Create an environment

An environment represents the infrastructure that is used for application delivery. The necessary infrastructure, such as gateways, agents, and ADCs, is prepared as part of the environment deployment. Once deployed, this environment can be used to deliver multiple applications.

The Citrix App Delivery and Security service provisions the following elements in the customer’s AWS VPC as part of environment deployment:

  • AWS CFT (CloudFormation template) deployment that creates the following entities in the customer’s AWS VPC:
    • Three subnets, one each for management network, client network, and server network.
    • NAT gateway that routes management/control plane traffic from both the ADC and the agent to the internet.
    • Route table that contains entries for enabling management traffic to go to the internet through the NAT gateway.
    • Security groups that are associated with the ADC instances and the agent. Security groups control inbound and outbound traffic.
  • Citrix agent instance that is a proxy for the service. An agent enables the service to communicate with one or multiple ADCs deployed in the customer VPC.
  • ADC Autoscale cluster (a set of ADC instances) that provides the ADC functionality. ADC instances receive client traffic and distribute it to your application servers.

Subnets

The service creates three subnets per availability zone for deploying the app delivery infrastructure. Each subnet has 255 addresses. That is, the service reserves 765 (3*255) IP addresses for each availability zone. Ensure that the following conditions are met for the VPC CIDR block size where the app delivery infrastructure is deployed:

  • To deploy the environment in two availability zones, the VPC CIDR block size must be greater than the /21 netmask (2,048 IP addresses).

  • To deploy the environment in one availability zone, the VPC CIDR block size must be greater than the /22 netmask (1,024 IP addresses). Because the infrastructure is deployed in a single availability zone, Citrix recommends not using this option for a production environment. It is best suited for staging or proof-of-concept (POC) deployments.

Connect to an application server in a different VPC

Deploying the app delivery infrastructure in the same VPC as the origin application servers saves cost and reduces management overhead. However, you might want to deploy both in different VPCs to isolate the infrastructure. For this deployment to work, the app delivery infrastructure in one VPC must be able to send traffic to the origin application servers in another VPC.

To establish communication between the VPC of the app delivery infrastructure and the VPC of the origin application servers, the following options are available:

  • VPC Peering: Use for network connections between two VPCs.

  • Transit Gateway: Use for network connections between many VPCs.

The terms app delivery infrastructure VPC and CADS VPC are used interchangeably in this document.

Prerequisites

Configure VPC peering or Transit Gateway in your AWS account so that you can select them in the CADS service GUI.

Notes

  • The origin application server VPC cannot have overlapping CIDRs with the CADS VPC.
  • To avoid latency between the CADS VPC and the origin application servers, both must be in the same region.

For VPC peering, perform the following steps in your AWS account:

  1. Create a VPC peering connection between the CADS VPC and origin application server VPC. A peering ID is allocated as a result.
  2. Add entries to the route table for application servers to respond to the CADS VPC using the peering ID. For a sample routing table entry, see Routing table for the VPC peering option.

    Note

    The CADS service configures the routes for the CADS VPC to send traffic to the origin application server VPC.

  3. Add rules to the security group attached to the origin application server to allow traffic from the CADS VPC.

For Transit Gateway, perform the following steps in your AWS account:

  1. Create a transit gateway.
  2. Attach the VPC of the origin application servers to the transit gateway.
  3. Add entries to the route table for the origin application servers to respond to the CADS VPC. For a sample routing table entry, see Routing table for the Transit Gateway option.

    Note

    The CADS service configures the routes for the CADS VPC to send traffic to the origin application server VPC.

  4. Add rules to the security group attached to the origin application server to allow traffic from the CADS VPC.

For more information about VPC peering and Transit Gateway, see the AWS documentation.

Routing table for the VPC peering option

This section helps in adding entries to the route table for origin application servers to respond to the CADS VPC by using the peering ID.

[Illustration: VPC peering between the CADS VPC and the origin application server VPC]

For the preceding illustration, the routing table entry in the origin application server VPC must be defined as follows:

Destination       Next Hop
192.2.0.0/16      peering ID

Routing table for the Transit Gateway option

This section helps in adding entries to the route table for origin application servers to respond to the CADS VPC by using a transit gateway.

[Illustration: Transit Gateway connecting the CADS VPC and the origin application server VPCs]

For the preceding illustration, the routing table entry for each origin application server VPC must be defined as follows:

Destination       Next Hop
192.2.0.0/16      TGW
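The following pre-flight check is an added example, not Citrix code, covering the prerequisites stated above: the VPC block size for one or two availability zones (Subnets section), the rule that the origin VPC CIDR must not overlap the CADS VPC CIDR (Notes), and the return route the origin VPC route table needs for the peering and Transit Gateway options. All CIDRs and the pcx-/tgw- identifiers are constructed sample values, and "greater than the /21 netmask" is taken to mean a prefix length of /21 or shorter.

```python
"""Pre-flight checks for the CADS VPC prerequisites (added example, not Citrix code)."""
import ipaddress

# Smallest acceptable VPC block per availability zone count, from the Subnets section.
# Assumption: "greater than the /21 netmask" means a /21 or a larger block.
MIN_PREFIX_BY_AZ_COUNT = {1: 22, 2: 21}
SUBNETS_PER_AZ = 3          # management, client and server subnets
ADDRESSES_PER_SUBNET = 255  # per-subnet size as stated on the page


def check_vpc_cidr(vpc_cidr, az_count, origin_vpc_cidrs):
    """Return a list of problems; an empty list means the CADS VPC is usable."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if az_count not in MIN_PREFIX_BY_AZ_COUNT:
        return [f"unsupported availability zone count: {az_count}"]
    min_prefix = MIN_PREFIX_BY_AZ_COUNT[az_count]
    if vpc.prefixlen > min_prefix:
        reserved = SUBNETS_PER_AZ * az_count * ADDRESSES_PER_SUBNET
        problems.append(f"{vpc} is too small for {az_count} AZ(s): needs /{min_prefix} "
                        f"or larger ({reserved} addresses are reserved)")
    # The origin application server VPC must not overlap the CADS VPC (Notes section).
    for cidr in origin_vpc_cidrs:
        origin = ipaddress.ip_network(cidr, strict=True)
        if vpc.overlaps(origin):
            problems.append(f"CADS VPC {vpc} overlaps origin VPC {origin}")
    return problems


def return_route(cads_vpc_cidr, attachment_id):
    """Route the origin VPC needs so its servers can respond to the CADS VPC.

    attachment_id is a peering connection (pcx-...) or a transit gateway (tgw-...).
    """
    if not attachment_id.startswith(("pcx-", "tgw-")):
        raise ValueError("next hop must be a peering connection or transit gateway ID")
    return {"Destination": str(ipaddress.ip_network(cads_vpc_cidr)), "NextHop": attachment_id}


def missing_return_route(route_table, cads_vpc_cidr, attachment_id):
    """True if the origin VPC route table (list of dicts) lacks the required return route."""
    return return_route(cads_vpc_cidr, attachment_id) not in route_table


if __name__ == "__main__":
    # Constructed sample values: two AZs, the /16 CADS VPC from the illustration, one origin VPC.
    print(check_vpc_cidr("192.2.0.0/16", 2, ["10.0.0.0/16"]))
    print(check_vpc_cidr("192.2.0.0/22", 2, ["192.2.0.0/24"]))
    origin_table = [{"Destination": "10.0.0.0/16", "NextHop": "local"}]
    print(missing_return_route(origin_table, "192.2.0.0/16", "pcx-0123456789abcdef0"))
```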

Create an environment

  1. In the left navigation pane, click Environments.
  2. In the Environments tab, click Create.
  3. Specify values for the following parameters:
    • Name
    • Cloud Access Profile
    • AWS Region
    • Availability Zones
    • AWS VPC - The VPC where the app delivery infrastructure is to be deployed.

      If the app delivery infrastructure and origin application servers are in different VPCs, specify the following parameters for the origin application servers.

      • AWS VPC
      • Subnet

      Select how the CADS service connects to the origin application servers. Options are as follows:

      • VPC Peering

        Configure VPC peering

      • Transit Gateway

        Configure Transit Gateway

    • Tags
  4. Click Create.