Autoscale configuration

NetScaler Console manages all the NetScaler VPX clusters in AWS. NetScaler Console accesses the AWS resources using the Cloud Access Profile.

Prerequisites

This section describes the prerequisites that you must complete in AWS and NetScaler Console before you configure autoscaling NetScaler VPX instances.

This document assumes the following:

  1. You already possess an AWS account.
  2. You have created an Identity and Access Management (IAM) user with all administrative permissions.

Set up AWS components

Perform the following tasks in AWS before autoscaling NetScaler VPX instances in NetScaler Console:

  1. Create subnets.
  2. Create security groups.
  3. Subscribe to NetScaler VPX license in AWS.
  4. Create IAM roles.
  5. Register the DNS domain.

Tip

You can use AWS CloudFormation Templates to automate the AWS prerequisites step for the NetScaler autoscaling.

For more information on how to create VPC, subnet, and security groups, refer the AWS documentation.

Create subnets

Create three subnets in your VPC - one each for the management, client, and server connections. Specify an IPv4 CIDR block from the range that is defined in your VPC for each of the subnets. Specify the availability zone in which you want the subnet to reside. Create all the three subnets in each of the availability zones where servers are present.

  • Management. Existing subnet in your Virtual Private Cloud (VPC) dedicated for management. NetScaler must contact AWS services and requires internet access. Configure a NAT gateway and add a route table entry to allow internet access from this subnet.

    Note

    Ensure to open 27000 and 7279 ports in NetScaler Console. These ports are used to check out NetScaler licenses from NetScaler Console. For more information, see Ports.

  • Client. Existing subnet in your Virtual Private Cloud (VPC) dedicated for the client side traffic. Typically, NetScaler receives client traffic for the application via a public subnet from the internet. Associate the client subnet with a route table which has a route to an Internet gateway. This Subnet allows NetScaler to receive application traffic from the internet.

  • Server. Existing subnet in your Virtual Private Cloud (VPC) dedicated for server side traffic. NetScaler sends traffic to the back-end application servers through this subnet. All your application servers that receive application traffic must be present in this subnet. If the servers are outside this subnet, the application traffic is received through the subnet’s gateway.

Create security groups

Create a security group to control inbound and outbound traffic in the NetScaler VPX instance. Create rules for both incoming and outgoing traffic that you want to control in the NetScaler Autoscale groups. You can add as many rules as you want.

  • Management. Existing security group in your account dedicated for management of NetScaler VPX. Inbound rules are allowed on the following TCP and UDP ports.
    • TCP: 80, 22, 443, 3008–3011, 4001
    • UDP: 67, 123, 161, 500, 3003, 4500, 7000, 27000, 7279

    Make sure that the security group allows the agent to be able to access the VPX.

  • Client. Existing security group in your account dedicated for client side communication of NetScaler VPX instances.

    • TCP: 1025-11024, 11025-21024, 21025-31024
    • UDP : 1025-11024
  • Server. Existing security group in your account dedicated for server-side communication of NetScaler VPX. Typically, it blocks all inbound rules and allows outbound rules to reach the entire VPC.

Subscribe to NetScaler VPX license in AWS

  1. Go to the AWS marketplace.
  2. Log on with your credentials.
  3. Search for NetScaler VPX Customer Licensed, Premium, or Advanced edition.

    NetScalerlicenses1

  4. Subscribe to NetScaler VPX Customer Licensed, Premium Edition, or NetScaler VPX Advanced Edition licenses.

Note

If you want the NetScaler instances in the Autoscale group to check out the licenses from the NetScaler Console, ensure the following:

  • The required NetScaler licenses are available in the NetScaler Console.
  • The NetScaler VPX Customer Licensed product is subscribed.

Create IAM roles

Create IAM entities that grant permission to NetScaler Console and NetScaler instances to perform operations on your AWS account. The NetScaler Console creates or deletes the following from your AWS account:

  • NetScaler EC2 instances
  • Cloud LoadBalancers
  • Route53

Note

Ensure that the role names start with “Citrix-ADM” and the instance profile name starts with “Citrix-ADC.”

Create IAM entities for NetScaler Console:

Create an IAM role so that you can establish a trust relationship between your AWS account and the Citrix’s AWS account with a IAM policy that provides permissions for NetScaler Console to perform operations on your AWS account.

  1. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role.

  2. You are connecting your AWS account with the AWS account in NetScaler Console. So, select Another AWS account to allow NetScaler Console to perform actions in your AWS account.

  3. Type in the 12-digit NetScaler Console AWS account ID. The Citrix ID is 835822366011. You can leave the external ID blank now. Later you must edit the IAM role. Specify the external ID provided by NetScaler Console during the cloud access profile creation in NetScaler Console.

    Cloud-access-profile1

  4. Click Permissions.
  5. In Attach permissions policies page, click Create policy.
  6. You can create and edit a policy in the visual editor or by using JSON.

    The list of permissions from Citrix for NetScaler Console is provided in the following box:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "tag:GetResources",
                "tag:TagResources",
                "tag:UntagResources",
                "tag:getTagKeys",
                "tag:getTagValues",
                "ec2:DescribeInstances",
                "ec2:UnmonitorInstances",
                "ec2:MonitorInstances",
                "ec2:CreateKeyPair",
                "ec2:ResetInstanceAttribute",
                "ec2:ReportInstanceStatus",
                "ec2:DescribeVolumeStatus",
                "ec2:StartInstances",
                "ec2:DescribeVolumes",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:DescribeKeyPairs",
                "ec2:CreateTags",
                "ec2:ResetNetworkInterfaceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeImageAttribute",
                "ec2:AssociateAddress",
                "ec2:DescribeSubnets",
                "ec2:DeleteKeyPair",
                "ec2:DisassociateAddress",
                "ec2:DescribeAddresses",
                "ec2:DeleteTags",
                "ec2:RunScheduledInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeRegions",
                "ec2:DescribeDhcpOptions",
                "ec2:GetConsoleOutput",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:ReleaseAddress",
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeTags",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeHosts",
                "ec2:DescribeImages",
                "ec2:DescribeVpcs",
                "ec2:AttachNetworkInterface",
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInternetGateways",
                "ec2:GetEbsEncryptionByDefault",
                "kms:CreateGrant",
                "kms:DescribeKey",
                "kms:Decrypt",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "VisualEditor0"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "VisualEditor1"
        },
        {
            "Action": [
                "route53:CreateHostedZone",
                "route53:CreateHealthCheck",
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:DeleteHostedZone",
                "route53:DeleteHealthCheck",
                "route53:ListHostedZonesByName",
                "route53:GetHealthCheckCount"
                "route53:ListResourceRecordSets",
                "route53.AssociateVPCWithHostedZone",
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "VisualEditor2"
        },
        {
            "Action": [
                "iam:ListInstanceProfiles",
                "iam:ListAttachedRolePolicies",
                "iam:SimulatePrincipalPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "VisualEditor3"
        },
        {
            "Action": [
                "ec2:ReleaseAddress",
                "elasticloadbalancing:DeleteLoadBalancer",
                "ec2:DescribeAddresses",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeregisterTargets",
                "ec2:DescribeSubnets",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ec2:AllocateAddress"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "VisualEditor4"
        }
      ]
    }
    
    <!--NeedCopy-->
    
  7. Copy and paste the list of permissions in the JSON tab and click Review policy.
  8. In the Review policy page, type a name for the policy, enter a description, and click Create policy.

    Note

    Ensure that the name starts with “Citrix-ADM-.”

  9. In the Create Role page, enter the name of the role.

    Note

    Ensure that the role name starts with “Citrix-ADM-.”

Create IAM entities for NetScaler instances created by NetScaler Console:

Create an IAM role with a IAM policy that provides permissions for a NetScaler to perform operations on your AWS account. This role is attached to NetScaler instances that will be created by NetScaler Console thereby enabling NetScaler instances to access your account.

  1. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role.

Similarly, create a profile for the NetScaler instances by providing a different name starting with “Citrix-ADC”.

Ensure that you select AWS service > EC2,

  1. In Attach permissions policies page, click Create policy.

  2. You can create and edit a policy in the visual editor or by using JSON.

Create role

The list of permissions from Citrix for NetScaler instances is provided in the following box:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:SimulatePrincipalPolicy",
        "autoscaling:*",
        "sns:*",
        "sqs:*",
        "cloudwatch:*",
        "ec2:AssignPrivateIpAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}
<!--NeedCopy-->

Register the DNS domain

Ensure that you have registered the DNS domain for hosting your applications.

Assess the number of elastics IPs (EIP) required in your network.

The number of EIPs required varies based on whether you are deploying DNS based autoscaling or NLB based autoscaling. To increase the number of EIPs, create a case with AWS.

  • For DNS based autoscaling, the number of EIPs required per availability zone is equal to the number of applications multiplied by the maximum number of VPX instances you want to configure in the Autoscale groups.
  • For NLB based autoscaling, the number of EIPs required is equal to the number of applications multiplied by the number of availability zones in which the applications are getting deployed.

Assess the instance limit requirements:

When assessing instance limits, ensure that you consider space requirements for NetScaler instances also.

Set up NetScaler Console components

Perform the following tasks in AWS before you Autoscale NetScaler VPX instances in NetScaler Console:

  1. Provision NetScaler agent on AWS.
  2. Create a site.
  3. Attach the site to a NetScaler agent.

Provision NetScaler agent on AWS

The agent works as an intermediary between the NetScaler Console and the discovered instances in the data center or on the cloud.

  1. Navigate to Infrastructure > Instances > Agents.

  2. Click Provision.

  3. Select AWS and click Next.

  4. In the Cloud Parameters tab, specify the following:

    • Name - specify the agent name.

    • Site - select the site you have created to provision an agent and NetScaler VPX instances.

    • Cloud Access Profile - select the cloud access profile from the list.

    • Availability Zone - Select the zones in which you want to create the Autoscale groups. Depending on the cloud access profile that you have selected, availability zones specific to that profile are populated.

    • Security Group - Security groups control the inbound and outbound traffic in the NetScaler agent. You create rules for both incoming and outgoing traffic that you want to control.

    • Subnet - Select the management subnet where you want to provision an agent.

    • Tags - Type the key-value pair for the Autoscale group tags. A tag consists of a case-sensitive key-value pair. These tags enable you to organize and identify the Autoscale groups easily. The tags are applied to both AWS and NetScaler Console.

  5. Click Finish.

Alternatively, you can install the agent from the AWS marketplace. For more information, see Install NetScaler agent on AWS.

Create a site

Create a site in NetScaler Console and add the details of the VPC associated with your AWS role.

  1. In NetScaler Console, navigate to Infrastructure > Sites.
  2. Click Add.
  3. Select the service type as AWS and enable Use existing VPC as a site.
  4. Select the cloud access profile.
  5. If the cloud access profile doesn’t exist in the field, click Add to create a profile.

    1. In the Create Cloud Access Profile page, type the name of the profile with which you want to access AWS.
    2. Type the ARN associated with the role that you have created in AWS.
    3. Copy the autogenerated External ID to update the IAM role.
  6. Click Create.

  7. Again click Create to create the site.

  8. Update the IAM role in AWS using the auto-generated External ID:

    Cloud-access-profile

    1. Log in to your AWS account and navigate to the role that you want to update.

    2. In the Trust relationships tab, click Edit trust relationship and append the following condition within the Statement block:

      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External-ID>"
        }
      }
      <!--NeedCopy-->
      

    Enabling external ID for a IAM role in AWS allows you to connect to a third-party account. The external ID increases the security of your role.

    The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with your IAM role in AWS are imported in NetScaler Console.

Attach the site to a NetScaler agent

  1. In NetScaler Console, navigate to Infrastructure > Instances > Agents.

  2. Select the agent for which you want to attach a site.

  3. Click Attach Site.

  4. Select the site from the list that you want to attach.

  5. Click Save.

Step 1: Initialize Autoscale configuration in NetScaler Console

  1. In NetScaler Console, navigate to Infrastructure > Public Cloud > Autoscale Groups.
  2. Click Add to create Autoscale groups. The Create AutoScale Group page appears.
  3. Enter the following details.

    • Name. Type a name for the Autoscale group.
    • Site. Select the site that you have created to provision the NetScaler VPX instances on AWS.
    • Cloud Access Profile. Select the cloud access profile.

      Note

      If the cloud access profile does not exist in the field, click Add to create a profile.

      • Type the ARN associated with the role that you have created in AWS.
      • Type the external ID that you provided while creating an Identity and Access Management (IAM) role in AWS. Depending on the cloud access profile that you select, the availability zones are populated.
    • NetScaler Profile. Select the NetScaler profile from the list. This profile will be used by NetScaler Console whenever it requires to log on to the instance.

    • Traffic Distribution Mode. The Load Balancing using NLB option is selected as default traffic distribution mode. If applications are using UDP traffic, then select DNS using AWS route53.

      Note

      After the Autoscale configuration is set up, new availability zones cannot be added or existing availability zones cannot be removed.

    • Enable AutoScale Group. Enable or disable the status of the ASG groups. This option is enabled, by default. If this option is disabled, autoscaling is not triggered.

    • Availability Zones. Select the zones in which you want to create the Autoscale groups. Depending on the cloud access profile that you have selected, availability zones specific to that profile are populated.

    • Tags. Type the key-value pair for the Autoscale group tags. A tag consists of a case-sensitive key-value pair. These tags enable you to organize and identify the Autoscale groups easily. The tags are applied to both AWS and NetScaler Console.

      Create-autoscale-group1

  4. Click Next.

Step 2: Configure Autoscale parameters

  1. In the AutoScale Parameters tab, enter the following details.
  2. Select one or more than one of the following threshold parameters whose values must be monitored to trigger a scale-out or a scale-in.
    • Enable CPU Usage Threshold: Monitor the metrics based on the CPU usage.
    • Enable Memory Usage Threshold: Monitor the metrics based on the memory usage.
    • Enable Throughput Threshold: Monitor the metrics based on the throughput.

      Note

      • Default minimum threshold limit is 30 and maximum threshold limit is 70. However, you change modify the limits.
      • Minimum threshold limit must be equal or less than half of the maximum threshold limit.
      • More than one threshold parameters can be selected for monitoring. In such cases, a scale-in is triggered if at least one of the threshold parameters is above the maximum threshold. However, a scale-in is triggered only if all the threshold parameters are operating below their normal thresholds.

      Create-autoscale-group3

    • Keep a Spare Node for faster Scale Out: This option helps to achieve faster scale-out. NetScaler Console provisions a spare node before the scale-out action occurs and shuts it down. When the scale-out action occurs for the Autoscale group, the NetScaler Console starts the spare node that is already provisioned. As a result, it reduces the time taken for scale-out.

    • Minimum Instances. Select the minimum number of instances that must be provisioned for this Autoscale group.
    • By default, the minimum number of instances is equal to the number of zones selected. You can increment the minimum instances by multiples of the number of zones.
    • For example, if the number of availability zones is 4, the minimum instances is 4 by default. You can increase the minimum instances by 8, 12, 16.
    • Maximum Instances. Select the maximum number of instances that must be provisioned for this Autoscale group.
    • The maximum number of instances must be greater than or equal to the minimum instances value. The maximum number of instances that can be configured is equal to the number of availability zones multiplied by 32.
    • Maximum number of instances = number of availability zones * 32
    • Drain Connection Timeout (minutes). Select the drain connection timeout period. During scale-in, once an instance is selected for deprovisioning, NetScaler Console removes the instance from processing new connections to the Autoscale group and waits until the specified time expires before deprovisioning. This option allows existing connections to this instance to be drained out before it gets deprovisioned.
    • Cooldown period (minutes). Select the cooldown period. During scale-out, the cooldown period is the time for which evaluation of the statistics has to be stopped after a scale-out occurs. This scale-out ensures organic growing of instances of an Autoscale group by allowing current traffic to stabilize and average out on the current set of instances before the next scaling decision is made.
    • DNS Time To Live(seconds). Select the amount of time (in seconds) that a packet is set to exist inside a network before being discarded by a router. This parameter is applicable only when the traffic distribution mode is DNS using AWS route53.
    • Watch-Time (minutes). Select the watch-time duration. The time for which the scale parameter’s threshold has to stay breached for a scaling to happen. If the threshold is breached on all the samples collected in this specified time then a scaling happens.

    Create-autoscale-group4

  3. Click Next.

Step 3: Configure licenses for provisioning NetScaler instances

Select one of the following modes to license NetScaler instances that are part of the Autoscale Group:

  • Using NetScaler Console: While provisioning NetScaler instances, the Autoscale group checks out the licenses from the NetScaler Console.

  • Using the AWS Cloud: The Allocate from Cloud option uses the NetScaler product licenses available in the AWS marketplace. While provisioning NetScaler instances, the Autoscale group uses the licenses from the marketplace.

    If you choose to use licenses from the AWS marketplace, specify the product or license in the Provision Parameters tab.

For more information, see Licensing Requirements.

Use licenses from NetScaler Console

  1. In the License tab, select Allocate from NetScaler Console.

  2. In License Type, select one of the following options from the list:

    • Bandwidth Licenses: You can select one of the following options from the Bandwidth License Types list:

      • Pooled Capacity: Specify the capacity to allocate for every new instance in the Autoscale group.

        From the common pool, each NetScaler instance in the Autoscale group checks out one instance license and only as much bandwidth is specified.

      • VPX Licenses: When a NetScaler VPX instance is provisioned, the instance checks out the license from the NetScaler Console.

    • Virtual CPU Licenses: The provisioned NetScaler VPX instance checks out licenses depending on the number of active CPUs running in the Autoscale group.

    Note

    When the provisioned instances are removed or destroyed, the applied licenses return to the NetScaler Console license pool. These licenses can be reused to provision new instances during the next Autoscale.

  3. In License Edition, select the license edition. The Autoscale group uses the specified edition to provision instances.

  4. Click Next.

Step 4: Configure cloud parameters

  1. In the Cloud Parameters tab, enter the following details.

    • IAM Role: Select the IAM role that you have created in AWS. An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

    • Instance Type: Select the EC2 instance type.

      Note

      The recommended instance type for the selected product is auto-populated, by default.

    • Hyper Threading: This option is enabled by default. If you disable this option, the NetScaler instance gets provisioned with a single thread in each CPU core.

    • AWS AMI ID: Enter the AMI ID specific to the region that you have selected.

    • Origin Server CIDR: When application servers and NetScaler instances are on different VPCs, provide the CIDR block of a VPC where you have application servers.

      Important

      Set up AWS Transit Gateway or VPC peering between application servers VPC and NetScaler instances VPC.

      • For the VPC where the NetScaler instances are provisioned, update the route table and security group of the server subnet.
      • For the VPC where the application servers reside, update the route table and security group of the application servers.

      For more information, see AWS Transit Gateway and VPC peering.

    • IP’s in server subnet per node: Select the number of IP addresses in the server subnet per node for the security group.

      Create-autoscale-group5

    In this tab, you can also specify and configure the required NICs. Select Security Group and Subnet for each NIC.

    • Security Groups: Security groups control the inbound and outbound traffic in a NetScaler VPX instance. Select a security group for Management, Client, and Server traffic. For more information on management, client, and server security groups, see Security Groups.

    • Zones: The number of zones that are populated is equal to the number of availability zones that you have selected. For each zone, select the appropriate values for the subnets.

      You must have three separate subnets such as Management, client, and server subnet to Autoscale NetScaler subnets. Subnets contain the required entities for autoscaling. Select For more information, see Subnets.

      Create-autoscale-group6

  2. Click Finish.

    A progress window with the status for creating the Autoscale group appears. It might take several minutes for the creation and provisioning of Autoscale groups.

    Autoscale-configuration-step7

Step 5: Configure an application for the Autoscale group

  1. In NetScaler Console, navigate to Infrastructure > Public Cloud > Autoscale groups.

  2. Select the Autoscale group that you created and click Configure.

  3. In Configure Application, specify the following details:

    • Application Name - Specify the name of an application.

    • Access Type - You can use the NetScaler Console autoscaling solution to both external and internal applications. Select the required application access type.

    • FQDN Type - Select a mode of assigning domain and zone names.

      If you want to specify manually, select User-Defined. To automatically assign domain and zone names, select Auto-generated.

    • Domain Name - Specify the domain name of an application. This option is applicable only when you select User-defined FQDN type.

    • Zone of the Domain - Select the zone name of an application from the list. This option is applicable only when you select User-defined FQDN type.

      This domain and zone name redirects to the virtual servers in AWS. For example, if you host an application in app.example.com, the app is the domain name and example.com is the zone name.

    • Protocol - Select the protocol type from the list. The configured application receives the traffic depending on the selected protocol type.

    • Port - Specify the port value. The specified port is used to establish a communication between the application and the Autoscale group.

    • Auto Redirect HTTP traffic to HTTPS - Select this option to receive secured traffic to the application. Specify the HTTP port that you want to redirect.

    • NetScaler Configuration mode - Select the mode how you want to configure the application. You can either select StyleBooks or NetScaler CLI commands.

    Configure ASG applications

    If you want to configure an application using StyleBooks, select Yes in the confirmation window.

    Configure an application using StyleBooks

Note

Change the access type of an application if you want to modify the following details in the future:

  • FQDN Type
  • Domain Name
  • Zone of the domain

For more information to use StyleBooks or CLI commands, see Create an application configuration for the Autoscale group.

Autoscale configuration