POC Guide: Migrating Applications from Citrix ADC to the new Citrix App Delivery and Security Service

Introduction

This document provides an overview of the steps, tools, architecture, and considerations for migrating Citrix ADC traffic management and security solutions to the new Citrix App Delivery and Security (CADS) service. This guide is intended for technical engineering and architectural teams who want to migrate applications to AWS. The scope of this guide is limited to Citrix ADC hardware or software-based appliances on product version 13 and later.

What is CADS Service - Citrix Managed?

CADS service – Citrix Managed is a new SaaS offering for application delivery and security. Citrix App Delivery and Security service removes the complexity from every step of app delivery, including provisioning, securing, on-boarding, and management, empowering IT to deliver a superior experience that keeps users engaged and productive.

Getting Started

There are four key steps for migrating to the new CADS service:

  1. Deployment models - Evaluate the current deployment, assess how your applications fit together, and design the architecture for the AWS environment.
  2. Use cases and feature mapping - Develop a high-level plan for your migration and make key decisions about what to migrate.
  3. Licensing – Identify the right CADS service – Citrix Managed entitlement by converting the current ADC capacity.
  4. Traffic flow - Migrate your application user’s traffic to the new site.

Follow the Getting Started Guide

Migration from ADC to CADS service - Citrix Managed

Migration from ADC to CADS service - Strategy

Deployment Models

Customers have designed their application architecture based on requirements such as specific feature needs, performance, high availability, compliance, etc. When you migrate applications and their associated dependencies to AWS, there is no standard approach.

The following table provides an overview of the common use cases for different applications and ADC workloads that are migrated to CADS service – Citrix Managed.

| Application Type | Use Case | Suggested Action |
|---|---|---|
| Development/Testing/PoC web app with temporary capacity needs | Web application utilizing SSL-offload, load balancing and content switching capabilities of Citrix ADC | Depending on the required location of the datacenter, create an environment as described here. Use CADS service Modern App delivery workflow to deploy your application as documented here. Trial License can be used, for more details see the Licensing section. |
| Custom/Commercial, external facing application to be deployed across multiple Availability Zones, high availability (HA) | You either plan to expand a datacenter or run a mix of self-managed and Citrix managed CADS services. You might have integrated Citrix Application Delivery Controller (ADC) as part of the application’s logic, and need to port the same logic to CADS. | You can leverage the Cloud Recommendation engine to determine the optimal site location for the application. For details click here. Depending on the required location of the new datacenter, choose multiple availability zones for the region while you create an environment as described here. Review current Citrix ADC configurations (ns.conf) and break them down into the application components that need to be migrated. You can use the app migration workflow as described here. You can refer to feature mapping in Figure 2 to decide on modern app workflow or migration. |
| External application across multiple Regions, high availability (HA) with DNS / GSLB | Expand application presence globally with the help of global server load-balancing capability of CADS | Based on the feature usage, you can either choose the Modern App or Migration (Classic App) workflow for application deployment. Once the applications are deployed in the desired region and availability zones, you can use the Multi-Site application delivery to create a GSLBaaS solution with CADS as described here. |
| Internal application across multiple Availability Zones, high availability (HA) but no DNS / GSLB | Deploy application for internal users only. | In the Application creation workflow, while creating endpoints, ensure you select Internal for Access type. This ensures no public IP association for your application is configured. |
| Applications with high compliance or security-related requirements. WAF or IDS/IPS applications | These applications require advanced security features such as signatures, bot protections, deep and complex WAF rule sets, protection from OWASP top 10. | You need to have a CADS Premium license to use these features. Ensure you enable the desired security protection features for your application deployment as described here. |
| Cloud Native applications | Use CADS to deploy an application as an Ingress controller to manage and route traffic into your Kubernetes cluster | Not Supported with CADS. However, you can use CADS as the first (relatively static) tier of load balancing to an existing second tier of Citrix ADC CPX. |
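The table above asks you to review ns.conf and break it down into the application components to migrate. The following sketch is an added example, not Citrix tooling or part of the original guide: it groups `add`/`bind` lines for lb and cs virtual servers into a per-application inventory and marks which applications carry a WAF policy binding. The sample configuration, all names in it, and the `private_vip` hint (an RFC 1918 VIP suggesting the Internal access type) are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed ns.conf excerpt; every name and address is made up for this example.
SAMPLE_NS_CONF = r"""
enable ns feature LB CS SSL AppFW
add lb vserver lb_shop SSL 192.0.2.10 443 -persistenceType COOKIEINSERT
add lb vserver lb_intranet HTTP 10.0.2.10 80
add cs vserver cs_front SSL 192.0.2.20 443
add cs policy pol_shop -rule "HTTP.REQ.HOSTNAME.EQ(\"shop.example.com\")"
add appfw policy pol_waf_shop true prof_shop
bind lb vserver lb_shop svc_web1
bind lb vserver lb_shop -policyName pol_waf_shop -priority 100
bind lb vserver lb_intranet svc_web1
bind cs vserver cs_front -policyName pol_shop -targetLBVserver lb_shop -priority 10
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _vserver_cmd(tok, verb):  # matches '<verb> lb|cs vserver <name> <arg>...'
    return len(tok) > 4 and tok[0] == verb and tok[1] in ("lb", "cs") and tok[2] == "vserver"

def inventory(conf_text):
    """Return (enabled features, {vserver name: its components}) from ns.conf text."""
    features, waf_policies, apps = set(), set(), {}
    for line in conf_text.splitlines():
        tok = [] if line.startswith("#") else shlex.split(line)
        if tok[:3] == ["enable", "ns", "feature"]:
            features.update(t.upper() for t in tok[3:])
        elif tok[:3] == ["add", "appfw", "policy"] and len(tok) > 3:
            waf_policies.add(tok[3])
        elif _vserver_cmd(tok, "add") and len(tok) >= 7:
            vip = ipaddress.ip_address(tok[5])
            apps[tok[3]] = {"kind": tok[1], "type": tok[4], "port": int(tok[6]),
                            "private_vip": any(vip in net for net in RFC1918),
                            "services": [], "policies": [], "targets": []}
        elif _vserver_cmd(tok, "bind") and tok[3] in apps:
            app, rest = apps[tok[3]], tok[4:]
            opts = {k.lower(): v for k, v in zip(rest, rest[1:]) if k.startswith("-")}
            if "-policyname" in opts:
                app["policies"].append(opts["-policyname"])
                if "-targetlbvserver" in opts:  # content switch -> LB vserver dependency
                    app["targets"].append(opts["-targetlbvserver"])
            elif not rest[0].startswith("-"):
                app["services"].append(rest[0])
    for app in apps.values():  # mark apps whose bound policies include a WAF policy
        app["waf"] = any(p in waf_policies for p in app["policies"])
    return features, apps

if __name__ == "__main__":
    print(inventory(SAMPLE_NS_CONF))
```

Applications flagged with `waf` are the ones that fall under the security-requirements row of the table, and the `targets` list shows which LB virtual servers must move together with a content-switching front end.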

Use Cases and Feature Mapping

There are many aspects of migration that need to be considered, but before beginning your Citrix ADC workload migration, the following assessments help clarify the migration process.

  • Application and the associated feature dependency to migrate:

    Assess whether the entire application is moving or only the web (UI) tier. You should also consider additional dependencies around features like use of caching, compression, authentication, security and more. Your evaluation needs to determine what would be required from the network topology.

  • Reasons for application migration: You might be migrating your application because you are decommissioning your on-prem datacenter, because you want more elasticity, or because you are creating a disaster recovery site. Assess whether the application is migrating to have a per-application architecture, compared to the shared monolithic patterns common in many datacenters.

  • Destination of the migration: Assess if the application needs to move to a single VPC with one Availability Zone or two Availability Zones. Determine the peer or transit VPC topology, along with the need for multi-Region deployments. These will impact the migration pattern design.

You can refer to Deployment types and the Datasheet for the full set of supported features with CADS service – Citrix Managed. The flow chart in Figure 2 shows the feature list for Modern and Classic App. You can start with the Modern App decision flow and check if all the required functionalities are addressed. If not, then you can validate the Classic app flow.

Feature based migration strategy

Licensing

The Citrix App Delivery and Security Service license is based on flexible consumption-based metering, where your applications automatically consume capacity from available entitlements. You get full architectural flexibility to deploy what you need when you need it. Details of the licensing entitlements are available here. The following calculation can be used to determine the consumption.

  • If your application serves an average throughput of 250 Mbps per year, then the annual data usage can be calculated as follows.

  • Average application throughput per year (T) = 250 Mbps

  • Data usage per sec (d) = T x 0.125, i.e. 250 x 0.125 = 31.25 MB per sec

  • Total data usage in TB per year = (d x 365 x 24 x 3600)/1048576, i.e. (31.25 x 365 x 24 x 3600)/1048576 = 939.85 TB.

  • For a data usage of ~1000 TB, the preferred license entitlement is Advance or Premium 1200 TB bandwidth + 100 million DNS queries.

Traffic Flow

With applications deployed with CADS service – Citrix Managed, the final step is to migrate the application traffic from an existing datacenter. For this, use Multi-site application delivery and define the existing and new Citrix Managed site. For traffic migration, use weighted Round-Robin as the algorithm. Configure the weights in a 90 (existing site) : 10 (new Citrix Managed site) ratio. Weights are proportional, i.e. 90% of the traffic is received by the existing site and 10% by the Citrix Managed site. You can alter this to control the traffic proportions to your datacenters. Finally, perform application tests and complete the migration process with 100% traffic to the Citrix Managed site.

Summary

Following the above pattern enables admins to migrate applications delivered and secured by an ADC to CADS service - Citrix Managed.
