Public cloud adoption, especially Azure and AWS, is on the rise in the EMEA region. Government policies still restrict government entities from going all in with public cloud; nevertheless, enterprises are very much starting to ride the wave. Given the current situation, especially in the GCC (oil prices and war), an OPEX model is what most customers are looking for, so the cloud offers a safe haven and an optimal solution. Citrix's strategy is cloud, no doubt about it: the recent alignment with Microsoft (Azure RemoteApp deprecated in favour of XenApp Essentials, with DaaS via XenDesktop Essentials to be released soon) and Citrix Cloud are the way of the future in terms of OPEX management.
I don’t want to repeat myself by stating that Citrix documentation is inefficient to say the least (I did repeat myself), so let’s jump into the actual configuration. The whole aim of this post is to give a more detailed step-by-step guide on how to configure Active-Active load balancing of Citrix NetScaler on Azure ARM (Azure Resource Manager). The Active-Passive configuration has been covered by many CTPs and can easily be googled, so there is no need to showcase that as well.
An ARM virtual network is created with at least two subnets (each NetScaler will be hosted on a separate subnet but within the same virtual network); this is not mandatory, but it makes this post clearer. Check the earlier post [ http://www.diyar.online/2016/06/netscaler-cloudbridge-connector-with-microsoft-azure-ipsec-vpn-on-mikrotik-router/ ] on how to create a virtual network and subnets through the GUI, and the earlier post [ http://www.diyar.online/2017/02/configuring-multiple-vips-for-citrix-netscaler-vpx-on-microsoft-azure-arm-cloud-guide/ ] on how to do it through PowerShell. AD, XD, SF and the other components are better placed on a different subnet as well, but that is neither mandatory nor required.
Citrix XD/SF and Active Directory are already implemented on Azure or are reachable through an IPsec tunnel from on-premises. For how to create a site-to-site IPsec tunnel with Azure using the NetScaler CloudBridge Connector on-premises, check this post; it applies to other routers/firewalls as well [ http://www.diyar.online/2016/06/netscaler-cloudbridge-connector-with-microsoft-azure-ipsec-vpn-on-mikrotik-router/ ].
All deployed components are within the same Resource Group and Region.
Create two NetScaler VPX instances, each connected to a different subnet, and both in the same Availability Set, which is created within the new VPX wizard. A public IP for each NetScaler VPX is not required, as management can be NATed through the load balancer; nevertheless, for the sake of testing I am going to add a public IP for each and also configure NATing later for your reference (management of each NetScaler VPX will be accessible using the load balancer public IP on different ports). While a VPX has its own public IP, keep the management rules in its Network Security Group scoped to your admin source addresses rather than the whole Internet. Each NetScaler will have an identical Access Gateway configuration except for the management IP, obviously.
Create a load balancer with a frontend IP pool mapped to a new public IP, connect the backend IP pool to the two NetScaler VPX instances created earlier, configure a health probe, and create the load balancing rule for NetScaler Access Gateway. Also configure NATing for management access to both VPX instances.
Configure Access Gateway on each NetScaler independently.
Create a new VPX (NetScaler-1):
Make sure that the virtual network that is going to be used for NetScaler is within the Resource Group chosen below.
Select the size required for the NetScaler VPX; the larger the size, the more SSL connections/requests can be handled. Check the NetScaler Azure guide from Citrix for more information.
Choose the existing virtual network (the small lock beside it is there because it’s the only virtual network available in the resource group chosen in the earlier steps), choose one of the subnets, keep the new public IP (not required), create a new Network Security Group with the default inbound rules (we will change them later), create a new Availability Set with the defaults, click OK to continue, and Purchase.
Create the secondary NetScaler VPX (NetScaler-2) using the same procedure, but connecting to the same virtual network and the second subnet, with a new public IP, and joining the Availability Set created earlier (NetScaler-AvailabilitySet):
After deployment, let’s check the private and public IP of NetScaler-1 and NetScaler-2. Also add an HTTPS 443 allow rule on NetScaler-SecurityGroup to allow management via the public IP of each VPX (since we have not created the load balancer yet, the public IP of each VPX comes in handy); set the rule’s source to your admin IP addresses rather than Any. Then let’s initialize and configure Access Gateway on each NetScaler.
Private & Public IP of NetScaler-1
Private & Public IP of NetScaler-2
Open port 443 on NetScaler-SecurityGroup (which will apply to both NetScaler VPX public IPs, since both are part of this security group). Click the box beside Inbound security rules.
Don’t mind the red marks; they appear because I already have rules created with the same names, and I edited them out of the picture for your convenience (that is why the default SSH rule is not showing). Choose whatever name makes sense, such as NS Mgmt. Later on, the public IPs of both NetScalers can be removed and NATing on the load balancer used to reach the management interface.
Since NetScaler on Azure has several well-known ports reserved for internal use (e.g. 80, 443, 9000, ...), the Access Gateway created on each NetScaler will use a custom port of our choosing that does not conflict with the reserved ports. No worries: AG will be reachable on 443 later through the port translation built into Azure load balancing rules, but for now we have to open access to the port used. For my example I am using port 15000; the same port will be used for the AG hosted on both the first and the second NetScaler.
Add a rule to allow port 15000 using the same procedure as before; the following should be the final look of the inbound security rules.
Now the public IPs of NetScaler-1 and NetScaler-2 should be reachable for NetScaler management. Let’s start by configuring NetScaler-1:
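As an added example (not code from the original post), the same two inbound rules can be created with the AzureRM PowerShell module instead of the portal. The resource group name, the admin source address (a TEST-NET-3 placeholder) and the rule priorities are assumptions; the NSG name and ports are the ones used above. The management rule is scoped to the admin address instead of Any, while the Access Gateway port stays open to the Internet because users connect to it.

```powershell
# Added example: create the NSG inbound rules for NetScaler management (443) and
# the custom Access Gateway port (15000) with AzureRM PowerShell.
# (The newer Az module uses the same cmdlets with the Az prefix.)

$rgName  = "NetScaler-RG"             # assumption: resource group used for the deployment
$nsgName = "NetScaler-SecurityGroup"  # NSG name used in the post
$adminIp = "203.0.113.10/32"          # assumption: your admin/office public IP (placeholder)

$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Management over HTTPS to the NSIP: allowed from the admin address only.
# The same rule also covers the LB inbound NAT for management later on, because
# Azure LB NAT preserves the client source IP and the backend port is still 443.
$nsg = $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "NS-Mgmt-HTTPS" `
    -Description "NetScaler management (NSIP) over HTTPS from admin IP only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix $adminIp -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443

# Access Gateway vServer on the custom port 15000: user-facing, so open to the
# Internet service tag. The LB rule 443 -> 15000 added later relies on this rule.
$nsg = $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "NS-AccessGateway-15000" `
    -Description "NetScaler Gateway vServer on custom port 15000" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 210 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 15000

# Commit the changes and list the resulting custom inbound rules.
$nsg = $nsg | Set-AzureRmNetworkSecurityGroup
$nsg.SecurityRules |
    Select-Object Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Leave the default rule AllowAzureLoadBalancerInBound in place: it is what lets the Azure LB health probe (source 168.63.129.16) reach port 9000 on each VPX once the load balancer exists. If you keep the default SSH rule the VPX wizard created, scope its source to the same admin address.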
Do not enter a subnet IP (NetScaler on Azure runs in single-IP mode), and make sure the other settings are configured, including licensing (Bring-Your-Own).
Make sure the required basic features are enabled (for our case only NetScaler Gateway, Load Balancing, and SSL Offloading are required).
Go to the NetScaler for XenApp & XenDesktop wizard to start the AG deployment (I have already added an SSL certificate to the NetScaler).
The Gateway FQDN is a public domain name mapped in public DNS to the public IP of the load balancer that will be created later, so services are accessed through the Azure LB public IP; the certificate bound to the gateway must cover this FQDN, since that is the name clients connect to. The IP of the gateway is the same private IP assigned to the NetScaler. The port, as discussed earlier, will be 15000.
Change the theme for this Access Gateway so that it can be distinguished, when testing, from the second Access Gateway that will be created on the second VPX.
Connect to the public IP of the second NetScaler and configure it the same as before, except that the IP of the Access Gateway will be the private IP of the second NetScaler.
Again, the dedicated public IPs created for both NetScaler VPX instances come in handy here. We can now test both Access Gateways by using the public IP of each NetScaler and port 15000.
Great. Now let’s create the Azure load balancer, which allows us to meet two very important requirements: actively load balancing both Access Gateways, and access through port 443.
Create new Azure Load Balancer:
Create a new public IP and make sure it is assigned as static. The resource group is the same one used earlier.
After the deployment of the load balancer is complete, navigate to the created load balancer and go to Frontend IP pool. This should be configured automatically since we chose to create the IP through the LB wizard; nevertheless, if you have an IP created earlier, click Add and choose it.
Navigate to Backend pools and click Add. Make sure the availability set selected is the one created earlier for NetScaler, and choose both NetScaler virtual machines.
Navigate to Health probes and create a TCP probe on port 9000 (this port is an internal port used by NetScaler and is the one Citrix recommends as the probe target for the Azure LB).
Navigate to Load balancing rules, click Add, and fill in as depicted below (frontend port 443, backend port 15000, the probe created above, and session persistence set to Client IP).
Load balancing is done, and now Access Gateway on both NetScalers should be accessible through the public IP, for which I have created a DNS record, ag.diyarunited.com, for testing purposes. One more thing is to add two inbound NAT rules for management of NetScaler-1 and NetScaler-2, after which the public IPs created for them can be deleted safely. I will choose a management port of 16000 for NetScaler-1 and 18000 for NetScaler-2, each translated to port 443 on the respective VPX.
NetScaler-1 Management: https://ag.diyarunited.com:16000
NetScaler-2 Management: https://ag.diyarunited.com:18000
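As an added example (not code from the original post), the whole load balancer built above through the portal, with the 9000 probe, the 443 to 15000 rule with Client IP persistence and the two management NAT rules, can be created in one go with the AzureRM PowerShell module. The resource group, region, load balancer name and the NIC names of the two VPX instances are assumptions; the ports are the ones used in this post. Where the portal attaches the backend pool through the availability set, the script attaches each NetScaler NIC directly.

```powershell
# Added example: Azure Load Balancer for two NetScaler VPX Access Gateways with AzureRM PowerShell.
# Assumed names: resource group, region, LB name and the two NetScaler NIC names.

$rgName   = "NetScaler-RG"      # assumption
$location = "West Europe"       # assumption
$lbName   = "NetScaler-LB"      # assumption
$natPorts = @{ "netscaler-1-nic" = 16000; "netscaler-2-nic" = 18000 }  # assumption: NIC name -> mgmt frontend port

# 1. Static public IP used as the LB frontend (ag.diyarunited.com points here in public DNS).
$pip = New-AzureRmPublicIpAddress -Name "$lbName-PIP" -ResourceGroupName $rgName `
    -Location $location -AllocationMethod Static

# 2. Frontend and backend pool definitions.
$frontend = New-AzureRmLoadBalancerFrontendIpConfig -Name "LB-Frontend" -PublicIpAddress $pip
$backend  = New-AzureRmLoadBalancerBackendAddressPoolConfig -Name "NetScaler-Backend"

# 3. Health probe on TCP 9000, the internal NetScaler port Citrix recommends for the Azure LB probe.
$probe = New-AzureRmLoadBalancerProbeConfig -Name "NS-Probe-9000" -Protocol Tcp -Port 9000 `
    -IntervalInSeconds 5 -ProbeCount 2

# 4. Load balancing rule: public 443 -> Access Gateway on 15000 on each VPX, Client IP persistence
#    (SourceIP), so a given client keeps hitting the same gateway for the life of its session.
$agRule = New-AzureRmLoadBalancerRuleConfig -Name "AccessGateway-443" `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe `
    -Protocol Tcp -FrontendPort 443 -BackendPort 15000 `
    -LoadDistribution SourceIP -IdleTimeoutInMinutes 30

# 5. Inbound NAT rules for management: 16000 -> NetScaler-1:443 and 18000 -> NetScaler-2:443.
$natRules = foreach ($nicName in $natPorts.Keys) {
    New-AzureRmLoadBalancerInboundNatRuleConfig -Name "Mgmt-$nicName" `
        -FrontendIpConfiguration $frontend -Protocol Tcp `
        -FrontendPort $natPorts[$nicName] -BackendPort 443
}

# 6. Create the load balancer with everything defined above.
$lb = New-AzureRmLoadBalancer -ResourceGroupName $rgName -Name $lbName -Location $location `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe `
    -LoadBalancingRule $agRule -InboundNatRule $natRules

# 7. Put each NetScaler NIC in the backend pool and attach its own management NAT rule.
foreach ($nicName in $natPorts.Keys) {
    $nic = Get-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    $nat = $lb.InboundNatRules | Where-Object { $_.Name -eq "Mgmt-$nicName" }
    $nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($nat)
    Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
}

"LB frontend IP: $($pip.IpAddress)  (create the public DNS record for the gateway FQDN here)"
```

Once the NICs are attached and the probe on 9000 reports both VPX instances healthy, the gateway answers on https://ag.diyarunited.com and the management interfaces on ports 16000 and 18000; at that point the per-VPX public IPs can be removed.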
Active-Active Access Gateway (because the load balancing rule uses Client IP persistence, the test should be done from different client IP addresses, otherwise every connection lands on the same VPX): https://ag.diyarunited.com (pointing to the Azure LB public IP).
NetScaler-1 & NetScaler-2 Management (note the ports):
That’s it: Active-Active NetScaler load balancing on Azure Resource Manager. I would love to hear your comments and suggestions.