Advanced Concepts

Deployment Guide Citrix ADC VPX on AWS - Disaster Recovery

Contributors

Author: Blake Schindler, Solutions Architect

Overview

Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments.

As an undisputed leader of service and application delivery, Citrix ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, Citrix ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. Citrix ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

Citrix VPX

The Citrix ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms:

  • Citrix Hypervisor

  • VMware ESX

  • Microsoft Hyper-V

  • Linux KVM

  • Amazon Web Services

  • Microsoft Azure

  • Google Cloud Platform

This deployment guide focuses on Citrix ADC VPX on Amazon Web Services.

Amazon Web Services

Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services can offer tools such as compute power, database storage, and content delivery services.

AWS offers the following essential services:

  • AWS Compute Services

  • Migration Services

  • Storage

  • Database Services

  • Management Tools

  • Security Services

  • Analytics

  • Networking

  • Messaging

  • Developer Tools

  • Mobile Services

AWS Terminology

Here is a brief description of key terms used in this document that users must be familiar with:

  • Elastic Network Interface (ENI) - A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC).

  • Elastic IP (EIP) address - A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change.

  • Subnet - A segment of the IP address range of a VPC with which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs.

  • Virtual Private Cloud (VPC) - A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define.

Here is a brief description of other terms used in this document that users should be familiar with:

  • Amazon Machine Image (AMI) - A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud.

  • Elastic Block Store - Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

  • Simple Storage Service (S3) - Storage for the Internet. It is designed to make web-scale computing easier for developers.

  • Elastic Compute Cloud (EC2) - A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

  • Elastic Load Balancing (ELB) - Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. ELB increases the fault tolerance of user applications.

  • Instance type - Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications.

  • Identity and Access Management (IAM) - An AWS identity with permission policies that determine what the identity can and cannot do in AWS. Users can use an IAM role to enable applications running on an EC2 instance to securely access their AWS resources. An IAM role is required for deploying VPX instances in a high-availability setup.

  • Internet Gateway - Connects a network to the Internet. Users can route traffic for IP addresses outside their VPC to the Internet gateway.

  • Key pair - A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key.

  • Route table - A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.

  • Auto Scaling - A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks.

  • CloudFormation - A service for writing or changing templates that create and delete related AWS resources together as a unit.

Use Cases

Disaster Recovery (DR)

A disaster is a sudden disruption of business functions caused by natural calamities or human-caused events. Disasters affect data center operations, after which the resources and data lost at the disaster site must be fully rebuilt and restored. Data loss or downtime in the data center is critical and breaks business continuity.

One of the challenges that customers face today is deciding where to put their DR site. Businesses are looking for consistency and performance regardless of any underlying infrastructure or network faults.

Possible reasons many organizations are deciding to migrate to the cloud are:

  • Usage economics — The capital expense of having a data center on-prem is well documented and by using the cloud, these businesses can free up time and resources from expanding their own systems.

  • Faster recovery times — Much of the automated orchestration enables recovery in mere minutes.

  • There are also technologies that replicate data by providing continuous data protection or continuous snapshots to guard against any outage or attack.

  • Finally, some customers need many different types of compliance and security control, which are already present on the public clouds. This makes it easier to achieve the compliance they need than building their own.

Deployment Types

One-NIC Deployment

  • Typical Deployments

    • Standalone

  • Use Cases

    • Customers typically use One-NIC Deployments to deploy into a non-production environment, to set up an environment for testing, or to stage a new environment before production deployment.

    • One-NIC Deployments are also used to deploy directly to the cloud quickly and efficiently.

    • One-NIC Deployments are used when customers seek the simplicity of a single subnet configuration.

Three-NIC Deployment

  • Typical Deployments

    • Standalone

    • High Availability

  • Use Cases

    • Three-NIC Deployments are used to achieve real isolation of data and management traffic.

    • Three-NIC Deployments also improve scale and performance of the ADC.

    • Three-NIC Deployments are recommended for network applications where throughput is typically 1 Gbps or higher.

CFT Deployment

Customers would deploy using CloudFormation Templates if they are customizing their deployments or they are automating their deployments.

Sample Citrix ADC VPX Deployment on AWS Architecture

[Figure: Sample Citrix ADC VPX Deployment on AWS Architecture]

The preceding figure shows a typical topology of an AWS VPC with a Citrix ADC VPX deployment.

The AWS VPC has

  1. A single Internet gateway to route traffic in and out of the VPC.

  2. Network connectivity between the Internet gateway and the Internet.

  3. Three subnets, one each for management, client, and server.

  4. Network connectivity between the Internet gateway and the two subnets (management and client).

  5. A standalone Citrix ADC VPX instance deployed within the VPC. The VPX instance has three ENIs, one attached to each subnet.

Deployment Steps

One-NIC Deployment for DR

The Citrix ADC VPX Express instance is available as an Amazon Machine Image (AMI) in AWS marketplace. The minimum EC2 instance type allowed as a supported AMI on Citrix VPX is m4.large. Download and create an instance of the VPX using a single VPC subnet. The Citrix ADC VPX instance requires a minimum of 2 virtual CPUs and 2 GB of memory. Initial configuration performed includes network interface configuration, VIP configuration, and feature configuration. Further configuration can be performed by logging in to the GUI or via SSH (user name: nsroot).

The output of the configuration includes:

  • InstanceIdNS - Instance Id of newly created VPX instance. This is the default password for the GUI / ssh access.

  • ManagementURL - Use this HTTPS URL to the Management GUI (uses self-signed cert) to log in to the VPX and configure it further.

  • ManagementURL2 - Use this HTTP URL to the Management GUI (if your browser has problems with the self-signed cert) to log in to the VPX.

  • PublicNSIP - Use this public IP to ssh into the appliance.

  • PublicIpVIP - The Public IP where load balanced applications can be accessed.

The VPX is deployed in a single-NIC mode.

The standard NetScaler IP addresses: NSIP (management IP), VIP (where load balanced applications are accessed), and SNIP (the IP used to send traffic to back end instances) are all provisioned on the single NIC and are drawn from the (RFC1918) address space of the provided VPC subnet. The (RFC1918) NSIP is mapped to the Public IP of the VPX Instance and the RFC1918 VIP is mapped to a public Elastic IP.

Licensing

A Citrix ADC VPX instance on AWS requires a license.

The following licensing options are available for Citrix ADC VPX instances running on AWS:

Deployment Options

Users can deploy a Citrix ADC VPX standalone instance on AWS by using the following options

  • AWS web console

  • Citrix-authored CloudFormation template

  • AWS CLI

Deployment Steps

Users can deploy a Citrix ADC VPX instance on AWS through the AWS web console.

The deployment process includes the following steps:

  • Create a Key Pair

  • Create a Virtual Private Cloud (VPC)

  • Create the VPX instance

  • Create a single VPC subnet

  • Create network interface configuration

  • Map the NSIP to the Public IP of the VPX Instance

  • Map the VIP to a public Elastic IP

  • Connect to the VPX instance

Create a Key Pair

Amazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to an instance, users must create a key pair, specify the name of the key pair when they launch the instance, and provide the private key when they connect to the instance.

When users review and launch an instance by using the AWS Launch Instance wizard, they are prompted to use an existing key pair or create a new key pair.

For more information about how to create a key pair, see Amazon EC2 Key Pairs and Linux Instances.

Create a VPC

A Citrix ADC VPX instance is deployed inside an AWS VPC. A VPC allows users to define virtual networks dedicated to their AWS account.

For more information about AWS VPC, see Getting Started With IPv4 for Amazon VPC.

While creating a VPC for a Citrix ADC VPX instance, keep the following points in mind.

Use the VPC with a Single Public Subnet Only option to create an AWS VPC in an AWS availability zone.

Citrix recommends that users map the previously created NSIP and VIP addresses to the public subnet.

Create a Citrix ADC VPX Instance by using the AWS Express AMI

Create a Citrix ADC VPX instance from the AWS VPX Express AMI.

From the AWS dashboard, go to Compute > Launch Instance > AWS Marketplace.

Before clicking Launch Instance, users should ensure their region is correct by checking the note that appears under Launch Instance.

In the Search AWS Marketplace bar, search with the keyword Citrix ADC VPX.

Select the desired version to deploy and then click Select.

For the Citrix ADC VPX version, users have the following options

  • A licensed version

  • Citrix ADC VPX Express appliance (a free virtual appliance, which is available from Citrix ADC 12.0 56.20.)

  • Bring your own device

The Launch Instance wizard starts. Follow the wizard to create an instance.

The wizard prompts users to

  • Choose Instance Type

  • Configure Instance

  • Add Storage

  • Add Tags

  • Review

Allocate and Associate Elastic IPs

If users assign a public IP address to an instance, it remains assigned only until the instance is stopped. After that, the address is released back to the pool. When users restart the instance, a new public IP address is assigned.

In contrast, an elastic IP (EIP) address remains assigned until the address is disassociated from an instance.

Allocate and associate an elastic IP for the management NIC.

For more information about how to allocate and associate elastic IP addresses, see these topics:

These steps complete the procedure to create a Citrix ADC VPX instance on AWS. It can take a few minutes for the instance to be ready. Check that the instance has passed its status checks. Users can view this information in the Status Checks column on the Instances page.

Connect to the VPX Instance

After users have created the VPX instance, they can connect to it by using the GUI or an SSH client.

GUI connection

The following are the default administrator credentials to access a Citrix ADC VPX instance

  • User name: nsroot

  • Password: The default password for the nsroot account is set to the AWS instance-ID of the Citrix ADC VPX instance.

SSH Client connection

From the AWS management console, select the Citrix ADC VPX instance and click Connect. Follow the instructions given on the Connect to Your Instance page.

For more information about how to deploy a Citrix ADC VPX standalone instance on AWS by using the AWS web console, see

Three-NIC Deployment for DR

The Citrix ADC VPX instance is available as an Amazon Machine Image (AMI) in AWS marketplace, and it can be launched as an Elastic Compute Cloud (EC2) instance within an AWS VPC. The minimum EC2 instance type allowed as a supported AMI on Citrix VPX is m4.large. The Citrix ADC VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory. An EC2 instance launched within an AWS VPC can also provide the multiple interfaces, multiple IP addresses per interface, and public and private IP addresses needed for VPX configuration.

Each VPX instance requires at least three IP subnets

  • A management subnet

  • A client-facing subnet (VIP)

  • A back-end facing subnet (SNIP)

Citrix recommends three network interfaces for a standard VPX instance on AWS installation.

AWS currently makes multi-IP functionality available only to instances running within an AWS VPC. A VPX instance in a VPC can be used to load balance servers running in EC2 instances. An Amazon VPC allows users to create and control a virtual networking environment, including their own IP address range, subnets, route tables, and network gateways.

Note:

By default, users can create up to 5 VPCs per AWS region for each AWS account. Users can request higher VPC limits by submitting Amazon's request form: Amazon VPC Request.

Licensing

A Citrix ADC VPX instance on AWS requires a license.

The following licensing options are available for Citrix ADC VPX instances running on AWS

Deployment Options

Users can deploy a Citrix ADC VPX standalone instance on AWS by using the following options

  • AWS web console

  • Citrix-authored CloudFormation template

  • AWS CLI

Deployment Steps

Users can deploy a Citrix ADC VPX instance on AWS through the AWS web console.

The deployment process includes the following steps

  • Create a Key Pair

  • Create a Virtual Private Cloud (VPC)

  • Add more subnets

  • Create security groups and security rules

  • Add route tables

  • Create an internet gateway

  • Create a Citrix ADC VPX instance

  • Create and attach more network interfaces

  • Attach elastic IPs to the management NIC

  • Connect to the VPX instance

Create a Key Pair

Amazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to an instance, users must create a key pair, specify the name of the key pair when they launch the instance, and provide the private key when they connect to the instance.

When users review and launch an instance by using the AWS Launch Instance wizard, they are prompted to use an existing key pair or create a new key pair.

For more information about how to create a key pair, see Amazon EC2 Key Pairs and Linux Instances.

Create a VPC

A Citrix ADC VPX instance is deployed inside an AWS VPC. A VPC allows users to define virtual networks dedicated to their AWS account.

For more information about AWS VPC, see Getting Started With IPv4 for Amazon VPC

While creating a VPC for a Citrix ADC VPX instance, keep the following points in mind

  • Use the VPC with a Single Public Subnet Only option to create an AWS VPC in an AWS availability zone.

  • Citrix recommends that users create at least three subnets, of the following types:

    • One subnet for management traffic. Place the management IP (NSIP) on this subnet. By default, elastic network interface (ENI) eth0 is used for the management IP.

    • One or more subnets for client-access (user-to-Citrix ADC VPX) traffic, through which clients connect to one or more virtual IP (VIP) addresses assigned to Citrix ADC load balancing virtual servers.

    • One or more subnets for the server-access (VPX-to-server) traffic, through which user servers connect to VPX-owned subnet IP (SNIP) addresses.

    • All subnets must be in the same availability zone.

Add Subnets

When the VPC wizard is used for deployment, only one subnet is created. Depending on user requirements, users may want to create more subnets.

For more information about how to create more subnets, see VPCs and Subnets.

Create Security Groups and Security Rules

To control inbound and outbound traffic, create security groups and add rules to the groups.

For more information about how to create groups and add rules, see Security Groups for Your VPC.

For Citrix ADC VPX instances, the EC2 wizard offers default security groups, which are generated by AWS Marketplace and are based on settings recommended by Citrix. However, users can create more security groups based on their requirements.

Note:

Ports 22, 80, and 443 must be opened on the security group for SSH, HTTP, and HTTPS access respectively.
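The following is an added example, not code from the guide or from Citrix or AWS tooling. It audits a security group's ingress rules against the three ports the note requires and reports SSH exposed outside an administrative range; the admin CIDR, the rule that treats only SSH as management-only (80 and 443 also serve the VIP when NSIP and VIP share one NIC), and all sample rules are assumptions of the example.

```python
"""Audit the ingress rules of a security group attached to a Citrix ADC VPX.

Added example (not from the deployment guide or any Citrix/AWS tooling). The
guide requires ports 22, 80 and 443 for SSH, HTTP and HTTPS. This check
reports required ports that are not open, ranges beyond those ports that are
open to the Internet, and SSH reachable from outside an administrative CIDR.
Assumptions of this example: only SSH is treated as management-only, because
80/443 also serve the VIP when NSIP and VIP share one NIC; the admin CIDR and
all rule data below are constructed.
"""
from ipaddress import ip_network

# Ports the guide says the security group must open, and what they carry.
REQUIRED_PORTS = {22: "SSH", 80: "HTTP", 443: "HTTPS"}
MANAGEMENT_ONLY_PORTS = {22}
ANYWHERE = ip_network("0.0.0.0/0")


def rule_ports(rule):
    """TCP ports opened by one IpPermissions entry; None means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return None
    if proto != "tcp":
        return set()
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def audit_ingress(ip_permissions, admin_cidr):
    """Return sorted findings for a rule list in DescribeSecurityGroups shape.

    An empty list means the group opens exactly what the guide asks for and
    keeps SSH inside admin_cidr.
    """
    admin = ip_network(admin_cidr)
    opened = set()
    findings = []
    for rule in ip_permissions:
        ports = rule_ports(rule)
        for rng in rule.get("IpRanges", []):
            src = ip_network(rng["CidrIp"])
            if ports is None:
                findings.append(f"all traffic allowed from {src}")
                opened |= set(REQUIRED_PORTS)
                continue
            opened |= ports & set(REQUIRED_PORTS)
            extra = ports - set(REQUIRED_PORTS)
            if extra and src == ANYWHERE:
                findings.append(
                    f"ports {min(extra)}-{max(extra)} beyond 22/80/443 open to {src}")
            for port in sorted(ports & MANAGEMENT_ONLY_PORTS):
                if not src.subnet_of(admin):
                    findings.append(
                        f"port {port} ({REQUIRED_PORTS[port]}) open to {src}, "
                        f"expected a range within {admin}")
    for port in sorted(set(REQUIRED_PORTS) - opened):
        findings.append(f"port {port} ({REQUIRED_PORTS[port]}) not open")
    return sorted(findings)


ADMIN_CIDR = "203.0.113.0/24"  # constructed administrative range

# Constructed sample: every required port open to the whole Internet.
WIDE_OPEN = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Constructed sample: the same group with SSH limited to the admin range.
HARDENED = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for name, rules in (("wide open", WIDE_OPEN), ("hardened", HARDENED)):
        print(name, audit_ingress(rules, ADMIN_CIDR) or ["no findings"])
```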

Add Route Tables

Route tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table.

For more information about how to create a route table, see Route Tables.

Create an Internet Gateway

An internet gateway serves two purposes: to provide a target in the VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Create an internet gateway for internet traffic.

For more information about how to create an Internet Gateway, see the section Creating and Attaching an Internet Gateway.

Create a Citrix ADC VPX Instance by using the AWS EC2 Service

To create a Citrix ADC VPX instance by using the AWS EC2 service, complete the following steps

  • From the AWS dashboard, go to Compute > EC2 > Launch Instance > AWS Marketplace.

  • Before clicking Launch Instance, users should ensure their region is correct by checking the note that appears under Launch Instance.

  • In the Search AWS Marketplace bar, search with the keyword Citrix ADC VPX.

  • Select the version users want to deploy and then click Select. For the Citrix ADC VPX version, users have the following options:

    • A licensed version

    • Citrix ADC VPX Express appliance (a free virtual appliance, which is available from Citrix ADC 12.0 56.20.)

    • Bring your own device

The Launch Instance wizard starts. Follow the wizard to create an instance.

The wizard prompts users to

  • Choose Instance Type

  • Configure Instance

  • Add Storage

  • Add Tags

  • Configure Security Group

  • Review

Create and Attach more Network Interfaces

Create two more network interfaces for the VIP and SNIP.

For more information about how to create more network interfaces, see the section Creating a Network Interface.

After users have created the network interfaces, they must attach the interfaces to the VPX instance. Shut down the VPX instance before attaching the interfaces, attach them, and then power on the instance.

For more information about how to attach network interfaces, see the section Attaching a Network Interface When Launching an Instance.

Allocate and Associate Elastic IPs

If users assign a public IP address to an EC2 instance, it remains assigned only until the instance is stopped. After that, the address is released back to the pool. When users restart the instance, a new public IP address is assigned.

In contrast, an elastic IP (EIP) address remains assigned until the address is disassociated from an instance.

Allocate and associate an elastic IP for the management NIC.

For more information about how to allocate and associate elastic IP addresses, see these topics

These steps complete the procedure to create a Citrix ADC VPX instance on AWS. It can take a few minutes for the instance to be ready. Check that the instance has passed its status checks. Users can view this information in the Status Checks column on the Instances page.

Connect to the VPX Instance

After users have created the VPX instance, they can connect to it by using the GUI or an SSH client.

GUI connection

The following are the default administrator credentials to access a Citrix ADC VPX instance

  • User name: nsroot

  • Password: The default password for the nsroot account is set to the AWS instance-ID of the Citrix ADC VPX instance.

SSH Client connection

From the AWS management console, select the Citrix ADC VPX instance and click Connect. Follow the instructions given on the Connect to Your Instance page.

For more information about how to deploy a Citrix ADC VPX standalone instance on AWS by using the AWS web console, see

CFT Deployment

Citrix ADC VPX is available as Amazon Machine Images (AMI) in the AWS Marketplace.

AWS Marketplace

Before using a CloudFormation template to provision a Citrix ADC VPX in AWS, the AWS user has to accept the terms and subscribe to the AWS Marketplace product. Each edition of the Citrix ADC VPX in the Marketplace requires this step.

Each template in the CloudFormation repository has collocated documentation describing the usage and architecture of the template. The templates attempt to codify recommended deployment architecture of the Citrix ADC VPX, or to introduce the user to the Citrix ADC or to demonstrate a particular feature, edition, or option. Users can reuse, modify, or enhance the templates to suit their particular production and testing needs. Most templates require full EC2 permissions in addition to permissions to create IAM roles.

The CloudFormation templates contain AMI Ids that are specific to a particular release of the Citrix ADC VPX (for example, release 12.0-56.20) and edition (for example, Citrix ADC VPX Platinum Edition - 10 Mbps) OR Citrix ADC BYOL. To use a different version / edition of the Citrix ADC VPX with a CloudFormation template requires the user to edit the template and replace the AMI Ids.

The latest Citrix ADC AWS-AMI-IDs are available on GitHub at Citrix ADC AWS CloudFormation Master.

CFT Single-NIC Deployment

The CloudFormation template requires sufficient permissions to create IAM roles and lambda functions, beyond normal EC2 full privileges. The user of this template also needs to accept the terms and subscribe to the AWS Marketplace product before using this CloudFormation template.

This CloudFormation template creates an instance of the VPX Express from the VPX Express AMI using a single VPC subnet. The CloudFormation template also provisions a lambda function that initializes the VPX instance. Initial configuration performed by the lambda function includes network interface configuration, VIP configuration, and feature configuration. Further configuration can be performed by logging in to the GUI or via SSH (user name: nsroot).

The output of the CloudFormation template includes

  • InstanceIdNS - Instance Id of newly created VPX instance. This is the default password for the GUI / ssh access.

  • ManagementURL - Use this HTTPS URL to the Management GUI (uses self-signed cert) to log in to the VPX and configure it further.

  • ManagementURL2 - Use this HTTP URL to the Management GUI (if your browser has problems with the self-signed cert) to log in to the VPX.

  • PublicNSIP - Use this public IP to ssh into the appliance.

  • PublicIpVIP - The Public IP where load balanced applications can be accessed.

The CloudFormation template deploys the VPX in a single-NIC mode. The standard NetScaler IP addresses: NSIP (management IP), VIP (where load balanced applications are accessed) and SNIP (the IP used to send traffic to back end instances) are all provisioned on the single NIC and are drawn from the (RFC1918) address space of the provided VPC subnet. The (RFC1918) NSIP is mapped to the Public IP of the VPX Instance and the RFC1918 VIP is mapped to a public Elastic IP. If the VPX is restarted, the Public NSIP mapping is lost. In this case the NSIP is only accessible from within the VPC subnet, from another EC2 instance in the same subnet. Other possible architectures include 2 and 3-NIC configurations across multiple VPC subnets.

CFT Three-NIC Deployment

This template deploys a VPC, with 3 subnets (Management, client, server) for 2 Availability Zones. It deploys an Internet Gateway, with a default route on the public subnets. This template also creates an HA pair across Availability Zones with two instances of Citrix ADC: 3 ENIs associated to 3 VPC subnets (Management, Client, Server) on the primary and 3 ENIs associated to 3 VPC subnets (Management, Client, Server) on the secondary. All the resource names created by this CFT are prefixed with a tagName of the stack name.

The output of the CloudFormation template includes

  • PrimaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Primary VPX (uses self-signed cert)

  • PrimaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Primary VPX

  • PrimaryCitrixADCInstanceID - Instance Id of the newly created Primary VPX instance

  • PrimaryCitrixADCPublicVIP - Elastic IP address of the Primary VPX instance associated with the VIP

  • PrimaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Primary VPX

  • PrimaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Primary VPX

  • PrimaryCitrixADCPrivateVIP - Private IP address of the Primary VPX instance associated with the VIP

  • PrimaryCitrixADCSNIP - Private IP address of the Primary VPX instance associated with the SNIP

  • SecondaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Secondary VPX (uses self-signed cert)

  • SecondaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Secondary VPX

  • SecondaryCitrixADCInstanceID - Instance Id of the newly created Secondary VPX instance

  • SecondaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Secondary VPX

  • SecondaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Secondary VPX

  • SecondaryCitrixADCPrivateVIP - Private IP address of the Secondary VPX instance associated with the VIP

  • SecondaryCitrixADCSNIP - Private IP address of the Secondary VPX instance associated with the SNIP

  • SecurityGroup - Security group id that the VPX belongs to

When providing input to the CFT, the marker shown against a parameter implies that it is a mandatory field. For example, VPC ID is a mandatory field.

The following prerequisites must be met. The CloudFormation template requires sufficient permissions to create IAM roles, beyond normal EC2 full privileges. The user of this template also needs to accept the terms and subscribe to the AWS Marketplace product before using this CloudFormation template.

The following should also be present

  • Key Pair

  • 3 unallocated EIPs

    • Primary Management

    • Client VIP

    • Secondary Management

For more information on provisioning Citrix ADC VPX instances on AWS, users can visit Provisioning Citrix ADC VPX Instances on AWS

Prerequisites

Before attempting to create a VPX instance in AWS, users should ensure they have the following

  • An AWS account to launch a Citrix ADC VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC). Users can create an AWS account for free at www.aws.amazon.com.

  • An AWS Identity and Access Management (IAM) user account to securely control access to AWS services and resources for users.

For more information about how to create an IAM user account, see Creating IAM Users (Console).

An IAM role is mandatory for both standalone and high availability deployments.

The IAM role must have the following privileges

  • ec2:DescribeInstances

  • ec2:DescribeNetworkInterfaces

  • ec2:DetachNetworkInterface

  • ec2:AttachNetworkInterface

  • ec2:StartInstances

  • ec2:StopInstances

  • ec2:RebootInstances

  • ec2:DescribeAddresses

  • ec2:AssociateAddress

  • ec2:DisassociateAddress

  • autoscaling:*

  • sns:*

  • sqs:*

  • iam:SimulatePrincipalPolicy

  • iam:GetRole

If the Citrix CloudFormation template is used, the IAM role is automatically created. The template does not allow selecting an already created IAM role.
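The following is an added example, not code from the guide or from Citrix or AWS tooling. It checks a policy document attached to the VPX role against the privilege list above, implementing IAM's case-insensitive wildcard action matching so that a grant such as autoscaling:* is recognised as covering that requirement, and it lists the service-wide wildcards a reviewer would want to scope down. Resource, Condition and NotAction elements are not evaluated, and the narrower sample policy is an assumption of the example.

```python
"""Check an IAM policy against the role privileges the guide lists for a VPX.

Added example (not from the deployment guide or any Citrix/AWS tooling). It
evaluates IAM action matching (case-insensitive, '*' and '?' wildcards) so a
policy such as 'autoscaling:*' is recognised as covering the guide's
requirement, reports required actions the policy does not grant, and lists
service-wide wildcard grants a reviewer would want to scope down. Resource,
Condition and NotAction elements are not evaluated; sample policies below are
constructed.
"""
import fnmatch
import json

# Privileges the guide lists for the IAM role used by the VPX instance.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DetachNetworkInterface",
    "ec2:AttachNetworkInterface",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:RebootInstances",
    "ec2:DescribeAddresses",
    "ec2:AssociateAddress",
    "ec2:DisassociateAddress",
    "autoscaling:*",
    "sns:*",
    "sqs:*",
    "iam:SimulatePrincipalPolicy",
    "iam:GetRole",
]


def as_list(value):
    """IAM allows a string or a list in Statement and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are matched case-insensitively with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """True if an Allow statement matches the action and no Deny statement does."""
    allowed = denied = False
    for stmt in as_list(policy["Statement"]):
        if any(action_matches(p, action) for p in as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required entries the policy does not grant.

    A wildcard requirement such as 'sns:*' is satisfied only by a grant at
    least as broad, i.e. a pattern that matches the wildcard string itself.
    """
    return [a for a in required if not is_allowed(policy, a)]


def wildcard_grants(policy):
    """Allow patterns that grant a whole service ('sns:*') or everything ('*')."""
    grants = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        grants += [p for p in as_list(stmt.get("Action", [])) if p == "*" or p.endswith(":*")]
    return grants


def build_policy(actions):
    """Policy document allowing the given actions on every resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


# Constructed sample: a narrower policy someone might attach by hand.
READ_ONLY_POLICY = build_policy(["ec2:Describe*", "iam:GetRole"])

if __name__ == "__main__":
    full = build_policy(REQUIRED_ACTIONS)
    print(json.dumps(full, indent=2))
    print("missing from full policy:", missing_actions(full))
    print("wildcards to review:", wildcard_grants(full))
    print("missing from read-only policy:", missing_actions(READ_ONLY_POLICY))
```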

Note:

When users log on to the VPX instance through the GUI, a prompt to configure the required privileges for the IAM role appears. Ignore the prompt if the privileges have already been configured.

For more information, see What Is the AWS Command Line Interface?

Note: Users also need the AWS CLI to change the network interface type to SR-IOV.

Limitations and Usage Guidelines

The following limitations and usage guidelines apply when deploying a Citrix ADC VPX instance on AWS

  • Users should read the AWS terminology listed above before starting a new deployment.

  • The clustering feature is supported only when provisioned with Citrix ADM Auto Scale Groups.

  • For the high availability setup to work effectively, associate a dedicated NAT device to the management interface or associate an Elastic IP (EIP) to the NSIP.

For more information on NAT, in the AWS documentation, see NAT Instances.

  • Data traffic and management traffic must be segregated with ENIs belonging to different subnets.

  • Only the NSIP address must be present on the management ENI.

  • If a NAT instance is used for security instead of assigning an EIP to the NSIP, appropriate VPC level routing changes are required.

For instructions on making VPC level routing changes, in the AWS documentation, see Scenario 2: VPC with Public and Private Subnets.

  • A VPX instance can be moved from one EC2 instance type to another (for example, from m3.large to an m3.xlarge).

For more information, visit Limitations and Usage Guidelines.

  • For storage media for VPX on AWS, Citrix recommends EBS, because it is durable and the data remains available even after the volume is detached from the instance.

  • Dynamic addition of ENIs to a running VPX is not supported; the instance must be restarted to pick up the change. Citrix recommends that users stop the standalone or HA instance, attach the new ENI, and then restart the instance. The primary ENI cannot be changed or attached to a different subnet once it is deployed. Secondary ENIs can be detached and changed as needed while the VPX is stopped.

  • Users can assign multiple IP addresses to an ENI. The maximum number of IP addresses per ENI is determined by the EC2 instance type.

See the section “IP Addresses Per Network Interface Per Instance Type” in Elastic Network Interfaces.

  • Users must allocate the IP addresses in AWS before they assign them to ENIs.

For more information, see Elastic Network Interfaces.

  • Citrix recommends that users avoid using the enable and disable interface commands on Citrix ADC VPX interfaces.

  • The Citrix ADC set ha node <NODE_ID> -haStatus STAYPRIMARY and set ha node <NODE_ID> -haStatus STAYSECONDARY commands are disabled by default.

  • IPv6 is not supported for VPX.

  • Due to AWS limitations, these features are not supported:

    • Gratuitous ARP (GARP)

    • L2 mode (bridging). Transparent vServers are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP.

    • Tagged VLAN

    • Dynamic Routing

    • Virtual MAC

  • For RNAT, routing, and Transparent vServers to work, ensure Source/Destination Check is disabled for all ENIs in the data path.

For more information, see “Changing the Source/Destination Checking” in Elastic Network Interfaces.

  • In a Citrix ADC VPX deployment on AWS, in some AWS regions, the AWS infrastructure might not be able to resolve AWS API calls. This happens if the API calls are issued through a non-management interface on the Citrix ADC VPX instance. As a workaround, restrict the API calls to the management interface only. To do that, create an NSVLAN on the VPX instance and bind the management interface to the NSVLAN, for example:

      set ns config -nsvlan <vlan id> -ifnum 1/1 -tagged NO
      save config

    Restart the VPX instance at the prompt.

For more information about configuring NSVLAN, see Configuring NSVLAN.

  • In the AWS console, the vCPU usage shown for a VPX instance under the Monitoring tab might be high (up to 100 percent), even when the actual usage is much lower. To see the actual vCPU usage, navigate to View all CloudWatch metrics.

For more information, see Monitor your Instances using Amazon CloudWatch.

  • Alternatively, if low latency and performance are not a concern, users may enable the CPU Yield feature, allowing the packet engines to idle when there is no traffic.

For more details about the CPU Yield feature and how to enable it, visit Citrix Support Knowledge Center.
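Two of the guidelines above are procedures rather than facts: the stop, attach, restart sequence for adding a secondary ENI, and disabling Source/Destination Check on every data-path ENI. The following is an added example, not Citrix code, that automates both against an EC2 client. It is duck-typed so that `boto3.client("ec2")` can be passed for a real account; the method names used (`stop_instances`, `get_waiter("instance_stopped")`, `attach_network_interface`, `modify_network_interface_attribute`, `describe_network_interfaces`) are the real boto3 names. The `FakeEC2` class, the instance and ENI IDs, and the ENI table are constructed so that the example runs offline.

```python
import copy

# Constructed sample of describe_network_interfaces output for one VPX
# instance (not from a real account). Device index 0 is the management ENI,
# which carries only the NSIP and is not in the data path.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-mgmt0001", "SourceDestCheck": True,
     "Attachment": {"InstanceId": "i-vpx0001", "DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-client01", "SourceDestCheck": True,
     "Attachment": {"InstanceId": "i-vpx0001", "DeviceIndex": 1}},
    {"NetworkInterfaceId": "eni-server01", "SourceDestCheck": False,
     "Attachment": {"InstanceId": "i-vpx0001", "DeviceIndex": 2}},
]


class FakeEC2:
    """Offline stand-in for boto3.client("ec2"): records every call and keeps
    a small in-memory ENI table for a single instance (filters are ignored)."""

    def __init__(self, interfaces=SAMPLE_ENIS):
        self.calls = []
        self.interfaces = copy.deepcopy(interfaces)

    def stop_instances(self, **kw):
        self.calls.append(("stop_instances", kw))

    def start_instances(self, **kw):
        self.calls.append(("start_instances", kw))

    def get_waiter(self, name):
        fake = self

        class Waiter:
            def wait(self, **kw):
                fake.calls.append(("wait:" + name, kw))
        return Waiter()

    def attach_network_interface(self, **kw):
        self.calls.append(("attach_network_interface", kw))
        # AWS creates ENIs with Source/Destination Check enabled by default.
        self.interfaces.append({
            "NetworkInterfaceId": kw["NetworkInterfaceId"], "SourceDestCheck": True,
            "Attachment": {"InstanceId": kw["InstanceId"], "DeviceIndex": kw["DeviceIndex"]}})
        return {"AttachmentId": "eni-attach-%04d" % len(self.interfaces)}

    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("modify_network_interface_attribute", kw))
        for eni in self.interfaces:
            if eni["NetworkInterfaceId"] == kw["NetworkInterfaceId"]:
                eni["SourceDestCheck"] = kw["SourceDestCheck"]["Value"]

    def describe_network_interfaces(self, **kw):
        self.calls.append(("describe_network_interfaces", kw))
        return {"NetworkInterfaces": list(self.interfaces)}


def add_secondary_eni(ec2, instance_id, eni_id, device_index):
    """Stop the VPX, attach a secondary ENI, clear Source/Destination Check on
    it, and start the VPX again: the sequence the guide requires, because the
    VPX does not pick up ENIs added while it is running."""
    if device_index == 0:
        # The primary ENI cannot be replaced or moved after deployment.
        raise ValueError("device index 0 is the primary ENI; use an index >= 1")
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    resp = ec2.attach_network_interface(
        NetworkInterfaceId=eni_id, InstanceId=instance_id, DeviceIndex=device_index)
    # With the check enabled, AWS drops packets the ENI neither sourced nor is
    # the destination of, which breaks RNAT, routing and transparent vServers.
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})
    ec2.start_instances(InstanceIds=[instance_id])
    return resp["AttachmentId"]


def enis_with_source_dest_check(ec2, instance_id):
    """Audit: IDs of non-management ENIs on the instance that still enforce
    Source/Destination Check. Device index 0 (management) is skipped."""
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}])
    return sorted(
        eni["NetworkInterfaceId"] for eni in resp["NetworkInterfaces"]
        if eni["Attachment"]["DeviceIndex"] != 0 and eni["SourceDestCheck"])


if __name__ == "__main__":
    ec2 = FakeEC2()  # swap for boto3.client("ec2") against a real account
    print("ENIs still checking src/dst:", enis_with_source_dest_check(ec2, "i-vpx0001"))
    print("attached:", add_secondary_eni(ec2, "i-vpx0001", "eni-new00003", 3))
```

The audit function is the check worth running after any ENI change in an HA pair: a data-path ENI that was attached by hand usually still has the check enabled, and the symptom (RNAT or transparent traffic vanishing on one node) is easy to misattribute to the VPX configuration.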

AWS-VPX Support

Supported VPX Models on AWS

  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 200 Mbps
  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 1000 Mbps
  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 3 Gbps
  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 5 Gbps
  • Citrix ADC VPX Standard/Advanced/Premium - 10 Mbps
  • Citrix ADC VPX Express - 20 Mbps
  • Citrix ADC VPX - Customer Licensed

Supported AWS Regions

  • US West (Oregon) Region
  • US West (N. California) Region
  • US East (Ohio) Region
  • US East (N. Virginia) Region
  • Asia Pacific (Seoul) Region
  • Canada (Central) Region
  • Asia Pacific (Singapore) Region
  • Asia Pacific (Sydney) Region
  • Asia Pacific (Tokyo) Region
  • Asia Pacific (Hong Kong) Region
  • China (Beijing) Region
  • China (Ningxia) Region
  • EU (Frankfurt) Region
  • EU (Ireland) Region
  • EU (London) Region
  • EU (Paris) Region
  • South America (São Paulo) Region
  • AWS GovCloud (US-East) Region

Supported AWS Instance Types

  • m3.large, m3.xlarge, m3.2xlarge
  • c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge
  • m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge
  • m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge
  • c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge, c5.24xlarge
  • c5n.large, c5n.xlarge, c5n.2xlarge, c5n.4xlarge, c5n.9xlarge, c5n.18xlarge

Supported AWS Services

  • EC2
  • Lambda
  • S3
  • VPC
  • Route 53
  • ELB
  • CloudWatch
  • AWS Auto Scaling
  • CloudFormation
  • Simple Queue Service (SQS)
  • Simple Notification Service (SNS)
  • Identity & Access Management (IAM)

For higher bandwidth, Citrix recommends the following instance types:

Instance Type              Bandwidth            Enhanced Networking (SR-IOV)
M4.10xlarge                3 Gbps and 5 Gbps    Yes
C4.8xlarge                 3 Gbps and 5 Gbps    Yes
C5.18xlarge/M5.18xlarge    25 Gbps              ENA
C5n.18xlarge               30 Gbps              ENA

To remain updated about the current supported VPX models and AWS regions, instance types, and services, visit VPX-AWS support matrix.
