

    Richard Faulkner
    • Validation Status: Validated

    NetScaler ADC for Azure DNS Private Zone Deployment Guide

    Introduction

    NetScaler ADC is a world-class product in the application delivery controller (ADC) space, with the proven ability to load balance, manage global traffic, compress, and secure applications.

    Azure DNS is a service on the Microsoft Azure infrastructure for hosting DNS domains and providing name resolution.

    Azure DNS Private Zones is a service focused on resolving domain names in a private network. With Private Zones, customers can use their own custom domain names rather than the Azure-provided names available today.

     

    Overview of Azure DNS

    The Domain Name System, or DNS, is responsible for translating (or resolving) a service name to its IP address. A hosting service for DNS domains, Azure DNS provides name resolution by using the Microsoft Azure infrastructure. In addition to supporting internet-facing DNS domains, Azure DNS now also supports private DNS domains.

    Azure DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without needing a custom DNS solution. By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names available today. Using custom domain names helps you tailor your virtual network architecture to your organization's needs. It provides name resolution for virtual machines (VMs) within a virtual network and between virtual networks. Customers can also configure zone names with a split-horizon view, which allows a private and a public DNS zone to share a name.

     

    Why NetScaler GSLB for Azure DNS private zone?

    Today, businesses want to move their workloads from on-premises to the Azure cloud, to gain time to market, lower capital expense, ease of deployment, and security. The Azure DNS Private Zone service offers a distinct proposition for businesses that move part of their workloads to Azure: with the private zone service they can keep the private DNS names they have used on-premises for years. In this hybrid model, with intranet application servers both on-premises and in the Azure cloud connected via secure VPN tunnels, one challenge is how a user gets seamless access to these intranet applications. NetScaler ADC addresses this use case with its global server load balancing feature, which routes application traffic to the most suitable of the distributed workloads/servers, either on-premises or in Azure, and reports application server health.

     

    Use Case

    Users in the on-premises network and in different Azure VNets should be able to connect to the most suitable servers on the internal network for the content they need. This keeps the application available, optimizes cost, and gives a good user experience. Azure private traffic management (PTM) is the primary requirement here: PTM ensures that users' DNS queries resolve to an appropriate private IP address of the application server.

     

    Use Case Solution

    NetScaler ADC includes the global server load balancing (GSLB) feature, which meets the Azure PTM requirement. GSLB acts as an authoritative DNS server: it receives DNS requests and resolves each to an appropriate IP address, providing:

    • Seamless DNS based failover
    • Phased migration from on-premises to cloud
    • A/B Testing a new feature

    Among the many load balancing methods supported, the following are useful in this solution:

    1. Round Robin

    2. Static proximity (Location based server selection): It can be deployed in two ways

      1. EDNS Client Subnet (ECS) based GSLB on NetScaler ADC
      2. Deploy a DNS forwarder for every Virtual network

    Topology

    • The NetScaler ADC GSLB deployment for an Azure private DNS zone is shown logically in Figure 1.

    [Figure 1: NetScaler ADC GSLB topology for an Azure private DNS zone]

    • A user can reach any application server, in Azure or on-premises, according to the NetScaler ADC GSLB load balancing method in an Azure private DNS zone
    • All traffic between on-premises and the Azure Virtual Network goes through a secure VPN tunnel only
    • Application traffic, DNS traffic, and monitoring traffic are shown in the preceding topology.
    • Depending on the required redundancy, NetScaler ADC and the DNS forwarder can be deployed in the Virtual Networks and data centers. For simplicity, only one NetScaler ADC is shown here, but we recommend at least one set of NetScaler ADC and DNS forwarder per Azure region.
    • All user DNS queries first go to the DNS forwarder, which has rules defined for forwarding the queries to the appropriate DNS server.

    Configuring NetScaler ADC for Azure DNS Private Zone

    Products and Versions tested

    Product                Version
    Azure                  Cloud Subscription
    NetScaler ADC VPX      BYOL (Bring your own license)
    Note:
    The deployment was tested with, and remains the same for, NetScaler ADC version 12.0 and above.

    Prerequisites and configuration notes

    The following are the general prerequisites and the configuration tested for this guide; cross-check them before configuring NetScaler ADC:

    Solution description

    Suppose a customer wants to host one application in an Azure DNS private zone (rr.ptm.mysite.net) that runs over HTTPS and is deployed across Azure and on-premises, with intranet access distributed by the round robin GSLB load balancing method. Enabling GSLB for the Azure private DNS zone with NetScaler ADC consists of two parts: configuring Azure and the on-premises setup, and configuring the NetScaler ADC appliance.

    Part 1: Configure Azure, On-premises Setup

    As shown in Topology, set up the Azure Virtual Networks (VNet A and VNet B in this case) and the on-premises environment.

    Step 1: Create an Azure private DNS zone with the domain name (mysite.net)
    Step 2: Create two Virtual Networks (VNet A, VNet B) in a Hub and Spoke model in an Azure region
    Step 3: Deploy an App Server, DNS Forwarder, Windows 10 Pro client, and NetScaler ADC in VNet A
    Step 4: Deploy an App Server, and a DNS Forwarder if any clients are in VNet B
    Step 5: Deploy an App Server, DNS Forwarder, and Windows 10 Pro client on-premises

    Azure private DNS Zone

    Log into the Azure Portal and select or create a dashboard. Now click create a resource and search for DNS zone to create one (mysite.net in this case) as shown in the following image.

    [Image: Azure portal, creating the DNS zone mysite.net]

    Azure virtual Networks (VNet A, VNet B) in Hub and spoke Model

    Select the same dashboard and click create a resource and search for virtual networks to create two virtual networks namely VNet A, VNet B in same region and peer them to form a Hub and Spoke model as shown in the following image. See Implement a hub-spoke network topology in Azure for information about how to set up a hub and spoke topology.

    [Images: Azure portal, creating VNet A and VNet B in the same region]

    VNet A to VNet B peering

    To peer VNet A and VNet B click peerings from settings menu of VNet A and peer VNet B, enable Allow forwarded traffic and Allow gateway transit as shown in the following image.

    [Image: VNet A peering settings, Allow forwarded traffic and Allow gateway transit enabled]

    After successful peering you see as shown in the following image:

    [Image: VNet A peering status after successful peering]

    VNet B to VNet A peering

    To peer VNet B and VNet A click peerings from settings menu of VNet B and peer VNet A, enable Allow forwarded traffic and Use remote gateways as shown in the following image.

    [Image: VNet B peering settings, Allow forwarded traffic and Use remote gateways enabled]

    After successful peering you see as shown in the following image:

    [Image: VNet B peering status after successful peering]

    Deploy App Server, DNS Forwarder, Windows 10 Pro client, NetScaler ADC in VNet A

    We briefly discuss the App server, DNS forwarder, Windows 10 Pro client, and NetScaler ADC in VNet A. Select the same dashboard, click create a resource, search for the respective instances, and assign each an IP from the VNet A subnet.

    App Server

    The App server is simply a web server (HTTP server): deploy Ubuntu Server 16.04 as an instance on Azure or as an on-premises VM and run the command sudo apt install apache2 to turn it into a web server.

    Windows 10 Pro Client

    Launch Windows 10 pro instance as Client Machine on VNet A and on-premises too.

    NetScaler ADC

    NetScaler ADC complements the Azure DNS private zone with health checks and with analytics from NetScaler ADM. Launch a NetScaler ADC from the Azure Marketplace based on your requirement; here we used NetScaler ADC (BYOL) for this deployment. After deployment, use the NetScaler ADC IP to configure NetScaler ADC GSLB. For detailed deployment steps, see Deploy a NetScaler VPX Instance on Microsoft Azure.

    DNS Forwarder

    The DNS forwarder forwards client requests for the hosted domains to the NetScaler ADC GSLB (ADNS IP). Launch an Ubuntu Server 16.04 Linux instance and refer to the linked guide on how to set it up as a DNS forwarder.

    Note:
    For the Round Robin GSLB load balancing method, one DNS forwarder per Azure region is sufficient, but for Static Proximity one DNS forwarder per virtual network is needed, because without ECS the ADC sees the forwarder's address, not the client's, as the source of the query.

    After deploying the forwarder, change the DNS server setting of Virtual Network A from Default to Custom with the VNet A DNS forwarder IP, as shown in the following image. Then edit the named.conf.options file on the VNet A DNS forwarder to add forwarding rules for the domain (mysite.net), pointing to the Azure-provided DNS, and for the subdomain (ptm.mysite.net), pointing to the ADNS IP of the NetScaler ADC GSLB. Restart the DNS forwarder to apply the changes made in named.conf.options.

    VNet A DNS Forwarder Settings

    // Domain zone: forwarded to the Azure-provided DNS address of the region,
    // which answers for the private zone mysite.net
    zone "mysite.net" {
        type forward;
        forwarders { 168.63.129.16; };
    };

    // Subdomain zone: forwarded to the ADNS IP of the NetScaler ADC GSLB
    zone "ptm.mysite.net" {
        type forward;
        forwarders { 10.8.0.5; };
    };

     

    Note:
    For the domain ("mysite.net") zone IP address, use the DNS IP of your Azure region. For the subdomain ("ptm.mysite.net") zone IP address, use all ADNS IP addresses of your GSLB instances.

    Deploy App Server and deploy a DNS Forwarder if any clients are in VNet B

    Now for Virtual Network B, select the same dashboard, click create a resource, search for the respective instances, and assign each an IP from the VNet B subnet. Launch the App server, and also a DNS Forwarder if the Static Proximity GSLB load balancing method is used, in the same way as for VNet A. Edit the VNet B DNS Forwarder settings in named.conf.options as shown:

    VNet B DNS Forwarder Settings: 

    // Only the GSLB subdomain is forwarded to the NetScaler ADC ADNS IP;
    // other names are resolved by the forwarder's own configuration
    zone "ptm.mysite.net" {
        type forward;
        forwarders { 10.8.0.5; };
    };

     

    [Image: VNet B DNS forwarder configuration]

    Deploy app server, DNS Forwarder, and Windows 10 pro client on on-premises

    Now for on-premises, launch the VMs on your own hosts and bring up the App server, DNS Forwarder, and Windows 10 Pro client in the same way as for VNet A. Edit the on-premises DNS Forwarder settings in named.conf.options as shown in the following example.

    On-Premises DNS Forwarder Settings

    // Domain zone: forwarded over the VPN to the VNet A DNS forwarder,
    // which in turn forwards to the Azure-provided DNS
    zone "mysite.net" {
        type forward;
        forwarders { 10.8.0.6; };
    };

    // Subdomain zone: forwarded to the ADNS IP of the NetScaler ADC GSLB
    zone "ptm.mysite.net" {
        type forward;
        forwarders { 10.8.0.5; };
    };

     

    Here, for mysite.net we use the DNS forwarder IP of VNet A (10.8.0.6) instead of the Azure private DNS zone server IP (168.63.129.16), because that address is a special virtual IP reachable only from within Azure and not from on-premises. Hence this change is required in the on-premises DNS forwarder settings.
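    As an added example (not part of the original guide), the following Python script models how the three forwarder configurations above route a query: it parses the named.conf.options zone stanzas, applies BIND's longest-suffix zone selection, follows the query hop by hop to the server that finally answers, and flags the misconfiguration just described (an on-premises forwarder pointing mysite.net straight at 168.63.129.16). The zone stanzas and the addresses 10.8.0.5, 10.8.0.6 and 168.63.129.16 are the guide's; the VNet B and on-premises forwarder addresses (10.8.1.6, 192.168.1.6) and the query names app1.mysite.net and www.example.com are assumptions.

```python
"""Model of how the guide's three BIND forwarders route a DNS query.

Added example, not part of the original guide. Zone stanzas and the addresses
10.8.0.5 (NetScaler ADNS), 10.8.0.6 (VNet A forwarder) and 168.63.129.16
(Azure-provided DNS) come from the guide; 10.8.1.6 and 192.168.1.6 are assumed.
"""
import re

# named.conf.options fragments as given in the guide (constructed copies).
VNET_A_CONF = '''
zone "mysite.net"     { type forward; forwarders { 168.63.129.16; }; };
zone "ptm.mysite.net" { type forward; forwarders { 10.8.0.5; }; };
'''
VNET_B_CONF = '''
zone "ptm.mysite.net" { type forward; forwarders { 10.8.0.5; }; };
'''
ONPREM_CONF = '''
zone "mysite.net"     { type forward; forwarders { 10.8.0.6; }; };
zone "ptm.mysite.net" { type forward; forwarders { 10.8.0.5; }; };
'''

AZURE_VIRTUAL_DNS = "168.63.129.16"   # answered only from inside Azure


def parse_forward_zones(conf: str) -> dict:
    """Return {zone: [forwarder, ...]} for every `type forward` zone stanza."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):           # walk to the stanza's closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        if not re.search(r"\btype\s+forward\s*;", body):
            continue
        fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
        ips = re.findall(r"\d+(?:\.\d+){3}", fwd.group(1)) if fwd else []
        zones[m.group(1).rstrip(".").lower()] = ips
    return zones


def select_forwarders(zones: dict, qname: str):
    """BIND picks the most specific forward zone covering qname (longest suffix)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            return zone, zones[zone]
    return None, []              # no forward zone: the forwarder resolves it itself


# Constructed topology: address -> (location, role, forward zones; None marks an
# authoritative endpoint rather than a forwarder).
NODES = {
    "10.8.0.6":        ("azure",  "VNet A DNS forwarder",      parse_forward_zones(VNET_A_CONF)),
    "10.8.1.6":        ("azure",  "VNet B DNS forwarder",      parse_forward_zones(VNET_B_CONF)),
    "192.168.1.6":     ("onprem", "on-premises DNS forwarder", parse_forward_zones(ONPREM_CONF)),
    "10.8.0.5":        ("azure",  "NetScaler ADC ADNS (GSLB)", None),
    AZURE_VIRTUAL_DNS: ("azure",  "Azure-provided DNS (private zone)", None),
}

# The mistake the guide warns against: the on-premises forwarder reusing the
# VNet A stanza, so mysite.net points straight at the Azure virtual DNS address.
MISCONFIGURED_NODES = dict(NODES)
MISCONFIGURED_NODES["192.168.1.6"] = ("onprem", "on-premises DNS forwarder (wrong)",
                                      parse_forward_zones(VNET_A_CONF))


def trace(nodes: dict, first_hop: str, qname: str) -> list:
    """Follow qname from the client's DNS server to the server that answers.

    Returns the hop addresses. Raises ValueError when a hop would forward to the
    Azure virtual DNS address from outside Azure, or when forwarding loops.
    """
    path, hop = [], first_hop
    while hop not in path:
        path.append(hop)
        location, _, zones = nodes[hop]
        if zones is None:                        # authoritative endpoint: done
            return path
        _, fwds = select_forwarders(zones, qname)
        if not fwds:                             # resolved by the forwarder itself
            return path
        nxt = fwds[0]
        if nxt == AZURE_VIRTUAL_DNS and location != "azure":
            raise ValueError(f"{hop} ({location}) cannot reach {nxt}")
        hop = nxt
    raise ValueError("forwarding loop: " + " -> ".join(path + [hop]))


def explain(nodes: dict, first_hop: str, qname: str) -> str:
    """One-line description of the resolution path, or why it fails."""
    try:
        path = trace(nodes, first_hop, qname)
    except ValueError as err:
        return f"UNREACHABLE: {err}"
    return " -> ".join(f"{ip} [{nodes[ip][1]}]" for ip in path)


if __name__ == "__main__":
    for client, first_hop in (("VNet A client", "10.8.0.6"), ("VNet B client", "10.8.1.6"),
                              ("on-prem client", "192.168.1.6")):
        for name in ("rr.ptm.mysite.net", "app1.mysite.net"):
            print(f"{client:15} {name:20} {explain(NODES, first_hop, name)}")
    print("on-prem misconfigured:", explain(MISCONFIGURED_NODES, "192.168.1.6", "app1.mysite.net"))
```

    Running the script shows the two-hop path an on-premises query for a plain mysite.net name takes (on-premises forwarder, VNet A forwarder, Azure-provided DNS), the single hop that every rr.ptm.mysite.net query takes to the NetScaler ADNS regardless of where the client sits, and the failure when the on-premises forwarder is given the VNet A stanza unchanged.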

    Part 2: Configure the NetScaler ADC

    As shown in Topology, deploy the NetScaler ADC on Azure Virtual Network (VNet A in this case) and access it through NetScaler ADC GUI.

    Configuring NetScaler ADC GSLB

    Step 1: Create the ADNS service
    Step 2: Create sites, local and remote
    Step 3: Create GSLB services for the local virtual servers
    Step 4: Create the GSLB virtual server for the GSLB services

    Add ADNS Service

    Log into the NetScaler ADC GUI. On the Configuration tab, navigate to Traffic Management > Load Balancing > Services and add a service. It is recommended to configure the ADNS service for both TCP and UDP, as shown here:

    [Images: adding the ADNS service for UDP and TCP]

    Add GSLB Sites

    Add local and remote sites between which GSLB will be configured. On the Configuration tab, navigate to Traffic Management > GSLB > GSLB Sites. Add a site as shown here and repeat the same procedure for other sites.

    [Images: adding the GSLB sites]

    Add GSLB Services

    Add GSLB services for the local and remote virtual servers that load balance the App servers. On the Configuration tab, navigate to Traffic Management > GSLB > GSLB Services. Add the services as shown in the following examples, and bind an HTTP monitor to check server status.

    [Images: adding the GSLB services]

    After creating the service, go to the Advanced Settings tab inside the GSLB service and add the Monitors tab to bind the GSLB service to an HTTP monitor, which brings up the state of the service.

    [Image: binding an HTTP monitor to a GSLB service]

    Once bound to the HTTP monitor, the state of the services is UP as shown here:

    [Image: GSLB services in the UP state]

    Add GSLB Virtual Server

    Add the GSLB virtual server through which the App servers' GSLB services are reached. On the Configuration tab, navigate to Traffic Management > GSLB > GSLB Virtual Servers. Add the virtual server as shown in the following example, and bind the GSLB services and the domain name to it.

    [Image: adding a GSLB virtual server]

    After creating the GSLB virtual server and selecting the appropriate load balancing method (Round Robin in this case), bind the GSLB services and the domain to complete the step.

    [Image: GSLB virtual server with Round Robin load balancing method]

    Go to the Advanced Settings tab inside the virtual server and add the Domains tab to bind a domain.

    Go to Advanced > Services, click the arrow to bind a GSLB service, and bind all three services (VNet A, VNet B, On-premises) to the virtual server.

    [Image: binding GSLB services to the virtual server]

    After binding GSLB services and Domain to the virtual server it appears as shown here:

    [Image: GSLB virtual server with services and domain bound]

    Check that the GSLB virtual server is UP and 100% healthy. When the monitor shows the server up and healthy, the sites are in sync and the back-end services are available.

    [Image: GSLB virtual server state UP, 100% health]

    To test the deployment, access the domain URL rr.ptm.mysite.net from either the cloud client machine or the on-premises client machine. For example, accessing it from the cloud Windows client shows that even the on-premises App server is reached through the private DNS zone, without any need for a third-party or custom DNS solution.
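    As an added example (not from the guide, which gives only GUI steps), the following Python script emits the NetScaler CLI equivalent of Part 2 above: enable GSLB, add the ADNS service on UDP and TCP, add the three sites, add the GSLB services with an HTTP monitor bound, and add the round robin GSLB virtual server with its services and domain bound. It also refuses to emit commands when a service refers to a site that was never defined. The ADNS IP 10.8.0.5 and the domain rr.ptm.mysite.net are the guide's; the object names, the VNet B and on-premises site and server addresses, using the local site IP as the ADNS IP, and the built-in http monitor are assumptions. The generated commands can be pasted into the NetScaler CLI or saved to a file and applied with the NetScaler batch command.

```python
"""NetScaler CLI rendering of Part 2 (ADNS service, GSLB sites, GSLB services,
GSLB virtual server) for the guide's round-robin deployment.

Added example, not from the guide. Object names, all addresses other than the
ADNS IP 10.8.0.5, and the built-in `http` monitor are assumptions.
"""
from dataclasses import dataclass, field

LB_METHODS = {"ROUNDROBIN", "LEASTCONNECTION", "LEASTRESPONSETIME",
              "SOURCEIPHASH", "STATICPROXIMITY", "RTT"}


@dataclass
class Site:
    name: str
    ip: str                 # site IP: an address owned by the ADC at that site


@dataclass
class Service:
    name: str
    ip: str                 # app server or LB vserver address at the site
    site: str
    port: int = 80
    protocol: str = "HTTP"
    monitor: str = "http"   # built-in NetScaler HTTP monitor


@dataclass
class GslbDeployment:
    domain: str
    adns_ip: str
    vserver: str
    sites: list = field(default_factory=list)
    services: list = field(default_factory=list)
    lb_method: str = "ROUNDROBIN"
    ttl: int = 5            # DNS TTL handed out for the GSLB domain

    def validate(self) -> list:
        """Return a list of problems; empty when the model is consistent."""
        problems = []
        known = {s.name for s in self.sites}
        for svc in self.services:
            if svc.site not in known:
                problems.append(f"service {svc.name} bound to undefined site {svc.site}")
        if self.lb_method not in LB_METHODS:
            problems.append(f"unknown lbMethod {self.lb_method}")
        if not self.services:
            problems.append("no GSLB services defined")
        return problems

    def commands(self) -> list:
        """Ordered NetScaler CLI commands: feature, ADNS, sites, services, vserver."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        cmds = ["enable ns feature LB GSLB",
                # Step 1: ADNS service on both UDP and TCP, as the guide recommends
                f"add service adns_udp {self.adns_ip} ADNS 53",
                f"add service adns_tcp {self.adns_ip} ADNS_TCP 53"]
        # Step 2: GSLB sites (the ADC marks a site LOCAL when it owns the IP)
        cmds += [f"add gslb site {s.name} {s.ip}" for s in self.sites]
        # Step 3: GSLB services, each with a monitor bound so its state comes UP
        for svc in self.services:
            cmds.append(f"add gslb service {svc.name} {svc.ip} {svc.protocol} "
                        f"{svc.port} -siteName {svc.site}")
            cmds.append(f"bind gslb service {svc.name} -monitorName {svc.monitor}")
        # Step 4: GSLB vserver with the LB method, then bind services and domain
        proto = self.services[0].protocol
        cmds.append(f"add gslb vserver {self.vserver} {proto} -lbMethod {self.lb_method}")
        cmds += [f"bind gslb vserver {self.vserver} -serviceName {svc.name}"
                 for svc in self.services]
        cmds.append(f"bind gslb vserver {self.vserver} -domainName {self.domain} "
                    f"-TTL {self.ttl}")
        return cmds


def guide_deployment() -> GslbDeployment:
    """The guide's three-site round-robin setup (addresses other than 10.8.0.5 assumed)."""
    return GslbDeployment(
        domain="rr.ptm.mysite.net", adns_ip="10.8.0.5", vserver="gslb_vs_rr",
        sites=[Site("site_vneta", "10.8.0.5"),       # local site shares the ADNS IP
               Site("site_vnetb", "10.8.1.5"),
               Site("site_onprem", "192.168.1.5")],
        services=[Service("gslb_svc_vneta", "10.8.0.10", "site_vneta"),
                  Service("gslb_svc_vnetb", "10.8.1.10", "site_vnetb"),
                  Service("gslb_svc_onprem", "192.168.1.10", "site_onprem")],
    )


if __name__ == "__main__":
    print("\n".join(guide_deployment().commands()))
```

    The order matters on a real appliance: sites must exist before services reference them, and the virtual server must exist before services and the domain are bound to it, which is why the generator emits the steps in the same sequence the GUI procedure follows.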

    Conclusion

    NetScaler ADC, the leading application delivery solution, is best suited to provide load balancing and GSLB capabilities for Azure DNS private zone. By subscribing to Azure DNS Private Zone, the business can rely on NetScaler ADC Global Server Load Balancing’s (GSLB) power and intelligence to distribute intranet traffic across workloads located in multiple geographies and across data centers, connected via secure VPN tunnels. This collaboration guarantees businesses seamless access to part of their workload they want to move to Azure public cloud.

