What’s New in the Aviatrix Controller?

This page provides information about the latest Aviatrix features. See the Release Notes for more detailed release specific information.

7.2.4996

Release Date: 19 December 2024

Controller Version Tracks

Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.

The Controller generation 3 (g3) software images support the newer Linux OS.

  • Newer Linux OS is supported on Controller software versions with the g3 image:

    • 7.2.4996, 7.2.4820

    • 7.1.4191, 7.1.4183, 7.1.4139, 7.1.4105, or 7.1.3958

  • Older Linux OS is supported on Controller software versions:

    • 7.1.4101, 7.1.3956, and earlier

Security Notice

CVE-2024-50603 has been permanently patched.

Deprecation Notices

Controller UI Deprecation

The Aviatrix Controller UI will be deprecated in 2025. We recommend using CoPilot as your Aviatrix Management UI. Please contact your Account Representative for additional information.

“Keep Alive via Firewall LAN Interface” Option is Deprecated

The “Keep Alive via Firewall LAN Interface” option will be removed from the UI and enabled by default in a future Controller release. In preparation for that change, any newly launched FireNet resources will have “Keep Alive via Firewall LAN” (Keep Alive) enabled by default. You will not be able to disable the Keep Alive option. Existing FireNet resources should have “Keep Alive via Firewall LAN” set to enabled. Upgrades will be blocked if the Keep Alive option is disabled on any FireNet resources.

CloudN Not Supported

CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. You must migrate CloudN Gateways to Aviatrix Edge before upgrading to a release based on the newer Linux OS. For more information, contact your account team.

New and Enhanced Features in Release 7.2.4996

Security Group Orchestration Now GA

This feature is moved from Preview to General Availability (GA). For information about this feature, see Security Group Orchestration.

See Aviatrix Feature Modes for descriptions of Preview and GA features.

Support for OCI E5

Aviatrix now supports OCI E5 for gateway instances:

  • FLEX4.16 — E5 4 OCPU 8G RAM

  • FLEX8.32 — E5 8 OCPU 32G RAM

  • FLEX16.32 — E5 16 OCPU 32G RAM

New Cloud Regions Supported

The following CSP regions are now supported in General Availability in this release.

AWS

  • ca-west-1 (Canada—Calgary)

  • ap-southeast-4 (Melbourne)

  • eu-south-2 (Spain)

  • eu-central-2 (Zurich)

  • ap-south-2 (Hyderabad)

  • il-central-1 (Israel—Tel Aviv)

Azure

  • Mexico Central

  • Italy North

  • Poland Central

  • Spain Central

  • Israel Central

  • Central US EUAP

  • US East 2 EUAP

OCI

  • me-riyadh-1

  • us-chicago-1

  • eu-stockholm-1

  • eu-paris-1

  • eu-madrid-1

  • sa-valparaiso-1

  • sa-bogota-1

  • ap-singapore-2

  • mx-queretaro-1

  • mx-monterrey-1

Alibaba

  • acs-me-central-1 (Riyadh)

Edge Gateway BGP Next Hop and Neighbor IP

Route insertion into the gateway route table now validates against both the BGP next hop and the neighbor IP, so all BGP prefixes are learned even when the next hop IP and the BGP peer IP differ.

FireNet: Support for All New Instance Types

Aviatrix provides a comprehensive listing of newly released instance types across AWS, Azure, GCP, and OCI, so customers can use the latest compute options for their Spoke Gateways.

FireNet: Support for the Latest NGFW Versions on AWS, Azure, and GCP

Aviatrix FireNet now supports the latest NGFW versions, ensuring compatibility with updated releases from Palo Alto Networks, Fortinet, Check Point, and Cisco across AWS, Azure, and GCP.

MicroSeg: Security Group Orchestration on Azure (Preview to GA)

Security Group Orchestration has moved from Preview mode to General Availability for Microsoft Azure only. This feature automates the management and deployment of security group policies across multiple cloud environments, simplifying the process of defining, updating, and enforcing security rules for VNets, subnets, VMs, and subscriptions.

Security Group Orchestration remains a Preview feature for AWS.

See the documentation for an explanation of Aviatrix Feature Modes.

Microsoft’s SSE Solution with External Connection (S2C)

Aviatrix’s External Connections (S2C) is now integrated with Microsoft Entra’s cloud-based IAM service to enable Zero Trust security. This ensures network traffic from various sources is securely forwarded to Microsoft’s SSE Solution cloud proxy for authentication and access to cloud resources.

Preview Features in Release 7.2.4996

See the documentation for an explanation of Aviatrix Feature Modes.

Hostname SmartGroups for non-HTTP/HTTPS Traffic

This feature enables customers to configure Hostnames in SmartGroups as source and destination for Distributed Cloud Firewall (DCF) rules. This allows DNS-based IP resolution for managing non-HTTP/HTTPS traffic in East-West and Site-to-Cloud scenarios.

Kubernetes-based SmartGroups

Kubernetes (K8s) clusters with native IP addressing (no overlay, no SNAT) can now seamlessly integrate into SmartGroups. This simplifies managing egress traffic to internet, VPCs/VNets, or external services, with auto-discovery and onboarding across AWS and Azure.

Behavior Changes in Release 7.2.4996

Logging Terminology Consistency Improvement

Inconsistent use of "DROP" and "DENY" in traffic logs for blocked connections caused confusion when interpreting Layer 7 and Layer 4 traffic logs. "DROP" and "DENY" were used interchangeably to indicate blocked connections. All Logs are now updated to consistently use "DENY" for all blocked traffic.

7.2.4820

Release Date: 15 October 2024

What’s New updated 31 October 2024

See the Controller Release Notes for Corrected Issues and Known Issues in this release.

Controller Version Tracks

Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.

Controller versions that support the newer Linux OS have software image numbers that start with a "g3-" prefix.

  • Newer Linux OS is supported on Controller software versions with the g3 image:

    • 7.2.4820

    • 7.1.4183, 7.1.4139, 7.1.4105, or 7.1.3958

  • Older Linux OS is supported on Controller software versions:

    • 7.1.4101, 7.1.3956, and earlier

Deprecation Notices

Controller UI Deprecation

The Aviatrix Controller UI will be deprecated in 2025. We recommend using CoPilot as your Aviatrix Management UI. Please contact your Account Representative for additional information.

“Keep Alive via Firewall LAN Interface” Option is Deprecated

The “Keep Alive via Firewall LAN Interface” option will be removed from the UI and enabled by default in a future Controller release. In preparation for that change, any newly launched FireNet resources will have “Keep Alive via Firewall LAN” (Keep Alive) enabled by default. You will not be able to disable the Keep Alive option. Existing FireNet resources should have “Keep Alive via Firewall LAN” set to enabled. Upgrades will be blocked if the Keep Alive option is disabled on any FireNet resources.

CloudN Not Supported

CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. You must migrate CloudN Gateways to Aviatrix Edge before upgrading to a release based on the newer Linux OS. For more information, contact your account team.

New and Enhanced Features in Release 7.2.4820

Improved Troubleshooting for Network Connectivity Issues

New notifications have been added to help identify potential causes of connection problems. The following notifications will appear in the user interface when configuring or managing gateways:

  • Alert when a Gateway configuration is out-of-date

  • Warning when Geoblocking is enabled on a Gateway

This update helps you quickly pinpoint whether Geoblocking rules or stale configurations are preventing connections from establishing. It removes the need to check logs or configuration status manually when troubleshooting unexpected connectivity issues, and is particularly useful for diagnosing problems with BGP (Border Gateway Protocol) connections.

This update does not affect HPE or Public Subnet Filter Gateway functionality.

Intra-VPC AWS Diagnostic Tool Added

Added new functionality to track Aviatrix security policy enforcement in AWS VPCs. This improves visibility and troubleshooting for AWS intra-VPC security policy enforcement and allows administrators to easily verify applied security rules.

Edge Transit Gateways

This release provides a major new capability for Aviatrix Edge Gateways. Edge Transit Gateways have been added to provide a secure, high-performance networking solution designed to simplify and accelerate hybrid and multi-cloud connectivity. Edge Transit Gateways enable seamless routing and end-to-end encryption across various cloud providers and on-premises environments, while providing centralized management and operational visibility. This feature is available at Cloud Fabric > Hybrid Cloud > Edge Gateways.

Edge Transit Gateways is a GA Feature for Aviatrix Edge Platform (AEP) and is a Preview Feature for Equinix Network Edge and Megaport Virtual Edge (MVE) in this Controller release.

Proxy Management for Aviatrix Edge Platform

Customers deploying Edge on physical appliances such as Dell and HPE hardware can now configure explicit and transparent proxies for outbound Edge OS management connectivity. Enterprises can use the proxies already in their environment, and Edge OS can call home through the configured proxy server.

You can configure proxy profiles for Edge Platform network connections from Cloud Fabric > Edge > Devices. You can create multiple proxy profiles to route traffic based on organizational requirements.

DCF Support for Disconnected VPCs/VNets with Overlapping IPs in Azure

Customers can now leverage Distributed Cloud Firewall (DCF) for Egress security in Azure across multiple disconnected VPCs with the same IP ranges.

When using SmartGroups VM, VPC, or Subnet-type selectors, Aviatrix now intelligently programs policies for the appropriate VPCs even if the CIDRs are the same. CIDR-based SmartGroups are still programmed on all VPCs/VNets that match the CIDR. Logging will show the gateways that are enforcing the policies along with the appropriate rule UUIDs. This feature is already supported in AWS in previous releases.

Enhanced Distributed Cloud Firewall (DCF) Scale

Distributed Cloud Firewall (DCF) now supports up to 5,000 rules and a larger number of Groups.

Key Highlights:

  • Support for 5,000 DCF rules

  • 1,200 Groups (ThreatGroups and SmartGroups)

  • 200 System GeoGroups

  • 300,000 matched CIDRs

Dynamic Security Updates on Aviatrix

This Distributed Cloud Firewall (DCF) feature enhances how GeoGroups and ThreatGroups are automatically updated with the latest security intelligence.

Key Features:

  • MaxMind Integration: GeoGroups are updated regularly with the latest geographical data from MaxMind.

  • EmergingThreats Integration: ThreatGroups are continuously refreshed with Suricata Rules and threat intelligence from EmergingThreats.

  • Automated Resource Updates:

    • Controller Sync: The Aviatrix Controller checks for updates every hour. If new data is detected (via hash changes), it pulls and stores updated resources automatically.

    • Gateway Sync: Gateways check for updates from the Controller every hour. If changes are found, the Gateway downloads and applies the new resources seamlessly.

    • Continuous Protection: Missing or modified resources are automatically downloaded and updated, ensuring policies are always based on the latest security intelligence without manual intervention.
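The hash-driven sync described above, as an added example that is not Aviatrix code: a Controller-side manifest of resource digests, the hourly "did anything change" comparison, and the Gateway-side step that re-fetches missing or modified resources and installs only what hashes to the manifest value. The resource names, their contents and the fetch function are constructed stand-ins.

```python
"""Manifest-based resource sync: detect changes by hash, re-fetch stale or
missing resources, and refuse to install anything whose hash does not match.
Added example, not Aviatrix code; all resource data below is constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(resources: dict) -> dict:
    """Controller side: resource name -> sha256 of the current resource bytes."""
    return {name: sha256_hex(blob) for name, blob in resources.items()}


def manifest_changed(stored: dict, fresh: dict) -> bool:
    """Controller-side hourly check: any added, removed or re-hashed entry means new data."""
    return stored != fresh


def stale_resources(manifest: dict, local_store: dict) -> list:
    """Gateway side: names that are missing locally or whose local bytes no longer
    hash to the manifest value (modified on disk, truncated download, tampering)."""
    return [name for name, digest in manifest.items()
            if name not in local_store or sha256_hex(local_store[name]) != digest]


def sync_resources(manifest: dict, local_store: dict, fetch) -> tuple:
    """Fetch each stale resource and install it only if its hash matches the manifest.
    Returns (applied_names, rejected_names)."""
    applied, rejected = [], []
    for name in stale_resources(manifest, local_store):
        blob = fetch(name)
        if sha256_hex(blob) != manifest[name]:
            rejected.append(name)  # never install bytes the manifest does not vouch for
            continue
        local_store[name] = blob
        applied.append(name)
    return applied, rejected


# Constructed sample: what the Controller currently holds (not real feed data).
CONTROLLER_RESOURCES = {
    "geo/geogroups.db": b"CA:203.0.113.0/24\nDE:198.51.100.0/24\n",
    "threat/threatgroups.rules":
        b'alert ip 192.0.2.0/24 any -> $HOME_NET any (msg:"constructed sample"; sid:1;)\n',
}


def run_sample() -> tuple:
    """Gateway with a stale geo DB and no rules file syncs from the Controller."""
    manifest = build_manifest(CONTROLLER_RESOURCES)
    local = {"geo/geogroups.db": b"CA:203.0.113.0/24\n"}  # outdated copy
    applied, rejected = sync_resources(manifest, local, CONTROLLER_RESOURCES.__getitem__)
    return applied, rejected, stale_resources(manifest, local)


if __name__ == "__main__":
    print(run_sample())
```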

GCP Underlay Support on Edge

This release adds the option of terminating a Google Cloud Interconnect connection on Edge Gateways and setting up BGP to a Google Cloud Router.

NetFlow Sampling Rate

An option has been added to the NetFlow Agent that allows you to set the NetFlow sampling rate. Adjusting the sampling rate can reduce storage requirements and, in some cases, could provide a more accurate representation of NetFlow.

FlowIQ, CostIQ, and Anomaly Detection each factor in the sampling rate. If you are currently using ThreatIQ or Geoblocking, the sampling rate cannot be set to less than 100%.

For more information, see Configuring the Aviatrix NetFlow Agent.

FireNet and Next-Generation Firewall (NGFW) in China

This release enables you to securely expand your cloud footprint into China, using Palo Alto Firewalls in Azure China for advanced traffic filtering and security.

Key Highlights:

  • FireNet with NGFW Integration with Palo Alto Firewalls.

  • Regulatory compliance with local Chinese regulations.

  • Global expansion into China using localized versions of AWS, Azure, and Alibaba Cloud.

Session-Based Distributed Cloud Firewall Logging

This enhancement introduces Session-Based Logging for Aviatrix Distributed Cloud Firewall (DCF), replacing traditional per-packet logging for improved performance and insight.

Preview Features in Release 7.2.4820

See the documentation for an explanation of Aviatrix Feature Modes.

Edge Transit Gateways for Equinix and Megaport

Transit Edge is a Preview Feature for Equinix NE and Megaport MVE in this Controller release.

Global GCP Spoke Support for FireNet Egress

This Preview Feature enables secure and streamlined egress traffic management in Google Cloud Platform (GCP) deployments.

Key Features:

  • Global Spoke Support: Extend FireNet functionality to GCP spokes, allowing you to manage outbound egress traffic securely and efficiently across your global GCP network.

  • Centralized Traffic Filtering: Integrate with the Aviatrix FireNet architecture, centralizing security policies and egress filtering for spokes, reducing complexity, and improving visibility into egress traffic.

For more information, see Enabling and Disabling GCP Global VPC.

ThreatGroups and GeoGroups for Enhanced Security

This release introduces two powerful new Preview Features, ThreatGroups and GeoGroups, designed to strengthen your security posture through dynamic content filtering and real-time threat intelligence.

  • ThreatGroups: Leverage external dynamic content filtering to create advanced threat prevention policies based on real-time intelligence. This allows for more precise and adaptable security measures, enhancing your overall defense against emerging threats.

  • GeoGroups: Implement geolocation-based policies to block or allow traffic from specific regions, enabling more granular control over your network security.

These new features seamlessly integrate with ThreatIQ, providing you with enhanced flexibility and control to safeguard your infrastructure from location-based and evolving threats.

See the About Groups documentation.

Distributed Cloud Firewall Rule Enforcement on External Connections

This Preview Feature significantly enhances security and traffic management capabilities for hybrid cloud deployments.

Key Highlights:

  • Enforcement of Distributed Cloud Firewall (DCF) policies on Site2Cloud interfaces.

  • Specific Use Cases: Designed specifically for Partner Landing Zones, Backbone Use Cases, and CloudWAN/AVA scenarios.

  • DCF rules can be pushed to both Spoke and Transit Gateways.

Distributed Cloud Firewall (DCF) Policy Push to Public Subnet Filtering (PSF) Gateways

This release enables organizations to enhance security for their public-facing workloads by leveraging advanced traffic filtering and security features. This is a Preview Feature.

Key Highlights:

  • DCF with PSF Gateway Integration: Apply advanced security policies to secure inbound and outbound traffic in public subnets.

  • Dynamic Policy Enforcement: Utilize GeoGroups, ThreatGroups, WebGroups and SmartGroups to dynamically filter traffic based on geographic locations, known threats, and custom groupings.

Support for Additional Cloud Regions

The following CSP regions are supported as a Preview Feature in this release.

AWS

  • ca-west-1 (Canada—Calgary)

  • ap-southeast-4 (Melbourne)

  • eu-south-2 (Spain)

  • eu-central-2 (Zurich)

  • ap-south-2 (Hyderabad)

  • il-central-1 (Israel—Tel Aviv)

Azure

  • Mexico Central

  • Italy North

  • Poland Central

  • Spain Central

  • Israel Central

OCI

  • me-riyadh-1

  • us-chicago-1

  • eu-stockholm-1

  • eu-paris-1

  • eu-madrid-1

  • sa-valparaiso-1

  • sa-bogota-1

  • ap-singapore-2

  • mx-queretaro-1

  • mx-monterrey-1

Alibaba

  • acs-me-central-1 (Riyadh)

Behavior Changes in Release 7.2.4820

Limit Check for ECMP

A limit check has been added for equal-cost multi-path (ECMP) Tunnels. A maximum number of tunnels can be created between certain gateway types:

  • For older versions of Linux OS gateways: 123 tunnels

  • For newer versions of Linux OS gateways: 466 tunnels

See Controller Version Tracks for specific version numbers.

You can address this issue by doing any of the following:

  • Reduce tunnel count to stay under the limit.

  • Use larger gateway sizes supporting more tunnels.

  • Distribute connections across multiple gateways.
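A pre-change check for the limit described above, as an added example that is not Aviatrix code: it maps each gateway's Controller software version to its OS track using the version lists on this page, counts tunnels per gateway, and for any gateway over its ceiling reports how many gateways the load would need to be spread across. The gateway inventory is constructed.

```python
"""ECMP tunnel limit pre-check by Controller version track.
Added example, not Aviatrix code. Version lists and the 123/466 limits come
from this page; the inventory in sample_inventory() is constructed."""
from collections import Counter
from math import ceil

# Versions this page lists as using the g3 (newer Linux OS) image.
G3_VERSIONS = frozenset({"7.2.4996", "7.2.4820", "7.1.4191", "7.1.4183",
                         "7.1.4139", "7.1.4105", "7.1.3958"})
# "7.1.4101, 7.1.3956, and earlier" run the older Linux OS.
LAST_OLD_OS_VERSION = (7, 1, 4101)
OLD_OS_MAX_TUNNELS = 123
NEW_OS_MAX_TUNNELS = 466


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def max_tunnels(version: str) -> int:
    """ECMP tunnel ceiling for a gateway on the given Controller software version."""
    if version in G3_VERSIONS:
        return NEW_OS_MAX_TUNNELS
    if version_tuple(version) <= LAST_OLD_OS_VERSION:
        return OLD_OS_MAX_TUNNELS
    # Anything else is not on this page's version lists; refuse to guess.
    raise ValueError(f"version track for {version} is not listed")


def tunnels_per_gateway(tunnels) -> Counter:
    """tunnels: iterable of (endpoint_a, endpoint_b) pairs; both ends are counted."""
    counts = Counter()
    for a, b in tunnels:
        counts[a] += 1
        counts[b] += 1
    return counts


def check_ecmp_limits(gateways: dict, tunnels) -> dict:
    """gateways: {name: version}. Returns {name: (count, limit, gateways_needed)}
    for every gateway whose tunnel count exceeds its limit."""
    counts = tunnels_per_gateway(tunnels)
    over = {}
    for name, version in gateways.items():
        limit = max_tunnels(version)
        if counts[name] > limit:
            over[name] = (counts[name], limit, ceil(counts[name] / limit))
    return over


def sample_inventory() -> tuple:
    """Constructed: one old-OS transit with 124 tunnels, one g3 transit with 200."""
    gateways = {"transit-old": "7.1.4101", "transit-g3": "7.2.4996"}
    tunnels = [("transit-old", f"site-{i}") for i in range(124)]
    tunnels += [("transit-g3", f"site-{i}") for i in range(200)]
    return gateways, tunnels


if __name__ == "__main__":
    gws, tuns = sample_inventory()
    print(check_ecmp_limits(gws, tuns))
```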

Keep Alive via Firewall LAN Interface Is Removed

As of 7.2.4820, the Keep Alive via Firewall LAN Interface option has been removed from the Controller UI. This action is now enabled by default and performed automatically.

Spaces Now Allowed in Object Names

You can now include spaces when naming rules, rulesets, SmartGroups, and WebGroups. Previously, names were restricted to alphanumeric characters, hyphens, and underscores. The maximum name length remains 128 characters and names must still be unique within your account.

Distributed Cloud Firewall Rule Changes

  • Previously, when the "Ensure TLS" setting on a Distributed Cloud Firewall (DCF) rule was enabled, non-encrypted HTTP traffic was incorrectly passed to the next rule instead of being dropped, even when all other rule criteria matched. The issue specifically affected HTTP traffic on port 80.

    With this release, rules with Ensure TLS enabled correctly match TLS traffic and drop non-encrypted HTTP traffic.

    If you want to verify that the Ensure TLS feature is performing as you expect, you can do the following:

    • Disable the Ensure TLS option on the DCF rule.

    • Wait a while and then check the traffic logs to see if non-TLS traffic matches the rule.

    • Re-enable Ensure TLS or configure a new DCF rule, as needed.

  • DCF rules were not properly applied to non-encrypted, non-web traffic (non-TLS and non-HTTP traffic) when processed by High Performance Encryption (HPE) enabled gateways.

    This issue was fixed so that all traffic types are correctly identified and rules are enforced regardless of rule order.
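The Ensure TLS change above, as an added example that is not Aviatrix code: a simplified rule evaluator showing the old fall-through (plain HTTP on port 80 skips the Ensure TLS rule and lands on a later permit) beside the corrected behaviour (the matched rule denies it). The policy, flows and TLS detection are constructed stand-ins for the real DCF engine.

```python
"""Ensure TLS: pre-7.2.4820 fall-through beside the corrected deny.
Added example, not Aviatrix code; rules, flows and the TLS check are simplified."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TLS_HANDSHAKE = 0x16  # TLS record content type: handshake (ClientHello on a new flow)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the gateway sees on the flow


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: tuple             # tuple of ipaddress networks
    dst_group: tuple
    dports: Optional[frozenset]  # None means any port
    action: str                  # "PERMIT" or "DENY"
    ensure_tls: bool = False


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: type 0x16, major version 0x03, minor 0x00..0x04."""
    return (len(payload) >= 3 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[2] <= 0x04)


def in_group(addr: str, group: tuple) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def l4_match(rule: Rule, flow: Flow) -> bool:
    return (in_group(flow.src, rule.src_group) and in_group(flow.dst, rule.dst_group)
            and (rule.dports is None or flow.dport in rule.dports))


def evaluate_legacy(rules, flow: Flow, default="DENY") -> tuple:
    """Old behaviour: Ensure TLS acted as an extra match condition, so a non-TLS
    flow that matched every other criterion was handed to the next rule."""
    for rule in rules:
        if not l4_match(rule, flow):
            continue
        if rule.ensure_tls and not looks_like_tls(flow.payload):
            continue  # BUG: plain HTTP falls through instead of being denied
        return rule.name, rule.action
    return "default", default


def evaluate_fixed(rules, flow: Flow, default="DENY") -> tuple:
    """7.2.4820 behaviour: the first rule whose L4 criteria match decides, and with
    Ensure TLS set it denies any non-TLS payload rather than passing it on."""
    for rule in rules:
        if not l4_match(rule, flow):
            continue
        if rule.ensure_tls and not looks_like_tls(flow.payload):
            return rule.name, "DENY"
        return rule.name, rule.action
    return "default", default


# Constructed sample policy: a TLS-only web permit followed by a broad permit.
APP = (ipaddress.ip_network("10.1.0.0/24"),)
WEB = (ipaddress.ip_network("10.2.0.10/32"),)
RULES = [
    Rule("web-permit", APP, WEB, frozenset({80, 443}), "PERMIT", ensure_tls=True),
    Rule("catch-all", APP, WEB, None, "PERMIT"),
]
HTTP_FLOW = Flow("10.1.0.7", "10.2.0.10", 80, b"GET / HTTP/1.1\r\nHost: app\r\n\r\n")
TLS_FLOW = Flow("10.1.0.7", "10.2.0.10", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xF4]))

if __name__ == "__main__":
    print("legacy:", evaluate_legacy(RULES, HTTP_FLOW))
    print("fixed: ", evaluate_fixed(RULES, HTTP_FLOW))
```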

Logging Terminology Consistency

Inconsistent use of "DROP" and "DENY" in traffic logs for blocked connections caused confusion when interpreting Layer 7 and Layer 4 traffic logs. "DROP" and "DENY" were used interchangeably to indicate blocked connections. With this release, all Logs will be updated to consistently use "DENY" for all blocked traffic.

7.1.4105

Release Date: 18 July 2024

What’s New updated 16 September 2024

Important Notices in Aviatrix 7.1.4105

Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.

  • An older Linux OS is supported with Controller 7.1.3956 and 7.1.4101.

  • A newer Linux OS is supported with Controller 7.1.3958 and 7.1.4105.

This 7.1.4105 release version is available as an upgrade option only if you have already upgraded to the following:

  • 7.1.3956 or 7.1.4101

  • 7.1.3958 (latest Linux OS)

Starting with 7.1.3958, the Aviatrix base image uses a newer industry standard Linux operating system. See the Upgrading Aviatrix documentation for more information.

Do Not Apply Existing Patches to Newly Upgraded Controllers

The new Controller and Gateway images shipped with the 7.1.3958 release include all previously released software patches. Therefore, you do not need to reapply the old software patches to Controllers and Gateways updated to this release. If any new software patches are released in the future, and if they apply to the new Controller and Gateway images, the documentation associated with that release will clearly identify the patches and provide instructions.

CloudN Not Supported in 7.1.4105

CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. If you have CloudN gateways attached to your Controller and you want to upgrade to release 7.1.4105, you must migrate to Aviatrix Edge. For more information, contact your account team.

Upgrade on Aviatrix Edge Platform

On the Aviatrix Edge Platform, after you have upgraded the image to the latest Aviatrix base image in 7.1.3958, you cannot roll back to the previous image.

Migrate Egress FQDN Filtering to Distributed Cloud Firewall

As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.

Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.

New Features in Release 7.1.4105

Issue Description

AVX-53690

Enable Azure Migration in CoPilot

The Controller auto-migration feature using CoPilot is now available for Controllers on Azure. For information, see Upgrade your Controller and Gateways to the Latest Aviatrix Supported Images.

You can use the auto-migration feature to migrate from 7.1.4101 to 7.1.4105 or later releases.

Azure China is not currently supported for migration to 7.1.3958 or later releases.

AVX-51224

Added support to deploy Azure V5 instances of Firewalls in Aviatrix FireNet.

7.1.4101

Release Date: 22 July 2024

What’s New updated 16 September 2024

Important Notices in Aviatrix Release 7.1.4101

Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.

  • An older Linux OS is supported with Controller 7.1.3956 and 7.1.4101.

  • A newer Linux OS is supported with Controller 7.1.3958 and 7.1.4105.

CloudN Support Ending

Controller version 7.1.4101 (older Linux OS) is the last version that supports CloudN. CloudN is being replaced with Aviatrix Edge. For more information, contact your account team.

Upgrades to Future Releases

If your Controller is running release 7.1.4101 or earlier, you will not be able to upgrade directly to 7.2 or later releases, when they become available. You will need to upgrade to release 7.1.4105 or a later 7.1 release before proceeding to any 7.2 releases.

Migrate Egress FQDN Filtering to Distributed Cloud Firewall

As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.

Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.

Enhanced Features in Release 7.1.4101

Issue Description

AVX-54105

Enable Azure Migration in CoPilot

The Controller auto-migration feature using CoPilot is now available for Controllers on Azure. For information, see Upgrade your Controller and Gateways to the Latest Aviatrix Supported Images.

You can use the auto-migration feature to migrate from 7.1.4101 to 7.1.4105 or later releases.

Azure China is not currently supported for migration to 7.1.3958 or later releases.

7.1.3958

Release Date: 06 June 2024

What’s New updated 16 September 2024

Important Notices in Aviatrix 7.1.3958

Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.

  • An older Linux OS is supported with Controller 7.1.3956.

  • A newer Linux OS is supported with Controller 7.1.3958.

This release updates the Aviatrix base image to use a newer industry standard Linux operating system. See the Upgrading Aviatrix documentation for more information.

This release version is available as an upgrade option only if you have already upgraded to 7.1.3956.

Do Not Apply Existing Patches to Newly Upgraded Controllers

The new Controller and Gateway images shipped with the 7.1.3958 release include all previously released software patches. Therefore, you do not need to reapply the old software patches to Controllers and Gateways updated to this release. If any new software patches are released in the future, and if they apply to the new Controller and Gateway images, the documentation associated with that release will clearly identify the patches and provide instructions.

CloudN Not Supported on 7.1.3958

CloudN is not supported with any Aviatrix Controller releases that are based on the newer Linux OS. CloudN has been replaced with Aviatrix Edge. If you have CloudN gateways attached to your Controller and you want to upgrade to release 7.1.3958, you must migrate to Aviatrix Edge. For more information, contact your account team.

Upgrade on Aviatrix Edge Platform

On the Aviatrix Edge Platform, after you have upgraded the image to the latest Aviatrix base image, you cannot roll back to the previous image.

Migrate Egress FQDN Filtering to Distributed Cloud Firewall

As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.

Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.

Enhanced Features in Release 7.1.3958

Issue Description

AVX-37409

IP routing services for Border Gateway Protocol (BGP) have been upgraded and improved. This does not impact user functionality and does not require any changes to your environment.

AVX-44963

Support for GCP gateways has been improved, so launching gateways for multiple GCP accounts can happen in parallel. The time it takes to launch GCP gateways for the first time in an account has also been optimized.

7.1.3956

Release Date: 28 May 2024

What’s New updated 16 September 2024

Enhanced Features in Release 7.1.3956

This release introduces a new GUI-based Controller image upgrade experience when used with CoPilot.

Important Upgrade Notices in Aviatrix Release 7.1.3956

Aviatrix Controller releases have two versioning tracks, depending on the Linux OS version supported.

  • An older Linux OS is supported with Controller 7.1.3956.

  • A newer Linux OS is supported with Controller 7.1.3958.

Upgrades to Future Releases

If your Controller is running release 7.1.3956 or earlier, you will not be able to upgrade directly to 7.2 or later releases, when they become available. You will need to upgrade to release 7.1.3958 or a later 7.1 release before proceeding to any 7.2 releases.

CloudN Support Ending

Controller version 7.1.4101 (older Linux OS) will be the last version that supports CloudN. CloudN is being replaced with Aviatrix Edge. For more information, contact your account team.

Migrate Egress FQDN Filtering to Distributed Cloud Firewall

As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.

Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.

7.1.3006

Release Date: 10 Jan 2024

Enhanced Features in Release 7.1.3006

Issue Description

AVX-37725

(Azure) During subnet inspection, added the ability to inspect secondary/extra CIDRs in a VNet. When you use this enhancement, subnet inspection extends to cover all CIDR ranges associated with a VNet.

AVX-38333

Added support for High Availability (HA) and horizontal scaling for Aviatrix Edge Gateways. You can now:

  • Deploy more than 2 Edge Gateways with a primary and an HA gateway, or

  • Use ECMP in a gateway group, including ECMP across more than 2 Edge Gateways in a location or site.

High-Performance Encryption (HPE) is required.

AVX-38335

Aviatrix Secure Edge now supports the Dell R450 hardware for the Aviatrix Edge Platform. For more information, see the following documents:

AVX-41388

Improved Controller resilience and scalability with the metrics database. Added support for two new metrics: conntrack allowance available and conntrack usage rate. These metrics are available on Controller software version 7.0.1307 and above.

AVX-43958

  • Added the ability to select multiple Access Accounts at once and audit them simultaneously.

  • Added Last Audit Timestamp column on the Access Accounts page and Account Audit page.

AVX-44146

(AWS) You can now create c6in instance gateways for all AWS regions.

AVX-44831

Aviatrix Secure Edge BGP over LAN Connection Enhancement

This feature enhancement allows Aviatrix Secure Edge Gateways in a cluster to establish a BGP over LAN connection to the same BGP neighbor. Previously, Edge Gateways in a cluster could only establish one-to-one peerings for BGP over LAN connections with their BGP neighbors.

AVX-45898

(Azure) The Qatar Central region has been included in the supported regions for Azure Gateways and VPCs.

AVX-45899

(Azure) Added support for Azure China East 3 region.

AVX-46659

For Equinix Edge Gateways, you can now set up BGP configuration for each HA (High Availability) Gateway as well as for the primary gateway. Previously, you could only set up BGP for the primary Equinix Edge Gateway.

AVX-48416

(Azure) The Aviatrix platform now supports new instance sizes for Azure FireNet Check Point Firewall deployment:

  • D2ds_v5

  • D4ds_v5

  • D8ds_v5

AVX-49589

Domain type WebGroups for Distributed Cloud Firewall are now GA. WebGroups are now the preferred mechanism for implementing Egress firewalling. For more information about WebGroups and Distributed Cloud Firewall, see About WebGroups.

7.1.1710

Release Date: 11 May 2023

Important Notices in Aviatrix Release 7.1.1710

Disable Deprecated Controller-Logging Configurations

If you have logging configurations enabled in the Controller for the following external log servers, note that the out-of-the-box logging services for these servers were deprecated in previous Controller releases and are removed in Controller 7.1.1710:

  • Elastic Filebeat

  • Splunk Enterprise/Cloud

  • Sumo Logic

You cannot upgrade to Controller 7.1.1710 until you have disabled these deprecated logging configurations.

To disable the deprecated logging configurations:

  • Depending on your environment, you may want to enable your log forwarding under rsyslog and verify the functionality is working before disabling the deprecated logging configurations. For information about using rsyslog as the logging mechanism to forward Aviatrix platform logs to your external log server, see Aviatrix Controller Logging.

  • Disable the deprecated logging configurations for Elastic Filebeat/Splunk Enterprise or Cloud/Sumo Logic, as applicable, in the Controller > Settings > Logging page. Locate the applicable external log server’s respective option and switch its toggle from Enabled to Disabled.

Migrate Egress FQDN Filtering to Distributed Cloud Firewall

As of Controller 7.1.1710, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.

Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.

Preview Features in Aviatrix Release 7.1.1710

Intrusion Detection and TLS Decryption

When creating a Distributed Firewalling rule, you can enable Intrusion Detection and TLS Decryption.

If Intrusion Detection is enabled, traffic is inspected for threats.

If Intrusion Detection and TLS Decryption are both enabled, the decrypted data is examined for intrusions.

For more information, click here.

New Features in Aviatrix Release 7.1.1710

AVX-35849 - (Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot. Previously, you could only create these interfaces while launching an Azure Transit Gateway.

In the Controller, this feature applies to individual gateways. Make sure to set up the same number of BGP over LAN interfaces for each gateway in the group.

In CoPilot, this feature applies to a primary gateway and its HA (High Availability) instances.

  • When you add a BGP over LAN interface, Azure Gateway instances will stop during configuration.

  • You cannot delete BGP over LAN interfaces.

AVX-36272 - (Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot without re-deploying your Transit Gateways. Previously, you could only create these interfaces while launching an Azure Transit Gateway, so adding one later meant re-deploying the gateway and causing downtime in your data plane.

In the Controller, this feature applies to individual gateways. Make sure to set up the same number of BGP over LAN interfaces for each gateway in the group.

In CoPilot, this feature applies to each gateway group, or a primary gateway and its HA (High Availability) instances.

  • When you add a BGP over LAN interface, Azure Gateway instances will stop during configuration. If you use HA (High Availability), then the instances will stop one at a time to minimize impact.

  • You cannot delete BGP over LAN interfaces.

Feature Support in Aviatrix CoPilot for Controller 7.1.1710

The following features are available in Aviatrix CoPilot 3.10.0 when upgrading to Aviatrix Controller 7.1.1710:

Aviatrix Secure Edge for On-Premises and Aviatrix Edge Platform

This release adds support for deploying the Aviatrix Secure Edge Gateway as a turnkey solution on an Aviatrix-supplied appliance, with appliance onboarding and orchestration driven from the cloud. The Edge gateway is deployed through a zero-touch provisioning model, giving a single management and configuration model from cloud to edge. This functionality requires Controller software version 7.1.1710 or later. For more information about Aviatrix Secure Edge, see here.

VLAN, VRRP Support on Aviatrix Secure Edge

Aviatrix Edge Gateway can now terminate VLANs, with VRRP support, so that a device running the Aviatrix Edge platform can act as the LAN-side router at the site. This functionality requires Controller software version 7.1.1710 or later.

VLAN at Edge to CSP VPC/VNET Segmentation Support

Aviatrix Secure Edge at a customer on-premises location can act as a LAN-side gateway with VLANs. This enables a cloud-to-Edge segmentation model in which segmentation domains and their policies define isolation between CSP VPCs/VNets and on-premises networks, and vice versa. This functionality requires Controller software version 7.1.1710 or later.

Aviatrix Secure Edge in Equinix - BGP Underlay Support

Aviatrix Secure Edge on the Equinix Network Edge platform now supports setting up private virtual connections from Aviatrix Secure Edge to CSPs such as AWS, Azure, GCP, and OCI, and peering with the CSP private connections (for example, Direct Connect, ExpressRoute, Interconnect) over BGP. This functionality requires Controller release 7.1.1710 or later.

L4 Firewall Support on Aviatrix Secure Edge

Aviatrix Secure Edge now supports L4 firewall capabilities: policies combine CIDRs or IP addresses with ports and protocols for granular traffic control.

Edge GW A/A and A/S Support

Edge in Equinix supports only a single Gateway per site in this release.

Edge on ESXi/KVM is untested in Controller version 7.1.1710. For self-managed Edge on ESXi/KVM environments, use Controller version 6.8, 6.9, or 7.1.

Controller release 7.1.1710 supports two active/active Gateways when deployed on-premises.

Distributed Firewalling with WebGroups

You can now use WebGroups when defining distributed firewalling rules on the CoPilot > Security > Distributed Firewalling page. A WebGroup collects domains and URLs into a group that a DFW rule can use as a matching condition for the rule’s action.

This functionality requires Controller software version 7.1.1710 or later.

Enhancements to Intra VPC/VNet Distributed Firewalling

If you have Controller version 7.1.1710 or later, you can perform Security Group orchestration for VPC/VNets that have Intra VPC/VNet enabled. See the CoPilot > Security > Distributed Firewalling > Settings tab.

You can view the Intra VPC/VNet configuration in the Topology map and see how many VPC/VNets have Intra VPC/VNet enabled.

For more information about CoPilot Features, see What’s New in CoPilot.

Enhanced Features in Aviatrix Release 7.1.1710

Issue Description

AVX-10154

(Azure) If you have deployed Aviatrix gateways in Azure that use a companion gateway version of “aviatrix-companion-gateway-v8” or earlier, upgrade to software release 6.7.1185 or newer before performing an image upgrade of these gateways. No immediate action is required. Do not perform any out-of-band or manual activity related to Azure unmanaged disks, which will be retired in 2025.

AVX-18598

(AWS) New AWS firewalls now get the following rules in their management interface security groups. These rules restrict management-plane access to the Controller.

Palo Alto firewalls have a dedicated management interface. Its security group has these rules:

  • allow TCP 443 from the Controller’s public or private IP

  • allow TCP 3978 from the Controller’s public or private IP, created with the description “Panorama access, please replace it with correct IP”; replace the source with your Panorama IP

  • allow ICMP from the Controller IP

Fortinet firewalls use the egress interface as the management interface. Its security group has:

  • allow-all (the existing rule for egress)

  • allow TCP 443 from the Controller’s public or private IP

Check Point firewalls use the egress interface as the management interface. Its security group has:

  • allow-all (the existing rule for egress)

  • allow TCP 443 from the Controller’s public or private IP

  • allow TCP 22 (SSH) from the Controller’s public or private IP
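As an added example (not Aviatrix code), the following Python encodes the three management rule sets above and audits a security group’s ingress entries, given in the shape of AWS EC2 IpPermissions, for management ports that are reachable from more than a single host. The sample security group is constructed for the example and shows the placeholder TCP 3978 rule left open to 0.0.0.0/0; the vendor keys, function names and IP addresses are assumptions, not Controller identifiers.

```python
import ipaddress

# Ports that reach the firewall's management plane in the rule sets above;
# 3978 is Panorama's device-management port.
MGMT_PORTS = {22, 443, 3978}


def expected_mgmt_rules(vendor, controller_ip, panorama_ip=None):
    """Expected ingress rules for a new AWS firewall's management SG.

    Returns (protocol, from_port, to_port, cidr) tuples. controller_ip is the
    Controller's public or private IP; panorama_ip is the address the operator
    substitutes for the placeholder TCP 3978 rule (Palo Alto only). The vendor
    keys are assumptions for this example.
    """
    ctrl = f"{ipaddress.ip_address(controller_ip)}/32"
    https = ("tcp", 443, 443, ctrl)
    if vendor == "paloalto":
        pan = f"{ipaddress.ip_address(panorama_ip or controller_ip)}/32"
        return [https, ("tcp", 3978, 3978, pan), ("icmp", -1, -1, ctrl)]
    if vendor == "fortinet":
        return [https]
    if vendor == "checkpoint":
        return [https, ("tcp", 22, 22, ctrl)]
    raise ValueError(f"unsupported vendor: {vendor!r}")


def audit_mgmt_sg(ip_permissions):
    """Return findings for management-port ingress wider than a single host.

    ip_permissions mirrors the AWS EC2 IpPermissions shape:
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.5/32", "Description": "..."}]}
    The allow-all rule on Fortinet/Check Point egress interfaces is not a
    management rule and is deliberately not reported here.
    Each finding is (protocol, [ports hit], cidr).
    """
    findings = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if proto == "tcp":
            hits = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
        elif proto == "icmp":
            hits = ["icmp"]
        else:
            hits = []
        if not hits:
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.num_addresses > 1:
                findings.append((proto, hits, str(net)))
    return findings


# Constructed sample: a Palo Alto management SG where the placeholder Panorama
# rule was "fixed" by opening it to the world instead of to Panorama's address.
SAMPLE_PALO_SG = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.20.0.5/32", "Description": "Controller"}]},
    {"IpProtocol": "tcp", "FromPort": 3978, "ToPort": 3978,
     "IpRanges": [{"CidrIp": "0.0.0.0/0",
                   "Description": "Panorama access, please replace it with correct IP"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.20.0.5/32"}]},
]

if __name__ == "__main__":
    for finding in audit_mgmt_sg(SAMPLE_PALO_SG):
        print("FINDING:", finding)
```

The audit reports only management ports (22, 443, 3978) and ICMP, so the page’s allow-all rule on the Fortinet and Check Point egress interface does not show up as a finding; compare the expected rule set from expected_mgmt_rules against the live group to catch rules that are missing rather than too wide.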

AVX-20069

The number of HPE (High Performance Encryption) tunnels between connections now automatically adjusts according to the new instance size. Previously, if the gateway already had an HPE connection, you had to manually detach the connection in order to resize. This improvement helps your network to scale more easily and effectively.

AVX-20859

CoPilot can now save the CoPilot user configuration as a backup file on the Controller and download it. Administrators can use this backup to restore a previous configuration, including when deploying a new CoPilot from the Controller.

For information on how to save the CoPilot user configuration as a backup file, see this document.

AVX-23108

(AWS) Intra VPC/VNet Distributed Firewalling is now available for AWS (VMs only) as well as Azure. With this feature you utilize cloud-native security features to provide security control within the virtual network. See this document for more information.

AVX-23265

Performance enhancements to network segmentation in support of improved network scalability. When enabling network segmentation, there are no longer limits for creating underlying tunnels.

AVX-27396

(Azure) You can now use HPE (High Performance Encryption) on the following Azure instances:

  • B2ms

  • D2_v4

  • D4_v4

  • D2_v5 (12.5 Gbps compared to D2_v4 5 Gbps)

  • D4_v5 (12.5 Gbps compared to 10 Gbps with D4_v4)

  • D8_v5

  • D16_v5

AVX-29650

Added a Max Performance column in the Transit Peering Connection table, which you can find in Multi-Cloud transit > List > select a gateway > click Details/Diag. This column shows you the max performance of each transit peering so that you can structure your network more efficiently.

AVX-30716

Previously, Aviatrix Edge gateways listened on a specific port on all interfaces. That port is now closed, reducing the gateway’s exposed surface. See here for information about Aviatrix ports.

AVX-30788

You can now configure BGP over LAN on a BGP Spoke Gateway. Customized NAT/DNAT is also supported by the BGPoLAN connection on the BGP Spoke Gateways.

AVX-31421

While using Private Mode, you can now configure and edit Controller proxy settings directly from the Controller UI or Terraform after setting up your Controller. In the Aviatrix Controller, go to Settings > Advanced > Proxy to set up this configuration.

  • Proxy CA Certificate is not supported.

  • Remote Support is supported with a proxy server for the Controller.

  • (AWS users) AWS proxy instances are no longer necessary while using Private Mode.

AVX-32231

A new safety check helps avoid configuration errors. With this check, you cannot set up a Spoke Gateway with a Custom Mapped/Mapped configuration that has overlapping CIDRs in any of the following:

  • Local Initiated Traffic Destination Virtual CIDRs

  • Remote Initiated Traffic Source Virtual CIDRs

  • Remote Subnet (Virtual)
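As an added example (not Aviatrix code), the following Python reproduces the overlap check for a mapped NAT configuration: it collects the virtual CIDRs from the three fields above and reports every pair that overlaps. It assumes the Controller rejects overlaps both within a single field and across fields; the field names, the dict shape and the sample CIDRs are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Field names follow the three lists in the release note; the dict shape and
# the sample values are constructed for this example.
FIELDS = (
    "local_initiated_dest_virtual_cidrs",
    "remote_initiated_src_virtual_cidrs",
    "remote_subnet_virtual",
)


def find_overlaps(mapped_config):
    """Return every pair of overlapping virtual CIDRs in a mapped NAT config.

    mapped_config maps each field name to a list of CIDR strings. A pair is
    reported when two networks overlap, whether they sit in the same field or
    in different fields (assumption: both cases are rejected by the check).
    Each entry is (field_a, cidr_a, field_b, cidr_b).
    """
    nets = []
    for field in FIELDS:
        for cidr in mapped_config.get(field, []):
            nets.append((field, ipaddress.ip_network(cidr, strict=False)))
    overlaps = []
    for (fa, a), (fb, b) in combinations(nets, 2):
        # ip_network.overlaps() raises on mixed IPv4/IPv6, so compare versions first.
        if a.version == b.version and a.overlaps(b):
            overlaps.append((fa, str(a), fb, str(b)))
    return overlaps


def validate_mapped_config(mapped_config):
    """Raise ValueError listing every overlap; return True when the config is clean."""
    overlaps = find_overlaps(mapped_config)
    if overlaps:
        lines = [f"{fa} {a} overlaps {fb} {b}" for fa, a, fb, b in overlaps]
        raise ValueError("overlapping virtual CIDRs:\n" + "\n".join(lines))
    return True


# Constructed samples: a clean configuration and one with overlaps.
CLEAN = {
    "local_initiated_dest_virtual_cidrs": ["100.64.0.0/24"],
    "remote_initiated_src_virtual_cidrs": ["100.64.1.0/24"],
    "remote_subnet_virtual": ["100.64.2.0/24"],
}
OVERLAPPING = {
    "local_initiated_dest_virtual_cidrs": ["100.64.0.0/24", "100.64.0.128/25"],
    "remote_initiated_src_virtual_cidrs": ["100.64.1.0/24"],
    "remote_subnet_virtual": ["100.64.0.0/16"],
}

if __name__ == "__main__":
    validate_mapped_config(CLEAN)
    try:
        validate_mapped_config(OVERLAPPING)
    except ValueError as err:
        print(err)
```

Running the check locally before pushing a mapped configuration gives the same answer the Controller will give, with every conflicting pair listed at once instead of one rejected save at a time.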

AVX-32256

(Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers.

AVX-32467

Reduced the time it takes to enable CoPilot Security Group Management.

AVX-32894

(Azure) You can now use Accelerated Networking on Azure gateways with instance sizes that support this feature. See the list of supported instance sizes here.

AVX-32976

Aviatrix now supports service in the Azure China North 3 region.

AVX-33021

When authenticating a Site2Cloud connection using PSK-based authentication, you can now skip the Remote ID check by entering "" (an empty string) in the Remote Identifier field. This lets you bring up connections whose Remote ID type Aviatrix Gateways do not support, including IPv6, FQDN, or email.

This is also a troubleshooting aid for a tunnel that will not come up: enter "" in the Remote Identifier field, and if the tunnel then comes up, the Remote ID was probably mismatched. With the check skipped the gateway no longer verifies the identity the peer claims, so correct the Remote ID and restore the check rather than leaving it skipped.

AVX-33353

If your Aviatrix Controller was configured with proxy configuration, you can now use remote support.

AVX-34144

(Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers.

AVX-34431

(AWS) AWS gateways will now support a new instance type, C6in, in select regions.

AVX-34591

(AWS) Added support for the UAE (United Arab Emirates) region, or me-central-1, for AWS Gateways and VPCs.

AVX-35305

Corrected the user ownership of the BGP log to quagga:quagga. This enhancement helps maintain the logging of BGP and Zebra.

AVX-35773

During vendor integration with Panorama, you can increase the wait time for a Panorama commit to one (1) minute. Because it can take some time for Panorama to commit template changes, doing a device push before that commit is ready could cause incomplete routes to be pushed to devices. The increased wait time ensures that the Panorama commit is complete before the device push. To increase the wait time for these commits, please reach out to support@aviatrix.com.

AVX-35789

Previously, if the gateway daemon code experienced errors, it could be difficult to receive alerts for those errors. Now, if the gateway daemon code experiences errors, you receive a notification through the Controller’s bell icon.

AVX-36202

Aviatrix now supports BGP over GRE in Spoke Gateways. Previously, Aviatrix only supported BGP over GRE for Transit Gateways.

AVX-36246

Added new API endpoints for Datadog: "ddog-gov.com", "us3.datadoghq.com", "us5.datadoghq.com".

AVX-36425

You can now configure DNAT in non-active gateways.

AVX-36562

The FlightPath feature has two improvements:

  • This feature can now track egress traffic to the Internet.

  • FlightPath now selects the route with the lowest metric among matching routes when traversing the Linux route table.
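As an added example (not Aviatrix or FlightPath code), the following Python shows the route selection the second bullet describes: parse `ip route show` output, pick the longest-prefix match for a destination, and break ties by the lowest metric. It also follows Internet-bound traffic to the default route, as the first bullet requires. The route table is constructed for the example, not captured from a gateway, and the function names are assumptions.

```python
import ipaddress

# Constructed output in the shape of `ip route show`; not captured from a gateway.
SAMPLE_ROUTE_TABLE = """\
default via 10.0.1.1 dev eth0 metric 100
default via 10.0.1.254 dev eth0 metric 200
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.10
10.10.0.0/16 via 10.0.1.5 dev eth0 metric 50
10.10.0.0/16 via 10.0.1.6 dev eth0 metric 10
10.10.5.0/24 dev tun-abc scope link metric 300
"""


def parse_ip_route(text):
    """Parse `ip route show` lines into (network, via, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dst, strict=False)
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        # A route without an explicit metric has priority 0 in the kernel.
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, via, dev, metric))
    return routes


def select_route(routes, dst_ip):
    """Longest prefix wins; among equal prefixes the lowest metric wins.

    Returns the (network, via, dev, metric) tuple, or None when nothing
    matches. Internet-bound destinations fall through to 0.0.0.0/0.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))


ROUTES = parse_ip_route(SAMPLE_ROUTE_TABLE)

if __name__ == "__main__":
    for dst in ("10.10.9.1", "10.10.5.7", "8.8.8.8"):
        net, via, dev, metric = select_route(ROUTES, dst)
        print(f"{dst} -> {net} via {via} dev {dev} metric {metric}")
```

Note that 10.10.5.7 goes out through the tunnel route with metric 300 rather than the /16 with metric 10: prefix length is compared before metric, and the metric only decides between routes of the same prefix, which is why the two 10.10.0.0/16 entries resolve to 10.0.1.6.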

AVX-36747

Aviatrix Controller and gateway images are moving from racoon-based IKE to strongSwan-based IKE. The Controller and gateways use the image’s Linux kernel version to determine which IKE implementation to enable; an upgrade is supported if the kernel version is 5.4 or newer.

AVX-36880

You can now upgrade images for multiple non-Activemesh Aviatrix Standalone Gateways in batches, instead of individually. This improvement makes the image upgrade process faster and more efficient for this type of gateway.

You can upgrade non-Activemesh gateway images in batch if they have no peerings, or if only one of the gateways has a peering. If more than one non-Activemesh gateway has a peering, the batch image upgrade will fail.

Only one image-upgrade session is allowed for non-Activemesh gateways at a time, so every gateway you want to upgrade must be included in that single session. Within the session, multiple non-Activemesh gateways are upgraded simultaneously.

Please see Upgrading Gateway Images for more information.

AVX-38080

The wait limit for communication between gateways and the Controller has been extended from 2.5 minutes to 10 minutes. This extension provides the necessary time for gateways to successfully upgrade.

AVX-38963

Previously, the Aviatrix OpenVPN® feature could not be used in conjunction with Site2Cloud certificate-based authentication. Now, you can use both features at the same time.

AVX-39449

Private Mode now supports BGP-enabled Spoke with GRE tunnels as well as IPsec tunnels. This feature is available for Spoke and Transit Gateways.

AVX-39732

(Azure) Aviatrix has added support for the following Standard_Dxs_v5 instance types for VMs (Virtual Machines):

  • Standard_D2ds_v5

  • Standard_D4ds_v5

  • Standard_D8ds_v5

  • Standard_D16ds_v5

  • Standard_D32ds_v5

  • Standard_D48ds_v5

  • Standard_D64ds_v5

This enhancement was added to enable you to resize from Standard_Dx_v3 instance types to the Standard_Dxds_v5 instance types listed above. This resizing was not possible with the previously supported Standard_Dxs_v5 instance types. See here for more information about resizing VMs in Azure.