
The Aviatrix 9.0 Release closes the paths your current stack leaves ungoverned.

If you run the Five Testable Properties of a containment platform against your environment today, most organizations pass two. Maybe three. The gaps are always the same: workload types the enforcement engine cannot reach, communication paths it cannot see, and propagation speeds that cannot keep pace with how fast your cloud moves.

For those new to the framework: the Five Testable Properties are the architectural requirements any Containment Platform must deliver. Path-complete means every communication path is governed, with no bypasses. Identity-aware at L7 means policy targets workload identity, not IP addresses. Detection-independent means enforcement holds without requiring that the breach first be detected. Compute-model agnostic means VMs, containers, serverless, and AI agents are all covered without agents on each workload. Universally propagated means one policy reaches every cloud in subseconds. These are not aspirational. They are testable. And every feature in 9.0 exists to extend one or more of them into territory your stack could not reach before.

Aviatrix 9.0 is built to close those gaps. Not with a new product or a new console, but by extending the Cloud Native Security Fabric deeper into the workload types, network paths, and operational realities that define modern cloud estates. If your containment architecture had a gap yesterday, this is the release that closes it.

Every Path Governed

Containment means nothing if the enforcement plane has blind spots. A single ungoverned communication path is the one an attacker will find. Four capabilities in 9.0 eliminate the most common bypasses we see across our installed base and across the industry.

PROPERTY 1: PATH-COMPLETE

DCF (Distributed Cloud Firewall) East-West with Transit Gateway

Most enterprises route inter-VPC traffic through a centralized Transit Gateway hub. Until now, east-west enforcement required Aviatrix transit peering. 9.0 changes that. The Aviatrix Policy Enforcement Point (PEP) now inserts transparently into your existing TGW architecture. Every flow between VPCs traverses the PEP for inspection and enforcement. Your native transit hub, peering, and cross-VPC routing stay exactly as they were. No rip-and-replace. No maintenance window. The fastest credible path from no east-west enforcement to full east-west containment.

A note on centralized Security Hub VPCs: for teams whose architecture still routes through a centralized inspection hub, 9.0 makes that hub a containment enforcement point from day one. This is not an endorsement of the chokepoint model of security. It is a recognition that customers start where they are, and the path to distributed enforcement is one VPC at a time from there. Value compounds at every stop, and no customer has to commit to the full journey to start getting results.

PROPERTY 4: COMPUTE-MODEL AGNOSTIC

Serverless DCF

Lambda functions, Azure Functions, and Cloud Run workloads have been enforcement blind spots across the industry. Chokepoint firewalls cannot inspect what never traverses the appliance. Agent-based microsegmentation cannot install on a workload that has no host. Serverless DCF extends the Policy Enforcement Point to serverless functions with zero changes to the function code, zero agents, and the same identity-aware policy model that governs your VMs and containers. One policy tree. Every compute type. This is the compute-model agnostic property made real: the same PEP architecture that governs a VM in AWS governs a Lambda function, a Cloud Run service, and a Kubernetes pod. No separate tool. No separate policy. No gap.

PROPERTY 1: PATH-COMPLETE

DCF on Edge

Edge locations are where containment policy has historically ended and hope has begun. 9.0 extends the PEP to edge compute environments, bringing the same enforcement, the same policy propagation, and the same back-out path to the perimeter. This is Communication Governance extended to the boundary of your network. The edge is not a different security domain. It is another workload environment, and it deserves the same enforcement posture as your core. If a communication path exists, policy now governs it.

PROPERTY 1: PATH-COMPLETE

IPv6 Phase 2

If your containment enforcement only covers IPv4, you have a bypass. It is that simple. 9.0 delivers full dual-stack enforcement across the DCF policy plane. Every rule, every WebGroup, every identity-based policy applies equally to IPv4 and IPv6 traffic. Dual-stack is not a future-proofing checkbox. It is a path-completeness requirement.
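The bypass described above is easy to demonstrate with a small policy evaluator. The following Python is an added illustration, not Aviatrix code and not the DCF policy format: it compares an identity-based policy (workloads matched by a role tag, address family irrelevant) against a legacy IPv4 CIDR ruleset that never sees IPv6 flows, and reports the flows that only the identity policy stops. The workload inventory, roles, addresses and flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: each workload has a role tag and addresses on both
# address families. Hypothetical data, not an Aviatrix inventory format.
WORKLOADS = {
    "web-01":   {"role": "web",   "addrs": ["10.0.1.10", "2001:db8:1::10"]},
    "db-01":    {"role": "db",    "addrs": ["10.0.2.20", "2001:db8:2::20"]},
    "batch-01": {"role": "batch", "addrs": ["10.0.3.30", "2001:db8:3::30"]},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def identity_of(addr: str):
    """Resolve an address (v4 or v6) to the workload role it belongs to."""
    ip = ipaddress.ip_address(addr)
    for wl in WORKLOADS.values():
        if any(ipaddress.ip_address(a) == ip for a in wl["addrs"]):
            return wl["role"]
    return None  # unknown workload: no identity, so no rule can match

# Identity-aware policy: (src_role, dst_role, dport) tuples that are allowed;
# everything else is denied. Address family never appears in the rule.
IDENTITY_POLICY = [("web", "db", 5432)]

def evaluate_identity(flow: Flow) -> str:
    src_role, dst_role = identity_of(flow.src), identity_of(flow.dst)
    for s, d, p in IDENTITY_POLICY:
        if (s, d, p) == (src_role, dst_role, flow.dport):
            return "allow"
    return "deny"

# Legacy address-based ruleset written only for IPv4. The IPv6 path was never
# wired into this engine, so v6 flows are simply not inspected (modelled here
# as returning "allow" without consulting any rule).
IPV4_RULES = [
    (ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24"), 5432, "allow"),
    (ipaddress.ip_network("0.0.0.0/0"),   ipaddress.ip_network("0.0.0.0/0"),   None, "deny"),
]

def evaluate_ipv4_only(flow: Flow) -> str:
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src.version != 4 or dst.version != 4:
        return "allow"  # ungoverned path: the ruleset is never reached
    for snet, dnet, port, action in IPV4_RULES:
        if src in snet and dst in dnet and (port is None or port == flow.dport):
            return action
    return "deny"

# Constructed sample flows: the same logical conversations over v4 and v6.
SAMPLE_FLOWS = [
    Flow("10.0.1.10",      "10.0.2.20",      5432),  # web -> db, v4, allowed by both
    Flow("2001:db8:1::10", "2001:db8:2::20", 5432),  # web -> db, v6, allowed by both
    Flow("10.0.3.30",      "10.0.2.20",      5432),  # batch -> db, v4, denied by both
    Flow("2001:db8:3::30", "2001:db8:2::20", 5432),  # batch -> db, v6: v4-only engine lets it through
    Flow("2001:db8:1::10", "2001:db8:2::20", 22),    # web -> db ssh, v6: v4-only engine lets it through
]

def find_bypasses(flows=SAMPLE_FLOWS):
    """Flows the IPv4-only ruleset passes but the identity policy denies."""
    return [f for f in flows
            if evaluate_ipv4_only(f) == "allow" and evaluate_identity(f) == "deny"]

if __name__ == "__main__":
    for f in find_bypasses():
        print(f"bypass: {f.src} -> {f.dst}:{f.dport}")
```

The same test is useful on real flow logs: run every observed flow through the policy you believe is enforced and through the engine that is actually in the path, and any disagreement is an ungoverned path. Keying the policy on identity rather than CIDR is what makes the second address family free, since the rule does not change when a workload gains a v6 address.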

Enforcement That Doesn't Break Things

The biggest fear most security teams have is breaking applications on the way to better security. Every feature in this section exists to make that fear unfounded. The principle is borrowed from our Architecture Brief: monitor before enforce, one VPC at a time, built-in back-out states.

PROPERTY 5: UNIVERSALLY PROPAGATED

Gateway Drain and Undrain

When the Aviatrix dataplane needs maintenance, 9.0 lets you drain a gateway gracefully. Active flows complete. New flows route to healthy gateways. When maintenance is done, undrain. No dropped connections. No maintenance windows. This matters because universal propagation is not just about policy speed. It is about infrastructure operations that never disrupt the enforcement plane. The dataplane never reloads.

Smart Gateways Phase 2

Smart Gateways Phase 2 adds automated gateway health monitoring, self-healing failover, and capacity-aware scaling. The enforcement plane adapts to infrastructure conditions without operator intervention. Policy propagation remains sub-second regardless of gateway topology changes. This is the operational maturity that makes containment trustworthy at production scale.

IPS with TLS Decryption

Encrypted traffic is where threats hide. 9.0 adds TLS decryption to the Aviatrix IPS engine with curated threat intelligence from the Aviatrix Threat Research Center. But the containment point is this: IPS makes detection better. The containment architecture does not depend on it. Your enforcement holds whether or not IPS fires, whether or not the threat is detected, whether or not a signature exists. That is what detection-independent means. IPS is the bonus. Containment is the architecture.

See Everything, Contain Everything

You cannot contain what you cannot see. Discovery feeds enforcement. Two capabilities in 9.0 close the visibility-to-action loop.

PROPERTY 4: COMPUTE-MODEL AGNOSTIC

Kubernetes Discovery

9.0 discovers Kubernetes workloads natively, without touching the cluster, without replacing the CNI, without installing agents on pods. We work alongside Calico, Cilium, AWS VPC CNI, Azure CNI, GKE, whatever you have. One sidecar at the VPC. Not one agent per pod. Not one daemon per host. The Aviatrix PEP inspects every flow into and out of the VPC at L3 through L7 with zero changes to applications, cluster networking, or cloud native routing. No CNI replacement. No kernel modules. No licensing per host. The workload does not have to know we are there.

This matters because Kubernetes is where the modernization is happening, and it is where the enforcement gap is widest. Discovery is Step 1 of the containment journey. You cannot write policy for workloads you do not know exist. 9.0 makes K8s workloads first-class citizens in the Aviatrix policy tree from the moment they are visible, with the same identity model (tags, namespaces, labels) that governs the rest of your estate.

Policy Audit

Every policy change. Every enforcement decision. Every exception. 9.0 delivers a complete audit trail that maps to the compliance frameworks your organization already operates under. Policy Audit is what turns containment from a technical capability into an auditable control. Security teams define intent. Platform teams enforce. Auditors verify. One trail.

What Else Shipped

9.0 also includes Active Mesh 4.0 Phase 2 for improved multicloud transit resilience, expanded firewall vendor integrations for customers running hybrid enforcement during their containment journey, and Dell R470 hardware support for on-premises edge deployments. Each of these capabilities reinforces the same principle: meet customers where they are and make the next step toward containment the easiest decision on their roadmap.

The Diagnostic Question

We are in the Containment Era. The math is settled: organizations increased remediation effort 6.5x in a single year and the percentage of critical vulnerabilities unresolved at seven days still worsened. Meanwhile, 82% of intrusions now ride valid credentials through legitimate channels, producing no anomalous signal for detection systems to catch. Prevention will always matter. Detection will always matter. But neither determines whether an incident becomes a breach. Containment does. And containment is an architectural property, not a product feature. It either holds across every path and every workload or the Blast Radius is unbounded.

Run the Five Testable Properties against your environment after upgrading to 9.0. Path-complete. Identity-aware at L7. Detection-independent. Compute-model agnostic. Universally propagated. Count how many your stack delivers today. Then count how many it delivers after 9.0.

The gap between those two numbers is your containment deficit. 9.0 is how you close it.

Talk to your account team about a guided upgrade path. Read the Validated Containment Architectures library for deployment blueprints covering Kubernetes, serverless, and AI agent workloads.

If you are an existing customer, 9.0 is available now and the upgrade path is designed to be frictionless.

If you are evaluating Aviatrix for the first time, start with one VPC. See the back-out live. Decide from there.

Frequently Asked Questions

A Containment Platform is a security architecture designed to limit how far an attacker can move once they get inside your cloud environment. Prevention and detection are still important, but they can't stop every breach. Containment ensures that when something does get through, the damage stays limited. It works by governing every communication path, enforcing policy across all workload types, and operating whether or not a threat has been detected. Aviatrix 9.0 strengthens this architecture by closing gaps that most security stacks still leave open.

The Five Testable Properties are architectural requirements that define whether a platform can deliver real containment:

  • Path-complete: Every communication path is governed with no bypasses.
  • Identity-aware at L7: Policy is based on workload identity, not IP addresses.
  • Detection-independent: Enforcement holds even if a breach hasn't been detected yet.
  • Compute-model agnostic: VMs, containers, serverless functions, and AI agents are all covered without requiring agents on each workload.
  • Universally propagated: A single policy reaches every cloud environment in subseconds.

These properties are measurable and can be tested against any environment.

Aviatrix 9.0 introduces several features that close common containment gaps:

  • DCF (Distributed Cloud Firewall) East-West with Transit Gateway adds enforcement to inter-VPC traffic without replacing your existing architecture.
  • Serverless DCF extends policy enforcement to Lambda, Azure Functions, and Cloud Run workloads with no agents or code changes.
  • DCF on Edge brings the same enforcement to edge compute environments.
  • IPv6 Phase 2 ensures full dual-stack enforcement so IPv6 traffic can't bypass policy.
  • Kubernetes Discovery identifies K8s workloads natively without modifying clusters, CNIs, or pods.

Aviatrix 9.0 is designed around a "monitor before enforce" approach. Teams can roll out containment one VPC at a time, with built-in back-out states at every step. Features like Gateway Drain and Undrain let you perform maintenance without dropping active connections. Smart Gateways Phase 2 adds automated health monitoring and self-healing failover. These capabilities mean the enforcement plane stays stable during infrastructure changes, so security improvements don't come at the cost of application availability.

Run the Five Testable Properties against your current stack. Ask whether every communication path is governed, whether policy covers all workload types (including serverless and Kubernetes), whether enforcement depends on detecting a threat first, and whether policy propagates across all clouds in subseconds. Most organizations pass two or three of the five.

After upgrading to 9.0, run the test again. The difference between your two scores represents your containment deficit.

Your Aviatrix account team can guide you through a structured upgrade path.
