Citrix SD-WAN Platforms

Install Citrix SD-WAN SE VPX on Google Cloud Platform

Deploying Citrix SD-WAN SE VPX on GCP enables organizations to establish a direct and highly secure connection between branches and applications hosted on GCP. It eliminates the need to backhaul cloud-bound traffic through the data center. The key benefits of using Citrix SD-WAN on GCP are:

  • Create direct connections from every branch site to GCP.

  • Ensure an always-on connection to GCP.

  • Extend your secure perimeter to the cloud.

  • Evolve to a simple and easy-to-manage branch network.

Citrix SD-WAN Standard Edition for GCP logically bonds multiple network links into a single secure logical virtual path. The solution enables organizations to use a variety of connections from different service providers to get highly resilient virtual WAN paths. These virtual paths function as an overlay that seamlessly aggregates bandwidth across multiple links and delivers a consistent user experience even if some of the member links go down or suffer degradation. This is enabled by the per-packet load balancing and monitoring capabilities of Citrix SD-WAN.

Summary of deployment steps

  1. Choose a region where you want to deploy the instance and create three VPCs in different subnets. Optionally, you can create another VPC for HA if needed.

    NIC                Associated network
    NIC 0 (default)    Management subnet
    NIC 1              LAN subnet
    NIC 2              WAN subnet
    NIC 3              HA subnet (optional)

    Note

    If you are creating a new management subnet, allow port 443 in its firewall rules.

  2. Create a Citrix SD-WAN SE instance and associate the interfaces with the VPCs.

  3. Create firewall rules on the WAN subnet VPC to enable ingress on UDP port 4980. The Citrix SD-WAN instance uses this port to create the virtual path.

  4. Create a route on LAN subnet VPC to intercept all the traffic generated from LAN.

  5. Access the Citrix SD-WAN SE VPX using the management IP address.

Create VPC networks

Create VPC networks that will be associated with the management subnet, LAN subnet, and WAN subnet. When you create an image, a default interface is available; this can be used as the management interface. Create two VPC networks for the LAN and WAN subnets.

  1. To create a VPC network, in the GCP console navigate to VPC network > VPC networks > Create VPC Network.

  2. Specify the name, description, region, and subnet IP address, and create a LAN VPC network.

  3. Similarly create a WAN VPC network.

  4. Optionally, for HA deployment create an HA VPC network.

    Note

    All four VPC networks must be in the same region.

  5. Create WAN link public IP.

  6. Associate the WAN Public IP to WAN subnet after creating the instance.

    Note

    For the HA secondary instance you do not have to associate the WAN Public IP.

Create the Citrix SD-WAN SE VPX instance

  1. In GCP Marketplace search for Citrix SD-WAN Standard Edition, open it, and click LAUNCH ON COMPUTE ENGINE.

  2. The required vCPUs and memory are selected by default. Select the GCP Region.

    Note

    The GCP region must be the same as the region of the VPC networks.

  3. From the Existing network1 list, select default; this is the management interface. Similarly, for Existing network2 and Existing network3, select the LAN and WAN subnets respectively. Ensure that useExNet is selected for all three networks and click Deploy.

    Note

    If you are creating a new management subnet, allow port 443 in its firewall rules.

  4. Optionally, create another instance for HA as described in the previous steps. Ensure that the LAN and WAN network and subnets are the same for both the HA instances.

  5. After the SD-WAN SE VPX instance is deployed, use the default user name and password provided by GCP to log in to the SD-WAN SE VPX.

Create firewall rule on WAN subnet VPC

  1. Navigate to VPC Network > VPC Networks > WAN subnet VPC. In the Firewall rules tab, click Add firewall rule.

  2. Allow ingress for all instances on UDP port 4980. This port is used by the SD-WAN instance to create an overlay network.

  3. Optionally, for HA deployment ensure that the same firewall rule is created on HA subnet VPC as well and the UDP port number 4980 is allowed.
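The firewall openings this page calls for (port 443 on the management subnet, UDP 4980 on the WAN subnet) can be checked after deployment. The following is an added example, not Citrix code: it audits firewall rules in the JSON shape produced by gcloud compute firewall-rules list --format=json. The rule names, network names and source ranges are constructed, and treating a management rule open to 0.0.0.0/0 as a finding is this example's assumption, not a statement from the page.

```python
import json

# Ingress the page calls for, keyed by VPC role: HTTPS to management,
# UDP 4980 on the WAN subnet for the virtual path.
REQUIRED = {"mgmt": ("tcp", 443), "wan": ("udp", 4980)}

# Constructed sample in the shape of `gcloud compute firewall-rules list
# --format=json`; rule names, network names and ranges are hypothetical.
SAMPLE_RULES = json.loads("""[
 {"name": "wan-vpath", "network": "projects/p/global/networks/sdwan-wan",
  "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "udp", "ports": ["4980"]}]},
 {"name": "mgmt-https", "network": "projects/p/global/networks/sdwan-mgmt",
  "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "wan-wide", "network": "projects/p/global/networks/sdwan-wan",
  "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
  "allowed": [{"IPProtocol": "udp", "ports": ["4000-5000"]}]}
]""")
ROLES = {"sdwan-mgmt": "mgmt", "sdwan-wan": "wan"}  # hypothetical VPC names

def covers(spec, port):
    """True if a port spec such as '443' or '4000-5000' includes port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit(rules, roles):
    """roles maps VPC network name to 'mgmt' or 'wan'.
    Returns (findings, roles whose required port no rule opens)."""
    findings, opened = [], set()
    for rule in rules:
        role = roles.get(rule["network"].rsplit("/", 1)[-1])
        if not role or rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        proto, port = REQUIRED[role]
        for allow in rule.get("allowed", []):
            ports = allow.get("ports") or []  # no ports listed means every port
            if allow["IPProtocol"] in (proto, "all") and (
                    not ports or any(covers(p, port) for p in ports)):
                opened.add(role)
            if allow["IPProtocol"] != proto or ports != [str(port)]:
                findings.append((rule["name"], "wider than %s:%d" % (proto, port)))
        # Assumption of this example: management HTTPS should not face any source.
        if role == "mgmt" and "0.0.0.0/0" in rule.get("sourceRanges", []):
            findings.append((rule["name"], "management open to 0.0.0.0/0"))
    return findings, sorted(set(roles.values()) - opened)

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, ROLES))
```

For an HA deployment, add the HA VPC to the role map with the "wan" role, since the page requires the same UDP 4980 rule there.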

Create a route on LAN subnet VPC

Create a route on LAN subnet VPC to intercept all the traffic generated from LAN.

  1. Navigate to VPC Network > VPC Networks > LAN subnet VPC. In the Routes tab, click Add route.

  2. Enter the Destination IP range, the LAN network of the other end. In the Next Hop field, select Specify IP address and in the Next hop IP address specify the SD-WAN LAN interface IP.

  3. Optionally, for HA deployment, on the primary instance configure the Alias IP. This is used as the LAN interface IP in SD-WAN configuration.

Access the SD-WAN SE VPX instance

Use the management interface IP address to access the GUI of the SD-WAN SE VPX instance. Use the default user name and password provided by GCP to log in to the SD-WAN SE VPX.

NOTE

  • From 10.2.6 and 11.0.3 release onwards, it is mandatory to change the default admin user account password while provisioning any SD-WAN appliance or deploying a new SD-WAN SE VPX. This change is enforced using both CLI and UI.

  • A system maintenance account, CBVWSSH, exists for development and debugging and has no external login permissions. The account can only be accessed through a regular administrative user’s CLI session.

For HA to work, ensure that in the SD-WAN configuration the WAN interface is configured with DHCP. Use the alias IP to configure the LAN interface.
