New Features in 3.10.0

Release Date: 11 May 2023

For issues corrected in CoPilot 3.10.0, see Aviatrix CoPilot Software Release Notes.

Aviatrix Secure Edge for On-Premises and Aviatrix Edge Platform

This release enables support for Aviatrix Secure Edge Gateway to be deployed via a turnkey solution from Aviatrix by leveraging an appliance wherein appliance onboarding and orchestration is driven from the Cloud. Deployment of the Edge gateway is via a zero touch provisioning model. The solution enables a seamless management and configuration model from Cloud to edge. This functionality requires Controller software version 7.1.1710 or later.

VLAN, VRRP Support on Aviatrix Secure Edge

Aviatrix Edge Gateway can be used to terminate VLANs on the Edge Gateway. This also includes VRRP support. This can be used leveraging Aviatrix Edge platform on a device with secure edge gateway acting as a LAN side router. This functionality requires Controller software version 7.1.1710 or later.

VLAN at Edge to CSP VPC/VNET Segmentation Support

Aviatrix Secure Edge at a customer on-premises location can be used as a LAN side Gateway with VLANs and this now enables cloud to Edge segmentation model, where segmentation domains and corresponding policies allow customers to define isolation across CSP VPCs and VNETs to onpremises networks and viceversa. This functionality requires Controller software version 7.1.1710 or later.

Aviatrix Secure Edge in Equinix - BGP Underlay Support

Aviatrix Secure Edge in Equinix Network Edge platform now supports setting up private virtual connections from Aviatrix Secure Edge to CSPs such as AWS, Azure, GCP and OCI and use BGP for peering to the CSP private connections (for example, Direct Connect, Express Route, Interconnect). This functionality requires 7.1.1710 Controller release.

L4 Firewall Support on Aviatrix Secure Edge

Aviatrix Secure Edge now supports L4 firewall capabilities where CIDR and IP addresses can be used along with ports and protocols to define policies for granular traffic control.

Edge GW A/A and A/S Support

Edge in Equinix is only a single Gateway per site in this release.

Edge on ESXi/KVM is untested in Controller version 7.1.1710. For Edge on ESXI/KVM self managed environments, please use Controller version 6.8 , 6.9 or 7.1.

The Controller release 7.1.1710 supports two active/active Gateways when deployed in on-premises.

Enhanced Features in 3.10.0

Updated Cloud Routes page

The CoPilot > Troubleshoot > Cloud Routes page has an updated layout and improved format for tables and search controls.

Additional Info in ThreatIQ Alert Email/Webhook

For ThreatIQ alerts, additional information is now included for both email and webhook alert notification channels.

  • Webhooks: The event.threatIqInfo field is added. The Webhook fields matchingHosts, newlyAffectedHosts, and recoveredHosts used to contain only the threat IP. With the addition of the event.threatIqInfo field, these fields also contain the affected gateway name.

    The event.threatIqInfo field is only available for threatIQ alerts and is automatically sent out with the ThreatIQ webhook; the field is not accessible through the webhook template in the CoPilot UI.

  • Emails: The Newly Affected Hosts table row now provides the affected gateway name in addition to the threat IP and threat severity as defined by the threat-IP source.

New Pages for Gateway Functional Areas

New pages were added to CoPilot for these functional areas:

  • Transitive Routing (Edge)

    The Transitive Routing option is added to allow Edge Gateways to forward traffic between multiple Transit Gateways. See Configuring Transitive Routing with Edge Gateway.

  • Setup Gateways

Support for Edge HA Gateway Creation

You can now use the CoPilot > AirSpace > Edge page to create edge high availability (HA) gateways.

This functionality requires Controller software version 7.1.1710 or later.

Distributed Firewalling with WebGroups

You can now use WebGroups (Preview feature) when defining Distributed Firewalling (DFW) rules in the CoPilot > Security > Distributed Firewalling page. WebGroups define Domains and URLs into a group which can be used into the DFW Rules as a matching condition for the Rule action to be enforced.

This functionality requires Controller software version 7.1.1710 or later.

Enhancements to Intra VPC/VNet Distributed Firewalling

If you have Controller version 7.1.1710 or later, you can perform Security Group orchestration for VPC/VNets that have Intra VPC/VNet enabled. See the CoPilot > Security > Distributed Firewalling > Settings tab.

You can view the Intra VPC/VNet configuration in the Topology map and see how many VPC/VNets have Intra VPC/VNet enabled.

Support for Spoke Attachment while Creating/Editing a FireNet Gateway

You can now attach a Spoke Gateway to a FireNet Gateway while creating or editing the FireNet Gateway in the CoPilot > Security > FireNet page.

Preview Features in 3.10.0

This section lists Preview Features in this release.

Decryption CA Certificate Functions for Distributed Firewalling

If you have CoPilot 3.10.0 and Controller version 7.1.1710 or later, the following decryption CA certificate functions are available as a preview feature:

In CoPilot > Security > Distributed Firewalling > Settings > Decryption CA Certificate:

  • Upload your own CA certificate so that you can use TLS (recommended)

  • Download the default Aviatrix CA certificate for use in your environment

  • Add the Aviatrix CA certificate to your trust bundle

  • Upload your own trust bundle

  • Change the enforcement level to determine how Distributed Firewalling handles origin certificates that are not signed by a trusted Certificate Authority.

  • Renew certificates

When using a Controller version earlier than 7.1.1710, you can download the Aviatrix CA certificate for use in your environment but other functions (described above) are not available.

GCP Global VPC Routing (Global Spoke for GCP)

Global Spoke for GCP is a preview feature available in CoPilot 3.10.0.

Global Spoke for GCP creates regional awareness between the VPC and Aviatrix gateways allowing you to restrict spoke gateway traffic to transit gateways in the same region as the spoke gateway. Without global VPC, communications between spokes over transit in the same region are routed outside the region. Regional awareness is achieved by appending regional network tags to virtual machines and adding regional routes to the gateways in the routing table using tags. You can configure the method of appending the network tags in the CoPilot > AirSpace > Gateways > Settings page. For more information, see GCP Global VPC Routing.

WebGroups

WebGroups are used in Distributed Firewalling rules. WebGroups define Domains and URLs into a group which can be used into the DFW Rules as a matching condition for the Rule action to be enforced.