Deploy SD-WAN Standard Edition instances in High Availability mode in Azure - Release Version 10.2 and above 编辑

August 22, 2022 Contributed by:  HC

The Citrix SD-WAN Azure solution deploys Citrix SD-WAN in Edge Gateway Mode as a single instance, or a cluster pair for High Availability (HA). In an HA deployment, an Azure Load Balancer (ALB) controls the failover between the WAN interfaces of the Citrix SD-WAN appliances.

You can use the Azure load-balancer (ALB) on the LAN side to control failover on the LAN side of the SD-WAN appliances. The Citrix SD-WAN Azure solution in HA creates two separate ALBs (each one on LAN and WAN).

The following diagram illustrates the Citrix SD-WAN Azure HA deployment:

Azure HA lb

The SD-WAN Standard Edition deployment in Azure is required to be deployed in Edge or Gateway mode deployment where the SD-WAN instance acts as the gateway for the LAN environment. For more information, see Gateway mode
.


How to deploy Citrix SD-WAN

To create Citrix SD-WAN Standard Edition (SE) instance:

  1. Search for Citrix SD-WAN in the Azure Marketplace and select Citrix SD-WAN Standard Edition 10.2.X.

    Citrix SD-WAN se 10-2-x

  2. Click Create button to create the Citrix SD-WAN SE 10.2.X Instance.

    Create

  3. Configure Basic settings page and provide the Resource group name with the appropriate Location.

    Basic settings location

    Note

    To create an instance either a new resource group must be created or the resource group must be empty to be reused.

  4. Name the Virtual Machine, select Enabled for HA Deployment Mode, and create a Username and Password.

    Admin password Azure

    Note

    Use admin as a user name for the provisioned instance with the same password that was given during provisioning to get the admin access. In the previously mentioned screenshot, the provisioned user has the guest privilege.

  5. Select the Virtual Machine size based on the requirement.

    VM size

  6. From Citrix SD-WAN 11.0.3 release, by default 120 GB of OS Disk Size is allocated. If necessary, you can modify the disk size to a value between 40 GB to 999 GB.

    OS disk size

  7. Use an existing VNet in the location specified or create a new.

    Existing VNet

  8. Once the Vnet is created, confirm the auto-populated subnets for Management, LAN, WAN, and AUX, then click OK.

    Subnet-AUX

  9. Validate the configuration before the Instance creation.

    10-2 Azure HA step4

  10. Click Create.

    10-2 Azure HA step5

How to configure Citrix SD-WAN HA in Azure

  1. Determine the IP addresses assigned to the SD-WAN interfaces. Navigate to Virtual Machines > SDWSEA (or as appropriate)> Networking, and examine the IP of each Azure Network Interface.

    • In this deployment, SDWSEA Interface 0 for Management is 10.100.254.4/13.67.93.144.

      Deploy HA Azure

    • The SDWSEA Interface 1 LAN VIP is 10.100.1.4. SDWAN LAN

    • The SDWSEA Interface 2 WAN VIP is 10.100.0.4. SDWAN WAN2

    • The SDWSEA Interface 3 HA Tracking IP (not VIP) is 10.100.253.4: Interface HA

    • Repeat the procedure for the secondary Citrix SD-WAN appliance.

  2. Determine the SD-WAN ALB Public IP. Navigate to Load Balancers > sdwanha-external. Select the correct ALB based on the Resource Group created during the deployment.

    Load balancer Azure

    You can see 2 load balancer as following:

    • External: External LB contains the public IP that you configure in the WAN link configuration.
    • Internal: Internal LB contains private IP. All LAN side traffic comes to the internal LB. So you can configure the route table with Internal LB IP as a next hop.
  3. Proceed to the SD-WAN MCN appliance or SD-WAN Center to configure the SD-WAN HA site. In this topic, the SDWSWEA and SDWSEASec appliances are the MCN appliances.

    Note

    You can configure Citrix SD-WAN HA in Azure through SD-WAN Orchestrator as well.

  4. The SDWANSEA and SDWANSEASec Interface Group Configuration is provided as follows. Bypass mode is set to fail-to-block since only one Ethernet/physical interface is used per virtual interface. The WAN Interface must be set to Trusted to accept connections from the ALB.

    Interface group Azure

  5. The Virtual IP configuration is provided as follows. Note the HA VIP is not the IP addressed assigned to Interface three. Use an available IP address in the appropriate subnet (the subnet assigned to the AUX interface) and not the IP assigned to the Citrix SD-WAN appliances. Note only one VIP in each subnet is the Identity IP.

    Virtual IP Azure

    Two virtual IPs are assigned for both LAN and WAN Virtual Interfaces. One IP belongs to Primary SD-WAN Virtual Machine and the other IP belongs to Secondary SD-WAN Virtual Machine both on LAN and WAN respectively. Only the Primary IP is enabled with Identity.

  6. The SDWANSEA WAN Link Settings are provided as follows. Note to configure External load balancer Public IP Address as part of WAN link Public IP Address setting. The SD-WAN license determines the bandwidth settings.

    WAN link Azure settings

  7. The Access Interface settings are as follows. The 10.100.0.1 IP is an Azure reserved IP.

    Access interface Azure

  8. HA settings are as follows. The primary and secondary IP address as part of this HA setting must be configured with the AUX Interface IP address of both Primary and Secondary Virtual Machines respectively.

    HA settings Azure

  9. Click Apply.

  10. To have LAN traffic go through SD-WAN, add a route table on Azure with a route whose next hop points to Azure Internal Load-balancer IP. And associate the LAN subnet to the route table created.

    If at all you must route all the traffic through SD-WAN, create a default route whose next-hop is pointing to Internal Load balancer IP.

    Add route

    Associate LAN subnet


Internet breakout for Azure MCN (HA mode)

To configure Internet breakout on Azure MCNs deployed in HA mode:

  1. In the MCN appliance configure DHCP IP on the WAN interface with Public IP configured for the WAN link.
  2. Configure Internet service on the MCN.
  3. Add an Outbound Dynamic port restricted NAT with the inside service as Internet.
  4. Add a firewall policy on the MCN to allow Azure load balancer health probes on port number 500.
  5. Add another load balancing rule on the Azure external load balancer for TCP on port number 80, with direct server return disabled.

    Direct server return disabled

  6. On the end client machine that must breakout to the internet, set the route next hop IP address to the Internal Load Balancer private IP address. The load balancer IP is configured as LAN VIP in the MCN.

Note

  • Azure MCNs do not support DHCP IP configuration on HA appliances running a software version prior to SD-WAN 11.2.1.
  • Standalone Azure MCNs support static IP configurations.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:78 次

字数:11219

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文