Deployment Guide Citrix ADC VPX on AWS - Autoscale

Contributors

Author: Blake Schindler

Overview

Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments.

As an undisputed leader of service and application delivery, Citrix ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, Citrix ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. Citrix ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

Citrix VPX

The Citrix ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms:

  • Citrix Hypervisor

  • VMware ESX

  • Microsoft Hyper-V

  • Linux KVM

  • Amazon Web Services

  • Microsoft Azure

  • Google Cloud Platform

This deployment guide focuses on Citrix ADC VPX on Amazon Web Services.

Amazon Web Services

Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services can offer tools such as compute power, database storage, and content delivery services.

AWS offers the following essential services

  • AWS Compute Services

  • Migration Services

  • Storage

  • Database Services

  • Management Tools

  • Security Services

  • Analytics

  • Networking

  • Messaging

  • Developer Tools

  • Mobile Services

AWS Terminology

Here is a brief description of the key terms used in this document that users must be familiar with:

  • Amazon Machine Image (AMI) - A machine image that provides the information required to launch an instance (a virtual server in the cloud).

  • Auto Scaling - A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks.

  • AWS Auto Scaling Group - An AWS auto scaling group is a collection of EC2 instances that share similar characteristics and are treated as a logical grouping for the purposes of instance scaling and management.

  • Elastic Block Store - Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

  • Elastic Compute Cloud (EC2) - A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

  • Elastic Load Balancing (ELB) - Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. Distributing the traffic increases the fault tolerance of user applications.

  • Elastic Network Interface (ENI) - A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC).

  • Elastic IP (EIP) address - A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change.

  • IAM instance profile - An identity attached to the Citrix ADC instances provisioned in a cluster in AWS. The profile allows the instances to call AWS services once they start load balancing client requests.

  • Identity and Access Management (IAM) - The AWS service that defines identities and the permission policies that determine what each identity can and cannot do in AWS. An IAM role is such an identity; users can use an IAM role to allow applications running on an EC2 instance to access AWS resources without embedding long-lived credentials. An IAM role is required for deploying VPX instances in a high-availability setup.

  • Instance type - Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications.

  • Listener - A listener is a process that checks for connection requests, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to the targets in one or more target groups.

  • NLB - Network load balancer. NLB is an L4 load balancer available in the AWS environment.

  • Route 53 - Route 53 is Amazon’s highly available and scalable cloud domain name system (DNS) web service.

  • Security groups - A named set of rules that control the inbound and outbound network connections allowed for an instance.

  • Subnet - A segment of the IP address range of a VPC with which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs.

  • Virtual Private Cloud (VPC) - A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define.

Here is a brief description of other terms used in this document that we recommend you are familiar with:

  • Autoscale Groups - An Autoscale group is a group of Citrix ADC instances that load balance applications as a single entity and trigger autoscaling when the threshold parameters breach the limits. Citrix ADC instances scale-out or scale-in dynamically based on the autoscale groups configuration.

Note:

A Citrix autoscale group is called autoscale group throughout this document whereas the AWS autoscale group is explicitly called AWS autoscale group.

  • Citrix ADC Clusters - A Citrix ADC cluster is a group of Citrix ADC VPX instances and each instance is called a node. The client traffic is distributed across the nodes to provide high availability, high throughput, and scalability.

  • CloudFormation - A service for writing or changing templates that create and delete related AWS resources together as a unit.

  • Cooldown period - After a scale-out, the cooldown period is the time for which evaluation of the statistics has to be stopped. The cooldown period ensures organic growing of an autoscale group by allowing current traffic to stabilize and average out on the current set of instances before the next scaling decision is made. Default cooldown period value is 10 minutes and is configurable.

Note:

Default value is determined based on the time required for the system to stabilize after a scale-out (approximately 4 minutes) plus Citrix ADC configuration and DNS advertisement time.

  • Drain Connection Timeout - During scale-in, once an instance is selected for deprovisioning, Citrix ADM stops sending new connections for the autoscale group to that instance and waits until the specified drain connection timeout period expires before deprovisioning it. This timeout allows existing connections to the instance to drain before it is deprovisioned. Even if the connections drain before the timeout expires, Citrix ADM still waits for the full drain connection timeout period before starting a new evaluation.

Note:

If the connections are not drained even after the drain connection timeout expires, the Citrix ADM removes the instances which might impact the application. Default value is 5 minutes and is configurable.

  • Key pair - A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key.

  • Route table - A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.

  • Simple Storage Service (S3) - Storage for the Internet. It is designed to make web-scale computing easier for developers.

  • Tags - Each autoscale group is assigned a tag which is a key and value pair. You can apply tags to the resources that enable you to organize and identify resources easily. The tags are applied to both AWS and Citrix ADM. Example: Key= name, Value = webserver. Use a consistent set of tags to easily track the autoscale groups that might belong to various groups such as development, production, testing.

  • Threshold Parameters - Parameters that are monitored for triggering scale-out or scale-in. The parameters are CPU usage, memory usage, and throughput. You can select one parameter or more than one parameter for monitoring.

  • Time to Live (TTL) - Specifies the time interval that the DNS resource record may be cached before the source of the information should again be consulted. Default TTL value is 30 seconds and is configurable.

  • Watch Time - The time for which the scale parameter’s threshold has to stay breached for a scaling to happen. If the threshold is breached on all the samples collected in this specified time, then a scaling happens. If the threshold parameters remain at a value higher than the maximum threshold value throughout this duration, a scale-out is triggered. If the threshold parameters operate at a value lower than the minimum threshold value, a scale-in is triggered. Default value is 3 minutes and is configurable.

Use Cases

Compared to alternative solutions that require each service to be deployed as a separate virtual appliance, Citrix ADC on AWS combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, and other essential application delivery capabilities in a single VPX instance, conveniently available via the AWS Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises Citrix ADC deployments. The net result is that Citrix ADC on AWS enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers.

Data center Expansion with Autoscale

There are organizations looking to expand their Citrix footprint in the public cloud, and they are thinking about using native public cloud services. A common use case is for businesses to migrate to the cloud at their own pace so that they can focus on higher ROI workloads or applications. By using this solution, which often includes pooled capacity licensing to keep workloads both on-premises and in the cloud by decoupling bandwidth from instances, they can move to whichever cloud they choose at their own pace.

Now the public cloud provides elasticity, which is also a significant use case for customers who want to host applications on demand while not worrying about over or under provisioning of resources.

Efficient hosting of applications in a cloud involves easy and cost-effective management of resources depending on the application demand. For example, consider that a business has an e-commerce web portal running on AWS. This portal sometimes offers enormous discounts during which there is a spike in the application traffic. When application traffic increases during these offers, the applications must be scaled out dynamically and network resources might likewise also need to be increased.

The Citrix ADM autoscaling feature supports provisioning and autoscaling of Citrix ADC instances in AWS. The Citrix ADM autoscaling feature constantly monitors the threshold parameters such as memory usage, CPU usage, and throughput. Users can select one of these parameters or more than one parameter for monitoring. These parameter values are then compared to the user configured values. If the parameter values breach the limits, then scale-out or scale-in is triggered as needed.

The Citrix ADM autoscale feature architecture is designed in such a way that users can configure the minimum and maximum number of instances for each of the autoscale groups. Pre-setting these numbers ensures that each application is always up and running and aligns to customer demand.
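The watch time, cooldown and drain connection timeout rules from the terminology section, together with the threshold evaluation described above, as an added example of how such a decision loop behaves over sampled data. This is illustrative code, not Citrix ADM's implementation. Assumptions: samples arrive every 60 seconds; scale-out fires when any monitored parameter stays above its maximum for the whole watch time, while scale-in requires every parameter to stay below its minimum for the whole watch time; the telemetry is constructed.

```python
"""Decision loop for Citrix ADM-style autoscaling (added example, not Citrix code).

Models the page's semantics: a scaling action needs the threshold breached on
every sample across the watch time; after a scale-out, evaluation pauses for the
cooldown period; after a scale-in, it pauses for the drain connection timeout.
Assumptions: samples arrive every 60 s; scale-out when ANY monitored parameter
stays above its maximum, scale-in only when ALL stay below their minimum.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    thresholds: Dict[str, Tuple[float, float]]  # parameter -> (min %, max %)
    watch_time: int = 180        # default 3 minutes
    cooldown: int = 600          # default 10 minutes, applied after a scale-out
    drain_timeout: int = 300     # default 5 minutes, applied after a scale-in
    sample_interval: int = 60    # assumed sampling period
    min_nodes: int = 1
    max_nodes: int = 4


class Evaluator:
    def __init__(self, policy: Policy, nodes: int):
        self.policy = policy
        self.nodes = nodes
        samples_needed = max(1, policy.watch_time // policy.sample_interval)
        self.window: deque = deque(maxlen=samples_needed)
        self.paused_until = -1
        self.events: List[Tuple[int, str, int]] = []

    def _any_high(self, s: Dict[str, float]) -> bool:
        return any(s[p] > hi for p, (_, hi) in self.policy.thresholds.items())

    def _all_low(self, s: Dict[str, float]) -> bool:
        return all(s[p] < lo for p, (lo, _) in self.policy.thresholds.items())

    def observe(self, ts: int, sample: Dict[str, float]) -> Optional[str]:
        """Feed one sample; return 'scale-out', 'scale-in' or None."""
        if ts < self.paused_until:
            return None  # cooldown or drain in progress: statistics are not evaluated
        self.window.append(sample)
        if len(self.window) < self.window.maxlen:
            return None  # the watch time is not yet covered by samples
        if all(map(self._any_high, self.window)) and self.nodes < self.policy.max_nodes:
            return self._scale(ts, "scale-out", +1, self.policy.cooldown)
        if all(map(self._all_low, self.window)) and self.nodes > self.policy.min_nodes:
            return self._scale(ts, "scale-in", -1, self.policy.drain_timeout)
        return None

    def _scale(self, ts: int, action: str, delta: int, pause: int) -> str:
        self.nodes += delta
        self.paused_until = ts + pause
        self.window.clear()  # the next decision must see a full, fresh watch window
        self.events.append((ts, action, self.nodes))
        return action


def constructed_telemetry():
    """Constructed samples: a 15-minute CPU spike, then a long quiet period."""
    for ts in range(0, 1801, 60):
        if ts < 900:
            yield ts, {"cpu": 90.0, "memory": 50.0}
        else:
            yield ts, {"cpu": 10.0, "memory": 10.0}


def simulate(max_nodes: int = 4) -> List[Tuple[int, str, int]]:
    """Run the constructed telemetry through the evaluator; return (ts, action, nodes)."""
    policy = Policy(thresholds={"cpu": (20.0, 80.0), "memory": (20.0, 80.0)},
                    max_nodes=max_nodes)
    ev = Evaluator(policy, nodes=1)
    for ts, sample in constructed_telemetry():
        ev.observe(ts, sample)
    return ev.events


if __name__ == "__main__":
    for ts, action, nodes in simulate():
        print(f"t={ts:4d}s {action:9s} -> {nodes} node(s)")
```

Two things the run makes visible that the prose does not: during the 10-minute cooldown the spike is still present but produces no second scale-out until the cooldown ends and a fresh three-sample window is full, and a scale-in only happens once the whole window is quiet, so a single low sample inside an otherwise busy window changes nothing.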

Benefits of Autoscaling

High availability of applications. Autoscaling ensures that your application always has the right number of Citrix ADC VPX instances to handle the traffic demands. This is to ensure that your application is up and running all the time irrespective of traffic demands.

Smart scaling decisions and zero touch configuration. Autoscaling continuously monitors your application and adds or removes Citrix ADC instances dynamically depending on the demand. When demand spikes upward, the instances are automatically added. When the demand drops, the instances are automatically removed. The addition and removal of Citrix ADC instances happens automatically, so no manual configuration is required.

Automatic DNS management. The Citrix ADM autoscale feature offers automatic DNS management. Whenever new Citrix ADC instances are added, the domain names are updated automatically.

Graceful connection termination. During a scale-in, the Citrix ADC instances are gracefully removed avoiding the loss of client connections.

Better cost management. Autoscaling dynamically increases or decreases Citrix ADC instances as needed. Running only needed instances enables users to optimize the costs involved. Users save money by launching instances only when they are needed and terminate them when they are not needed. Thus, users pay only for the resources they use.

Observability. Observability is essential to application dev-ops or IT personnel to monitor the health of the application. The Citrix ADM’s autoscale dashboard enables users to visualize the threshold parameter values, autoscale trigger time stamps, events, and the instances participating in autoscale.

Deployment Types

Three-NIC Deployment

  • Typical Deployments

    • StyleBook driven

    • With ADM

    • With GSLB (Route53 w/domain registration)

    • Licensing - Pooled/Marketplace

  • Use Cases

    • Three-NIC Deployments are used to achieve real isolation of data and management traffic.

    • Three-NIC Deployments also improve the scale and performance of the ADC.

    • Three-NIC Deployments are recommended for network applications where throughput is typically 1 Gbps or higher.

CFT Deployment

Customers would deploy using CloudFormation Templates if they are customizing their deployments or they are automating their deployments.

Deployment Steps

Three-NIC Deployment for data center Expansion with Autoscale

The Citrix ADC VPX instance is available as an Amazon Machine Image (AMI) in the AWS Marketplace, and it can be launched as an Elastic Compute Cloud (EC2) instance within an AWS VPC. The smallest EC2 instance type supported for the Citrix ADC VPX AMI is m4.large; the AMI requires a minimum of 2 virtual CPUs and 2 GB of memory. An EC2 instance launched within an AWS VPC can also provide the multiple interfaces, multiple IP addresses per interface, and public and private IP addresses needed for VPX configuration. Each VPX instance requires at least three IP subnets:

  • A management subnet

  • A client-facing subnet (VIP)

  • A back-end facing subnet (SNIP)

Citrix recommends three network interfaces for a standard VPX instance on AWS installation.

AWS currently makes multi-IP functionality available only to instances running within an AWS VPC. A VPX instance in a VPC can be used to load balance servers running in EC2 instances. An Amazon VPC allows users to create and control a virtual networking environment, including their own IP address range, subnets, route tables, and network gateways.

Note:

By default, users can create up to 5 VPCs per AWS region for each AWS account. Users can request a higher VPC limit by submitting Amazon’s request form: Amazon VPC Request.

Licensing Requirements

The Citrix ADC instances that are created for the Citrix autoscale group use Citrix ADC Advanced or Premium ADC licenses. Citrix ADC clustering feature is included in Advanced or Premium ADC licenses.

Users can choose one of the following methods to license Citrix ADCs provisioned by Citrix ADM:

  • Using ADC licenses present in Citrix ADM: Configure pooled capacity, VPX licenses, or virtual CPU licenses while creating the autoscale group. So, when a new instance is provisioned for an autoscale group, the already configured license type is automatically applied to the provisioned instance.

    • Pooled Capacity: Allocates bandwidth to every provisioned instance in the autoscale group. Ensure users have the necessary bandwidth available in Citrix ADM to provision new instances. For more information, see: Configure Pooled Capacity. Each ADC instance in the autoscale group checks out one instance license and the specified bandwidth from the pool.

    • VPX licenses: Applies the VPX licenses to newly provisioned instances. Ensure users have the necessary number of VPX licenses available in Citrix ADM to provision new instances. When a Citrix ADC VPX instance is provisioned, the instance checks out the license from the Citrix ADM. For more information, see: Citrix ADC VPX Check-in and Check-out Licensing.

    • Virtual CPU licenses: Applies virtual CPU licenses to newly provisioned instances. This license specifies the number of CPUs entitled to a Citrix ADC VPX instance. Ensure users have the necessary number of Virtual CPUs in Citrix ADM to provision new instances. When a Citrix ADC VPX instance is provisioned, the instance checks out the virtual CPU license from the Citrix ADM. For more information, see: Citrix ADC virtual CPU Licensing.

When the provisioned instances are destroyed or de-provisioned, the applied licenses are automatically returned to Citrix ADM.

To monitor the consumed licenses, navigate to the Networks > Licenses page.

  • Using AWS subscription licenses: Configure Citrix ADC licenses available in the AWS marketplace while creating the autoscale group. So, when a new instance is provisioned for the autoscale group, the license is obtained from AWS Marketplace.

Deploying Citrix ADC VPX Instances on AWS

When customers move their applications to the cloud, the components that are part of their application increase, become more distributed, and need to be dynamically managed.

With Citrix ADC VPX instances on AWS, users can seamlessly extend their L4-L7 network stack to AWS. With Citrix ADC VPX, AWS becomes a natural extension of their on-premises IT infrastructure. Customers can use Citrix ADC VPX on AWS to combine the elasticity and flexibility of the cloud, with the same optimization, security, and control features that support the most demanding websites and applications in the world.

With Citrix Application Delivery Management (ADM) monitoring their Citrix ADC instances, users gain visibility into the health, performance, and security of their applications. They can automate the setup, deployment, and management of their application delivery infrastructure across hybrid multi-cloud environments.

Architecture Diagram

The following image provides an overview of how Citrix ADM connects with AWS to provision Citrix ADC VPX instances in AWS.

image-vpx-aws-autoscale-deployment-01

Configuration Tasks

Perform the following tasks on AWS before provisioning Citrix ADC VPX instances in Citrix ADM:

  • Create subnets

  • Create security groups

  • Create an IAM role and define a policy

Perform the following tasks on Citrix ADM to provision the instances on AWS:

  • Create site

  • Provision Citrix ADC VPX instance on AWS

To Create Subnets

Create three subnets in a VPC. The three subnets required to provision Citrix ADC VPX instances in a VPC are management, client, and server. Specify an IPv4 CIDR block from the range that is defined in the VPC for each of the subnets. Specify the availability zone in which the subnet is to reside. Create all three subnets in the same availability zone.

The following image illustrates the three subnets created in the customer region and their connectivity to the client system.

image-vpx-aws-autoscale-deployment-02

For more information on VPC and subnets, see: VPCs and Subnets.

To Create Security Groups

Create a security group to control inbound and outbound traffic to and from the Citrix ADC VPX instance. A security group acts as a virtual firewall for a user instance. Security groups are assigned at the instance (network interface) level, not at the subnet level, so each instance in a subnet in the user VPC can be assigned a different set of security groups. Add rules to control the inbound traffic that reaches the instances through the client subnet, and a separate set of rules to control the outbound traffic that leaves through the server subnet to the application servers. Although users can use the default security group for their instances, they might want to create their own groups. Create three security groups, one for each subnet, and add as many inbound and outbound rules as are needed. In particular, restrict the inbound rules of the management security group to the address ranges of the administrators and of the Citrix ADM agent rather than exposing the management interface to the Internet.

For more information on security groups, see: Security Groups for Your VPC.
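The three-security-group layout above, as an added check a practitioner would run against an existing deployment: an audit of each group's inbound rules against the role it plays. This is example code, not Citrix's. The rule dictionaries use the IpPermissions shape returned by `aws ec2 describe-security-groups`; the CIDRs and ports (an admin range and a Citrix ADM agent range for management, 80/443 on the client side, the ADC's own subnets on the server side) are constructed assumptions, since the guide does not prescribe specific values.

```python
"""Audit inbound rules of the management, client and server security groups
(added example, not Citrix code). Rule dicts follow the IpPermissions shape of
`aws ec2 describe-security-groups`; the expected sources and ports are assumed."""
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed expectations per role (assumed, not from the guide):
#   management: only admin workstations and the Citrix ADM agent range, nothing public
#   client:     the application's HTTP/HTTPS ports may be public, nothing else
#   server:     only the ADC's client and server subnets (SNIP traffic) may reach servers
EXPECTED = {
    "management": {"allowed_sources": {"10.10.0.0/24", "198.51.100.0/24"}, "public_ports": set()},
    "client":     {"allowed_sources": None, "public_ports": {80, 443}},
    "server":     {"allowed_sources": {"10.0.2.0/24", "10.0.3.0/24"}, "public_ports": set()},
}


def _cidrs(perm: dict) -> List[str]:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_security_group(role: str, permissions: List[dict]) -> List[str]:
    """Return one finding per rule that is broader than the role allows."""
    spec = EXPECTED[role]
    findings = []
    for perm in permissions:
        all_ports = perm.get("IpProtocol") == "-1"
        for cidr in _cidrs(perm):
            if all_ports:
                findings.append(f"{role}: all protocols and ports open from {cidr}")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if cidr in ANYWHERE:
                exposed = set(range(lo, hi + 1)) - spec["public_ports"]
                if exposed:
                    findings.append(f"{role}: ports {lo}-{hi} exposed to {cidr}")
            elif spec["allowed_sources"] is not None and cidr not in spec["allowed_sources"]:
                findings.append(f"{role}: ports {lo}-{hi} reachable from unexpected source {cidr}")
    return findings


def audit_all(groups: Dict[str, List[dict]]) -> List[str]:
    findings = []
    for role, permissions in groups.items():
        findings.extend(audit_security_group(role, permissions))
    return findings


# Constructed: management reachable from the whole Internet, server group wide open.
WEAK = {
    "management": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "client": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "server": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: the same groups with sources narrowed to the expected ranges.
HARDENED = {
    "management": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.10.0.0/24"}, {"CidrIp": "198.51.100.0/24"}]},
    ],
    "client": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
    "server": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.2.0/24"}, {"CidrIp": "10.0.3.0/24"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_all(WEAK):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_all(HARDENED))
```

The check treats a port range that includes unexpected ports (for example 80-443 on the client group) as a finding even though the group is allowed to be public on 80 and 443 individually; that is deliberate, because a range quietly exposes every port between them.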

To Create an IAM Role and Define a Policy

Create an IAM role so that customers can establish a trust relationship between their AWS account and the Citrix ADM AWS account, and attach a policy that grants the permissions Citrix ADM needs.

  • In AWS, click Services. In the left side navigation pane, select IAM > Roles > Create role.

  • Users are connecting their AWS account with the AWS account in Citrix ADM. So, select Another AWS account to allow Citrix ADM to perform actions in the AWS account.

  • Type in the 12-digit Citrix ADM AWS account ID. The Citrix ID is 835822366011. Users can also find the Citrix ID in Citrix ADM when they create the cloud access profile.

image-vpx-aws-autoscale-deployment-03

  • Enable Require external ID to connect to a third-party account. The external ID is a shared value that Citrix ADM must present when it assumes the role; it prevents another tenant of the same third party from causing Citrix ADM to assume your role on their behalf (the confused-deputy problem). Type an ID that can be a combination of any characters; choose a long, random value rather than a guessable string.

  • Click Permissions.

  • In Attach permissions policies page, click Create policy.

The list of permissions from Citrix is provided in the following box:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeRegions",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeHosts",
                "ec2:DescribeImages",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeAddresses",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeAttribute",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:ResetInstanceAttribute",
                "ec2:RunScheduledInstances",
                "ec2:ReportInstanceStatus",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:UnmonitorInstances",
                "ec2:MonitorInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:CreateNetworkInterface",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ResetNetworkInterfaceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssociateAddress",
                "ec2:AllocateAddress",
                "ec2:ReleaseAddress",
                "ec2:DisassociateAddress",
                "ec2:GetConsoleOutput"
            ],
            "Resource": "*"
        }
    ]
}

Note that the policy grants these actions, including ec2:RunInstances and ec2:TerminateInstances, on every EC2 resource in the account ("Resource": "*"). Treat the role as a privileged principal: keep its trust policy limited to the Citrix ADM account with the external ID, and keep CloudTrail enabled so that instance launches and terminations made through the role can be audited.

  • Copy and paste the list of permissions in the JSON tab and click Review policy.

  • In Review policy page, type a name for the policy, enter a description, and click Create policy.
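The trust side of the role created in the steps above, as an added example: a hardened trust policy that names only the Citrix ADM account and requires the external ID, beside an audit that flags a trust policy created with Require external ID left off. This is example code, not Citrix's. It assumes the Citrix ADM account ID given in this guide and the "Citrix-ADM-" role-name prefix from the site creation step; the external ID is enforced as an sts:ExternalId condition on the role's trust policy, which is how AWS evaluates that setting.

```python
"""Trust policy for the Citrix ADM cross-account role, plus an audit check
(added example, not Citrix code). Assumptions: the Citrix ADM account ID and the
"Citrix-ADM-" role-name prefix come from this guide; the external ID is enforced
as an sts:ExternalId condition on the role's trust policy."""
import json
import secrets
from typing import List

CITRIX_ADM_ACCOUNT_ID = "835822366011"  # Citrix ADM account ID from the guide
ROLE_NAME_PREFIX = "Citrix-ADM-"         # prefix Citrix ADM expects on the role name


def generate_external_id(nbytes: int = 32) -> str:
    # token_urlsafe yields only [A-Za-z0-9_-], all of which are legal in an external ID
    return secrets.token_urlsafe(nbytes)


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Hardened trust policy: only the given account, and only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc: dict, expected_account_id: str) -> List[str]:
    """Return findings for every AssumeRole statement that is broader than intended."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
        if "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal")
        for p in aws_principals:
            if p != "*" and expected_account_id not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif len(str(external_id)) < 16:
            findings.append(f"statement {i}: external ID is shorter than 16 characters")
    return findings


def role_name_ok(name: str) -> bool:
    return name.startswith(ROLE_NAME_PREFIX)


# Constructed: the trust policy the console produces when Require external ID is left off.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CITRIX_ADM_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    ext = generate_external_id()
    print(json.dumps(build_trust_policy(CITRIX_ADM_ACCOUNT_ID, ext), indent=2))
    print("weak policy findings:", audit_trust_policy(WEAK_TRUST_POLICY, CITRIX_ADM_ACCOUNT_ID))
```

The audit is the check to run periodically against every role whose name carries the Citrix-ADM- prefix, since the trust policy can be edited later without anyone revisiting this guide.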

To Create a Site in Citrix ADM

Create a site in Citrix ADM and add the details of the VPC associated with the AWS role.

  1. In Citrix ADM, navigate to Networks > Sites.

  2. Click Add.

  3. Select the service type as AWS and enable Use existing VPC as a site.

  4. Select the cloud access profile.

  5. If the cloud access profile does not exist in the field, click Add to create a profile.

    1. In the Create Cloud Access Profile page, type the name of the profile with which users want to access AWS.

    2. Type the ARN associated with the role that users have created in AWS.

    3. Type the external ID that users provided while creating an Identity and Access Management (IAM) role in AWS. See step 4 in the “To create an IAM role and define a policy” task. Ensure that the IAM role name that you specified in AWS starts with “Citrix-ADM-” and that it correctly appears in the Role ARN.

image-vpx-aws-autoscale-deployment-04

The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with the user IAM role in AWS are imported in Citrix ADM.

  6. Type a name for the site.

  7. Click Create.

To Provision Citrix ADC VPX on AWS

Use the site that users created earlier to provision the Citrix ADC VPX instances on AWS. Provide Citrix ADM service agent details to provision those instances that are bound to that agent.

  1. In Citrix ADM, navigate to Networks > Instances > Citrix ADC.

  2. In the VPX tab, click Provision.

This option displays the Provision Citrix ADC VPX on Cloud page.

  3. Select Amazon Web Services (AWS) and click Next.

  4. In Basic Parameters, select the Type of Instance from the list.

    • Standalone: This option provisions a standalone Citrix ADC VPX instance on AWS.

    • HA: This option provisions the high availability Citrix ADC VPX instances on AWS.

    To provision the Citrix ADC VPX instances in the same zone, select the Single Zone option under Zone Type.

    To provision the Citrix ADC VPX instances across multiple zones, select the Multi Zone option under Zone Type. In the Cloud Parameters tab, make sure to specify the network details for each zone that is created on AWS.

    image-vpx-aws-autoscale-deployment-05

    • Specify the name of your Citrix ADC VPX instance.

    • In Site, select the site that you created earlier.

    • In Agent, select the agent that is created to manage your Citrix ADC VPX instance.

    • In Cloud Access Profile, select the cloud access profile created during site creation.

    • In Device Profile, select the profile to provide authentication.

    Citrix ADM uses the device profile when it needs to log on to the Citrix ADC VPX instance.

    • Click Next.

  5. In Cloud Parameters,

    • Select the Citrix IAM Role created in AWS. An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

    • In the Product field, select the Citrix ADC product version that users want to provision.

    • Select the EC2 instance type from the Instance Type list.

    • Select the Version of Citrix ADC that users want to provision. Select both Major and Minor version of Citrix ADC.

    • In Security Groups, select the Management, Client, and Server security groups that users created in their virtual network.

    • In IPs in Server Subnet per Node, select how many IP addresses in the server subnet are assigned to each node.

    • In Subnets, select the Management, Client, and Server subnets for each zone that are created in AWS. Users can also select the zone from the Availability Zone list.

  6. Click Finish.

image-vpx-aws-autoscale-deployment-06

The Citrix ADC VPX instance is now provisioned on AWS.

Note: Currently, Citrix ADM doesn’t support deprovisioning of Citrix ADC instances from AWS.

To View the Citrix ADC VPX Provisioned in AWS

  1. From the AWS home page, navigate to Services and click EC2.

  2. On the Resources page, click Running Instances.

  3. Users can view the Citrix ADC VPX provisioned in AWS.

The name of the Citrix ADC VPX instance is the same name users provided while provisioning the instance in Citrix ADM.

To View the Citrix ADC VPX Provisioned in Citrix ADM

  1. In Citrix ADM, navigate to Networks > Instances > Citrix ADC.

  2. Select Citrix ADC VPX tab.

  3. The Citrix ADC VPX instance provisioned in AWS is listed here.

Autoscaling of Citrix ADC in AWS using Citrix ADM

Autoscaling Architecture

The following diagram illustrates the architecture of the autoscaling feature with DNS as the traffic distributor.

image-vpx-aws-autoscale-deployment-07

The following diagram illustrates the architecture of the autoscaling feature with NLB as the traffic distributor.

image-vpx-aws-autoscale-deployment-08

Citrix Application Delivery Management (ADM)

Citrix Application Delivery Management is a web-based solution for managing all Citrix ADC deployments that are deployed on-premises or on the cloud. You can use this cloud solution to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified, and centralized cloud-based console. Citrix Application Delivery Management (ADM) provides all the capabilities required to quickly set up, deploy, and manage application delivery in Citrix ADC deployments and with rich analytics of application health, performance, and security.

The autoscale groups are created in Citrix ADM and the Citrix ADC VPX instances are provisioned from Citrix ADM. The application is then deployed through StyleBooks in Citrix ADM.

Traffic Distributors (NLB or DNS/Route53)

NLB or DNS/Route53 is used to distribute traffic across all the nodes in an autoscale group. See Autoscale traffic distribution modes for more information.

The Citrix ADM communicates with the traffic distributor to update the application domain and IP addresses of the load balancing virtual servers that front-end the application.

Citrix ADM Autoscale Group

Autoscale group is a group of Citrix ADC instances that load balances applications as a single entity and triggers autoscaling based on the configured threshold parameter values.

Citrix ADC Clusters

A Citrix ADC cluster is a group of Citrix ADC VPX instances and each instance is called a node. The client traffic is distributed across the nodes to provide high availability, high throughput, and scalability.

Note:

Autoscaling decisions are made at the cluster level and not at the node level.

  • Independent clusters are hosted in different availability zones, and therefore support for some shared-state features is limited.

  • Persistence sessions other than cookie-based persistence (source IP persistence, for example) cannot be shared across clusters. However, all stateless features, such as the load balancing methods, work as expected across the multiple availability zones.

AWS Auto Scaling Groups

An AWS auto scaling group is a collection of EC2 instances that share similar characteristics and are treated as a logical grouping for the purposes of instance scaling and management.

AWS Availability Zones

An AWS availability zone is an isolated location inside a region. Each region is made up of several availability zones, and each availability zone belongs to a single region.

Traffic Distribution Modes

As users move their application deployments to the cloud, autoscaling becomes part of the infrastructure. As applications scale out or scale in through autoscaling, these changes must be propagated to the client. This propagation is achieved using DNS based or NLB based autoscaling.

Traffic Distribution Use Cases

Feature              Supported for NLB   Supported for DNS
HTTPS                Supported           Supported
WAF                  Supported           Supported
Gateway              Not Supported       Not Supported
  * ICA Proxy        Not Supported       Not Supported
  * EDT Support      Not Supported       Not Supported

NLB based Autoscaling

In NLB-based deployment mode, the distribution tier to the cluster nodes is the AWS network load balancer.

In NLB based autoscaling, only one static IP address is offered per availability zone. This is the public IP address that is added to Route53; the back-end IP addresses can be private. With this public IP address, any new Citrix ADC instance provisioned during autoscaling operates using private IP addresses and does not require extra public IP addresses.

Use NLB-based autoscaling to manage TCP traffic. Use DNS-based autoscaling to manage UDP traffic.

DNS based Autoscaling

In DNS based autoscaling, DNS acts as the distribution layer to the Citrix ADC cluster nodes. The scaling changes are propagated to the client by updating the domain name corresponding to the application. Currently, the DNS provider is AWS Route53.

Note:

In DNS based autoscaling, each Citrix ADC instance requires a public IP address.

Important:

Autoscaling supports all Citrix ADC features except the following, which require a spotted configuration on cluster nodes:

  • GSLB Virtual Servers

  • Citrix Gateway and its features

  • Telco Features

For more information on spotted configuration, see Striped, Partially Striped, and Spotted Configurations.

How Autoscaling Works

The following flowchart illustrates the autoscaling workflow.

image-vpx-aws-autoscale-deployment-09

The Citrix ADM collects statistics (CPU usage, memory usage, throughput) from the autoscale provisioned clusters at a time interval of one minute.

The statistics are evaluated against the configuration thresholds. Depending on whether the statistics exceed the maximum threshold or are operating below the minimum threshold, scale-out or scale-in is triggered respectively.

  • If a scale-out is triggered:

    • New nodes are provisioned.

    • The nodes are attached to the cluster and the configuration is synchronized from the cluster to the new node.

    • The nodes are registered with Citrix ADM.

    • The new node IP addresses are updated in DNS/NLB.

When the application is deployed, an IPset is created on clusters in each availability zone and the domain and the instance IP addresses are registered with DNS/NLB.

  • If a scale-in is triggered:

    • The IP addresses of the nodes identified for removal are removed.

    • The nodes are detached from the cluster, deprovisioned, and then deregistered from Citrix ADM.

When the application is removed, the domain and the instance IP addresses are deregistered from DNS/NLB and the IPset is deleted.

Example

Consider that users have created an autoscale group named asg_arn in a single availability zone with the following configuration.

  • Threshold parameter: Memory usage

  • Minimum limit: 40

  • Maximum limit: 85

  • Watch time: 3 minutes

  • Cooldown period: 10 minutes

  • Drain connection timeout: 10 minutes

  • TTL timeout: 60 seconds

After the autoscale group is created, statistics are collected from the autoscale group. The autoscale policy also checks whether an autoscale event is in progress; if one is, it waits for that event to complete before collecting the statistics.

image-vpx-aws-autoscale-deployment-10

Sequence of Events

  • T1 and T2: Memory usage exceeds the maximum threshold limit.

  • T3: Memory usage is below the maximum threshold limit.

  • T4, T5, T6: Memory usage has breached the maximum threshold limit consecutively for three watch time durations.

    • A scale-out is triggered.

    • Provisioning of nodes occurs.

    • Cooldown period is in effect.

  • T7–T16: Autoscale evaluation is skipped for this availability zone from T7 through T16 as the cooldown period is in effect.

  • T18, T19, T20: Memory usage has breached the minimum threshold limit consecutively for three watch time durations.

    • Scale-in is triggered.

    • Drain connection timeout is in effect.

    • IP addresses are removed from the DNS/NLB.

  • T21–T30: Autoscale evaluation is skipped for this availability zone from T21 through T30 as the drain connection timeout is in effect.

  • T31:

    • For DNS based autoscaling, TTL is in effect.

    • For NLB based autoscaling, deprovisioning of the instances occurs.

  • T32:

    • For NLB based autoscaling, evaluation of the statistics starts.

    • For DNS based autoscaling, deprovisioning of the instances occurs.

  • T33: For DNS based autoscaling, evaluation of the statistics starts.
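The evaluation loop of this example, modelled in Python as an added illustration (not code from Citrix ADM or this guide): a constructed 33-minute series of memory samples is run through the watch time, cooldown, drain timeout and TTL handling, and the model also applies the rule for multiple threshold parameters (scale-out if any parameter is above its maximum, scale-in only if all are below their minimum), which goes beyond the single-parameter example above. The class and function names and the one-minute timeline granularity are assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the one-minute evaluation loop described above. Names,
# the minute granularity and the state handling are assumptions, not ADM code.


@dataclass
class AutoscaleParams:
    min_limit: float = 40.0   # scale-in when every metric stays below this
    max_limit: float = 85.0   # scale-out when any metric stays above this
    watch_time: int = 3       # consecutive breaching samples required (minutes)
    cooldown: int = 10        # minutes of skipped evaluation after a scale-out
    drain_timeout: int = 10   # minutes of skipped evaluation after a scale-in
    ttl_seconds: int = 60     # DNS record TTL; only used in DNS mode
    mode: str = "NLB"         # traffic distribution mode: "NLB" or "DNS"


@dataclass
class AutoscaleEvaluator:
    params: AutoscaleParams
    above_max: int = 0        # consecutive samples breaching the maximum
    below_min: int = 0        # consecutive samples breaching the minimum
    skip_until: int = 0       # evaluation is skipped while t <= skip_until
    scheduled: Dict[int, str] = field(default_factory=dict)  # minute -> deferred action

    def step(self, t: int, metrics: Dict[str, float]) -> str:
        """Consume the sample for minute t and return what the policy did at that minute."""
        p = self.params
        # A deferred post-scale-in action (TTL wait, deprovisioning) owns this minute.
        if t in self.scheduled:
            return self.scheduled.pop(t)
        # Cooldown or drain window in effect: wait for the event to complete.
        if t <= self.skip_until:
            return "skipped"
        values = list(metrics.values())
        if any(v > p.max_limit for v in values):      # any parameter above max
            self.above_max, self.below_min = self.above_max + 1, 0
        elif all(v < p.min_limit for v in values):    # all parameters below min
            self.below_min, self.above_max = self.below_min + 1, 0
        else:                                         # a dip or spike resets the count
            self.above_max = self.below_min = 0
        if self.above_max >= p.watch_time:
            self.above_max = 0
            self.skip_until = t + p.cooldown
            return "scale-out"
        if self.below_min >= p.watch_time:
            self.below_min = 0
            self.skip_until = t + p.drain_timeout
            # After draining, DNS mode waits for cached records to expire (TTL) before
            # deprovisioning; NLB mode deprovisions right after the drain window.
            ttl_minutes = math.ceil(p.ttl_seconds / 60) if p.mode == "DNS" else 0
            for m in range(1, ttl_minutes + 1):
                self.scheduled[self.skip_until + m] = "ttl-wait"
            self.scheduled[self.skip_until + ttl_minutes + 1] = "deprovision"
            return "scale-in"
        return "evaluated"


def run_timeline(samples: List[Dict[str, float]],
                 params: AutoscaleParams) -> List[Tuple[int, str]]:
    """Feed one-minute samples T1..Tn through the evaluator; return (minute, outcome) pairs."""
    evaluator = AutoscaleEvaluator(params)
    return [(t, evaluator.step(t, s)) for t, s in enumerate(samples, start=1)]


# Constructed memory-usage samples reproducing the sequence of events above:
# T1-T2 high, T3 dips, T4-T6 high again, T18-T20 low, everything else in range.
MEMORY_SAMPLES = [
    {"memory": v}
    for v in [90, 91, 80, 88, 90, 92] + [60] * 11 + [30, 25, 20] + [50] * 13
]

if __name__ == "__main__":
    for mode in ("NLB", "DNS"):
        print(f"--- {mode} based autoscaling ---")
        for t, outcome in run_timeline(MEMORY_SAMPLES, AutoscaleParams(mode=mode)):
            if outcome not in ("evaluated", "skipped"):
                print(f"T{t}: {outcome}")
```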

Autoscale Configuration

To start autoscaling of Citrix ADC VPX instances in AWS, users must complete the following steps:

image-vpx-aws-autoscale-deployment-11

  • Complete all the pre-requisites on AWS listed in the AWS Prerequisites section of this guide.

  • Complete all the prerequisites listed on Citrix ADM in the Citrix ADM Prerequisites section of this guide.

  • Create autoscale groups:

    • Initialize the autoscale configuration.

    • Configure autoscale parameters.

    • Check out licenses.

    • Configure cloud parameters.

  • Deploy the application.

The next few sections assist users in performing all the necessary tasks in AWS before users create autoscale groups in Citrix ADM. The tasks that users must complete are as follows:

  • Subscribe to the required Citrix ADC VPX instance on AWS.

  • Create the required VPC or select an existing VPC.

  • Define the corresponding subnets and security groups.

  • Create two IAM roles, one for Citrix ADM and one for Citrix ADC VPX instance.

Tip:

Users can use AWS CloudFormation Templates to automate the AWS prerequisites step for the Citrix ADC autoscaling by visiting: citrix-adc-aws-cloudformation/templates.

For more information on how to create VPC, subnet and security groups, refer to: AWS Documentation.

Subscribe to Citrix ADC VPX License in AWS

  • Go to: AWS Marketplace.

  • Log on with your credentials.

  • Search for Citrix ADC VPX Customer Licensed, Premium, or Advanced edition.

image-vpx-aws-autoscale-deployment-12

  • Subscribe to either Citrix ADC VPX Customer Licensed, Premium Edition, or Citrix ADC VPX Advanced Edition licenses.

Note:

If users choose the Customer Licensed edition, the autoscale group checks out the licenses from the Citrix ADM while provisioning Citrix ADC instances.

Create Subnets

Create three subnets in the user VPC - one each for the management, client, and server connections. Specify an IPv4 CIDR block from the range that is defined in the user VPC for each of the subnets. Specify the availability zone in which users want the subnet to reside. Create all three subnets in each of the availability zones where servers are present.

  • Management. Existing subnet in the user Virtual Private Cloud (VPC) dedicated for management. Citrix ADC must contact AWS services and requires internet access. Configure a NAT gateway and add a route table entry to allow internet access from this subnet.

  • Client. Existing subnet in the user Virtual Private Cloud (VPC) dedicated for client side. Typically, Citrix ADC receives client traffic for the application via a public subnet from the internet. Associate the client subnet with a route table which has a route to an Internet gateway. This allows Citrix ADC to receive application traffic from the internet.

  • Server. A server subnet where the application servers are provisioned. All user application servers are present in this subnet and receive application traffic from the Citrix ADC through this subnet.

Create Security Groups

  • Management. Existing security group in your account dedicated for management of Citrix ADC VPX. Inbound rules should be allowed on the following TCP and UDP ports.

    • TCP: 80, 22, 443, 3008–3011, 4001

    • UDP: 67, 123, 161, 500, 3003, 4500, 7000

    Ensure that the security group allows the Citrix ADM agent to be able to access the VPX.

  • Client. Existing security group in the user account dedicated for client-side communication of Citrix ADC VPX instances. Typically, inbound rules are allowed on TCP ports 80, 22, and 443.

  • Server. Existing security group in the user account dedicated for server-side communication of Citrix ADC VPX.

Create IAM Roles

Along with creating an IAM role and defining a policy, users must also create an instance profile in AWS. IAM roles allow Citrix ADM to provision Citrix ADC instances and to create or delete Route53 entries.

While roles define “what can I do?” they do not define “who am I?” AWS EC2 uses an instance profile as a container for an IAM role. An instance profile is a container for an IAM role that users can use to pass role information to an EC2 instance when the instance starts.

When users create an IAM role using the console, the console creates an instance profile automatically and gives it the same name as the role it corresponds to. Roles provide a mechanism to define a collection of permissions. An IAM user represents a person and an instance profile represents the EC2 instances. If a user has role “A,” and an instance has an instance profile attached to “A,” these two principals can access the same resources in the same way.

Note:

Ensure that the role names start with “Citrix-ADM-” and the instance profile name starts with “Citrix-ADC-”.

To Create an IAM Role

Create an IAM role so that you can establish a trust relationship between your users and the Citrix trusted AWS account and create a policy with Citrix permissions.

  • In AWS, click Services. In the left side navigation pane, select IAM > Roles > Create role.

  • Users are connecting the user AWS account with the AWS account in Citrix ADM. So, select Another AWS account to allow Citrix ADM to perform actions in the user AWS account.

  • Type in the 12-digit Citrix ADM AWS account ID. The Citrix ID is 835822366011. Users can also find the Citrix ID in Citrix ADM when they create the cloud access profile.

image-vpx-aws-autoscale-deployment-13

  • Click Permissions.

  • In Attach permissions policies page, click Create policy.

  • Users can create and edit a policy in the visual editor or by using JSON.

The list of permissions from Citrix for Citrix ADM is provided in the following box:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "ec2:DescribeInstances",
            "ec2:UnmonitorInstances",
            "ec2:MonitorInstances",
            "ec2:CreateKeyPair",
            "ec2:ResetInstanceAttribute",
            "ec2:ReportInstanceStatus",
            "ec2:DescribeVolumeStatus",
            "ec2:StartInstances",
            "ec2:DescribeVolumes",
            "ec2:UnassignPrivateIpAddresses",
            "ec2:DescribeKeyPairs",
            "ec2:CreateTags",
            "ec2:ResetNetworkInterfaceAttribute",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:DeleteNetworkInterface",
            "ec2:RunInstances",
            "ec2:StopInstances",
            "ec2:AssignPrivateIpAddresses",
            "ec2:DescribeVolumeAttribute",
            "ec2:DescribeInstanceCreditSpecifications",
            "ec2:CreateNetworkInterface",
            "ec2:DescribeImageAttribute",
            "ec2:AssociateAddress",
            "ec2:DescribeSubnets",
            "ec2:DeleteKeyPair",
            "ec2:DisassociateAddress",
            "ec2:DescribeAddresses",
            "ec2:DeleteTags",
            "ec2:RunScheduledInstances",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeRegions",
            "ec2:DescribeDhcpOptions",
            "ec2:GetConsoleOutput",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:ModifyInstanceAttribute",
            "ec2:DescribeInstanceStatus",
            "ec2:ReleaseAddress",
            "ec2:RebootInstances",
            "ec2:TerminateInstances",
            "ec2:DetachNetworkInterface",
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeTags",
            "ec2:AllocateAddress",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeHosts",
            "ec2:DescribeImages",
            "ec2:DescribeVpcs",
            "ec2:AttachNetworkInterface",
            "ec2:AssociateIamInstanceProfile",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeInternetGateways"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "VisualEditor0"
    },
    {
        "Action": [
            "iam:GetRole",
            "iam:PassRole",
            "iam:CreateServiceLinkedRole"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "VisualEditor1"
    },
    {
        "Action": [
            "route53:CreateHostedZone",
            "route53:CreateHealthCheck",
            "route53:GetHostedZone",
            "route53:ChangeResourceRecordSets",
            "route53:ChangeTagsForResource",
            "route53:DeleteHostedZone",
            "route53:DeleteHealthCheck",
            "route53:ListHostedZonesByName",
            "route53:GetHealthCheckCount"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "VisualEditor2"
    },
    {
        "Action": [
            "iam:ListInstanceProfiles",
            "iam:ListAttachedRolePolicies",
            "iam:SimulatePrincipalPolicy",
            "iam:SimulatePrincipalPolicy"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "VisualEditor3"
    },
    {
        "Action": [
            "ec2:ReleaseAddress",
            "elasticloadbalancing:DeleteLoadBalancer",
            "ec2:DescribeAddresses",
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:RegisterTargets",
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:DeregisterTargets",
            "ec2:DescribeSubnets",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:ModifyTargetGroupAttributes",
            "ec2:AllocateAddress"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "VisualEditor4"
    }
]
}

  • Copy and paste the list of permissions in the JSON tab and click Review policy.

  • In Review policy page, type a name for the policy, enter a description, and click Create policy.

Note:

Ensure that the name starts with “Citrix-ADM-.”

  • In the Create Role page, enter the name of the role.

Note:

Ensure that the role name starts with “Citrix-ADM-.”

  • Click Create Role.

Similarly, create a profile for the Citrix ADC instances by providing a different name starting with Citrix-ADC-. Attach a policy with permissions provided by Citrix for AWS to access the Citrix ADC instances.

Ensure that users select AWS service > EC2, and then click Permissions to create an instance profile. Add the list of permissions provided by Citrix.

image-vpx-aws-autoscale-deployment-14

The list of permissions from Citrix for Citrix ADC instances is provided in the following box:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:SimulatePrincipalPolicy",
        "autoscaling:*",
        "sns:*",
        "sqs:*",
        "cloudwatch:*",
        "ec2:AssignPrivateIpAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}
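As an added check, not part of the guide or of Citrix's tooling: a small Python audit of the two policy documents and of the ADM role's trust relationship. It flags service-wide wildcard actions (autoscaling:*, sns:*, sqs:*, cloudwatch:* in the instance policy above), duplicated actions (iam:SimulatePrincipalPolicy appears twice in the ADM policy above), statements scoped to Resource "*", the Citrix-ADM-/Citrix-ADC- naming rule, and whether the trust policy limits sts:AssumeRole to the Citrix ADM account 835822366011 together with an external ID condition. The policy excerpts are constructed, shortened copies of the documents above, and the external ID value is a placeholder.

```python
import json
from collections import Counter
from typing import Dict, List

CITRIX_ADM_ACCOUNT = "835822366011"   # Citrix ADM AWS account ID from the guide

# Constructed, shortened copies of the two policies above; they keep the
# properties worth auditing (Resource "*", a duplicated action, service wildcards).
ADM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"]},
    {"Sid": "VisualEditor3", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListInstanceProfiles", "iam:SimulatePrincipalPolicy",
                "iam:SimulatePrincipalPolicy"]}
  ]
}""")

ADC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:GetRole", "autoscaling:*", "sns:*", "sqs:*", "cloudwatch:*",
                "ec2:DescribeInstances", "ec2:StartInstances"]}
  ]
}""")

# Constructed trust policy for the Citrix-ADM- role; the external ID is a placeholder.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::835822366011:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}
  }]
}""")


def _as_list(value) -> List:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict) -> Dict[str, List[str]]:
    """Flag wildcard actions, duplicated actions and Resource "*" in Allow statements."""
    findings: Dict[str, List[str]] = {"wildcard_actions": [], "duplicate_actions": [],
                                      "star_resource_sids": []}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        findings["wildcard_actions"] += [a for a in actions if a.endswith("*")]
        findings["duplicate_actions"] += sorted(a for a, n in Counter(actions).items() if n > 1)
        if "*" in _as_list(stmt.get("Resource", [])):
            findings["star_resource_sids"].append(stmt.get("Sid", "<no Sid>"))
    return findings


def check_names(role_name: str, instance_profile_name: str) -> List[str]:
    """Apply the naming rule the guide requires for the role and the instance profile."""
    problems = []
    if not role_name.startswith("Citrix-ADM-"):
        problems.append(f"role {role_name!r} must start with 'Citrix-ADM-'")
    if not instance_profile_name.startswith("Citrix-ADC-"):
        problems.append(f"instance profile {instance_profile_name!r} must start with 'Citrix-ADC-'")
    return problems


def check_trust_policy(trust: Dict, expected_account: str = CITRIX_ADM_ACCOUNT) -> List[str]:
    """Ensure only the expected account can assume the role, and only with an external ID."""
    problems = []
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [str(principal)]
        if not principals or not all(f":{expected_account}:" in p or p == expected_account for p in principals):
            problems.append("sts:AssumeRole is granted to a principal other than the Citrix ADM account")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            problems.append("sts:AssumeRole statement has no sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    for name, policy in (("Citrix-ADM- policy", ADM_POLICY), ("Citrix-ADC- policy", ADC_POLICY)):
        print(name, json.dumps(audit_policy(policy), indent=2))
    print("names:", check_names("Citrix-ADM-autoscale", "Citrix-ADC-autoscale") or "ok")
    print("trust:", check_trust_policy(TRUST_POLICY) or "ok")
```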

Register the DNS Domain

Users must also ensure that they have registered the DNS domain for hosting their applications.

Assess the number of elastic IPs (EIPs) required in the user network.

The number of EIPs required varies based on whether users are deploying DNS based autoscaling or NLB based autoscaling. To increase the number of EIPs, create a case with AWS.

  • For DNS based autoscaling, the number of EIPs required per availability zone is equal to the number of applications multiplied by the maximum number of VPX instances users want to configure in the autoscale groups.

  • For NLB based autoscaling, the number of EIPs required is equal to the number of applications multiplied by the number of availability zones in which the applications are getting deployed.

Assess the Instance Limit Requirements

When assessing instance limits, ensure that users consider space requirements for Citrix ADC instances as well.

Create Autoscale Groups

Initialize Autoscale Configuration

  • In Citrix ADM, navigate to Networks > AutoScale Groups.

  • Click Add to create autoscale groups. The Create AutoScale Group page appears.

  • Enter the following details.

    • Name. Type a name for the autoscale group.

    • Site. Select the site that users have created to provision the Citrix ADC VPX instances on AWS.

    • Agent. Select the Citrix ADM agent that manages the provisioned instances.

    • Cloud Access Profile. Select the cloud access profile.

    Note:

    If the cloud access profile does not exist in the field, click Add to create a profile.

    • Type the ARN associated with the role that you have created in AWS.

    • Type the external ID that users provided while creating an Identity and Access Management (IAM) role in AWS. Depending on the cloud access profile that users select, the availability zones are populated.

    • Device Profile. Select the device profile from the list. The device profile will be used by Citrix ADM whenever it must log on to the instance.

    • Traffic Distribution Mode. The Load Balancing using NLB option is selected as the default traffic distribution mode. If applications are using UDP traffic, then select DNS using AWS route53.

image-vpx-aws-autoscale-deployment-15

Note:

After the autoscale configuration is set up, new availability zones cannot be added and existing availability zones cannot be removed.

  • Enable AutoScale Group. Enable or disable the autoscale group. This option is enabled by default. If this option is disabled, autoscaling is not triggered.

  • Availability Zones. Select the zones in which you want to create the autoscale groups. Depending on the cloud access profile that you have selected, availability zones specific to that profile are populated.

  • Tags. Type the key-value pair for the autoscale group tags. A tag consists of a case-sensitive key-value pair. These tags enable you to organize and identify the autoscale groups easily. The tags are applied to both AWS and Citrix ADM.

image-vpx-aws-autoscale-deployment-16

  • Click Next.

Configuring Autoscale Parameters

  • In the AutoScale Parameters tab, enter the following details.

  • Select one or more of the following threshold parameters whose values must be monitored to trigger a scale-out or a scale-in.

    • Enable CPU Usage Threshold: Monitor the metrics based on the CPU usage.

    • Enable Memory Usage Threshold: Monitor the metrics based on the memory usage.

    • Enable Throughput Threshold: Monitor the metrics based on the throughput.

Note:

  1. Default minimum threshold limit is 30 and maximum threshold limit is 70. However, users can modify the limits.
  2. Minimum threshold limit must be equal to or less than half of the maximum threshold limit.
  3. More than one threshold parameter can be selected for monitoring. In such cases, a scale-out is triggered if at least one of the threshold parameters is above its maximum threshold. However, a scale-in is triggered only if all the threshold parameters are operating below their minimum thresholds.

image-vpx-aws-autoscale-deployment-17

  • Minimum Instances. Select the minimum number of instances that need to be provisioned for this autoscale group.

  • By default, the minimum number of instances is equal to the number of zones selected. Users can increase the minimum instances in multiples of the number of zones.

  • For example, if the number of availability zones is 4, the minimum instances value is 4 by default. Users can increase the minimum instances to 8, 12, or 16.

  • Maximum Instances. Select the maximum number of instances that need to be provisioned for this autoscale group.

  • The maximum number of instances must be greater than or equal to the minimum instances value. The maximum number of instances that can be configured is equal to number of availability zones multiplied by 32.

  • Maximum number of instances = number of availability zones * 32.

  • Drain Connection Timeout (minutes). Select the drain connection timeout period. During scale-in, once an instance is selected for deprovisioning, Citrix ADM stops sending new connections for the autoscale group to that instance and waits until the specified time expires before deprovisioning it. This allows existing connections to the instance to drain before it is deprovisioned.

  • Cooldown period (minutes). Select the cooldown period. During scale-out, the cooldown period is the time for which evaluation of the statistics is suspended after a scale-out occurs. This allows the autoscale group to grow gradually: current traffic can stabilize and average out on the current set of instances before the next scaling decision is made.

  • DNS Time To Live (seconds). Select the amount of time (in seconds) that a packet is set to exist inside a network before being discarded by a router. This parameter is applicable only when the traffic distribution mode is DNS using AWS route53.

  • Watch-Time (minutes). Select the watch-time duration: the time for which the scale parameter’s threshold has to stay breached for a scaling to happen. If the threshold is breached on all the samples collected in this specified time, then a scaling happens.

image-vpx-aws-autoscale-deployment-18

  • Click Next.

Configure Licenses for Provisioning Citrix ADC Instances

Select one of the following modes to license Citrix ADC instances that are part of your Autoscale Group:

  • Using Citrix ADM: While provisioning Citrix ADC instances, the autoscale group checks out the licenses from the Citrix ADM.

  • Using AWS Cloud: The Allocate from Cloud option uses the Citrix product licenses available in the AWS marketplace. While provisioning Citrix ADC instances, the autoscale group uses the licenses from the marketplace.

    • If users choose to use licenses from the AWS marketplace, specify the product or license in the Cloud Parameters tab.

    • For more information, see: Licensing Requirements.

Use Licenses from Citrix ADM

  • In the License tab, select Allocate from ADM.

  • In License Type, select one of the following options from the list:

    • Bandwidth Licenses: Users can select one of the following options from the Bandwidth License Types list:

    • Pooled Capacity: Specify the capacity to allocate for every new instance in the autoscale group.

    From the common pool, each ADC instance in the autoscale group checks out one instance license and only as much bandwidth as is specified.

    • VPX Licenses: When a Citrix ADC VPX instance is provisioned, the instance checks out the license from the Citrix ADM.

    • Virtual CPU Licenses: The provisioned Citrix ADC VPX instance checks out licenses depending on the number of active CPUs running in the autoscale group.

Note: When the provisioned instances are removed or destroyed, the applied licenses return to the Citrix ADM license pool. These licenses can be reused to provision new instances during your next autoscale.

  • In License Edition, select the license edition. The autoscale group uses the specified edition to provision instances.

  • Click Next.

Configure Cloud Parameters

image-vpx-aws-autoscale-deployment-19

  • In the Cloud Parameters tab, enter the following details.

    • IAM Role: Select the IAM role that users have created in AWS. An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

    • Product: Select the Citrix ADC product version that users want to provision.

    • Version: Select the Citrix ADC product release version and build number. The release versions and build numbers are auto-populated based on the product that users have selected.

    • AWS AMI ID: Enter the AMI ID specific to the region that users have selected.

    • Instance Type: Select the EC2 instance type.

Note:

The recommended instance type for the selected product is auto-populated by default.

  • Security Groups: Security groups control the inbound and outbound traffic in the Citrix ADC VPX instance. Users create rules for both incoming and outgoing traffic that they want to control. Select appropriate values for the following subnets.

  • Management. Existing security group in the user account dedicated for management of Citrix ADC VPX instances. Inbound rules should be allowed on the following TCP and UDP ports.

    • TCP: 80, 22, 443, 3008–3011, 4001

    • UDP: 67, 123, 161, 500, 3003, 4500, 7000

Ensure that the security group allows the Citrix ADM agent to be able to access the VPX.

  • Client. Existing security group in the user account dedicated for client-side communication of Citrix ADC VPX instances. Typically, inbound rules are allowed on the TCP ports 80, 22, and 443.

  • Server. Existing security group in the user account dedicated for server-side communication of Citrix ADC VPX.

  • IPs in server subnet per node: Select the number of IP addresses in the server subnet per node for the security group.

image-vpx-aws-autoscale-deployment-20

  • Zone: The number of zones that are populated is equal to the number of availability zones that users have selected. For each zone, select the appropriate values for the following subnets.

  • Management. Existing subnet in the user Virtual Private Cloud (VPC) dedicated for management. Citrix ADC needs to contact AWS services and requires internet access. Configure a NAT gateway and add a route table entry to allow internet access from this subnet.

  • Client. Existing subnet in the user Virtual Private Cloud (VPC) dedicated for client side. Typically, Citrix ADC receives client traffic for the application via a public subnet from the internet. Associate the client subnet with a route table which has a route to an Internet gateway. This will allow Citrix ADC to receive application traffic from the internet.

  • Server. Application servers are provisioned in a server subnet. All user application servers will be present in this subnet and will be receiving application traffic from the Citrix ADC via this subnet.

image-vpx-aws-autoscale-deployment-21

  • Click Finish.

A progress window with the status for creating the autoscale group appears. It might take several minutes for the creation and provisioning of autoscale groups.

Configure Application using Stylebooks

image-vpx-aws-autoscale-deployment-22

  • In Citrix ADM, navigate to Networks > Autoscale Groups.

  • Select the autoscale group that users created and click Configure.

  • The Choose StyleBook page displays all the StyleBooks available for customer use to deploy configurations in the autoscale clusters.

    • Select the appropriate StyleBook. For example, users can use the HTTP/SSL Load balancing StyleBook. Users can also import new StyleBooks.

    • Click the StyleBook to create the required configuration. The StyleBook opens as a user interface page on which users can enter the values for all the parameters defined in this StyleBook.

    • Enter values for all the parameters.

    • If users are creating back-end servers in AWS, select Backend Server Configuration. Then select AWS EC2 Autoscaling > Cloud and enter the values for all the parameters.

    image-vpx-aws-autoscale-deployment-23

    • There might be a few optional configurations required depending on the StyleBook that users have chosen. For example, users might have to create monitors, provide SSL certificate settings, and so on.

    • Click Create to deploy the configuration on the Citrix ADC cluster.

    • The FQDN of the application or the virtual server cannot be modified after it is configured and deployed.

The FQDN of the application is resolved to the IP address using DNS. As this DNS record might be cached across various name servers, changing the FQDN might cause the traffic to be blackholed.

  • SSL session sharing works as expected within an availability zone, but across availability zones it requires reauthentication.

SSL sessions are synchronized within the cluster. As the autoscale group spanning across availability zones has separate clusters in each zone, SSL sessions cannot be synchronized across zones.

  • Shared limits such as max client and spill-over are set statically based on the number of availability zones. This limit has to be set after calculating it manually. Limit = “Limit required” divided by “number of zones”.

Shared limits are distributed automatically across nodes within a cluster. As the autoscale group spanning across availability zones has separate clusters in each zone, these limits have to be calculated manually.

Upgrade Citrix ADC Clusters

Users must manually upgrade the cluster nodes. Users first upgrade the image of existing nodes and then update AMI from the Citrix ADM.

Important:

Ensure the following during an upgrade:

  1. No scale-in or scale-out is triggered.
  2. No configuration changes must be performed on the cluster in the autoscale group.
  3. Users keep a backup of the ns.conf file of the previous version. In case an upgrade fails, users can fall back to the previous version.

Perform the following steps to upgrade the Citrix ADC cluster nodes.

  1. Upgrade one node in the cluster.
  2. Monitor the application traffic for any failures.
  3. If users encounter any issues or failures, downgrade the node that was previously upgraded. Otherwise, continue with the upgrade of all nodes.
  4. Continue upgrading the nodes in all the clusters in the autoscale group.

Note:

If the upgrade for any cluster fails, downgrade all the clusters in the autoscale group to the previous version. Follow the steps documented in the topic Upgrading or Downgrading the Citrix ADC Cluster.

  • After successful upgrade of all clusters, update the AMI on the MAS ASG Portal. AMI must be of the same version as the image used for the upgrade.

  • Edit the autoscale group and type the AMI that corresponds to the upgraded version.

  • Enable the autoscale group on the ADM portal.

Modify Autoscale Groups Configuration

  • Users can modify an autoscale group configuration or delete an autoscale group. Users can modify only the following autoscale group parameters.

    • Traffic distribution mode.

    • Maximum and minimum limits of the threshold parameters.

    • Minimum and maximum instance values.

    • Drain connection period value.

    • Cooldown period value.

    • Time to live value – If the traffic distribution mode is DNS.

    • Watch duration value.

  • Users can also delete the autoscale groups after they are created.

When users delete an autoscale group, all the domains and IP addresses are deregistered from DNS/NLB and the cluster nodes are deprovisioned.

CloudFormation Template Deployment

Citrix ADC VPX is available as Amazon Machine Images (AMI) in the AWS Marketplace.

Before using a CloudFormation template to provision a Citrix ADC VPX in AWS, the AWS user has to accept the terms and subscribe to the AWS Marketplace product. Each edition of the Citrix ADC VPX in the Marketplace requires this step.

Each template in the CloudFormation repository has collocated documentation describing the usage and architecture of the template. The templates attempt to codify the recommended deployment architecture of the Citrix ADC VPX, or to introduce the user to the Citrix ADC or to demonstrate a particular feature, edition, or option. Users can reuse, modify, or enhance the templates to suit their production and testing needs. Most templates require full EC2 permissions in addition to permissions to create IAM roles.

The CloudFormation templates contain AMI IDs that are specific to a particular release of the Citrix ADC VPX (for example, release 12.0–56.20) and edition (for example, Citrix ADC VPX Platinum Edition - 10 Mbps) or Citrix ADC BYOL. Using a different version or edition of the Citrix ADC VPX with a CloudFormation template requires the user to edit the template and replace the AMI IDs.

The latest Citrix ADC AWS-AMI-IDs are available from the Citrix ADC CloudFormation Templates on GitHub citrix-adc-aws-cloudformation/templates.

CFT Three-NIC Deployment

This template deploys a VPC with 3 subnets (Management, Client, Server) in each of 2 Availability Zones. It deploys an Internet Gateway with a default route on the public subnets. The template also creates an HA pair across Availability Zones with two instances of Citrix ADC: 3 ENIs associated to 3 VPC subnets (Management, Client, Server) on the primary and 3 ENIs associated to 3 VPC subnets (Management, Client, Server) on the secondary. All the resource names created by this CFT are prefixed with a tagName of the stack name.

The output of the CloudFormation template includes:

  • PrimaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Primary VPX (uses self-signed cert).

  • PrimaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Primary VPX.

  • PrimaryCitrixADCInstanceID - Instance Id of the newly created Primary VPX instance.

  • PrimaryCitrixADCPublicVIP - Elastic IP address of the Primary VPX instance associated with the VIP.

  • PrimaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Primary VPX.

  • PrimaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Primary VPX.

  • PrimaryCitrixADCPrivateVIP - Private IP address of the Primary VPX instance associated with the VIP.

  • PrimaryCitrixADCSNIP - Private IP address of the Primary VPX instance associated with the SNIP.

  • SecondaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Secondary VPX (uses self-signed cert).

  • SecondaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Secondary VPX.

  • SecondaryCitrixADCInstanceID - Instance Id of the newly created Secondary VPX instance.

  • SecondaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Secondary VPX.

  • SecondaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Secondary VPX.

  • SecondaryCitrixADCPrivateVIP - Private IP address of the Secondary VPX instance associated with the VIP.

  • SecondaryCitrixADCSNIP - Private IP address of the Secondary VPX instance associated with the SNIP.

  • SecurityGroup - Security group id to which the VPX belongs.

When providing input to the CFT, the * against any parameter in the CFT implies that it is a mandatory field. For example, VPC ID* is a mandatory field.

The following prerequisites must be met. The CloudFormation template requires sufficient permissions to create IAM roles, beyond normal EC2 full privileges. The user of this template also needs to accept the terms and subscribe to the AWS Marketplace product before using this CloudFormation template.

The following should also be present:

  • Key Pair

  • 3 unallocated EIPs

    • Primary Management

    • Client VIP

    • Secondary Management

For more information on provisioning Citrix ADC VPX instances on AWS, users can visit Provisioning Citrix ADC VPX Instances on AWS.

For more information on autoscaling of Citrix ADC in AWS using Citrix ADM, visit: Autoscaling of Citrix ADC in AWS using Citrix ADM.

For information on adding the AWS autoscaling service to a Citrix ADC VPX instance, visit: Add Back-end AWS Autoscaling Service.

AWS Prerequisites

Before attempting to create a VPX instance in AWS, users should ensure they have the following:

  • An AWS account to launch a Citrix ADC VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC). Users can create an AWS account for free at Amazon Web Services: AWS.

  • Citrix ADM service agent has been added in AWS.

  • A VPC has been created and availability zones have been selected.

  • For more information on how to create an account and other tasks, see: AWS Documentation.

  • For more information on how to install the Citrix ADM service agent on AWS, see: Install Citrix ADM Agent on AWS.

  • An AWS Identity and Access Management (IAM) user account to securely control access to AWS services and resources for users. For more information about how to create an IAM user account, see the topic: Creating IAM Users (Console).

  • An IAM adminuser with all administrative permissions has been created.

An IAM role is mandatory for both standalone and high availability deployments. The IAM role must have the following privileges:

  • ec2:DescribeInstances

  • ec2:DescribeNetworkInterfaces

  • ec2:DetachNetworkInterface

  • ec2:AttachNetworkInterface

  • ec2:StartInstances

  • ec2:StopInstances

  • ec2:RebootInstances

  • ec2:DescribeAddresses

  • ec2:AssociateAddress

  • ec2:DisassociateAddress

  • autoscaling:*

  • sns:*

  • sqs:*

  • iam:SimulatePrincipalPolicy

  • iam:GetRole

If the Citrix CloudFormation template is used, the IAM role is automatically created. The template does not allow selecting an already created IAM role.

Note:

When users log on to the VPX instance through the GUI, a prompt to configure the required privileges for the IAM role appears. Ignore the prompt if the privileges have already been configured.
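Before logging on and meeting that prompt, users can check a role's permission policy against the list above. The following Python checker is an added example, not Citrix code: it reports which of the listed privileges the policy fails to grant, honouring IAM wildcard actions; the sample policy is constructed and deliberately incomplete.

```python
import fnmatch
import json

# Privileges the guide lists as required for the VPX IAM role.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
    "ec2:DetachNetworkInterface", "ec2:AttachNetworkInterface",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
    "ec2:DescribeAddresses", "ec2:AssociateAddress", "ec2:DisassociateAddress",
    "autoscaling:*", "sns:*", "sqs:*",
    "iam:SimulatePrincipalPolicy", "iam:GetRole",
]


def _as_list(value):
    # IAM allows a single string or a list for Statement/Action.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect the action patterns from Allow statements of a policy (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    granted = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            granted.extend(_as_list(stmt["Action"]))
    return granted


def action_covered(required, patterns):
    """True if `required` (e.g. 'ec2:StartInstances' or 'sqs:*') is granted by a pattern.
    IAM action names match case-insensitively and '*' / '?' are wildcards, so a
    required 'sqs:*' is covered only by a pattern at least as broad as 'sqs:*'."""
    return any(fnmatch.fnmatchcase(required.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant, in the guide's order.
    Simplification: Deny statements and Resource/Condition scoping are ignored;
    iam:SimulatePrincipalPolicy gives the authoritative answer."""
    granted = allowed_actions(policy)
    return [a for a in required if not action_covered(a, granted)]


# Constructed sample policy (not from the guide): EC2 and IAM actions are granted via
# wildcards, but autoscaling and SNS are absent and only one SQS action is allowed.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:*NetworkInterface", "ec2:*Address",
                    "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:SimulatePrincipalPolicy", "iam:GetRole"]},
        {"Effect": "Allow", "Resource": "*", "Action": "sqs:SendMessage"},
    ],
}

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
```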

The AWS CLI is required to use all the functionality of the AWS Management Console from a terminal. For more information, see: What Is the AWS Command Line Interface?. Users also need the AWS CLI to change the network interface type to SR-IOV.

ADM Prerequisites

Users must ensure that they have completed all the pre-requisites on the Citrix ADM to use the autoscale feature.


Create a Site

Create a site in Citrix ADM and add the details of the VPC associated with the user AWS role.

  • In Citrix ADM, navigate to Networks > Sites.

  • Click Add.

  • Select the service type as AWS and enable Use existing VPC as a site.

  • Select the cloud access profile.

  • If the cloud access profile doesn’t exist in the field, click Add to create a profile.

    • In the Create Cloud Access Profile page, type the name of the profile with which users want to access AWS.

    • Type the ARN associated with the role that users have created in AWS.

    • Copy the autogenerated External ID to update the IAM role.

  • Click Create.

  • Again, click Create to create the site.

  • Update the IAM role in AWS using the auto-generated External ID:


    • Log in to the user AWS account and navigate to the role that users want to update.

    • In the Trust relationships tab, click Edit trust relationship and append the following condition within the Statement block:

        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "<External-ID>"
          }
        }

Enabling an external ID for an IAM role in AWS allows the role to be used by a third-party account. With the condition in place, the role can be assumed only when the caller presents the expected external ID, which increases the security of the user role.
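An added example, not part of the guide or of Citrix ADM: this Python builds the trust policy with the external-ID condition shown above and flags any sts:AssumeRole statement that grants trust to an AWS principal without it. The account ID and external ID are placeholders.

```python
import json


def _as_list(value):
    # IAM allows a single string or a list for Statement/Action.
    return value if isinstance(value, list) else [value]


def build_trust_policy(trusted_principal_arn, external_id):
    """Trust policy that lets the given AWS principal assume the role only when it
    presents the expected external ID (the condition the guide appends)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def unguarded_assume_role_statements(trust_policy):
    """Indices of Allow statements that grant sts:AssumeRole to an AWS account/role
    principal without a StringEquals sts:ExternalId condition."""
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    unguarded = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        # Service principals (e.g. ec2.amazonaws.com) do not use external IDs.
        if principal != "*" and not (isinstance(principal, dict) and "AWS" in principal):
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            unguarded.append(idx)
    return unguarded


# Constructed placeholders, not real values: the ADM-side principal and the
# external ID that Citrix ADM generates when the cloud access profile is created.
ADM_PRINCIPAL_ARN = "arn:aws:iam::111122223333:root"
EXTERNAL_ID = "example-external-id"

GUARDED = build_trust_policy(ADM_PRINCIPAL_ARN, EXTERNAL_ID)
# The same trust without the condition: the role could then be assumed on behalf of
# any customer of the trusted account, which is what the external ID check prevents.
UNGUARDED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ADM_PRINCIPAL_ARN}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(GUARDED, indent=2))
    print("unguarded statements:", unguarded_assume_role_statements(UNGUARDED))
```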

The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with the user IAM role in AWS are imported in Citrix ADM.

Provision Citrix ADM Agent on AWS

The Citrix ADM service agent works as an intermediary between the Citrix ADM and the discovered instances in the data center or on the cloud.

  • Navigate to Networks > Agents.

  • Click Provision.

  • Select AWS and click Next.

  • In the Cloud Parameters tab, specify the following:

    • Name - specify the Citrix ADM agent name.

    • Site - select the site users have created to provision an agent and ADC VPX instances.

    • Cloud Access Profile - select the cloud access profile from the list.

    • Availability Zone - Select the zones in which users want to create the autoscale groups. Depending on the cloud access profile that users have selected, availability zones specific to that profile are populated.

    • Security Group - Security groups control the inbound and outbound traffic of the agent. Users create rules for both the incoming and the outgoing traffic that they want to control.

    • Subnet - Select the management subnet where users want to provision an agent.

    • Tags - Type the key-value pair for the autoscale group tags. A tag consists of a case-sensitive key-value pair. These tags enable users to organize and identify the autoscale groups easily. The tags are applied to both AWS and Citrix ADM.

  • Click Finish.

Alternatively, users can install the Citrix ADM agent from the AWS marketplace. For more information, see: Install Citrix ADM Agent on AWS.

Limitations and Usage Guidelines

The following limitations and usage guidelines apply when deploying a Citrix ADC VPX instance on AWS:

  • Users should read the AWS terminology listed previously in this article before starting a new deployment.

  • The clustering feature is supported only when provisioned with Citrix ADM Auto Scale Groups.

  • For the high availability setup to work effectively, associate a dedicated NAT device to the management Interface or associate an Elastic IP (EIP) to NSIP. For more information on NAT, in the AWS documentation, see: NAT Instances.

  • Data traffic and management traffic must be segregated with ENIs belonging to different subnets.

  • Only the NSIP address must be present on the management ENI.

  • If a NAT instance is used for security instead of assigning an EIP to the NSIP, appropriate VPC level routing changes are required. For instructions on making VPC level routing changes, in the AWS documentation, see: Scenario 2: VPC with Public and Private Subnets.

  • A VPX instance can be moved from one EC2 instance type to another (for example, from m3.large to an m3.xlarge). For more information, visit: Limitations and Usage Guidelines.

  • For storage media for VPX on AWS, Citrix recommends EBS, because it is durable and the data is available even after it is detached from the instance.

  • Dynamic addition of ENIs to VPX is not supported. Restart the VPX instance to apply the update. Citrix recommends users to stop the standalone or HA instance, attach the new ENI, and then restart the instance. The primary ENI cannot be changed or attached to a different subnet once it is deployed. Secondary ENIs can be detached and changed as needed while the VPX is stopped.

  • Users can assign multiple IP addresses to an ENI. The maximum number of IP addresses per ENI is determined by the EC2 instance type, see the section “IP Addresses Per Network Interface Per Instance Type” in: Elastic Network Interfaces. Users must allocate the IP addresses in AWS before they assign them to ENIs. For more information, see: Elastic Network Interfaces.

  • Citrix recommends that users avoid using the enable and disable interface commands on Citrix ADC VPX interfaces.

  • The Citrix ADC set ha node <NODE_ID> -haStatus STAYPRIMARY and set ha node <NODE_ID> -haStatus STAYSECONDARY commands are disabled by default.

  • IPv6 is not supported for VPX.

  • Due to AWS limitations, these features are not supported:

    • Gratuitous ARP (GARP).

    • L2 mode (bridging). Transparent vServers are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP.

    • Tagged VLAN.

    • Dynamic Routing.

    • Virtual MAC.

  • For RNAT, routing, and Transparent vServers to work, ensure Source/Destination Check is disabled for all ENIs in the data path. For more information, see “Changing the Source/Destination Checking” in: Elastic Network Interfaces.

  • In a Citrix ADC VPX deployment on AWS, in some AWS regions, the AWS infrastructure might not be able to resolve AWS API calls. This happens if the API calls are issued through a non-management interface on the Citrix ADC VPX instance. As a workaround, restrict the API calls to the management interface only. To do that, create an NSVLAN on the VPX instance and bind the management interface to the NSVLAN by using the appropriate command. For example:

        set ns config -nsvlan <vlan id> -ifnum 1/1 -tagged NO
        save config

    Restart the VPX instance at the prompt. For more information about configuring NSVLAN, see Configuring NSVLAN.

  • In the AWS console, the vCPU usage shown for a VPX instance under the Monitoring tab might be high (up to 100 percent), even when the actual usage is much lower. To see the actual vCPU usage, navigate to View all CloudWatch metrics. For more information, see: Monitor your Instances using Amazon CloudWatch. Alternatively, if low latency and performance are not a concern, users can enable the CPU Yield feature, which allows the packet engines to idle when there is no traffic. For more details about the CPU Yield feature and how to enable it, visit: Citrix Support Knowledge Center.

AWS-VPX Support Matrix

The following sections list the supported VPX model and AWS regions, instance types, and services.

Supported VPX Models on AWS

  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 200 Mbps
  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 1000 Mbps
  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 3 Gbps
  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 5 Gbps
  • Citrix ADC VPX Standard/Advanced/Premium - 10 Mbps
  • Citrix ADC VPX Express - 20 Mbps
  • Citrix ADC VPX - Customer Licensed

Supported AWS Regions

  • US West (Oregon) Region
  • US West (N. California) Region
  • US East (Ohio) Region
  • US East (N. Virginia) Region
  • Asia Pacific (Seoul) Region
  • Canada (Central) Region
  • Asia Pacific (Singapore) Region
  • Asia Pacific (Sydney) Region
  • Asia Pacific (Tokyo) Region
  • Asia Pacific (Hong Kong) Region
  • China (Beijing) Region
  • China (Ningxia) Region
  • EU (Frankfurt) Region
  • EU (Ireland) Region
  • EU (London) Region
  • EU (Paris) Region
  • South America (São Paulo) Region
  • AWS GovCloud (US-East) Region

Supported AWS Instance Types

  • m3.large, m3.xlarge, m3.2xlarge
  • c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge
  • m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge
  • m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge
  • c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge, c5.24xlarge
  • c5n.large, c5n.xlarge, c5n.2xlarge, c5n.4xlarge, c5n.9xlarge, c5n.18xlarge

Supported AWS Services

  • EC2
  • Lambda
  • S3
  • VPC
  • Route 53
  • ELB
  • CloudWatch
  • AWS Auto Scaling
  • CloudFormation
  • Simple Queue Service (SQS)
  • Simple Notification Service (SNS)
  • Identity & Access Management (IAM)

For higher bandwidth, Citrix recommends the following instance types:

  Instance Type              Bandwidth            Enhanced Networking (SR-IOV)
  M4.10xlarge                3 Gbps and 5 Gbps    Yes
  C4.8xlarge                 3 Gbps and 5 Gbps    Yes
  C5.18xlarge/M5.18xlarge    25 Gbps              ENA
  C5n.18xlarge               30 Gbps              ENA

To remain updated about the currently supported VPX models and AWS regions, instance types, and services, visit the VPX-AWS support matrix.