Deploy SD-WAN Standard Edition Instances in High Availability Mode in Azure - Release Version 9.3

The Citrix SD-WAN Azure solution deploys SD-WAN in Edge Gateway Mode as a single instance, or as a cluster pair for High Availability (HA). In an HA deployment, an Azure Load Balancer (ALB) controls failover between the WAN interfaces of the Citrix SD-WAN appliances. The Citrix SD-WAN appliances themselves update the Azure Route Table (RT) to control failover on the LAN side. The Citrix SD-WAN Azure solution in HA automatically creates the ALB named sdwanhalb and the RT named SdWanRouteTable.

The following diagram illustrates the Citrix SD-WAN Azure HA deployment:


The following sections describe the workflow to deploy a Citrix SD-WAN solution in Microsoft Azure and configure HA in the SD-WAN GUI.

  1. Create an Application Registration - obtain Application ID, Application Key, and the Directory ID (Object ID) for HA deployment.
  2. Deploy Citrix SD-WAN.
  3. Configure the Citrix SD-WAN appliances.

The SD-WAN Standard Edition instance in Azure must be deployed in Edge or Gateway mode, where the SD-WAN instance acts as the gateway for the LAN environment. For more information, see Gateway mode.

How to create an application registration in Azure for Citrix SD-WAN

The application key is used for local LAN routing table updates.

To register the application:

  1. Log in to Azure Active Directory and select App registrations.

  2. Click + New application registration. Provide a name for the application. Choose Web app / API for Application type, and populate the home page field with any http address. Document the Application ID and Object ID for SD-WAN. Click Settings.
  3. For the newly created App Registration, select Settings > Keys. Then create a key description and select Never expires. Save the new key after documenting the value and proceed to deploy Citrix SD-WAN.

How to deploy Citrix SD-WAN

To deploy Citrix SD-WAN in high availability:

For the deployment, an Azure VNET is required. Either create a VNET during deployment or choose an existing VNET for the Citrix SD-WAN.

The following screenshot shows the subnetting in the VNET used in this topic.

  1. Create an Azure resource. Search for SD-WAN and select WAN Standard Edition release 9.3.

  2. Configure the basic settings page and provide the Resource group name.

  3. Name the Virtual Machine, select Enabled for HA Deployment Mode, and create a Username and Password.


  4. Configure the SD-WAN settings. In the Subnets section, the Management subnet contains the SD-WAN management IPs. The Aux subnet contains the HA IPs. The LAN VIPs update the SdWanHaRoute Azure RT, while the WAN VIPs are available behind the sdwanhalb ALB.

  5. Configure the route that Citrix SD-WAN updates: define the remote SD-WAN network as the destination, and enter the Application ID, Directory (Object) ID, and the Application Key value. Citrix SD-WAN controls all route statements whose names begin with the value defined in the Route table name field, which is SEAvnetSDWgw in this document.

  6. In step 5, validate the configuration and then create the SD-WAN HA pair. Proceed to configuring the Citrix SD-WAN appliances.

How to configure Citrix SD-WAN HA in Azure

  1. Determine the IP addresses assigned to the SD-WAN interfaces. Navigate to Virtual Machines > SDWSEA (or as appropriate) > Networking, and examine the IP of each Azure Network Interface.

    • In this deployment, SDWSEA Interface 0 for Management is 10.100.254.4/13.67.93.144.

    • The SDWSEA Interface 1 LAN VIP is 10.100.1.4.

    • The SDWSEA Interface 2 WAN VIP is 10.100.0.4.

    • The SDWSEA Interface 3 HA Tracking IP (not VIP) is 10.100.253.4.

    • Repeat the procedure for the secondary Citrix SD-WAN appliance.

  2. Determine the SD-WAN ALB Public IP. Navigate to Load Balancers > sdwanhalb. Select the correct ALB based on the Resource Group created during the deployment. In this environment, the SD-WAN WAN link public IP address.


  3. Connect to the management IP with a web browser.

    • Log in with admin/password. To change the admin password, select the Configuration tab, then Appliance Settings > Administrator Interface in the left navigation bar. Provide the current admin password, enter and confirm the new password, then click the Change Password button. You are prompted to log out.

  4. Proceed to the SD-WAN MCN appliance or SD-WAN Center to configure the SD-WAN HA site. The supported release version is 10.0.6. In this topic, the SDWSEA and SDWSEASec appliances are the MCN appliances.
  5. The SDWANSEA and SDWANSEASec Interface Group Configuration is provided as follows. Note that the interfaces are set to fail-to-block, as required by Edge Gateway Mode. The WAN Interface must be set to Trusted to accept connections from the ALB.

  6. The Virtual IP configuration is provided as follows. Note that the HA VIP is not the IP address assigned to Interface 3. Use an available IP address in the appropriate subnet, not the IP assigned to the Citrix SD-WAN appliances. Note that only one VIP in each subnet is the Identity IP.

  7. The SDWANSEA WAN Link Settings are provided as follows. Note the Public IP address. The SD-WAN license determines the bandwidth settings.

  8. The Access Interface settings are as follows. The 10.100.0.1 IP is an Azure reserved IP.


  9. HA settings are as follows.


  10. Add an export route for the VNET if the SD-WAN is to route to and from more than the SDWSEA-LAN subnet with the SDWSEA-LAN Azure reserved IP as the gateway.


  11. In the Azure Route Table, routes that the SDWSEA appliances control should start with SEAvnetSDWgw. This diagram shows the WAN sites in SDWANSEA deployment.


    • Route table when the SDWSEA appliance is active.


    • Route table when SDWSEASec appliance is active.
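
The check below is an added example, not Citrix's or the original page's code: it audits a route-table listing for the behaviour described in step 11, reporting which appliance currently owns the SEAvnetSDWgw routes and flagging routes whose next hop is not a known SD-WAN LAN IP. The JSON field names follow the Azure route resource; the assumption that managed routes use the active appliance's LAN IP as next hop, the SDWSEASec address 10.100.1.5, the route-name suffixes and the sample routes are constructed for illustration.

```python
import json

MANAGED_PREFIX = "SEAvnetSDWgw"   # route-name prefix from the page
# LAN next hops: 10.100.1.4 is SDWSEA's LAN VIP on the page; the SDWSEASec
# address is a constructed placeholder because the page does not list it.
APPLIANCES = {"10.100.1.4": "SDWSEA", "10.100.1.5": "SDWSEASec"}

# Constructed sample in the shape of `az network route-table route list -o json`.
SAMPLE = json.loads("""[
  {"name": "SEAvnetSDWgw-1", "addressPrefix": "192.168.10.0/24",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.100.1.4"},
  {"name": "SEAvnetSDWgw-2", "addressPrefix": "192.168.20.0/24",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.100.1.99"},
  {"name": "lab-static", "addressPrefix": "172.16.0.0/16",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.100.1.4"},
  {"name": "to-internet", "addressPrefix": "0.0.0.0/0",
   "nextHopType": "Internet", "nextHopIpAddress": null}
]""")


def audit_routes(routes, appliances=APPLIANCES, prefix=MANAGED_PREFIX):
    """Return (active_appliance_or_None, findings) for Azure route objects."""
    findings, owners = [], set()
    for route in routes:
        name = route.get("name", "")
        hop = route.get("nextHopIpAddress")
        is_appliance_hop = (route.get("nextHopType") == "VirtualAppliance"
                            and hop in appliances)
        if name.startswith(prefix):
            if is_appliance_hop:
                owners.add(appliances[hop])
            else:
                findings.append(f"{name}: unexpected next hop {hop}")
        elif is_appliance_hop:
            # Outside the managed prefix, so HA failover would not move it.
            findings.append(f"{name}: targets {appliances[hop]} but is unmanaged")
    if len(owners) > 1:
        findings.append("managed routes are split across both appliances")
    active = next(iter(owners)) if len(owners) == 1 else None
    return active, findings


if __name__ == "__main__":
    active, findings = audit_routes(SAMPLE)
    print("active appliance:", active)
    for finding in findings:
        print("FINDING:", finding)
```

Run it against a saved listing of the route table before and after a failover test; the reported active appliance should change and the findings list should stay empty.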
