NetScaler App Delivery and Security service

Create cloud access profiles

August 29, 2023

Contributed by:

C S C

A cloud access profile is used by the NetScaler App Delivery and Security service to acquire permissions on the customer’s AWS account for deploying application delivery infrastructure in customer owned VPCs. To create this profile, you must be the AWS account administrator that has the necessary permissions on the VPC that you intend to use for delivering your applications. Your AWS account must allow you to use AWS CloudFormation and IAM services.

As part of creating the cloud access profile, two IAM roles on AWS are created. One IAM role gives permissions to the service to provision infrastructure on your AWS account, such as networks, NAT Gateways, security groups, and ADC instances. The other IAM role is used by the NetScaler VPX instances deployed in your account. The role is used to enable support for back-end auto scaling, if your application servers are deployed as an AWS autoscaling group.

NetScaler provides a ready-made CloudFormation template (CFT) to simplify the configuration of these two IAM roles. The template helps an administrator in creating these two IAM roles that are needed for the cloud access profile creation.

IAM role created for NetScaler App Delivery and Security service

The IAM role gives permissions to the service’s AWS account to create and delete entities in AWS on your behalf. The following high-level permissions are granted to the service:

Provision instances using EC2.
Create and delete security groups and subnets.
Create and delete NAT gateway.
Create and delete network load balancers.
Create and delete DNS hosted zones and DNS records inside zones using AWS Route 53.
Attach and remove IAM roles to and from instances.

These high level permissions are used by the service in the following scenarios:

When the first application is deployed in a VPC:
- New ADC EC2 instances are assigned the second IAM role to enable back-end Autoscale support.
- NAT gateway, subnets, and security groups are created.
- Agent and NetScalers are provisioned.
When more applications are later deployed in the same VPC:
- IP addresses are acquired in the ADCs for the application.
- Network load balancing is configured with these application IP addresses.
- DNS entries are created with the domain specified for the application.
When autoscaling of ADCs is done to adjust to the traffic patterns. For example, a new ADC instance is created if the existing set of ADCs is operating at full capacity.

The IAM role is the mechanism in AWS by which you grant these permissions to the AWS account in which you run the service.

IAM role created for NetScaler VPX instances

During infrastructure provisioning when the first application is deployed in a VPC:

The NetScaler VPX instances are created.
The IAM role with the following set of permissions is assigned to the VPX instances by the service.

The high-level permissions are used for tasks such as:

Change IP address on network interfaces.
Listen to the Amazon simple queue service (SQS).
Learn about changes to Autoscale groups.

The permissions are needed for the ADC in the following scenarios:

During application delivery with origin application servers that are part of an Autoscale group. The ADC calls the AWS services to find the list of origin application servers that are part of the Autoscale group.
If the ADC cluster head fails or if the cluster ADC head is not reachable, then the ADC selects a new cluster head. The ADC then shifts the cluster head IP address to the newly elected cluster head.

Create a cloud access profile

Click Environments.
In the Cloud Access Profiles tab, click Create.
Type a name for the profile and click Generate Template.
Follow the instructions to create a profile.
Click Create.

Validate cloud access profile

If your existing cloud access profile that connects to AWS is not in sync with the latest permissions, the NetScaler App Delivery and Security service invalidates the cloud access profile. To synchronize and validate your cloud access profile with the latest IAM permissions, do the following:

Go to Environments > Cloud Access Profile.
Click the gear icon in the Actions column corresponding to the required cloud access profile.
Follow the instructions provided on the screen.
Click Validate.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Create cloud access profiles

August 29, 2023

Contributed by:

C S C

August 29, 2023

Contributed by:

C S C

Create cloud access profiles

IAM role created for NetScaler App Delivery and Security service

IAM role created for NetScaler VPX instances

Create a cloud access profile

Validate cloud access profile

In this article