What’s New?
This page provides information about the latest Aviatrix features. See the Release Notes for more detailed release specific information.
Feature Enhancements in Aviatrix Release 7.0.2239
Release Date: 1 Jan 2024
Enhanced Features in Release 7.0.2239
Issue | Description |
---|---|
AVX-37725 | (Azure) During subnet inspection, added the ability to inspect secondary/extra CIDRs in a VNet. With this enhancement, subnet inspection extends to cover all CIDR ranges associated with a VNet. |
AVX-41388 | Improved Controller resilience and scalability with the metrics database. Added support for two new metrics: conntrack allowance available and conntrack usage rate. These metrics are available on Controller software version 7.0.1307 and above. |
AVX-43958 | |
AVX-44146 | (AWS) You can now create c6in instance gateways in all AWS regions. |
AVX-48416 | (Azure) The Aviatrix platform now supports new instance sizes for Azure FireNet Check Point Firewall deployment: |
AVX-45898 | (Azure) The Qatar Central region has been added to the supported regions for Azure Gateways and VPCs. |
AVX-45899 | (Azure) Added support for the Azure China East 3 region. |
AVX-49589 | Domain type Webgroups for Distributed Cloud Firewall are now GA. Webgroups are now the preferred mechanism for implementing Egress firewalling. |
7.0.1768
Release Date: 05/04/2023
Enhanced Features in Release 7.0.1768
Issue | Description |
---|---|
AVX-36880 | You can now upgrade images for multiple non-ActiveMesh Aviatrix Gateways in batches, instead of individually. This improvement makes the image upgrade process faster and more efficient for this type of gateway. You can upgrade non-ActiveMesh gateway images in batch if they have no peerings, or if only one of the gateways has a peering. If more than one non-ActiveMesh gateway has a peering, the batch image upgrade will fail. See Upgrading Gateway Images for more information. |
AVX-38963 | Previously, the Aviatrix OpenVPN® feature could not be used together with Site2Cloud certificate-based authentication. Now, you can use both features at the same time. |
AVX-39732 | (Azure) Aviatrix has added support for the following Standard_Dxs_v5 instance types for VMs (Virtual Machines): This enhancement was added so that you can resize from Standard_Dx_v3 instance types to the Standard_Dxs_v5 instance types listed above, which was not possible with the previously supported Standard_Dxs_v5 instance types. See here for more information about resizing VMs in Azure. |
Enhanced Features in Aviatrix Release 7.0.1726
Release Date: 04/17/2023
Feature Enhancements in Aviatrix Release 7.0.1726
Issue | Description |
---|---|
AVX-10154 | (Azure) If you have deployed Aviatrix gateways in Azure that use a companion gateway version less than or equal to “aviatrix-companion-gateway-v8,” upgrade to software release 6.7.1185 or newer before performing an image upgrade of these gateways. No immediate action is required. Do not perform any out-of-band or manual activity related to Azure unmanaged disks, which will be retired in 2025. |
AVX-32894 | (Azure) You can now use Accelerated Networking on Azure gateways with instance sizes that support this feature. See the list of supported instance sizes [here](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview). |
AVX-34431 | (AWS) AWS gateways now support a new instance type, C6in, in select regions. |
AVX-35789 | Previously, if the gateway daemon code experienced errors, it could be difficult to receive alerts for those errors. Now, when the gateway daemon code experiences errors, you receive a notification through the Controller’s bell icon. |
AVX-36562 | The FlightPath feature has two improvements: it can now track egress traffic to the Internet, and it now selects the route with the lowest metric when traversing the Linux route table. |
AVX-38080 | The wait limit for communication between gateways and the Controller has been extended from 2.5 minutes to 10 minutes. This extension gives gateways the time they need to upgrade successfully. |
Feature Enhancements in Aviatrix Release 7.0.1601
New Features in Release 7.0.1601
Issue | Description |
---|---|
AVX-36272 | (Azure) You can now create BGP over LAN interfaces directly through the Aviatrix Controller and CoPilot without redeploying your Transit Gateways. Previously, you could only create these interfaces while launching an Azure Transit Gateway, so adding them later meant redeploying the gateway and causing a production outage. In the Controller, this feature applies to individual gateways; make sure to set up the same number of BGP over LAN interfaces for each gateway in the group. In CoPilot, this feature applies to each gateway group, that is, a primary gateway and its HA (High Availability) instances. |
Feature Enhancements in Aviatrix Release 7.0.1577
Enhanced Features in Release 7.0.1577
Issue | Description |
---|---|
AVX-18598 | (AWS) New AWS firewalls will now have the following rules for management interface security groups. These rules enhance firewall security. |
AVX-20069 | The number of HPE (High Performance Encryption) tunnels between connections now adjusts automatically to the new instance size. Previously, if the gateway already had an HPE connection, you had to detach the connection manually in order to resize. This improvement helps your network scale more easily and effectively. |
AVX-20859 | CoPilot can now save and download the CoPilot user configuration as a backup file, allowing administrators to restore their environments to previous configurations. |
AVX-27396 | (Azure) You can now use HPE (High Performance Encryption) on the following Azure instances: B2ms; D2_v4; D4_v4; D2_v5 (12.5 Gbps, compared to 5 Gbps with D2_v4); D4_v5 (12.5 Gbps, compared to 10 Gbps with D4_v4); D8_v5; D16_v5. |
AVX-31421 | While using Private Mode, you can now configure and edit Controller proxy settings directly from the Controller UI or Terraform after setting up your Controller. Go to Settings > Advanced > Proxy to set up this configuration. |
AVX-32231 | A new safety check has been added to help avoid configuration errors. With this safety check, you cannot set up your Spoke Gateway with a Custom Mapped/Mapped configuration with overlapping CIDRs in any of the following: |
AVX-32256 | (Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This means that you no longer need to add a default route with a next hop pointing to the remote peers. |
AVX-33353 | If your Aviatrix Controller is configured with a proxy, you can now use remote support. |
AVX-34144 | (Azure) With Azure Route Server integration, the Azure Route Server manages all the routes in the VNet route table. This means that you no longer need to add a default route with a next hop pointing to the remote peers. |
AVX-34591 | (AWS) Added support for the UAE (United Arab Emirates) region, me-central-1, for AWS Gateways and VPCs. |
AVX-35305 | Corrected the user ownership of the BGP log to quagga:quagga. This enhancement helps maintain the logging of BGP and zebra. |
AVX-36425 | You can now configure DNAT on non-active gateways. |
AVX-36747 | Aviatrix Controller and gateway images are switching from IKE type racoon to IKE type strongSwan. Your Controller and gateways use the image’s Linux kernel version to determine which IKE type to enable: if the Linux kernel version is 5.4 or newer, strongSwan is enabled. |
Feature Enhancements in Aviatrix Release 7.0.1400
Issue | Description |
---|---|
AVX-36147 | Removed the peering status check from the configuration workflow for NAT gateways. You can now configure NAT without waiting for the connection status to be UP. |
AVX-35773 | During vendor integration with Panorama, increased the wait time for a Panorama commit to 1 minute. Because Panorama can take some time to commit template changes, doing a device push before that commit is complete could push incomplete routes to devices. The increased wait time ensures that the Panorama commit is complete before the device push. |
AVX-35305 | Corrected the user ownership of the BGP log to quagga:quagga. This enhancement helps maintain the logging of BGP and zebra. |
Feature Enhancements in Aviatrix Release 7.0.1383
Release Date: 02/01/2023
Issue | Description |
---|---|
AVX-34591 | (AWS) Added support for the UAE (United Arab Emirates) region, me-central-1, for AWS Gateways and VPCs. |
7.0.1373
Release Date: 01/09/2022
Enhanced Features in Release 7.0.1373
Issue | Description |
---|---|
AVX-26394 | For users who authenticate with SAML to log in to the Controller, you can now block them from logging in if they do not have a Profile. Previously, such users were logged in as read-only. Enable this option with the Block Empty Profiles toggle switch per SAML endpoint in your Controller, under Settings > Controller > SAML login. |
AVX-30716 | Previously, Aviatrix Edge gateways listened on port 111 on all interfaces. Aviatrix has now removed the open port 111 to improve security. |
AVX-32976 | Aviatrix now supports service in the Azure China North 3 region. |
AVX-33021 | When authenticating a Site2Cloud connection with PSK-based authentication, you can now ignore or skip the Remote ID check by entering `""` in the Remote Identifier field. This enhancement lets you authenticate connections for Remote ID types that Aviatrix Gateways do not support, including IPv6, FQDN, or email. It also lets you check whether a tunnel is down because of a mismatched Remote ID: enter `""` in the Remote Identifier field, and if the tunnel comes up, the Remote ID could be mismatched. |
AVX-33814 | When an account had too many S2C connections, transit segmentation pages failed to load. |
AVX-34089 | You can now use the KEY_ID as the remote identifier in Pre-Shared Key authentication when editing a Site2Cloud connection configuration. |
Preview Features in Aviatrix Release 7.0.1307
Support for Distributed Firewalling (Azure Only)
Aviatrix has added support for distributed firewalling (L4 micro-segmentation) for flows within a virtual network in Azure. This is available under the Distributed Firewalling feature. To try this preview feature, go to the Settings tab in the Security section and enable the virtual networks where you want to enforce L4 distributed firewalling policies.
This capability for distributed firewalling in a virtual network is available in Azure with the 7.0.1307 release. Support for other clouds will be available in future releases.
Aviatrix Transit Segmentation Interop with Transit Gateways
The TGW/Transit Segmentation Interoperability feature enables you to extend your AWS TGW network domains into other CSPs (Cloud Service Providers). Traffic from different AWS TGW domains therefore remains segmented after it enters the transit network, and the same segmentation is kept for traffic flowing from the transit network back to the TGW network.
Centralized FireNet in AWS
In AWS, you can now deploy a Centralized FireNet architecture that consists of one Primary Transit FireNet gateway connected to up to 10 Secondary Transit FireNet gateways. This new feature allows you to scale to more than 125 HPE-enabled Spokes and reduce the overall number of firewall deployments.
Building a Site2Cloud Tunnel from a Different Gateway in the Same VPC/VNet
You can now build multiple Site2Cloud tunnels from a different gateway in the same VPC/VNet to the same remote IP address. The Aviatrix solution supports up to 10 gateways in the same VPC/VNet that can create a Site2Cloud tunnel to the same remote IP address.
Improvements to Spoke Gateway Associations with Network Domains
Previously:
- A Spoke Gateway had to be associated with a Transit Gateway before you could associate it with a domain.
- When you detached the Spoke Gateway from the Transit Gateway, the Spoke Gateway also left the network domain.
Now:
- You can associate a Spoke Gateway with a network domain at any time, without attaching it to a Transit Gateway.
- When you detach a Spoke Gateway from a Transit Gateway, the domain tag stays with the Spoke Gateway. This change applies to all Spoke Gateways, including BGP Spoke and Edge Spoke.
Improvements to Edge Spoke Gateway Associations with Network Domains
Previously:
- When you selected an Edge Spoke Gateway to associate with a Network Domain, you had to attach the Edge Spoke to the Transit Gateway first.
- All Edge Gateways in the same site were associated with or disassociated from the network domain together.
Now:
- You can select the site_id tag to associate with or disassociate from the network domain. No Transit Gateway attachment is required.
- When you associate a site with a network domain, the Segmentation List page shows every Edge Gateway in the site. Each Edge Gateway in the site has an individual attachment to the network domain and can be associated or disassociated independently of the other Gateways.
Multiple Route Tables in BGP Spoke and Edge Spoke
This update applies to BGP Spoke and Edge Spoke Gateways, not regular Spoke Gateways.
Previously, all Spoke Gateways (including BGP Spoke and Edge Spoke) had only a single route table, so each Spoke Gateway belonged to a single network domain. This release introduces the following behavior changes for route tables in BGP Spoke and Edge Spoke Gateways:
- The BGP Spoke and Edge Spoke Gateway route database has all routes propagated from Transit and BGP.
- BGP Spoke and Edge Spoke Gateways always have segmentation enabled.
- The BGP Spoke and Edge Spoke Gateway has all domain route tables.
- IPset is configured on BGP Spoke or Edge Spoke Gateways:
  - BGP spoke local VPC CIDR with eth0
  - BGP over IPsec remote CIDR with the IPsec tunnel interface
  - BGP over LAN remote CIDR with eth1 (the LAN interface on Edge)
- The IP rules only have the associated domain rule.
- On the attached transit side, no IPset is configured for this attached BGP Spoke or Edge Spoke Gateway. The BGP spoke VPC CIDR has the “bgpspokevpc” route type.
Feature Enhancements in Aviatrix Release 7.0.1307
Issue | Description |
---|---|
AVX-13508 | (AWS) When you launch a gateway, it uses the Default encryption key set in your AWS account > EC2 > Settings > EBS encryption. In previous releases, to use a key other than the Default key you had to go to your AWS account > EC2 > Settings > EBS encryption and click Manage. Now, you can use Terraform or the API to specify which encryption key to use for the gateway if you want a key other than the Default encryption key. |
AVX-13570 | Previously, the Controller automatically uploaded tracelogs when the FQDN feature crashed. This fix removes that behavior, as the uploads are not necessary to debug or investigate these crashes. |
AVX-20629 | In this release, the workload certificate validity time is reduced from 30 days to 1 day to make the control plane more secure. As a result, the workload certificate is rotated every 12 hours instead of every 15 days. |
AVX-22644 | BGP on Spoke is supported in Private Mode in 7.0.1307. |
AVX-23575 | When computing how distributed firewall rules are enforced on Aviatrix gateways, the Controller takes into account the source and destination NAT rules defined on the intervening spoke gateways, and adjusts the filtering rules so that they are enforced based on the addresses the packets carry at that point in the network. |
AVX-26205 | Aviatrix has increased the gateway IPsec daemon threads to support more than 2000 tunnels. This enhancement improves scalability and performance for your network. |
AVX-27473 | The default admin password used to log in to the Edge gateway’s clish console changes to the gateway’s WAN IP address (the IP address without the subnet mask) after the gateway registers with the Controller. Behavior prior to registration is unchanged. This change applies to Edge gateways deployed in any environment. If you have an Edge gateway deployed with any build up to and including 6.8.1149, on upgrade to 6.8.a, 6.9, or 7.0.1307 the Edge gateway’s default admin password is changed to the WAN IP address, even if your account’s password has already been changed. After you upgrade to software version 6.8.1311, 6.9.128, or 7.0.1307 and change your account password to one of your choice, that new password is carried forward on upgrade to the next Aviatrix release; Aviatrix will not reset the password to the WAN IP on upgrade. You are free to change the password at any time. |
AVX-27521 | (AWS) When you launch a gateway, it uses the Default encryption key set in your AWS account > EC2 > Settings > EBS encryption. To use a key other than the Default key, you had to go to your AWS account > EC2 > Settings > EBS encryption and click Manage. Now, you can use Terraform or the API to specify which encryption key to use for the gateway if you want a key other than the Default encryption key. |
AVX-29364 | When a GRE tunnel goes down, your gateway withdraws routes. Previously, gateways withdrew routes one at a time, which could take a long time. With this enhancement, gateways withdraw routes in bulk to speed up the process. |