High Availability

May 13, 2014

Two Citrix® NetScaler® VPX™ instances in AWS can be configured as a high availability (HA) pair. With one instance configured as the primary node and the other as the secondary node, the primary node accepts connections and manages servers while the secondary node monitors the primary. If, for any reason, the primary node is unable to accept connections, the secondary node takes over.

The following figure shows an example of the HA deployment architecture for NetScaler VPX on AWS.
Figure 1. NetScaler VPX on AWS - HA Deployment


To deploy HA for VPX on AWS, you must configure at least two ENIs on the primary instance and a single ENI on the secondary instance. On each instance, configure the NetScaler IP (NSIP) address (the management address) on the default ENI. On the primary instance, use the additional ENIs for client and server connections.

For instructions on obtaining access and secret keys, see "How Do I Get Security Credentials?" and "Creating, Modifying, and Viewing User Access Keys (AWS Management Console)" in the AWS documentation. For instructions on creating an IAM user and setting permissions, see "Creating an IAM Account."

Example format for a key file is:
ACCESS_KEY="AKIAJPBBBBBBBVA2PR2OHJNA" 
SECRET_KEY="d75KxU7ukd44444NNNNtrrAOgynwBdJoSiooP"
Note: For HA failover to work:
  1. The NSIP addresses for each NetScaler instance in an HA pair must be configured on the default ENI of the instance.
  2. Both the primary and secondary instances must have EIPs associated with the NSIP or NAT configured to handle outgoing traffic in order to have access to the AWS API servers.
  3. Client and server traffic (data-plane traffic) must not be configured on the default ENI.
  4. The access and secret keys associated with the user's AWS Identity and Access Management (IAM) account must be used when creating the VPX instances. If the correct key information is not used when creating VPX instances, the HA deployment will fail. The access and secret keys are required for sending Query APIs to the AWS server.
  5. Nameservers/DNS servers must be configured at the VPC level using DHCP options.
Notes on HA:
  • Because Amazon does not allow any broadcast/multicast packets in AWS, HA is implemented by migrating data-plane ENIs from the primary to the secondary (new primary) VPX instance when the primary VPX instance fails.
  • To deploy HA for VPX on AWS, you must configure at least two ENIs on the primary instance and a single ENI on the secondary instance.
  • Because the default ENI cannot be moved to another VPX instance, you should not use the default ENI for data.
  • The message AWSCONFIG IOCTL NSAPI_HOTPLUG_INTF success output 0 indicates that the two data ENIs have successfully attached to the secondary instance (the new primary).
  • Failover might take up to 20 seconds due to the AWS detach/attach ENI mechanism.
  • Upon failover, the failed instance always restarts.
  • The secondary node always has one ENI interface (for management) and the primary node can have up to four ENIs.
  • The heartbeat packets are received only on the management interface.
  • The configuration file of the primary and secondary NetScaler appliances is synchronized, including the nsroot password. The nsroot password of the secondary node is set to that of the primary node after the HA configuration synchronization.
  • The AWS debug messages are available in the log file, /var/log/ns.log, on the VPX instance.

Configuring High Availability for VPX on AWS

To deploy HA for two VPX instances on AWS, you must create the primary NetScaler VPX instance with three ENIs and the secondary NetScaler VPX instance with a single ENI.

Following is an example of launching a primary VPX instance with three ENIs:

C:\aws-vpc-config>ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -f ./access-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.21 -a :1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::"10.20.10.22,10.20.10.23,10.20.10.24,10.20.10.25,10.20.10.26,10.20.10.27,10.20.10.28,10.20.10.29,10.20.10.30" -a :2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::"10.20.1.22,10.20.1.23,10.20.1.24,10.20.1.25,10.20.1.26,10.20.1.27,10.20.1.28,10.20.1.29,10.20.1.30"

Following is an example of launching a secondary VPX instance with a single ENI:

C:\aws-vpc-config>ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -f access-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.31
Note: The access-secret-key-file argument contains the access and secret key. (You cannot change the access-secret-key-file associated with a VPC instance after it is created.)

After the two NetScaler instances are UP, configure the HA pairing on both instances. You have to configure the instance with two or more ENIs before configuring HA on the instance with one ENI. Use the add HA node command, either from the NetScaler CLI or from the NetScaler GUI. For example:

On the VPX instance with two or more ENIs:

add HA node 1 10.20.15.31

On the VPX instance with one ENI:

add HA node 1 10.20.15.21

After you enter the add HA node commands, the two nodes form an HA pair, and configuration information is synchronized between the two VPX instances.
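A pre-launch check for the ENI layout rules above, as an added example (not Citrix code): it parses the -a values from the two launch commands, reports violations of the HA notes, and builds the add HA node command for each side. Function names are hypothetical; the field positions are read off the page's commands, and treating extra private IPs on device index 0 as data-plane addresses is an assumption.

```python
import ipaddress

def parse_attachment(spec):
    """Parse one -a value, using the colon-separated layout seen in the page's commands."""
    f = [part.strip('"') for part in spec.split(":")]
    f += [""] * (9 - len(f))          # short specs omit the trailing fields
    return {
        "index": int(f[1]),
        "subnet": f[2],
        "ip": ipaddress.ip_address(f[4]),
        "extra_ips": [ipaddress.ip_address(a) for a in f[8].split(",") if a],
    }

def nsip(enis):
    """Primary private IP of the default ENI (device index 0), or None."""
    return next((e["ip"] for e in enis if e["index"] == 0), None)

def check_ha_plan(primary_specs, secondary_specs):
    """Return rule violations for an HA pair; an empty list means the plan passes."""
    primary = [parse_attachment(s) for s in primary_specs]
    secondary = [parse_attachment(s) for s in secondary_specs]
    problems = []
    if not 2 <= len(primary) <= 4:
        problems.append("primary must have two to four ENIs")
    if len(secondary) != 1:
        problems.append("secondary must have a single ENI")
    for name, enis in (("primary", primary), ("secondary", secondary)):
        default = [e for e in enis if e["index"] == 0]
        if not default:
            problems.append(f"{name}: no default ENI to carry the NSIP")
        # Assumption: extra private IPs on index 0 mean data-plane addresses there.
        elif default[0]["extra_ips"]:
            problems.append(f"{name}: data-plane addresses on the default ENI")
    if nsip(primary) is not None and nsip(primary) == nsip(secondary):
        problems.append("both instances use the same NSIP")
    return problems

def ha_commands(primary_specs, secondary_specs):
    """Build the add HA node command for each side; each points at the peer's NSIP."""
    p_nsip = nsip([parse_attachment(x) for x in primary_specs])
    s_nsip = nsip([parse_attachment(x) for x in secondary_specs])
    return {"primary": f"add HA node 1 {s_nsip}", "secondary": f"add HA node 1 {p_nsip}"}

# -a values from the page's launch examples (secondary-IP lists abbreviated)
PRIMARY = [':0:subnet-15fa057e:"NSIP":10.20.15.21',
           ':1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::"10.20.10.22,10.20.10.23"',
           ':2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::"10.20.1.22,10.20.1.23"']
SECONDARY = [':0:subnet-15fa057e:"NSIP":10.20.15.31']

if __name__ == "__main__":
    print(check_ha_plan(PRIMARY, SECONDARY) or "plan matches the HA notes")
    print(ha_commands(PRIMARY, SECONDARY))
```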

To remove HA from a NetScaler VPX pair
You can remove HA configuration from the NetScaler VPX pair by using the remove ha node command. You have to remove the HA configuration from the secondary NetScaler VPX before removing the HA configuration from the primary NetScaler VPX.

For example, on the Secondary NetScaler VPX instance, at the NetScaler command line, type:

remove ha node

save config

On the Primary NetScaler VPX instance, at the NetScaler command line, type:

remove ha node

save config

Launching NetScaler VPX pairs for HA by using Citrix CloudFormation

  1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.

  2. Click My Account/Console, and then click AWS Management Console.

  3. On the Amazon Web Services page, in the Deployment & Management section, click Cloud Formation.

  4. On the CloudFormation Stacks page, select the Region in which you plan to deploy the NetScaler VPX instance, and then click Create New Stack.

  5. In the Create Stack dialog box, specify a value for Stack Name, select the Upload a Template File option, and then click Browse. Select the template for HA NetScaler VPX from the local drive, and then click Continue.

  6. In the next pane, specify values for:
    • VpcID: An identifier to assign to the Virtual Private Cloud (VPC).
    • NsipSubnet: Subnet in which the NSIP is configured in VPC.
    • ServerSubnet: Subnet in which the server farm is configured in VPC.
    • ClientSubnet: SubnetId in which the client side is configured in VPC.
    • SecurityGroup: VPC Security group id.
    • VPXPrimary: Name of Primary VPX instance type.
    • AccessKey: Access Key for IAM user account.
    • SecretKey: Secret Key for IAM user account.
    • TenancyType: Instance tenancy type, can be default or dedicated.
    • NsIP: Private IP assigned to the NSIP ENI. The last octet of NSIP should be between 5 and 254.
    • NsIPSec: Private IP assigned to the NSIP ENI of the secondary instance. The last octet has to be between 5 and 254.
    • ServerIP: Private IP assigned to the Server ENI. The last octet should be between 5 and 254.
    • ClientIP: Private IP assigned to the Client ENI. The last octet should be between 5 and 254.
    • KeyName: Name of an existing EC2 KeyPair to enable SSH access to the instances.
    Note: Make sure that the VPC, subnets, security groups, route associations, and gateway associations are already configured.

  7. Click Continue.
  8. Review the specified values in the Create Stack dialog box.

  9. Click Continue to create a Stack.

  10. Click Close to close the Create Stack dialog box.
  11. The new stack that you created appears on the CloudFormation Stacks page.
