Product Documentation

Provisioning Citrix ADC VPX Instances on AWS

When you move your applications to the cloud, the number of components that make up your application increases, and those components become more distributed and need to be managed dynamically.

With Citrix ADC VPX instances on AWS, you can seamlessly extend your L4-L7 network stack to AWS. With Citrix ADC VPX, AWS becomes a natural extension of your on-premises IT infrastructure. You can use Citrix ADC VPX on AWS to combine the elasticity and flexibility of the cloud, with the same optimization, security and control features that support the most demanding websites and applications in the world.

With Citrix Application Delivery Management (ADM) monitoring your Citrix ADC instances, you gain visibility into the health, performance, and security of your applications. You can automate the setup, deployment, and management of your application delivery infrastructure across hybrid multi-cloud environments.

AWS terminology

The following section provides a brief description of AWS terms used in this document:

Term | Definition
Amazon Machine Image (AMI) | A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud.
Elastic Compute Cloud (EC2) | A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Elastic network interface (ENI) | A virtual network interface that you can attach to an instance in a VPC.
Instance type | Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications.
Identity and Access Management (IAM) role | An AWS identity with permission policies that determine what the identity can and cannot do in AWS. You can use an IAM role to enable applications running on an EC2 instance to securely access your AWS resources.
Security groups | A named set of allowed inbound network connections for an instance.
Subnets | A segment of the IP address range of a VPC that EC2 instances can be attached to. You can create subnets to group instances according to security and operational needs.
Virtual Private Cloud (VPC) | A web service for provisioning a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.

Supported Citrix ADC AMI instance types

For higher bandwidth, Citrix recommends the following instance types:

Instance types | Bandwidth
M4.X Large Platinum Edition | 10 Mbps
M4.X Large Platinum Edition | 200 Mbps

Prerequisites

This document assumes the following:

  • You possess an AWS account.

  • You have created the required VPC and selected the availability zones.

  • You have added a Citrix ADM service agent in AWS.

For more information on how to create an account and other tasks, see AWS Documentation.

For more information on how to install Citrix ADM service agent on AWS, see Installing Citrix ADM service agent on AWS.

Architecture Diagram

The following image provides an overview of how Citrix ADM connects with AWS to provision Citrix ADC VPX instances in AWS.

[Image: Citrix ADM connecting with AWS to provision Citrix ADC VPX instances]

Configuration tasks

Perform the following tasks on AWS before you provision Citrix ADC VPX instances in Citrix ADM:

  • Create subnets

  • Create security groups

  • Create IAM role and define a policy

Perform the following tasks on Citrix ADM to provision the instances on AWS:

  • Create site

  • Provision Citrix ADC VPX instance on AWS

To create subnets

Create three subnets in your VPC: management, client, and server. These three subnets are required to provision Citrix ADC VPX instances in your VPC. For each subnet, specify an IPv4 CIDR block from the range that is defined in your VPC, and specify the availability zone in which you want the subnet to reside. Create all three subnets in the same availability zone. The following image illustrates the three subnets created in your region and their connectivity to the client system.

[Image: the management, client, and server subnets and their connectivity to the client system]

For more information on VPC and subnets, see VPCs and Subnets.
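The subnet requirements above (three subnets named for management, client, and server, each inside the VPC range, all in one availability zone) can be checked before anything is created. The following is an added example, not Citrix or AWS code; the function name, the CIDR values, and the zone names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

REQUIRED = {"management", "client", "server"}


def check_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems; subnets maps role -> (IPv4 CIDR, availability zone)."""
    problems = []
    vpc = ipaddress.IPv4Network(vpc_cidr)
    if set(subnets) != REQUIRED:
        problems.append(f"expected exactly {sorted(REQUIRED)}, got {sorted(subnets)}")
    nets = {}
    for role, (cidr, _az) in subnets.items():
        try:
            net = ipaddress.IPv4Network(cidr)  # strict: rejects host bits, e.g. 10.0.1.5/24
        except ValueError as exc:
            problems.append(f"{role}: invalid CIDR {cidr} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{role}: {net} is outside VPC range {vpc}")
        nets[role] = net
    # Subnets of one VPC must not overlap each other.
    for (r1, n1), (r2, n2) in combinations(sorted(nets.items()), 2):
        if n1.overlaps(n2):
            problems.append(f"{r1} and {r2} overlap: {n1} / {n2}")
    # The procedure requires all three subnets in the same availability zone.
    zones = {az for _cidr, az in subnets.values()}
    if len(zones) > 1:
        problems.append(f"subnets span several availability zones: {sorted(zones)}")
    return problems


# Constructed sample plans for a constructed VPC range.
VPC_CIDR = "10.0.0.0/16"
GOOD_PLAN = {
    "management": ("10.0.1.0/24", "us-east-1a"),
    "client": ("10.0.2.0/24", "us-east-1a"),
    "server": ("10.0.3.0/24", "us-east-1a"),
}
BAD_PLAN = {
    "management": ("10.1.0.0/24", "us-east-1a"),   # outside the VPC range
    "client": ("10.0.2.0/24", "us-east-1a"),
    "server": ("10.0.2.128/25", "us-east-1b"),     # overlaps client, different zone
}

if __name__ == "__main__":
    print(check_subnet_plan(VPC_CIDR, GOOD_PLAN))
    for problem in check_subnet_plan(VPC_CIDR, BAD_PLAN):
        print(problem)
```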

To create security groups

Create a security group to control inbound and outbound traffic in the Citrix ADC VPX instance. A security group acts as a virtual firewall for your instance. Create security groups at the instance level, not at the subnet level; each instance in a subnet in your VPC can be assigned to a different set of security groups. Add rules to each security group to control the inbound traffic that passes through the client subnet to instances. You can also add a separate set of rules to control the outbound traffic that passes through the server subnet to the application servers. Although you can use the default security group for your instances, you might want to create your own groups. Create three security groups, one for each subnet. Create rules for both the incoming and the outgoing traffic that you want to control. You can add as many rules as you want.

For more information on security groups, see Security Groups for your VPC.

To create an IAM role and define a policy

Create an IAM role so that you can establish a trust relationship between your users and the Citrix trusted AWS account and create a policy with Citrix permissions.

  1. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role.

  2. You are connecting your AWS account with the AWS account in Citrix ADM. So, select Another AWS account to allow Citrix ADM to perform actions in your AWS account.

    Type in the 12-digit Citrix ADM AWS account ID. The Citrix ID is 835822366011. You can also find the Citrix ID in Citrix ADM when you create the cloud access profile.

  3. Enable Require external ID to connect to a third-party account. You can increase the security of your role by requiring an optional external identifier. Type an ID that can be a combination of any characters.

  4. Click Permissions.

  5. On the Attach permissions policies page, click Create policy.

  6. You can create and edit a policy in the visual editor or by using JSON.

    The list of permissions from Citrix is provided in the following box:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeImageAttribute",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:DescribeRegions",
                    "ec2:DescribeDhcpOptions",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeHosts",
                    "ec2:DescribeImages",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeNetworkInterfaceAttribute",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeTags",
                    "ec2:DescribeVolumeStatus",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumeAttribute",
                    "ec2:CreateTags",
                    "ec2:DeleteTags",
                    "ec2:CreateKeyPair",
                    "ec2:DeleteKeyPair",
                    "ec2:ResetInstanceAttribute",
                    "ec2:RunScheduledInstances",
                    "ec2:ReportInstanceStatus",
                    "ec2:StartInstances",
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:UnmonitorInstances",
                    "ec2:MonitorInstances",
                    "ec2:RebootInstances",
                    "ec2:TerminateInstances",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses",
                    "ec2:CreateNetworkInterface",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ResetNetworkInterfaceAttribute",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:AssociateAddress",
                    "ec2:AllocateAddress",
                    "ec2:ReleaseAddress",
                    "ec2:DisassociateAddress",
                    "ec2:GetConsoleOutput"
                ],
                "Resource": "*"
            }
        ]
    }
    
  7. Copy and paste the list of permissions in the JSON tab and click Review policy.

  8. On the Review policy page, type a name for the policy, enter a description, and click Create policy.
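The selections in steps 2 and 3 end up as the role's trust policy, and the external ID condition in it is what keeps another party from having Citrix ADM assume your role on its behalf. The following added example (not Citrix or AWS code) builds that trust policy and audits a role for the Citrix ADM principal, the external ID condition, and the Citrix-ADM- role-name prefix that the site-creation task requires. The account ID 111122223333, the role names, the external ID value, and the function names are constructed for illustration.

```python
import re

CITRIX_ADM_ACCOUNT_ID = "835822366011"  # Citrix ID as stated on this page
TRUSTED = {CITRIX_ADM_ACCOUNT_ID, f"arn:aws:iam::{CITRIX_ADM_ACCOUNT_ID}:root"}
# Role name must start with "Citrix-ADM-" (requirement from the site-creation task).
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/Citrix-ADM-[\w+=,.@-]+")


def build_trust_policy(external_id):
    """Trust policy matching steps 2-3: Citrix ADM account plus a required external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CITRIX_ADM_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_role(role_arn, trust_policy):
    """Return findings for a role; an empty list means it matches the procedure."""
    findings = []
    if not ROLE_ARN_RE.fullmatch(role_arn):
        findings.append("role ARN does not name a Citrix-ADM-* role")
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for n, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # only "*" is valid as a bare string
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if kind != "AWS" or value not in TRUSTED:
                    findings.append(f"statement {n}: unexpected principal {kind}:{value}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {n}: no sts:ExternalId condition")
    return findings


# Constructed sample: a role created without the external ID and with a wildcard principal.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(audit_role("arn:aws:iam::111122223333:role/Citrix-ADM-provisioning",
                     build_trust_policy("constructed-external-id")))
    print(audit_role("arn:aws:iam::111122223333:role/adm-access", WEAK_POLICY))
```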

To create a site in Citrix ADM

Create a site in Citrix ADM and add the details of the VPC associated with your AWS role.

  1. In Citrix ADM, navigate to Networks > Sites.

  2. Click Add.

  3. Select the service type as AWS and enable Use existing VPC as a site.

  4. Select the cloud access profile.

  5. If the cloud access profile doesn’t exist in the field, click Add to create a profile.

    1. In the Create Cloud Access Profile page, type the name of the profile with which you want to access AWS.

    2. Type the ARN associated with the role that you have created in AWS.

    3. Type the external ID that you provided while creating an Identity and Access Management (IAM) role in AWS. See step 4 in To create an IAM role and define a policy task. Ensure that the IAM role name that you specified in AWS starts with “Citrix-ADM-” and that it appears correctly in the Role ARN.

    The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with your IAM role in AWS are imported in Citrix ADM.

  6. Type a name for the site.

  7. Click Create.

To provision Citrix ADC VPX on AWS

Use the site that you have created earlier to provision the Citrix ADC VPX instances on AWS. Provide Citrix ADM service agent details to provision those instances that are bound to that agent.

  1. In Citrix ADM, navigate to Networks > Sites.

  2. Select the site that you created earlier and click Provision VPX.

  3. Type a name for the Citrix ADC instance that is provisioned in AWS.

  4. Configure the following parameters. The values for all these parameters are imported from AWS.

    • Select the Citrix ADM service agent.

    • Select the cloud access profile.

    • Select the AWS Citrix AMI from the list.

    • Select the EC2 instance type.

    • Select the security groups for the three subnets that you have created.

    • Select the availability zones.

    • Select the three subnets - management, client, and server connections.

  5. Click OK.

The Citrix ADC VPX instance is now provisioned on AWS.

Note

Currently, Citrix ADM doesn’t support deprovisioning of Citrix ADC instances from AWS.

To view the Citrix ADC VPX provisioned in AWS

  1. From the AWS home page, navigate to Services and click EC2.

  2. On the Resources page, click Running Instances.

  3. You can view the Citrix ADC VPX provisioned in AWS.

The name of the Citrix ADC VPX instance is the same as the name that you provided while provisioning the instance in Citrix ADM.

To view the Citrix ADC VPX provisioned in Citrix ADM

  1. In Citrix ADM, navigate to Networks > Instances > Citrix ADC.

  2. Select the Citrix ADC VPX tab.

  3. The Citrix ADC VPX instance provisioned in AWS is listed here.
