How high availability on AWS works

You can configure two NetScaler VPX instances on AWS as a high availability (HA) active-passive pair. When you configure one instance as the primary node and the other as the secondary node, the primary node accepts connections and manages servers. The secondary node monitors the primary. If for any reason, the primary node is unable to accept connections, the secondary node takes over.

In AWS, the following deployment types are supported for VPX instances:

  • High availability within same zone
  • High availability across different zones


For high availability to work, ensure that both the NetScaler VPX instances are attached with IAM roles and assigned with the Elastic IP (EIP) address to the NSIP. You need not assign an EIP on NSIP if the NSIP can reach internet through the NAT instance.

High availability within the same zones

In a high-availability deployment within the same zones, both VPX instances must have similar networking configurations.

Follow these two rules:

Rule 1. Any NIC on one VPX instance must be in the same subnet as the corresponding NIC in the other VPX. Both instances must have:

  • Management interface on the same subnet (referred as management subnet)
  • Client interface on the same subnet (referred as client subnet)
  • Server interface on the same subnet (referred as server subnet)

Rule 2. Sequence of mgmt NIC, client NIC, and server NIC on both instances must be the same. For example, the following scenario is not supported.

VPX instance 1

NIC 0: management NIC 1: client NIC 2: Server

VPX instance 2

NIC 0: management

NIC 1: server

NIC 2: client

In this scenario, NIC 1 of instance 1 is in client subnet while NIC 1 of instance 2 is in server subnet. For HA to work, NIC 1 of both the instances must be either in the client subnet or in the server subnet.

From 13.0 41.xx, high availability can be achieved by migrating secondary private IP addresses attached to the NICs (client and server-side NICs) of the primary HA node to the secondary HA node after failover. In this deployment:

  • Both the VPX instances have the same number of NICs and subnet mapping according to NIC enumeration.

  • Each VPX NIC has one extra private IP address, except the first NIC - which corresponds to the management IP address. The extra private IP address appears as the primary private IP address in the AWS web console. In our document, we refer to this extra IP address as the dummy IP address).

  • The dummy IP addresses must be not configured on the NetScaler instance as VIP and SNIP.

  • Other secondary private IP addresses must be created, as required, and configured as VIP and SNIP.

  • On failover, the new primary node looks for configured SNIPs and VIPs and moves them from NICs attached to the previous primary to corresponding NICs on the new primary.

  • NetScaler instances require IAM permissions for HA to work. Add the following IAM privileges to the IAM policy added to each instance.

"iam:GetRole" "ec2:DescribeInstances" "ec2:DescribeNetworkInterfaces" "ec2:AssignPrivateIpAddresses"

Note: unassignPrivateIpAddress is not required.

This method is faster than the legacy method. In the older method, HA depends on the migration of AWS elastic network interfaces of the primary node to the secondary node.

For a legacy method, the following policies are required:

"iam:GetRole" "ec2:DescribeInstances" "ec2:DescribeAddresses" "ec2:AssociateAddress" "ec2:DisassociateAddress"

For more information, see Deploy a high availability pair on AWS.

High availability across different zones

You can configure two NetScaler VPX instances on two different subnets or two different AWS availability zones, as a high availability active-passive pair in Independent Network Configuration (INC) mode. Upon failover, the EIP (Elastic IP) of the VIP of the primary instance migrates to the secondary, which takes over as the new primary. In the failover process, the AWS API:

  • Checks the virtual servers that have IPSets attached to them.
  • Finds the IP address that has an associated public IP, from the two IP addresses the virtual server is listening on. One that is directly attached to the virtual server, and one that is attached through the IP set.
  • Reassociates the public IP (EIP) to the private IP belonging to the new primary VIP.

For HA across different zones, the following policies are required:

"iam:GetRole" "ec2:DescribeInstances" "ec2:DescribeAddresses" "ec2:AssociateAddress" "ec2:DisassociateAddress"

For more information, see High availability across AWS availability zones.

Before you start your deployment

Before you start any HA deployment on AWS, read the following document:


To troubleshoot any failure during a HA failover of NetScaler VPX instance on AWS cloud, check the cloud-ha-daemon.log file stored in the /var/log/ location.

How high availability on AWS works