

    Richard Faulkner

    NetScaler ADC and Amazon Web Services Validated Reference Design Part 4

    September 21, 2022

    Author:  Luis Ugarte, Beth Pollack, Dave Potter

    Continued from Part 3

    Step 3: Launch an instance into your VPC

    When you launch an EC2 instance into a VPC, you must specify the subnet in which to launch the instance. In this case, you’ll launch an instance into the public subnet of the VPC you created. You’ll use the Amazon EC2 launch wizard in the Amazon EC2 console to launch your instance.

    The following diagram represents the architecture of your VPC after you’ve completed this step.

    netscaler-and-amazon-aws-07

    To launch an EC2 instance into a VPC

    1. Open the Amazon EC2 console.
    2. In the navigation bar, on the top-right, ensure that you select the same region in which you created your VPC and security group.
    3. From the dashboard, choose Launch Instance.
    4. On the first page of the wizard, choose the AMI that you want to use. For this exercise, we recommend that you choose an Amazon Linux AMI or a Windows AMI.
    5. On the Choose an Instance Type page, you can select the hardware configuration and size of the instance to launch. By default, the wizard selects the first available instance type based on the AMI you selected. You can leave the default selection, and then choose Next: Configure Instance Details.
    6. On the Configure Instance Details page, select the VPC that you created from the Network list, and the subnet from the Subnet list. Leave the rest of the default settings, and go through the next pages of the wizard until you get to the Tag Instance page.
    7. On the Tag Instance page, you can tag your instance with a Name tag; for example, Name=MyWebServer. This helps you to identify your instance in the Amazon EC2 console after you’ve launched it. Choose Next: Configure Security Group when you are done.
    8. On the Configure Security Group page, the wizard automatically defines the launch-wizard-x security group to allow you to connect to your instance. Instead, choose the Select an existing security group option, select the WebServerSG group that you created previously, and then choose Review and Launch.
    9. On the Review Instance Launch page, check the details of your instance, and then choose Launch.
    10. In the Select an existing key pair or create a new key pair dialog box, you can choose an existing key pair, or create a new one. If you create a new key pair, ensure that you download the file and store it in a secure location. You’ll need the contents of the private key to connect to your instance after it’s launched. To launch your instance, select the acknowledgment check box, and then choose Launch Instances.
    11. On the confirmation page, choose View Instances to view your instance on the Instances page. Select your instance, and view its details in the Description tab. The Private IPs’ field displays the private IP address that’s assigned to your instance from the range of IP addresses in your subnet.

    Step 4: Assign an elastic IP address to your instance

    In the previous step, you launched your instance into a public subnet - a subnet that has a route to an Internet gateway. However, the instance in your subnet also needs a public IP address to be able to communicate with the Internet. By default, an instance in a nondefault VPC is not assigned a public IP address. In this step, you’ll allocate an Elastic IP address to your account, and then associate it with your instance. For more information about Elastic IP addresses, see Elastic IP Addresses.

    The following diagram represents the architecture of your VPC after you’ve completed this step.

    netscaler-and-amazon-aws-08

    To allocate and assign an Elastic IP address

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
    2. In the navigation pane, choose Elastic IPs.
    3. Choose Allocate New Address, and then Yes, Allocate.

       Note: If your account supports EC2-Classic, first select EC2-VPC from the Network platform list.

    4. Select the Elastic IP address from the list, choose Actions, and then choose Associate Address.
    5. In the dialog box, choose Instance from the Associate with list, and then select your instance from the Instance list. Choose Yes, Associate when you’re done.

    Your instance is now accessible from the Internet. You can connect to your instance through its Elastic IP address using SSH or Remote Desktop from your home network. For more information about how to connect to a Linux instance, see Connecting to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances. For more information about how to connect to a Windows instance, see Connect to Your Windows Instance Using RDP in the Amazon EC2 User Guide for Windows Instances.

    This completes the exercise; you can choose to continue using your instance in your VPC, or if you do not need the instance, you can terminate it and release its Elastic IP address to avoid incurring charges for them. You can also delete your VPC — note that you are not charged for the VPC and VPC components created in this exercise (such as the subnets and route tables).
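Before associating the Elastic IP, it is worth confirming that the WebServerSG group does not expose the SSH or RDP ports the procedure uses to the whole Internet. The following Python check is an added example, not part of the original page; the group's rules are a constructed sample in the shape of `aws ec2 describe-security-groups` output.

```python
"""Audit an EC2 security group before exposing an instance through an Elastic IP.
Added example; WEBSERVER_SG is a constructed sample (hypothetical rules) in the
shape of `aws ec2 describe-security-groups` output, not the page's own data."""
import ipaddress

# Ports the procedure uses to reach the instance once it has an Elastic IP.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample: SSH left open to the world, RDP limited to a hypothetical home prefix.
WEBSERVER_SG = {"GroupName": "WebServerSG", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]}


def _port_covered(rule, port):
    """True if an ingress rule admits traffic to TCP `port` (protocol -1 means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_world_open_management(sg):
    """Return [(port, label, cidr)] for management ports reachable from any source address."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for port, label in MANAGEMENT_PORTS.items():
            if not _port_covered(rule, port):
                continue
            for cidr in cidrs:
                # A /0 prefix (0.0.0.0/0 or ::/0) means the whole Internet.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((port, label, cidr))
    return findings


if __name__ == "__main__":
    for port, label, cidr in find_world_open_management(WEBSERVER_SG):
        print(f"{WEBSERVER_SG['GroupName']}: {label} ({port}/tcp) open to {cidr}")
```

The same function runs unchanged over the real JSON of your own group if you load it from the CLI output.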

     


    Configure Unified Gateway for Citrix Virtual Apps and Desktops

    Navigate to the admin console of your NetScaler ADC.

    Log into the NetScaler ADC using nsroot and the Instance ID that AWS assigned during the build process.

    Install SSL Certificate:

    1. Navigate to Traffic Management – SSL. Right-click and enable this feature.
    2. Import the SSL certificate and key pair.

    Create the Citrix Gateway virtual server:

    1. Expand Citrix Gateway and select Virtual Servers.
    2. Click Add. Enter a name for the gateway and an IP address in the Public Subnet you assigned during the NetScaler ADC build process.

       NOTE: Write down this IP address, as you need it when allocating the Elastic IP addresses later on.

    3. Click OK, then click No Server Certificate, and select the certificate you imported earlier. Click Bind.
    4. Click OK and Done, and at this stage you should have a Citrix Gateway shown in an “Up” state.

    To configure the Unified Gateway, see https://support.citrix.com/article/CTX205485/how-do-i-configure-unified-gateway-for-common-enterprise-applications.

    Provide external access to the Unified Gateway Instance:

    1. Log in to your AWS Portal at aws.amazon.com and navigate to your instances.
    2. Right-click your NetScaler ADC, select Networking and then Manage Private IP Addresses.

       

      netscaler-and-amazon-aws-09

       

    3. Click Assign New IP on the interface you want to run the NetScaler ADC Gateway on.
    4. Assign the IP address, making sure you use the SAME address that you assigned to your NetScaler ADC Gateway.

       

      netscaler-and-amazon-aws-10

       

    5. Click Yes, Update. This assigns the new IP address to the instance at the AWS level. You can now assign a new Elastic IP to this private IP.
    6. Navigate to Network and Security and then Elastic IPs.
    7. Click Allocate New Address; when prompted, select Yes to get a new IP address.

       

      netscaler-and-amazon-aws-11

       

    8. Select the address from the list and select Associate Address.

       

      netscaler-and-amazon-aws-12

       

    9. Select the NetScaler ADC instance you built previously from the Instance list. Once it is selected, you can choose the IP address you statically assigned to the instance (the same address as your Citrix Gateway); then select Associate.

       

      netscaler-and-amazon-aws-13

       

    10. Point your DNS name record to the Elastic IP address Amazon assigned you.
    11. Log into your Citrix Gateway.

     


    High availability load balancing for StoreFront

    Please see Citrix configuration steps.

     

    Configure GSLB in two AWS locations

    Setting up GSLB for NetScaler ADC on AWS largely consists of configuring the NetScaler ADC to load balance traffic to servers located outside the VPC that the NetScaler ADC belongs to, such as servers in another VPC in a different AWS region or in an on-premises data center.

    netscaler-and-amazon-aws-14

     


    Domain-Name based services (GSLB DBS) with Cloud load balancers

    GSLB and DBS overview

    NetScaler ADC GSLB support using DBS (Domain Based Services) for cloud load balancers allows the autodiscovery of dynamic cloud services that sit behind a cloud load balancer. This configuration allows the NetScaler ADC to implement Global Server Load Balancing Domain-Name Based Services (GSLB DBS) in an Active-Active environment. DBS allows back-end resources in AWS and Microsoft Azure environments to scale, with the members discovered through DNS.

    This section covers integrations between NetScaler ADC and the AWS and Azure Auto Scaling environments. The final section of the document details how to set up an HA pair of NetScaler ADCs that spans two different Availability Zones (AZs) within an AWS region.

    Prerequisites

    The prerequisites for the NetScaler ADC GSLB Service Groups include a functioning AWS / Microsoft Azure environment with the knowledge and ability to configure Security Groups, Linux Web Servers, NetScaler ADCs within AWS, Elastic IPs, and Elastic Load Balancers.

    GSLB DBS Service integration requires NetScaler ADC version 12.0.57 for AWS ELB and Microsoft Azure ALB load balancer instances.

    NetScaler ADC GSLB Service Group feature enhancements

    GSLB Service Group entity: NetScaler ADC version 12.0.57

    The GSLB Service Group entity is introduced; it supports autoscale using DBS dynamic discovery.

    DBS feature components (domain-based services) are bound to the GSLB service group.

    Example:

    > add server sydney_server LB-Sydney-xxxxxxxxxx.ap-southeast-2.elb.amazonaws.com
    > add gslb serviceGroup sydney_sg HTTP -autoScale DNS -siteName sydney
    > bind gslb serviceGroup sydney_sg sydney_server 80

     

    Domain-name based services – AWS ELB

    GSLB DBS uses the FQDN of your Elastic Load Balancer to dynamically update the GSLB Service Groups to include the back-end servers that are being created and deleted within AWS. The back-end servers or instances in AWS can be configured to scale based on network demand or CPU utilization. To configure this feature, we point the NetScaler ADC at our Elastic Load Balancer so that it dynamically routes to different servers in AWS without the NetScaler ADC having to be updated manually every time an instance is created or deleted. The NetScaler ADC DBS feature for GSLB Service Groups uses DNS-aware service discovery to determine the member service resources of the DBS namespace identified in the AutoScaler group.
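As an added illustration (not NetScaler code), the following Python models what the -autoScale DNS setting in the sydney_sg example above does for the service group: it follows the addresses the ELB FQDN resolves to, and it keeps the last known members when a poll returns nothing. The FQDN and the DNS answers are constructed.

```python
"""Model of the membership tracking behind `-autoScale DNS` on a GSLB service group.
Added example, not NetScaler code; the ELB name and the DNS answers below are
constructed so the script runs offline."""
import ipaddress

ELB_FQDN = "lb-sydney-example.ap-southeast-2.elb.amazonaws.com"  # constructed name


class DbsServiceGroup:
    """Member IPs discovered for one domain-based GSLB service group."""

    def __init__(self, name, fqdn, port=80):
        self.name, self.fqdn, self.port = name, fqdn, port
        self.members = set()

    def update(self, answers):
        """Apply one DNS poll; return (added, removed) as sorted lists.
        An empty answer (resolver failure, NXDOMAIN) leaves membership unchanged:
        draining the whole group on a DNS hiccup is the failure mode to avoid."""
        fresh = set()
        for a in answers:
            try:
                fresh.add(str(ipaddress.ip_address(a)))
            except ValueError:
                continue  # ELB names resolve to address records; skip anything else
        if not fresh:
            return [], []
        added, removed = fresh - self.members, self.members - fresh
        self.members = fresh
        return sorted(added), sorted(removed)


# Constructed poll sequence: scale-out adds a node, one poll fails, then a node retires.
SAMPLE_POLLS = [
    ["10.20.1.10", "10.20.2.10"],
    ["10.20.1.10", "10.20.2.10", "10.20.3.10"],
    [],
    ["10.20.2.10", "10.20.3.10"],
]


def run_sample():
    """Replay the constructed polls and return the per-poll (added, removed) lists."""
    sg = DbsServiceGroup("sydney_sg", ELB_FQDN)
    return [sg.update(p) for p in SAMPLE_POLLS]
```

Feeding the class from a real resolver (for example socket.getaddrinfo on the ELB name) gives the same add/remove log you would expect to see on the ADC as instances come and go.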

    Diagram:

    NetScaler ADC GSLB DBS AutoScale components with Cloud Load Balancers

    netscaler-and-amazon-aws-15

     


    Continued on Part 5
