Citrix ADC GSLB on Microsoft Azure Step-by-Step

This blog post is cross posted on arnaudpain.com and tech-addict.fr, as we (Arnaud Pain and Samuel Legrand) have decided to work together to present this topic in mulitple events in 2019.

We have decided to work on this presentation to help users understand how they can rely on Azure for their data protection.

Here after some more information on the implementation and our feedback.

What is ADC and GSLB?

Citrix ADC on Azure vs On-premises

  • In an on-premises deployment, a Citrix ADCVPX instance requires, at least three IP addresses:
    • Management IP address called the Citrix ADC IP (NSIP)
    • Subnet IP (SNIP) address for communicating with the server farm
    • Vitual server IP (VIP) address for accepting client requests
  • In an Azure deployment, only one IP address (a private (internal) address) is assigned to an instance during provisioning through DHCP.

Why ADC + GSLB on Azure and not Azure Traffic Manager?

Citrix ADC can be used in combination with GSLB feature to provide Business Continuity or Disaster Recovery for Citrix solutions but also to protect for example web sites.

Azure Deployment

You can deploy Citrix ADC VPX instances on ARM either as standalone instances or as high availability pairs in active-active or active-standby modes.

In this scenario, each VM has three NICs – NIC 0/1, 1/1, and 1/2. The NICs are configured for the following purposes.

  • NIC 0/1: to serve management traffic
  • NIC 1/1: to serve client-side traffic
  • NIC 1/2: to communicate with back-end servers

Our Lab

The following procedure is based on a Lab we used for our tests.

The Lab is composed of 2 Citrix ADC 13.0 in HA pair, 1 in US and 1 in France.

Behind those ADC we have a Web Server for the purpose of this Demo.

We will show you how to deploy and configure GSLB Active-Active configuration with static proximity.

Step-by-Step guide

ADC HA Pair deployment

Web Server Deployment

Reduce costs

By default our ADC HA pair is deployed using DS3 v2 instances for around $170 in East US 2 Azure resource location, changing to B2ms will help reduce costs to around $62.

Changing type from Premium SSD to Standard SSD will also help to reduce cost.

It can be interesting to change instance size and disk for Dev/Test, for production this will need validation to ensure to not impact the performance.

External Access to Citrix ADC

By default you will not be able to access ADC web portal, in fact only SSH port 22 is opened when Template is deployed.

You will need to add an inbound rules, in our case we will authorize SSL connection.

ADC Configuration

Now we can access our ADC using the public IP on SSL.

We will make the initial configuration which is basic:

  • Install License
  • Configure Load Balance Virtual Server for our internal Web Server
  • Validate access to the web server

Reminder: GSLB Feature require Enterprise License

Azure GLSB PIP using Azure Web Portal

Azure GSLB PIP using PowerShell

If you want to use Azure PowerShell to create GSLB PIP, you will need first to provide some variable (to adjust based on your environment)

$locName=”East US 2”

$rgName=”CitrixADC”

$pubIPName4=”PIPFORGSLB1”

$domName4=”usvpxgslbdns”

$lbName=”alb”

$frontEndConfigName2=”FrontEndIP2”

$backendPoolName1=”bepool-11″

$lbRuleName2=”LBRuleGSLB1”

$lbRuleName3=”LBRuleGSLB2”

$lbRuleName4=”LBRuleDNS”

$healthProbeName=”probe-11”

After you will need to run the following command

$pip4=New-AzureRmPublicIpAddress -Name $pubIPName4 -ResourceGroupName $rgName -DomainNameLabel $domName4 -Location $locName -AllocationMethod Static

Get-AzureRmLoadBalancer -Name $lbName -ResourceGroupName $rgName | Add-AzureRmLoadBalancerFrontendIpConfig -Name $frontEndConfigName2 -PublicIpAddress $pip4 | Set-AzureRmLoadBalancer

$alb = get-AzureRmLoadBalancer -Name $lbName -ResourceGroupName $rgName

$frontendipconfig2=Get-AzureRmLoadBalancerFrontendIpConfig -LoadBalancer $alb -Name $frontEndConfigName2

$backendPool=Get-AzureRmLoadBalancerBackendAddressPoolConfig -LoadBalancer $alb -Name $backendPoolName1

$healthprobe=Get-AzureRmLoadBalancerProbeConfig -LoadBalancer $alb -Name $healthProbeName

$alb | Add-AzureRmLoadBalancerRuleConfig -Name $lbRuleName2 -BackendAddressPool $backendPool -FrontendIPConfiguration  $frontendipconfig2 -Protocol “Tcp” -FrontendPort 3011 -BackendPort 3011 -Probe $healthprobe -EnableFloatingIP  | Set-AzureRmLoadBalancer

$alb | Add-AzureRmLoadBalancerRuleConfig -Name $lbRuleName3 -BackendAddressPool $backendPool -FrontendIPConfiguration  $frontendipconfig2 -Protocol “Tcp” -FrontendPort 3010 -BackendPort 3010 -Probe $healthprobe -EnableFloatingIP  | Set-AzureRmLoadBalancer

$alb | Add-AzureRmLoadBalancerRuleConfig -Name $lbRuleName4 -BackendAddressPool $backendPool -FrontendIPConfiguration  $frontendipconfig2 -Protocol “Udp” -FrontendPort 53 -BackendPort 53 -Probe $healthprobe -EnableFloatingIP  | Set-AzureRmLoadBalancer

ADC GSLB Configuration

ADC GSLB Configuration using CLI

If you want to use Citrix ADC CLI to configure GSLB, you will need first to provide some variable (to adjust based on your environment):

enable ns feature LB GSLB

add service dnssvc 137.116.81.134 ADNS 53

add gslb site site1 40.89.140.106 -publicIP 40.89.140.106

add gslb site site2 137.116.81.134 -publicIP 137.116.81.134

add gslb service site1_gslb_http_svc1 40.89.142.161 HTTP 80 -publicIP 40.89.142.161 -publicPort 80 -siteName site1

add gslb service site2_gslb_http_svc1 52.179.142.180 HTTP 80 -publicIP 52.179.142.180 -publicPort 80 -siteName site2

add gslb vserver gslb_http_vip1 HTTP

bind gslb vserver gslb_http_vip1 -serviceName site1_gslb_http_svc1

bind gslb vserver gslb_http_vip1 -serviceName site2_gslb_http_svc1

bind gslb vserver gslb_http_vip1 -domainName gslb.tech-addict.fr -TTL 5

ADC GSLB Verification

Azure GSLB Rules

To have GSLB MEP works correctly we will need to create some rules to allow traffic between HA pair

ADC GSLB Validation

DNS Entries

You will need then to create DNS entries for GSLB to work correctly:

1 Global entry with type NS point to each Azure Resource Location Load Balancer Public IP

In our example:

  • gslb.tech-addict.fr Type: NS Target: usnsadns.tech-addict.fr
  • gslb.tech-addict.fr Type: NS Target: frnsadns.tech-addict.fr

2 entries with type A for each pointing to GSLB PIP:

  • usnsadns.tech-addict.fr Type: NS Target: 137.116.81.134
  • frnsadns.tech-addict.fr Type: NS Target: 40.89.140.106

DNS Validation

Configuration Validation

Test GSLB

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.