Design Decision: Requirements and Limitations

Within the Azure cloud, the Citrix ADC virtual and containerized appliances have reduced feature sets. Some features, such as VLAN tagging, are no longer necessary because Azure performs the functionality at the infrastructure level. Understanding the limitations and the requirements are key to planning your migration. Using GSLB and Azure for the HSM Key Vault have other requirements that you should be aware of.

Azure Key Vault

Citrix ADC integrates with Azure Key Vault and stores its private keys in the Key Vault, which increases the security protection of the keys. Using Azure Key Vault simplifies the storage and management of keys. Azure Key Vault provides a central key management location for all enterprise ADC appliances across both Azure and the on-premises data centers.

Some questions to answer during the planning stages might include the following:

How does the ADC application integrate with Azure Key Vault and what are its limitations?

  • Citrix ADC integration with Azure Key Vault requires the use of the TLS 1.3 protocol

  • FIPS 140-2 level 2 compliance requires Azure Key Vault Premium pricing tier and the use of hardware security module (HSM) backed keys

  • The ADC will access the Key Vault for each SSL handshake

  • Access to the Azure Key Vault requires an Azure Enterprise application and service principal

  • Citrix ADC use of Azure Key Vault has the following limitations:

    • Azure Key Vault limits the number of concurrent calls and the limits vary by request type and key type
    • Elliptic-curve cryptography (ECC) keys are not supported
    • HDX Enlightened Data Transport (EDT) and Datagram Transport Layer Security (DTLS) protocols cannot be used to communicate with Azure Key Vault
    • Clustering and admin partitions are not supported
    • The Azure application, Azure Key Vault, and HSM certificate-key pair cannot be updated in Azure after adding them to the Citrix ADC appliance
    • HSM certificate bundles are not supported
    • An HSM key cannot be bound to a DTLS virtual server
    • Neither the SSL Service or Online Certificate Status Protocol (OCSP) requests can use a certificate-key pair created with the HSM key
    • No error is generated when an HSM key and certificate mismatch occurs


As businesses transition their workloads to the Azure Cloud, they need a hybrid model that allows DNS resolution in a secure manner. The Azure DNS Private Zone service is the key to this transition. With Private DNS zones, businesses can create a hybrid model that allows DNS resolution for both on-premises and Azure-based servers. The Azure servers can be connected to the on-premises data center via an ExpressRoute or VPN tunnel. Citrix ADC provides a seamless way for distributing traffic across both the on-premises and Azure workloads at a global scale. The Global Server Load Balancing (GSLB) feature provides that global scale and relies on the ADNS service within the Citrix ADC console.

This GSLB feature supports business goals including: migrating from on-premises to the Azure cloud, DNS-based failover, and blue-green environment testing. Both Round Robin and Location-based (static proximity) server routing methods are available. GSLB can be used for any service or host resolution, including StoreFront.

What are the requirements and limitations of using Citrix ADC for GSLB across both my on-premises and Azure cloud hybrid deployment?

  • The ADNS service is a DNS server that runs on the Citrix ADC appliance. ADNS supports delegation of DNS name spaces, such that the Citrix ADC is the authoritative name server for the zone and all hosts within it

  • Support for GSLB Private DNS zones is implemented using Citrix ADC appliances in the Azure cloud running the ADNS service

  • Plan to use DNS forwarders for both virtual networks and data center networks

  • All DNS queries are routed first to the local DNS forwarder to provide the best user experience

  • GSLB DBS Service requires the following:

    • Citrix ADC version 12.0.57 or later and Microsoft Azure Load Balancer instances
    • Citrix ADC GSLB Service Group Feature Enhancements
    • GSLB Service Group entity: Citrix ADC version 12.057 or later
    • DBS feature components must be bound to the GSLB service group

What are the limitations of running Citrix ADC VPX instances on Azure?

  • A secure tunnel between Azure and the on-premises data center must exist, typically across an ExpressRoute or VPN connection

  • Assign a static Internal IP address to the Citrix ADC virtual machine to avoid issues caused by the IP address changing after a VM deallocation

What data center Citrix ADC functionality is not available in the Azure Citrix ADC?

  • High availability does not work if the Public IP (PIP) address is associated with the VPX instance instead of an Azure Load Balancer

  • The Azure architecture does not support the following Citrix ADC features:
    • Clustering, unless deployed via the Citrix ADM Autoscale feature
    • IPv6
    • Gratuitous ARP (GARP)
    • L2 Mode (Bridging); however, Transparent virtual servers with MAC rewrite (L2) will work for servers on the same subnet as the ADC’s SNIP
    • Tagged VLAN
    • Dynamic Routing
    • Virtual MAC
    • USIP
    • Jumbo Frames
  • Public IP addresses do not support protocols where the port mapping is opened dynamically, such as passive FTP or ALG

Azure Key Vault service limits

Support for Azure Key Vault

Deployment Guide Citrix ADC VPX on Azure - GSLB

Citrix ADC VPX on Azure Deployment Guide

Configure a Citrix ADC VPX standalone instance

Deployment Guide Citrix ADC VPX on Azure – Disaster Recovery

MAC Moves Observed on NetScaler on Azure

Design Decision: Requirements and Limitations