Citrix ADC

High availability across AWS availability zones

You can configure two Citrix ADC VPX instances on two different subnets or two different AWS availability zones, as a high availability active-passive pair in Independent Network Configuration (INC) mode. If for any reason, the primary node is unable to accept connections, the secondary node takes over.

For more information about high availability, see High availability. For more information about INC, see Configuring high availability nodes in different subnets.

Points to note

  • Read the following documents before you start your deployment:
  • The VPX high availability pair can either reside in the same availability zone in a different subnet or in two different AWS availability zones.
  • Citrix recommends that you use different subnets for management (NSIP), client traffic (VIP), and back-end server (SNIP).
  • High availability must be set in Independent Network Configuration (INC) mode for a failover to work.
  • The two instances must have port 3003 open for UDP traffic as that is used for heartbeats.
  • The management subnets of both nodes must have access to the internet or to the AWS API server through an internal NAT so that the REST APIs are functional.
  • The IAM role must have EC2 permissions for public IP or elastic IP (EIP) migration and EC2 route table permissions for private IP migration.

You can deploy high availability across AWS availability zones in the following ways:

  • Using elastic IP addresses
  • Using private IP addresses

How high availability across AWS availability zones works

Upon failover, the EIP of the VIP of the primary instance migrates to the secondary, which takes over as the new primary. In the failover process, the AWS API:

  1. Checks the virtual servers that have IPSets attached to them.
  2. Of the two IP addresses the virtual server is listening on (one attached directly to the virtual server and one attached through the IP set), finds the one that has an associated public IP.
  3. Reassociates the public IP (EIP) to the private IP belonging to the new primary VIP.
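
The three failover steps above, modelled as an added Python example (not Citrix ADC or AWS code): the virtual-server list, the EIP association table and the new primary's address set are constructed sample data, and the function names are my own.

```python
# Added illustration of the EIP-migration failover steps above. Not Citrix ADC or
# AWS code: plain Python structures stand in for the ADC virtual-server
# configuration and the AWS EIP association table so the logic runs offline.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class VirtualServer:
    name: str
    vip: str                                  # private IP bound directly to the vserver
    ipset: List[str] = field(default_factory=list)  # private IPs bound through the IP set

# Constructed sample. In INC mode the nodes sit in different subnets: 10.0.1.x
# belongs to the old primary, 10.0.2.x to the new primary, and the EIP is
# currently associated with the old primary's address.
VSERVERS = [
    VirtualServer("lb_web", vip="10.0.1.10", ipset=["10.0.2.10"]),
    VirtualServer("lb_internal", vip="10.0.1.20"),  # no IPSet: step 1 skips it
]
EIP_TABLE: Dict[str, str] = {"10.0.1.10": "203.0.113.10"}  # private IP -> EIP
NEW_PRIMARY_IPS: Set[str] = {"10.0.2.10", "10.0.2.20"}

def listening_addresses(vs: VirtualServer) -> List[str]:
    """Step 2: the directly bound address plus every IP-set member."""
    return [vs.vip, *vs.ipset]

def find_eip(vs: VirtualServer, eip_table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Steps 1-2: for a vserver with an IPSet, return (private_ip, eip) for the
    listening address that currently carries a public IP, else None."""
    if not vs.ipset:                      # step 1: only IPSet-bound vservers take part
        return None
    for ip in listening_addresses(vs):
        if ip in eip_table:
            return ip, eip_table[ip]
    return None

def plan_failover(vservers, eip_table, new_primary_ips) -> List[Tuple[str, str, str]]:
    """Step 3: (eip, from_private_ip, to_private_ip) for every EIP that must be
    re-associated to the listening address owned by the new primary."""
    moves = []
    for vs in vservers:
        hit = find_eip(vs, eip_table)
        if hit is None:
            continue
        from_ip, eip = hit
        targets = [ip for ip in listening_addresses(vs) if ip in new_primary_ips]
        if len(targets) != 1:             # none or ambiguous: refuse to guess
            raise ValueError(f"{vs.name}: expected one new-primary address, got {targets}")
        moves.append((eip, from_ip, targets[0]))
    return moves
```

A virtual server whose IP set holds no address on the new primary is reported as an error rather than silently left without a public IP, which is the misconfiguration a failover test should surface.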

To protect your network from attacks such as denial-of-service (DoS) when using an EIP, you can create security groups in AWS to restrict IP access. For high availability, you can switch from the EIP solution to the private IP movement solution, depending on your deployment.
