  • NetScaler ADC and Amazon Web Services Validated Reference Design Part 7


    Richard Faulkner
    • Validation Status: Validated
      Summary: NetScaler ADC and Amazon Web Services Validated Reference Design Part 7
      Has Video?: No

    NetScaler ADC and Amazon Web Services Validated Reference Design Part 7

    September 21, 2022

    Author:  Luis Ugarte, Beth Pollack, Dave Potter

    Continued from Part 6

     

    Step 9:

    Navigate to Traffic Management > GSLB > Virtual Servers.

    Click Add to create the virtual server. Name the server, set DNS Record Type to A and Service Type to HTTP, and check the boxes for Enable after Creating and AppFlow Logging. Click OK to create the GSLB Virtual Server. (NetScaler ADC GUI)

    netscaler-and-amazon-aws-35

    Step 10:

    When the GSLB Virtual Server is created, click No GSLB Virtual Server ServiceGroup Binding.


    netscaler-and-amazon-aws-36

    Step 11:

    Under ServiceGroup Binding use Select Service Group Name to select and add the Service Groups that were created in the previous steps.

    netscaler-and-amazon-aws-37

    Step 12:

    Next, configure the GSLB Virtual Server Domain Binding by clicking No GSLB Virtual Server Domain Binding. Configure the FQDN and Bind; the rest of the settings can be left at their defaults.

    netscaler-and-amazon-aws-38

    Step 13:

    Configure the ADNS Service by clicking No Service. Add a Service Name, click New Server, and enter the IP Address of the ADNS server.

    Also, if your ADNS is already configured you can select Existing Server and then choose your ADNS from the menu. Make sure the Protocol is ADNS and the traffic is over Port 53.

    Configure the Method as LEASTCONNECTION and the Backup Method as ROUNDROBIN.

    netscaler-and-amazon-aws-39

     


     

    NetScaler ADC back end auto scaling with AWS

    AWS includes a feature called Auto Scaling that spins up additional instances running in AWS based on rules set by the administrator. These rules are defined by CPU utilization and revolve around creating and deleting instances on demand. NetScaler ADC integrates directly with the AWS Auto Scaling solution, making the NetScaler ADC aware of all available back-end servers that it can load balance. The limitation of this feature is that it currently functions only within one AZ in AWS.

    Configure AWS components

    Step 1:

    Sign in to your AWS resource group and navigate to EC2. Within EC2 navigate to AUTO SCALING > Launch Configuration. Click Create launch configuration.

    netscaler-and-amazon-aws-40

    Step 2:

    In this step, choose the server type. This is where you configure which VMs you want to auto scale. For this example, we must choose Amazon Linux AMI.

    netscaler-and-amazon-aws-41

    Step 3:

    Choose the type of instance you need from the options available for back-end resources. Name your instance; for the remainder of the run guide, the instance is known as Backend-Server. Configure storage for the instance and add it to a security group, or create a new security group that encompasses all AWS components created in this run guide.

    netscaler-and-amazon-aws-42

    Step 4:

    An additional note on your security group: for this run guide, the following ports are opened:

    netscaler-and-amazon-aws-43

     


    NetScaler ADC back end auto scaling groups and policies

    Configure NetScaler ADC Front End Auto Scaling in AWS:

    Step 1:

    Sign in to your AWS resource group and navigate to EC2. Within EC2 navigate to AUTO SCALING > Auto Scaling Group.

    Click the radio button to create an Auto Scaling group from an existing launch configuration. Be sure to select the Backend-Server that we created in the previous step of the lab guide.

    Under Create Auto Scaling Group add the group name, choose the initial group size, choose the Network and Subnet, and then click Next.

    Note:

    The Subnet must be reachable from the subnet IP (SNIP) of the NetScaler ADC.

    netscaler-and-amazon-aws-44

    Step 2:

    On the Create Auto Scaling Group configuration page, configure your scaling policies. To do this, click the radio button for Use scaling policies to adjust the capacity of this group. Next, click Scale the Auto Scaling group using step or simple scaling policies.

    netscaler-and-amazon-aws-45

    Step 3:

    Select Add new alarm.

    netscaler-and-amazon-aws-46

    Step 4:

    While you are creating the alarm, configure it to send a notification to your NetScaler ADC. Configure the alarm so that Average of CPU Utilization is >= 70 for at least one consecutive period of 5 minutes. Apply the policy.

    netscaler-and-amazon-aws-47

    Step 5:

    Configure your Auto Scaling Group to add one instance when the policy is triggered.

    netscaler-and-amazon-aws-48

    Step 6:

    Configure the same alarm and policy, but this time to remove a Backend-Server when the CPU averages <=30 for 5 minutes. Set the decrease group size to Remove 1 instance when the decrease policy is triggered.

    Note:

    For deletion of servers, we are notifying NetScaler ADC to not send any traffic to a Backend-Server marked for deletion.

    Click through Configure Notifications and Configure Tags to review and create Auto Scaling group.

    Note:

    The Min and Max variables can be configured to set the fewest and highest number of instances that will be created and running within the Auto Scaling Group. Currently AWS supports spinning up additional instances with only one network interface.

    Create a NetScaler ADC in AWS

    Step 1:

    Sign in to your AWS resource group and navigate to EC2. Within EC2 navigate to Instances > Instances.

    netscaler-and-amazon-aws-49

    Step 2:

    Navigate to AWS Marketplace on the left and then search for NetScaler ADC. Choose Citrix Networking VPX – Customer Licensed. Make sure your version number is 12.0.51.x or later to use Auto Scaling. You can select previous versions to choose a version of NetScaler ADC that supports Auto Scaling.

    netscaler-and-amazon-aws-50

    Step 3:


    Choose the Instance Type, for example General Purpose m4.xlarge with 4 vCPU and 16 GB RAM. Click Next.

    Step 4:

    On the Configure Instance Details tab, select the Subnet (three subnets eventually have to be configured for NSIP, SNIP, and VIP/Gateway). Also, you have to add an IAM role. Click to create a new IAM Role. Add the IAM Roles that are found in the following step. After this role is created, you need to add this to your Cloud Profile on your NetScaler ADC.

    Step 5:

    Configurations for the Cloud Profile are as follows:

    By default, the CloudFormation Template creates and attaches the following IAM Role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:DescribeAddresses",
                    "ec2:AssociateAddress",
                    "ec2:DisassociateAddress",
                    "ec2:DescribeInstances",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DetachNetworkInterface",
                    "ec2:AttachNetworkInterface",
                    "ec2:StopInstances",
                    "ec2:StartInstances",
                    "ec2:RebootInstances",
                    "autoscaling:*",
                    "sns:*",
                    "sqs:*",
                    "iam:GetRole",
                    "iam:SimulatePrincipalPolicy"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

     

    The IAM Role permissions can be further restricted as follows:

        "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DetachNetworkInterface",
            "ec2:AttachNetworkInterface",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:RebootInstances",
            "ec2:DescribeAddresses",
            "ec2:AssociateAddress",
            "ec2:DisassociateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:UnassignPrivateIpAddresses",
            "autoscaling:*",
            "sns:CreateTopic",
            "sns:DeleteTopic",
            "sns:ListTopics",
            "sns:Subscribe",
            "sqs:CreateQueue",
            "sqs:ListQueues",
            "sqs:DeleteMessage",
            "sqs:GetQueueAttributes",
            "sqs:SetQueueAttributes",
            "iam:SimulatePrincipalPolicy",
            "iam:GetRole"
        ]
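
To see exactly what the restricted list tightens relative to the default role, the following added example (not part of the original guide or of Citrix's tooling) parses the default policy and reports which service-wide wildcards are replaced by explicit actions. The function names `wildcard_grants` and `narrowing` are hypothetical helpers, and only the Auto Scaling, SNS and SQS entries of the restricted list are embedded.

```python
import json

# Default role policy as listed on the page, embedded inline.
DEFAULT_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
   "ec2:DescribeAddresses", "ec2:AssociateAddress", "ec2:DisassociateAddress",
   "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
   "ec2:DetachNetworkInterface", "ec2:AttachNetworkInterface",
   "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances",
   "autoscaling:*", "sns:*", "sqs:*", "iam:GetRole", "iam:SimulatePrincipalPolicy"]}]}
""")

# Auto Scaling, SNS and SQS entries of the page's restricted list (EC2/IAM omitted).
RESTRICTED_ACTIONS = [
    "autoscaling:*",
    "sns:CreateTopic", "sns:DeleteTopic", "sns:ListTopics", "sns:Subscribe",
    "sqs:CreateQueue", "sqs:ListQueues", "sqs:DeleteMessage",
    "sqs:GetQueueAttributes", "sqs:SetQueueAttributes",
]

def _as_list(value):  # IAM accepts a string or a list for Action/Resource
    return [value] if isinstance(value, str) else list(value)

def wildcard_grants(policy):
    """Return sorted (service, resource) pairs where an Allow grants service:*."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if action == "*" or name == "*":
                for resource in _as_list(stmt.get("Resource", [])):
                    found.add((service.lower(), resource))
    return sorted(found)

def narrowing(default_policy, restricted_actions):
    """Per wildcard service in the default policy: explicit actions that replace
    it in the restricted list, or None if the wildcard is still present."""
    restricted = {"Statement": {"Effect": "Allow", "Resource": "*",
                                "Action": restricted_actions}}
    still_wild = {svc for svc, _ in wildcard_grants(restricted)}
    return {svc: None if svc in still_wild else
            sorted(a for a in restricted_actions if a.lower().startswith(svc + ":"))
            for svc, _ in wildcard_grants(default_policy)}
```

`narrowing(DEFAULT_POLICY, RESTRICTED_ACTIONS)` returns explicit action lists for `sns` and `sqs` and `None` for `autoscaling`, because the restricted list on the page still carries `autoscaling:*`.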

     

    Step 6:

    Click the Add Storage option. On the Add Tags tab, set the Key value as Name and the Value as NetScaler ADC-Autoscale to tag these EC2 resources.

    Step 7:

    On the Configure Security Group tab, create a new security group with the following port requirements:

    Review and launch the instance.

    netscaler-and-amazon-aws-51

    Step 8:

    Navigate to NETWORK & SECURITY > Network Interfaces and click Create Network Interface.

    Add a description and then select a subnet. This subnet is utilized for your SNIP, so it should be placed on a subnet in the internal network. Also, choose the security group created in the previous step. Click Yes, Create.

    netscaler-and-amazon-aws-52

    Add an additional Network Interface. This is a public-facing subnet for your Gateway/LB VIP. Create a description and choose the security group configured above.

    netscaler-and-amazon-aws-53

    Step 9:

    Navigate back to Instances and select your NetScaler ADC. To add the Network Interfaces to the NetScaler ADC, the instance has to be stopped. In the Actions list, select Instance State and then click Stop.

    Again click the Actions button and navigate down to Networking and Attach Networking Interface.

    netscaler-and-amazon-aws-54

    The NSIP interface is already attached to the VM; the next interface to be added should be the LB-VIP, followed by the server/internal interface for the SNIP. Once the Network Interfaces are attached, the instance can be started.

    Configure a new Elastic IP and associate it with your NSIP interface.

    Configure NetScaler ADC to integrate with AWS Auto Scaling

    Step 1:

    Navigate to the Elastic IP you associated with the NSIP in the previous step of this lab guide to access the NetScaler ADC Management console.

    The first step to configuring the NetScaler ADC is to attach a Cloud Profile. Click AWS and then Cloud Profile. Next click Add to create a Cloud Profile.

    Provide a name for the cloud profile. The Virtual Server IP Address should populate and correlate with an internal IP on your NetScaler ADC. The Auto Scale Group is the one that you created in previous steps of this lab guide. Select Graceful; this allows a time-out before back-end instances are deleted, so that any packet transfers can complete and sessions are not terminated within the grace period. The time delay for the grace period can be adjusted.

    netscaler-and-amazon-aws-55

     


    Continued on Part 8

     

