NetScaler App Delivery and Security service

Manage an environment

An environment represents the infrastructure that is used for application delivery in a region or a data center. Typically, you create one environment per AWS VPC. The necessary infrastructure, such as NAT gateways, agents, and ADCs, is prepared as part of the environment deployment. Once deployed, the environment can be used to deliver multiple applications.

Prerequisites

The service creates three subnets per availability zone for the app delivery infrastructure. Each subnet is a /24 block (256 addresses), so the service reserves 768 (3 × 256) addresses per availability zone. Ensure that the VPC CIDR block in which the app delivery infrastructure is deployed meets the following conditions:

  • To deploy the environment in two availability zones, the VPC CIDR block must be a /21 (2,048 IP addresses) or larger.

  • To deploy the environment in one availability zone, the VPC CIDR block must be a /22 (1,024 IP addresses) or larger. Because the infrastructure runs in a single availability zone, we do not recommend this option for a production environment; it is best suited for staging or proof-of-concept deployments.

  • Instances created in the VPC must have access to the Internet through the NAT gateway and must be able to resolve DNS names. The agent communicates with the service at <pop>.appdeliverysecurity.cloud.com, so it must be able to resolve and reach that domain.
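The following script, added here as an example and not part of the product or this page, turns the sizing rules above into a pre-flight check you can run before creating an environment. It assumes that each of the three service subnets per availability zone is a /24 (the "256 addresses" figure above) and that you know the CIDRs of the subnets already present in the VPC; the sample VPC and subnet CIDRs are constructed. It also carves out free /24 blocks that you can hand to the Specify subnets option so that the infrastructure lands in blocks you control.

```python
import ipaddress

# Assumption: three service subnets per availability zone, each a /24.
SUBNETS_PER_AZ = 3
SERVICE_SUBNET_PREFIX = 24


def addresses_required(az_count: int) -> int:
    """Addresses the app delivery infrastructure consumes for az_count zones."""
    return az_count * SUBNETS_PER_AZ * 2 ** (32 - SERVICE_SUBNET_PREFIX)


def longest_acceptable_prefix(az_count: int) -> int:
    """Longest VPC prefix length (smallest block) that still holds the service
    subnets: 21 for two zones (1,536 addresses need a /21 = 2,048) and 22 for
    one zone (768 addresses need a /22 = 1,024), matching the prerequisites."""
    need = addresses_required(az_count)
    prefix = 32
    while 2 ** (32 - prefix) < need:
        prefix -= 1
    return prefix


def vpc_is_large_enough(vpc_cidr: str, az_count: int) -> bool:
    """True if the VPC block can hold the service subnets for az_count zones."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return vpc.prefixlen <= longest_acceptable_prefix(az_count)


def free_service_subnets(vpc_cidr: str, existing_subnet_cidrs, az_count: int):
    """Pick /24 blocks inside the VPC that do not overlap any existing subnet.

    Returns one list of CIDRs per availability zone, in the shape the
    Specify subnets option expects. Raises ValueError if the VPC cannot fit
    the required number of blocks next to what is already allocated.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    taken = [ipaddress.ip_network(c, strict=True) for c in existing_subnet_cidrs]
    wanted = az_count * SUBNETS_PER_AZ
    chosen = []
    for candidate in vpc.subnets(new_prefix=SERVICE_SUBNET_PREFIX):
        if any(candidate.overlaps(t) for t in taken):
            continue
        chosen.append(str(candidate))
        if len(chosen) == wanted:
            break
    if len(chosen) < wanted:
        raise ValueError(
            f"{vpc_cidr} has only {len(chosen)} free /{SERVICE_SUBNET_PREFIX} "
            f"blocks but {wanted} are needed for {az_count} zone(s)")
    # The first three blocks go to zone 1, the next three to zone 2, and so on.
    return [chosen[i * SUBNETS_PER_AZ:(i + 1) * SUBNETS_PER_AZ] for i in range(az_count)]


if __name__ == "__main__":
    # Constructed sample: a /21 VPC with two /24 subnets already in use.
    print(vpc_is_large_enough("10.0.0.0/21", 2))
    print(vpc_is_large_enough("10.0.0.0/22", 2))
    print(free_service_subnets("10.0.0.0/21", ["10.0.0.0/24", "10.0.1.0/24"], 2))
```

Run it with your real VPC CIDR and the subnet CIDRs reported by your account; a ValueError from free_service_subnets means the VPC meets the size rule on paper but your existing subnets leave too few free /24 blocks.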

How does the NetScaler App Delivery and Security service connect to the origin application servers

The NetScaler App Delivery and Security service provisions its infrastructure in subnets of your VPC and connects from those subnets to your origin application servers. A common security group configuration for the application servers allows ingress from every IP address in the VPC. That works by default because, during environment creation, the service creates its own subnets in the VPC and the infrastructure that reaches your origin servers runs there. To tighten this, you can restrict the source addresses the service uses to reach your application servers: during environment creation, specify subnets that you created exclusively for the NetScaler App Delivery and Security service. The service then provisions its infrastructure in those subnets instead of creating default subnets, and you can change the application servers' security group to allow ingress only from the subnets you specified, on the application ports, rather than from the whole VPC CIDR. For information on creating specific subnets for the service, see Specify a subnet.

The NetScaler App Delivery and Security service allows you to add origin application servers from multiple sources. You can add origin application servers residing in the following sources and connect them with the VPC that hosts the service infrastructure:

  • Origin application server is in the same VPC
  • Origin application server is in a different VPC
  • Origin application server is outside the AWS account

If the origin application server is in the same VPC, then no additional connections are required.

If the origin application server is in a different VPC, then you can connect to the VPC that hosts the NetScaler App Delivery and Security service infrastructure using VPC peering or transit gateway. For more information, see Connect to an origin application server in a different VPC.

If the origin application server is outside the AWS account, then you must establish the routes between the app delivery infrastructure and application server subnets. For more information, see Connect to an origin application server outside the AWS account.

Specify a subnet

  1. While creating an environment, select Specify subnets to be used by the NetScaler App Delivery and Security infra to reach the origin application servers.
  2. Specify subnets for each of the availability zones.

    Specify subnet

Note

  • If your origin application servers are in different VPCs, ensure that the VPC peering connection or transit gateway attachment, and the corresponding routes, are configured for the subnets you specified.
  • If your origin application servers are outside the current AWS account, ensure that the route tables of the subnets you specified route traffic to the origin application server subnets.

Connect to an origin application server in a different VPC

Deploying the app delivery infrastructure in the same VPC as the origin application servers saves cost and reduces management overhead. However, you might want to deploy both in different VPCs to isolate the infrastructure. For this deployment to work, the app delivery infrastructure in one VPC must be able to send traffic to the origin application servers in another VPC.

To establish communication between the VPC of the app delivery infrastructure and the VPC of the origin application servers, the following options are available:

  • VPC Peering: Use for network connections between two VPCs.

  • Transit Gateway: Use for network connections between many VPCs.

The terms app delivery infrastructure VPC and NetScaler App Delivery and Security service VPC are used interchangeably in this document.

Prerequisites

Configure VPC peering or Transit Gateway in your AWS account so that you can select them in the NetScaler App Delivery and Security service GUI.

Notes

  • The origin application server VPC cannot have overlapping CIDRs with the NetScaler App Delivery and Security service VPC.
  • The origin application server VPCs must have unique CIDRs.
  • To avoid latency between the NetScaler App Delivery and Security service VPC and the origin application servers, both must be in the same region.

For VPC peering, perform the following steps in your AWS account:

  1. Create a VPC peering connection between the NetScaler App Delivery and Security service VPC and origin application server VPC. A peering ID is allocated as a result.
  2. Add entries to the route table for origin application servers to respond to the NetScaler App Delivery and Security service VPC using the peering ID. For a sample routing table entry, see Routing table for the VPC peering option.

    Note

    The NetScaler App Delivery and Security service configures the routes for the NetScaler App Delivery and Security service VPC to send traffic to the origin application server VPC.

  3. Add rules to the security group attached to the origin application server to allow traffic from the NetScaler App Delivery and Security service VPC.

For Transit Gateway, perform the following steps in your AWS account:

  1. Create a transit gateway.
  2. Attach the VPC of the origin application servers to the transit gateway.
  3. Add entries to the route table for the origin application servers to respond to the NetScaler App Delivery and Security service VPC. For a sample routing table entry, see Routing table for the Transit Gateway option.

    Note

    The NetScaler App Delivery and Security service configures the routes for the NetScaler App Delivery and Security service VPC to send traffic to the origin application server VPC.

  4. Add rules to the security group attached to the origin application server to allow traffic from the NetScaler App Delivery and Security service VPC.

For more information about VPC peering and Transit Gateway, see the AWS documentation.
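The following example, added here and not part of the product or this page, carries out the customer-side steps above for both options against the AWS EC2 API: it first enforces the CIDR notes (no overlap with the service VPC, unique origin CIDRs), then creates the peering connection or transit gateway attachment, adds the return route in the origin VPC route table, and authorizes ingress on the origin servers' security group. The method names and keyword arguments are those of boto3's EC2 client; the RecordingEC2 class is a constructed offline stand-in that records calls and returns placeholder IDs, so the script runs without an account. It assumes both VPCs are in the same account (the accept call is made with the same client), that the origin servers listen on TCP 443, and that 192.2.0.0/16 is the service VPC CIDR as in the route table illustrations below.

```python
import ipaddress


def check_cidrs(service_vpc_cidr, origin_vpc_cidrs):
    """Enforce the notes above before touching routes: no origin VPC may overlap
    the service VPC, and origin VPCs must not overlap each other. Returns a list
    of human-readable problems (empty when the CIDRs are acceptable)."""
    svc = ipaddress.ip_network(service_vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in origin_vpc_cidrs]
    problems = [f"{n} overlaps the service VPC {svc}" for n in nets if n.overlaps(svc)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"origin VPCs {a} and {b} overlap")
    return problems


def allow_from_service(ec2, origin_sg_id, allowed_cidrs, port):
    """Peering step 3 / Transit Gateway step 4: ingress rule on the origin
    servers' security group. Pass the subnets you specified for the service
    infra rather than the whole service VPC CIDR to keep the rule narrow."""
    ec2.authorize_security_group_ingress(
        GroupId=origin_sg_id,
        IpPermissions=[{
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": "NetScaler app delivery infra"}
                         for c in allowed_cidrs],
        }],
    )


def connect_by_peering(ec2, *, service_vpc_id, origin_vpc_id, origin_vpc_cidr,
                       service_vpc_cidr, origin_route_table_id, origin_sg_id,
                       allowed_cidrs, port=443):
    """VPC peering steps 1-3 for two VPCs in the same account. Returns the peering ID."""
    problems = check_cidrs(service_vpc_cidr, [origin_vpc_cidr])
    if problems:
        raise ValueError("; ".join(problems))
    resp = ec2.create_vpc_peering_connection(VpcId=service_vpc_id, PeerVpcId=origin_vpc_id)
    pcx = resp["VpcPeeringConnection"]["VpcPeeringConnectionId"]
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx)
    # Return route in the origin VPC only: the service configures the forward
    # route in its own VPC (see the note in the steps above).
    ec2.create_route(RouteTableId=origin_route_table_id,
                     DestinationCidrBlock=service_vpc_cidr,
                     VpcPeeringConnectionId=pcx)
    allow_from_service(ec2, origin_sg_id, allowed_cidrs, port)
    return pcx


def connect_by_transit_gateway(ec2, *, origin_vpc_id, origin_vpc_cidr, service_vpc_cidr,
                               origin_attachment_subnet_ids, origin_route_table_id,
                               origin_sg_id, allowed_cidrs, port=443, transit_gateway_id=None):
    """Transit Gateway steps 1-4. Creates a transit gateway unless one is supplied."""
    problems = check_cidrs(service_vpc_cidr, [origin_vpc_cidr])
    if problems:
        raise ValueError("; ".join(problems))
    if transit_gateway_id is None:
        transit_gateway_id = ec2.create_transit_gateway()["TransitGateway"]["TransitGatewayId"]
    ec2.create_transit_gateway_vpc_attachment(TransitGatewayId=transit_gateway_id,
                                              VpcId=origin_vpc_id,
                                              SubnetIds=origin_attachment_subnet_ids)
    ec2.create_route(RouteTableId=origin_route_table_id,
                     DestinationCidrBlock=service_vpc_cidr,
                     TransitGatewayId=transit_gateway_id)
    allow_from_service(ec2, origin_sg_id, allowed_cidrs, port)
    return transit_gateway_id


class RecordingEC2:
    """Constructed offline stand-in for boto3.client("ec2"): records every call
    and returns the identifiers the real API would (placeholder IDs)."""
    _canned = {
        "create_vpc_peering_connection": {"VpcPeeringConnection": {"VpcPeeringConnectionId": "pcx-0example"}},
        "create_transit_gateway": {"TransitGateway": {"TransitGatewayId": "tgw-0example"}},
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self._canned.get(name, {"Return": True})
        return call


if __name__ == "__main__":
    ec2 = RecordingEC2()  # replace with boto3.client("ec2", region_name=...) for a real account
    connect_by_peering(ec2, service_vpc_id="vpc-svc", origin_vpc_id="vpc-origin",
                       origin_vpc_cidr="10.10.0.0/16", service_vpc_cidr="192.2.0.0/16",
                       origin_route_table_id="rtb-origin", origin_sg_id="sg-origin",
                       allowed_cidrs=["192.2.10.0/24", "192.2.11.0/24"])
    for name, kwargs in ec2.calls:
        print(name, kwargs)
```

The allowed_cidrs argument is where the restriction from the section above is applied: with the default subnets you have to allow the whole service VPC CIDR, whereas with subnets you specified you can list only those blocks.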

Routing table for the VPC peering option

This section helps in adding entries to the route table for origin application servers to respond to the NetScaler App Delivery and Security service VPC by using the peering ID.

VPC peering

For the preceding illustration, where 192.2.0.0/16 is the CIDR of the NetScaler App Delivery and Security service VPC, the route table of the origin application server VPC must contain the following entry:

  Destination       Next Hop
  192.2.0.0/16      peering ID (pcx-...)

Routing table for the Transit Gateway option

This section helps in adding entries to the route table for origin application servers to respond to the NetScaler App Delivery and Security service VPC by using a transit gateway.

Transit Gateway

For the preceding illustration, where 192.2.0.0/16 is the CIDR of the NetScaler App Delivery and Security service VPC, the route table of each origin application server VPC must contain the following entry:

  Destination       Next Hop
  192.2.0.0/16      transit gateway ID (tgw-...)

Connect to an origin application server outside the AWS account

The NetScaler App Delivery and Security service allows you to add origin application servers that are deployed outside the current AWS account. For example, the origin application server might be in a VPC that belongs to another AWS account, in a private data center, or in another cloud provider's account.

Prerequisites

  • The origin application server VPC cannot have overlapping CIDRs with the NetScaler App Delivery and Security service VPC.
  • The origin application server VPCs must have unique CIDRs.
  • To avoid latency between the NetScaler App Delivery and Security service VPC and the origin application servers, both must be in the same region.

To add origin application servers outside your AWS account, you must create specific subnets that the NetScaler App Delivery and Security service infra uses to reach them. While creating an AWS environment, on the Create AWS Environment page, select Specify subnets to be used by the NetScaler App Delivery and Security infra to reach the origin application servers and add the required subnets. The External tab, where you add the IP address or subnet of the origin application server, is enabled only when this option is selected. For more information, see Specify a subnet.

For this deployment to work, you must ensure network connectivity between the origin application servers and the app delivery infrastructure. The app delivery infrastructure must be able to send traffic to the origin application servers and also receive traffic from the origin application servers.

Connection establishment outside the AWS account

Create an environment

  1. In the left navigation pane, click Environments.
  2. In the Environments tab, click Create and select AWS.
  3. Select a Cloud Access Profile, AWS Region, Availability Zone, and AWS VPC where the app delivery infrastructure is to be deployed.
  4. If you want app delivery infrastructure to be deployed in specific subnets, select Specify subnets to be used by the NetScaler App Delivery and Security service infra to reach the origin application servers and add the subnet values.
  5. Select the following tabs based on where your origin application server sites are present.
    • Internal: Origin application servers and app delivery infrastructure are present in the same VPC.

      Origin application server is in the same VPC

    • Peering: Origin application servers and app delivery infrastructure are in two different VPCs and are connected using VPC peering.

      Origin application server is in the different VPC and connected using Peering

    • Transit Gateway: Origin application servers and app delivery infrastructure are spread across multiple VPCs and are connected using the transit gateway.

      Origin application server is in the different VPC and connected using transit gateway

    • External: Origin application servers are provisioned in a different AWS account, a data center, or a different cloud platform. You must establish a connection between the app delivery infrastructure and the external subnets where the origin application servers are deployed.

      Note:

      The External tab is visible only when Specify subnets to be used by the NetScaler App Delivery and Security service infra to reach the origin application servers is selected.


  6. Add any tags for resources if required by your AWS subscription.

    AWS environment tags

  7. (Optional) Select Enable Troubleshooting to let NetScaler support diagnose and fix issues with the agents and ADCs deployed during environment creation. When enabled, the NetScaler instances and agents accept logins from the NetScaler supportability PoP: port 22 (SSH) is opened in the security group of the NetScaler client and in the security group of the agent, and the management subnet route table is modified so that traffic destined for the NetScaler supportability PoP targets the internet gateway. Because this exposes SSH on the management plane and bypasses the NAT gateway for that destination, enable it only while an issue is being investigated.

  8. Click Create.
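Step 7 above changes two things in your account (an SSH ingress rule and an internet gateway route on the management subnet). The following audit, added here as an example rather than code from the product or this page, finds both artefacts in the structures that boto3's describe_security_groups() and describe_route_tables() return, so you can confirm they are gone once troubleshooting is over. The sample security groups and route table are constructed; 203.0.113.0/24 is a documentation address range standing in for the supportability PoP, whose real addresses the page does not give, and all IDs are placeholders.

```python
SSH_PORT = 22

# Constructed sample data in the shape of describe_security_groups()["SecurityGroups"]
# and describe_route_tables()["RouteTables"]. 203.0.113.0/24 stands in for the PoP.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-agent-example", "GroupName": "adc-agent",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "supportability PoP"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
     ]},
    {"GroupId": "sg-origin-example", "GroupName": "origin-app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.2.0/24"}, {"CidrIp": "10.0.3.0/24"}]},
     ]},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-mgmt-example",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/21", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
         {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0example"},
     ]},
]


def _covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`, including
    the all-traffic rule (IpProtocol "-1", which carries no port fields)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm):
    """Every source a rule admits: IPv4 ranges, IPv6 ranges and other groups."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for p in perm.get("UserIdGroupPairs", []):
        yield p["GroupId"]


def ssh_exposures(security_groups, port=SSH_PORT):
    """(group ID, source) pairs for every rule that admits SSH."""
    return [(sg["GroupId"], src)
            for sg in security_groups
            for perm in sg.get("IpPermissions", [])
            if _covers_port(perm, port)
            for src in _sources(perm)]


def internet_gateway_routes(route_tables):
    """(route table ID, destination, gateway) for routes that target an internet
    gateway. A management subnet that egresses through the NAT gateway should
    have none; the troubleshooting option adds one for the PoP destination."""
    found = []
    for rt in route_tables:
        for route in rt.get("Routes", []):
            gw = route.get("GatewayId", "")
            if gw.startswith("igw-"):
                dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
                found.append((rt["RouteTableId"], dest, gw))
    return found


def troubleshooting_still_open(security_groups, route_tables):
    """True if either artefact of Enable Troubleshooting is still present."""
    return bool(ssh_exposures(security_groups)) or bool(internet_gateway_routes(route_tables))


if __name__ == "__main__":
    print(ssh_exposures(SAMPLE_SECURITY_GROUPS))
    print(internet_gateway_routes(SAMPLE_ROUTE_TABLES))
    print(troubleshooting_still_open(SAMPLE_SECURITY_GROUPS, SAMPLE_ROUTE_TABLES))
```

To run it against a real environment, feed it ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"] for the NetScaler client and agent security groups and ec2.describe_route_tables(Filters=[{"Name": "association.subnet-id", "Values": [...]}])["RouteTables"] for the management subnets; an empty result from both functions means the troubleshooting access has been closed again.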

Auto-upgrade an environment

As a network administrator, you might manage many environments running on the NetScaler App Delivery and Security service. An environment upgrade is a major operational activity for administrators who manage NetScaler instances. The NetScaler App Delivery and Security service automatically upgrades environments to the latest builds, which simplifies upgrades in the following ways:

  • The service provides three time slot options to schedule an upgrade. If you do not choose a time slot from the suggested options, the service automatically upgrades the environment in the default upgrade time slot.

  • The service includes security-related updates when upgrading the environment.

Benefits

The service automatically creates maintenance jobs to upgrade your environments. The auto-upgrade feature provides the following benefits:

  • Seamless upgrade of the environments.
  • Service level agreement management. For more information, see Service level agreement.

Prerequisites

You have created an environment and a cloud access profile.

View environment upgrade schedule

Navigate to Environments> Settings to view the following information:

  • List of environments and their upgrade status.

  • Environments for which an upgrade is scheduled.

  • Environments for which an upgrade is in progress. For these, a pie chart shows the percentage of the upgrade completed and the estimated time to complete the upgrade job.

  • Environments in error state because of an upgrade failure are shown with a red indicator.

  • Environments for which an upgrade is completed are shown with a green tick.

Upgrade environments

The Citrix Environment Upgrade Scheduled page displays the available environments. The release notes link takes you to the release notes for the specific ADC build, where you can review new features, fixed issues, and known issues.

You can choose one of the following upgrade options:

  • Default schedule – The service automatically upgrades the environment.
  • Select from system recommendation – Select a time slot from the three available options. If a time slot is not selected, the service automatically upgrades the environment at the default upgrade time slot.

Perform the following steps to upgrade an environment:

  1. In Environments, click Settings.
  2. Select Default schedule or Select from system recommendation schedule and choose a time slot from the list.
  3. Click Save.

Notes:

  • If an auto-upgrade fails, the environment rolls back to the previous version and the upgrade status displays an error state. The upgrade is then scheduled in the next time slot.
  • If the rollback also fails, contact NetScaler support to resolve the issue. During this time the traffic is uninterrupted for the existing environment.

Auto-upgrade

Undeploy an environment

When you undeploy an environment, all the applications linked to that environment are deleted. A warning is shown if there is at least one application in the DEPLOYED state.

Undeploy an environment

You can cancel, undeploy those applications first, and then come back to undeploy the environment.