

    Richard Faulkner
    • Validation Status: Validated
      Summary: Deployment Guide NetScaler ADC VPX on AWS - Disaster Recovery

    Deployment Guide NetScaler ADC VPX on AWS - Disaster Recovery

    Contributors

    Author: Blake Schindler, Solutions Architect

    Overview

    NetScaler ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments.

    As an undisputed leader of service and application delivery, NetScaler ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.


    NetScaler VPX

    The NetScaler ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms:

    • Citrix Hypervisor

    • VMware ESX

    • Microsoft Hyper-V

    • Linux KVM

    • Amazon Web Services

    • Microsoft Azure

    • Google Cloud Platform

    This deployment guide focuses on NetScaler ADC VPX on Amazon Web Services.


    Amazon Web Services

    Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services can offer tools such as compute power, database storage, and content delivery services.

    AWS offers the following essential services:

    • AWS Compute Services

    • Migration Services

    • Storage

    • Database Services

    • Management Tools

    • Security Services

    • Analytics

    • Networking

    • Messaging

    • Developer Tools

    • Mobile Services

    AWS Terminology

    Here is a brief description of key terms used in this document that users must be familiar with:

    • Elastic Network Interface (ENI) - A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC).

    • Elastic IP (EIP) address - A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change.

    • Subnet - A segment of the IP address range of a VPC to which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs.

    • Virtual Private Cloud (VPC) - A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define.

    Here is a brief description of other terms used in this document that users should be familiar with:

    • Amazon Machine Image (AMI) - A machine image that provides the information required to launch an instance, which is a virtual server in the cloud.

    • Elastic Block Store - Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

    • Simple Storage Service (S3) - Storage for the Internet. It is designed to make web-scale computing easier for developers.

    • Elastic Compute Cloud (EC2) - A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

    • Elastic Load Balancing (ELB) - Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. ELB increases the fault tolerance of user applications.

    • Instance type - Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications.

    • Identity and Access Management (IAM) - An AWS identity with permission policies that determine what the identity can and cannot do in AWS. Users can use an IAM role to enable applications running on an EC2 instance to securely access their AWS resources. An IAM role is required for deploying VPX instances in a high-availability setup.

    • Internet Gateway - Connects a network to the Internet. Users can route traffic for IP addresses outside their VPC to the Internet gateway.

    • Key pair - A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key.

    • Route table - A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.

    • Auto Scaling - A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks.

    • CloudFormation - A service for writing or changing templates that create and delete related AWS resources together as a unit.

    Use Cases

    Disaster Recovery (DR)

    A disaster is a sudden disruption of business functions caused by natural calamities or human-caused events. Disasters affect data center operations, after which the resources and data lost at the disaster site must be fully rebuilt and restored. Data loss or downtime in the data center is critical and breaks business continuity.

    One of the challenges that customers face today is deciding where to put their DR site. Businesses are looking for consistency and performance regardless of any underlying infrastructure or network faults.

    Possible reasons many organizations are deciding to migrate to the cloud are:

    • Usage economics — The capital expense of having a data center on-prem is well documented and by using the cloud, these businesses can free up time and resources from expanding their own systems.

    • Faster recovery times — Much of the automated orchestration enables recovery in mere minutes.

    • Also, there are technologies that help replicate data by providing continuous data protection or continuous snapshots to guard against any outage or attack.

    • Finally, there are use cases where customers need many different types of compliance and security control which are already present on the public clouds. These make it easier to achieve the compliance they need rather than building their own.

    Deployment Types

    One-NIC Deployment

    • Typical Deployments

      • Standalone

    • Use Cases

      • Customers typically use One-NIC Deployments to deploy into a non-production environment, to set up an environment for testing, or to stage a new environment before production deployment.

      • One-NIC Deployments are also used to deploy directly to the cloud quickly and efficiently.

      • One-NIC Deployments are used when customers seek the simplicity of a single subnet configuration.

    Three-NIC Deployment

    • Typical Deployments

      • Standalone

      • High Availability

    • Use Cases

      • Three-NIC Deployments are used to achieve real isolation of data and management traffic.

      • Three-NIC Deployments also improve scale and performance of the ADC.

      • Three-NIC Deployments are recommended for network applications where throughput is typically 1 Gbps or higher.

    CFT Deployment

    Customers deploy using CloudFormation Templates (CFTs) when they need to customize or automate their deployments.

    Sample NetScaler ADC VPX Deployment on AWS Architecture

    [Figure: sample NetScaler ADC VPX deployment on AWS architecture]

    The preceding figure shows a typical topology of an AWS VPC with a NetScaler ADC VPX deployment.

    The AWS VPC has

    1. A single Internet gateway to route traffic in and out of the VPC.

    2. Network connectivity between the Internet gateway and the Internet.

    3. Three subnets, one each for management, client, and server.

    4. Network connectivity between the Internet gateway and the two subnets (management and client).

    5. A standalone NetScaler ADC VPX instance deployed within the VPC. The VPX instance has three ENIs, one attached to each subnet.

    Deployment Steps

    One-NIC Deployment for DR

    The NetScaler ADC VPX Express instance is available as an Amazon Machine Image (AMI) in the AWS Marketplace. The minimum supported EC2 instance type for the NetScaler VPX AMI is m4.large. Download the AMI and create an instance of the VPX using a single VPC subnet. The NetScaler ADC VPX instance requires a minimum of 2 virtual CPUs and 2 GB of memory. The initial configuration includes network interface configuration, VIP configuration, and feature configuration. Further configuration can be performed by logging in to the GUI or via SSH (user name: nsroot).

    The output of the configuration includes:

    • InstanceIdNS - Instance ID of the newly created VPX instance. This is the default password for the GUI / SSH access.

    • ManagementURL - Use this HTTPS URL to the Management GUI (uses self-signed cert) to log in to the VPX and configure it further.

    • ManagementURL2 - Use this HTTP URL to the Management GUI (if your browser has problems with the self-signed cert) to log in to the VPX.

    • PublicNSIP - Use this public IP to ssh into the appliance.

    • PublicIpVIP - The Public IP where load balanced applications can be accessed.

    The VPX is deployed in a single-NIC mode.

    The standard NetScaler IP addresses: NSIP (management IP), VIP (where load balanced applications are accessed), and SNIP (the IP used to send traffic to back end instances) are all provisioned on the single NIC and are drawn from the (RFC1918) address space of the provided VPC subnet. The (RFC1918) NSIP is mapped to the Public IP of the VPX Instance and the RFC1918 VIP is mapped to a public Elastic IP.

    Licensing

    A NetScaler ADC VPX instance on AWS requires a license.

    The following licensing options are available for NetScaler ADC VPX instances running on AWS:

    Deployment Options

    Users can deploy a NetScaler ADC VPX standalone instance on AWS by using the following options:

    • AWS web console

    • Citrix-authored CloudFormation template

    • AWS CLI

    Deployment Steps

    Users can deploy a NetScaler ADC VPX instance on AWS through the AWS web console.

    The deployment process includes the following steps:

    • Create a Key Pair

    • Create a Virtual Private Cloud (VPC)

    • Create the VPX instance

    • Create a single VPC subnet

    • Create network interface configuration

    • Map the NSIP to the Public IP of the VPX Instance

    • Map the VIP to a public Elastic IP

    • Connect to the VPX instance

    Create a Key Pair

    Amazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to an instance, users must create a key pair, specify the name of the key pair when they launch the instance, and provide the private key when they connect to the instance.

    When users review and launch an instance by using the AWS Launch Instance wizard, they are prompted to use an existing key pair or create a new key pair.

    For more information about how to create a key pair, see Amazon EC2 Key Pairs and Linux Instances


    Create a VPC

    A NetScaler ADC VPX instance is deployed inside an AWS VPC. A VPC allows users to define virtual networks dedicated to their AWS account.

    For more information about AWS VPC, see Getting Started With IPv4 for Amazon VPC.

    While creating a VPC for a NetScaler ADC VPX instance, keep the following points in mind.

    Use the VPC with a Single Public Subnet Only option to create an AWS VPC in an AWS availability zone.

    Citrix recommends that users map the previously created NSIP and VIP addresses to the public subnet.


    Create a NetScaler ADC VPX Instance by using the AWS Express AMI

    Create a NetScaler ADC VPX instance from the AWS VPX Express AMI.

    From the AWS dashboard, go to Compute > Launch Instance > AWS Marketplace.

    Before clicking Launch Instance, users should ensure their region is correct by checking the note that appears under Launch Instance.

    In the Search AWS Marketplace bar, search with the keyword NetScaler ADC VPX.

    Select the desired version to deploy and then click Select.

    For the NetScaler ADC VPX version, users have the following options:

    • A licensed version

    • NetScaler ADC VPX Express appliance (a free virtual appliance, which is available from NetScaler ADC 12.0 56.20.)

    • Bring your own device

    The Launch Instance wizard starts. Follow the wizard to create an instance.

    The wizard prompts users to:

    • Choose Instance Type

    • Configure Instance

    • Add Storage

    • Add Tags

    • Review

    Allocate and Associate Elastic IPs

    If users assign a public IP address to an instance, it remains assigned only until the instance is stopped. After that, the address is released back to the pool. When users restart the instance, a new public IP address is assigned.

    In contrast, an elastic IP (EIP) address remains assigned until the address is disassociated from an instance.

    Allocate and associate an elastic IP for the management NIC.

    For more information about how to allocate and associate elastic IP addresses, see these topics:

    These steps complete the procedure to create a NetScaler ADC VPX instance on AWS. It can take a few minutes for the instance to be ready. Check that the instance has passed its status checks. Users can view this information in the Status Checks column on the Instances page.

    Connect to the VPX Instance

    After users have created the VPX instance, they can connect to it by using the GUI or an SSH client.


    GUI connection

    The following are the default administrator credentials to access a NetScaler ADC VPX instance:

    • User name: nsroot

    • Password: The default password for the nsroot account is set to the AWS instance-ID of the NetScaler ADC VPX instance.

    SSH Client connection

    From the AWS management console, select the NetScaler ADC VPX instance and click Connect. Follow the instructions given on the Connect to Your Instance page.

    For more information about how to deploy a NetScaler ADC VPX standalone instance on AWS by using the AWS web console, see

    Three-NIC Deployment for DR

    The NetScaler ADC VPX instance is available as an Amazon Machine Image (AMI) in the AWS Marketplace, and it can be launched as an Elastic Compute Cloud (EC2) instance within an AWS VPC. The minimum supported EC2 instance type for the NetScaler VPX AMI is m4.large. The NetScaler ADC VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory. An EC2 instance launched within an AWS VPC can also provide the multiple interfaces, multiple IP addresses per interface, and public and private IP addresses needed for the VPX configuration.

    Each VPX instance requires at least three IP subnets

    • A management subnet

    • A client-facing subnet (VIP)

    • A back-end facing subnet (SNIP)

    Citrix recommends three network interfaces for a standard VPX installation on AWS.

    AWS currently makes multi-IP functionality available only to instances running within an AWS VPC. A VPX instance in a VPC can be used to load balance servers running in EC2 instances. An Amazon VPC allows users to create and control a virtual networking environment, including their own IP address range, subnets, route tables, and network gateways.

    Note:

    By default, users can create up to 5 VPCs per AWS region for each AWS account. Users can request higher VPC limits by submitting Amazon's request form:

    Licensing

    A NetScaler ADC VPX instance on AWS requires a license.

    The following licensing options are available for NetScaler ADC VPX instances running on AWS:

    Deployment Options

    Users can deploy a NetScaler ADC VPX standalone instance on AWS by using the following options:

    • AWS web console

    • Citrix-authored CloudFormation template

    • AWS CLI

    Deployment Steps

    Users can deploy a NetScaler ADC VPX instance on AWS through the AWS web console.

    The deployment process includes the following steps:

    • Create a Key Pair

    • Create a Virtual Private Cloud (VPC)

    • Add more subnets

    • Create security groups and security rules

    • Add route tables

    • Create an internet gateway

    • Create a NetScaler ADC VPX instance

    • Create and attach more network interfaces

    • Attach elastic IPs to the management NIC

    • Connect to the VPX instance

    Create a Key Pair

    Amazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to an instance, users must create a key pair, specify the name of the key pair when they launch the instance, and provide the private key when they connect to the instance.

    When users review and launch an instance by using the AWS Launch Instance wizard, they are prompted to use an existing key pair or create a new key pair.

    For more information about how to create a key pair, see Amazon EC2 Key Pairs and Linux Instances

    Create a VPC

    A NetScaler ADC VPX instance is deployed inside an AWS VPC. A VPC allows users to define virtual networks dedicated to their AWS account.

    For more information about AWS VPC, see Getting Started With IPv4 for Amazon VPC

    While creating a VPC for a NetScaler ADC VPX instance, keep the following points in mind:

    • Use the VPC with a Single Public Subnet Only option to create an AWS VPC in an AWS availability zone.

    • Citrix recommends that users create at least three subnets, of the following types:

      • One subnet for management traffic. Place the management IP (NSIP) on this subnet. By default, elastic network interface (ENI) eth0 is used for the management IP.

      • One or more subnets for client-access (user-to-NetScaler ADC VPX) traffic, through which clients connect to one or more virtual IP (VIP) addresses assigned to NetScaler ADC load balancing virtual servers.

      • One or more subnets for the server-access (VPX-to-server) traffic, through which user servers connect to VPX-owned subnet IP (SNIP) addresses.

      • All subnets must be in the same availability zone.
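The subnet layout described above can be checked before anything is provisioned. The following Python script is an added example written for this guide; it is not Citrix code and not part of the CloudFormation templates. The VPC and subnet CIDRs, the availability zone and the check_subnet_plan function name are constructed for the example. It verifies that the three subnets lie inside the VPC range, do not overlap, cover the management, client and server roles, and sit in one availability zone.

```python
import ipaddress

# Constructed sample: a /16 VPC carved into the three subnets the guide calls for.
# The CIDRs and availability zone are made up for this example.
VPC_CIDR = "10.20.0.0/16"
SUBNET_PLAN = [
    {"role": "management", "cidr": "10.20.0.0/24", "az": "us-east-1a"},  # NSIP lives here (eth0)
    {"role": "client",     "cidr": "10.20.1.0/24", "az": "us-east-1a"},  # VIPs
    {"role": "server",     "cidr": "10.20.2.0/24", "az": "us-east-1a"},  # SNIPs
]

REQUIRED_ROLES = {"management", "client", "server"}


def check_subnet_plan(vpc_cidr, subnets):
    """Return the problems with a subnet plan; an empty list means it passes.

    Checks that every subnet lies inside the VPC range, that no two subnets
    overlap, that the management, client and server roles are all present, and
    that all subnets are in one availability zone (a VPX needs its three ENIs
    in the same AZ).
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = []
    for s in subnets:
        try:
            net = ipaddress.ip_network(s["cidr"])  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{s['role']}: invalid CIDR {s['cidr']}")
            continue
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"{s['role']}: {s['cidr']} is outside VPC {vpc_cidr}")
        nets.append((s["role"], net))
    for i, (role_a, net_a) in enumerate(nets):
        for role_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{role_a} and {role_b} overlap ({net_a} / {net_b})")
    for missing in sorted(REQUIRED_ROLES - {s["role"] for s in subnets}):
        problems.append(f"no subnet for role {missing}")
    azs = {s["az"] for s in subnets}
    if len(azs) > 1:
        problems.append(f"subnets span several availability zones: {sorted(azs)}")
    return problems


if __name__ == "__main__":
    print(check_subnet_plan(VPC_CIDR, SUBNET_PLAN) or "subnet plan OK")
```

Run the script against your own plan by replacing VPC_CIDR and SUBNET_PLAN; any string it returns names the subnet and the rule it breaks, so the plan can be corrected before the VPC wizard is used.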

    Add Subnets

    When the VPC wizard is used for deployment, only one subnet is created. Depending on user requirements, users may want to create more subnets.

    For more information about how to create more subnets, see VPCs and Subnets.

    Create Security Groups and Security Rules

    To control inbound and outbound traffic, create security groups and add rules to the groups.

    For more information about how to create groups and add rules, see Security Groups for Your VPC.

    For NetScaler ADC VPX instances, the EC2 wizard provides default security groups, which are generated by AWS Marketplace and are based on settings recommended by Citrix. However, users can create more security groups based on their requirements.

    Note:

    Ports 22, 80, and 443 must be opened in the security group for SSH, HTTP, and HTTPS access, respectively.
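The note above gives the ports to open but not the source ranges, and a group that admits port 22 from 0.0.0.0/0 exposes the appliance's management plane (the nsroot SSH login) to the whole Internet. The following Python script is an added example, not code from this guide or the Marketplace-generated security group. It audits a dictionary shaped like one entry of aws ec2 describe-security-groups output (the group ID, CIDRs and the function names audit_security_group and restrict_management are constructed) for the three required ports, flags port 22 when it is reachable from anywhere, and produces a copy of the group in which port 22 is limited to an administrative CIDR.

```python
import copy

# Constructed sample shaped like one entry of `aws ec2 describe-security-groups`
# output: the keys follow the AWS API, the group ID and ranges are made up.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

REQUIRED_TCP_PORTS = {22, 80, 443}   # the ports the guide says must be open
MANAGEMENT_PORTS = {22}              # SSH to nsroot: limit to trusted admin ranges
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _sources(rule):
    """Every source CIDR, IPv4 and IPv6, of one IpPermissions entry."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _covers(rule, port):
    """True if the rule admits TCP traffic to `port` (protocol -1 means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_group(group, required=REQUIRED_TCP_PORTS, mgmt=MANAGEMENT_PORTS):
    """Return (missing_ports, exposed_mgmt_ports).

    missing_ports: required ports with no inbound rule admitting them.
    exposed_mgmt_ports: management ports reachable from 0.0.0.0/0 or ::/0.
    """
    rules = group.get("IpPermissions", [])
    missing = sorted(p for p in required if not any(_covers(r, p) for r in rules))
    exposed = sorted(
        p for p in mgmt
        if any(_covers(r, p) and any(src in ANYWHERE for src in _sources(r)) for r in rules)
    )
    return missing, exposed


def restrict_management(group, admin_cidr, mgmt=MANAGEMENT_PORTS):
    """Copy of `group` in which every rule admitting a management port only allows admin_cidr.

    A rule spanning a port range that includes a management port is narrowed as a
    whole, so keep management ports in their own rules.
    """
    fixed = copy.deepcopy(group)
    for rule in fixed.get("IpPermissions", []):
        if any(_covers(rule, p) for p in mgmt):
            rule["IpRanges"] = [{"CidrIp": admin_cidr}]
            rule.pop("Ipv6Ranges", None)
    return fixed


if __name__ == "__main__":
    print("before:", audit_security_group(SAMPLE_GROUP))
    print("after: ", audit_security_group(restrict_management(SAMPLE_GROUP, "203.0.113.0/24")))
```

Ports 80 and 443 are left open to the world because the VIP serves application traffic on them in a single-NIC deployment; in a three-NIC deployment the management ENI can carry its own, tighter group.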

    Add Route Tables

    Route tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table.

    For more information about how to create a route table, see Route Tables.

    Create an Internet Gateway

    An internet gateway serves two purposes: to provide a target in the VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

    Create an internet gateway for internet traffic.

    For more information about how to create an Internet Gateway, see the section Creating and Attaching an Internet Gateway

    Create a NetScaler ADC VPX Instance by using the AWS EC2 Service

    To create a NetScaler ADC VPX instance by using the AWS EC2 service, complete the following steps:

    • From the AWS dashboard, go to Compute > EC2 > Launch Instance > AWS Marketplace.

    • Before clicking Launch Instance, users should ensure their region is correct by checking the note that appears under Launch Instance.

    • In the Search AWS Marketplace bar, search with the keyword NetScaler ADC VPX.

    • Select the version users want to deploy and then click Select. For the NetScaler ADC VPX version, users have the following options:

      • A licensed version

      • NetScaler ADC VPX Express appliance (a free virtual appliance, which is available from NetScaler ADC 12.0 56.20.)

      • Bring your own device

    The Launch Instance wizard starts. Follow the wizard to create an instance.

    The wizard prompts users to:

    • Choose Instance Type

    • Configure Instance

    • Add Storage

    • Add Tags

    • Configure Security Group

    • Review

    Create and Attach more Network Interfaces

    Create two more network interfaces for the VIP and SNIP.

    For more information about how to create more network interfaces, see the section Creating a Network Interface.

    After users have created the network interfaces, they must attach the interfaces to the VPX instance. To do so, shut down the VPX instance, attach the interfaces, and then power on the instance.

    For more information about how to attach network interfaces, see the section Attaching a Network Interface When Launching an Instance.

    Allocate and Associate Elastic IPs

    If users assign a public IP address to an EC2 instance, it remains assigned only until the instance is stopped. After that, the address is released back to the pool. When users restart the instance, a new public IP address is assigned.

    In contrast, an elastic IP (EIP) address remains assigned until the address is disassociated from an instance.

    Allocate and associate an elastic IP for the management NIC.

    For more information about how to allocate and associate elastic IP addresses, see these topics

    These steps complete the procedure to create a NetScaler ADC VPX instance on AWS. It can take a few minutes for the instance to be ready. Check that the instance has passed its status checks. Users can view this information in the Status Checks column on the Instances page.

    Connect to the VPX Instance

    After users have created the VPX instance, they can connect to it by using the GUI or an SSH client.

    GUI connection

    The following are the default administrator credentials to access a NetScaler ADC VPX instance:

    • User name: nsroot

    • Password: The default password for the nsroot account is set to the AWS instance-ID of the NetScaler ADC VPX instance.

    SSH Client connection

    From the AWS management console, select the NetScaler ADC VPX instance and click Connect. Follow the instructions given on the Connect to Your Instance page.

    For more information about how to deploy a NetScaler ADC VPX standalone instance on AWS by using the AWS web console, see

    CFT Deployment

    NetScaler ADC VPX is available as Amazon Machine Images (AMI) in the AWS Marketplace.

    AWS Marketplace

    Before using a CloudFormation template to provision a NetScaler ADC VPX in AWS, the AWS user has to accept the terms and subscribe to the AWS Marketplace product. Each edition of the NetScaler ADC VPX in the Marketplace requires this step.

    Each template in the CloudFormation repository has collocated documentation describing the usage and architecture of the template. The templates attempt to codify recommended deployment architecture of the NetScaler ADC VPX, or to introduce the user to the NetScaler ADC or to demonstrate a particular feature, edition, or option. Users can reuse, modify, or enhance the templates to suit their particular production and testing needs. Most templates require full EC2 permissions in addition to permissions to create IAM roles.

    The CloudFormation templates contain AMI IDs that are specific to a particular release of the NetScaler ADC VPX (for example, release 12.0-56.20) and edition (for example, NetScaler ADC VPX Platinum Edition - 10 Mbps) or NetScaler ADC BYOL. Using a different version or edition of the NetScaler ADC VPX with a CloudFormation template requires the user to edit the template and replace the AMI IDs.

    The latest NetScaler ADC AWS-AMI-IDs are available on GitHub at NetScaler ADC AWS CloudFormation Master.

    CFT Single-NIC Deployment

    The CloudFormation template requires sufficient permissions to create IAM roles and lambda functions, beyond normal EC2 full privileges. The user of this template also needs to accept the terms and subscribe to the AWS Marketplace product before using this CloudFormation template.

    This CloudFormation template creates an instance of the VPX Express from the VPX Express AMI using a single VPC subnet. The CloudFormation template also provisions a lambda function that initializes the VPX instance. Initial configuration performed by the lambda function includes network interface configuration, VIP configuration, and feature configuration. Further configuration can be performed by logging in to the GUI or via SSH (user name: nsroot).

    The output of the CloudFormation template includes:

    • InstanceIdNS - Instance ID of the newly created VPX instance. This is the default password for the GUI / SSH access.

    • ManagementURL2 - Use this HTTP URL to the Management GUI (if your browser has problems with the self-signed cert) to log in to the VPX.

    • PublicNSIP - Use this public IP to ssh into the appliance.

    • PublicIpVIP - The Public IP where load balanced applications can be accessed.

    The CloudFormation template deploys the VPX in a single-NIC mode. The standard NetScaler IP addresses: NSIP (management IP), VIP (where load balanced applications are accessed) and SNIP (the IP used to send traffic to back end instances) are all provisioned on the single NIC and are drawn from the (RFC1918) address space of the provided VPC subnet. The (RFC1918) NSIP is mapped to the Public IP of the VPX Instance and the RFC1918 VIP is mapped to a public Elastic IP. If the VPX is restarted, the Public NSIP mapping is lost. In this case the NSIP is only accessible from within the VPC subnet, from another EC2 instance in the same subnet. Other possible architectures include 2 and 3-NIC configurations across multiple VPC subnets.

    CFT Three-NIC Deployment

    This template deploys a VPC with 3 subnets (Management, Client, Server) for 2 Availability Zones. It deploys an Internet Gateway, with a default route on the public subnets. This template also creates an HA pair across Availability Zones with two instances of NetScaler ADC: 3 ENIs associated with 3 VPC subnets (Management, Client, Server) on the primary and 3 ENIs associated with 3 VPC subnets (Management, Client, Server) on the secondary. All the resource names created by this CFT are prefixed with a tagName equal to the stack name.

    The output of the CloudFormation template includes:

    • PrimaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Primary VPX (uses self-signed cert)

    • PrimaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Primary VPX

    • PrimaryCitrixADCInstanceID - Instance Id of the newly created Primary VPX instance

    • PrimaryCitrixADCPublicVIP - Elastic IP address of the Primary VPX instance associated with the VIP

    • PrimaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Primary VPX

    • PrimaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Primary VPX

    • PrimaryCitrixADCPrivateVIP - Private IP address of the Primary VPX instance associated with the VIP

    • PrimaryCitrixADCSNIP - Private IP address of the Primary VPX instance associated with the SNIP

    • SecondaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Secondary VPX (uses self-signed cert)

    • SecondaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Secondary VPX

    • SecondaryCitrixADCInstanceID - Instance Id of the newly created Secondary VPX instance

    • SecondaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Secondary VPX

    • SecondaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Secondary VPX

    • SecondaryCitrixADCPrivateVIP - Private IP address of the Secondary VPX instance associated with the VIP

    • SecondaryCitrixADCSNIP - Private IP address of the Secondary VPX instance associated with the SNIP

    • SecurityGroup - Security group id that the VPX belongs to

    When providing input to the CFT, the mandatory-field marker shown against a parameter implies that the field is required. For example, VPC ID is a mandatory field.

    The following prerequisites must be met. The CloudFormation template requires sufficient permissions to create IAM roles, beyond normal EC2 full privileges. The user of this template also needs to accept the terms and subscribe to the AWS Marketplace product before using this CloudFormation template.

    The following should also be present:

    • Key Pair

    • 3 unallocated EIPs

      • Primary Management

      • Client VIP

      • Secondary Management

    For more information on provisioning NetScaler ADC VPX instances on AWS, users can visit Provisioning NetScaler ADC VPX Instances on AWS

    Prerequisites

    Before attempting to create a VPX instance in AWS, users should ensure they have the following:

    • An AWS account to launch a NetScaler ADC VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC). Users can create an AWS account for free at www.aws.amazon.com.

    • An AWS Identity and Access Management (IAM) user account to securely control access to AWS services and resources for users.

    For more information about how to create an IAM user account, see Creating IAM Users (Console).

    An IAM role is mandatory for both standalone and high availability deployments.

    The IAM role must have the following privileges:

    • ec2:DescribeInstances

    • ec2:DescribeNetworkInterfaces

    • ec2:DetachNetworkInterface

    • ec2:AttachNetworkInterface

    • ec2:StartInstances

    • ec2:StopInstances

    • ec2:RebootInstances

    • ec2:DescribeAddresses

    • ec2:AssociateAddress

    • ec2:DisassociateAddress

    • autoscaling:*

    • sns:*

    • sqs:*

    • iam:SimulatePrincipalPolicy

    • iam:GetRole

    If the Citrix CloudFormation template is used, the IAM role is automatically created. The template does not allow selecting an already created IAM role.
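The privilege list above maps directly onto an IAM policy document. The following Python script is an added example and is not the policy created by the Citrix CloudFormation template; build_policy, missing_actions and wildcard_grants are constructed names. It builds a policy granting exactly the listed actions, checks any policy document for the actions this guide requires (honouring IAM's * wildcards), and lists the service-wide wildcards (autoscaling:*, sns:*, sqs:*) so they can be reviewed against what the deployment actually uses.

```python
import fnmatch
import json

# The privileges the guide lists for the VPX IAM role, as IAM action strings.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
    "ec2:DetachNetworkInterface", "ec2:AttachNetworkInterface",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
    "ec2:DescribeAddresses", "ec2:AssociateAddress", "ec2:DisassociateAddress",
    "autoscaling:*", "sns:*", "sqs:*",
    "iam:SimulatePrincipalPolicy", "iam:GetRole",
]


def build_policy(actions=REQUIRED_ACTIONS, resource="*"):
    """Return an IAM policy document (a dict ready for json.dumps) allowing exactly `actions`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}],
    }


def _allowed_actions(policy):
    """Flatten the Action fields of every Allow statement (Action may be a string or a list)."""
    allowed = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        allowed.extend([action] if isinstance(action, str) else action)
    return allowed


def _grants(pattern, needed):
    """IAM action matching: case-insensitive, with * and ? wildcards in the granted pattern."""
    return fnmatch.fnmatchcase(needed.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement of `policy` covers.

    A required service-wide wildcard such as autoscaling:* is only satisfied by an
    equally broad grant (autoscaling:* or *), not by individual autoscaling actions.
    Deny statements and conditions are ignored: this is a quick pre-check, not an
    authorization simulation (iam:SimulatePrincipalPolicy does that on the AWS side).
    """
    allowed = _allowed_actions(policy)
    return [need for need in required if not any(_grants(a, need) for a in allowed)]


def wildcard_grants(policy):
    """Service-wide or global wildcards in the policy, worth reviewing before granting."""
    return [a for a in _allowed_actions(policy) if a == "*" or a.endswith(":*")]


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    print("wildcards:", wildcard_grants(build_policy()))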

    Note:

    When users log on to the VPX instance through the GUI, a prompt to configure the required privileges for the IAM role appears. Ignore the prompt if the privileges have already been configured.

    For more information, see What Is the AWS Command Line Interface?

    Note:

    Users also need the AWS CLI to change the network interface type to SR-IOV.

    Limitations and Usage Guidelines

    The following limitations and usage guidelines apply when deploying a NetScaler ADC VPX instance on AWS:

    • Users should read the AWS terminology listed above before starting a new deployment.

    • The clustering feature is supported only when provisioned with Citrix ADM Auto Scale Groups.

    • For the high availability setup to work effectively, associate a dedicated NAT device to the management interface or associate an Elastic IP (EIP) to the NSIP.

    For more information on NAT, in the AWS documentation, see NAT Instances

    • Data traffic and management traffic must be segregated with ENIs belonging to different subnets.

    • Only the NSIP address must be present on the management ENI.

    • If a NAT instance is used for security instead of assigning an EIP to the NSIP, appropriate VPC level routing changes are required.

    For instructions on making VPC level routing changes, in the AWS documentation, see Scenario 2: VPC with Public and Private Subnets.

    • A VPX instance can be moved from one EC2 instance type to another (for example, from m3.large to an m3.xlarge).

    For more information, visit Limitations and Usage Guidelines

    • For storage media for VPX on AWS, Citrix recommends EBS, because it is durable and the data remains available even after the volume is detached from the instance.

    • Dynamic addition of ENIs to VPX is not supported. Restart the VPX instance to apply the update. Citrix recommends that users stop the standalone or HA instance, attach the new ENI, and then restart the instance. The primary ENI cannot be changed or attached to a different subnet once it is deployed. Secondary ENIs can be detached and changed as needed while the VPX is stopped.

    • Users can assign multiple IP addresses to an ENI. The maximum number of IP addresses per ENI is determined by the EC2 instance type.

    See the section “IP Addresses Per Network Interface Per Instance Type” in Elastic Network Interfaces.

    • Users must allocate the IP addresses in AWS before they assign them to ENIs.

    For more information, see Elastic Network Interfaces.

    • Citrix recommends that users avoid using the enable and disable interface commands on NetScaler ADC VPX interfaces.

    • The NetScaler ADC set ha node <NODE_ID> -haStatus STAYPRIMARY and set ha node <NODE_ID> -haStatus STAYSECONDARY commands are disabled by default.

    • IPv6 is not supported for VPX.

    • Due to AWS limitations, these features are not supported:

      • Gratuitous ARP(GARP)

      • L2 mode (bridging). Transparent vServers are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP.

      • Tagged VLAN

      • Dynamic Routing

      • Virtual MAC

    • For RNAT, routing, and Transparent vServers to work, ensure Source/Destination Check is disabled for all ENIs in the data path.

    For more information, see “Changing the Source/Destination Checking” in Elastic Network Interfaces
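An added example (not Citrix code and not part of this guide) that audits the ENIs attached to a VPX instance against three of the rules above: only the NSIP on the management ENI, data and management ENIs in different subnets, and Source/Destination Check disabled on every data-path ENI. It assumes the management ENI is the one at device index 0 (the primary ENI); pass a different `mgmt_device_index` if your layout differs. `FakeEC2` holds constructed sample interfaces so the script runs offline; with boto3 installed, `boto3.client("ec2")` can be passed in its place because only `describe_network_interfaces` and `modify_network_interface_attribute` are used, with their real argument and response shapes.

```python
"""Audit the ENIs of a VPX instance against the guide's data-path rules.

Added example for this guide, not Citrix code. Assumes the management ENI is
at device index 0. FakeEC2 holds constructed sample data so the script runs
offline; a real boto3 EC2 client can be passed instead.
"""


def audit_vpx_enis(ec2, instance_id, mgmt_device_index=0):
    """Return (eni_id, message) findings for the ENIs attached to instance_id.

    Rules checked: only the NSIP lives on the management ENI, data ENIs use a
    subnet other than the management subnet, and every data-path ENI has
    Source/Destination Check disabled.
    """
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
    )
    enis = sorted(resp["NetworkInterfaces"],
                  key=lambda e: e["Attachment"]["DeviceIndex"])
    mgmt = [e for e in enis if e["Attachment"]["DeviceIndex"] == mgmt_device_index]
    if not mgmt:
        return [(instance_id, f"no ENI attached at device index {mgmt_device_index}")]
    mgmt = mgmt[0]

    findings = []
    if len(mgmt["PrivateIpAddresses"]) != 1:
        findings.append((mgmt["NetworkInterfaceId"],
                         "management ENI carries more than one address; "
                         "only the NSIP should be present"))
    for eni in enis:
        if eni is mgmt:
            continue
        eid = eni["NetworkInterfaceId"]
        if eni["SubnetId"] == mgmt["SubnetId"]:
            findings.append((eid, "data ENI shares the management subnet; "
                                  "data and management traffic must be segregated"))
        if eni["SourceDestCheck"]:
            findings.append((eid, "Source/Destination Check is enabled; disable it "
                                  "for RNAT, routing and transparent vServers"))
    return findings


def disable_source_dest_check(ec2, eni_id):
    """Remediation for the Source/Destination Check finding (real EC2 API call shape)."""
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False}
    )


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client holding constructed sample ENIs."""

    def __init__(self):
        # Constructed sample data, not from a real account: the management ENI
        # carries a second address, the client ENI still has the check enabled,
        # and the server ENI was placed in the management subnet.
        self.enis = [
            {"NetworkInterfaceId": "eni-mgmt0001", "SubnetId": "subnet-mgmt",
             "SourceDestCheck": True,
             "Attachment": {"InstanceId": "i-vpx0001", "DeviceIndex": 0},
             "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True},
                                    {"PrivateIpAddress": "10.0.1.11", "Primary": False}]},
            {"NetworkInterfaceId": "eni-client0002", "SubnetId": "subnet-client",
             "SourceDestCheck": True,
             "Attachment": {"InstanceId": "i-vpx0001", "DeviceIndex": 1},
             "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.10", "Primary": True}]},
            {"NetworkInterfaceId": "eni-server0003", "SubnetId": "subnet-mgmt",
             "SourceDestCheck": False,
             "Attachment": {"InstanceId": "i-vpx0001", "DeviceIndex": 2},
             "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.20", "Primary": True}]},
        ]

    def describe_network_interfaces(self, Filters):
        wanted = Filters[0]["Values"]
        return {"NetworkInterfaces": [e for e in self.enis
                                      if e["Attachment"]["InstanceId"] in wanted]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, SourceDestCheck):
        for e in self.enis:
            if e["NetworkInterfaceId"] == NetworkInterfaceId:
                e["SourceDestCheck"] = SourceDestCheck["Value"]


if __name__ == "__main__":
    ec2 = FakeEC2()
    for eni_id, msg in audit_vpx_enis(ec2, "i-vpx0001"):
        print(f"{eni_id}: {msg}")
```

The audit is read-only; `disable_source_dest_check` is kept separate so that the finding can be reviewed before anything is changed, and the subnet and NSIP findings are left to the operator because fixing them means detaching ENIs while the instance is stopped, as the guideline above on dynamic ENI changes requires.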

    • In a NetScaler ADC VPX deployment on AWS, in some AWS regions, the AWS infrastructure might not be able to resolve AWS API calls. This happens if the API calls are issued through a non-management interface on the NetScaler ADC VPX instance. As a workaround, restrict the API calls to the management interface only. To do that, create an NSVLAN on the VPX instance and bind the management interface to the NSVLAN by using the appropriate command. For example:

      • set ns config -nsvlan <vlan id> -ifnum 1/1 -tagged NO

      • save config

      Restart the VPX instance at the prompt.

    For more information about configuring NSVLAN, see Configuring NSVLAN.

    • In the AWS console, the vCPU usage shown for a VPX instance under the Monitoring tab might be high (up to 100 percent), even when the actual usage is much lower. To see the actual vCPU usage, navigate to View all CloudWatch metrics.

    For more information, see Monitor your Instances using Amazon CloudWatch

    • Alternately, if low latency and performance are not a concern, users may enable the CPU Yield feature allowing the packet engines to idle when there is no traffic.

    For more details about the CPU Yield feature and how to enable it, visit Citrix Support Knowledge Center.

    AWS-VPX Support

    Supported VPX Models on AWS

    • NetScaler ADC VPX Standard/Enterprise/Platinum Edition - 200 Mbps
    • NetScaler ADC VPX Standard/Enterprise/Platinum Edition - 1000 Mbps
    • NetScaler ADC VPX Standard/Enterprise/Platinum Edition - 3 Gbps
    • NetScaler ADC VPX Standard/Enterprise/Platinum Edition - 5 Gbps
    • NetScaler ADC VPX Standard/Advanced/Premium - 10 Mbps
    • NetScaler ADC VPX Express - 20 Mbps
    • NetScaler ADC VPX - Customer Licensed

    Supported AWS Regions

    • US West (Oregon) Region
    • US West (N. California) Region
    • US East (Ohio) Region
    • US East (N. Virginia) Region
    • Asia Pacific (Seoul) Region
    • Canada (Central) Region
    • Asia Pacific (Singapore) Region
    • Asia Pacific (Sydney) Region
    • Asia Pacific (Tokyo) Region
    • Asia Pacific (Hong Kong) Region
    • China (Beijing) Region
    • China (Ningxia) Region
    • EU (Frankfurt) Region
    • EU (Ireland) Region
    • EU (London) Region
    • EU (Paris) Region
    • South America (São Paulo) Region
    • AWS GovCloud (US-East) Region

    Supported AWS Instance Types

    • m3.large, m3.xlarge, m3.2xlarge
    • c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge
    • m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge
    • m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge
    • c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge, c5.24xlarge
    • c5n.large, c5n.xlarge, c5n.2xlarge, c5n.4xlarge, c5n.9xlarge, c5n.18xlarge

    Supported AWS Services

    • EC2
    • Lambda
    • S3
    • VPC
    • Route 53
    • ELB
    • CloudWatch
    • AWS Auto Scaling
    • CloudFormation
    • Simple Queue Service (SQS)
    • Simple Notification Service (SNS)
    • Identity & Access Management (IAM)

    For higher bandwidth, Citrix recommends the following instance types:

    Instance Type              Bandwidth            Enhanced Networking (SR-IOV)
    M4.10xlarge                3 Gbps and 5 Gbps    Yes
    C4.8xlarge                 3 Gbps and 5 Gbps    Yes
    C5.18xlarge/M5.18xlarge    25 Gbps              ENA
    C5n.18xlarge               30 Gbps              ENA

    To remain updated about the current supported VPX models and AWS regions, instance types, and services, visit VPX-AWS support matrix.
