What’s New in the Aviatrix Controller?

This page provides information about the latest Aviatrix features. See the Release Notes for more detailed release specific information.

7.1.3006

Release Date: 10 Jan 2024

Enhanced Features in Release 7.1.3006

Issue Description

AVX-37725

(Azure) During subnet inspection, added the ability to inspect secondary/extra CIDRs in a VNet. When you use this enhancement, subnet inspection extends to cover all CIDR ranges associated with a VNet.

AVX-38333

Added support for High Availability (HA) and horizontal scaling for Aviatrix Edge gateways. You can now:

  • Deploy more than 2 Edge Gateways with a primary and HA gateway, or

  • Use ECMP in a gateway group or ability to ECMP across more than 2 edge GWs in a location or site.

High-Performance Encryption (HPE) is required.

AVX-38335

Aviatrix Secure Edge now supports the Dell R450 hardware for the Aviatrix Edge Platform. For more information, see the following documents:

* Supported Edge Hardware for the Aviatrix Edge Platform for the hardware specification details * Onboarding Edge Hardware for the steps to onboard your edge hardware in Aviatrix CoPilot

AVX-41388

Improved Controller resilience and scalability with the metrics database. Added support for two new metrics: conntrack allowance available and conntrack usage rate. These metrics are available on Controller software version 7.0.1307 and above.

AVX-43958

  • Added the ability to select multiple Access Accounts at once and audit them simultaneously.

  • Added Last Audit Timestamp column on the Access Accounts page and Account Audit page.

AVX-44146

(AWS) You can now create c6in instance gateways for all AWS regions.

AVX-44831

Aviatrix Secure Edge BGP over LAN Connection Enhancement

This feature enhancement allows Aviatrix Secure Edge Gateways in a cluster to establish a BGP over LAN connection to the same BGP neighbor. Previously, Edge Gateways in a cluster could only establish a one-to-one peering for BGP over LAN connections with its BGP neighbors.

AVX-45898

(Azure) The Qatar Central region has been included in the supported regions for Azure Gateways and VPCs.

AVX-45899

(Azure) Added support for Azure China East 3 region.

AVX-46659

For Equinix Edge Gateways, you can now set up BGP configuration for each HA (High Availability) Gateway as well as for the primary gateway. Previously, you could only set up BGP for the primary Equinix Edge Gateway.

AVX-48416

(Azure) The Aviatrix platform now supports new instance sizes for Azure FireNet Check Point Firewall deployment:

  • D2ds_v5

  • D4ds_v5

  • D8ds_v5

AVX-49589

Domain type WebGroups for Distributed Cloud Firewall are now GA. WebGroups are now the preferred mechanism for implementing Egress firewalling. For more information about WebGroups and Distributed Cloud Firewall, see About WebGroups.

7.1.1710

Release Date: 11 May 2023

Important Notices in Aviatrix Release 7.1.1710

Disable Deprecated Controller-Logging Configurations

If you have logging configurations enabled in Controller for the following external log servers, the out-of-the box logging services for these external log servers were deprecated in previous Controller releases and are removed in Controller 7.1.1710:

  • Elastic Filebeat

  • Splunk Enterprise/Cloud

  • Sumo Logic

You cannot upgrade to Controller 7.1.1710 until you have disabled these deprecated logging configurations.

To disable the deprecated logging configurations:

  • Depending on your environment, you may want to enable your log forwarding under rsyslog and verify the functionality is working before disabling the deprecated logging configurations. For information about using rsyslog as the logging mechanism to forward Aviatrix platform logs to your external log server, see Aviatrix Controller Logging.

  • Disable the deprecated logging configurations for Elastic Filebeat/Splunk Enterprise or Cloud/Sumo Logic, as applicable, in the Controller > Settings > Logging page. Locate the applicable external log server’s respective option and switch its toggle from Enabled to Disabled.

Preview Features in Aviatrix Release 7.1.1710

Intrusion Detection and TLS Decryption

When creating a Distributed Firewalling rule, you can enable Intrusion Detection, and TLS Decryption.

If Intrusion Detection is enabled, traffic is inspected for threats.

If Intrusion Detection and TLS Decryption are both enabled, the decrypted data is examined for intrusions.

For more information, click here.

New Features in Aviatrix Release 7.1.1710

AVX-35849 - (Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot. Previously, you could only create these interfaces while launching an Azure Transit Gateway.

In the Controller, this feature applies to individual gateways. Make sure to set up the same number of BGP over LAN interfaces for each gateway in the group.

In CoPilot, this feature applies to a primary gateway and its HA (High Availability) instances.

  • When you add a BGP over LAN interface, Azure Gateway instances will stop during configuration.

  • You cannot delete BGP over LAN interfaces.

AVX-36272 - (Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot without re-deploying your Transit Gateways. Previously, you could only create these interfaces while launching an Azure Transit Gateway, and would have to re-deploy your gateway and cause down-time in your data plane.

In the Controller, this feature applies to individual gateways. Make sure to set up the same number of BGP over LAN interfaces for each gateway in the group.

In CoPilot, this feature applies to each gateway group, or a primary gateway and its HA (High Availability) instances.

  • When you add a BGP over LAN interface, Azure Gateway instances will stop during configuration. If you use HA (High Availability), then the instances will stop one at a time to minimize impact.

  • You cannot delete BGP over LAN interfaces.

Feature Support in Aviatrix CoPilot for Controller 7.1.1710

The following features are available in Aviatrix CoPilot 3.10.0 when upgrading to Aviatrix Controller 7.1.1710:

Aviatrix Secure Edge for On-Premises and Aviatrix Edge Platform

This release enables support for Aviatrix Secure Edge Gateway to be deployed via a turnkey solution from Aviatrix by leveraging an appliance wherein appliance onboarding and orchestration is driven from the Cloud. Deployment of the Edge gateway is via a zero touch provisioning model. The solution enables a seamless management and configuration model from Cloud to edge. This functionality requires Controller software version 7.1.1710 or later. For more information on Aviatrix Secure Edge, see here.

VLAN, VRRP Support on Aviatrix Secure Edge

Aviatrix Edge Gateway can be used to terminate VLANs on the Edge Gateway. This also includes VRRP support. This can be used leveraging Aviatrix Edge platform on a device with secure edge gateway acting as a LAN side router. This functionality requires Controller software version 7.1.1710 or later.

VLAN at Edge to CSP VPC/VNET Segmentation Support

Aviatrix Secure Edge at a customer on-premises location can be used as a LAN side Gateway with VLANs and this now enables cloud to Edge segmentation model, where segmentation domains and corresponding policies allow customers to define isolation across CSP VPCs and VNETs to onpremises networks and viceversa. This functionality requires Controller software version 7.1.1710 or later.

Aviatrix Secure Edge in Equinix - BGP Underlay Support

Aviatrix Secure Edge in Equinix Network Edge platform now supports setting up private virtual connections from Aviatrix Secure Edge to CSPs such as AWS, Azure, GCP and OCI and use BGP for peering to the CSP private connections (for example, Direct Connect, Express Route, Interconnect). This functionality requires 7.1.1710 Controller release.

L4 Firewall Support on Aviatrix Secure Edge

Aviatrix Secure Edge now supports L4 firewall capabilities where CIDR and IP addresses can be used along with ports and protocols to define policies for granular traffic control.

Edge GW A/A and A/S Support

Edge in Equinix is only a single Gateway per site in this release.

Edge on ESXi/KVM is untested in Controller version 7.1.1710. For Edge on ESXI/KVM self managed environments, please use Controller version 6.8 , 6.9 or 7.1.

The Controller release 7.1.1710 supports two active/active Gateways when deployed in on-premises.

Distributed Firewalling with WebGroups

You can now use WebGroups when defining distributed firewalling rules in the CoPilot > Security > Distributed Firewalling page. WebGroups define Domains and URLs into a group which can be used into the DFW Rules as a matching condition for the Rule action to be enforced.

This functionality requires Controller software version 7.1.1710 or later.

Enhancements to Intra VPC/VNet Distributed Firewalling

If you have Controller version 7.1.1710 or later, you can perform Security Group orchestration for VPC/VNets that have Intra VPC/VNet enabled. See the CoPilot > Security > Distributed Firewalling > Settings tab.

You can view the Intra VPC/VNet configuration in the Topology map and see how many VPC/VNets have Intra VPC/VNet enabled.

For more information about CoPilot Features, see What’s New in CoPilot.

Enhanced Features in Aviatrix Release 7.1.1710

Issue Description

AVX-10154

(Azure) If you have deployed Aviatrix gateways in Azure that use a companion-gateway-version less than or equal to “aviatrix-companion-gateway-v8,” upgrade to software release 6.7.1185 or newer before performing an image upgrade of these gateways. No immediate action is required. Do not perform any Out-of-band or Manual activity related to Azure unmanaged disks, as they will be retired in 2025.

AVX-18598

(AWS) New AWS firewalls will now have the following rules for management interface security groups. These rules enhance firewall security.

Palo Alto firewalls have a dedicated management interface. Their security group will have these rules:

  • allow TCP 443 from the Controller’s public or private IP,

  • allow TCP 3978 from the Controller public or private IP, with the description: “Panorama access, please replace it with correct IP”.

  • allow ICMP from controller IP.

Fortinet firewalls use the egress interface as the management interface. The security group will have:

  • allow-all. This is the existing rule for egress

  • allow TCP 443 from the Controller’s public or private IP.

Checkpoint firewalls use the egress interface as the management interface. The security group will have:

  • allow-all. This is the existing rule for egress.

  • allow TCP 443 from Controller’s public or private IP.

  • allow SSH 22 from Controller’s public or private IP.

AVX-20069

The number of HPE (High Performance Encryption) tunnels between connections now automatically adjusts according to the new instance size. Previously, if the gateway already had an HPE connection, you had to manually detach the connection in order to resize. This improvement helps your network to scale more easily and effectively.

AVX-20859

CoPilot has added the ability to save and download CoPilot user configuration as a backup file on the Controller. This will allow administrators to restore their environments back to previous configurations of their environment. You can use this backup configuration when you deploy a new CoPilot from the Controller.

For information on how to save the CoPilot user configuration as a backup file, see this document.

AVX-23108

(AWS) Intra VPC/VNet Distributed Firewalling is now available for AWS (VMs only) as well as Azure. With this feature you utilize cloud-native security features to provide security control within the virtual network. See this document for more information.

AVX-23265

Performance enhancements to network segmentation in support of improved network scalability. When enabling network segmentation, there are no longer limits for creating underlying tunnels.

AVX-27396

(Azure) You can now use HPE (High Performance Encryption) on the following Azure instances:

  • B2ms

  • D2_v4

  • D4_v4

  • D2_v5 (12.5 Gbps compared to D2_v4 5 Gbps)

  • D4_v5 (12.5 Gbps compared to 10 Gbps with D4_v4)

  • D8_v5

  • D16_v5

AVX-29650

Added a Max Performance column in the Transit Peering Connection table, which you can find in Multi-Cloud transit > List > select a gateway > click Details/Diag. This column shows you the max performance of each transit peering so that you can structure your network more efficiently.

AVX-30716

Previously, Aviatrix Edge gateways were listening on a specific port on all interfaces. Now, Aviatrix has removed the open port to improve security. See here for information about on Aviatrix ports.

AVX-30788

You can now configure BGP over LAN on a BGP Spoke Gateway. Customized NAT/DNAT is also supported by the BGPoLAN connection on the BGP Spoke Gateways.

AVX-31421

While using Private Mode, you can now configure and edit Controller proxy settings directly from the Controller UI or Terraform after setting up your Controller. In the Aviatrix Controller, go to Settings > Advanced > Proxy to set up this configuration.

  • Proxy CA Certificate is not supported.

  • Remote Support is supported with a proxy server for the Controller.

  • (AWS users) AWS proxy instances are no longer necessary while using Private Mode.

AVX-32231

A new safety check has been added to help avoid configuration errors. With this safety check, you cannot set up your Spoke Gateway with Custom Mapped/Mapped configuration with Overlapping CIDRs in any of the following:

  • Local Initiated Traffic Destination Virtual CIDRs

  • Remote Initiated Traffic Source Virtual CIDRs

  • Remote Subnet (Virtual)

AVX-32256

(Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers.

AVX-32467

Reduced the time it takes to enable CoPilot Security Group Management.

AVX-32894

(Azure) You can now use Accelerated Networking on Azure gateways with instance sizes that support this feature. See the list of supported instance sizes here.

AVX-32976

Aviatrix now supports service in the Azure China North 3 region.

AVX-33021

When authenticating a Site2Cloud connection using PSK-based authentication, you can now ignore or skip the Remote ID check by entering ““ in the Remote Identifier field. This enhancement lets you authenticate connections for Remote ID types that Aviatrix Gateways do not support, including IPv6, FQDN, or email.

This change also allows you to check if a tunnel is down because of a mismatched Remote ID. You can enter ““ in the Remote Identifier field, and if the tunnel comes up, the Remote ID could be mismatched.

AVX-33353

If your Aviatrix Controller was configured with proxy configuration, you can now use remote support.

AVX-34144

(Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers.

AVX-34431

(AWS) AWS gateways will now support a new instance type, C6in, in select regions.

AVX-34591

(AWS) Added support for the UAE (United Arab Emirates) region, or me-central-1, for AWS Gateways and VPCs.

AVX-35305

Corrected the user ownership of the BGP log to quagga:quagga. This enhancement helps maintain the logging of BGP and Zebra.

AVX-35773

During vendor integration with Panorama, you can increase the wait time for a Panorama commit to one (1) minute. Because it can take some time for Panorama to commit template changes, doing a device push before that commit is ready could cause incomplete routes to be pushed to devices. The increased wait time ensures that the Panorama commit is complete before the device push. To increase the wait time for these commits, please reach out to support@aviatrix.com.

AVX-35789

Previously, if the gateway daemon code experienced errors, it could be difficult to receive alerts for those errors. Now, if the gateway daemon code experiences errors, you receive a notification through the Controller’s bell icon.

AVX-36202

Aviatrix now supports BGP over GRE in Spoke Gateways. Previously, Aviatrix only supported BGP over GRE for Transit Gateways.

AVX-36246

Added new API endpoints for Datadog: "ddog-gov.com", "us3.datadoghq.com", "us5.datadoghq.com".

AVX-36425

You can now configure DNAT in non-active gateways.

AVX-36562

The FlightPath feature has two improvements:

  • This feature can now track egress traffic to the Internet.

  • FlightPath now selects the route with the lowest metric when traversing the Linux route table.

AVX-36747

Aviatrix Controller and gateway images are switching from Racoon based IKE to Strongswan-based IKE. Your Controller and gateways will use the image’s Linux kernel version to determine which IKE-type to enable. If the Linux kernel version is 5.4 (or newer), an upgrade is supported.

AVX-36880

You can now upgrade images for multiple non-Activemesh Aviatrix Standalone Gateways in batches, instead of individually. This improvement makes the image upgrade process faster and more efficient for this type of gateway.

You can upgrade non-Activemesh gateway images in batch if they have no peerings, or if only one of the gateways has a peering. If more than one non-Activemesh gateway has a peering, the batch image upgrade will fail.

Only one image-upgrade session is allowed for non-Activemesh gateways. This means that all desired gateways must be included in a single upgrade session. However, multiple non-Activemesh gateways can be upgraded simultaneously as part of a single upgrade session.

Please see Upgrading Gateway Images for more information.

AVX-38080

The wait limit for communication between gateways and the Controller has been extended from 2.5 minutes to 10 minutes. This extension provides the necessary time for gateways to successfully upgrade.

AVX-38963

Previously, the Aviatrix OpenVPN® feature could not be used in conjunction with Site2Cloud certificate-based authentication. Now, you can use both features at the same time.

AVX-39449

Private Mode now supports BGP-enabled Spoke with GRE tunnels as well as IPsec tunnels. This feature is available for Spoke and Transit Gateways.

AVX-39732

(Azure) Aviatrix has added support for the following Standard_Dxs_v5 instance types for VMs (Virtual Machines):

  • Standard_D2ds_v5

  • Standard_D4ds_v5

  • Standard_D8ds_v5

  • Standard_D16ds_v5

  • Standard_D32ds_v5

  • Standard_D48ds_v5

  • Standard_D64ds_v5

This enhancement was added to enable you to resize from Standard_Dx_v3 instance types to the Standard_Dxs_v5 instance types listed above. This resizing was not possible with previously-supported Standard_Dxs_v5 instance types. See here for more information about resizing VMs in Azure.