Provisioning Citrix ADC VPX Instances on AWS

When you move your applications to the cloud, the components that are part of your application increase, become more distributed, and need to be dynamically managed.

With Citrix ADC VPX instances on AWS, you can seamlessly extend your L4-L7 network stack to AWS. With Citrix ADC VPX, AWS becomes a natural extension of your on-premises IT infrastructure. You can use Citrix ADC VPX on AWS to combine the elasticity and flexibility of the cloud, with the same optimization, security, and control features that support the most demanding websites and applications in the world.

With Citrix ADM monitoring your Citrix ADC instances, you gain visibility into the health, performance, and security of your applications. You can automate the setup, deployment, and management of your application delivery infrastructure across hybrid multi-cloud environments.

AWS terminology

The following section provides a brief description of the AWS terms used in this document:

| Term | Definition |
|---|---|
| Amazon Machine Image (AMI) | A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud. |
| Elastic Compute Cloud (EC2) | A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. |
| Elastic network interface (ENI) | A virtual network interface that you can attach to an instance in a VPC. |
| Instance type | Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications. |
| Identity and Access Management (IAM) role | An AWS identity with permission policies that determine what the identity can and cannot do in AWS. You can use an IAM role to enable applications running on an EC2 instance to securely access your AWS resources. |
| Security groups | A named set of allowed inbound network connections for an instance. |
| Subnets | A segment of the IP address range of a VPC that EC2 instances can be attached to. You can create subnets to group instances according to security and operational needs. |
| Virtual Private Cloud (VPC) | A web service for provisioning a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. |

Prerequisites

This document assumes the following:

  • You possess an AWS account.

  • You have created the required VPC and selected the availability zones.

  • You have added the Citrix ADM agent in AWS.

For more information on how to create an account and other tasks, see AWS Documentation.

For more information on how to install Citrix ADM agent on AWS, see Installing Citrix ADM agent on AWS.

Architecture Diagram

The following image provides an overview of how Citrix ADM connects with AWS to provision Citrix ADC VPX instances in AWS.

[Image: Provision standalone VPX]

Configuration tasks

Perform the following tasks on AWS before you provision Citrix ADC VPX instances in Citrix ADM:

  • Create subnets

  • Create security groups

  • Create an IAM role and define a policy

Perform the following tasks on Citrix ADM to provision the instances on AWS:

  • Create site

  • Provision Citrix ADC VPX instance on AWS

To create subnets

Create three subnets in your VPC. The three subnets required to provision Citrix ADC VPX instances in your VPC are management, client, and server. For each subnet, specify an IPv4 CIDR block from the range that is defined in your VPC, and specify the availability zone in which you want the subnet to reside. Create all three subnets in the same availability zone. The following image illustrates the three subnets created in your region and their connectivity to the client system.

[Image: Provision AWS VPX standalone]

For more information on VPC and subnets, see VPCs and Subnets.
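The subnet rules above (three roles, CIDR blocks inside the VPC range, one availability zone) can be checked before anything is created. The following is an added example, not Citrix or AWS code; the function name, the plan layout, and the sample CIDRs and zone names are assumptions constructed for illustration.

```python
import ipaddress

REQUIRED_ROLES = {"management", "client", "server"}  # the three subnets named above

def validate_subnet_plan(vpc_cidr, subnets):
    """Check a planned subnet layout; return a list of problems (empty = OK).

    subnets is a list of dicts with the keys role, cidr and az.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    missing = REQUIRED_ROLES - {s["role"] for s in subnets}
    if missing:
        problems.append("missing subnet role(s): " + ", ".join(sorted(missing)))
    if len({s["az"] for s in subnets}) > 1:
        problems.append("subnets span more than one availability zone")
    seen = []
    for s in subnets:
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            problems.append(f"{s['role']} {net} is outside VPC {vpc}")
        for other_role, other in seen:
            if net.overlaps(other):
                problems.append(f"{s['role']} {net} overlaps {other_role} {other}")
        seen.append((s["role"], net))
    return problems

# Constructed sample plans (addresses and zone names are illustrative only).
GOOD_PLAN = [
    {"role": "management", "cidr": "10.0.1.0/24", "az": "us-east-1a"},
    {"role": "client", "cidr": "10.0.2.0/24", "az": "us-east-1a"},
    {"role": "server", "cidr": "10.0.3.0/24", "az": "us-east-1a"},
]
BAD_PLAN = [
    {"role": "management", "cidr": "10.0.1.0/24", "az": "us-east-1a"},
    {"role": "client", "cidr": "10.0.1.128/25", "az": "us-east-1a"},
    {"role": "server", "cidr": "10.1.3.0/24", "az": "us-east-1b"},
]

if __name__ == "__main__":
    print(validate_subnet_plan("10.0.0.0/16", GOOD_PLAN))
    for problem in validate_subnet_plan("10.0.0.0/16", BAD_PLAN):
        print(problem)
```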

To create security groups

Create a security group to control inbound and outbound traffic in the Citrix ADC VPX instance. A security group acts as a virtual firewall for your instance. Create security groups at the instance level, and not at the subnet level. It is possible to assign each instance in a subnet in your VPC to a different set of security groups. Add rules for each security group to control the inbound traffic that is passing through the client subnet to instances. You can also add a separate set of rules that control the outbound traffic that passes through the server subnet to the application servers. Although you can use the default security group for your instances, you might want to create your own groups. Create three security groups, one for each subnet. Create rules for both incoming and outgoing traffic that you want to control. You can add as many rules as you want.

For more information on security groups, see Security Groups for your VPC.

To create an IAM role and define a policy

Create an IAM role to establish a trust relationship between your users and the Citrix trusted AWS account, and create a policy with Citrix permissions.

  1. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role.

  2. You are connecting your AWS account with the AWS account in Citrix ADM. So, select Another AWS account to allow Citrix ADM to perform actions in your AWS account.

    Type in the 12-digit Citrix ADM AWS account ID. The Citrix ID is 835822366011. You can also find the Citrix ID in Citrix ADM when you create the cloud access profile.

    [Image: Provision VPX standalone]

  3. Enable Require external ID to connect to a third-party account. You can increase the security of your role by requiring an optional external identifier. Type an ID that can be a combination of any characters.

  4. Click Permissions.

  5. In the Attach permissions policies page, click Create policy.

  6. You can create and edit a policy in the visual editor or by using JSON.

    The list of permissions from Citrix is provided in the following box:

    {
    "Version": "2012-10-17",
    "Statement":
    [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeRegions",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeHosts",
                "ec2:DescribeImages",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeAddresses",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeAttribute",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:ResetInstanceAttribute",
                "ec2:RunScheduledInstances",
                "ec2:ReportInstanceStatus",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:UnmonitorInstances",
                "ec2:MonitorInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:CreateNetworkInterface",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ResetNetworkInterfaceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssociateAddress",
                "ec2:AllocateAddress",
                "ec2:ReleaseAddress",
                "ec2:DisassociateAddress",
                "ec2:GetConsoleOutput"
            ],
            "Resource": "*"
        }
    ]
    }
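Once the role exists, its trust policy should name only the Citrix ADM account from step 2 and carry the external ID from step 3, and the permissions policy above grants state-changing EC2 actions on every resource. The following is an added example, not Citrix or AWS code, that checks both on policy documents held as Python dicts; the function names, the sample policies, the `example-external-id` placeholder and the account `111122223333` are assumptions constructed for illustration.

```python
CITRIX_ADM_ACCOUNT = "835822366011"  # Citrix ADM AWS account ID given on this page

def _as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_account=CITRIX_ADM_ACCOUNT):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            # Principal is either a bare account ID or arn:aws:iam::<account>:root
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != expected_account:
                findings.append(f"unexpected principal: {arn}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition")
    return findings

def unscoped_write_actions(policy):
    """List allowed actions that change state and apply to Resource "*"."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            hits += [a for a in _as_list(stmt.get("Action", []))
                     if not a.split(":")[-1].startswith(("Describe", "Get", "List"))]
    return sorted(hits)

# Constructed samples. EXTERNAL_ID is a placeholder, not a value from the page.
EXTERNAL_ID = "example-external-id"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{CITRIX_ADM_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}
# Four of the actions from the policy above, enough to show both outcomes.
PERMS_EXCERPT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "ec2:GetConsoleOutput",
               "ec2:RunInstances", "ec2:TerminateInstances"]}]}

if __name__ == "__main__":
    print(audit_trust_policy(GOOD_TRUST), audit_trust_policy(BAD_TRUST))
    print(unscoped_write_actions(PERMS_EXCERPT))
```

Run against the full policy above, `unscoped_write_actions` returns every action that is not a `Describe`, `Get` or `List` call; this page does not say whether Citrix ADM works with a narrower `Resource`, so treat the output as a review list.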