The old limitations of using a single IP on an interface for a NetScaler Gateway solution in Azure are no more.
You may have heard that the NetScaler VPX in Azure now supports one interface with multiple IP addresses, one interface with one IP address, multiple interfaces with single IPs, and multiple interfaces with multiple IPs. What does this mean?
Well, the old method of putting an Azure Load Balancer in front to NAT port 443 to port 4443 on the Gateway IPs is no longer required. You can still use it if you wish, and you will need the Azure Load Balancer if you do the HA setup.
I can have multiple IPs and assign them to a single NIC on the NetScaler Azure VPX. This is known as multi-IP architecture.
In Azure, assigning multiple IPs to an interface looks like this:
Above, you can see that I have a single IP address, “ipconfig1”, which is my NetScaler NSIP. (I removed the public IP that was assigned to it.)
In a multi-NIC, multi-IP Azure NetScaler VPX deployment, the private IP associated with the primary (first) IPConfig of the primary (first) NIC is automatically added as the management NSIP of the appliance. The remaining private IP addresses associated with IPConfigs need to be added in the NetScaler appliance as a VIP or SNIP.
You can see that I have added a SNIP and my Gateway IP, with an internal and a public IP.
So why am I focusing on having a Gateway in Azure?
Well, something I stress about going to Citrix Cloud is having a NetScaler and StoreFront in your Resource Location. Why?
If you lose Cloud access, you lose the ability to broker connections to your VDA machines in your Resource Locations. This is about having a way to access your resources in that event.
You will still be able to access and broker connections in your resource location because the Citrix Connector Servers also act as proxy brokers, and they contain the Local Host Cache. (Please check out my webinar at the Virtual Expo for more on this.) So, even placing one NetScaler Gateway appliance in an Azure Resource location acts as a bit of resilience for your Citrix Cloud solution.
Typically, it is more likely that a customer’s internet connectivity will be interrupted (which could be due to 3rd-party factors such as ISP or power problems) than the highly reliable and redundant Citrix Cloud management plane running in Azure.
There are plenty of articles on creating NetScalers in a traditional environment, and I will highlight some here written by fellow CTPs:
The art of building a NetScaler in Azure is less known. Hopefully, this article will provide some enlightenment, and you can start forming your resilient Citrix Cloud solution using an Azure resource location.
Before you create your NetScaler in Azure, here are some prerequisites you should know about.
- Create a resource group for your NetScaler instance. (A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group.)
TIP – In a Citrix Azure world, I put the NetScalers in one resource group, Infrastructure in another and VDAs in a separate Resource Group.
Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.
Also something to keep in mind, for compliance reasons, is that you may need to ensure that your data is stored in a particular region.
More on Resource Groups can be found here – https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-portal
- Pre-create PIP (Public IP) for the gateway and the NSG (Network Security Group) in your appropriate Resource Group:
NSG inbound and outbound rules can be defined as below. You can make this more restrictive if you like; this is just an example:
You can then simply select these objects when you create the NetScaler in the Azure Marketplace.
- Have your VNet and subnets pre-created in your virtual network.
- Have any internal VIP (Virtual IP) addresses ready, along with your internal Gateway IP. Know your infrastructure IPs for LDAP, service account passwords, StoreFront URLs, STA IPs and DNS so you are able to complete the Gateway wizard setup.
- Have your Certificates ready for 443 connections and do not forget to have all the intermediates!
- Have your public DNS configured for your Gateway URL. You can do this in advance because you can create the PIP for the Gateway in your Resource Group before deploying the VPX in Azure.
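The PIP and NSG from the prerequisites above, as an added Azure CLI example (not from the original post; the resource names, private addresses and the admin source range are assumptions, and the NSG allows the Internet to reach only the Gateway VIP on 443 while management ports are limited to the admin range):

```shell
#!/bin/sh
# Added example, not from the original post: pre-create the Gateway PIP and an NSG
# with the Azure CLI. Resource names, addresses and the admin source range are assumptions.
set -eu
AZ="${AZ:-az}"               # set AZ=echo to print the commands instead of running them
RG="rg-netscaler"            # resource group that holds only the NetScaler objects
LOC="uksouth"
NSG="nsg-netscaler"
PIP="pip-nsgateway"          # public IP attached later to the Gateway VIP ipconfig
NSIP="10.0.1.10"             # assumed private IPs: management NSIP and Gateway VIP
GW_VIP="10.0.1.12"
ADMIN_SRC="203.0.113.0/24"   # placeholder: the range administrators manage the NSIP from

create_pip() {
  "$AZ" network public-ip create --resource-group "$RG" --location "$LOC" \
    --name "$PIP" --allocation-method Static --sku Standard
}

# nsg_rule NAME PRIORITY DIRECTION ACCESS SOURCE DEST-ADDRESS DEST-PORT
# NSG rules match on private addresses, so the Gateway rule names the VIP, not the PIP.
nsg_rule() {
  "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" --direction "$3" --access "$4" --protocol Tcp \
    --source-address-prefixes "$5" --destination-address-prefixes "$6" \
    --destination-port-ranges "$7"
}

create_nsg() {
  "$AZ" network nsg create --resource-group "$RG" --location "$LOC" --name "$NSG"
  # Anyone on the Internet may reach the Gateway VIP on 443, and nothing else.
  nsg_rule allow-gateway-https 100 Inbound Allow Internet "$GW_VIP" 443
  # Management (HTTPS, the port-80 rule the post mentions, SSH) only from the admin range.
  nsg_rule allow-mgmt-https 200 Inbound Allow "$ADMIN_SRC" "$NSIP" 443
  nsg_rule allow-mgmt-http  210 Inbound Allow "$ADMIN_SRC" "$NSIP" 80
  nsg_rule allow-mgmt-ssh   220 Inbound Allow "$ADMIN_SRC" "$NSIP" 22
  # Azure's built-in DenyAllInBound (priority 65500) drops everything else.
}

if [ "${APPLY:-no}" = "yes" ]; then   # run with APPLY=yes to create the resources
  create_pip
  create_nsg
fi
```

Run it once with `AZ=echo` to review the exact commands before running with `APPLY=yes` against a logged-in Azure CLI.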
So how do you build this Appliance?
First, choose your appliance in the Azure Marketplace.
I have my own license so I chose the machine below –
Review and click create.
Next simply go through some basic configuration steps.
Name your NetScaler. My preference is name of NetScaler – Domain – Region. (example – NS01-CITXEN-UKS)
Choose your password, disk type, resource group and location.
Next, you can choose the machine specification you will use for the NetScaler instance.
VPX virtual appliances can be deployed on any instance type that has two or more cores and more than 4 GB of memory. Remember to size appropriately for your particular environment.
Next you can choose a lot of settings such as Availability Set, Storage account, virtual network, subnet and NSG.
The NSG (Network Security Group) in your resource group acts like a firewall. If it is created before you run the NetScaler Marketplace wizard, you can simply choose the NSG and assign it to the NetScaler’s NIC.
Option to choose virtual network below.
Options to choose or create subnet.
Options to create or choose NSG.
In about five minutes, your NetScaler will be deployed as you can see below.
Now you need to navigate to your interface via the newly created machine’s Networking menu and then click on the highlighted Network Interface in the right pane.
Next go to IP Configurations and click Add.
Now, configure your additional IPs on the interface.
Create your SNIP.
Do the same for the NetScaler Gateway Virtual IP (VIP).
Set the IP to static and choose your Public IP that you created before set up.
In the end you should have three static IPs assigned to your NIC as seen below.
Remember to set up your external DNS so your URL can resolve to the Gateway!
At this point you should be able to access your NetScaler from your internal network, and via your public management IP if you added an inbound rule for port 80 to your NSG. Proceed with the initial configuration setup, upload your licensing and SSL certs, and run the Gateway wizard. (After configuration, I usually remove the PIP from the management IP.)
There is no requirement for an Azure Load Balancer in this single-appliance deployment method. If I were deploying my VDAs in a Resource Location in Azure as part of a Citrix Cloud solution, this would suffice for that little extra reassurance against losing your connection to the Cloud Management Plane.
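The IP configuration steps above, plus adding the same addresses on the NetScaler as SNIP and VIP, as an added example (not from the original post; the NIC, VNet and subnet names, the addresses and the nsroot login are assumptions):

```shell
#!/bin/sh
# Added example, not from the original post: add the SNIP and Gateway VIP as secondary
# IP configurations on the VPX NIC, attach the pre-created PIP to the VIP only, then
# register the same addresses on the NetScaler. Names and addresses are assumptions.
set -eu
AZ="${AZ:-az}"                  # set AZ=echo and SSH=echo for a dry run that prints the commands
SSH="${SSH:-ssh}"
RG="rg-netscaler"
NIC="ns01-citxen-uks-nic"       # NIC created by the Marketplace deployment; ipconfig1 is the NSIP
VNET="vnet-citrix"; SUBNET="snet-netscaler"
PIP="pip-nsgateway"
NSIP="10.0.1.10"; SNIP="10.0.1.11"; GW_VIP="10.0.1.12"; MASK="255.255.255.0"

# add_ipconfig NAME PRIVATE-IP [PIP-NAME]: giving --private-ip-address makes the ipconfig static
add_ipconfig() {
  if [ -n "${3:-}" ]; then
    "$AZ" network nic ip-config create --resource-group "$RG" --nic-name "$NIC" --name "$1" \
      --vnet-name "$VNET" --subnet "$SUBNET" --private-ip-address "$2" --public-ip-address "$3"
  else
    "$AZ" network nic ip-config create --resource-group "$RG" --nic-name "$NIC" --name "$1" \
      --vnet-name "$VNET" --subnet "$SUBNET" --private-ip-address "$2"
  fi
}

configure_azure_nic() {
  add_ipconfig ipconfig-snip "$SNIP"
  add_ipconfig ipconfig-gw "$GW_VIP" "$PIP"   # the Gateway VIP is the only address with a public IP
}

# Azure now delivers the addresses to the NIC, but the VPX must still own them as SNIP and VIP.
configure_netscaler_ips() {
  "$SSH" "nsroot@$NSIP" "add ns ip $SNIP $MASK -type SNIP"
  "$SSH" "nsroot@$NSIP" "add ns ip $GW_VIP $MASK -type VIP"
  "$SSH" "nsroot@$NSIP" "save ns config"
}

if [ "${APPLY:-no}" = "yes" ]; then   # run with APPLY=yes to make the changes
  configure_azure_nic
  configure_netscaler_ips
fi
```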
Look up my blog where I run through the configuration of NetScalers in HA (High Availability) in Azure using the new NetScaler 12 HA template.
Hope this helps somebody!
Follow me on Twitter @CitXen