
Configure HA-INC nodes by using the Citrix high availability template with Azure ILB

You can quickly and efficiently deploy a pair of VPX instances in HA-INC mode by using the standard template for intranet applications. The Azure internal load balancer (ILB) uses an internal or private IP address for the front end as shown in Figure 1. The template creates two nodes, with three subnets and six NICs. The subnets are for management, client, and server-side traffic with each subnet belonging to a different NIC on each device.

Figure 1: Citrix ADC HA pair for clients in an internal network

[Image: HA pair in an internal network]

You can also use this deployment when the Citrix ADC HA pair is behind a firewall as shown in Figure 2. The public IP address belongs to the firewall and is NAT’d to the front-end IP address of the ILB.

Figure 2: Citrix ADC HA pair with firewall having public IP address

[Image: HA pair with firewall]

You can get the Citrix ADC HA pair template for intranet applications at the Azure portal.

Complete the following steps to launch the template and deploy a high availability VPX pair by using Azure Availability Sets.

  1. From the Azure portal, navigate to the Custom deployment page.

  2. The Basics page appears. Create a Resource Group. Under the Parameters tab, enter details for the Region, Admin user name, Admin Password, license type (VM sku), and other fields.

    [Image: Basics page]

  3. Click Next : Review + create >.

    It might take a moment for the Azure Resource Group to be created with the required configurations. After completion, select the Resource Group in the Azure portal to see the configuration details, such as LB rules, back-end pools, and health probes. The high availability pair appears as ADC-VPX-0 and ADC-VPX-1.

    If you need to modify your HA setup further, such as creating more security rules and ports, you can do that from the Azure portal.

    Once the required configuration is complete, the following resources are created.

    [Image: HA ILB resource group]

  4. You must log on to the ADC-VPX-0 and ADC-VPX-1 nodes to validate the following configuration:

    • NSIP addresses for both nodes must be in the management subnet.
    • On the primary (ADC-VPX-0) and secondary (ADC-VPX-1) nodes, you must see two SNIP addresses. One SNIP (client subnet) is used for responding to ILB probes and the other SNIP (server subnet) is used for back-end server communication.

    Note

    In HA-INC mode, the SNIP addresses of the ADC-VPX-0 and ADC-VPX-1 VMs are different while being in the same subnet, unlike the classic on-premises ADC HA deployment where both are the same. To support deployments where the VPX pair SNIPs are in different subnets, or any time the VIP is not in the same subnet as a SNIP, you must either enable MAC-based forwarding (MBF) or add a static host route for each VIP on each VPX node.

    On the primary node (ADC-VPX-0)

    [Image: show ip CLI output on the primary node]

    [Image: show ha node CLI output on the primary node]

    On the secondary node (ADC-VPX-1)

    [Image: show ip CLI output on the secondary node]

    [Image: show ha node CLI output on the secondary node]

  5. After the primary and secondary nodes are UP and the Synchronization status is SUCCESS, you must configure the load balancing virtual server or the gateway virtual server on the primary node (ADC-VPX-0) with the private floating IP (FIP) address of the ADC Azure load balancer. For more information, see the Sample configuration section.

  6. To find the private IP address of the ADC Azure load balancer, navigate to Azure portal > ADC Azure Load Balancer > Frontend IP configuration.

    [Image: ALB front-end IP configuration]

  7. In the Azure Load Balancer configuration page, the ARM template deployment helps create the LB rule, back-end pools, and health probes.

    [Image: ARM template creates LB Rule]

    • The LB Rule (LbRule1) uses port 80, by default.

      [Image: LB Rule uses port 80]

    • Edit the rule to use port 443, and save the changes.

      Note

      For enhanced security, Citrix recommends that you use SSL port 443 for the LB virtual server or Gateway virtual server.

      [Image: LB Rule uses port 443]

To add more VIP addresses on the ADC, perform the following steps:

  1. Navigate to Azure Load Balancer > Frontend IP configuration, and click Add to create a new internal load balancer IP address.

    [Image: Add more VIP addresses]

  2. In the Add frontend IP address page, enter a name, choose the client subnet, assign either a dynamic or a static IP address, and click Add.

    [Image: Add front-end IP address]

  3. The front-end IP address is created, but no LB Rule is associated with it yet. Create a new load balancing rule, and associate it with the front-end IP address.

    [Image: Create a new load balancing rule]

  4. In the Azure Load Balancer page, select Load balancing rules, and then click Add.

    [Image: Add LB rules]

  5. Create a new LB Rule by choosing the new front-end IP address and the port. The Floating IP field must be set to Enabled.

    [Image: Floating IP enabled]

  6. Now the Frontend IP configuration shows the LB rule that is applied.

    [Image: Apply LB rule]

Sample configuration

To configure a gateway VPN virtual server and load balancing virtual server, run the following commands on the primary node (ADC-VPX-0). The configuration auto synchronizes to the secondary node (ADC-VPX-1).

Gateway sample configuration

    enable feature aaa LB SSL SSLVPN
    enable ns mode MBF
    add vpn vserver vpn_ssl SSL 10.11.1.4 443
    add ssl certKey ckp -cert wild-cgwsanity.cer -key wild-cgwsanity.key
    bind ssl vserver vpn_ssl -certkeyName ckp

Load balancing sample configuration

    enable feature LB SSL
    enable ns mode MBF
    add lb vserver lb_vs1 SSL 10.11.1.7 443
    bind ssl vserver lb_vs1 -certkeyName ckp

The certificate-key pair ckp bound here is the one added in the gateway sample configuration above.

You can now access the load balancing or VPN virtual server using the fully qualified domain name (FQDN) associated with the internal IP address of ILB.
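The following script is an added example, not Citrix's own tooling or code from this page. It takes the ILB rules created in the steps above (constructed sample values; names, addresses and subnets are hypothetical), flags the two settings the page requires on each rule (Floating IP Enabled, port 443 rather than the default 80), and generates the ADC CLI lines of the load balancing sample configuration for every front-end IP. Unlike the page's samples, which enable MBF unconditionally, it enables MBF only when a VIP lies outside every SNIP subnet, which is the condition the Note on HA-INC mode gives.

```python
import ipaddress

# Constructed sample of Azure ILB rules as the portal shows them (names and
# addresses are hypothetical). Every rule maps one front-end IP (FIP) to the
# back-end pool that holds ADC-VPX-0 and ADC-VPX-1.
ILB_RULES = [
    {"name": "LbRule1", "frontend_ip": "10.11.1.7", "frontend_port": 443,
     "backend_port": 443, "floating_ip": True},
    {"name": "LbRule2", "frontend_ip": "10.11.1.8", "frontend_port": 80,
     "backend_port": 80, "floating_ip": False},
]
# Subnets of the two SNIPs present on each node (client and server side).
SNIP_CIDRS = ["10.11.1.0/24", "10.11.2.0/24"]

def check_ilb_rule(rule):
    """Findings for one ILB rule: Floating IP must be Enabled so the packet
    reaches the ADC with the FIP as destination, and 443 is the recommended
    port rather than the template default of 80."""
    findings = []
    if not rule["floating_ip"]:
        findings.append(f'{rule["name"]}: Floating IP must be Enabled')
    if rule["frontend_port"] != 443:
        findings.append(f'{rule["name"]}: port {rule["frontend_port"]}, 443 recommended')
    return findings

def vip_needs_mbf(vip, snip_cidrs):
    """True when the VIP is in none of the SNIP subnets, the case where the
    Note requires MBF or a static host route on each node."""
    addr = ipaddress.ip_address(vip)
    return not any(addr in ipaddress.ip_network(c, strict=False) for c in snip_cidrs)

def adc_lb_config(rules, snip_cidrs, certkey="ckp"):
    """ADC CLI lines for the primary node: one SSL LB vserver per ILB rule,
    listening on the rule's FIP and back-end port. MBF is enabled only when
    some VIP lies outside every SNIP subnet."""
    lines = ["enable feature LB SSL"]
    if any(vip_needs_mbf(r["frontend_ip"], snip_cidrs) for r in rules):
        lines.append("enable ns mode MBF")
    for i, r in enumerate(rules, 1):
        lines.append(f'add lb vserver lb_vs{i} SSL {r["frontend_ip"]} {r["backend_port"]}')
        lines.append(f'bind ssl vserver lb_vs{i} -certkeyName {certkey}')
    return lines

if __name__ == "__main__":
    for rule in ILB_RULES:
        for finding in check_ilb_rule(rule):
            print("WARN", finding)
    print("\n".join(adc_lb_config(ILB_RULES, SNIP_CIDRS)))
```

Run against the sample rules it warns about LbRule2 (Floating IP disabled, port 80) and emits a vserver per FIP without MBF, since both FIPs sit in the client SNIP subnet.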

See the Resources section for more information about how to configure the load-balancing virtual server.

Resources:

The following links provide additional information related to HA deployment and virtual server configuration:
