Overview of Citrix App Delivery and Security service – Citrix Managed

Citrix App Delivery and Security Service – Citrix Managed provides an outcome-focused model that allows you to specify the functional and business intent of your application deployment. Based on the specified functional intent, Citrix App Delivery and Security Service – Citrix Managed creates policies to configure functionalities, such as security protection, load balancing, SSL offloading, content rules, and multi-site applications. For example, when you select the A+ profile, the service configures the ciphers and other entities required to get an A+ rating from Qualys Labs for your applications.

The service continuously optimizes the deployment by auto-redirecting traffic to a better site, auto-removing a server, or autoscaling capacity dynamically to match the application’s needs.

The discovery-driven configuration paradigm aims to automate, speed up, and simplify the laborious process of application delivery by discovering origin application servers automatically using APIs. For example, when specifying the application servers, you can specify the application EC2 instances or an AWS application Autoscale group. The service continuously maps these IDs to their corresponding IP addresses and discovers new IP addresses used by the application, or IP addresses that are no longer part of your application. The service also manages the allocation of your application public IP addresses and registers them in AWS Route 53 with a user-provided domain name.

Based on the business intent, Citrix App Delivery and Security Service – Citrix Managed auto-sizes the required infrastructure and adjusts it on demand. For example, the service auto-adjusts if there is a change in the number of the origin application servers due to scaling events, and changes stickiness settings accordingly. After delivering the applications, you can use the rich analytics in Citrix App Delivery and Security Service – Citrix Managed to:

  • Monitor application performance.
  • Troubleshoot using the detected anomalies.
  • Visualize the threat details associated with security and take corrective actions to secure the applications.

The following diagram depicts the workflow.

Citrix App Delivery and Security Service – Citrix Managed workflow

Citrix App Delivery and Security provides the following benefits:

  • Intent-based workflows: Prepares your AWS VPC to make it ready for delivering your application based on the specified intent.
  • Elastic provisioning: Provides on-demand provisioning and scaling of ADCs based on your application load. Your infrastructure is scaled up during heavy traffic and scaled down when there is less demand.
  • Simplified deployment: Deliver your applications in minutes. The service can also seamlessly integrate with AWS cloud native services and systems. You save on installation and configuration time, and also avoid wasting time and resources on potential errors introduced by the manual process.
  • Operational efficiency: Provides an optimized and automated way to achieve higher operational productivity. Your operational costs are reduced by saving your time, money, and resources on maintaining and upgrading the traditional application delivery infrastructure. You pay only for your actual consumption.
  • Analytics: The service aggregates data across all the applications and identifies anomalies in performance and security.


The following diagram illustrates the infrastructure of how Citrix App Delivery and Security is provisioned during delivery of applications on AWS.

Citrix App Delivery and Security Service – Citrix Managed architecture on AWS


Do not make manual changes to the infrastructure managed by Citrix App Delivery and Security. Doing so might interfere with the functioning of the service.

Citrix App Delivery and Security provisions the following elements in your AWS VPC:

  • Three subnets, one each for management network, client network, and server network.
  • NAT gateway that routes management (control plane) traffic from both the ADC and the agent to the internet.
  • Route table that contains entries for enabling management traffic to go to the internet through the NAT gateway.
  • Citrix agent instance that is a proxy for the service. An agent enables the service to communicate with one or multiple ADCs deployed in your VPC.
  • Security groups that are associated with the ADC instances and the agent. Security groups control inbound and outbound traffic. Only port 80 and port 443 are open.

  • ADC Autoscale cluster - A set of ADC instances that provide the ADC functionality. ADC instances receive traffic and distribute traffic to your application servers.


Citrix App Delivery and Security does not make any changes to the resources created by you in your VPC. It only provisions all the necessary infrastructure to deliver your applications. Provisioning includes cloud native infrastructure, such as network gateways, routing tables, subnets, security groups, ADC instances, and ADS service-agent instances. Provisioned ADC instance names start with the prefix “Citrix-” for easy identification in your AWS console.
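One way to verify the documented 80/443 baseline and spot drift caused by manual changes, as an added example that is not Citrix code. It assumes "open" refers to inbound rules and that the input is the JSON returned by `aws ec2 describe-security-groups` for the groups attached to the ADC and agent instances; the sample data, group IDs and group names are constructed.

```python
# Added example: audit inbound rules against the 80/443 baseline from the page.
# SAMPLE mimics `aws ec2 describe-security-groups` output; all IDs, names and
# CIDRs in it are constructed for illustration.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "example-adc-client", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "example-adc-mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "example-agent", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
]}

ALLOWED_TCP_PORTS = {80, 443}  # assumption: baseline applies to inbound TCP


def violation(perm):
    """Return a reason string if one IpPermissions entry exceeds the baseline."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # AWS encoding for "all protocols, all ports"
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto != "tcp" or lo is None or hi is None:
        return f"{proto} {lo}-{hi}"
    # A range rule is acceptable only if every port it covers is allowed,
    # so 80-443 is flagged even though both endpoints are on the list.
    if all(p in ALLOWED_TCP_PORTS for p in range(lo, hi + 1)):
        return None
    return f"tcp {lo}" if lo == hi else f"tcp {lo}-{hi}"


def audit(described):
    """Return (group_id, reason, sources) for every rule outside the baseline."""
    findings = []
    for sg in described.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            reason = violation(perm)
            if reason:
                sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                           + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                           + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])
                findings.append((sg["GroupId"], reason, sources))
    return findings
```

Calling `audit(SAMPLE)` reports the SSH rule, the 80-443 range rule and the all-traffic rule, and leaves the compliant group unreported.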

The following diagram illustrates the traffic flow in your environment. Application traffic is distributed across multiple availability zones depending on the deployment of your application servers. The ADC cluster processes the traffic and selects an origin application server to handle the request, based on the configured load balancing settings. The origin application server might be in the same or a different availability zone.

Citrix App Delivery and Security Service – Citrix Managed traffic flow on AWS
