Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

January 21, 2020

Breaking changes

After a period of deprecation, we have removed the list-versions and update commands from apoctl.

New features

Web interface redesign

We’ve redesigned the web interface. Some of the highlights include:

  • Better login page
  • New getting-started page with helpful links
  • Most common features moved to the top of the left menu
  • More consistent toolbars

Arguments added to SSH command logs

The logs of the SSH commands issued by users now include the arguments.

Webhook automation usability improvements

The web interface now prevents users from creating malformed webhook automations.

  • It no longer allows users to specify conditions.
  • It allows only a single action.
  • The Edit Action dialog provides better stub code.

Streamlined web interface logins

Instead of clicking through several screens each time you log into the Aporeto web interface, you can now provide your selections in the URL itself.

  • Syntax: <NAMESPACE>&authmethod=<METHOD>&provider=<NAME>
  • Example

After constructing the appropriate URL, you can bookmark it in your browser for much faster and easier logins.

Reduced latency

The latest enforcer includes a new ENFORCERD_COMPRESSED_TAGS option that reduces latency. We recommend this option for all new installs and have updated the install instructions to enable it by default.

If you wish to upgrade your enforcers to use this new tag, ensure that you upgrade all of your enforcers. Enforcers compressing tags cannot communicate with enforcers not compressing tags.
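As an added check (not part of these release notes or of Aporeto's own tooling), the script below reads one enforcer configuration dump per host and reports whether a partial rollout of ENFORCERD_COMPRESSED_TAGS would leave groups of enforcers that cannot talk to each other. It assumes each host's configuration is available as KEY=VALUE lines, as in an environment file; that format, the hostnames and the sample values are constructed for the example, and the treatment of true/false spellings is an assumption about the option rather than documented behaviour.

```python
"""Fleet consistency check for the ENFORCERD_COMPRESSED_TAGS rollout.

Enforcers with tag compression enabled cannot talk to enforcers without it,
so a partial rollout silently partitions the fleet. This script takes one
KEY=VALUE configuration dump per host (the dump format and the hostnames are
constructed for this example) and reports which hosts would be unable to
communicate with each other.
"""

# Constructed sample: the enforcer configuration of four hosts, captured as
# KEY=VALUE lines. The variable name comes from the release notes; the values
# and hostnames are made up for the example.
SAMPLE_CONFIGS = {
    "web-01": "ENFORCERD_COMPRESSED_TAGS=true\nENFORCERD_LOG_LEVEL=info\n",
    "web-02": "ENFORCERD_COMPRESSED_TAGS=1\n",
    "db-01": "ENFORCERD_LOG_LEVEL=info\n",          # option absent -> treated as off
    "db-02": "ENFORCERD_COMPRESSED_TAGS=false\n",
}

# Assumed spellings of on/off; anything else is reported rather than guessed.
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; ignores blanks and '#' comments, strips quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def compressed_tags_enabled(env: dict) -> bool:
    """Interpret the option; an absent option counts as disabled."""
    value = env.get("ENFORCERD_COMPRESSED_TAGS", "").lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised ENFORCERD_COMPRESSED_TAGS value: {value!r}")


def partition_fleet(configs: dict) -> dict:
    """Group hosts by their compressed-tags setting.

    Returns {"compressed": [...], "uncompressed": [...], "consistent": bool}.
    A fleet is consistent only when one of the two groups is empty.
    """
    groups = {"compressed": [], "uncompressed": []}
    for host in sorted(configs):
        env = parse_env(configs[host])
        bucket = "compressed" if compressed_tags_enabled(env) else "uncompressed"
        groups[bucket].append(host)
    groups["consistent"] = not (groups["compressed"] and groups["uncompressed"])
    return groups


def report(configs: dict) -> str:
    """Human-readable summary of the partition check."""
    groups = partition_fleet(configs)
    if groups["consistent"]:
        return "OK: all enforcers agree on ENFORCERD_COMPRESSED_TAGS"
    return (
        "WARNING: fleet is split; these groups cannot communicate with each other\n"
        f"  compressed:   {', '.join(groups['compressed'])}\n"
        f"  uncompressed: {', '.join(groups['uncompressed'])}"
    )


if __name__ == "__main__":
    print(report(SAMPLE_CONFIGS))
```

Run it before and after the upgrade window: the check should print the WARNING line only while the rollout is in progress, and any host that still shows up under "uncompressed" afterwards is one that will be cut off from the rest of the fleet.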

Support for identity providers with private certificate authorities

You can now authenticate SSH and control plane users against OpenID Connect (OIDC) identity providers that use private certificate authorities (CAs). Aporeto provides a new option to supply the PEM-encoded SSL certificate of the identity provider’s CA during the configuration. If the identity provider uses a well-known, trusted CA, you can leave the field blank.

New Services tab

After clicking on a flow in the Platform pane, you can now view details of any services or proxies involved in the flow in a new Services tab. These details include HTTP methods and resources, if applicable.

Control plane performance and reliability improvements

We’ve continued to tune the control plane for optimal performance and reliability at scale. This release includes the following enhancements.

  • Better API gateway response times through use of TCP fast open and other low-level optimizations
  • Significant reduction in the number of processing unit pokes
  • Flow logs transmitted in batches for improved fault tolerance
  • Strategic use of caches
  • Ensuring that critical services have necessary resources and scale up as needed

Known issue

Red Hat Enterprise Linux 8+ requires special configuration to work with the SSH access control feature. If you require this distribution, contact us for assistance.