up the same number of BGP over LAN interfaces for each gateway in the group.
In CoPilot, this feature applies to a primary gateway and its HA (High Availability) instances.
- When you add a BGP over LAN interface, Azure Gateway instances will stop during configuration.
- You cannot delete BGP over LAN interfaces.
AVX-36272 - (Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot without re-deploying your Transit Gateways. Previously, you could only create these interfaces while launching an Azure Transit Gateway, and would have to re-deploy your gateway and cause down-time in your data plane.
In the Controller, this feature applies to individual gateways. Make sure to set up the same number of BGP over LAN interfaces for each gateway in the group.
In CoPilot, this feature applies to each gateway group, or a primary gateway and its HA (High Availability) instances.
- When you add a BGP over LAN interface, Azure Gateway instances will stop during configuration. If you use HA (High Availability), then the instances will stop one at a time to minimize impact.
- You cannot delete BGP over LAN interfaces.
Feature Support in Aviatrix CoPilot for Controller 7.1.1710
The following features are available in Aviatrix CoPilot 3.10.0 when upgrading to Aviatrix Controller 7.1.1710:
Aviatrix Secure Edge for On-Premises and Aviatrix Edge Platform
This release enables support for Aviatrix Secure Edge Gateway to be deployed via a turnkey solution from Aviatrix by leveraging an appliance wherein appliance onboarding and orchestration is driven from the Cloud. Deployment of the Edge gateway is via a zero touch provisioning model. The solution enables a seamless management and configuration model from Cloud to edge. This functionality requires Controller software version 7.1.1710 or later. For more information on Aviatrix Secure Edge, see here.
VLAN, VRRP Support on Aviatrix Secure Edge
Aviatrix Edge Gateway can be used to terminate VLANs on the Edge Gateway. This also includes VRRP support. This can be used on the Aviatrix Edge Platform, on a device where the Secure Edge Gateway acts as a LAN-side router. This functionality requires Controller software version 7.1.1710 or later.
VLAN at Edge to CSP VPC/VNET Segmentation Support
Aviatrix Secure Edge at a customer on-premises location can be used as a LAN-side Gateway with VLANs. This now enables a cloud-to-Edge segmentation model, where segmentation domains and corresponding policies allow customers to define isolation from CSP VPCs and VNETs to on-premises networks and vice versa. This functionality requires Controller software version 7.1.1710 or later.
Aviatrix Secure Edge in Equinix - BGP Underlay Support
Aviatrix Secure Edge in the Equinix Network Edge platform now supports setting up private virtual connections from Aviatrix Secure Edge to CSPs such as AWS, Azure, GCP and OCI, and using BGP for peering to the CSP private connections (for example, Direct Connect, Express Route, Interconnect). This functionality requires the 7.1.1710 Controller release.
L4 Firewall Support on Aviatrix Secure Edge
Aviatrix Secure Edge now supports L4 firewall capabilities where CIDR and IP addresses can be used along with ports and protocols to define policies for granular traffic control.
Edge GW A/A and A/S Support
Edge in Equinix is only a single Gateway per site in this release.
Edge on ESXi/KVM is untested in Controller version 7.1.1710. For Edge on ESXi/KVM self-managed environments, please use Controller version 6.8, 6.9 or 7.1.
The Controller release 7.1.1710 supports two active/active Gateways when deployed on-premises.
Distributed Firewalling with WebGroups
You can now use WebGroups when defining distributed firewalling rules in the CoPilot > Security > Distributed Firewalling page. A WebGroup collects Domains and URLs into a group that can be used in DFW Rules as the matching condition for enforcing the Rule action.
This functionality requires Controller software version 7.1.1710 or later.
Enhancements to Intra VPC/VNet Distributed Firewalling
If you have Controller version 7.1.1710 or later, you can perform Security Group orchestration for VPC/VNets that have Intra VPC/VNet enabled. See the CoPilot > Security > Distributed Firewalling > Settings tab.
You can view the Intra VPC/VNet configuration in the Topology map and see how many VPC/VNets have Intra VPC/VNet enabled.
For more information about CoPilot Features, see What’s New in CoPilot.
Enhanced Features in Aviatrix Release 7.1.1710
Issue | Description |
---|---|
AVX-10154 | (Azure) If you have deployed Aviatrix gateways in Azure that use a companion-gateway-version less than or equal to “aviatrix-companion-gateway-v8,” upgrade to software release 6.7.1185 or newer before performing an image upgrade of these gateways. No immediate action is required. Do not perform any Out-of-band or Manual activity related to Azure unmanaged disks, as they will be retired in 2025. |
AVX-18598 | (AWS) New AWS firewalls will now have the following rules for management interface security groups. These rules enhance firewall security. Palo Alto firewalls have a dedicated management interface. Their security group will have these rules:
Fortinet firewalls use the egress interface as the management interface. The security group will have:
Check Point firewalls use the egress interface as the management interface. The security group will have: |
AVX-20069 | The number of HPE (High Performance Encryption) tunnels between connections now automatically adjusts according to the new instance size. Previously, if the gateway already had an HPE connection, you had to manually detach the connection in order to resize. This improvement helps your network to scale more easily and effectively. |
AVX-20859 | CoPilot has added the ability to save and download CoPilot user configuration as a backup file on the Controller. This allows administrators to restore their environments to previous configurations. You can use this backup configuration when you deploy a new CoPilot from the Controller. For information on how to save the CoPilot user configuration as a backup file, see this document. |
AVX-23108 | (AWS) Intra VPC/VNet Distributed Firewalling is now available for AWS (VMs only) as well as Azure. With this feature you utilize cloud-native security features to provide security control within the virtual network. See this document for more information. |
AVX-23265 | Performance enhancements to network segmentation in support of improved network scalability. When enabling network segmentation, there are no longer limits for creating underlying tunnels. |
AVX-27396 | (Azure) You can now use HPE (High Performance Encryption) on the following Azure instances: |
AVX-29650 | Added a Max Performance column in the Transit Peering Connection table, which you can find in Multi-Cloud transit > List > select a gateway > click Details/Diag. This column shows you the max performance of each transit peering so that you can structure your network more efficiently. |
AVX-30716 | Previously, Aviatrix Edge gateways were listening on a specific port on all interfaces. Now, Aviatrix has removed the open port to improve security. See here for information about Aviatrix ports. |
AVX-30788 | You can now configure BGP over LAN on a BGP Spoke Gateway. Customized NAT/DNAT is also supported by the BGPoLAN connection on the BGP Spoke Gateways. |
AVX-31421 | While using Private Mode, you can now configure and edit Controller proxy settings directly from the Controller UI or Terraform after setting up your Controller. In the Aviatrix Controller, go to Settings > Advanced > Proxy to set up this configuration. |
AVX-32231 | A new safety check has been added to help avoid configuration errors. With this safety check, you cannot set up your Spoke Gateway with Custom Mapped/Mapped configuration with Overlapping CIDRs in any of the following: |
AVX-32256 | (Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers. |
AVX-32467 | Reduced the time it takes to enable CoPilot Security Group Management. |
AVX-32894 | (Azure) You can now use Accelerated Networking on Azure gateways with instance sizes that support this feature. See the list of supported instance sizes here. |
AVX-32976 | Aviatrix now supports service in the Azure China North 3 region. |
AVX-33021 | When authenticating a Site2Cloud connection using PSK-based authentication, you can now ignore or skip the Remote ID check by entering "" in the Remote Identifier field. This enhancement lets you authenticate connections for Remote ID types that Aviatrix Gateways do not support, including IPv6, FQDN, or email. This change also allows you to check if a tunnel is down because of a mismatched Remote ID. You can enter "" in the Remote Identifier field, and if the tunnel comes up, the Remote ID could be mismatched. |
AVX-33353 | If your Aviatrix Controller was configured with proxy configuration, you can now use remote support. |
AVX-34144 | (Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers. |
AVX-34431 | (AWS) AWS gateways will now support a new instance type, C6in, in select regions. |
AVX-34591 | (AWS) Added support for the UAE (United Arab Emirates) region, or me-central-1, for AWS Gateways and VPCs. |
AVX-35305 | Corrected the user ownership of the BGP log to quagga:quagga. This enhancement helps maintain the logging of BGP and Zebra. |
AVX-35773 | During vendor integration with Panorama, you can increase the wait time for a Panorama commit to one (1) minute. Because it can take some time for Panorama to commit template changes, doing a device push before that commit is ready could cause incomplete routes to be pushed to devices. The increased wait time ensures that the Panorama commit is complete before the device push. To increase the wait time for these commits, please reach out to support@aviatrix.com. |
AVX-35789 | Previously, if the gateway daemon code experienced errors, it could be difficult to receive alerts for those errors. Now, if the gateway daemon code experiences errors, you receive a notification through the Controller’s bell icon. |
AVX-36202 | Aviatrix now supports BGP over GRE in Spoke Gateways. Previously, Aviatrix only supported BGP over GRE for Transit Gateways. |
AVX-36246 | Added new API endpoints for Datadog: "ddog-gov.com", "us3.datadoghq.com", "us5.datadoghq.com". |
AVX-36425 | You can now configure DNAT in non-active gateways. |
AVX-36562 | The FlightPath feature has two improvements: |
AVX-36747 | Aviatrix Controller and gateway images are switching from Racoon-based IKE to Strongswan-based IKE. Your Controller and gateways will use the image’s Linux kernel version to determine which IKE type to enable. If the Linux kernel version is 5.4 (or newer), an upgrade is supported. |
AVX-36880 | You can now upgrade images for multiple non-Activemesh Aviatrix Standalone Gateways in batches, instead of individually. This improvement makes the image upgrade process faster and more efficient for this type of gateway. You can upgrade non-Activemesh gateway images in batch if they have no peerings, or if only one of the gateways has a peering. If more than one non-Activemesh gateway has a peering, the batch image upgrade will fail. Please see Upgrading Gateway Images for more information. |
AVX-38080 | The wait limit for communication between gateways and the Controller has been extended from 2.5 minutes to 10 minutes. This extension provides the necessary time for gateways to successfully upgrade. |
AVX-38963 | Previously, the Aviatrix OpenVPN® feature could not be used in conjunction with Site2Cloud certificate-based authentication. Now, you can use both features at the same time. |
AVX-39449 | Private Mode now supports BGP-enabled Spoke with GRE tunnels as well as IPsec tunnels. This feature is available for Spoke and Transit Gateways. |
AVX-39732 | (Azure) Aviatrix has added support for the following Standard_Dxs_v5 instance types for VMs (Virtual Machines):
This enhancement was added to enable you to resize from Standard_Dx_v3 instance types to the Standard_Dxs_v5 instance types listed above. This resizing was not possible with previously-supported Standard_Dxs_v5 instance types. See here for more information about resizing VMs in Azure. |