Deliver an application

An application is the central component in Citrix App Delivery and Security and contains the application delivery and security information required to deliver the customer’s application. Two main components of an application are its services and endpoints. Services correspond to the customer’s application servers. Endpoints correspond to the FQDN and virtual IP addresses that users use to reach the application.

The configuration of an application is organized as a set of application delivery features. These features help in optimizing, securing, accelerating, and ensuring availability of customers' applications. Each application delivery feature allows a user to configure a specific feature provided by Citrix App Delivery and Security. Together they constitute the overall application delivery configuration for your application.

Create an application from scratch or migrate the configuration from an existing ADC setup. For more information about migrating a configuration, see Migrate an application from a Citrix ADC appliance.

You can also deliver your application globally in multiple locations around the world. Add locations to your application to reduce response time and improve the application experience for all users. Citrix App Delivery and Security automatically steers requests to the best location where your application is delivered. It bases this decision on the availability of each location and the state of the internet for each individual user.

Also, you no longer have to guess where to host the application servers. Based on the traffic insights, such as latency, availability, and throughput, Citrix App Delivery and Security recommends the best locations for hosting your applications. For more information, see Multi-site application.

Before you can deliver an application, you must create at least one cloud access profile and one application environment.

Cloud access profiles and IAM roles

A cloud access profile is used by Citrix App Delivery and Security to acquire permissions on the customer’s AWS account for deploying application delivery infrastructure in customer-owned VPCs. To create this profile, you must be the AWS account administrator that has the necessary permissions on the VPC that you intend to use for delivering your applications. Your AWS account must allow you to use AWS CloudFormation and IAM services.

As part of creating the cloud access profile, two IAM roles on AWS are created. One IAM role gives permissions to Citrix App Delivery and Security to provision infrastructure on your AWS account, such as networks, NAT Gateways, security groups, and ADC instances. The other IAM role is used by the ADC VPX instances deployed in your account. The role is used to enable support for back-end auto scaling, if your application servers are deployed as an AWS autoscaling group.

Citrix provides a ready-made CloudFormation template (CFT) to simplify the configuration of these two IAM roles. The template helps an administrator in creating these two IAM roles that are needed for the cloud access profile creation.

IAM role created for Citrix App Delivery and Security

The IAM role gives permissions to the Citrix App Delivery and Security AWS account to create and delete entities in AWS on your behalf. The following high-level permissions are granted to Citrix App Delivery and Security:

  • Provision instances using EC2.
  • Create and delete security groups and subnets.
  • Create and delete NAT gateway.
  • Create and delete network load balancers.
  • Create and delete DNS hosted zones and DNS records inside zones using AWS Route 53.
  • Attach and remove IAM roles to and from instances.

These high-level permissions are used by Citrix App Delivery and Security in the following scenarios:

  1. When the first application is deployed in a VPC:
    • New ADC EC2 instances are assigned the second IAM role to enable back-end Autoscale support.
    • NAT gateway, subnets, and security groups are created.
    • Citrix agent and Citrix ADCs are provisioned.
  2. When more applications are later deployed in the same VPC:
    • IP addresses are acquired in the ADCs for the application.
    • Network load balancing is configured with these application IP addresses.
    • DNS entries are created with the domain specified for the application.
  3. When autoscaling of ADCs is done to adjust to the traffic patterns. For example, a new ADC instance is created if the existing set of ADCs is operating at full capacity.

The IAM role is the mechanism in AWS by which you grant these permissions to the AWS account in which you run Citrix App Delivery and Security.
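The role described above is a cross-account role: the AWS account in which you run Citrix App Delivery and Security is granted the listed high-level permissions on your account. Two things are worth verifying before the cloud access profile goes live: that the role's trust policy names only that one account, and that the permissions policy does not reach beyond the services the list above implies (EC2, Elastic Load Balancing, Route 53, and the IAM calls needed to attach a role to an instance). The following audit script is an added example, not part of this page or of the Citrix CloudFormation template. The sample policies are constructed for illustration; the account ID, the external ID, and the exact IAM action names are assumptions, since the page only lists the permissions at a high level. The same `audit_permissions_policy` check can be run against the second role that is assigned to the ADC VPX instances.

```python
"""Audit the trust and permissions policies of a cloud-access-profile IAM role.

Added example (not from the page). Sample policies below are constructed;
the account ID, external ID and action names are assumptions.
"""
import json

# Service prefixes that the page's high-level permission list maps to.
EXPECTED_SERVICES = {"ec2", "elasticloadbalancing", "route53", "iam"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_account_id):
    """Return findings for a role trust policy.

    A cross-account role is only as tight as its trust policy: every Allow
    statement should name exactly the account that may assume the role, and
    (assumption, not stated on the page) bind the assumption to an external
    ID so that a third party cannot be tricked into assuming it on someone
    else's behalf.
    """
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p == "*":
                findings.append("trust: wildcard principal allows any AWS account to assume the role")
            elif expected_account_id not in p:
                findings.append(f"trust: unexpected principal {p}")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("trust: no sts:ExternalId condition on AssumeRole")
    return findings


def audit_permissions_policy(policy, expected_services=EXPECTED_SERVICES):
    """Flag administrative wildcards and actions outside the expected services."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*":
                findings.append("perm: full administrative access ('*')")
                continue
            service, _, verb = action.partition(":")
            if verb == "*":
                findings.append(f"perm: wildcard action {action}")
            if service not in expected_services:
                findings.append(f"perm: action {action} outside expected services")
    return findings


# Constructed sample policies (account and external ID are placeholders).
CITRIX_ACCOUNT_ID = "111111111111"

GOOD_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

BAD_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]
}""")

GOOD_PERMS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:RunInstances", "ec2:TerminateInstances",
      "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
      "ec2:CreateSubnet", "ec2:DeleteSubnet",
      "ec2:CreateNatGateway", "ec2:DeleteNatGateway",
      "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:DeleteLoadBalancer",
      "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:ChangeResourceRecordSets",
      "ec2:AssociateIamInstanceProfile", "ec2:DisassociateIamInstanceProfile", "iam:PassRole"
    ],
    "Resource": "*"
  }]
}""")

BAD_PERMS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject", "*"], "Resource": "*"}]
}""")


if __name__ == "__main__":
    for label, trust, perms in (("good", GOOD_TRUST, GOOD_PERMS), ("bad", BAD_TRUST, BAD_PERMS)):
        findings = audit_trust_policy(trust, CITRIX_ACCOUNT_ID) + audit_permissions_policy(perms)
        print(label, findings or "no findings")
```

Run it against the policy documents you download from the IAM console (or from the CloudFormation stack's outputs) rather than the embedded samples; a clean run returns an empty findings list for both policies.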

IAM role created for Citrix ADC VPX instances

During infrastructure provisioning when the first application is deployed in a VPC:

  • The ADC VPX instances are created.
  • The IAM role with the following set of permissions is assigned to the VPX instances by Citrix App Delivery and Security.

The high-level permissions are used for tasks such as:

  • Change IP address on network interfaces.
  • Listen to the Amazon Simple Queue Service (SQS).
  • Learn about changes to Autoscale groups.

The permissions are needed for the ADC in the following scenarios:

  • During application delivery with origin application servers that are part of an Autoscale group. The ADC calls the AWS services to find the list of origin application servers that are part of the Autoscale group.
  • If the ADC cluster head fails or is not reachable, the ADC selects a new cluster head. The ADC then shifts the cluster head IP address to the newly elected cluster head.

Create a cloud access profile

  1. Click Environments.
  2. In the Cloud Access Profiles tab, click Create.
  3. Follow the instructions to create a profile.
  4. Click Create.

Application environments

An environment represents the infrastructure that is used for application delivery. The necessary infrastructure, such as gateways, agents, and ADCs, is prepared as part of the environment deployment. Once deployed, this environment can be used to deliver multiple applications.

Citrix App Delivery and Security provisions the following elements in the customer’s AWS VPC as part of environment deployment:

  • Deploy an AWS CFT to create the following entities in the customer’s AWS VPC:
    • Three subnets, one each for the management network, client network, and server network.
    • NAT gateway that routes management/control plane traffic from both the ADC and the agent to the internet.
    • Route table that contains entries for enabling management traffic to go to the internet through the NAT gateway.
    • Security groups that are associated with the ADC instances and the agent. Security groups control inbound and outbound traffic.
    • Citrix agent instance that is a proxy for the service. An agent enables the service to communicate with one or multiple ADCs deployed in the customer VPC.
    • ADC Autoscale cluster (a set of ADC instances) that provides the ADC functionality. ADC instances receive traffic and distribute it to your application servers.

Create an environment

  1. In the left navigation pane, click Environments.
  2. In the Environments tab, click Create.
  3. Specify values for the following parameters:
    • Name
    • Cloud Access Profile
    • AWS Region
    • AWS VPC
    • Availability Zones
    • Tags


  4. Click Create.

Create an application

Follow these steps to create an application:

  1. Specify application details.
  2. Create services.
  3. Define endpoints.
  4. Configure load balancers.
  5. Configure content rules.
  6. Configure security protection.

Specify application details

You must have at least one environment before you can proceed with application creation.

  1. Type a name for the application, and select an environment.
  2. Click Next.

Create services

Services represent the back-end servers in your VPC. These servers are the origin servers of your application.

  1. Click Create Service.
  2. Specify values for the following parameters:
    • Name
    • Protocol
    • Port
    • App Server Type: Select Auto Scaling Group, EC2 Instances, or Servers, and then select the corresponding auto scaling group, EC2 instances, or servers. Only app servers from the selected environment are displayed. If you select Servers:

      • Server type includes two options: IP address and FQDN. Select an option.
      • Specify an IP address or FQDN, and click Add Server. The details appear in the List of Servers table.
  3. Click Create.
  4. Click Next.

Define endpoints

Endpoints represent the FQDN or the IP address that clients connect to. An endpoint can be internal, that is, reachable only within the VPC; clients can then access the application only from within the internal network. If an external endpoint is selected, any client can access the application over the internet.

The FQDN can be auto-allocated or user-defined. Auto-allocated lets you use a DNS provider other than AWS Route 53. User-defined lets you use AWS Route 53 as a DNS provider to host your application’s FQDN.

An endpoint must have a default content route associated with it. The route includes the conditions and a target service. If the traffic matches the condition, the request is directed to the specified service.

  1. Click Add Endpoint.
  2. Click Create Endpoint.
  3. Specify values for the following parameters:
    • Name
    • Access: Specify Internal or External.
    • FQDN: Specify Auto allocated or User defined.
    • Protocol: Specify HTTP or HTTPS. If you select HTTPS, you must add a certificate and can optionally add an SSL policy to get an A+ rating for your apps. For more information, see Add an SSL certificate.
    • Port
  4. Click Create Endpoint.
  5. Select the endpoint and click Select Endpoint.
  6. (Optional) To add a route based on conditions, click Add. Specify a name, a condition, and a target service. Click Add.
  7. To add a default route, select a service from the Default Content route list. Click Add Default Content route. Requests that do not match any condition are forwarded to this service.

You have completed the steps to create an endpoint. Select from one of the following options:

  • Click Next to configure a load balancer, content rules, and security protection.
  • Click Deploy to start application delivery.

Add an SSL certificate

You must add an SSL certificate if you select the HTTPS protocol. You can add an SSL certificate in the endpoint workflow or using the SSL Certificate Manager. For more information about the SSL Certificate Manager, see SSL certificate manager.

To add an SSL certificate while adding an endpoint:

  1. Click Add SSL Certificate.
  2. In the Select SSL Certificates page, click Create SSL Certificate.
  3. In the Create SSL Certificate page, type a certificate name.
  4. Browse to the location of the certificate and key file on your computer.
  5. If the key is encrypted, add a password.
  6. To add the certificate in the certificate chain, select Add certificate in certificate chain.
  7. Click Create.

To get an A+ rating from Qualys Labs

Perform the following actions to get an A+ rating from Qualys Labs for your apps.

  1. Click Add SSL Policy.
  2. In the Create SSL Policy page, type a name for the policy.
  3. Select A+ Security.
  4. Click Create.

Other configuration

Use load balancing to evenly distribute network traffic and avoid overloading any back-end server. Select an algorithm from the list to direct client requests to a server. Define stickiness to forward all requests from a client to the same server during a session. You can also limit the maximum number of requests to a server to avoid overloading it and redirect traffic to another URL if the server is not reachable. Use health checks to monitor the health of a server. For more information, see Load balancing.

Using content rules, you can evaluate an incoming request and apply one or more actions based on the evaluation. For example, you can drop a connection if a DDoS attack is suspected, or manipulate the data in HTTP requests and responses. Citrix App Delivery and Security supports both rewrite and responder content rules. For more information, see Content rules.

The security protection feature of Citrix App Delivery and Security protects your applications from security threats. Create a security protection to configure features such as allowing or blocking requests, adding exceptions, defining rules to examine the traffic, geo blocking, rate limiting, and cookie consistency. Exceptions can be added for cross-site scripting protection and buffer overflow protection. Exceptions help avoid false positives by letting the matching traffic bypass the check. For more information, see Security protection.

Manage an application

In the Applications page, click Edit or Delete in the Actions column to manage your deployed apps. Redeploy the application after making changes.


Modify and redeploy an application

You can edit the application details, services, endpoints, load balancing, content rules, and security protection settings for an application.

  1. Click the Edit icon.
  2. Click any of the tabs to change the configured values and click Deploy.

You have completed the steps to modify and redeploy an application.
