Citrix SD-WAN Platforms

Deploy SD-WAN Standard Edition instances in High Availability mode in Azure - Release Version 10.2 and above

The Citrix SD-WAN Azure solution deploys Citrix SD-WAN in Edge Gateway Mode as a single instance, or a cluster pair for High Availability (HA). In an HA deployment, an Azure Load Balancer (ALB) controls failover between the WAN interfaces of the Citrix SD-WAN appliances.

You can use Azure load-balancer (ALB) on the LAN side to control failover on the LAN side of the SD-WAN appliances. The Citrix SD-WAN Azure solution in HA creates two separate ALBs (each one on LAN and WAN).

The following diagram illustrates the Citrix SD-WAN Azure HA deployment:

Azure HA lb

The SD-WAN Standard Edition deployment in Azure is required to be deployed in Edge or Gateway mode deployment where the SD-WAN instance acts as the gateway for the LAN environment. For more information, see Gateway mode.

How to deploy Citrix SD-WAN

To create Citrix SD-WAN Standard Edition (SE) instance:

  1. Search for Citrix SD-WAN in Azure Marketplace and select Citrix SD-WAN Standard Edition 10.2.X.

    Citrix SD-WAN se 10-2-x

  2. Click Create button to create the Citrix SD-WAN SE 10.2.X Instance.


  3. Configure Basic settings page and provide the Resource group name with the appropriate Location.

    Basic settings location


    To create an instance either a new resource group must be created or the resource group must be empty to be reused.

  4. Name the Virtual Machine, select Enabled for HA Deployment Mode, and create a Username and Password.

    Admin password Azure


    Use admin as a username for the provisioned instance with the same password that was given during provisioning to get the admin access. In the aforementioned screenshot, the provisioned user (ctxsdwadmin) has the guest priviledge.

  5. Select the Virtual Machine size based on the requirement.

    VM size

  6. Use an existing VNet in the location specified or create a new.

    Existing VNet

  7. Once the Vnet is created, confirm the auto-populated subnets for Management, LAN, WAN, and AUX, then click OK.


  8. Validate the configuration before the Instance creation.

    10-2 Azure HA step4

  9. Click Create.

    10-2 Azure HA step5

How to configure Citrix SD-WAN HA in Azure

  1. Determine the IP addresses assigned to the SD-WAN interfaces. Navigate to Virtual Machines > SDWSEA (or as appropriate)> Networking, and examine the IP of each Azure Network Interface.

    • In this deployment, SDWSEA Interface 0 for Management is

      Deploy HA Azure

    • The SDWSEA Interface 1 LAN VIP is SDWAN LAN

    • The SDWSEA Interface 2 WAN VIP is SDWAN WAN2

    • The SDWSEA Interface 3 HA Tracking IP (not VIP) is Interface HA

    • Repeat the procedure for the secondary Citrix SD-WAN appliance.

  2. Determine the SD-WAN ALB Public IP. Navigate to Load Balancers > sdwanha-external. Select the correct ALB based on the Resource Group created during the deployment.

    Load balancer Azure

    You can see two load balancer as following:

    • External: External LB contains public IP that you configure in the WAN link configuration.
    • Internal: Internal LB contains private IP. All LAN side traffic comes to internal LB. So you can configure the route table with Internal LB IP as next hop.
  3. Proceed to the SD-WAN MCN appliance or SD-WAN Center to configure the SD-WAN HA site. In this topic, the SDWSWEA and SDWSEASec appliances are the MCN appliances.


    You can configure Citrix SD-WAN HA in Azure through SD-WAN Orchestrator as well.

  4. The SDWANSEA and SDWANSEASec Interface Group Configuration is provided as follows. Bypass mode is set to fail-to-block since only one Ethernet/physical interface is used per virtual interface. The WAN Interface must be set to Trusted to accept connections from the ALB.

    Interface group Azure

  5. The Virtual IP configuration is provided as follows. Note the HA VIP is not the IP addressed assigned to Interface three. Use an available IP address in the appropriate subnet (the subnet assigned to AUX interface) and not the IP assigned to the Citrix SD-WAN appliances. Note only one VIP in each subnet is the Identity IP.

    Virtual IP Azure

    Two virtual IPs are assigned for both LAN and WAN Virtual Interfaces. One IP belongs to Primary SD-WAN Virtual Machine and the other IP belongs to Secondary SD-WAN Virtual Machine both on LAN and WAN respectively. Only the Primary IP is enabled with Identity.

  6. The SDWANSEA WAN Link Settings are provided as follows. Note to configure External load balancer Public IP Address as part of WAN link Public IP Address setting. The SD-WAN license determines the bandwidth settings.

    WAN link Azure settings

  7. The Access Interface settings are as follows. The IP is an Azure reserved IP.

    Access interface Azure

  8. HA settings are as follows. The primary and secondary IP address as part of this HA setting must be configured with AUX Interface IP address of both Primary and Secondary Virtual Machines respectively.

    HA settings Azure

  9. Click Apply.

  10. To have LAN traffic go through SD-WAN, add a route table on Azure with a route whose next hop points to Azure Internal Load-balancer IP. And associate the LAN subnet to the route table created.

    If at all you must route all the traffic through SD-WAN, create a default route whose next-hop is pointing to Internal Load balancer IP.

    Add route

    Associate LAN subnet

Deploy SD-WAN Standard Edition instances in High Availability mode in Azure - Release Version 10.2 and above