Citrix Application Delivery Management service

Setting up service graph

Software requirements

Kubernetes Distribution Kubernetes Version Container Network Interfaces (CNI) CPX version CIC version Citrix ADM Agent Version
Open source v1.16.3 Flannel, Calico, or Canal 13.0–47.103 or later 1.6.1 or later 13.0–49.x or later

You can configure the Kubernetes cluster with various deployment topologies and the following table provides the topologies that are supported in service graph:

Topology Supported in service graph
Single-Tier or Unified ingress Yes
Dual-Tier Yes
Cloud Yes, but cloud load balancer is not shown in the graph
Service mesh lite Yes
Services of type LoadBalancer No
Services of type NodePort No

To complete setting up service graph in Citrix ADM, click the topology type that you have configured for your Kubernetes cluster and complete the mentioned procedures:


The procedure to set up service graph for dual-tier and service mesh lite topologies remains the same.

Single tier or Unified ingress topology

Ensure that you have:

Dual tier or Service Mesh Lite topology

Ensure that you have:

Configure Citrix ADM agent

To enable communication between Kubernetes cluster and Citrix ADM, you must install and configure a Citrix ADM agent. You can configure an agent using a hypervisor, public cloud services (such as Microsoft Azure, AWS), or built-in agent available on Citrix ADC instances (ideal for HA deployments).

Follow the procedure to configure an agent.


  • You can also use an existing agent.

  • The Citrix ADM agents are, by default, automatically upgraded to Citrix ADM latest build. You can view the agent details on the Networks > Agents page. You can also specify the time when you want the agent upgrades to happen. For more information, see Configuring Agent Upgrade Settings.

Configure static routes in Citrix ADM agent

Inside the Kubernetes cluster, all containerized pods use an overlay network. Establishing the communication using those private IP addresses directly is not possible. To enable communication from Citrix ADM to Kubernetes cluster, you must configure static routing in Citrix ADM agent.

Consider that you have the following IP addresses for your Kubernetes cluster:

  • Kubernetes master –

  • Kubernetes worker 1 –

  • Kubernetes worker 2 –

On the Kubernetes master, run the following command to identify the pod network to do the static routing:

kubectl get nodes -o jsonpath="{range .items[*]}{'podNetwork: '}{.spec.podCIDR}{'\t'}{'gateway: '}{.status.addresses[0].address}{'\n'}{end}"

The following is an example output after you run the command:

Example command

After successfully configuring a Citrix ADM agent:

  1. Using an SSH client, log on to Citrix ADM agent

  2. Configure the static routing using the command route add -net <public IP address range> <Kubernetes IP address>

    For example:

    route add -net

    route add -net

    route add -net

  3. Verify the configuration by using netstat -rn

    static routing

  4. Append these route commands in /mpsconfig/svm.conf file.

    1. In Citrix ADM agent, access the svm.conf file using the following command:

      vim /mpsconfig/svm.conf

    2. Add the static routes in svm.conf file.

      For example, route add -net

Download the sample deployment files from GitHub

  1. Use the command git clone to clone the git hub repository in the master node.

  2. To access the YAMLs:

    cd citrix-k8s-ingress-controller/example/servicegraph-demo/

Add parameters in CPX YAML file


If you are using CPX 58.x or later, you must use the non-nsroot password while registering to ADM agent. To ensure security, Citrix ADM agent 61.x or later releases need mandatory password change. If your Citrix ADM agent is upgraded to 61.x or latest version, you must ensure to use CPX 58.x or later build.

You must include the following parameters in the cpx.yaml file to ensure CPX registration with Citrix ADM:

- name: "NS_MGMT_SERVER"
  value: "xx.xx.xx.xx"
  value: "xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
- name: "NS_HTTP_PORT"
  value: "9080"
- name: "NS_HTTPS_PORT"
  value: 9443"
- name: "NS_MGMT_USER"
  value: nsroot
- name: "NS_MGMT_PASS
  value: <your password>
  value: "xx.xx.xx.xx"


  • NS_MGMT_SERVER – Indicates the Citrix ADM agent IP address

  • NS_MGMT_FINGER_PRINT – Indicates the authentication for CPX in Citrix ADM agent. To get the fingerprint:

    1. In Citrix ADM, navigate to Networks > Agents

    2. Select the agent and then click View Fingerprint


  • NS_HTTP_PORT – Indicates the HTTP port for communication

  • NS_HTTPS_PORT – Indicates the HTTPS port for communication

  • NS_MGMT_USER - Indicates the user name

  • NS_MGMT_PASS - Indicates the password. Specify a password of your choice

  • LOGSTREAM_COLLECTOR_IP – Indicates the Citrix ADM agent IP address, where Logstream protocol must be enabled to transfer log data from CPX to ADM

Add VPX or SDX or MPX or BLX instance in Citrix ADM

To get the tier-1 ADC instance analytics in service graph, you must add the VPX/SDX/MPX/BLX instance in Citrix ADM and enable Web Insight.

  1. Navigate to Networks > Instances > Citrix ADC

  2. Click the Add option to add the instance. For more information, see Add instances in Citrix ADM

  3. After adding the instance, select the virtual server and enable Web Insight. For more information, see Manage licensing and enable analytics on virtual servers

Add Kubernetes cluster in Citrix ADM

After you configure a Citrix ADM agent and configure static routes, you must add the Kubernetes cluster in Citrix ADM.

To add the Kubernetes cluster:

  1. Log on to Citrix ADM with administrator credentials.

  2. Navigate to Orchestration > Kubernetes > Cluster. The Clusters page is displayed.

  3. Click Add.

  4. In the Add Cluster page, specify the following parameters:

    1. Name - Specify a name of your choice.

    2. API Server URL - You can get the API Server URL details from the Kubernetes Master node.

      1. On the Kubernetes master node, run the command kubectl cluster-info.

        API Server URL

      2. Enter the URL that displays for “Kubernetes master is running at.”

    3. Authentication Token - Specify the authentication token. The authentication token is required to validate access for communication between Kubernetes cluster and Citrix ADM. To generate an authentication token:

      On the Kubernetes master node:

      1. Create a service account by using the YAML.

        kubectl create -f adm_svc_account.yaml

        The service account is created.

      2. Run kubectl create clusterrolebinding citrixadm-sa-admin --clusterrole=cluster-admin --serviceaccount=default:citrixadm-sa to bind the cluster role to service account.

        The service account now has the cluster-wide access.

        A token is automatically generated while creating the service account.

      3. Run kubectl describe sa citrixadm-sa to view the token.

      4. To get the secret string, run kubectl describe secret <token-name>.

        Generate token

    4. Select the agent from the list.


      Ensure to select the same agent that you have added in the CPX YAML.

    5. Click Create.

      add cluster

Deploy a sample microservice application

On the master node:

  1. Run kubectl create -f namespace.yaml to create a namespace.

  2. Deploy hotdrink microservices, ingress, and secrets using following commands:

    kubectl create -f team_hotdrink.yaml -n sg-demo

    kubectl create -f hotdrink-secret.yaml -n sg-demo

Deploy CPX and register CPX in ADM

  1. Run kubectl create -f rbac.yaml to deploy cluster role and cluster binding.

  2. Run kubectl create -f cpx.yaml -n sg-demo to deploy CPX.

After the deployment, the CPX registration is automatically done.

Enable auto select virtual servers for licensing


Ensure you have sufficient virtual server licenses. For more information, see Licensing

After you add Kubernetes cluster in Citrix ADM, you must ensure to auto-select virtual servers for licensing. Virtual servers must be licensed to display data in Service Graph. To auto-select virtual servers:

  1. Navigate to Accounts > Subscriptions.

  2. Under Virtual Server License Summary, enable Auto-select Virtual Servers and Auto-select non addressable Virtual Servers.

    Auto-select virtual server

Enable Web Transaction and TCP Transaction settings

After you add the Kubernetes cluster and enable the auto-select virtual servers, change the Web Transaction Settings and TCP Transactions Settings to All.

  1. Navigate to Analytics > Settings.

    The Settings page is displayed.

  2. Click Enable Features for Analytics.

  3. Under Web Transaction Settings, select All.


  4. Under TCP Transactions Settings, select All.


  5. Click OK.

Send traffic to microservices

Next, you must send traffic to microservices to get the service graph populated in Citrix ADM.

  1. Run kubectl get svc -n sg-demo to expose CPX through NodePort.


  2. Edit the etc/host file and create a domain IP entry for

    You can now access the microservice using

You can view service graph populated at Applications > Service Graphs > Kubernetes Service Graph. For more information, see Service Graph details.

Setting up service graph