What’s New?

This page provides information about the latest Aviatrix features. See the Release Notes for more detailed, release-specific information.

Important Notice for Aviatrix 7.0 Release Versions

AWS Outpost Support

Running the Aviatrix Platform on AWS Outposts is not supported.

Feature Enhancements in Aviatrix Release 7.0.2239

Release Date: 01/01/2024

Enhanced Features in Release 7.0.2239

Issue Description

AVX-37725

(Azure) During subnet inspection, added the ability to inspect secondary/extra CIDRs in a VNet. When you use this enhancement, subnet inspection extends to cover all CIDR ranges associated with a VNet.

AVX-41388

Improved Controller resilience and scalability with the metrics database. Added support for two new metrics: conntrack allowance available and conntrack usage rate. These metrics are available on Controller software version 7.0.1307 and above.

AVX-43958

  • Added the ability to select multiple Access Accounts at once and audit them simultaneously.

  • Added Last Audit Timestamp column on the Access Accounts page and Account Audit page.

AVX-44146

(AWS) You can now create c6in instance gateways for all AWS regions.

AVX-48416

(Azure) The Aviatrix platform now supports new instance sizes for Azure FireNet Check Point Firewall deployment:

  • D2ds_v5

  • D4ds_v5

  • D8ds_v5

AVX-45898

(Azure) The Qatar Central region has been included in the supported regions for Azure Gateways and VPCs.

AVX-45899

(Azure) Added support for Azure China East 3 region.

AVX-49589

Domain type Webgroups for Distributed Cloud Firewall are now GA. Webgroups are now the preferred mechanism for implementing Egress firewalling.

Feature Enhancements in Aviatrix Release 7.0.1768

Release Date: 05/04/2023

Enhanced Features in Release 7.0.1768

Issue Description

AVX-36880

You can now upgrade images for multiple non-Activemesh Aviatrix Gateways in batches, instead of individually. This improvement makes the image upgrade process faster and more efficient for this type of gateway.

You can upgrade non-Activemesh gateway images in batch if they have no peerings, or if only one of the gateways has a peering. If more than one non-Activemesh gateway has a peering, the batch image upgrade will fail.

Only one image-upgrade session is allowed for non-Activemesh gateways. This means that all desired gateways must be included in a single upgrade session. However, multiple non-Activemesh gateways can be upgraded simultaneously as part of a single upgrade session.

Please see Upgrading Gateway Images for more information.

AVX-38963

Previously, the Aviatrix OpenVPN® feature could not be used in conjunction with Site2Cloud certificate-based authentication. Now, you can use both features at the same time.

AVX-39732

(Azure) Aviatrix has added support for the following Standard_Dxs_v5 instance types for VMs (Virtual Machines):

  • Standard_D2ds_v5

  • Standard_D4ds_v5

  • Standard_D8ds_v5

  • Standard_D16ds_v5

  • Standard_D32ds_v5

  • Standard_D48ds_v5

  • Standard_D64ds_v5

This enhancement was added to enable you to resize from Standard_Dx_v3 instance types to the Standard_Dxs_v5 instance types listed above. This resizing was not possible with previously supported Standard_Dxs_v5 instance types. See here for more information about resizing VMs in Azure.

Feature Enhancements in Aviatrix Release 7.0.1726

Release Date: 04/17/2023

Enhanced Features in Release 7.0.1726

Issue Description

AVX-10154

(Azure) If you have deployed Aviatrix gateways in Azure that use a companion-gateway-version less than or equal to “aviatrix-companion-gateway-v8,” upgrade to software release 6.7.1185 or newer before performing an image upgrade of these gateways. No immediate action is required. Do not perform any Out-of-band or Manual activity related to Azure unmanaged disks, as they will be retired in 2025.

AVX-32894

(Azure) You can now use Accelerated Networking on Azure gateways with instance sizes that support this feature. See the list of supported instance sizes here: https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview

AVX-34431

(AWS) AWS gateways now support a new instance type, c6in, in select regions.

AVX-35789

Previously, if the gateway daemon code experienced errors, it could be difficult to receive alerts for those errors. Now, if the gateway daemon code experiences errors, you receive a notification through the Controller’s bell icon.

AVX-36562

The FlightPath feature has two improvements:

  • FlightPath can now track egress traffic to the Internet.

  • FlightPath now selects the route with the lowest metric when traversing the Linux route table.

AVX-38080

The wait limit for communication between gateways and the Controller has been extended from 2.5 minutes to 10 minutes. This extension provides the necessary time for gateways to successfully upgrade.

Feature Enhancements in Aviatrix Release 7.0.1601

New Features in Release 7.0.1601

Issue Description

AVX-36272

(Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot without re-deploying your Transit Gateways. Previously, you could only create these interfaces while launching an Azure Transit Gateway, and would have to re-deploy your gateway and cause a production outage.

In the Controller, this feature applies to individual gateways. Make sure to set up the same number of BGP over LAN interfaces for each gateway in the group. In CoPilot, this feature applies to each gateway group, or a primary gateway and its HA (High Availability) instances.

  • When you add a BGP over LAN interface, Azure Gateway instances will stop during configuration. If you use HA (High Availability), then the instances will stop one at a time to minimize impact.

  • You cannot delete BGP over LAN interfaces.

Feature Enhancements in Aviatrix Release 7.0.1577

Enhanced Features in Release 7.0.1577

Issue Description

AVX-18598

(AWS) New AWS firewalls will now have the following rules for management interface security groups. These rules enhance firewall security.

  • Palo Alto firewalls have a dedicated management interface. Their security group will have these rules:

    • allow TCP 443 from the Controller’s public or private IP.

    • allow TCP 3978 from the Controller’s public or private IP, with the description: “Panorama access, please replace it with correct IP”.

    • allow ICMP from the Controller’s IP.

  • Fortinet firewalls use the egress interface as the management interface. The security group will have:

    • allow-all. This is the existing rule for egress.

    • allow TCP 443 from the Controller’s public or private IP.

  • Check Point firewalls use the egress interface as the management interface. The security group will have:

    • allow-all. This is the existing rule for egress.

    • allow TCP 443 from the Controller’s public or private IP.

    • allow SSH (TCP 22) from the Controller’s public or private IP.

AVX-20069

The number of HPE (High Performance Encryption) tunnels between connections now automatically adjusts according to the new instance size. Previously, if the gateway already had an HPE connection, you had to manually detach the connection in order to resize. This improvement helps your network to scale more easily and effectively.

AVX-20859

CoPilot has added the ability to save and download CoPilot user configuration as a backup file. This will allow administrators to restore their environments back to previous configurations.

AVX-27396

(Azure) You can now use HPE (High Performance Encryption) on the following Azure instances:

  • B2ms

  • D2_v4

  • D4_v4

  • D2_v5 (12.5 Gbps, compared to 5 Gbps with D2_v4)

  • D4_v5 (12.5 Gbps, compared to 10 Gbps with D4_v4)

  • D8_v5

  • D16_v5

AVX-31421

While using Private Mode, you can now configure and edit Controller proxy settings directly from the Controller UI or Terraform after setting up your Controller. Go to Settings > Advanced > Proxy to set up this configuration.

Proxy CA Certificate is not supported. Remote Support is supported with a proxy server for the Controller. (AWS users) AWS proxy instances are no longer necessary while using Private Mode.

AVX-32231

A new safety check has been added to help avoid configuration errors. With this safety check, you cannot set up your Spoke Gateway with Custom Mapped/Mapped configuration with Overlapping CIDRs in any of the following:

  • Local Initiated Traffic Destination Virtual CIDRs

  • Remote Initiated Traffic Source Virtual CIDRs

  • Remote Subnet (Virtual)

AVX-32256

(Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers.

AVX-33353

If your Aviatrix Controller is configured to use a proxy, you can now use remote support.

AVX-34144

(Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This enhancement means that you no longer need to add a default route with nexthop pointing to the remote peers.

AVX-34591

(AWS) Added support for the UAE (United Arab Emirates) region, or me-central-1, for AWS Gateways and VPCs.

AVX-35305

Corrected the user ownership of the BGP log to quagga:quagga. This enhancement helps maintain the logging of BGP and zebra.

AVX-36425

You can now configure DNAT in non-active gateways.

AVX-36747

Aviatrix Controller and gateway images are switching from IKE-type racoon to IKE-type strongSwan. Your Controller and gateways use the image’s Linux kernel version to determine which IKE-type to enable: if the Linux kernel version is 5.4 or newer, strongSwan is enabled.

Feature Enhancements in Aviatrix Release 7.0.1400

Issue Description

AVX-36147

Removed the peering status check during the configuration workflow for NAT gateways. Now, you can configure NAT without waiting for the connection status to be UP.

AVX-35773

During vendor integration with Panorama, the wait time for a Panorama commit has been increased to 1 minute. Because it can take some time for Panorama to commit template changes, doing a device push before that commit is ready could cause incomplete routes to be pushed to devices. The increased wait time ensures that the Panorama commit is complete before the device push.

AVX-35305

Corrected the user ownership of the BGP log to quagga:quagga. This enhancement helps maintain the logging of BGP and zebra.

Feature Enhancements in Aviatrix Release 7.0.1383

Release Date: 02/01/2023

Issue Description

AVX-34591

(AWS) Added support for the UAE (United Arab Emirates) region, or me-central-1, for AWS Gateways and VPCs.

Feature Enhancements in Aviatrix Release 7.0.1373

Release Date: 01/09/2022

Enhanced Features in Release 7.0.1373

Issue Description

AVX-26394

For users authenticated using SAML to log in to Controller, you can now block them from logging in if they do not have a Profile. Previously, such users would be logged in as read-only. You can enable this option using the Block Empty Profiles toggle switch per SAML endpoint in your Controller. Navigate to Settings > Controller > SAML login.

AVX-30716

Previously, Aviatrix Edge gateways were listening on port 111 on all interfaces. Now, Aviatrix has removed the open port 111 to improve security.

AVX-32976

Aviatrix now supports service in the Azure China North 3 region.

AVX-33021

When authenticating a Site2Cloud connection using PSK-based authentication, you can now ignore or skip the Remote ID check by entering "" (an empty string) in the Remote Identifier field. This enhancement lets you authenticate connections for Remote ID types that Aviatrix Gateways do not support, including IPv6, FQDN, or email. This change also allows you to check if a tunnel is down because of a mismatched Remote ID: enter "" in the Remote Identifier field, and if the tunnel comes up, the Remote ID could be mismatched.

AVX-33814

When an account had too many S2C connections, transit segmentation pages failed to load.

AVX-34089

You can now use the KEY_ID as the remote identifier in the Pre-Shared Key authentication for editing Site2Cloud connection configuration.

Preview Features in Aviatrix Release 7.0.1307

Support for Distributed Firewalling (Azure Only)

Aviatrix has added support for distributed firewalling (L4 Micro-segmentation) for flows within a Virtual network in Azure. This is available under the Distributed Firewalling feature. To try this preview feature, enable the Virtual networks where you would like to enforce L4 distributed firewalling policies under the settings tab in the Security section.

This capability for distributed firewalling in a virtual network is available in Azure with the 7.0.1307 release. Support for other clouds will be available in future releases.

New Features in Aviatrix Release 7.0.1307

Aviatrix Transit Segmentation Interop with Transit Gateways

The TGW/Transit Segmentation Interoperability feature enables you to extend your AWS TGW network domains into other CSPs (Cloud Service Providers). Traffic from different AWS TGW domains therefore remains segmented after it enters the transit network, and the same segmentation is kept for traffic flowing from the transit network segmentation back to the TGW network.

Centralized FireNet in AWS

In AWS, you can now deploy a Centralized FireNet architecture that consists of one Primary Transit FireNet gateway connected to up to 10 Secondary Transit FireNet gateways. This new feature allows you to scale to more than 125 HPE-enabled Spokes and reduce the overall number of firewall deployments.

Building a Site2Cloud Tunnel from a Different Gateway in the Same VPC/VNet

You can now build multiple Site2Cloud tunnels from a different gateway in the same VPC/VNet to the same remote IP address. The Aviatrix solution supports up to 10 gateways in the same VPC/VNet that can create a Site2Cloud tunnel to the same remote IP address.

Improvements to Spoke Gateway Associations with Network Domains

  • Previously, a Spoke Gateway had to be associated with a Transit Gateway before you could associate it with a domain.

  • When you detached the Spoke Gateway from the Transit Gateway, the Spoke Gateway also left the network domain.

Now:

  • You can associate a Spoke Gateway with a network domain at any time, without attaching it to a Transit gateway.

  • When you detach a Spoke Gateway from a Transit Gateway, the domain tag stays with the Spoke Gateway. This change applies to all Spoke Gateways, including BGP spoke and Edge spoke.

Improvements to Edge Spoke Gateway Associations with Network Domains

Previously:

  • When you selected an Edge Spoke Gateway to associate with a Network Domain, you had to attach the Edge Spoke to the Transit Gateway first.

  • All Edge Gateways in the same site would associate/dissociate with the network domain together.

Now:

  • You can select the site_id tag to associate/disassociate with the network domain. No Transit Gateway attachment is required.

  • When you associate a site with a network domain, the Segmentation List page shows every Edge Gateway in the site. Each Edge Gateway in the site has an individual attachment to the network domain and can be associated or disassociated independently of the other Gateways.

Multiple Route Tables in BGP Spoke and Edge Spoke

This update applies to BGP Spoke and Edge Spoke Gateways, not regular Spoke Gateways.

Previously, all Spoke Gateways (including BGP Spoke and Edge Spoke) only had a single route table, so that each Spoke Gateway belonged to a single network domain. This release introduces some behavior changes for Route Tables in BGP Spoke and Edge Spoke Gateways:

  • The BGP Spoke and Edge Spoke Gateway route database has all routes propagated from Transit and BGP.

  • BGP Spoke and Edge Spoke Gateways always have segmentation enabled.

  • The BGP Spoke and Edge Spoke Gateway has all domain route tables.

  • IPset is configured on BGP Spoke or Edge Spoke Gateways:

    • BGP spoke local VPC CIDR with eth0

    • BGP over IPsec remote CIDR with IPsec tunnel interface

    • BGP over LAN remote CIDR with eth1 (LAN interface on edge)

  • The IP rules only have the associated domain rule.

  • On the attached transit side, no IPset is configured for this attached BGP Spoke or Edge Spoke Gateway. The BGP spoke VPC CIDR has a “bgpspokevpc” route type.

Feature Enhancements in Aviatrix Release 7.0.1307

Issue Description

AVX-13508 (AWS)

When you launch a gateway, the gateway uses the Default encryption key set in your AWS account > EC2 > Settings > EBS encryption. In previous releases, to use a key other than the Default key, you had to go to your AWS account > EC2 > Settings > EBS encryption and click Manage. Now, you can use Terraform or the API to specify which encryption key to use for this gateway if you want to use a key other than the Default encryption key.

AVX-13570

Previously, a Controller automatically uploaded tracelogs when the FQDN feature crashed. This fix removed this functionality, as it is not necessary to debug or investigate these crashes.

AVX-20629

In this release, the workload certificate validity time is reduced from 30 days to 1 day to make the control plane more secure. This improvement means the workload certificate will be rotated every 12 hours instead of 15 days.

AVX-22644

BGP on Spoke is supported in Private Mode in 7.0.1307.

AVX-23575

When computing how distributed firewall rules are enforced on the Aviatrix gateways, the Controller is aware of the source and destination NAT rules defined on the intervening spoke gateways. The Controller adjusts the filtering rules so that they will enforce based on the addresses on the packets at that point in the network.

AVX-26205

Aviatrix has increased gateway IPsec daemon threads to support more than 2000 tunnels. This enhancement improves scalability and performance for your network.

AVX-27473

The default admin password used to log in to the Edge gateway’s clish console will change to the gateway’s WAN IP address (IP address without the subnet mask) after the gateway registers with the Controller. There is no change in behavior prior to registration.

This change applies to Edge gateways deployed in any environment.

If you have an Edge gateway deployed with build 6.8.1149 or earlier, on upgrade to 6.8.a, 6.9, or 7.0.1307 the Edge gateway’s default admin password will be changed to the WAN IP address. The password is changed to the WAN IP even if your account’s password has been changed.

After you upgrade to software version 6.8.1311, 6.9.128, or 7.0.1307 and your account password has been changed to a password of your choice, that new password will be carried forward on upgrade to the next Aviatrix release. Aviatrix will not reset the password to the WAN IP on upgrade. You are free to change the password at any point in time.

AVX-27521 (AWS)

When you launch a gateway, the gateway uses the Default encryption key set in your AWS account > EC2 > Settings > EBS encryption. To use a key other than the Default key, you had to go to your AWS account > EC2 > Settings > EBS encryption and click Manage.

Now, you can use Terraform or API to specify which encryption key to use for this gateway if you want to use a different encryption key than the Default encryption key.

AVX-29364

When a GRE tunnel goes down, your gateway withdraws routes. Previously, gateways withdrew routes one at a time, which could take a long time. This enhancement ensures that gateways withdraw routes in bulk to speed up the process.