GSLB with CADS service Multi-Site Application Delivery

CADS Service is a SaaS from Citrix, that radically simplifies application delivery and security and accelerates IT modernization by bringing intent-based configuration, automated self-healing and internet awareness to hybrid multi-cloud deployments (more info).

CADS service will improve and simplify your secure app delivery and ensure compliance by deploying and configuring infrastructure in your public cloud data center in line with your business intent. CADS also provides Internet state awareness with billions of real users’ measurements a day, from every corner of the internet. It monitors internet traffic issues in real time and automatically steers your user traffic to an optimal site. Whether you host your applications and content on premises, in the cloud or in content delivery networks (CDNs), CADS service allows you to globally load balance all traffic, dynamically optimizing the user experience and lowering service costs. Real user monitoring (RUM) gives a direct understanding of how internet performance impacts customer satisfaction and engagement. CADS service gathers RUM data from clients as they access applications across clouds, data centers, and CDNs, and builds a holistic picture of internet health.

Use-Case:

Resilient delivery of applications for globally-distributed  publicly deployed application workloads in hybrid data centres.

Architecture:

With the Citrix Managed multi-site application feature, you can configure Global Server Load Balancing (GSLB) to deliver applications from multiple cloud environments for high availability and reliability. GSLB enables fast site failover, disaster recovery and improved user experience.

When an application is deployed across multiple sites, requests can be intelligently distributed across all of an organization’s data centers. Once an application is configured as multi-site, CADS services will monitor the health and availability of each site. The latency from users across the globe to each PoP is measured using real user measurements (RUM) in near real-time. For more details click here.  Figure 1 shows a multi-site set up where both a Citrix-Managed deployment of CADS service and independent sites are configured into CADS service. This can improve the experience for each individual user as they access the application from across the globe. When an application is configured as a multi-site application on CADS Service, client requests are routed to the optimal data center for each individual user. This minimizes network latency and improves user experience by accelerating application response time. For more information click here.

Figure 1: Architecture for CADS and ITM integration for global application delivery

Pre-Requisites

Before you deliver a multi-site application, you must complete the following preliminary steps: 

• Create a Citrix cloud account profile.
• Ensure your application environment is publicly addressable with an IP or FDQN. If you want Citrix Managed Service for your application delivery as shown in Figure 2, see Deliver an application.

Steps to deploy a CADS service managed Application as your GSLB site

1. Your Citrix manged application will be available in the CADS service user interface (UI) under Applications. The following example shows two Citrix Managed deployments with applications in the Virginia-Prod-Site and the EU-Prod-Env in the AWS North Virginia and Ireland regions respectively. 

Figure 2: Existing applications on your Citrix Managed Datacenter

2. You need to configure your Multi-Site application by clicking on New Multi-Site Application. There are three steps to configure your Multi-Site Application delivery.
   1. Specify the name “GlobalApp”, you can choose the application FQDN type as “User Defined” for Route53 Hosted Zones or CADS service will generate an FQDN if the “Auto-allocated” option is selected (#.itm.appdeliverysecurity.com). You can also specify the DNS time to live as show in Figure 3.

Figure 3: Create new multi-site application

1. 2. Specify the Site details. In this example, as shown in Figure 4, we will add the two managed Sites that are shown in Step 1

Figure 4: Create site1 from available Citrix Managed site

Select Managed, specify the Site name “Site1”. Select the Application “Virginia-Prod-Site” and the Endpoint. The FQDN, the Location and Monitor details are auto-populated. You may, optionally, select Geo Fencing to ensure users from a particular region access a particular site (North American users will be sent to Virginia in this example) as shown in Figure 5.

Figure 5: Geo fencing settings

Add the Second Site, “Site2” for the Application “EU-Prod-Env” and endpoint and Add Site as shown in Figure 6

Figure 6: Add Site2

Now the Citrix Managed Sites are added as shown in Figure 7.

Note: Here we have added Citrix-managed sites. If you would like to add sites which are user defined or self manged, refer to Appendix 4.a

Figure 7: Site and location details added for Site1 and Site2

1. 3. Select the GSLB Algorithm and Stickiness settings as shown in Figure 8. CADS Service supports three Algorithms – “Failover”, “Round Robin” and “Optimal RTT”. In this example deployment Optimal RTT is used. For detailed steps refer to this document.

Figure 8 : GSLB method and stickiness configuration for the GSLB sites

Once the deployment is successful as shown in Figure 9, Click “Manage Multi-Site Applications” to see the FQDN generated for the APP as shown in Figure 10.

Figure 9:  Deploying Multi-site application on CADS service

Figure 10:  Multi-site application details

If you selected Route53 the autogenerated FQDN is automatically mapped to a friendly FQDN name, otherwise, you can Map your multi-site application FQDN to “0014.16ed2.itm.appdeliverysecurity.cloud.com” in your DNS provider (CNAME entry).

1. 4. Now you can test the application traffic routing in dnscheker.org, From the diagram it can be seen that all North America users are routed to North Virginia Site with IP 34.231.174.213 as shown in Figure 11.

Figure 11:  DNS checker results for the multi-site application

1. 5. Analytics for your multi-site application

Figure 12: Site health information for selected duration

The GlobalApp’s status is shown in Figure 12. There are legends which describe the site status. Namely, Health, Unhealthy (When all sites are down), Degraded (when some of the sites are down), Maintenance, Not Deployed.  Figure 13 shows the max and average user request rate for your Multi-Site Application.

Figure 13:  Application user’s request rate

Geo based access data is show in Figure 14. Which displays the total number of application requests that are received by CADS service, Top 5 locations from where the user traffic is originating.

Figure 14:  Geo map showing the top five locations of users accessing the multi-site application

3. Conclusion

CADS Service provides a simplified way to configure an internet-aware, intelligent global server load balancing solution for a multi-cloud environment. In this example Geo Fencing has been used to ensure application traffic from users accessing from a particular location are steered to a specific site. With this, the overall user experience will be improved with the use of the Optimal RTT algorithm offered by CADS service. Since the users are always routed to an optimal performing site, this implicitly provides disaster recovery across all the configured sites.

4. Appendix
   1. Adding a non Citrix Managed Site

You can Select “User-Defined” and specify the IP Address (v4 or v6) or FQDN names where the application is deployed publicly. Note: In order to configure Optimal RTT as the GSLB Algorithm, you need to enable “Configure Radar” in - Refer to section 4.2.

1. 2. Enable “Configure Radar” Option for the Site by specifying the path to the r20.gif on your server and location of the Site. If you do not have the radar tags configured, you can host it on an Apache server (Step 4.3)

1. 3. Steps to deploy our Radar Objects on a host with Apache2

Note: The instructions were tested against Ubuntu20, but the Radar Objects can be served by any modern operating system and webserver.

1. 1. 1. Install required packages

sudo apt-get install apache2 git

1. 1. 2. Create the Apache2 directory and populate it

sudo mkdir -p /var/www/radar-objects

sudo git clone https://github.com/cedexis/testobjects /var/www/radar-objects/

1. 1. 3. Disable the default Apache2 VirtualHost

sudo rm /etc/apache2/sites-enabled/000-default.conf

1. 1. 4. Enable required Apache2 mods

sudo a2enmod headers

sudo a2enmod rewrite

sudo a2enmod ssl

sudo systemctl restart apache2

1. 1. 5. Add the Apache2 site configuration

cat > /etc/apache2/sites-available/radar-objects.conf << 'EOF'

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

DocumentRoot /var/www/radar-objects

Header add "Timing-Allow-Origin" "*"

RewriteEngine on

RedirectMatch 404 /\.git

<VirtualHost *:80>

    RewriteRule ^/img/(.*)/(.*)$ /img/$2 [L]

    RewriteRule ^/sm/(.*)/(.*)$ /sm/$2 [L]

</VirtualHost>

SSLStaplingCache shmcb:${APACHE_RUN_DIR}/logs/stapling_cache(128000)

SSLSessionCache shmcb:${APACHE_RUN_DIR}/logs/ssl_scache(512000)

<VirtualHost *:443>

SSLEngine On

SSLCertificateFile /etc/ssl/public.crt

SSLCertificateKeyFile /etc/ssl/private.key

SSLCACertificateFile /etc/ssl/ca-certs.pem

SSLProtocol -all +TLSv1.3 +TLSv1.2

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

SSLUseStapling On

SSLSessionCacheTimeout 300

    RewriteRule ^/img/(.*)/(.*)$ /img/$2 [L]

    RewriteRule ^/sm/(.*)/(.*)$ /sm/$2 [L]

</VirtualHost>

EOF

1. 1. 6. Enable the new Apache site and restart Apache2

sudo ln -s /etc/apache2/sites-available/radar-objects.conf /etc/apache2/sites-enabled/radar-objects.conf

sudo systemctl restart apache2

1. 1. 7. Verify that the Radar Objects are being served

curl https://<FQDN>/img/r20.gif