Create cloud access profiles
A cloud access profile is used by the NetScaler App Delivery and Security service to acquire permissions on the customer’s AWS account for deploying application delivery infrastructure in customer-owned VPCs. To create this profile, you must be the AWS account administrator who has the necessary permissions on the VPC that you intend to use for delivering your applications. Your AWS account must allow you to use the AWS CloudFormation and IAM services.
As part of creating the cloud access profile, two IAM roles on AWS are created. One IAM role gives permissions to the service to provision infrastructure on your AWS account, such as networks, NAT Gateways, security groups, and ADC instances. The other IAM role is used by the NetScaler VPX instances deployed in your account. The role is used to enable support for back-end auto scaling, if your application servers are deployed as an AWS autoscaling group.
NetScaler provides a ready-made CloudFormation template (CFT) to simplify the configuration of these two IAM roles. The template helps an administrator in creating these two IAM roles that are needed for the cloud access profile creation.
IAM role created for NetScaler App Delivery and Security service
The IAM role gives permissions to the service’s AWS account to create and delete entities in AWS on your behalf. The following high-level permissions are granted to the service:
- Provision instances using EC2.
- Create and delete security groups and subnets.
- Create and delete NAT gateway.
- Create and delete network load balancers.
- Create and delete DNS hosted zones and DNS records inside zones using AWS Route 53.
- Attach and remove IAM roles to and from instances.
These high-level permissions are used by the service in the following scenarios:
- When the first application is deployed in a VPC:
  - New ADC EC2 instances are assigned the second IAM role to enable back-end Autoscale support.
  - NAT gateway, subnets, and security groups are created.
  - Agent and NetScalers are provisioned.
- When more applications are later deployed in the same VPC:
  - IP addresses are acquired in the ADCs for the application.
  - Network load balancing is configured with these application IP addresses.
  - DNS entries are created with the domain specified for the application.
- When autoscaling of ADCs is done to adjust to the traffic patterns. For example, a new ADC instance is created if the existing set of ADCs is operating at full capacity.
The IAM role is the mechanism in AWS by which you grant these permissions to the AWS account in which you run the service.
IAM role created for NetScaler VPX instances
During infrastructure provisioning when the first application is deployed in a VPC:
- The NetScaler VPX instances are created.
- The IAM role with the following set of permissions is assigned to the VPX instances by the service.
The high-level permissions are used for tasks such as:
- Change IP address on network interfaces.
- Listen to the Amazon Simple Queue Service (SQS).
- Learn about changes to Autoscale groups.
The permissions are needed for the ADC in the following scenarios:
- During application delivery with origin application servers that are part of an Autoscale group. The ADC calls the AWS services to find the list of origin application servers that are part of the Autoscale group.
- If the ADC cluster head fails or is not reachable, the ADCs elect a new cluster head. The cluster head IP address is then shifted to the newly elected cluster head.
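The page does not reproduce NetScaler's CloudFormation template, so the following is an added illustration, not the published CFT or any NetScaler code. It builds an equivalent two-role template in Python (one cross-account role for the service, one EC2 instance role for the VPX instances, plus the instance profile that attaches it) and then audits the result for the properties an account administrator should insist on before creating the stack: a cross-account trust that is bound to an external ID, no wildcard actions, and `iam:PassRole` scoped to the VPX role only, so the service cannot hand an instance any other role in the account. The service account ID and external ID are placeholders, and the concrete IAM actions are one possible mapping of the high-level permissions listed above, not a statement of what the real template contains.

```python
"""Illustrative CloudFormation template for the two IAM roles behind a cloud
access profile. Added example, not NetScaler's published CFT: the service
account id and external id are placeholders, and the action lists are one
possible mapping of the page's high-level permissions onto narrow IAM actions."""
import json

POLICY_VERSION = "2012-10-17"
# Service role: the high-level permissions the page lists, as IAM actions.
SERVICE_ROLE_ACTIONS = [
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances",
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
    "ec2:CreateSubnet", "ec2:DeleteSubnet", "ec2:CreateNatGateway", "ec2:DeleteNatGateway",
    "ec2:AllocateAddress", "ec2:ReleaseAddress",
    "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:DeleteLoadBalancer",
    "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets",
    "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:ChangeResourceRecordSets",
    "ec2:AssociateIamInstanceProfile", "ec2:DisassociateIamInstanceProfile",
]
# VPX role: move IPs between interfaces, read SQS, learn Autoscale group membership.
VPX_ROLE_ACTIONS = [
    "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
    "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes",
    "autoscaling:DescribeAutoScalingGroups", "ec2:DescribeInstances",
]

def allow(actions, resource="*"):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

def inline_policy(name, statements):
    return {"PolicyName": name,
            "PolicyDocument": {"Version": POLICY_VERSION, "Statement": statements}}

def build_template(service_account_id, external_id):
    """Return the template as a dict; json.dumps() it to get a deployable file."""
    cross_account_trust = {"Version": POLICY_VERSION, "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{service_account_id}:root"},
        "Action": "sts:AssumeRole",
        # The external id is what stops a confused-deputy use of the service's account.
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}
    ec2_trust = {"Version": POLICY_VERSION, "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "IAM roles for a NetScaler cloud access profile (illustrative)",
        "Resources": {
            "VpxInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {
                "AssumeRolePolicyDocument": ec2_trust,
                "Policies": [inline_policy("VpxAutoscaleSupport", [allow(VPX_ROLE_ACTIONS)])]}},
            "VpxInstanceProfile": {"Type": "AWS::IAM::InstanceProfile", "Properties": {
                "Roles": [{"Ref": "VpxInstanceRole"}]}},
            "ServiceRole": {"Type": "AWS::IAM::Role", "Properties": {
                "AssumeRolePolicyDocument": cross_account_trust,
                "Policies": [
                    inline_policy("ProvisionDeliveryInfra", [allow(SERVICE_ROLE_ACTIONS)]),
                    # PassRole is limited to the VPX role so the service cannot hand
                    # instances any other (possibly more privileged) role in the account.
                    inline_policy("PassVpxRoleOnly", [allow(
                        "iam:PassRole", {"Fn::GetAtt": ["VpxInstanceRole", "Arn"]})]),
                ]}},
        },
        "Outputs": {
            "ServiceRoleArn": {"Value": {"Fn::GetAtt": ["ServiceRole", "Arn"]}},
            "VpxInstanceProfileArn": {"Value": {"Fn::GetAtt": ["VpxInstanceProfile", "Arn"]}},
        },
    }

def audit_template(template):
    """Findings a reviewer would raise before creating the stack: cross-account
    trust without an external id, wildcard actions, or unscoped iam:PassRole."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Role":
            continue
        props = res["Properties"]
        for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "AWS" in stmt.get("Principal", {}) and "sts:ExternalId" not in cond:
                findings.append(f"{name}: cross-account trust has no sts:ExternalId condition")
        for pol in props.get("Policies", []):
            for stmt in pol["PolicyDocument"]["Statement"]:
                acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
                findings.extend(f"{name}/{pol['PolicyName']}: wildcard action {a}"
                                for a in acts if a == "*" or a.endswith("*"))
                if "iam:PassRole" in acts and stmt["Resource"] == "*":
                    findings.append(f"{name}/{pol['PolicyName']}: iam:PassRole on Resource *")
    return findings

if __name__ == "__main__":
    tpl = build_template("123456789012", "replace-with-a-random-external-id")  # placeholders
    print(json.dumps(tpl, indent=2))
    print("findings:", audit_template(tpl))
```

Running the script prints the template as JSON; once saved to a file it can be created with `aws cloudformation deploy --template-file <file> --stack-name <name> --capabilities CAPABILITY_IAM`, and the two output ARNs are the values a cloud access profile would consume. The audit is the part worth keeping: run it against any template you are handed for this purpose, whether this one or the vendor's, and treat a non-empty findings list as a reason to tighten the role before it is trusted by another account.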
Create a cloud access profile
- Click Environments.
- In the Cloud Access Profiles tab, click Create.
- Type a name for the profile and click Generate Template.
- Follow the instructions to create a profile.
Validate cloud access profile
If your existing cloud access profile that connects to AWS is not in sync with the latest permissions, the NetScaler App Delivery and Security service invalidates the cloud access profile. To synchronize and validate your cloud access profile with the latest IAM permissions, do the following:
- Go to Environments > Cloud Access Profile.
- Click the gear icon in the Actions column corresponding to the required cloud access profile.
- Follow the instructions provided on the screen.
- Click Validate.
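The service's own sync check is driven from the UI, but the same question (does the role attached to the profile still grant exactly what the service needs?) can be answered locally against the policy document you retrieve with `aws iam get-role-policy`. The following is an added example, not NetScaler code and not the service's validation logic: it applies IAM's action-matching rules (case-insensitive, `*` and `?` wildcards, an explicit Deny overriding any Allow) to report the required actions a policy no longer grants, the Allow patterns that serve no required action, and the wildcard patterns worth tightening. Both the required action set and the stale policy are constructed for the example; resource and condition elements are deliberately ignored, which is a simplification of real IAM evaluation.

```python
"""Detect drift between the IAM policy attached to a cloud access profile's
service role and the actions the service currently requires. Added example,
not service code: the required set and the 'existing' policy are constructed;
in practice the policy document comes from `aws iam get-role-policy`."""
import fnmatch
import json

# Constructed: a subset of the actions the service role needs.
REQUIRED_ACTIONS = [
    "ec2:RunInstances", "ec2:TerminateInstances",
    "ec2:CreateNatGateway", "ec2:DeleteNatGateway",
    "elasticloadbalancing:CreateLoadBalancer",
    "route53:ChangeResourceRecordSets",
    "ec2:AssociateIamInstanceProfile",
]

# Constructed: a policy as it might have been created from an older template.
# It predates the Route 53 requirement, carries a broad iam:* grant that nothing
# needs, and an explicit Deny that silently blocks one required action.
EXISTING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*Instances", "ec2:*NatGateway"], "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:CreateLoadBalancer", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:AssociateIamInstanceProfile", "iam:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}
""")

def action_patterns(policy, effect):
    """Action patterns from statements with the given Effect. Resource and
    Condition elements are ignored here (a simplification of IAM evaluation)."""
    out = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != effect:
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        out.extend(acts)
    return out

def matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def grants(policy, action):
    """True if some Allow matches and no explicit Deny does (Deny wins in IAM)."""
    if any(matches(p, action) for p in action_patterns(policy, "Deny")):
        return False
    return any(matches(p, action) for p in action_patterns(policy, "Allow"))

def permission_drift(policy, required):
    """Compare the attached policy against the current required action set."""
    allows = action_patterns(policy, "Allow")
    return {
        # required actions the role cannot perform: the profile is out of sync
        "missing": [a for a in required if not grants(policy, a)],
        # Allow patterns that serve no required action: candidates to remove
        "unused": [p for p in allows if not any(matches(p, a) for a in required)],
        # wildcard patterns worth tightening even where they are in use
        "wildcards": sorted(p for p in allows if "*" in p or "?" in p),
    }

if __name__ == "__main__":
    print(json.dumps(permission_drift(EXISTING_POLICY, REQUIRED_ACTIONS), indent=2))
```

On the constructed input the report lists `route53:ChangeResourceRecordSets` as missing because nothing grants it, and `ec2:TerminateInstances` as missing even though `ec2:*Instances` allows it, because the Deny statement takes precedence; that second case is the kind of drift a visual diff of the policy text tends to miss. A non-empty `missing` list is the local equivalent of the service invalidating the profile, and the `unused` list is where to start trimming before re-running Validate.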