Advanced Concepts

Citrix ADC High Availability with Azure Load Balancer Front End IP Validated Reference Design


Implement a Citrix ADC high availability deployment in Microsoft Azure utilizing the Azure Load Balancer (ALB) as the Front End (FE) load balancer.

You can deploy a pair of Citrix ADC virtual appliances with multiple NICs in an active-passive high availability (high availability) setup on Azure. Each NIC can contain multiple IP addresses.

Configuring Citrix ADC VPX in High Availability Mode in Azure Service Management

The active-passive mode provides failover capability. In this mode, the VPX instances synchronize their configuration states. When the primary instance fails, the secondary instance takes over.

For information about high availability in Citrix ADC appliances, see High Availability

In a Microsoft Azure deployment, a high availability configuration of two Citrix ADC virtual machines is achieved by using the Azure load balancer, which distributes the client traffic across the virtual servers configured on both the Citrix ADC instances. Two types of Azure load balancers are available for high availability: Azure external load balancer: If the client traffic originates from the Internet, you have to deploy the external load balancer between the Internet and the Citrix ADC VPX instances to distribute client traffic. Azure internal load balancer: If the client traffic originates from within the cloud service, or is forwarded by a gateway or firewall within the cloud service, you have to deploy the internal load balancer to distribute client traffic. To achieve high availability on Azure, you must add the two Citrix ADC VMs as a load balanced set and configure the endpoints.

Citrix ADC active-passive deployment assumptions

  • A high availability Independent Network Configuration (INC) configuration
  • The Azure Load Balancer (ALB) in Direct Server Return (DSR) mode
  • All traffic goes through the primary node.
  • The secondary node remains in standby mode until the primary node fails.


For a Citrix ADC high availability deployment on Azure cloud to work, you need a floating public IP (PIP) that can be moved between the two Citrix ADC high availability nodes. The Azure Load Balancer (ALB) provides that floating PIP, which is moved to the second node automatically in the event of a failover.

The floating IP setting is configured in the ALB Load Balancing Rules as defined in step 4 under the ALB configuration section.

Citrix ADC IPSET feature overview

An IP set is a set of IP addresses, which are configured on the Citrix ADC appliance as Subnet IP addresses (SNIPs) or Virtual IP addresses (VIPs). An IP set is identified with a meaningful name that helps in identifying the usage of the IP addresses contained in it. To create an IP set, add an IP set and bind Citrix ADC owned IP addresses to it. SNIP addresses and VIP addresses can be present in the same IP set.

Azure Load Balancer overview

Deploy Citrix ADC high availability instances using the Citrix ADC 12.1 High Availability (high availability) Azure Resource Manager (ARM) template.

This template guides through deployment of Citrix ADC high availability Active-Passive mode. Preconfigured to include components and setting to deliver seamless high availability experience. Details of topology can be found at High Availability.

On successful deployment, a pair of Citrix ADC appliances is pre-configured in HA-INC mode. Citrix ADC VPX high availability template support different SKUs of Citrix ADC such as BYOL and hourly license such as VPX 10, VPX 200, VPX 1000, and VPX 3000.


The ARM Template for Citrix ADC contains specific Azure Load Balancing variables as resources.

Configuration prerequisites for the deployment

  • Azure Load Balancer Configuration
  • Citrix ADC Configuration

Azure Load Balancer configuration

  1. Add a front end IP address for each Citrix ADC service that will be available through the Azure Load Balancer.

  2. Add the alb back-end Pool for each application.

  3. Add the alb Health Probe for each application.

  4. Add the alb Load balancing rule.

  5. Add one or more Inbound security rules to the network security group (NSG)

Citrix NetScaler configuration

The NetScaler requires the addition of IPSETS to map the Citrix ADC resources to the Azure front end IP configuration.


Repeat the following steps for every VIP that requires a front-end Public IP from the ALB.

  1. Add the Azure front-end Public IP addresses to the Citrix ADC

    add ns ip 23.99.xx.xx -type vip (Azure Frontend Ip)
  2. Create and Bind the IPSET on the Citrix ADC for the Azure front-end IP

    add ipset net_1
    bind ipset net_1 23.99.xx.xx
  3. Update the Citrix ADC VIP with the IPSET

    set lb vserver net_1 -ipset net_1

Verify port connectivity to the ALB

Use a tool like or similar to verify the ALB and Citrix ADC services are available.

    IP address or host name:
    Port number:"80, 443. etc"
    23.99.xx.xx:80 port is open ---


  • nstcpdump - verify the Citrix ADC front end IP configuration
  • nstrace - verify the ALB health probe
Citrix ADC High Availability with Azure Load Balancer Front End IP Validated Reference Design