Citrix SD-WAN Platforms

Deploy Citrix SD-WAN on AWS Outposts

AWS Outposts is a fully managed service that offers the AWS infrastructure, AWS services, APIs, and tools to virtually any data center, co-location space, or on-premises facility for a consistent hybrid cloud experience. AWS services such as compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools.

With the addition of AWS Outposts to the AWS offering, Citrix SD-WAN customers now can use Citrix SD-WAN’s hybrid-cloud solution to easily connect AWS Outposts instances to their existing WAN infrastructure. With this integration customers will be able to manage SD-WAN connectivity from branches to the AWS cloud and Outposts using Citrix SD-WAN management tools.

Before you start, make sure you have:

  • A BYOL license for Citrix SD-WAN VPX
  • A minimum of 40 GB of storage for VPX and 200 GB for the VPX-L configuration
  • Availability of m5 and c5 instance types on the Outpost
  • Two Elastic IPs (one for the WAN interface and one for the management interface)

NOTE

You might choose not to host the management interface over a public IP. If you do expose it, restrict the security group on the management interface to your administrative source addresses.

Solution validation topology/network architecture

Solution validation network architecture

Below is the step-by-step configuration guide to provision an SD-WAN appliance in AWS Outposts.

Prerequisites

  1. Log into the Outposts AWS Account.
  2. Have access to the Citrix SD-WAN AMI from the market place of AWS Outposts.

Note

All AWS Outposts console screenshots in this configuration guide were taken with the new console launched by AWS; the screens may look slightly different if the legacy UI is selected.

Creation of VPC on Outposts for Citrix SD-WAN appliance (VPXL type)

  1. Provide a CIDR block for the AWS Outpost VPC. For this configuration we use a CIDR of 192.168.100.0/22.
  2. Leave all other attributes as default.
  3. Provide the tag names as necessary to identify the appliance from the instance list for future.

    VPC settings

  4. Verify that the VPC has been created, that the IPv4 CIDR details are shown and that a VPC ID has been assigned to the new resource.
  5. The CIDR status should be Associated.

    VPC verification

  6. Once the VPC is created, the new VPC with its CIDR details appears in the Your VPCs section of the VPC service on AWS Outposts.

    Your VPCs

Creation of Internet Gateway and associate to VPC (Internet access for WAN and MANAGEMENT Interface of SD-WAN)

The Internet Gateway is created for the SD-WAN VPC so that the management interface is reachable over the Internet and so that the WAN link of the SD-WAN appliance can form the virtual path over the Internet (the Outposts instance hosts an Internet link).

  • We create a single Internet Gateway instance for the VPC using “Internet Gateways” section of the VPC AWS Outpost service.

  • Click Create Internet Gateway.

Create the Internet Gateway for the VPC

Internet gateway VPC

  • The Internet gateway is just a resource and needs no special configuration. If needed, set the Name tag and any relevant resource tags so that you can find the IGW in the list later.

  • Click Create Internet gateway.

Create internet gateway

Once the Internet Gateway is created, associate the Internet gateway to a specific VPC we just created.

  • Click the IGW resource and in the actions field select Attach to VPC.

    Select attach to VPC

  • After clicking Attach to VPC, open the Available VPCs drop-down list and select the SD-WAN VPC created in step 1.
  • Click Attach Internet Gateway.

Associate the VPC to the Internet Gateway

Attach VPC1

Attach VPC2

Creation of LAN, WAN and MGMT Subnets for Citrix SD-WAN VPXL appliance

The SD-WAN standalone appliance generally hosts three interfaces:

  1. Management Interface
  2. LAN Interface
  3. WAN Interface

The order in which the interfaces are attached also matters: the first interface attached is the management interface, followed by the LAN interface and then the WAN interface.

Management subnet

  • Click Subnets under VPC
  • Click Create subnet

Management subnet

  • In the subnet creation window, select the VPC created for SD-WAN in step 1.
  • Select any availability zone of your choice.
  • Provide the management interface a subnet prefix from the VPC CIDR.
  • For this configuration guide, the management interface will be configured with 192.168.102.0/24.
  • Click create.

Create subnet1

Create subnet2

Create subnet3

LAN subnet

  1. In the subnet creation window, select the VPC created for SD-WAN in step 1.
  2. Select any availability zone of your choice.
  3. Provide the LAN interface a subnet prefix from the VPC CIDR.
  4. For this configuration guide, the LAN interface will be configured with 192.168.100.0/24.
  5. Click Create.

    Create subnet4

    Create subnet5

WAN subnet

  1. In the subnet creation window, select the VPC created for SD-WAN in step 1.
  2. Select any availability zone of your choice.
  3. Provide the WAN interface a subnet prefix from the VPC CIDR.
  4. For this configuration guide, the WAN interface will be configured with 192.168.101.0/24.
  5. Click Create.

    Create subnet6

    Create subnet7

Define route tables for the LAN/WAN/MGMT Subnet

Route tables define the routing for each subnet. We need route tables for the management and WAN subnets so that a default route to the Internet Gateway, and any other related routes, can be configured for them.

Management subnet route table

  1. Create the Management route table.

    • Click Route tables under VPC.
    • Click Create route table.
    • Select the VPC created for SD-WAN in step 1.
    • Click Create.

    Management route table

  2. Associate the VPC to the management Route Table.

    Create route table1

    Create route table2

  3. Edit Subnet Associations for management Route Table.

    The next step is to associate the route table to the Management subnet created.

    • Select the Management route table from the list.
    • Click the Actions drop-down list.
    • Select Edit subnet associations.
    • Associate the Management subnet (192.168.102.0/24) with the route table.

    Create route table3

    Create route table4

  4. Add Routes for management Subnet (Default via IGW).

    Next, add the route that lets the management subnet reach the Internet for public access.

    • Select the management route table.
    • Click Edit routes.
    • Provide a new DEFAULT route 0.0.0.0/0 via the IGW instance we created in step 2.
    • Save Routes.

    Create route table5

    Create route table6

    Create route table7

Define route tables for the WAN subnet

  1. Create the Route table for WAN Interface

    • Click Route tables under VPC.
    • Click create route table.
    • Select the VPC created for SD-WAN in step 1.
    • Click create.

    Create route table8

  2. Associate the VPC to the WAN routing table.

    Create route table9

    Create route table10

  3. Edit Subnet Associations for WAN Route Table.

    The next step is to associate the route table to the WAN subnet created.

    • Select the WAN route table from the list.
    • Click the Actions drop-down list.
    • Select Edit Subnet associations.
    • Associate the WAN Subnet to the route table which hosts the IP 192.168.101.0/24.

    Create route table11

    Edit subnet associations

  4. Add Routes for WAN Subnet (Default via IGW).

    Next, add the route that lets the WAN subnet reach the Internet for public access.

    • Select the WAN route table.
    • Click Edit routes.
    • Provide a new DEFAULT route 0.0.0.0/0 via the IGW instance we created in step 2.
    • Save Routes.

    Create route table12

    Edit route1

    Edit route12

Define route tables for the LAN subnet

  1. Create the Route table for LAN Interface

    • Click Route tables under VPC.
    • Click create route table.
    • Select the VPC created for SD-WAN in step 1.
    • Click create.

    Create route table13

  2. Associate the LAN routing table to the VPC.

    Create route table14

    Create route table15

  3. Edit Subnet Associations for LAN Route Table.

    The next step is to associate the route table to the LAN subnet created.

    • Select the LAN route table from the list.
    • Click the Actions drop-down list.
    • Select Edit Subnet associations.
    • Associate the LAN Subnet to the route table which hosts the IP 192.168.100.0/24.

    Create route table16

    Create route table17
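The following script is an added example, not part of this guide, that checks the address plan above (the VPC CIDR, the three subnets and the static private IPs assigned to the interfaces later in this guide) together with the route table design before anything is created in the console. It uses only the Python standard library. The IGW ID is a placeholder, and the expectation that the LAN route table carries no default route is an assumption drawn from the steps above, where only the management and WAN tables get a default route via the IGW.

```python
"""Address-plan and route-table sanity check for the Outposts SD-WAN VPC.

Added example, not part of the Citrix guide. The CIDRs and static IPs are the
ones the guide uses; the route tables are constructed to mirror what the guide
configures, and the IGW ID is a placeholder.
"""
import ipaddress
import itertools

VPC_CIDR = "192.168.100.0/22"

# name -> (subnet CIDR, static private IP from the guide, default route via IGW expected)
# Assumption: the LAN route table keeps only the VPC-local route, so LAN hosts leave
# the VPC only through the SD-WAN appliance. Confirm this against your own design.
PLAN = {
    "mgmt": ("192.168.102.0/24", "192.168.102.11", True),
    "lan":  ("192.168.100.0/24", "192.168.100.5",  False),
    "wan":  ("192.168.101.0/24", "192.168.101.5",  True),
}


def reserved_addresses(cidr):
    """Addresses AWS reserves in every VPC subnet and will refuse to assign to an ENI:
    the network address, the VPC router (+1), Amazon DNS (+2), one held for future
    use (+3) and the broadcast address (last)."""
    net = ipaddress.ip_network(cidr)
    return {net[0], net[1], net[2], net[3], net[-1]}


def check_plan(vpc_cidr=VPC_CIDR, plan=PLAN):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    nets = {}
    for name, (cidr, ip, _) in plan.items():
        net = ipaddress.ip_network(cidr)
        nets[name] = net
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside the VPC CIDR {vpc_cidr}")
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: static IP {ip} is not in {cidr}")
        elif addr in reserved_addresses(cidr):
            problems.append(f"{name}: static IP {ip} is reserved by AWS in {cidr}")
    for a, b in itertools.combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    return problems


def check_route_tables(route_tables, igw_id, plan=PLAN):
    """route_tables maps subnet name -> list of (destination, target) as shown on the
    console's Routes tab. Management and WAN must default to the IGW; LAN must not."""
    problems = []
    for name, (_, _, wants_igw) in plan.items():
        routes = route_tables.get(name, [])
        has_igw_default = ("0.0.0.0/0", igw_id) in routes
        if wants_igw and not has_igw_default:
            problems.append(f"{name}: missing 0.0.0.0/0 via {igw_id}")
        if not wants_igw and any(dst == "0.0.0.0/0" for dst, _ in routes):
            problems.append(f"{name}: has a default route but should not")
    return problems


# Constructed route tables mirroring what the guide configures (IGW ID is a placeholder).
IGW = "igw-0123456789abcdef0"
ROUTE_TABLES = {
    "mgmt": [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
    "wan":  [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
    "lan":  [(VPC_CIDR, "local")],
}

if __name__ == "__main__":
    for p in check_plan() + check_route_tables(ROUTE_TABLES, IGW):
        print("PROBLEM:", p)
    # A common mistake: choosing .1 for the appliance, which is the VPC router's address.
    bad = dict(PLAN, mgmt=("192.168.102.0/24", "192.168.102.1", True))
    print(check_plan(plan=bad))
```

Run it after editing PLAN and ROUTE_TABLES to match your environment. A non-empty problem list means that the console steps above will either fail (a reserved address cannot be assigned to a network interface) or leave the LAN subnet with a path to the Internet that bypasses the appliance.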

Outpost AMI Instance Provisioning/Deployment

Launch AMI Instance (Private)

  1. Choose the private AMI by uploading the shared AMI into Outposts (if it is not yet published in the Marketplace).

    Choose AMI

  2. Select the right instance type (VPX-L: m5.2xlarge).

    Choose instance type

    • Configure the Instance Details like the VPC network, Subnet.
    • Select the VPC created for the instance in the Network.
    • Select the MGMT subnet as the primary interface.
    • Select Enabled for Auto assign public IP.
    • Also provide a custom private IP for the management interface at the bottom of the instance details page (this guide uses 192.168.102.11).

    Configure instance details

  3. Select default Storage.

    Select default storage

  4. Add relevant tags for instance search/indexing later.

    Add tags

  5. Define the relevant Security Group for the instance.

    Configure security groups

  6. Summary of the security group of the Citrix SD-WAN Outpost instance.

    Summary

  7. Download the key pair for SSH access to the instance and keep it for later use.

    Key pair

  8. Initiate the LAUNCH of the instance.

    Launch

    Launch status

  9. Verify the instance status and its health checks in the EC2 Dashboard after launch.

    Instances1

    Instances2

    Instances3
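Step 5 above only says to define the relevant security group. The following added example (not code from Citrix or AWS) builds least-privilege ingress rules for the three interfaces in the IpPermissions format that the AWS CLI's authorize-security-group-ingress command accepts, and audits them before they are applied. The admin and peer CIDRs are placeholders, and the Virtual Path UDP port 4980 is Citrix SD-WAN's default and an assumption here; confirm it against your WAN link settings. Branches with dynamic public addresses (such as a home office) usually need the WAN rule open to 0.0.0.0/0 on that one UDP port; the management ports never should be.

```python
"""Least-privilege security group rules for the three SD-WAN interfaces.

Added example, not from the Citrix guide. Produces the IpPermissions structure for
`aws ec2 authorize-security-group-ingress --ip-permissions` and audits it first.
The Virtual Path UDP port (4980) is assumed to be the default; the CIDRs used in
__main__ are documentation ranges, not real addresses.
"""
import json

VP_UDP_PORT = 4980          # assumption: Citrix SD-WAN default Virtual Path port
VPC_CIDR = "192.168.100.0/22"
MGMT_PORTS = (22, 443)      # SSH and the HTTPS UI; plain HTTP (80) stays closed


def rule(proto, port, cidrs, description):
    """One IpPermissions entry. proto '-1' means all protocols and takes no ports."""
    entry = {"IpProtocol": proto,
             "IpRanges": [{"CidrIp": c, "Description": description} for c in cidrs]}
    if proto != "-1":
        entry["FromPort"] = entry["ToPort"] = port
    return entry


def sdwan_security_groups(admin_cidrs, peer_cidrs, lan_cidrs=(VPC_CIDR,)):
    """admin_cidrs: where operators SSH/browse from. peer_cidrs: public sources of the
    branches' Virtual Path traffic; ['0.0.0.0/0'] when branches have dynamic addresses."""
    return {
        "mgmt": [rule("tcp", p, admin_cidrs, "SD-WAN management") for p in MGMT_PORTS],
        "wan":  [rule("udp", VP_UDP_PORT, peer_cidrs, "Virtual Path from branches")],
        "lan":  [rule("-1", None, lan_cidrs, "Workloads behind the LAN interface")],
    }


def audit(groups):
    """Flag rules a reviewer would reject: management ports or all-protocol rules open
    to the world, and anything on the WAN group other than the Virtual Path UDP port."""
    findings = []
    for name, perms in groups.items():
        for p in perms:
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in p["IpRanges"])
            if name == "mgmt" and world:
                findings.append(f"mgmt: port {p['FromPort']}/{p['IpProtocol']} open to 0.0.0.0/0")
            if p["IpProtocol"] == "-1" and world:
                findings.append(f"{name}: all traffic open to 0.0.0.0/0")
            if name == "wan" and (p["IpProtocol"] != "udp" or p.get("FromPort") != VP_UDP_PORT):
                findings.append(f"wan: unexpected rule {p['IpProtocol']}/{p.get('FromPort')}")
    return findings


def to_cli_json(perms):
    """Serialise one group's rules for:
    aws ec2 authorize-security-group-ingress --group-id sg-... --ip-permissions file://rules.json"""
    return json.dumps(perms, indent=2)


if __name__ == "__main__":
    good = sdwan_security_groups(admin_cidrs=["203.0.113.0/24"], peer_cidrs=["0.0.0.0/0"])
    print("findings:", audit(good))
    lazy = sdwan_security_groups(admin_cidrs=["0.0.0.0/0"], peer_cidrs=["0.0.0.0/0"])
    print("findings:", audit(lazy))
    print(to_cli_json(good["mgmt"]))
```

Security groups are stateful, so the reply traffic for these ingress rules is allowed automatically and no egress rules need to be opened for it. Apply the three groups to the management, WAN and LAN network interfaces respectively; the interfaces are created in the next section.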

Creation of LAN/WAN Network Interfaces and Association

LAN Network Interface

  1. Create the LAN Network Interface.

    Create interface1

  2. Associate the Subnet related to LAN Interface.

    Create interface2

  3. Assign the custom LAN private IP 192.168.100.5 and attach the security group.

    Create interface3

WAN Network Interface

  1. Create the WAN Network Interface.

    Create interface4

  2. Associate the WAN Subnet to the network interface.

    Create interface5

  3. Assign the custom WAN private IP 192.168.101.5 and attach the security group.

    Create interface6

Change SOURCE/DEST Check on LAN/WAN/Management Interfaces

Disabling the Source/Dest. Check attribute lets an interface send and receive traffic whose source or destination is not the EC2 instance itself. Because the Citrix SD-WAN AMI routes traffic between networks, the attribute must be disabled on all three interfaces for proper operation. With the check disabled, the security group is the only network-level filter left in front of the appliance, so keep its rules tight.

Management Interface disable SRC/DEST check

Create interface7

Create interface8

LAN Interface disable SRC/DEST check

Create interface9

WAN Interface disable SRC/DEST check

Create interface10

Attach the LAN/WAN Network Interfaces to Outpost Citrix SD-WAN

LAN Interface Association

  1. Attach the LAN Network Interface to the SD-WAN.

LAN network interface

Attach network interface

WAN Interface Association

  1. Attach the WAN Network Interface to the SD-WAN.

WAN interface1

WAN interface

Note

Attaching the management, LAN and WAN interfaces in that order maps them to eth0, eth1 and eth2 in the SD-WAN AMI. This matches the interface mapping of the provisioned AMI and ensures that the interfaces are not reassigned incorrectly if the instance reboots.

Create and Associate ELASTIC IPs to MGMT and WAN Interfaces of Outpost Citrix SD-WAN

Management IP Elastic IP

  1. Allocate a new ELASTIC IP for MGMT Interface.

    Elastic IP1

    Elastic IP2

    Elastic IP3

  2. Associate the newly created ELASTIC IP to Management Interface.

    The management Elastic IP is needed for SSH access and for browsing the UI over 80/443 of the Outpost-based Citrix SD-WAN appliance. This makes management simpler.

    We will link the Elastic IP specifically to the management network interface and, within it, to the private IP assigned from the management subnet, which is “192.168.102.11”.

    • Select Network Interface
    • Select the Management network interface
    • Assign a private IP Address “192.168.102.11”
    • Associate

    Elastic IP4

    Elastic IP5

WAN Interface Elastic IP

  1. Allocate a new ELASTIC IP for WAN Interface

    Elastic IP6

    Elastic IP7

  2. Associate the newly created ELASTIC IP to WAN Interface.

    The WAN Elastic IP enables the overlay communication between the other sites and the Outpost-based Citrix SD-WAN appliance and gives it IP connectivity to the outside world. This is the public IP of the WAN link that we provide for an MCN or a Branch; every remote appliance/peer must know it to establish the overlay control and data channels. We will link the Elastic IP specifically to the WAN network interface and, within it, to the private IP assigned from the WAN subnet, which is “192.168.101.5”.

    • Select Network Interface
    • Select the WAN network interface
    • Assign a private IP Address “192.168.101.5”
    • Associate

    Elastic IP8

    Elastic IP9
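Creating the two network interfaces, clearing the Source/Dest. check, attaching them in the right order and binding the Elastic IPs is where click-order mistakes happen. The following added example (not part of this guide) scripts those steps with the AWS CLI through Python's subprocess module, so that the device indexes (management 0, LAN 1, WAN 2) are fixed in code rather than in click order. All resource IDs are placeholders. The DryRun class at the end is a fake runner that records the commands instead of executing them, so you can review the exact sequence before running it against the account with real_run.

```python
"""Script the ENI, Source/Dest-check and Elastic IP steps of the guide with the AWS CLI.

Added example, not part of the Citrix guide. Every ID is a placeholder; pass
`real_run` as the runner to execute against a configured AWS CLI, or `DryRun()`
to record the commands without running them.
"""
import json
import subprocess

LAN_IP, WAN_IP, MGMT_IP = "192.168.100.5", "192.168.101.5", "192.168.102.11"


def real_run(argv):
    """Execute one AWS CLI command and return its JSON output ({} when it prints nothing)."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def ec2(run, *args):
    return run(["aws", "ec2", *args, "--output", "json"])


def management_eni(run, instance_id):
    """The primary ENI created at launch sits at device index 0 (eth0)."""
    res = ec2(run, "describe-instances", "--instance-ids", instance_id)
    for eni in res["Reservations"][0]["Instances"][0]["NetworkInterfaces"]:
        if eni["Attachment"]["DeviceIndex"] == 0:
            return eni["NetworkInterfaceId"]
    raise RuntimeError("no primary interface on " + instance_id)


def create_eni(run, subnet_id, private_ip, sg_id, description):
    res = ec2(run, "create-network-interface", "--subnet-id", subnet_id,
              "--private-ip-address", private_ip, "--groups", sg_id,
              "--description", description)
    return res["NetworkInterface"]["NetworkInterfaceId"]


def disable_src_dst_check(run, eni_id):
    """Required on every interface: the appliance forwards packets not addressed to it."""
    ec2(run, "modify-network-interface-attribute", "--network-interface-id", eni_id,
        "--no-source-dest-check")


def attach(run, instance_id, eni_id, device_index):
    ec2(run, "attach-network-interface", "--network-interface-id", eni_id,
        "--instance-id", instance_id, "--device-index", str(device_index))


def associate_eip(run, eni_id, private_ip):
    """Allocate an Elastic IP and bind it to one specific private IP on the ENI."""
    alloc = ec2(run, "allocate-address", "--domain", "vpc")["AllocationId"]
    ec2(run, "associate-address", "--allocation-id", alloc,
        "--network-interface-id", eni_id, "--private-ip-address", private_ip)
    return alloc


def provision(run, instance_id, lan_subnet, wan_subnet, lan_sg, wan_sg, public_mgmt=False):
    """Full sequence in the order the guide requires. Returns the ENI IDs by role."""
    enis = {"mgmt": management_eni(run, instance_id),
            "lan": create_eni(run, lan_subnet, LAN_IP, lan_sg, "sdwan-lan"),
            "wan": create_eni(run, wan_subnet, WAN_IP, wan_sg, "sdwan-wan")}
    for eni_id in enis.values():            # all three, before anything is attached
        disable_src_dst_check(run, eni_id)
    attach(run, instance_id, enis["lan"], 1)   # eth1
    attach(run, instance_id, enis["wan"], 2)   # eth2
    associate_eip(run, enis["wan"], WAN_IP)    # the branches must reach this address
    if public_mgmt:                            # optional; see the note on management exposure
        associate_eip(run, enis["mgmt"], MGMT_IP)
    return enis


class DryRun:
    """Fake runner: records argv lists and answers with the minimal JSON each call needs."""
    def __init__(self):
        self.calls, self.n = [], 0

    def __call__(self, argv):
        self.calls.append(argv)
        self.n += 1
        sub = argv[2]
        if sub == "describe-instances":
            return {"Reservations": [{"Instances": [{"NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-mgmt", "Attachment": {"DeviceIndex": 0}}]}]}]}
        if sub == "create-network-interface":
            return {"NetworkInterface": {"NetworkInterfaceId": f"eni-{self.n}"}}
        if sub == "allocate-address":
            return {"AllocationId": f"eipalloc-{self.n}"}
        return {}


if __name__ == "__main__":
    dry = DryRun()
    provision(dry, "i-0123456789abcdef0", "subnet-lan", "subnet-wan", "sg-lan", "sg-wan")
    for argv in dry.calls:
        print(" ".join(argv))
```

The management Elastic IP is only allocated when public_mgmt is set, matching the earlier note that you might not want to host the management interface on a public IP. The attach order is what gives the appliance the eth0/eth1/eth2 mapping described above.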

Outpost VPXL SD-WAN VM as an MCN

Access/Configure the Outpost Citrix SD-WAN as an MCN

  1. Access MGMT Interface IP.

    Note down the elastic IP of the Management interface and type in https://<elastic_ip_mgmt_interface> to access the SD-WAN UI.

    Management IP login screen

  2. Authenticate with admin credentials.

    The user name is admin and the password is the INSTANCE ID (highlighted below). Change this password at first login: the instance ID is not a secret and is visible to anyone with read access to the EC2 console.

    Credentials

  3. Set the role of the Outpost Citrix SD-WAN VM to MCN (Master Control Node).

    One touch start1

    One touch start2

  4. Add a new site for the MCN (Outpost SD-WAN).

    Add site

  5. Configure the Outpost VM (MCN) Network Interface Groups for LAN and WAN.

    Configure outpost

  6. Configure the Outpost VM (MCN) Virtual IP Addresses (VIPs) for LAN and WAN.

    Configure outpost2

  7. Configure the Outpost VM (MCN) WAN Link.

    • DOWNLOAD/UPLOAD capacity definitions on the WAN link.

      Configure outpost3

      Configure outpost4

    • Configure the Access Interface and the Gateway IP of the WAN Link.

      Configure outpost5

Citrix SD-WAN 210 as a HOME USER BRANCH SD-WAN

Configure the 210 Citrix SD-WAN as a BRANCH

  1. Add a 210 site as a Branch in Client mode.

    Add site2

  2. Configure the 210 HOME OFFICE Branch Network Interface Groups for LAN and WAN.

    Add site2

  3. Configure the 210 HOME OFFICE Branch Virtual IP Addresses (VIPs) for LAN and WAN.

    Add site3

  4. Configure the 210 HOME OFFICE Branch WAN Link.

    • DOWNLOAD/UPLOAD capacity definitions on the WAN link.

      Add site4

    • Configure the Access Interface and the Gateway IP of the WAN Link.

      Add site5

Perform Change Management and Stage the configuration to the appliances

Add site6

Add site7

Activate the Configuration

Add site8

Verify the Virtual PATH creation

On the Outpost MCN VM

Outpost MCN virtual machine

On the 210 HOME Branch

Home branch

Home branch2

Validate Traffic over Virtual PATH between Outpost VM and 210 Branch.

  • Step 1 – Initiate Ping between the 210 Branch and the Outposts MCN
  • Step 2 – Check Flows on both 210 and MCN VM on Upload/Download direction and verify the SIP, DIP, IP Protocol and the Service used for processing traffic
  • Step 3 – Check firewall connection on the Outpost MCN and the 210 for the ICMP traffic between the 2 sites
  • Verify that the ping traffic initiated between the 210 Branch and the Outposts MCN is processed via the Virtual Path:

    • Flows should show the service type as Virtual Path.

      • Check flows on the Outpost MCN: SIP, DIP and IP protocol should match, and the service should be Virtual Path.
      • Check the path used in the flow: it should be one of the best paths in the list of available paths.

    • Check flows on the 210 Branch: SIP, DIP and IP protocol should match, and the service should be Virtual Path.

      • Check the path used in the flow: it should be one of the best paths in the list of available paths.

    • Check the firewall connection table:

      • On the Outpost MCN, the firewall should show the connection with Application ICMP for the response, with SIP-SPORT (MCN), DIP-DPORT (210), Source Service Local and Destination Service Virtual Path.
      • On the 210 Branch, the firewall should show the connection with Application ICMP for the request, with SIP-SPORT (210), DIP-DPORT (MCN), Source Service Local and Destination Service Virtual Path.

Initiate PING from the end laptop to 192.168.100.5 (LAN side VIP of the Outposts SD-WAN)

  • Command – ping 192.168.100.5
  • Source Ip address of initiating laptop – 192.168.5.160
  • This traffic is intended to traverse the Virtual Path because the routing table installed on the branch has the prefix 192.168.100.0/24 reachable over the Virtual Path.

Initiate PING from the end laptop to 192.168.100.5 (LAN side VIP of the SD-WAN)

Verify Flows that the LAN to WAN and WAN to LAN direction entries are seen in both the MCN (Outpost VM) and the 210 Branch

Verify FLOWS on the 210 Home Branch

On the Home Branch

LAN to WAN (From Branch towards MCN)

  • Source IP – 192.168.5.160
  • Dest IP – 192.168.100.5
  • Proto/IPP – ICMP

WAN to LAN (From MCN towards Branch)

  • Dest IP – 192.168.5.160
  • Source IP – 192.168.100.5
  • Proto/IPP – ICMP

Flows

  • Verify that the service used is Virtual Path and that the service name is that of the Virtual Path between the MCN (Outpost VM) and the 210 Branch.

  • Also check that the Path column shows the current best path carrying the ICMP traffic through the Virtual Path (WL1 on the 210 to the only existing link on the MCN side).

Note

Check the current path in the “Path” Column in the below snapshot.

Monitoring

Verify on the MCN (Outposts VM)

On the MCN Outpost VM side

WAN to LAN (From Branch towards MCN)

  • Source IP – 192.168.5.160
  • Dest IP – 192.168.100.5
  • Proto/IPP – ICMP

LAN to WAN (From MCN towards Branch)

  • Dest IP – 192.168.5.160
  • Source IP – 192.168.100.5
  • Proto/IPP – ICMP

Monitoring1

  • Verify that the service used is Virtual Path and that the service name is that of the Virtual Path between the MCN (Outpost VM) and the 210 Branch.

  • Also check that the Path column shows the current best path carrying the ICMP traffic through the Virtual Path (WL1 on the 210 to the only existing link on the MCN side).

Verify Firewall details on the MCN (Outposts VM)

Below details are validated for the flow at the MCN (Outposts VM)

  • Application – ICMP
  • Source Service – Virtual PATH (Traffic came via VP from the Branch side)
  • Destination Service – IPHOST (Because we are pinging to the IP of the SD-WAN and is intended to the device)
  • State - Established

For information on support policies, see support and services

Monitoring2

Verify Firewall details on 210 Home Branch

Below details are validated for the flow at the 210 Branch side.

  • Application – ICMP
  • Source Service – Local (Initiated from a host behind the 210 Branch)
  • Destination Service – Virtual Path (Because we are pinging to the IP of the SD-WAN and is intended to the device and is carried via Virtual Path)
  • State - Established

Monitoring3
