Jump to content
Welcome to our new Citrix community!

  • Deliver Apps in AWS using NetScaler

    Guest

    By Guest

      • Validation Status: Validated
      Summary: Step by Step guide to deploy and configure NetScaler in AWS and expose Apps to end user
      Has Video?: No
     Share
    NetScaler has multiple deployment solutions in AWS – standalone, HA (failover) within zone or across zones, Auto scale etc. In this article, we will be focusing on HA across zone within a AWS VPC which is active passive deployment and very popular among NetScaler users in AWS. Following is the high-level topology that we will be deploying in AWS:

    image.png.a1d09ea1b67511e1fe65d1887e93a5bd.png

    Above HA pair of NetScaler's can take care of failover for both publicly available external apps and internal private apps. NetScaler support AWS CloudFormation Templates for various deployments. In this tutorial, we will be using ha-3nic-across-az-pipeip.yaml template.
     

    Initial Setup
    Prior to using the above template, the following needs to be configured in your AWS infrastructure.

    1. Create a VPC
    2. 6 subnets – 3 subnets in each Availability Zone (AZ)
      1. Primary NetScaler subnets
        1. Management side subnet
        2. Client-side subnet
        3. Server-side subnet
      2. Secondary NetScaler subnets
        1. Management side subnets
        2. Client-side subnet
        3. Server-side subnet
    3. 3 unallocated Elastic IPs
      1. 1 each for NetScaler (Primary and Secondary) management access
      2. 1 for VIP
    4. EC2 keypair
    5. Subscribe for any of the NetScaler product offering from AWS Marketplace that you would like to deploy:
      2. Free VPX Express edition
    We will be using Customer Licensed for this tutorial

    Note: If you do not have a VPC already ready, we have a CFT for you to get started. It creates the necessary initial network infrastructure to get started.
    Click HERE to go to our GitHub repository. You will get the template which satisfies the above pre-requisites. Scroll down and click Launch Stack against the AWS region you wish to deploy.

    NetScaler Deployment
    Once the required pre-requisites are ready, let us start the actual deployment.
    1. Click here to go Citrix’s GitHub repository
    2. Scroll down for Quick Launch Links section and click on the Launch Stack corresponding to the AWS region where the VPC infrastructure is present.
    3. Fill in the values to AWS Infrastructure and NetScaler configurations in Parameters section. Some guidance on few parameters is here:
      1. Source address range to access NetScaler management interfaces via SSH, HTTP, HTTPS ports
        1. This is a CIDR range in the format x.x.x.x/x.
        2. If you wish to restrict login to NetScaler management interface only from your computer, give your PublicIP address. eg., If your Public IP address is 1.2.3.4, then provide 1.2.3.4/32 in the input parameter.
      2. Do you have any custom NetScaler AMI to be deployed?
        1. The CFT by default deploys “NetScaler Customer Licensed BYOL” image.
        2. However, if you wish to deploy other NetScaler images, you can give the AMI ID of the product here.
        3. You can find all the AMIs for a particular NetScaler product here.
      3. NetScaler instance type - m5.xlarge is the recommended one. Refer our NetScaler AWS  instance support guide for further info.
      4. PublicIP (EIP) be assigned to management interfaces?
        1. If you wish to login NetScaler via public IP, select “Yes”
        2. Note: If you select “No”, then you need to have a bastion-host in the VPC to access the NetScaler management interface.
        3. For this demo, we recommend having this as “Yes”
    4. Click Next on the Configure stack options page
    5. On the Review page, scroll down and acknowledge that CFT creates IAM role.
      1. image.png.dde3a1eebbfc99465291aeed634161ed.png
    6. Create Stack
      It takes only 3 minutes to deploy the CloudFormation stack
       
    Resources Deployed
    As part of the deployment, the below resources are deployed.
    1. Two NetScaler EC2 instances
      1. One for Primary NetScaler in one AZ
      2. One for Secondary NetScaler in another AZ. If Primary NetScaler goes down for any reason, Secondary NetScaler becomes active and handles client’s traffic for your apps.
      3. Two LB V Servers are pre-configured for you as part of CFT deployment for trying out HA:
        1. Internal_lb lbvserver – You can expose your internal apps via this lbvserver
        2. External_lb lbvserver – You can expose your external public facing apps via this lbvserver
    2. IAM Role with the below policy – This is required to handle failover scenarios
    image.png.b3799e9c461bd6e14db2523e14b49982.png
    1. Six Elastic Network Interfaces (ENIs)
      1. Two ENIs – for Primary and Secondary NetScaler management traffic
      2. Two ENIs – for Primary and Secondary NetScaler client traffic
      3. Two ENIs – for Primary and Secondary NetScaler backend-server traffic
    2. Three Security Groups
      1. For each of the above three kinds of network interfaces
      2. Primary and Secondary management traffic share same security group.
      3. Primary and secondary client traffic share same security group.
      4. Primary and secondary backend-server traffic share same security group.
    3. Three Elastic IP (Public IP)

      1. One for Primary NetScaler management access

      2. One for Secondary NetScaler management access

      3. One for Client traffic. You will expose your external apps via this Public IPs.
         

    Post Deployment - Deliver your apps via NetScaler

    1. Change user password:

      1. NetScaler asks the users to change the password at first login. The default username is nsroot. The default password is the Primary EC2 instance’s instance-id.

    2. Configure LB vservers for your internal and external apps :

    After deployment, you can login to Primary NetScaler via GUI or CLI. You can also find the NSIP, VIP and SNIPs. In the below screenshots:

    1. 192.168.10.10 is the internal lbvserver IP (VIP). You need to create a service to your internal facing apps and bind these services to this lbvserver.
    2. The other VIP (i.e., 10.0.2.204) is the external lbvserver IP (VIP). You need to create a service to your external facing apps and bind these services to this lbvserver.  The external lbvserver IP (10.0.2.204) will be associated to a Public IP in AWS. You can check that either via going to Outputs section of the CFT stack or EC2 instances. (screenshots below)

    GUI
    image.png.de93148f668934ecbf6764da84518899.png
    CLI
    image.png.91885e6794414cecc848366dcb5511ca.png
                           
    To find the public IP associated external lbvserver VIP (10.0.2.204),
    go to EC2 service à Instances à Select Primary NetScaler instance à Network Tab à scroll down to get network interface details.

    image.png.85ba8d94be340f8f08e4c7d8bee49544.png

    1. Setting up backend services and bind to above lbvservers by following the NetScaler commands here. Post the service configuration, Users can reach your public apps via AWS EIP and internal app via 192.168.10.10

    Validating the deployment

    To validate the deployment, we will trigger a failover signal from NetScaler and check if the Secondary NetScaler is taking Primary’s place and becomes new Primary.

    You can validate the deployment in below steps:

    1. Trigger failover signal (either through GUI or CLI)

      1. image.png.2d656cd04c1eeb54143d0de8e04415db.png

      2. image.png.185dec854fe0fad3d3311608ed9329e6.png

    2. CLI

      1. image.png.6c9dd82ae6ac49ccd2bc2d8a427aa7fc.png



    Upon a successful failover, the below changes will happen without any manual intervention and your apps will continue to be available via secondary NetScaler to end users.

    Before Failover

    After Failover

    There will be a Public IP (EIP) associated with Primary’s Client Network Interface

    The public IP (EIP) will be migrated to Secondary’s Client Network Interface

    We would have given a routing table ID during the CFT deployment.
    That routing table will have a route whose target is Primary’s Client Network Interface ID

    The route target will change to Secondary’s Client Network Interface ID.



    Related resources:

    1. NetScaler GitHub repo for this deployment
    2. High availability across different zones using Private IP
    3. High availability across different zones using Elastic IP
    4. FAQs on AWS HA

     Share
    Go to articles

    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

© Cloud Software Group, Inc. All rights reserved.

×
×
  • Create New...