Create cloud access profiles

A cloud access profile is used by Citrix App Delivery and Security service to acquire permissions on the customer’s AWS account for deploying application delivery infrastructure in customer owned VPCs. To create this profile, you must be the AWS account administrator that has the necessary permissions on the VPC that you intend to use for delivering your applications. Your AWS account must allow you to use AWS CloudFormation and IAM services.

As part of creating the cloud access profile, two IAM roles on AWS are created. One IAM role gives permissions to the service to provision infrastructure on your AWS account, such as networks, NAT Gateways, security groups, and ADC instances. The other IAM role is used by the ADC VPX instances deployed in your account. The role is used to enable support for back-end auto scaling, if your application servers are deployed as an AWS autoscaling group.

Citrix provides a ready-made CloudFormation template (CFT) to simplify the configuration of these two IAM roles. The template helps an administrator in creating these two IAM roles that are needed for the cloud access profile creation.

IAM role created for Citrix App Delivery and Security service

The IAM role gives permissions to the service’s AWS account to create and delete entities in AWS on your behalf. The following high-level permissions are granted to the service:

  • Provision instances using EC2.
  • Create and delete security groups and subnets.
  • Create and delete NAT gateway.
  • Create and delete network load balancers.
  • Create and delete DNS hosted zones and DNS records inside zones using AWS Route 53.
  • Attach and remove IAM roles to and from instances.

These high level permissions are used by the service in the following scenarios:

  1. When the first application is deployed in a VPC:
    • New ADC EC2 instances are assigned the second IAM role to enable back-end Autoscale support.
    • NAT gateway, subnets, and security groups are created.
    • Citrix agent and Citrix ADCs are provisioned.
  2. When more applications are later deployed in the same VPC:
    • IP addresses are acquired in the ADCs for the application.
    • Network load balancing is configured with these application IP addresses.
    • DNS entries are created with the domain specified for the application.
  3. When autoscaling of ADCs is done to adjust to the traffic patterns. For example, a new ADC instance is created if the existing set of ADCs is operating at full capacity.

The IAM role is the mechanism in AWS by which you grant these permissions to the AWS account in which you run the service.

IAM role created for Citrix ADC VPX instances

During infrastructure provisioning when the first application is deployed in a VPC:

  • The ADC VPX instances are created.
  • The IAM role with the following set of permissions is assigned to the VPX instances by the service.

The high-level permissions are used for tasks such as:

  • Change IP address on network interfaces.
  • Listen to the Amazon simple queue service (SQS).
  • Learn about changes to Autoscale groups.

The permissions are needed for the ADC in the following scenarios:

  • During application delivery with origin application servers that are part of an Autoscale group. The ADC calls the AWS services to find the list of origin application servers that are part of the Autoscale group.
  • If the ADC cluster head fails or if the cluster ADC head is not reachable, then the ADC selects a new cluster head. The ADC then shifts the cluster head IP address to the newly elected cluster head.

Create a cloud access profile

  1. Click Environments.
  2. In the Cloud Access Profiles tab, click Create.
  3. Follow the instructions to create a profile.
  4. Click Create.
Create cloud access profiles