Deployment Guide Citrix ADC VPX on AWS - Autoscale
Contributors
Author: Blake Schindler
Overview
Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments.
As an undisputed leader of service and application delivery, Citrix ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, Citrix ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. Citrix ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.
Citrix VPX
The Citrix ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms:
Citrix Hypervisor
VMware ESX
Microsoft Hyper-V
Linux KVM
Amazon Web Services
Microsoft Azure
Google Cloud Platform
This deployment guide focuses on Citrix ADC VPX on Amazon Web Services.
Amazon Web Services
Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services can offer tools such as compute power, database storage, and content delivery services.
AWS offers the following essential services:
AWS Compute Services
Migration Services
Storage
Database Services
Management Tools
Security Services
Analytics
Networking
Messaging
Developer Tools
Mobile Services
AWS Terminology
Here is a brief description of the key terms used in this document that users must be familiar with:
Amazon Machine Image (AMI) - A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud.
Auto Scaling - A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks.
AWS Auto Scaling Group - An AWS auto scaling group is a collection of EC2 instances that share similar characteristics and are treated as a logical grouping for the purposes of instance scaling and management.
Elastic Block Store - Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.
Elastic Compute Cloud (EC2) - A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Elastic Load Balancing (ELB) - Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. Distributing the traffic increases the fault tolerance of user applications.
Elastic Network Interface (ENI) - A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC).
Elastic IP (EIP) address - A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change.
IAM-Instance-Profile - An identity provided to the Citrix ADC instances provisioned in a cluster in AWS. The profile allows the instances to access AWS services once they start load balancing the client requests.
Identity and Access Management (IAM) - An AWS identity with permission policies that determine what the identity can and cannot do in AWS. Users can use an IAM role to enable applications running on an EC2 instance to securely access their AWS resources. An IAM role is required for deploying VPX instances in a high-availability setup.
Instance type - Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications.
Listener - A listener is a process that checks for connection requests, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to the targets in one or more target groups.
NLB - Network load balancer. NLB is an L4 load balancer available in the AWS environment.
Route 53 - Route 53 is Amazon’s highly available and scalable cloud domain name system (DNS) web service.
Security groups - A named set of allowed inbound network connections for an instance.
Subnet - A segment of the IP address range of a VPC to which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs.
Virtual Private Cloud (VPC) - A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define.
Here is a brief description of other terms used in this document that we recommend you are familiar with:
Autoscale Groups - An Autoscale group is a group of Citrix ADC instances that load balance applications as a single entity and trigger autoscaling when the threshold parameters breach the limits. Citrix ADC instances scale out or scale in dynamically based on the autoscale group configuration.
Note:
A Citrix autoscale group is called autoscale group throughout this document whereas the AWS autoscale group is explicitly called AWS autoscale group.
Citrix ADC Clusters - A Citrix ADC cluster is a group of Citrix ADC VPX instances and each instance is called a node. The client traffic is distributed across the nodes to provide high availability, high throughput, and scalability.
CloudFormation - A service for writing or changing templates that create and delete related AWS resources together as a unit.
Cooldown period - After a scale-out, the cooldown period is the time for which evaluation of the statistics is stopped. The cooldown period ensures organic growth of an autoscale group by allowing current traffic to stabilize and average out on the current set of instances before the next scaling decision is made. Default cooldown period value is 10 minutes and is configurable.
Note:
Default value is determined based on the time required for the system to stabilize after a scale-out (approximately 4 minutes) plus Citrix ADC configuration and DNS advertisement time.
Drain Connection Timeout - During scale-in, once an instance is selected for deprovisioning, Citrix ADM removes the instance from processing new connections to the autoscale group and waits until the specified drain connection timeout period expires before deprovisioning. This timeout allows existing connections to this instance to be drained before it gets deprovisioned. Even if the connections are drained before the drain connection timeout expires, Citrix ADM still waits for the drain connection timeout period to expire before starting a new evaluation.
Note:
If the connections are not drained even after the drain connection timeout expires, Citrix ADM removes the instance anyway, which might impact the application. Default value is 5 minutes and is configurable.
Key pair - A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key.
Route table - A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.
Simple Storage Service (S3) - Storage for the Internet. It is designed to make web-scale computing easier for developers.
Tags - Each autoscale group is assigned a tag, which is a key and value pair. You can apply tags to resources so that you can organize and identify them easily. The tags are applied to both AWS and Citrix ADM. Example: Key = name, Value = webserver. Use a consistent set of tags to easily track the autoscale groups that might belong to various groups such as development, production, and testing.
Threshold Parameters - Parameters that are monitored for triggering scale-out or scale-in. The parameters are CPU usage, memory usage, and throughput. You can select one parameter or more than one parameter for monitoring.
Time to Live (TTL) - Specifies the time interval that the DNS resource record may be cached before the source of the information should again be consulted. Default TTL value is 30 seconds and is configurable.
Watch Time - The time for which the scale parameter’s threshold has to stay breached for a scaling to happen. If the threshold is breached on all the samples collected in this specified time, then a scaling happens. If the threshold parameters remain at a value higher than the maximum threshold value throughout this duration, a scale-out is triggered. If the threshold parameters operate at a value lower than the minimum threshold value, a scale-in is triggered. Default value is 3 minutes and is configurable.
Use Cases
Compared to alternative solutions that require each service to be deployed as a separate virtual appliance, Citrix ADC on AWS combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, and other essential application delivery capabilities in a single VPX instance, conveniently available via the AWS Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises Citrix ADC deployments. The net result is that Citrix ADC on AWS enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers.
Data center Expansion with Autoscale
There are organizations looking to expand their Citrix footprint in the public cloud, and they are thinking about using native public cloud services. A common use case is for businesses to migrate to the cloud at their own pace so that they can focus on higher ROI workloads or applications. By using the Citrix solution, which often includes pooled capacity to keep workloads both on-premises and in the cloud by decoupling bandwidth from instances, they can move to whichever cloud they choose at their own pace.
Now the public cloud provides elasticity, which is also a significant use case for customers who want to host applications on demand while not worrying about over or under provisioning of resources.
Efficient hosting of applications in a cloud involves easy and cost-effective management of resources depending on the application demand. For example, consider a business that has an e-commerce web portal running on AWS. This portal sometimes offers large discounts, during which there is a spike in application traffic. When application traffic increases during these offers, the applications must be scaled out dynamically, and network resources might likewise need to be increased.
The Citrix ADM autoscaling feature supports provisioning and autoscaling of Citrix ADC instances in AWS. The Citrix ADM autoscaling feature constantly monitors the threshold parameters such as memory usage, CPU usage, and throughput. Users can select one of these parameters or more than one parameter for monitoring. These parameter values are then compared to the user configured values. If the parameter values breach the limits, then scale-out or scale-in is triggered as needed.
The Citrix ADM autoscale feature architecture is designed in such a way that users can configure the minimum and maximum number of instances for each of the autoscale groups. Pre-setting these numbers ensures that each application is always up and running and aligns to customer demand.
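The scaling decision described above (threshold parameters, watch time, cooldown, drain connection timeout and the minimum/maximum instance bounds) as an added Python simulation. This is illustrative code written for this guide, not Citrix ADM's implementation: it assumes one sample of the monitored parameter per minute per group and uses the default timings quoted in the terminology section; the load trace and the thresholds are constructed.

```python
"""Simulation of the Citrix ADM autoscale decision logic described in this guide.

Added illustration, not Citrix ADM code. It models the documented knobs:
threshold parameters, watch time (every sample in the window must breach
before a scaling happens), cooldown after a scale-out, drain connection
timeout on scale-in, and the min/max instance bounds of the group.
"""
from dataclasses import dataclass, field


@dataclass
class AutoscaleGroup:
    """State of one autoscale group; the timing knobs use this guide's defaults."""
    min_instances: int
    max_instances: int
    max_threshold: float         # e.g. CPU %, breach above this is a scale-out signal
    min_threshold: float         # breach below this is a scale-in signal
    watch_time: int = 3          # minutes the breach must persist (default 3)
    cooldown: int = 10           # minutes evaluation pauses after a scale-out (default 10)
    drain_timeout: int = 5       # minutes to drain before deprovisioning (default 5)
    instances: int = 1
    paused_until: int = -1       # minute until which evaluation is suspended
    samples: list = field(default_factory=list)   # (minute, value) since last action

    def observe(self, minute: int, value: float) -> str:
        """Feed one per-minute sample of the threshold parameter; return the decision."""
        if minute < self.paused_until:
            return "cooldown"            # statistics are not evaluated while paused
        self.samples.append((minute, value))
        window = [v for m, v in self.samples if m > minute - self.watch_time]
        if len(window) < self.watch_time:
            return "warming-up"          # not yet a full watch-time window
        if all(v > self.max_threshold for v in window):
            return self._scale_out(minute)
        if all(v < self.min_threshold for v in window):
            return self._scale_in(minute)
        return "steady"                  # breach did not persist over the whole window

    def _scale_out(self, minute: int) -> str:
        if self.instances >= self.max_instances:
            return "at-max"              # upper bound: never provision beyond it
        self.instances += 1
        self.paused_until = minute + self.cooldown   # let traffic settle on the new set
        self.samples.clear()
        return "scale-out"

    def _scale_in(self, minute: int) -> str:
        if self.instances <= self.min_instances:
            return "at-min"              # lower bound keeps the application served
        self.instances -= 1
        # ADM stops sending new connections to the chosen instance and waits the full
        # drain timeout before deprovisioning it and before evaluating again.
        self.paused_until = minute + self.drain_timeout
        self.samples.clear()
        return "scale-in"


def simulate(trace, **config):
    """Run a (minute, value) trace through a group; return decisions and final size."""
    group = AutoscaleGroup(**config)
    decisions = [(minute, group.observe(minute, value)) for minute, value in trace]
    return decisions, group.instances


# Constructed trace: sustained 90 % load, then 85 %, then 20 %, one sample a minute.
SAMPLE_TRACE = [(m, 90) for m in range(0, 3)] + [(m, 85) for m in range(3, 15)] + \
               [(m, 20) for m in range(15, 30)]

if __name__ == "__main__":
    result, size = simulate(SAMPLE_TRACE, min_instances=1, max_instances=3,
                            max_threshold=80, min_threshold=30)
    for minute, decision in result:
        if decision not in ("cooldown", "warming-up"):
            print(f"minute {minute:2d}: {decision}")
    print("final instance count:", size)
```

With the constructed trace the group scales out twice, idles through each cooldown, and scales in once the load stays under the minimum threshold for a full watch window. With a maximum of two instances it reports at-max instead of provisioning a third, which is the bound that keeps a runaway trigger from consuming budget; samples taken while evaluation is paused are discarded, a modelling choice made here so that a fresh watch window starts after every action.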
Benefits of Autoscaling
High availability of applications. Autoscaling ensures that your application always has the right number of Citrix ADC VPX instances to handle the traffic demands. This is to ensure that your application is up and running all the time irrespective of traffic demands.
Smart scaling decisions and zero touch configuration. Autoscaling continuously monitors your application and adds or removes Citrix ADC instances dynamically depending on the demand. When demand spikes upward, instances are automatically added. When demand drops, instances are automatically removed. Because the addition and removal of Citrix ADC instances happens automatically, no manual configuration is needed (zero touch).
Automatic DNS management. The Citrix ADM autoscale feature offers automatic DNS management. Whenever new Citrix ADC instances are added, the domain names are updated automatically.
Graceful connection termination. During a scale-in, the Citrix ADC instances are gracefully removed avoiding the loss of client connections.
Better cost management. Autoscaling dynamically increases or decreases Citrix ADC instances as needed. Running only needed instances enables users to optimize the costs involved. Users save money by launching instances only when they are needed and terminate them when they are not needed. Thus, users pay only for the resources they use.
Observability. Observability is essential to application dev-ops or IT personnel to monitor the health of the application. The Citrix ADM’s autoscale dashboard enables users to visualize the threshold parameter values, autoscale trigger time stamps, events, and the instances participating in autoscale.
Deployment Types
Three-NIC Deployment
Typical Deployments
StyleBook driven
With ADM
With GSLB (Route53 w/domain registration)
Licensing - Pooled/Marketplace
Use Cases
Three-NIC Deployments are used to achieve real isolation of data and management traffic.
Three-NIC Deployments also improve the scale and performance of the ADC.
Three-NIC Deployments are recommended for network applications where throughput is typically 1 Gbps or higher.
CFT Deployment
Customers deploy using CloudFormation Templates (CFTs) when they are customizing or automating their deployments.
Deployment Steps
Three-NIC Deployment for data center Expansion with Autoscale
The Citrix ADC VPX instance is available as an Amazon Machine Image (AMI) in the AWS marketplace, and it can be launched as an Elastic Compute Cloud (EC2) instance within an AWS VPC. The minimum EC2 instance type allowed as a supported AMI on Citrix VPX is m4.large. The Citrix ADC VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory. An EC2 instance launched within an AWS VPC can also provide the multiple interfaces, multiple IP addresses per interface, and public and private IP addresses needed for VPX configuration. Each VPX instance requires at least three IP subnets:
A management subnet
A client-facing subnet (VIP)
A back-end facing subnet (SNIP)
Citrix recommends three network interfaces for a standard VPX instance on AWS installation.
AWS currently makes multi-IP functionality available only to instances running within an AWS VPC. A VPX instance in a VPC can be used to load balance servers running in EC2 instances. An Amazon VPC allows users to create and control a virtual networking environment, including their own IP address range, subnets, route tables, and network gateways.
Note:
By default, users can create up to 5 VPCs per AWS region for each AWS account. Users can request higher VPC limits by submitting Amazon's request form: Amazon VPC Request.
Licensing Requirements
The Citrix ADC instances that are created for the Citrix autoscale group use Citrix ADC Advanced or Premium ADC licenses. Citrix ADC clustering feature is included in Advanced or Premium ADC licenses.
Users can choose one of the following methods to license Citrix ADCs provisioned by Citrix ADM:
Using ADC licenses present in Citrix ADM: Configure pooled capacity, VPX licenses, or virtual CPU licenses while creating the autoscale group. So, when a new instance is provisioned for an autoscale group, the already configured license type is automatically applied to the provisioned instance.
Pooled Capacity: Allocates bandwidth to every provisioned instance in the autoscale group. Ensure users have the necessary bandwidth available in Citrix ADM to provision new instances. For more information, see: Configure Pooled Capacity. Each ADC instance in the autoscale group checks out one instance license and the specified bandwidth from the pool.
VPX licenses: Applies the VPX licenses to newly provisioned instances. Ensure users have the necessary number of VPX licenses available in Citrix ADM to provision new instances. When a Citrix ADC VPX instance is provisioned, the instance checks out the license from the Citrix ADM. For more information, see: Citrix ADC VPX Check-in and Check-out Licensing.
Virtual CPU licenses: Applies virtual CPU licenses to newly provisioned instances. This license specifies the number of CPUs entitled to a Citrix ADC VPX instance. Ensure users have the necessary number of Virtual CPUs in Citrix ADM to provision new instances. When a Citrix ADC VPX instance is provisioned, the instance checks out the virtual CPU license from the Citrix ADM. For more information, see: Citrix ADC virtual CPU Licensing.
When the provisioned instances are destroyed or de-provisioned, the applied licenses are automatically returned to Citrix ADM.
To monitor the consumed licenses, navigate to the Networks > Licenses page.
Using AWS subscription licenses: Configure Citrix ADC licenses available in the AWS marketplace while creating the autoscale group. So, when a new instance is provisioned for the autoscale group, the license is obtained from AWS Marketplace.
Deploying Citrix ADC VPX Instances on AWS
When customers move their applications to the cloud, the components that are part of their application increase, become more distributed, and need to be dynamically managed.
With Citrix ADC VPX instances on AWS, users can seamlessly extend their L4-L7 network stack to AWS. With Citrix ADC VPX, AWS becomes a natural extension of their on-premises IT infrastructure. Customers can use Citrix ADC VPX on AWS to combine the elasticity and flexibility of the cloud, with the same optimization, security, and control features that support the most demanding websites and applications in the world.
With Citrix Application Delivery Management (ADM) monitoring their Citrix ADC instances, users gain visibility into the health, performance, and security of their applications. They can automate the setup, deployment, and management of their application delivery infrastructure across hybrid multi-cloud environments.
Architecture Diagram
The following image provides an overview of how Citrix ADM connects with AWS to provision Citrix ADC VPX instances in AWS.
Configuration Tasks
Perform the following tasks on AWS before provisioning Citrix ADC VPX instances in Citrix ADM:
Create subnets
Create security groups
Create an IAM role and define a policy
Perform the following tasks on Citrix ADM to provision the instances on AWS:
Create site
Provision Citrix ADC VPX instance on AWS
To Create Subnets
Create three subnets in a VPC. The three subnets required to provision Citrix ADC VPX instances in a VPC are management, client, and server. Specify an IPv4 CIDR block from the range that is defined in the VPC for each of the subnets. Specify the availability zone in which the subnet is to reside. Create all three subnets in the same availability zone.
The following image illustrates the three subnets created in the customer region and their connectivity to the client system.
For more information on VPC and subnets, see: VPCs and Subnets.
To Create Security Groups
Create a security group to control inbound and outbound traffic in the Citrix ADC VPX instance. A security group acts as a virtual firewall for a user instance. Create security groups at the instance level, and not at the subnet level. It is possible to assign each instance in a subnet in the user VPC to a different set of security groups. Add rules for each security group to control the inbound traffic that is passing through the client subnet to instances. Users can also add a separate set of rules that control the outbound traffic that passes through the server subnet to the application servers. Although users can use the default security group for their instances, they might want to create their own groups. Create three security groups - one for each subnet. Create rules for both incoming and outgoing traffic that users want to control. Users can add as many rules as they want.
For more information on security groups, see: Security Groups for Your VPC.
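The subnet and security-group layout from the two tasks above, as an added Python example (standard library only, no AWS API calls; not Citrix or AWS code). It carves the management, client and server subnets out of a VPC range in one availability zone, builds the inbound and outbound rule sets one would give the three security groups, and audits both for the mistakes the text warns against: overlapping or misplaced subnets and a management group reachable from the Internet. The VPC range, administrator range, zone, back-end range and ports are constructed values.

```python
"""Three-subnet plan and per-subnet security groups for a VPX instance on AWS.

Added illustration for this guide, not Citrix or AWS code. Everything here is
computed locally; creating the real objects is done in the console or with the
AWS CLI/CloudFormation as the guide describes.
"""
import ipaddress

# Constructed example values: a VPC range, an administrator range (taken from the
# documentation address block) and one availability zone.
VPC_CIDR = "10.0.0.0/16"
ADMIN_CIDR = "203.0.113.0/24"
AZ = "us-east-1a"
ANYWHERE = "0.0.0.0/0"


def plan_subnets(vpc_cidr: str, az: str, prefix: int = 24) -> dict:
    """Carve the management, client (VIP) and server (SNIP) subnets out of the VPC
    block as consecutive, non-overlapping ranges in a single availability zone."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    return {name: {"cidr": str(next(blocks)), "az": az}
            for name in ("management", "client", "server")}


def check_subnets(plan: dict, vpc_cidr: str) -> list:
    """Findings for subnets outside the VPC range, overlapping, or in different AZs."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(s["cidr"]) for name, s in plan.items()}
    findings = [f"{n} not inside {vpc}" for n, net in nets.items() if not net.subnet_of(vpc)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}")
    if len({s["az"] for s in plan.values()}) != 1:
        findings.append("subnets span more than one availability zone")
    return findings


def security_groups(plan: dict, admin_cidr: str, app_cidr: str) -> dict:
    """One group per subnet. Rules are (protocol, port, cidr) tuples.
    management: only the admin range reaches the ADC's SSH and HTTPS management ports;
    client: the VIP subnet accepts application traffic from the Internet;
    server: nothing inbound (return traffic is stateful), outbound only to the back ends."""
    return {
        "management-sg": {"inbound": [("tcp", 22, admin_cidr), ("tcp", 443, admin_cidr)],
                          "outbound": []},
        "client-sg": {"inbound": [("tcp", 80, ANYWHERE), ("tcp", 443, ANYWHERE)],
                      "outbound": []},
        "server-sg": {"inbound": [],
                      "outbound": [("tcp", 80, app_cidr), ("tcp", 443, app_cidr)]},
    }


def audit_security_groups(groups: dict) -> list:
    """Flag inbound rules that expose the management plane, or SSH anywhere, to the Internet."""
    findings = []
    for name, sg in groups.items():
        for proto, port, src in sg["inbound"]:
            open_to_all = ipaddress.ip_network(src).prefixlen == 0
            if name == "management-sg" and open_to_all:
                findings.append(f"{name}: {proto}/{port} open to {src}")
            elif port == 22 and open_to_all:
                findings.append(f"{name}: SSH open to {src}")
    return findings


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR, AZ)
    print(plan, check_subnets(plan, VPC_CIDR))
    groups = security_groups(plan, ADMIN_CIDR, VPC_CIDR)
    print(audit_security_groups(groups))
```

The client group is deliberately open on 80/443, because that is the VIP; the audit therefore only complains when the same exposure appears on the management group, which is the case the three-NIC design exists to prevent.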
To Create an IAM Role and Define a Policy
Create an IAM role so that customers can establish a trust relationship between their AWS account and the trusted Citrix AWS account, and create a policy with the permissions Citrix requires.
In AWS, click Services. In the left side navigation pane, select IAM > Roles > Create role.
Users are connecting their AWS account with the AWS account in Citrix ADM. So, select Another AWS account to allow Citrix ADM to perform actions in the AWS account.
Type in the 12-digit Citrix ADM AWS account ID. The Citrix ID is 835822366011. Users can also find the Citrix ID in Citrix ADM when they create the cloud access profile.
Enable Require external ID to connect to a third-party account. Requiring an external identifier increases the security of the role. Type an ID that can be any combination of characters.
Click Permissions.
In Attach permissions policies page, click Create policy.
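The role created in the steps above is assumed cross-account by the Citrix ADM account, which is the same trusted account for every customer; the external ID is what ties this particular role to one ADM tenant, so that the trusted account cannot be induced to use one customer's role on another customer's behalf. The following added Python example (not Citrix or AWS code) builds the trust policy that those console choices produce, using the Citrix account ID quoted in this guide, and evaluates AssumeRole requests against it the way IAM does. The external ID value and the 111122223333 caller account are constructed placeholders.

```python
"""Cross-account trust policy with an external ID, as configured in this guide.

Added illustration, not Citrix ADM or AWS code. It builds the trust policy that
"Another AWS account" plus "Require external ID" produce and models IAM's
evaluation of AssumeRole attempts against it.
"""
import secrets

CITRIX_ADM_ACCOUNT = "835822366011"   # Citrix ADM AWS account ID quoted in this guide


def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Only the trusted account may assume the role, and only when the AssumeRole
    call carries the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy: dict, caller_account: str, external_id=None) -> bool:
    """Model of how IAM evaluates an AssumeRole request against the trust policy:
    the caller's account must match the Principal and every StringEquals condition
    key must be present in the request with exactly the expected value. A request
    that omits the external ID fails the condition."""
    request = {} if external_id is None else {"sts:ExternalId": external_id}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request.get(key) == value for key, value in expected.items()):
            return True
    return False


def new_external_id() -> str:
    """Generate the external ID to type into the console: random and unguessable,
    using only characters AWS accepts in an external ID (letters, digits, - and _)."""
    return secrets.token_urlsafe(24)   # 32 URL-safe base64 characters


if __name__ == "__main__":
    ext_id = new_external_id()
    policy = build_trust_policy(CITRIX_ADM_ACCOUNT, ext_id)
    print("external ID:", ext_id)
    print("ADM with correct ID:", assume_role_allowed(policy, CITRIX_ADM_ACCOUNT, ext_id))
    print("ADM with no ID:     ", assume_role_allowed(policy, CITRIX_ADM_ACCOUNT))
    print("other account:      ", assume_role_allowed(policy, "111122223333", ext_id))
```

The value of the external ID is in its being specific to this customer and not guessable, which is why the example generates it rather than using a descriptive string; the same account ID with a wrong or missing external ID is refused.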
The list of permissions from Citrix is provided in the following box:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeRegions",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeHosts",
        "ec2:DescribeImages",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeAddresses",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeAttribute",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair",
        "ec2:ResetInstanceAttribute",
        "ec2:RunScheduledInstances",
        "ec2:ReportInstanceStatus",
        "ec2:StartInstances",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:UnmonitorInstances",
        "ec2:MonitorInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:ResetNetworkInterfaceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:AssociateAddress",
        "ec2:AllocateAddress",
        "ec2:ReleaseAddress",
        "ec2:DisassociateAddress",
        "ec2:GetConsoleOutput"
      ],
      "Resource": "*"
    }
  ]
}
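An added Python review check for the policy above (written for this guide, not Citrix code). It parses a policy document, separates the read-only Describe/Get actions from the state-changing ones, compares a policy found attached in an account against the list in this guide so that drift in either direction is caught (extra actions widen what the ADM role can do, missing ones break provisioning), and reports Allow statements that grant state-changing actions on Resource "*". The DEPLOYED_POLICY_JSON document is constructed to show a drifted policy; the action list is transcribed from the box above.

```python
"""Review checks for the IAM permissions policy attached to the Citrix ADM role.

Added illustration for this guide, not Citrix or AWS code.
"""
import json

# The 48 ec2 actions listed in this guide's policy, transcribed as an allowlist.
DOCUMENTED_ACTIONS = frozenset("""
ec2:DescribeInstances ec2:DescribeImageAttribute ec2:DescribeInstanceAttribute
ec2:DescribeRegions ec2:DescribeDhcpOptions ec2:DescribeSecurityGroups ec2:DescribeHosts
ec2:DescribeImages ec2:DescribeVpcs ec2:DescribeSubnets ec2:DescribeNetworkInterfaces
ec2:DescribeAvailabilityZones ec2:DescribeNetworkInterfaceAttribute ec2:DescribeInstanceStatus
ec2:DescribeAddresses ec2:DescribeKeyPairs ec2:DescribeTags ec2:DescribeVolumeStatus
ec2:DescribeVolumes ec2:DescribeVolumeAttribute ec2:CreateTags ec2:DeleteTags
ec2:CreateKeyPair ec2:DeleteKeyPair ec2:ResetInstanceAttribute ec2:RunScheduledInstances
ec2:ReportInstanceStatus ec2:StartInstances ec2:RunInstances ec2:StopInstances
ec2:UnmonitorInstances ec2:MonitorInstances ec2:RebootInstances ec2:TerminateInstances
ec2:ModifyInstanceAttribute ec2:AssignPrivateIpAddresses ec2:UnassignPrivateIpAddresses
ec2:CreateNetworkInterface ec2:AttachNetworkInterface ec2:DetachNetworkInterface
ec2:DeleteNetworkInterface ec2:ResetNetworkInterfaceAttribute
ec2:ModifyNetworkInterfaceAttribute ec2:AssociateAddress ec2:AllocateAddress
ec2:ReleaseAddress ec2:DisassociateAddress ec2:GetConsoleOutput
""".split())

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def load_policy(text: str) -> dict:
    """Parse a policy document and check it has the shape of the guide's example."""
    policy = json.loads(text)
    if policy.get("Version") != "2012-10-17" or not isinstance(policy.get("Statement"), list):
        raise ValueError("not a policy document with Version 2012-10-17 and a Statement list")
    return policy


def allowed_actions(policy: dict) -> set:
    """All actions granted by Allow statements (Action may be a string or a list)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions


def split_read_write(actions) -> tuple:
    """Separate read-only (Describe/Get/List) actions from state-changing ones."""
    read_only = {a for a in actions if a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)}
    return read_only, set(actions) - read_only


def drift(policy: dict, documented=DOCUMENTED_ACTIONS) -> dict:
    """Compare a deployed policy with the documented list."""
    actual = allowed_actions(policy)
    return {"extra": sorted(actual - documented), "missing": sorted(documented - actual)}


def broad_write_statements(policy: dict) -> list:
    """Allow statements granting state-changing actions on Resource "*", i.e. on every
    instance, network interface and address in the account, not only ADM-managed ones."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        _, writes = split_read_write(allowed_actions({"Statement": [stmt]}))
        if "*" in resources and writes:
            hits.append((i, sorted(writes)))
    return hits


# Constructed policy as it might be found attached in an account: the documented
# list with one extra action added and one documented action missing.
DEPLOYED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted((DOCUMENTED_ACTIONS - {"ec2:DescribeTags"}) | {"iam:PassRole"}),
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    deployed = load_policy(DEPLOYED_POLICY_JSON)
    print("drift:", drift(deployed))
    for index, writes in broad_write_statements(deployed):
        print(f"statement {index}: {len(writes)} state-changing actions on Resource *")
```

The read/write split is what a reviewer wants in front of them when deciding whether a role is acceptable: of the 48 documented actions, 21 only read EC2 state and 27 create, modify or terminate instances, interfaces and addresses, and the guide's statement grants all of them on every resource in the account.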