How to deploy VPX high availability pair in different AWS HA zones with USIP mode enabled?

[Isha Khurana]

Consider a scenario where the customer wants to deploy VPX high availability pair in different AWS HA zones with USIP mode enabled(i.e. using Client IP as Source and not the SNIP) and  backend server’s gateway as SNIP, so that the server’s response always go through the ADC. As nodes are in different AWS HA zones ,two different SNIPs will be associated with each zone but it isn't a floating SNIP.

Is there any possible way to dynamically update a static route to force the return traffic back to the active ADC SNIP?

[Richard Faulkner]

Does the backend server reside in one of the two networks where the SNIP exists? If it is in the same network as one but not the other, how would it use the other's SNIP as the gateway?

Perhaps the resources could exist in a third subnet, with a router that participates in BGP. Then the dynamic routing capabilities of the ADC can update the route to point ot the active ADC SNIP for the outbound traffic.

You can look through the options here, as there are actually three routing tables maintained on each ADC. https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-dynamic-routes.html

Thoughts?

[Ronan OBrien]

If there are different zones, with different servers in each zone, then perhaps this is a case for INC mode? In this way, you manually add a snip on EACH appliance. The SNIP doesnt float, and in each zone, you can set the default network gateway of the servers to the appropriate SNIP for that zone.

Also - we try to avoid using USIP where we can, as you lose some protection and get no multiplexing benefits. I always ask *why* USIP is required, and often the need can be met with a header insertion or some rewrite actions...

[Ravichandra Sutrave]

The main issue with USIP is the reverse traffic will be directed towards client IP instead of SNIP. Hence it will not be routed to Netscaler.

We need a way to route this response traffic from back-end server to Netscaler. This should work with HA no matter which instance is active.

We can use the fact that the Netscaler will move all the routes pointing to previous primary to new primary in HA across AZ using private IP.

We can create a route table associated with server subnet and add a route to send this traffic to Netscaler ENI.

As the destination in the route will be netscaler ENI, it will be moved to new primary after failover.

Even though this route is not for the CIDR outside VPC CIDR, the route will still move to new primary ENI. Tis is due to the failover logic that has been implemnted in a generic way to move any routes pointing to previous primary to new primary.

Below diagram explains this before and after HA failover.

We have 2 route tables:

1. For VIP traffic in client subnet. VIP is selected in a CIDR outside the VPC CIDR. This route table is associated with client subnet. It will route all client traffic towards VIP to Netscaler ENI (ENI in cient subnet).
2. For Response traffic from server. As USIP is used, the destination IP of response traffic will be client IP. So this route will need to route all traffic towards client IP to netscaler ENI (ENI in server subnet). This route table is associated with client subnet.

After failover, both these routes (in fact any route in any route table in the same VPC) pointing towards Netscaler ENI will move to new primary after failover.

Due to this generic logic of failover we don't need any extra code and existing logic will take care of this use case.

We will document this in our feature documentation.

References:

https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-addressing/enabling-use-source-ip-mode.html

https://docs.citrix.com/en-us/citrix-adc/current-release/deploying-vpx/deploy-aws/vpx-ha-pip-different-aws-zones.html