Cloud Direct Service
The Cloud Direct service delivers SD-WAN functionalities as a cloud service through reliable and secure delivery for all internet-bound traffic regardless of the host environment (data center, cloud, and internet). It improves network visibility and management. It enables partners to offer managed SD-WAN services for business critical SaaS applications to their end customers.
Cloud direct service offers the following advantages:
- Redundancy - Uses multiple internet WAN links and provides seamless failover.
- Link aggregation - Uses all internet WAN links at the same time.
- Intelligent load-balancing across WAN connections from different providers:
- Measuring packet loss, jitter and throughput.
- Custom application identification.
- Application requirement and circuit performance matching (adapt to real-time network conditions).
- SLA-grade Dynamic QoS Capability to internet circuit:
- Dynamically adapts to varying circuit throughput.
- Adaption through the tunnel at ingress and egress endpoints.
- Rerouting VOIP calls between circuits without dropping the call.
- End-to-end monitoring and visibility.
Cloud direct service workflow
Before you begin deploying the Cloud Direct Service, ensure that the following steps are completed:
-
Have a 410-SE, 210-SE, or 1100-SE/PE edition appliance. If the factory shipped SD-WAN version of the appliance is earlier than 9.3.5, then you must follow the USB reimaging procedure to upgrade the appliance to the latest shipping base image.
-
Perform single step upgrade procedure to install the software version that supports Cloud Direct Service.
-
Configure the MCN appliance and establish the virtual paths with its branches:
-
Configure branch site. See Configure Branch for more information.
-
Create application objects for application-based routes.
-
If you intend to selectively steer the applications through the Cloud direct service, create the application objects by including the corresponding applications, see how to create Application Objects, which are routed through the Cloud direct service. To manage Internet bound traffic, the Internet service must be created from the appliance configuration editor. For more information, see Internet Service.
-
If you intend to steer all internet bound traffic through the Citrix Cloud direct service, then you can skip creating the specific application objects.
-
-
Licensing
The Cloud Direct service feature is licensed independently from the base licenses of SD-WAN. Ensure that you have installed the required licenses for the Cloud Direct service on SD-WAN Center. For more information, see Citrix SD-WAN Center as a license server.sd-wan-center-as-license-server.
The Licensing page provides details about the installed Cloud Direct service license information.
Note There is a grace period of 30 days for the expired or deleted Cloud Direct licenses, before which you need to install the valid licenses for the deployed Cloud Direct sites to be functional. If no valid licenses are installed before the expiry of the Grace period, SD-WAN Center disables the Cloud Direct service on site using the expired license.
Configure cloud direct service in SD-WAN Center
-
In the SD-WAN Center GUI, navigate to Configuration > Cloud Connectivity > Cloud Direct.
-
Log in with Citrix Cloud credentials.
The Cloud Direct home page appears after you successfully logged into the Citrix Cloud Service.
-
Click Pull Active Config to retrieve latest active MCN configuration.
-
Click Add a new site. Sites that are eligible for the Cloud Direct service deployment are displayed in the menu.
Note
-
The Cloud Direct service feature is supported on 210, 410, and 1100 hardware appliances.
-
From 11.2 release onwards, the Cloud Direct service is supported on SD-WAN 2100, 4100, and 6100 appliances. Both SD-WAN Center and Orchestrator allow the Cloud Direct service feature to be deployed on SD-WAN 2100, 4100, and 6100 appliances. SD-WAN Center supports up to 250 Mbps subscription licenses for Cloud Direct.
-
-
When a site is chosen, the public internet WAN links that are associated with the selected site are displayed, along with the appliance model information and the region in which the appliance is deployed.
-
Select the WAN links that you would like to use for Cloud Direct service traffic, along with the WAN Link Type, Application Objects, Subscription Bandwidth, Primary POP, and Secondary POP options.
Note
-
Up to four WAN links are supported for Cloud Direct service.
-
A WAN link bandwidth is no longer needed to be reserved exclusively for the Cloud Direct service. If the Cloud Direct service is not active then the other services such as virtual path, internet, or intranet services configured on that WAN link can use the bandwidth as per the configured shares.
-
Site Name: Displays the sites that are eligible for the Cloud Direct feature deployment.
- Model: For the selected site, corresponding appliance model name is auto populated.
-
Region: For the selected site, the appliance specific deployed region details are auto populated.
-
WAN Link: For the selected site, the associated public internet WAN links are displayed.
-
WAN Link Type: Select the WAN link type from the menu.
-
Standby Mode: The standby mode is retrieved from the WAN link configuration.
-
Bandwidth for Cloud Direct Service: Enter the bandwidth that the Cloud Direct Service can use exclusively. The selected bandwidth must be lesser than the configured permitted bandwidth and would not be available for use by the Virtual Path, Internet, and Intranet services.
-
External NAT: It is required that the public internet traffic originated from the branch LAN network is source NAT from a specific IP address. By default, this is automatically performed and taken care as part of the SD-WAN network configuration. If you would like to configure the NAT IP (LAN Network) outside the SD-WAN device (for example, in an external firewall), you can choose the External NAT option when deploying sites. The IP to which the LAN traffic has to be the source NAT is available in the Details page of the deployed Cloud Direct site.
-
Application objects: You can choose specific application objects or select “All Internet Traffic” to be redirected through the Cloud Direct service. In case when the specific application objects are selected, the traffic for those applications is sent through the Cloud Direct service, and the rest of the traffic is steered using the internet service configured on the appliance.
-
Subscription bandwidth: Subscription bandwidth is associated with the licensing for the cloud direct service.
- Billing Mode: When a customer plans to deploy a Cloud Direct site as part of validating proof of concept (POC), the Billing Mode field must set as Demo. For all other cases, set the billing mode as Production.
NOTE: The following situation occurs, if the Billing Mode is selected as Demo or Production:
- If a Cloud Direct site is created with Billing Mode as Demo, the settings can be edited to Production.
- If a Cloud Direct site is created with Billing Mode as Production, the setting cannot be edited to Demo.
The Billing Mode option enables the use of Cloud Direct trial/evaluation licenses, which can be provided by Citrix sales or authorized partners. Sites operating with Cloud Direct evaluation licenses must be set to the Demo Billing Mode option. Sites upgrading to full Cloud Direct subscription licenses must be set to the Production Billing Mode option.
- Primary/Secondary POP: Ensure that the primary and secondary POP is not the same. Select the POPs depending on the location proximity. Click Add.
-
-
After the sites are added, the service status is shown as Deployment is Pending. Select the site for which you want to deploy Cloud Direct service and click Deploy.
A notification stating that the deploy operation initiates a change management on the MCN appliance is displayed. You can click Yes or No.
After successfully deploying the sites, the cloud direct service page displays the following:
- Service status: Deployed
- Appliance status: Enabled
- Subscription Bandwidth (Mbps): 10 Mbps
- Consumed the installed license
The above change management step auto generate and add the needed Cloud Direct service configurations to the running configuration.
Note
The auto-created Cloud Direct Service (intranet service) is associated with the Default_RoutingDomain.
Firewall Settings
Provisioning Sites in SD-WAN application GUI
Monitoring Cloud Direct service
You can view the configured Cloud Direct service after the sites are deployed and enabled. Click the exclamation icon in the Details column to view the site details.
You can view the site summary graphs by navigating to Dashboard > Cloud Direct > Network Summary and Site Summary.
Editing site in SD-WAN Center
You can choose to edit the sites to modify bandwidth and wan link type.
Note
POP selections cannot be edited.
The service status displays as redeployment pending. Deploy the site. The deployment process is completed for the edited site.
Enable and Disable Site
You can enable a deployed site that has an appliance status shown as disabled. To enable a site, click Enable.
Click Disable to disable a deployed site. Disabling site would no longer use cloud direct service to steer the internet traffic. All traffic is redirected through the internet service, if configured on the appliance.
Site Deletion
You can choose to delete the sites that no longer require Cloud Direct connectivity. To delete sites, select the site and click Delete. A confirmation message to delete sites is displayed. All cloud direct service configuration is removed through the change management process.
Cloud Direct Service status on Citrix SD-WAN
You can verify the Cloud Direct service status on a local SD-WAN appliance.
Go to the Citrix SD-WAN GUI, navigate to Configuration > expand the Appliance Settings > select Cloud Direct Service.
Click Disable option to disable the Cloud Direct service.
Troubleshooting
The most common error messages that might occur on SD-WAN Center when deploying Cloud Direct service are as follows.
Error/status messages are displayed on SDW-AN Center under Configuration > Cloud Connectivity > Cloud Direct.
‘Cloud Direct License error! Please upload additional license for {bandwidth} Mbps bandwidth’
- Upload a valid Cloud Direct license on SD-WAN Center by navigating to Configuration > Licensing > File Management option and then proceed with deploying this feature
‘Cloud Direct configuration HA due to Citrix Cloud Workspace login issue’
- Reenter credentials for Citrix Cloud Workspace login on SD-WAN Center by navigating to Configuration > Cloud Connectivity option.
‘Cloud Direct configuration processing error! Site: {site_name}(IP: {mgmt_ip}) is not reachable or is missing Cloud Direct support’
- Check if SD-WAN appliance or appliances (in case of HA deployment) are reachable on the management port.
‘Cloud Direct configuration HA Config Check error for site: {site_name}’
- Check for connectivity of both appliances in HA pair corresponding to site being deployed.
‘Both the HA Pair Appliances have to be reachable to perform Cloud Direct Configuration’
- When deploying Cloud Direct service on SD-WAN appliances in HA pair, both secondary and primary appliances must be reachable on the management port.
‘Cloud Direct configuration processing error! Site: {site_name}(IP: {mgmt_ip}) has SSO Login Issue’
- Check if SD-WAN appliance is up/running and reachable on the management port. This error is displayed when SD-WAN Center is unable to perform single sign-on to the SD-WAN appliance.
‘Internal error encountered during Cloud Direct configuration processing’
- This might occur due to multiple error conditions while carrying out configuration check or rest of the processing. A user might need to review the logs and perform the operation again.
‘Cloud Direct configuration processing canceled! MCN is not ready for change management’
- Check if MCN is accessible and up and running and that its change management state is “network_staging.”
‘Cloud Direct configuration processing error! Site: {site_name}(IP: {mgmt_ip}) does not have Cloud Direct support. Please do single step upgrade to have a Cloud Direct support’
- Perform single step software upgrade on the SD-WAN appliance through MCN > Change Management. After this procedure, reattempt deploying Cloud Direct service for this site.
‘Cloud Direct configuration processing error! SD WAN change management operation failed’
- Change management operation somehow did not succeed. Check SD-WAN Center logs for details.
‘Cloud Direct configuration processing error! Enabling service at site: {site_name} failed’
- Unable to enable Cloud Direct service on SD-WAN appliance. Check for connectivity of specific appliance or for those in HA pair or for any issue when performing single sign-on. Check logs on SD-WAN Center and appliance for details.
‘Cloud Direct configuration processing error! Disabling service at site: {site_name} failed’
- Unable to disable Cloud Direct service on SD-WAN appliance. Check for connectivity of specific appliance or those in HA pair or for any issue when performing single sign-on. Check logs on SD-WAN Center and appliance for details.
‘Cloud Direct configuration processing error! Config image push to site: {site_name} failed’
- Unable to upload service-specific image on appliance via REST api or not able to access both appliances in HA pair.
‘Cloud Direct Service encountered an error during configuration processing. Audit errors found in the SD WAN config!’
- Audit errors found when attempting to compile the SD-WAN config. Check SD-WAN Center logs for details.
‘Cloud Direct configuration processing error! Create Site failed for Site: {site_name}’
- Service-side error when attempting to create a site for the corresponding SD-WAN appliance. Review SD-WAN Center logs for additional details.
‘Cloud Direct configuration processing error! Update Site failed for Site: {site_name}’
- Service-side error when attempting to modify site related settings for the corresponding SD-WAN appliance. Review SD-WAN Center logs for additional details.
Error messages seen in logs (SDWAN_common.log)
Here are few scenarios where Cloud Direct service is deployed on SD-WAN appliance, but might not function as expected. You can download and review the logs on the local SD-WAN appliance using the SDWAN_common.log for more details.
Scenario 1
“Detected Cloud Direct VM is not responding … Disabling Cloud Direct Service now!” “Cloud Direct service has been disabled.”
Underlying KVM running on local SD-WAN appliance is not functioning in expected manner. In such case, Cloud Direct service functionality is disabled on the appliance.
Scenario 2
“No tunneled packets seen for past 5 mins … Disabling Cloud Direct Service now!” “Cloud Direct service has been disabled.”
There is no tunnel established between SD-WAN appliance and tunnel endpoint in-use for Cloud Direct service. This might be due to misconfiguration of wan-link, lack of internet connectivity over configured wan-link, incompatible or invalid data/config image pushed to appliance or any firewall rule that might be dropping UDP tunnel packets when received over wan-link. In such case, Cloud Direct service functionality is disabled on the appliance.
When you activate a configuration on MCN with different Cloud Direct configuration (For example: NAT configuration is changed for Cloud Direct) and it might lead to the permanent interruption of traffic. To overcome this block, you can follow either one of the following steps to select the different routes present on the appliance:
-
In the SD-WAN Center GUI, navigate to Configuration > Cloud Connectivity > Cloud Direct. Select the cloud direct appliance and click Disable option to disable the cloud direct service.
-
Navigate to Configuration > Cloud Connectivity > Cloud Direct and pull active config to get the clean-up notification. You can click the Cleanup Missing Sites notification button shown for the affected cloud direct appliance. This operation disables Cloud Direct service running on the appliance.
-
Redeploy the Cloud Direct service on SD-WAN Center to use the Cloud Direct service for affected appliances.