Product Documentation

Autoscale configuration

To start autoscaling of Citrix ADC VPX instances in AWS, you must complete the following steps:

Autoscale-configuration1

  1. Complete all the pre-requisites on AWS
  2. Complete all the pre-requisites on Citrix ADM
  3. Create autoscale groups

    1. Initialize autoscale configuration
    2. Configure autoscale parameters
    3. Configure provision parameters
  4. Deploy the application

Pre-requisites for AWS

Autoscale-configuration2

You must ensure that you have completed all the pre-requisites on the AWS to use the autoscale feature. This document assumes that you already possess an AWS account.

The next few sections assist you in performing all the necessary tasks in AWS before you create autoscale groups in Citrix ADM. The tasks that you must complete are as follows:

  1. Subscribe to the required Citrix ADC VPX instance on AWS.
  2. Create the required VPC or select an existing VPC.
  3. Define the corresponding subnets and security groups.
  4. Create two IAM roles, one for Citrix ADM and one for Citrix ADC VPX instance.
  5. Create a user for Citrix ADM and assign the role created for Citrix ADM to the user.
  6. Generate the Access Key ID and Secure Access Key for the user.

For more information on how to create VPC, subnet and security groups, refer AWS documentation.

Subscribe to Citrix ADC VPX license in AWS

  1. Go to aws marketplace.
  2. Log on with your credentials.
  3. Search for Citrix ADC VPX platinum or enterprise edition.

    CitrixADClicenses1

  4. Subscribe to either NetScaler ADC VPX Platinum Edition or NetScaler ADC VPX Enterprise Edition licenses.

    CitrixADClicenses1

Create subnets

Create three subnets in your VPC - one each for the management, client, and server connections. Specify an IPv4 CIDR block from the range that is defined in your VPC for each of the subnets. Specify the availability zone in which you want the subnet to reside. Create all the three subnets in each of the availability zones where servers are present.

  • Management. Existing subnet in your Virtual Private Cloud (VPC) dedicated for management. Citrix ADC needs to contact AWS services and requires internet access. Configure a NAT gateway and add a route table entry to allow internet access from this subnet.
  • Client. Existing subnet in your Virtual Private Cloud (VPC) dedicated for client side. Typically, Citrix ADC receives client traffic for the application via a public subnet from the internet. Associate the client subnet with a route table which has a route to an Internet gateway. This will allow Citrix ADC to receive application traffic from the internet.
  • Server. A server subnet where the application servers are provisioned. All your application servers will be present in this subnet and will be receiving application traffic from the Citrix ADC through this subnet.

Create security groups

Create a security group to control inbound and outbound traffic in the Citrix ADC VPX instance. Create rules for both incoming and outgoing traffic that you want to control in the Citrix autoscale groups. You can add as many rules as you want.

  • Management. Existing security group in your account dedicated for management of Citrix ADC VPX. Inbound rules should be allowed on the following TCP and UDP ports.

    • TCP: 80, 22, 443, 3008-3011, 4001
    • UDP: 67, 123, 161, 500, 3003, 4500, 7000

    Ensure that the security group allows the Citrix ADM agent to be able to access the VPX.

  • Client. Existing security group in your account dedicated for client side communication of Citrix ADC VPX instances. Typically, inbound rules are allowed on the TCP ports 80, 22, and 443.

  • Server. Existing security group in your account dedicated for server-side communication of Citrix ADC VPX.

Create IAM roles

Along with creating an IAM role and defining a policy, you must also create an instance profile in AWS. IAM roles allow Citrix ADM to provision Citrix ADC instance, create or delete Route53 entries.

While roles define “what can I do?” they do not define “who am I?” AWS EC2 uses an instance profile as a container for an IAM role. An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

When you create an IAM role using the console, the console creates an instance profile automatically and gives it the same name as the role it corresponds to. Roles provide a mechanism to define a collection of permissions. An IAM user represents a person and an instance profile represents the EC2 instances. If a user has role “A,” and an instance has an instance profile attached to “A,” these two principals can access the same resources in the same way.

Note

Ensure that the role names start with “Citrix-ADM-“ and the instance profile name starts with “Citrix-ADC-.”

To create an IAM role for Citrix ADM

Create an IAM role so that you can establish a trust relationship between your users and the Citrix trusted AWS account and create a policy with Citrix permissions.

  1. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role.

  2. You are connecting your AWS account with the AWS account in Citrix ADM. So, select Another AWS account to allow Citrix ADM to perform actions in your AWS account.

  3. Type in the 12-digit Citrix ADM AWS account ID. The Citrix ID is 835822366011. You can also find the Citrix ID in Citrix ADM when you create the cloud access profile.

  4. Click Permissions.

  5. In Attach permissions policies page, click Create policy.

  6. You can create and edit a policy in the visual editor or by using JSON.

    The list of permissions from Citrix for Citrix ADM is provided in the following box:

JSON { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “VisualEditor0”, “Effect”: “Allow”, “Action”: [ “ec2:DescribeInstances”, “ec2:UnmonitorInstances”, “ec2:MonitorInstances”, “ec2:CreateKeyPair”, “ec2:ResetInstanceAttribute”, “ec2:ReportInstanceStatus”, “ec2:DescribeVolumeStatus”, “ec2:StartInstances”, “ec2:DescribeVolumes”, “ec2:UnassignPrivateIpAddresses”, “ec2:DescribeKeyPairs”, “ec2:CreateTags”, “ec2:ResetNetworkInterfaceAttribute”, “ec2:ModifyNetworkInterfaceAttribute”, “ec2:DeleteNetworkInterface”, “ec2:RunInstances”, “ec2:StopInstances”, “ec2:AssignPrivateIpAddresses”, “ec2:DescribeVolumeAttribute”, “ec2:DescribeInstanceCreditSpecifications”, “ec2:CreateNetworkInterface”, “ec2:DescribeImageAttribute”, “ec2:AssociateAddress”, “ec2:DescribeSubnets”, “ec2:DeleteKeyPair”, “ec2:DisassociateAddress”, “ec2:DescribeAddresses”, “ec2:DeleteTags”, “ec2:RunScheduledInstances”, “ec2:DescribeInstanceAttribute”, “ec2:DescribeRegions”, “ec2:DescribeDhcpOptions”, “ec2:GetConsoleOutput”, “ec2:DescribeNetworkInterfaces”, “ec2:DescribeAvailabilityZones”, “ec2:DescribeNetworkInterfaceAttribute”, “ec2:ModifyInstanceAttribute”, “ec2:DescribeInstanceStatus”, “ec2:ReleaseAddress”, “ec2:RebootInstances”, “ec2:TerminateInstances”, “ec2:DetachNetworkInterface”, “ec2:DescribeIamInstanceProfileAssociations”, “ec2:DescribeTags”, “ec2:AllocateAddress”, “ec2:DescribeSecurityGroups”, “ec2:DescribeHosts”, “ec2:DescribeImages”, “ec2:DescribeVpcs”, “ec2:AttachNetworkInterface”, “ec2:AssociateIamInstanceProfile” ], “Resource”: “” }, { “Sid”: “VisualEditor1”, “Effect”: “Allow”, “Action”: [ “iam:GetRole”, “iam:PassRole” ], “Resource”: “” }, { “Sid”: “VisualEditor2”, “Effect”: “Allow”, “Action”: [ “route53:CreateHostedZone”, “route53:CreateHealthCheck”, “route53:GetHostedZone”, “route53:ChangeResourceRecordSets”, “route53:ChangeTagsForResource”, “route53:DeleteHostedZone”, “route53:DeleteHealthCheck”, “route53:ListHostedZonesByName”, “route53:GetHealthCheckCount” ], “Resource”: “” }, { “Sid”: “VisualEditor3”, “Effect”: “Allow”, “Action”: [ “iam:ListInstanceProfiles”, “iam:ListAttachedRolePolicies”, “iam:SimulatePrincipalPolicy” ], “Resource”: “” }, { “Sid”: “VisualEditor4”, “Effect”: “Allow”, “Action”: [ “ec2:ReleaseAddress”, “elasticloadbalancing:DeleteLoadBalancer”, “ec2:DescribeAddresses”, “elasticloadbalancing:CreateListener”, “elasticloadbalancing:CreateLoadBalancer”, “elasticloadbalancing:RegisterTargets”, “elasticloadbalancing:CreateTargetGroup”, “elasticloadbalancing:DeregisterTargets”, “ec2:DescribeSubnets”, “elasticloadbalancing:DeleteTargetGroup”, “elasticloadbalancing:ModifyTargetGroupAttributes”, “ec2:AllocateAddress” ], “Resource”: “*” } ] } } ```

  1. Copy and paste the list of permissions in the JSON tab and click Review policy.
  2. In Review policy page, type a name for the policy, enter a description, and click Create policy.

    Note

    Ensure that the name starts with “Citrix-ADM-.”

  3. In the Create Role page, enter the name of the role.

    Note

    Ensure that the role name starts with “Citrix-ADM-.”

  4. Click Create Role.

To create an IAM role for Citrix ADC instances

Similarly, create an IAM role for Citrix ADC. The Citrix ADC can then login to your AWS account and perform the following actions:

  • re-assigning management IP address during node failures
  • listen to AWS autoscale events of backend servers, and so on.

Attach the policy with permissions provided by Citrix for AWS to access the Citrix ADC instances.

  1. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role.

  2. Ensure that you select AWS service > EC2, and then click Permissions to create an instance profile.

    localized image

  3. Click Permissions.

  4. In Attach permissions policies page, click Create policy.

  5. You can create and edit a policy in the visual editor or by using JSON.

The list of permissions from Citrix for Citrix ADC instances is provided in the following box:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:SimulatePrincipalPolicy",
        "autoscaling:*",
        "sns:*",
        "sqs:*",
        "cloudwatch:*",
        "ec2:AssignPrivateIpAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}

Register the DNS domain

You must also ensure that you have registered the DNS domain for hosting your applications.

Assess the number of elastics IPs (EIP) required in your network.

The number of EIPs required varies based on whether you are deploying DNS based autoscaling or NLB based autoscaling. To increase the number of EIPs, create a case with AWS.

  • For DNS based autoscaling, the number of EIPs required per availability zone is equal to the number of applications multiplied by the maximum number of VPX instances you want to configure in the autoscale groups.
  • For NLB based autoscaling, the number of EIPs required is equal to the number of applications multiplied by the number of availability zones in which the applications are getting deployed.

Assess the instance limit requirements

When assessing instance limits, ensure that you consider space requirements for Citrix ADC instances also.

Install Citrix ADM agent on AWS

The Citrix ADM agent works as an intermediary between the Citrix ADM and the discovered instances in the data center or on the cloud. Ensure that you have installed Citrix ADM agent in AWS. Add a route in AWS ADM agent so that ADM can reach the agent after you establish the layer 3 connectivity.

Follow these steps to add a route in the agent installed in AWS:

  1. Access the console of the ADM agent installed on AWS.

  2. Execute the following command at the prompt:

    route add –net <DMZ network> <gateway to ADM agent>

For example, “route add –net 10.x.x.0/24 21.1.1.10”

Note

The route is removed after the agent restarts. This behavior is specific to AWS/Azure agent images where network settings are skipped.

For details on how to install the Citrix ADM agent on AWS, see Installing Citrix ADM agent on AWS

Prerequisites for Citrix ADM

You must ensure that you have completed all the pre-requisites on the Citrix ADM to use the autoscale feature.

Autoscale-configuration2

Create a site

Create a site in Citrix ADM and add the details of the VPC associated with your AWS role.

  1. In Citrix ADM, navigate to Networks > Sites.
  2. Click Add.
  3. Select the service type as AWS and enable Use existing VPC as a site.
  4. Select the cloud access profile.
  5. If the cloud access profile doesn’t exist in the field, click Add to create a profile.

    1. In the Create Cloud Access Profile page, type the name of the profile with which you want to access AWS.

    2. Type the Access Key ID that is associated with the role that you have created in AWS.

    3. Type the Secret access Key generated while creating an IAM role for Citrix ADM in AWS.

      Cloud-access-profile

      The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with your IAM role in AWS are imported in Citrix ADM.

    4. Click Create.

  6. Again click Create to create the site.

Configure NTP server

Ensure to configure NTP server on Citrix ADM, so that the Citrix ADM clock has the same date and time settings as the Citrix ADCs deployed on AWS. For more information on how to configure NTP servers, see Configure NTP server. Configure domain name server The Citrix ADM requires internet connectivity to connect to the ADC instances deployed on the AWS. Configure DNS IP address on ADM to allow internet connectivity.

  1. In Citrix ADM, navigate to System > Set Up Citrix ADM, and select Network Configuration.

  2. In Network Configuration page, enter the IP address of the DNS configured in your network.

  3. Click OK.

Configure Layer 3 connectivity

You need to establish Layer 3 connectivity between Citrix ADM and the ADC VPX instances deployed on the public cloud. To establish the Layer 3 connectivity, you can use solutions such as Citrix CloudBridge Connector, Citrix SD-WAN, Direct Connect to AWS, VPN in Azure, or third-party connectors such as Equinix and so on.

For more information on how to create Layer 3 connectivity, see Add VPX Instances deployed in cloud to Citrix ADM.

Install Citrix ADM agent on AWS

The Citrix ADM agent works as an intermediary between the Citrix ADM and the discovered instances in the data center or on the cloud. For details on install the Citrix ADM agent on AWS, see Installing Citrix ADM agent on AWS.

Create autoscale groups

Initialize autoscale configuration

Autoscale-configuration4

  1. In Citrix ADM, navigate to Networks > AutoScale Groups.
  2. Click Add to create autoscale groups. The Create AutoScale Group page appears.
  3. Enter the following details.

    • Name. Type a name for the autoscale group.
    • Site. Select the site that you have created to provision the Citrix ADC VPX instances on AWS.
    • Agent. Select the Citrix ADM agent that manages the provisioned instances.
    • Cloud Access Profile. Select the cloud access profile.

    Note

    If the cloud access profile does not exist in the field, click Add to create a profile.

    • Type the ARN associated with the role that you have created in AWS.
    • Type the external ID that you provided while creating an Identity and Access Management (IAM) role in AWS. Depending on the cloud access profile that you select, the availability zones are populated.
    • Device Profile. Select the device profile from the list. The device profile will be used by Citrix ADM whenever it needs to log on to the instance.

    • Traffic Distribution Mode. The Load Balancing using NLB option is selected as default traffic distribution mode. If applications are using UDP traffic, then select DNS using AWS route53.

      Create-autoscale-group1

      Note: After the autoscale configuration is set up, new availability zones cannot be added or existing availability zones cannot be removed.

    • Enable AutoScale Group. Enable or disable the status of the ASG groups. This option is enabled, by default. If this option is disabled, autoscaling is not triggered.
    • Availability Zones. Select the zones in which you want to create the autoscale groups. Depending on the cloud access profile that you have selected, availability zones specific to that profile are populated.
    • Tags. Type the key-value pair for the autoscale group tags. A tag consists of a case-sensitive key-value pair. These tags enable you to organize and identify the autoscale groups easily. The tags are applied to both AWS and Citrix ADM.

      Create-autoscale-group2

  4. Click Next.

Configuring autoscale parameters

Autoscale-configuration5

  1. In the AutoScale Parameters tab, enter the following details.
  2. Select one or more than one of the following threshold parameters whose values must be monitored to trigger a scale-out or a scale-in.
    • Enable CPU Usage Threshold: Monitor the metrics based on the CPU usage.
    • Enable Memory Usage Threshold: Monitor the metrics based on the memory usage.
    • Enable Throughput Threshold: Monitor the metrics based on the throughput.

      Note:

      • Default minimum threshold limit is 30 and maximum threshold limit is 70. However, you change modify the limits.
      • Minimum threshold limit must be equal or less than half of the maximum threshold limit.
      • More than one threshold parameters can be selected for monitoring. In such cases, a scale-in is triggered if at least one of the threshold parameters is above the maximum threshold. However, a scale-in is triggered only if all the threshold parameters are operating below their normal thresholds.

      Create-autoscale-group3

    • Minimum Instances. Select the minimum number of instances that need to be provisioned for this autoscale group.
    • By default, the minimum number of instances is equal to the number of zones selected. You can increment the minimum instances by multiples of number of zones.
    • For example, if the number of availability zones is 4, the minimum instances is 4 by default. You can increase the minimum instances by 8, 12, 16.
    • Maximum Instances. Select the maximum number of instances that need to be provisioned for this autoscale group.
    • The maximum number of instances must be greater than or equal to the minimum instances value. The maximum number of instances that can be configured is equal to number of availability zones multiplied by 32.
    • Maximum number of instances = number of availability zones * 32
    • Drain Connection Timeout (minutes). Select the drain connection timeout period. During scale-in, once an instance is selected for deprovisioning, Citrix ADM removes the instance from processing new connections to autoscale group and waits until the specified time expires before deprovisioning. This allows existing connections to this instance to be drained out before it gets deprovisioned.
    • Cooldown period (minutes). Select the cooldown period. During scale-out, cooldown period is the time for which evaluation of the statistics has to be stopped after a scale-out occurs. This ensures organic growing of instances of an autoscale group by allowing current traffic to stabilize and average out on the current set of instances before the next scaling decision is made.
    • DNS Time To Live(seconds). Select the amount of time (in seconds) that a packet is set to exist inside a network before being discarded by a router. This parameter is applicable only when the traffic distribution mode is DNS using AWS route53.
    • Watch-Time (minutes). Select the watch-time duration. The time for which the scale parameter’s threshold has to stay breached for a scaling to happen. If the threshold is breached on all the samples collected in this specified time then a scaling happens.

      Create-autoscale-group4

  3. Click Next.

Configure provision parameters

Autoscale-configuration6

  1. In the Provision Parameters tab, enter the following details.

    • IAM Role: Select the IAM role that you have created in AWS. An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

    • Product: Select the Citrix ADC product version that you want to provision.

    • Version: Select the Citrix ADC product release version and build number. The release versions and build numbers are auto-populated based on the product that you have selected.

    • AWS AMI ID: Enter the AMI ID specific to the region that you have selected.

    • Instance Type: Select the EC2 instance type.

      Note

      The recommended instance type for the selected product is auto-populated, by default.

    • Security Groups: Security groups control the inbound and outbound traffic in the Citrix ADC VPX instance. You create rules for both incoming and outgoing traffic that you want to control. Select appropriate values for the following subnets:

    • group in your account dedicated for management of Citrix ADC VPX instances. Inbound rules should be allowed on the following TCP and UDP ports.

       TCP: 80, 22, 443, 3008-3011, 4001
       UDP: 67, 123, 161, 500, 3003, 4500, 7000
      

      Ensure that the security group allows the Citrix ADM agent to be able to access the VPX.

    • Client. Existing security group in your account dedicated for client side communication of Citrix ADC VPX instances. Typically, inbound rules are allowed on the TCP ports 80, 22, and 443.

    • Server. Existing security group in your account dedicated for server side communication of Citrix ADC VPX.

    • IP’s in server subnet per node: Select the number of IP addresses in server subnet per node for the security group.

      Create-autoscale-group5

    • Zone: The number of zones that are populated is equal to the number of availability zones that you have selected. For each zone, select the appropriate values for the following subnets:

    • Management. Existing subnet in your Virtual Private Cloud (VPC) dedicated for management. Citrix ADC needs to contact AWS services and requires internet access. Configure a NAT gateway and add a route table entry to allow internet access from this subnet.

    • Client. Existing subnet in your Virtual Private Cloud (VPC) dedicated for client side. Typically, Citrix ADC receives client traffic for the application via a public subnet from the internet. Associate the client subnet with a route table which has a route to an Internet gateway. This will allow Citrix ADC to receive application traffic from the internet.

    • Server. Application servers are provisioned in a server subnet. All your application servers will be present in this subnet and will be receiving application traffic from the Citrix ADC via this subnet.

      Create-autoscale-group6

  2. Click Finish.

    A progress window with the status for creating autoscale group appears. It might take several minutes for creation and provisioning of autoscale groups.

    Autoscale-configuration-step7

Configure application using Stylebooks

Autoscale-configuration7

  1. In Citrix ADM, navigate to Networks > Autoscale Groups.
  2. Select the autoscale group that you created and click Configure.
  3. The Choose StyleBook page displays all the StyleBooks available for your use to deploy configurations in the autoscale clusters.
    • Select the appropriate StyleBook. For example, you can use the HTTP/SSL Loadbalancing StyleBook. You can also import new StyleBooks.
    • Click on the StyleBook to create the required configuration. The StyleBook opens as a user interface page on which you can enter the values for all the parameters defined in this StyleBook.
    • Enter values for all the parameters.
    • If you are creating backend servers in AWS, select Backend Server Configuration. Further select AWS EC2 Autoscaling > Cloud and enter the values for all the parameters.

      localized image

    • There might be a few optional configurations required depending on the StyleBook that you have chosen. For example, you might have to create monitors, provide SSL certificate settings, and so on.
    • Click Create to deploy the configuration on the Citrix ADC cluster.

Note

  • The FQDN of application or the virtual server cannot be modified after it is configured and deployed.

    The FQDN of the application is resolved to the IP address using DNS. As this DNS record might be cached across various name servers, changing the FQDN might cause the traffic to be blackholed.

  • SSL session sharing work as expected within an availability zone but across availability zones, requires reauthentication.

    SSL sessions are synchronized within the cluster. As the autoscale group spanning across availability zones has separate clusters in each zones, SSL sessions cannot be synchronized across zones.

  • Shared limits such as max client and spill-over are set statically based on number of availability zones. This limit has to be set after calculating it manually. Limit = <Limit required>/<number of Zones>.

    Shared limits are distributed automatically across nodes within a cluster. As the autoscale group spanning across availability zones has separate clusters in each zones, these limits have to be calculated manually.

Upgrade Citrix ADC clusters

You must manually upgrade the cluster nodes. You first upgrade the image of existing nodes and then update AMI from the Citrix ADM.

Important

Ensure the following during an upgrade:

  • No scale-in or scale-out is triggered.
  • No configuration changes must be performed on the cluster in the autoscale group.
  • You keep a backup of ns.conf file of the previous version. In case an upgrade fails, you can fall back to the previous version.

Perform the following steps to upgrade the Citrix ADC cluster nodes.

  1. Disable the autoscale group on the MAS ASG portal.
  2. Select one of the clusters within the autoscale groups for upgrade.
  3. Follow the steps documented in the topic Upgrading or downgrading the Citrix ADC cluster.

    Note

    • Upgrade one node in the cluster.
    • Monitor the application traffic for any failures.
    • If you encounter any issues or failures, downgrade the node that was previously upgraded. Else, continue with the upgrade of all nodes.
  4. Continue upgrading the nodes in all the clusters in the autoscale group.

    Note

    If the upgrade for any cluster fails, downgrade all the clusters in the autoscale group to the previous version. ollow the steps documented in the topic Upgrading or downgrading the Citrix ADC cluster.

  5. After successful upgrade of all clusters, update AMI on MAS ASG Portal. AMI must be of the same version as the image used for the upgrade.
  6. Edit the autoscale group and type the AMI that corresponds to the upgraded version.
  7. Enable the autoscale group on the ADM portal.

Modify autoscale groups configuration

  • You can modify an autoscale group configuration or delete an autoscale group. You can modify only the following autoscale group parameters.

    • Traffic distribution mode
    • Maximum and minimum limits of the threshold parameters
    • Minimum and maximum instance values
    • Drain connection period value
    • Cooldown period value
    • Time to live value – If the traffic distribution mode is DNS
    • Watch duration value
  • You can also delete the autoscale groups after they are created.

    When you delete an autoscale group, all the domains and IP addresses are deregistered from DNS/NLB and the cluster nodes are deprovisioned.