Design Decision: Deployment Architecture and Considerations
Designing your ADC architecture and planning the deployment are the two key activities for the transition. Selecting the correct features and the best architecture model for your ADC deployments can be both time consuming and challenging. This section provides guidance about the Citrix ADC features and functionality to help you choose the best model.
What types of deployments are available and what are the best practices when deploying that type?
Use multi-NIC and multi-IP design when you are deploying into production where high-availability requirements for redundancy or security exist
- Using Citrix Solution Templates in the Azure marketplace is the recommended deployment method
- Citrix recommends deploying the multi-NIC architecture using the “Citrix ADC” Citrix solution template from the Azure Marketplace
Choosing this Citrix solution template gives you the following software plan options:- Citrix ADC VPX Bring Your Own License
- Citrix ADC VPX Subscription License
- Citrix ADC HA (Availability Zone) - SL
- Citrix ADC HA (Availability Set) BYOL
- Citrix ADC HA (Availability Set) - SL
- Citrix ADC HA (Availability Zone) BYOL
- Citrix ADC FIPS HA (Availability Zone) BYOL
- Citrix ADC FIPS Standalone BYOL
- Citrix ADC FIPS HA (Availability Set) BYOL
- 集成了GSLB Citrix ADM(交通等内容ement) and Licensing
- Best for the following use cases
- Isolation of data and management traffic
- Improved scale and performance of the ADC
- Where applications require more than 1 Gbps of throughput
- Web Application Firewall (WAF) deployments
- Use the single-NIC, multi-IP design for production environments with a single subnet or for non-production environments, such as testing
- With a single NIC, you have 3 IP configurations:
- ipconfig1 is management
- ipconfig2 is client-side traffic
- ipconfig3 is back-end server traffic
- Ipconfig3 should not have a public IP address associated with it
- Add IP addresses for all the configurations in the Azure portal first before configuring them in the Citrix ADC
- Create an untagged VLAN for each data interface on the ADC VPX and bind the primary IP of the NIC. This procedure helps prevent MAC moves and interface changes in Azure from unexpectedly impacting your ADC.
- With a single NIC, you have 3 IP configurations:
- Use the single-NIC, single-IP for a Citrix ADC in standalone mode.
- 所有功能,NSIP、剪断、VIP被绑定到一个年代ingle Citrix ADC IP address
- Configure the resource group, network security groups, and virtual network before you provision the Citrix ADC VPX VM so the network information is available before provisioning
- Only available in Azure and on Azure stack
- When deploying High Availability using Availability Sets (recommended)
- The ADC VPX needs an HA independent Network Configuration (INC)
- The Azure Load Balancer must be configured in Direct Server Return (DSR) mode
- When deploying High Availability using Availability Zones
- Use the “Citrix ADC” Citrix Solution template in the Azure Marketplace with a software plan where “(Availability Zone)” is included in the name
- Currently, not all Azure regions support Availability Zones, so check in your region before deploying this Solution template
What are the benefits of using Azure accelerated networking?
Accelerated networking is not available on all instance types and the VMs must be stopped to before enabling accelerated networking on a NIC
You must perform all configuration changes from the Citrix ADC VPX PV interface. Use the ADCshow interfacecommand to determine which physical interface is bound to PV
Citrix recommends not performing any operations on the Citrix ADC VPX VF interface. If you must perform operations on the VF interface, Citrix only allows theclear statsorenable,disable, and*reset interfaceoperations. VLAN binding is unavailable.
What methods are available for deploying Citrix ADC?
Deploy through the Azure Marketplace. The Citrix ADC VPX virtual appliance is available as an image in the Microsoft Azure Marketplace.
Deploy using the Citrix ADC Azure Resource Manager (ARM) json template available on GitHub.
Deploy using Citrix ADM service.
Traffic Distribution
With DNS-based autoscaling, DNS is the layer that decides where the traffic is routed. The traffic manager uses DNS to direct the client traffic to the appropriate Citrix ADC instance that is available in the Citrix Application Delivery and Management autoscaling group. Azure traffic manager resolves the FQDN to the VIP address of the Citrix ADC instance.
With Azure Load-Balancer (ALB) as the traffic manager, inbound traffic goes first to the ALB and it decides where the traffic is routed. ALB manages the client traffic and distributes it to Citrix ADC VPX clusters. ALB sends the client traffic to Citrix ADC VPX cluster nodes that are available in the Citrix Application Delivery and Management autoscaling group across availability zones.
With both traffic distribution options, the Citrix Application Delivery and Management triggers the scale-out or scale-in action at the cluster level. When a scale-out is triggered, the registered virtual machines are provisioned and added to the cluster. Similarly, when a scale-in is triggered, the nodes are removed and de-provisioned from the Citrix ADC VPX clusters.
How do you deploy Citrix ADC VPX on Azure with Global Server Load Balancing (GSLB) and use Azure DNS Private Zones?
When using DNS-based traffic management, each Citrix ADC instance in the Citrix Application Delivery and Management Autoscale group requires a public IP address.
对以域名系统自动定量、应用交付一个d Management waits for the specified Time-To-Live (TTL) period. After the TTL expires, it waits for existing connections to drain before initiating node de-provisioning.
When using ALB-based traffic management, the public IP address is allocated to Azure Load Balancer. Citrix ADC VPX instances do not require a public IP address.
The Citrix ADC requires either a DNS virtual server or a nameserver configured which is used by the Azure Load balancer for resolution
For a Hybrid GLSB configuration (multi-cloud/data center)
- A SNIP address or GLB Site IP address must be configured on each Citrix ADC node for metrics exchange between the nodes
- The ADNS or ADNS-TCP service must be set up on the Citrix ADC nodes to process the DNS traffic
- The Azure cloud security groups and firewalls must allow traffic on ports 53 and 3009
- Support for GSLB Load-balancing solutions other than Citrix ADC is limited
- Use the Multi-cloud GLB StyleBook for configuration of Global Load Balancing
Autoscale Guidance
An Autoscale group is a group of Citrix ADC instances that load-balance applications as a single entity. The number of instances in the ADC Autoscale group is based on the configured parameters, such as CPU usage. The Azure infrastructure (ALB or Azure traffic manager) sends the client traffic to a Citrix Application Delivery and Management autoscaling group in the availability set. Citrix Application Delivery and Management triggers the scale-out or scale-in action at the cluster level.
What are the requirements for integrating Citrix ADC with Azure Autoscale?
Using Autoscale with Azure virtual machine scale sets (VMSS) with multi-IP deployments enabled for high-availability minimizes costs. Citrix recommends using Autoscale to reduce the amount of configuration and overhead necessary to monitor the server performance across VNets.
An Azure Active Directory (AAD) application and service principal with contributor role on the affected resources are required to implement Autoscale
With auto-scaling an IP set is created on clusters in every availability zone. After which, the domain and instance IP addresses are registered with the Azure traffic manager or ALB. When the application is removed, the domain and instance IP addresses are deregistered from the Azure traffic manager or ALB. Then, the IP set is deleted.
SD-WAN
With SD-WAN, the Citrix ADC appliance can provide connectivity between your enterprise data centers and the Azure cloud. Citrix SD-WAN makes Azure a seamless extension of the enterprise network. Citrix ADC encrypts the connection between the enterprise data center and the Azure cloud so that all data transferred between the two is secure. To secure the communications, a Citrix SD-WAN Connector tunnel between a data center and the Azure cloud uses the open-standard Internet Protocol security (IPSec) protocol suite.
What are the limitations to deploying a Citrix SD-WAN connector tunnel?
The Citrix ADC appliance must have a public facing IPv4 address (type SNIP) to use as a tunnel end-point address for the SD-WAN Connector tunnel
The Citrix ADC appliance should not be behind a NAT device
Citrix SD-WAN connector tunnel supports only IKE1, AES, and HMAC SHA1 for IPSec settings
- Citrix SD-WAN requires the edge firewall to pass the following packets through to the ADC
- Any UDP packets on port 4500 or port 500
- Any ESP packets of protocol type 50
IKE rekeying is not supported. You need to set a large value for the security association lifetime so the tunnel does not go down unexpectedly.
- Configure Azure before setting up the SD-WAN tunnel because Azure setup generates the IP address and PSK that is used for the tunnel configuration.
Citrix Application Delivery Management (ADM) Service
The Citrix Application Delivery Management Service (ADM) within Citrix Cloud provides a centralized location to manage your Citrix ADC deployments. These deployments include Azure cloud or on-premises versions of the following: Citrix ADC MPX, Citrix ADC VPX, Citrix ADC SDX, Citrix ADC CPX, Citrix Gateway, and Citrix Secure Web Gateway appliances. Citrix ADM is a cloud-based solution that manages, monitors, and assists with troubleshooting your entire application delivery infrastructure. Citrix ADM includes all the necessary capabilities to deploy, automate, and license Citrix ADC within an easy to navigate cloud-based console.
How does the Citrix ADM service work?
Deploy through the Azure Marketplace. The Citrix ADC VPX virtual appliance is available as an image in the Microsoft Azure Marketplace.
Deploy using the Citrix ADC Azure Resource Manager (ARM) json template available on GitHub
Deploy using Citrix ADM service
StyleBooks
The most complex part of deploying an ADC is configuring it to work with your authentication system and your applications. Citrix offers StyleBooks to help ease the configuration experience. StyleBooks offer a way to simplify the complex task of Citrix ADC configurations. A StyleBook is a pre-configured template that users can use to create or manage Citrix ADC configurations. StyleBooks exist for most of the common applications and configurations. For instance, The SSO Office 365 StyleBook allows you to enable SSO for Microsoft Office 365 through Citrix ADC instances.
What are the Citrix ADM StyleBook applications templates and how do I use them?
We recommend using StyleBooks for initial configurations if one is available. StyleBooks for Microsoft 365, Skype, Exchange, SharePoint, and ADFS are available
- Microsoft SharePoint StyleBook requires the following:
- Sharepoint 2016 or later
- Citrix ADM v12.0 or later
- Citrix ADC v10.5 or later
Microsoft SharePoint StyleBook supports the Load Balancing, Content switching, Responder, Rewrite, Compression, and Integrated Caching features of Citrix ADC
When using SSL with the SharePoint StyleBook, verify that the Rewrite configuration parameter is enabled in the SharePoint Advanced Settings section of the StyleBook
- Citrix recommends you first select Dry Run to view the configuration objects that the StyleBook creates on the target Citrix ADC instances, If acceptable, then go ahead and execute the actual configuration.
Load-balancing with Azure Tag
For Citrix ADC VPX standalone and high-availability instances deployed on the Azure Cloud, now you can create load-balancing service groups associated with an Azure tag. The VPX instance constantly monitors Azure virtual machines (back-end servers) and network interfaces (NICs), or both, with the respective tag and updates the service group accordingly. The VPX instance creates the service group that load balances the back-end servers using tags. Whenever a VM or NIC with the appropriate tag is added or deleted, the ADC detects the change and updates the service group automatically.
How do I configure Load Balancing to use Azure Tags?
Tags must be assigned to the VM instance or the VM’s NIC
When using the Azure CLI to propagate tags, the secondary (standby) Citrix ADC must terminate the rain_tags process after a warm restart. This behavior prevents the old information from being used inadvertently
The ADC VPX needs to be able to reach the tagged IP Address for the back-end server. For a tagged VM, this is the primary IP address, for a tagged NIC, it is the NIC’s IP address. If the VM is on a different VNet, then VNet Peering must be enabled.
Save all configurations so they persist between VM restarts
Links to Other Resources
Citrix ADC VPX on Azure Deployment Guide
Deployment Guide Citrix ADC VPX on Azure – Disaster Recovery
Configure a Citrix ADC VPX instance to use Azure accelerated networking
Provisioning Citrix ADC VPX instances on Microsoft Azure
Citrix ADC for Azure DNS Private Zone Deployment Guide
Deployment Guide Citrix ADC VPX on Azure - GSLB
Autoscale architecture for Microsoft Azure
Deployment Guide Citrix ADC VPX on Azure - Autoscale
Configuring a CloudBridge Connector tunnel between a datacenter and Azure cloud
Microsoft SharePoint StyleBook
StyleBooks for Citrix ADC Configurations