Citrix ADC CPX, Citrix Ingress Controller, and Application Delivery Management on Google Cloud

Citrix product overview for GCP K8’s architecture and components

The five major Citrix components of GCP

  1. Citrix ADC VPX as tier 1 ADC for ingress-based internet client traffic.

    A VPX instance in GCP enables you to take advantage of GCP computing capabilities and use Citrix load balancing and traffic management features for your business needs. You can deploy VPX in GCP as a standalone instance. Both single and multiple network interface card (NIC) configurations are supported.

  2. The Kubernetes cluster using Google Kubernetes Engine (GKE) to form the container platform.

    Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It enables rapid deployment and management of your applications and services.

  3. Deploy a sample Citrix web application using the YAML file library.

    Citrix has provided a sample microservice web application to test the two-tier application topology on GCP. We have also included the following components in the sample files for proof of concept:

    • Sample Hotdrink Web Service in Kubernetes YAML file
    • Sample Colddrink Web Service in Kubernetes YAML file
    • Sample Guestbook Web Service in Kubernetes YAML file
    • Sample Grafana Charting Service in Kubernetes YAML file
    • Sample Prometheus Logging Service in Kubernetes YAML file


  4. Deploy the Citrix ingress controller for tier 1 Citrix ADC automation into the GKE cluster.

    The Citrix ingress controller built around Kubernetes automatically configures one or more Citrix ADC based on the ingress resource configuration. An ingress controller is a controller that watches the Kubernetes API server for updates to the ingress resource and reconfigures the ingress load balancer accordingly. The Citrix ingress controller can be deployed either directly using YAML files or by Helm Charts.


    Citrix has provided sample YAML files for the Citrix ingress controller automation of the tier 1 VPX instance. The files automate several configurations on the tier 1 VPX including:

    • Rewrite Polices and Actions
    • Responder Polices and Actions
    • Contents Switching URL rules
    • Adding/Removing CPX Load Balancing Services

    The Citrix ingress controller YAML file for GCP is located here:

Two-tier ingress deployment on GCP

In a dual-tiered ingress deployment, deploy Citrix ADC VPX/MPX outside the Kubernetes cluster (Tier 1) and Citrix ADC CPXs inside the Kubernetes cluster (Tier 2).

The tier 1 VPX/MPX would load balance the tier 2 CPX inside the Kubernetes cluster. This is a generic deployment model followed widely irrespective of the platform, whether it’s Google Cloud, Amazon Web Services, Azure, or an on-premises deployment.

Automation of the tier 1 VPX/MPX

The tier 1 VPX/MPX automatically load balances the tier 2 CPXs. Citrix ingress controller completes the automation configurations by running as a pod inside the Kubernetes cluster. It configures a separate ingress class for the tier 1 VPX/MPX so that the configuration does not overlap with other ingress resources.


Citrix deployment overview

Install and configure the tier 1 Citrix ADC on GCP

You can deploy Citrix ADC using one of the following:

Now you need to deploy Citrix VPX (tier-1-adc) using 3-NIC GDM template.

Prerequisites (mandatory):

  1. Create GCP account using your Citrix mail id only

  2. Create cnn-selab-atl as project name on GCP console: GCP

  3. Install the gcloud utility on your device. Follow the link to find the utility:

  4. Authenticate to your Google account using gcloud API gcloud auth login.

  5. Install kubectl on your client:

  6. Run the following command on the gcloud utility to create an image.

    gcloud compute images create netscaler12-1 --source-uri=gs://tme-cpx-storage/NSVPX-GCP-12.1-50.28_nc.tar.gz --guest-os-features=MULTI_IP_SUBNET

    It might take a moment for the image to be created. After the image is created, it appears under Compute > Compute Engine in the GCP console.

Deploy a Citrix VPX (tier-1-adc) on GCP

  1. GCP VPC instances: To address the separation of the External, Internal, and DMZ networks for security purposes. We must create three NICs as shown in the following table:

    Network Comments Management Network (vpx-snet-mgmt) Client Network (vpx-snet-vip) Server Network (vpx-snet-snip)


    Build the three-arm network VPCs before you deploy any VM instances.

    A VPC can be created by SDK by using gcloud APIs or through Google Cloud Platform Console

    VPC by gcloud API

    Create a VPC for Management or NSIP Traffic

     gcloud compute --project=cnn-selab-atl networks create vpx-snet-mgmt --subnet-mode=custom
     gcloud compute --project=cnn-selab-atl networks subnets create vpx-snet-mgmt --network=vpx-snet-mgmt --region=us-east1 --range=

    Create a VPC for Client or VIP Traffic

     gcloud compute --project=cnn-selab-atl networks create vpx-snet-vip --subnet-mode=custom
     gcloud compute --project=cnn-selab-atl networks subnets create vpx-snet-vip --network=vpx-snet-vip --region=us-east1 --range=

    Create a VPC for Server or SNIP Traffic where you host your kubernetes Cluster

     gcloud compute --project=cnn-selab-atl networks create vpx-snet-snip --subnet-mode=custom
     gcloud compute --project=cnn-selab-atl networks subnets create vpx-snet-snip --network=vpx-snet-snip --region=us-east1 --range=

    *VPC by GCP GUI Console

    From the Google console, select Networking > VPC network > Create VPC network and enter the required fields, as shown below. Then click Create.


    Similarly, create VPC networks for client and server-side NICs to create three subnets.


    All three VPC networks should be in the same region, which is us-east1 in this scenario.


  2. After you create three networks and three subnets under VPC Network, deploy the Citrix ADC VPX instance using the GDM template. Make sure both configuration.yml and are in same folder or directory. Use the following command from Google SDK to deploy the instance.

     gcloud deployment-manager deployments create tier1-vpx --config configuration.yml
  3. After a successful deployment, go to Compute Engine to check the citrix-adc-tier1-vpx section, and validate the internal IPs.


The Citrix ingress controller can automate the static route configuration in the tier 1 VPX. Configure the subnet IP (SNIP) address that should be of the same subnet/virtual private cloud of the Kubernetes cluster.


The tier 1 VPX/MPX deployed is going to load balance the CPXs inside the Kubernetes cluster. Configure the SNIP in the tier 1 VPX.

From a PuTTY session on the tier 1 VPX, complete the following commands to add SNIP and enable management access to SNIP:

clear config -force full
add ns ip -type snip -mgmt enabled
enable ns mode mbf

Deploy a Kubernetes cluster using GKE

One can deploy Kubernetes cluster either by Google Cloud SDK or through Google Cloud Platform GUI console.

Gcloud API Command to create k8s cluster

gcloud beta container --project "cnn-selab-atl" clusters create "k8s-cluster-with-cpx" --zone "us-east1-b" --username "admin" --cluster-version "1.11.7-gke.12" --machine-type "n1-standard-1" --image-type "COS" --disk-type "pd-standard" --disk-size "100" --scopes "","","","","","" --num-nodes "3" --enable-cloud-logging --enable-cloud-monitoring --no-enable-ip-alias --network "projects/cnn-selab-atl/global/networks/vpx-snet-snip" --subnetwork "projects/cnn-selab-atl/regions/us-east1/subnetworks/vpx-snet-snip" --addons HorizontalPodAutoscaling,HttpLoadBalancing --enable-autoupgrade --enable-autorepair

Google Cloud Platform GUI console steps

  1. Search for a Kubernetes Engine on GCP console and click Create Cluster.


  2. Create a cluster in the same subnet where your VPX SNIP is (vpx-snet-snip). This cluster automates the configuration push into the tier 1 ADC from Citrix ingress controller in the K8s cluster.



  3. Click Advanced options to change the subnet to vpx-snet-snip and select the following fields.


  4. To access this cluster from the cloud SDK, click the Kubernetes Connect to the cluster button and paste the command in the cloud SDK.


  5. Validate the GKE Cluster deployment by running the following command:

kubectl get nodes


Deploy a sample application using the sample YAML file library

Citrix ADC offers the two-tier architecture deployment solution to load balance the enterprise grade applications deployed in microservices and accessed through the Internet. Tier 1 has heavy load balancers such as VPX/SDX/MPX to load balance North-South traffic. Tier 2 has CPX deployment for managing microservices and load balances East-West traffic.

  1. If you are running your cluster in GKE, then ensure that you have used cluster role binding to configure a cluster-admin. You can do that using the following command.

     kubectl create clusterrolebinding citrix-cluster-admin --clusterrole=cluster-admin --user=<email-id of your google account>.
  2. Access the current directory where you have the deployment YAML files. Run the following command to get the node status.

     kubectl get nodes


  3. Create the namespaces:

     kubectl create -f namespace.yaml

    Verify the namespace command:

     kubectl get namespaces


  4. Deploy the rbac.yaml in the default namespace.

     kubectl create -f rbac.yaml
  5. Deploy the CPX for hotdrink, colddrink, and guestbook microservices using the following commands.

     kubectl create -f cpx.yaml -n tier-2-adc
     kubectl create -f hotdrink-secret.yaml -n tier-2-adc
  6. Deploy the three-hotdrink beverage microservices–the SSL type microservice with the hair-pin architecture.

     kubectl create -f team_hotdrink.yaml -n team-hotdrink
     kubectl create -f hotdrink-secret.yaml -n team-hotdrink
  7. Deploy the colddrink beverage microservice–the SSL_TCP type microservice.

     kubectl create -f team_colddrink.yaml -n team-colddrink
     kubectl create -f colddrink-secret.yaml -n team-colddrink
  8. Deploy the guestbook–a NoSQL type microservice.

     kubectl create -f team_guestbook.yaml -n team-guestbook
  9. Validate the CPX deployed for above three applications. First, obtain the CPX pods deployed as tier-2-adc and then get the CLI access to CPX.

    ``` To get CPX pods in tier-2-adc namespace, enter: kubectl get pods -n tier-2-adc

    To get CLI access (bash) to the CPX pod (hotdrinks-cpx pod), enter: kubectl exec -it "copy and paste hotdrink CPX pod name from the above step" bash -n tier-2-adc.

    For example,

    kubectl exec -it cpx-ingress-hotdrinks-768b674f76-pcnw4 bash -n tier-2-adc

    To check whether the CS vserver is running in the hotdrink-cpx, enter the following command after the root access to CPX: cli-script"sh csvs".

    For example,

    root@cpx-ingress-hotdrinks-768b674f76-pcnw4:/# "sh csvs"

  10. Deploy the VPX ingress and ingress controller to the tier 2 namespace, which configures VPX automatically. Citrix Ingress Controller (CIC) automates the tier-1-adc (VPX).

     kubectl create -f ingress_vpx.yaml -n tier-2-adc
     kubectl create -f cic_vpx.yaml -n tier-2-adc
  11. Add the DNS entries in your local machine’s host files for accessing microservices through the Internet.

    For Windows Clients, go to: C:\Windows\System32\drivers\etc\hosts

    For macOS Clients, in the Terminal, enter: sudo nano /etc/hosts`

    Add the following entries in the host’s file and save the file. (static-external-traffic-ip-tier1-vpx) (static-external-traffic-ip-tier1-vpx) (static-external-traffic-ip-tier1-vpx) (static-external-traffic-ip-tier1-vpx) (static-external-traffic-ip-tier1-vpx)
  12. Now you can access each application over the Internet. For example,


Enable the Rewrite and Responder policies for the sample application

Now it’s time to push the Rewrite and Responder policies on VPX through the custom resource definition (CRD).

  1. Deploy the CRD to push the Rewrite and Responder policies in to tier-1-adc in default namespace.

   kubectl create -f crd_rewrite_responder.yaml
  1. Blacklist URLs Configure the Responder policy on to block access to the coffee page.

   kubectl create -f responderpolicy_hotdrink.yaml -n tier-2-adc

After you deploy the Responder policy, access the coffee page on Then you receive the following message.


  1. Header insertion Configure the Rewrite policy on to insert the session ID in the header.

   kubectl create -f rewritepolicy_colddrink.yaml -n tier-2-adc

After you deploy the Rewrite policy, access with developer mode enabled on the browser. In Chrome, press F12 and preserve the log in network category to see the session ID, which is inserted by the Rewrite policy on tier-1-adc (VPX).


Open source tool sets

  1. Deploy Cloud Native Computing Foundation (CNCF) monitoring tools, such as Prometheus and Grafana to collect ADC proxy stats.

     kubectl create -f monitoring.yaml -n monitoring
     kubectl create -f ingress_vpx_monitoring.yaml -n monitoring

Prometheus log aggregator

  1. Log in to and complete the following one-time setup.

    1. Log in to the portal using administrator credentials.
    2. Click Add data source and select the Prometheus data source.
    3. Configure the following settings and click the Save and test button.


Grafana visual dashboard

  1. From the left panel, select the Import option and upload the grafana_config.json file provided in the yamlFiles folder. Now you can see the Grafana dashboard with basic ADC stats listed.


Delete a deployment

  1. To delete the Citrix VPX (tier-1-adc) deployment, go to the Google SDK CLI console to delete the instance:

    gcloud deployment-manager deployments delete tier1-vpx
  2. To delete the GKE Kubernetes cluster, go to the GCP console, select kubernetes cluster, and click Delete to erase the cluster.

    GCP ```