NetScaler SD-WAN Standard Edition Virtual Appliance (VPX) High Availability Support for Microsoft Azure

The SD-WAN solution template is a unified template in Microsoft Azure that allows users to deploy either a single SD-WAN Standard Edition appliance or a high availability cluster of SD-WAN appliances. For high availability to work, and to create the cluster using the solution template, the user or administrator can create a registered application with the role of Owner. The user then obtains the key for the registered application along with the application ID. The key for the application is displayed only once, immediately after it is created. The user has to store the key because it must be provided as input to the high availability solution template. The application ID and the subscription ID can be retrieved at any time; both are also potential inputs for creating the SD-WAN solution template for high availability.

The registered application is used to automatically populate the LAN routing table based on high availability convergence, ensuring that the LAN always points to the currently active appliance as the next hop for reaching remote sites through the WAN.

Note: Due to known limitations with prior releases, it is recommended to use SD-WAN release 10.0 version 3 for high availability deployment in Azure.

The SD-WAN Standard Edition instance in Azure must be deployed in Edge or Gateway mode, where the SD-WAN instance acts as the gateway for the LAN environment. For more information, see Gateway mode.

The following sections describe the workflow to create the solution template in Microsoft Azure and configure high availability in the SD-WAN GUI.

  1. Register application - obtain the application ID, application Key, and Directory ID required to create the solution template for high availability deployment.
  2. Create solution template for high availability.
  3. Configure high availability in SD-WAN GUI - Assign Virtual IP addresses and interfaces as required for LAN, WAN, and high availability control exchange.
  4. More configuration steps in Microsoft Azure - Manually create IAM role and add LAN subnet in the Azure LAN routing table.

How to Register Application in Microsoft Azure

The application key is used for local LAN routing table updates.

To register the application:

  1. Log into the Azure Active Directory and select App registrations.
  2. Click + New application registration. Provide a name for the application. Select Web app/API as the Application type; the Sign-on URL can be a dummy URL. After the new application is created and registered, an Application ID is generated for it. Store the Application ID so that it can be used when creating the solution template for high availability.
  3. For the newly created App Registration, select Settings > Keys. Then create a key description and select Never expires. Save your selections.

  4. Note and store the newly created Application KEY value. You need this as an input when creating the solution template for high availability deployment.

  5. Go to Azure Active Directory > Properties to collect the Directory ID attribute. Note and store the Directory ID and provide it when creating the solution template for high availability deployment.

How to create solution template for high availability deployment

To create the NetScaler SD-WAN high availability solution template:

  1. Search for NetScaler SD-WAN in the Marketplace. Select NetScaler SD-WAN Standard Edition and click Create.

  2. In the Configure basic settings page, provide the Resource group name and the Location where you want the resource group to be created and click OK.

  3. Navigate to the Administrator settings page to configure deployment settings. Provide a name for creating the high availability virtual machine. On the Virtual Machine name page, the primary instance is created, and the secondary instance is auto-created and suffixed with HA. For high availability deployment, you must enable it in HA Deployment Mode. Create a Username and Password of your choice. Confirm the password as shown in the following figure. Click OK.

  4. Go to SDWAN settings. This allows you to use existing storage or create storage in the resource group.

    • Choose the Virtual machine size in which you want to run the image. The Standard_D3_V2 instance is applicable to the VPX SE appliance only. The Standard_D4_V2, F8, and F16 instance types are supported for the VPX-L SE appliance. The site device selected in the SD-WAN configuration should match this selection. If the Azure instance is intended to be a client node, then the VPX-SE (Standard D3 V2) can be sufficient. If you are looking to promote the Azure instance as the MCN, then the larger VPX-L is required, enabling up to 128 Virtual Paths.
    • After selecting the virtual machine size, choose the desired SD-WAN SKU (BYOL in this example).
    • Select Storage account. Create new.

  5. Next, navigate to Public IP address for management access of Primary NetScaler SD-WAN and provide a unique string as the name.

  6. Next, navigate to Public IP address for management access of Secondary NetScaler SD-WAN and provide a unique string as the name.

  7. Next, navigate to Wan link public IP of NetScaler SD-WAN and provide a unique string as the name.

    Note: Create a public IP for the Azure Load Balancer that governs the WAN side of the high availability cluster. This public IP is the address known to the remote sites connecting to the hosts or the network behind the cluster of SD-WAN appliances. Create the assignment as “STATIC” so that the IP is retained even after reboot. It is recommended for high availability.

  8. Next, select Virtual network, and choose the address space to be assigned to the instance network interfaces used for the high availability cluster. This is populated with 10.0.0.0/16. It can be changed and administered as required. The network range for the various NICs (Management, LAN, WAN, and HA control traffic) can be chosen and created automatically as part of the solution template.

  9. Configure subnets. Name the NICs to be created for the high availability cluster of SD-WAN devices. The order should be as follows: MANAGEMENT, LAN, WAN, and the AUX subnet, which is used to exchange high availability control packets for achieving high availability convergence and Active/Standby state association. Take note of the subnets used for each interface. The subnets should match the desired topology and the SD-WAN configuration for the Azure site.

    Review the SDWAN settings and click OK.

Configure SDWAN Route Settings:

  1. Configure the SDWAN Route Settings to identify any backend subnets in the Azure region that are expected to operate over the SD-WAN solution. You can input 0.0.0.0/0 or a specific subnet as the network; the local LAN routing table is then updated so that all the hosts have the SD-WAN LAN-eth1 IP address as their next hop. Whichever SD-WAN instance is primary, its LAN NIC IP is automatically set as the next-hop gateway. During HA failover, the SD-WAN automatically updates the LAN routing table so that, after convergence, the new active instance is the LAN next hop. Also input the Application ID, Application Key, and Directory ID stored earlier. Click OK. Click Summary to view the complete settings and configuration.

    After all the steps are completed, the final step is to run the parameters for validation and check for errors in deployment to determine success or failure. The notifications section in Azure provides details on the latest status of the deployment creation and whether the deployment succeeded or failed. If the deployment fails, Azure provides detailed output on the failure that can be addressed. You can get more details of your deployment progress by selecting the Resource Group and Deployments under Settings.

    After successful deployment, try to access the GUI through the assigned public IP addresses for management. To identify them, select the newly created instances under Virtual Machines and find the assigned Public IP address in the Overview detail. Use the default credentials (admin/password) to log in. Modify the default password for security purposes.

    After you log into the SD-WAN GUI, notice that the virtual WAN service is disabled. This is because the instance does not have a configuration and the license is not installed. If this instance is intended to be a client node, upload the package that is intended for this site, with the matching subnet IP addresses defined. If this instance is intended to be the Master Control Node (MCN), begin by promoting it to an MCN and building the configuration. For more information about configuring the SD-WAN environment, refer to SD-WAN configuration.

Configuring high availability in SD-WAN GUI

To configure high-availability for SD-WAN appliances:

  1. In the SD-WAN GUI of the MCN appliance, go to Configuration > Virtual WAN > Configuration Editor. Expand the DC (Azure) site for which you want to configure interface groups for high availability.

  2. Go to Interface Groups. Configure LAN (eth1), WAN (eth2), and high availability (eth3) control exchange interfaces as shown in the following figure.

    Note: It is important to ensure that the WAN facing interface (eth2) is configured as ‘Trusted’ for the Security setting because the Network Security Group settings protect the Azure environment. If ‘Untrusted’ is configured for the WAN interface, it can break the communication between the SD-WAN instance and the Azure Load Balancer.

    Cloud platforms associate IP addresses with every interface (LAN/WAN). Define both IP addresses for the LAN/WAN network in the Azure instance configuration, for both the primary and secondary instances. This is configured so that the platform is aware of the correct IP address that becomes primary and is able to respond to ARPs based on whichever instance is active. For the high availability control exchange NIC, use the network interface IP addresses configured as part of the Azure solution template as the Primary and Secondary addresses in the SD-WAN high availability configuration. For the Virtual IP definition at the interface group level, you can use one random unused IP address on the same subnet as the network. In the following example, use the topology to identify the required input for Virtual IP Addresses for the Azure site in the Configuration Editor.

  3. Configure Virtual IP Addresses, which are used for Primary and Secondary instances of LAN, WAN, and high availability respectively.

    • 192.168.201.4/24 is defined for the LAN interface for the Primary and associated with eth1 Virtual Interface. 192.168.201.5/24 is also defined for the LAN interface for the Secondary and associated with the same eth1 Virtual Interface. The second IP is required to have “identity” disabled.
    • 192.168.202.4/24 is defined for the WAN interface for the Primary and associated with eth2 Virtual Interface.
    • 192.168.202.5/24 is also defined for the WAN interface for the Secondary and associated with the same eth2 Virtual Interface. The second IP is required to have “identity” disabled.
    • 192.168.203.x/24 is the high availability control exchange subnetwork, and the actual addresses configured as part of network interfaces should be used in the HA configuration. Here a dummy IP of 192.168.203.254/24 is used as input for the Virtual IP Address and associated with the eth3 (AUX in Azure) interface.

  4. Create the WAN Link for the Azure network. The WAN link Settings reflect the speed and the Static IP address associated with the WAN VIP in Azure. Locate the Static Public IP address associated with “nssdwan-vip-ip1” in your Azure account and input that IP address in the Public IP Address input field of the WAN link definition. “Autodetect Public IP” cannot be used when High Availability is deployed.

    The Access Interface is defined with the IP subnet used for the WAN interface when building the template.

  5. Enable High Availability for the Azure site. Create a virtual Interface and input the actual interface IP addresses assigned to the AUX (eth3) interfaces of the instances in Azure.

  6. Verify that there are no warnings with the configuration and push the configuration through the Change Management. For more information, see Change Management process.

  7. Change Management provides the “active” software/configuration package for each SD-WAN instance in Azure. Download the provided packages.

  8. Separately log in to each SD-WAN instance in Azure using the default admin/password credentials. Upload the packages downloaded in the previous step to the appropriate primary and secondary instances using the One Touch Start wizard. Do not upload the same package to both instances. Also, install a license file when prompted in the wizard. Clear your browser cache to access the GUI after installation of a new software or configuration package, and wait a few moments for the internal licensing service to become available.

  9. After the package and license have been enabled, navigate to the SD-WAN GUI dashboard to validate and confirm the high availability configuration status and Virtual Path status. Allow some time for the virtual machines to fully boot before the web interface becomes 100% operational.
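
The address rules in step 3 can be checked before the configuration is pushed through Change Management. The following Python check is an added example, not part of the SD-WAN product or the original page; the function and data layout are hypothetical, and the AUX NIC addresses 192.168.203.4 and 192.168.203.5 are constructed sample values.

```python
import ipaddress

# Constructed input mirroring the example in step 3. Each LAN/WAN entry is
# (address, identity_enabled); the first is the Primary, the second the Secondary.
LAN_WAN = {
    "eth1": [("192.168.201.4/24", True), ("192.168.201.5/24", False)],  # LAN
    "eth2": [("192.168.202.4/24", True), ("192.168.202.5/24", False)],  # WAN
}
# eth3 (AUX): placeholder VIP from the page; NIC addresses are assumed samples.
HA = {"vip": "192.168.203.254/24",
      "primary": "192.168.203.4", "secondary": "192.168.203.5"}


def check_vip_plan(lan_wan, ha):
    """Return a list of violations; an empty list means the plan is consistent."""
    problems = []
    for iface, entries in lan_wan.items():
        if len(entries) != 2:
            problems.append(f"{iface}: need one VIP for Primary and one for Secondary")
            continue
        (pri, _), (sec, sec_identity) = entries
        pri, sec = ipaddress.ip_interface(pri), ipaddress.ip_interface(sec)
        if pri.network != sec.network:
            problems.append(f"{iface}: {pri} and {sec} are on different subnets")
        if pri.ip == sec.ip:
            problems.append(f"{iface}: Primary and Secondary use the same address")
        if sec_identity:
            problems.append(f"{iface}: identity must be disabled on {sec}")
    vip = ipaddress.ip_interface(ha["vip"])
    nics = {role: ipaddress.ip_address(ha[role]) for role in ("primary", "secondary")}
    for role, ip in nics.items():
        if ip not in vip.network:
            problems.append(f"eth3: {role} NIC {ip} is outside {vip.network}")
        if ip == vip.ip:
            problems.append(f"eth3: placeholder VIP {vip.ip} is in use by the {role} NIC")
    if nics["primary"] == nics["secondary"]:
        problems.append("eth3: Primary and Secondary NIC addresses are identical")
    return problems


if __name__ == "__main__":
    for line in check_vip_plan(LAN_WAN, HA) or ["VIP plan is consistent"]:
        print(line)
```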

Configuration in Microsoft Azure

The Web App created earlier in the Application Registration step is used for updating local LAN routing tables.

  1. Manually add the LAN subnet to the SdwanRouteHATable (Lan Routing table) using the VNET used to create the high availability instances.

    • In the Azure portal, navigate to All Resources, locate, and select the SdWanRouteTable.

    • Select Subnet and click Associate.

    • Select your VNET from the Virtual Network Selection and choose the LAN subnet used in creating the instance.

    • Validate that the correct LAN subnet is added to the SdWanRouteTable.

  2. The IAM role is created manually.

    • With the SdWanRouteTable still selected, select Access Control (IAM), then click Add.

    • Select Owner as the Role and Azure AD user, group, or application for Assign access to. Then search for and find the App registered in the earlier steps.
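
The two manual steps above can be verified from exported Azure state, including after a failover, when the route should point at the LAN IP of the new active instance. This Python audit is an added example, not part of the product or the original page; it assumes JSON shaped like the output of `az network route-table show` and `az role assignment list --all`, and all IDs and names in the sample data are placeholders.

```python
# Constructed sample data shaped like the JSON returned by
# `az network route-table show` and `az role assignment list --all`.
# The subscription, resource group, VNET and principal IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NET = SUB + "/resourceGroups/sdwan-rg/providers/Microsoft.Network"
RT_ID = NET + "/routeTables/SdWanRouteTable"
LAN_ID = NET + "/virtualNetworks/sdwan-vnet/subnets/lan"
APP_SP = "11111111-1111-1111-1111-111111111111"  # service principal object ID

ROUTE_TABLE = {
    "id": RT_ID,
    "subnets": [{"id": LAN_ID}],
    "routes": [{"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": "192.168.201.4"}],
}
ASSIGNMENTS = [
    {"principalId": APP_SP, "roleDefinitionName": "Owner", "scope": RT_ID},
    {"principalId": APP_SP, "roleDefinitionName": "Owner", "scope": SUB},
]


def audit(route_table, assignments, principal_id, lan_subnet_id, active_lan_ip):
    """Return findings where the deployed state differs from the steps above."""
    findings = []
    rt_id = route_table["id"].lower()
    subnets = {s["id"].lower() for s in route_table.get("subnets") or []}
    if lan_subnet_id.lower() not in subnets:
        findings.append("LAN subnet is not associated with the route table")
    routes = route_table.get("routes") or []
    if not routes:
        findings.append("route table has no routes")
    for r in routes:
        hop = (r.get("nextHopType"), r.get("nextHopIpAddress"))
        if hop != ("VirtualAppliance", active_lan_ip):
            findings.append(f"route {r.get('addressPrefix')}: next hop is not {active_lan_ip}")
    scopes = [a["scope"].lower() for a in assignments
              if a.get("principalId") == principal_id
              and a.get("roleDefinitionName") == "Owner"]
    if rt_id not in scopes:
        findings.append("application has no Owner assignment on the route table")
    for scope in scopes:
        # A parent scope grants Owner on more than the route table; list it for review.
        if scope != rt_id and rt_id.startswith(scope.rstrip("/") + "/"):
            findings.append(f"application is also Owner at wider scope {scope}")
    return findings


if __name__ == "__main__":
    print(audit(ROUTE_TABLE, ASSIGNMENTS, APP_SP, LAN_ID, "192.168.201.4"))
```

Passing the Secondary LAN address as `active_lan_ip` after a failover shows whether the route table was actually updated.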

Troubleshooting High Availability (HA) instances in Azure

Troubleshooting the instances in Azure can be accomplished using the built-in diagnostics tools in the SD-WAN web interface.

  1. To troubleshoot the WAN interface, on the Active HA instance ensure that the Monitoring > Statistics > Show ARP table is populated, with the gateway properly responding to ARP requests from the SD-WAN.

  2. Use the Configuration > System Maintenance > Diagnostics > Packet Capture tool to ensure that heartbeat packets are seen between the WAN interface and the Azure Load Balancer, in addition to the encapsulated SD-WAN Virtual Path traffic. To start the capture, select Interface 2 (the WAN interface) and click Capture.

    • Verify that TCP port 500 packets are exchanged properly in both directions between the Azure Load Balancer and the SD-WAN WAN configured VIP.

    • Verify that the UDP encapsulated packets are exchanged properly in both directions between the SD-WAN WAN configured VIP and the remote SD-WAN partner device.

  3. Packet captures can be performed on the interface dedicated to High Availability communication between the two HA instances. Select Interface 3, then click Capture.

    Validate that high availability heartbeats over port 4980 are properly being negotiated between the two interface VIPs.
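
The capture checks in steps 2 and 3 amount to confirming that traffic on a given port flows in both directions between two addresses. This Python sketch is an added example, not part of the product or the original page; it assumes the capture has been exported as text in `tcpdump -nn` format, and the sample lines are constructed.

```python
import re

# Address part of a line of `tcpdump -nn` text output (assumed input format).
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)")

# Constructed capture lines. 168.63.129.16 is the source address of Azure
# health probes; the AUX NIC addresses (.4/.5) are assumed sample values, and
# showing the heartbeat as UDP is an assumption (the check matches on port).
WAN_CAPTURE = [
    "10:00:01.000100 IP 168.63.129.16.51000 > 192.168.202.4.500: Flags [S], seq 1, length 0",
    "10:00:01.000300 IP 192.168.202.4.500 > 168.63.129.16.51000: Flags [S.], seq 9, ack 2, length 0",
]
HA_CAPTURE = [  # heartbeats leave one instance but nothing comes back
    "10:00:02.000100 IP 192.168.203.4.4980 > 192.168.203.5.4980: UDP, length 48",
    "10:00:03.000100 IP 192.168.203.4.4980 > 192.168.203.5.4980: UDP, length 48",
]


def directions_seen(lines, a, b, port, proto=None):
    """Return which of 'a->b' and 'b->a' carried packets to or from `port`."""
    seen = set()
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, tag = m.groups()
        pkt_proto = "tcp" if tag == "Flags" else "udp" if tag.startswith("UDP") else "other"
        if proto and pkt_proto != proto:
            continue
        if str(port) not in (sport, dport):
            continue
        if (src, dst) == (a, b):
            seen.add("a->b")
        elif (src, dst) == (b, a):
            seen.add("b->a")
    return seen


def bidirectional(lines, a, b, port, proto=None):
    """True only when traffic on `port` was captured in both directions."""
    return directions_seen(lines, a, b, port, proto) == {"a->b", "b->a"}


if __name__ == "__main__":
    print("LB probe OK:", bidirectional(WAN_CAPTURE, "168.63.129.16", "192.168.202.4", 500, "tcp"))
    print("HA heartbeat OK:", bidirectional(HA_CAPTURE, "192.168.203.4", "192.168.203.5", 4980))
```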
