

    Richard Faulkner
    • Validation Status: Validated
      Summary: NetScaler ADC and Amazon Web Services Validated Reference Design Part 5
      Has Video?: No

    NetScaler ADC and Amazon Web Services Validated Reference Design Part 5

    September 21, 2022

    Author:  Luis Ugarte, Beth Pollack, Dave Potter

    Continued from Part 4

    Use NetScaler ADC HA in AWS across multiple availability zones

    Deploying the NetScaler ADC in AWS across different availability zones is a new feature released for NetScaler ADC 12.1. This is done by attaching the NetScaler ADC to an Elastic Network Interface (ENI) and associating an elastic IP with it.

    (Figure: citrix-adc-ha-in-aws-01)

    This solution works slightly differently from the others described so far: it requires you to set up HA on the VPX pair together with an independent network configuration. It relies on a new capability, the IP set feature for the virtual server, to keep the VIP reachable across a failover.

    To get started, log into the NetScaler ADC and define a server-side network address, a client-side address, and the routing to both.

    (Figure: citrix-adc-ha-in-aws-03)

    In the AWS console, the first VPX has been set up with an elastic IP.

    (Figure: citrix-adc-ha-in-aws-04)

    In the elastic network interface view, the first thing needed to make the solution work is to associate that elastic IP with the existing private address on the interface.

    (Figure: citrix-adc-ha-in-aws-06)

    (Figure: citrix-adc-ha-in-aws-07)

    Once that association is made, you are ready to perform the failover.

    (Figure: citrix-adc-ha-in-aws-08)

    At the bottom of the page, a second elastic IP should now appear on the VPX.

    (Figure: citrix-adc-ha-in-aws-09)

    Go to the VPX, initiate a failover, and return to the AWS console. This time, looking at the elastic IPs that belong to the first NetScaler ADC, notice that the new EIP is no longer there: it has been moved to the second NetScaler ADC.

    (Figure: citrix-adc-ha-in-aws-11)

    (Figure: citrix-adc-ha-in-aws-12)

    To verify this, run the show node command on both the first and the second NetScaler ADC: the second NetScaler ADC, which was previously in the Standby state, is now in the Primary state.

    (Figure: citrix-adc-ha-in-aws-13.1)

    Now you can look at the real-time traffic flow.

    (Figure: citrix-adc-ha-in-aws-14)

    Send a request to the VIP after the failover. If you run stat on the LB virtual server of the NetScaler ADC that was originally active, notice that no requests have hit it. If you run the same command on the previously standby, now active NetScaler ADC, you can see a virtual server hit there, showing that after the HA transition the traffic went to the new NetScaler ADC.

    (Figure: citrix-adc-ha-in-aws-15)

    If you want to debug or check the current status, drop to the shell and look at the log records that show when the HA failover happened and when the AWS configuration or API call was made to move all the EIPs from the primary NetScaler ADC to the secondary.

    (Figure: citrix-adc-ha-in-aws-16)
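    The failover check described above (EIP moved from the first NetScaler ADC to the second, nothing else moved) can be automated against two snapshots of the elastic IP table. The following is an added example and is not code from the article or from Citrix: it compares two dictionaries in the shape returned by the aws ec2 describe-addresses command, one captured before the failover and one after. The instance IDs, interface IDs and addresses are constructed placeholders, and the BEFORE and AFTER snapshots are constructed sample data rather than output from the deployment shown in the screenshots.

```python
"""Check that an HA failover moved the VIP elastic IPs from the primary
VPX to the secondary, using two snapshots in the shape of the
`aws ec2 describe-addresses` output: one taken before the failover and
one after. Every ID and address below is a constructed placeholder."""

from typing import Dict, List, Sequence, Tuple

PRIMARY = "i-0primary"        # placeholder instance ID of the VPX that was primary
SECONDARY = "i-0secondary"    # placeholder instance ID of the VPX that took over
VIP_EIPS = ["203.0.113.10"]   # placeholder elastic IP fronting the LB virtual server

# Constructed snapshot taken before the failover: both EIPs sit on the primary.
BEFORE = {
    "Addresses": [
        {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa",
         "AssociationId": "eipassoc-0aaa", "InstanceId": PRIMARY,
         "NetworkInterfaceId": "eni-0primary", "PrivateIpAddress": "10.0.1.50",
         "Domain": "vpc"},
        {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb",
         "AssociationId": "eipassoc-0bbb", "InstanceId": PRIMARY,
         "NetworkInterfaceId": "eni-0primary", "PrivateIpAddress": "10.0.1.10",
         "Domain": "vpc"},
    ]
}

# Constructed snapshot taken after the failover: the VIP's EIP now points at
# the private address on the secondary's interface; the other EIP is unchanged.
AFTER = {
    "Addresses": [
        {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa",
         "AssociationId": "eipassoc-0ccc", "InstanceId": SECONDARY,
         "NetworkInterfaceId": "eni-0secondary", "PrivateIpAddress": "10.0.2.50",
         "Domain": "vpc"},
        {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb",
         "AssociationId": "eipassoc-0bbb", "InstanceId": PRIMARY,
         "NetworkInterfaceId": "eni-0primary", "PrivateIpAddress": "10.0.1.10",
         "Domain": "vpc"},
    ]
}


def eip_owners(snapshot: dict) -> Dict[str, Tuple[str, str]]:
    """Map each elastic IP to (InstanceId, PrivateIpAddress); an EIP that is
    allocated but not associated maps to ("", "")."""
    return {
        addr["PublicIp"]: (addr.get("InstanceId", ""), addr.get("PrivateIpAddress", ""))
        for addr in snapshot.get("Addresses", [])
    }


def failover_findings(before: dict, after: dict, vip_eips: Sequence[str],
                      primary: str, secondary: str) -> List[str]:
    """Return a list of problems; an empty list means every VIP EIP left the
    old primary, landed on the new primary, and no other address moved."""
    b, a = eip_owners(before), eip_owners(after)
    findings: List[str] = []
    for eip in vip_eips:
        if eip not in b or eip not in a:
            findings.append(f"{eip}: missing from a snapshot")
            continue
        if b[eip][0] != primary:
            findings.append(f"{eip}: was on {b[eip][0] or 'nothing'} before failover, expected {primary}")
        if a[eip][0] != secondary:
            findings.append(f"{eip}: is on {a[eip][0] or 'nothing'} after failover, expected {secondary}")
    # Addresses that are not VIPs (a management address, for example) must stay put.
    for eip in sorted(set(b) - set(vip_eips)):
        if eip in a and a[eip] != b[eip]:
            findings.append(f"{eip}: non-VIP address moved from {b[eip]} to {a[eip]}")
    return findings


if __name__ == "__main__":
    problems = failover_findings(BEFORE, AFTER, VIP_EIPS, PRIMARY, SECONDARY)
    print("failover verified" if not problems else "\n".join(problems))
```

    In practice you would feed the two snapshots from the CLI output rather than inline literals; the point of checking the non-VIP addresses as well is that a failover script with overly broad permissions or a wrong IP set can move more than it should, and that is easy to miss when you only look for the VIP on the new primary.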


    Configure AWS components

    Security groups

    Note:

    The recommendation is to create separate security groups for the ELB, the NetScaler ADC GSLB instance, and the Linux instance, because each of these needs a different set of rules. For brevity, this example uses a single consolidated security group.

    See Security Groups for Your VPC to ensure the proper configuration of the virtual firewall.

    Step 1:

    Log in to your AWS resource group and navigate to EC2. Within EC2 navigate to NETWORK & SECURITY > Security Groups.

    (Figure: netscaler-and-amazon-aws-16)

    Step 2:

    Click Create Security Group and provide a name and description. This security group encompasses the NetScaler ADC and Linux back-end web servers.

    (Figure: netscaler-and-amazon-aws-17)

    Step 3:

    Add the inbound port rules shown in the screenshot below.

    Note:

    Limiting source IP access is recommended for granular hardening; see the AWS security group rules reference for web servers:

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-web-server

    (Figure: netscaler-and-amazon-aws-18)
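    Because this example consolidates the rules for the NetScaler ADC and the Linux back ends into one security group, it is worth auditing the result against the note above about limiting source IP access. The following is an added example, not code from the article or from Citrix or AWS: it walks a list of inbound rules in the shape of the IpPermissions array returned by aws ec2 describe-security-groups and flags any rule whose source is 0.0.0.0/0 or ::/0 on anything other than a single public web port. The rule set is a constructed sample, not the group from the screenshot, and the choice of 80 and 443 as the only ports a public front end should expose to the world is an assumption of the example.

```python
"""Audit a security group's inbound rules for sources broader than the role
needs. Rules are in the shape of the IpPermissions list returned by
`aws ec2 describe-security-groups`. SAMPLE_RULES is constructed sample data."""

from typing import List, Set, Tuple

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Assumption of this example: only these ports are meant to be reachable from
# anywhere on a public web front end; everything else needs a narrower source.
PUBLIC_WEB_PORTS: Set[int] = {80, 443}

SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
    # Management port open to the world: this is what the note warns about.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    # Same port limited to a placeholder admin range: acceptable.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.0/24", "Description": "admin range"}],
     "Ipv6Ranges": []},
    # Protocol -1 is "all traffic"; describe-security-groups omits the ports.
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    # Source is another security group rather than a CIDR: not a CIDR finding.
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0placeholder"}]},
]


def rule_sources(rule: dict) -> List[str]:
    """Collect the IPv4 and IPv6 CIDR sources of a rule."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def rule_ports(rule: dict) -> Tuple[int, int]:
    """Return the (from, to) port range; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))


def audit_inbound(rules: List[dict], public_ports: Set[int] = PUBLIC_WEB_PORTS) -> List[str]:
    """Return one finding per (rule, source) pair that is open to the whole
    internet on anything other than a single public web port."""
    findings: List[str] = []
    for rule in rules:
        lo, hi = rule_ports(rule)
        covers_only_public = lo == hi and lo in public_ports
        if covers_only_public:
            continue
        proto = rule.get("IpProtocol")
        span = "all ports" if proto == "-1" else f"{proto}/{lo}" + ("" if lo == hi else f"-{hi}")
        for cidr in rule_sources(rule):
            if cidr in (ANY_V4, ANY_V6):
                findings.append(f"{span} open to {cidr}: restrict the source to known admin or peer ranges")
    return findings


if __name__ == "__main__":
    for line in audit_inbound(SAMPLE_RULES) or ["no overly broad inbound rules"]:
        print(line)
```

    Rules whose source is another security group are left alone here because that is exactly the mechanism the note recommends for splitting the ELB, NetScaler ADC and Linux instances into separate groups: traffic between tiers is allowed by group reference, and only the public listener ports face the internet.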

    Amazon Linux back-end Web Services

    Step 4:

    Log in to your AWS resource group and navigate to EC2. Within EC2 navigate to Instances.

    (Figure: netscaler-and-amazon-aws-19)

    Step 5:

    Click Launch Instance and use the details below to configure the Amazon Linux instance.

    Fill in the details for setting up a web server or back-end service on this instance.

    (Figure: netscaler-and-amazon-aws-20)

    Continued on Part 6
