Citrix SD-WAN

Azure

The procedure to deploy zero touch deployment process for cloud instances is slightly different from appliance deployment for zero touch service.

Update the configuration to add a new remote site with a ZTD capable SD-WAN cloud device using SD-WAN Center network configuration

If the SD-WAN configuration was not built using the SD-WAN Center Network Configuration, import the active configuration from the MCN and begin modifying the configuration using SD- WAN Center. For Zero Touch Deployment capability, the SD-WAN Administrator must build the configuration using SD-WAN Center. The following procedure should be used to add a new cloud node targeted for zero touch deployment.

  1. Design the new site for SD-WAN cloud deployment by first outlining the details of the new site (i.e. VPX size, Interface Groups usage, Virtual IP Addresses, WAN Link(s) with bandwidth and their respective Gateways).

    Note

    • Cloud deployed SD-WAN instances must be deployed in Edge/Gateway mode.

    • The template for the cloud instance is limited to three interfaces; Management, LAN, and WAN (in that order).

    • The available Azure cloud templates for SD-WAN VPX are currently hard-set to obtain the 10.9.4.106 IP for the WAN, 10.9.3.106 IP for the LAN, and 10.9.0.16 IP for the Management address.  The SD-WAN configuration for the Azure node targeted for Zero Touch must match this layout.

    • The Azure site name in the configuration must be all lowercase with no special characters (e.g. ztdazure).

    localized image

    This is an example deployment of a SD-WAN cloud deployed site, the Citrix SD-WAN device is deployed as the edge device servicing a single Internet WAN link in this cloud network.  Remote sites will be able to leverage multiple distinct Internet WAN links connecting into this same Internet Gateway for the cloud, providing resiliency and aggregated bandwidth connectivity from any SD-WAN deploy site to the cloud infrastructure.  This provides cost effective and highly reliable connectivity to the cloud.

  2. Open the SD-WAN Center web management interface and navigate to the Configuration > Network Configuration page.

    localized image

  3. Make sure a working configuration is already in place, or import the configuration from the MCN.

  4. Navigate to the Basic tab to create a new site.

  5. Open the Sites tile to display the currently configured sites.

  6. Quickly built the configuration for the new cloud site by utilizing the clone feature of any existing site, or manually build a new site.

    localized image

  7. Populate all the required fields from the topology designed earlier for this new cloud site.

    Keep in mind that the template available for Azure cloud ZTD deployments is currently hard-set to obtain the 10.9.4.106 IP for the WAN, 10.9.3.106 IP for the LAN, and 10.9.0.16 IP for the Management address.  If the configuration is not set to match the expected VIP address for each interface, then the device will not be able to properly establish ARP to the cloud environment gateways and IP connectivity to the Virtual Path of the MCN.

    It is import that the site name be compliant with what Azure expects.  The site name must be in all lower case, at least 6 characters, with no special characters, it must confirm to the following regular expression ^[a-z][a-z0-9-]{1,61}[a-z0-9]$.

    localized image

  8. After cloning a new site, navigate to the site’s Basic Settings, and verify that the Model of SD-WAN is correctly selected which would support the zero touch service.

    localized image

  9. Save the new configuration on SD-WAN Center, and use the export to the “Change Management inbox” option to push the configuration using Change Management.

  10. Follow the Change Management procedure to properly stage the new configuration, which makes the existing SD-WAN devices aware of the new site to be deployed via zero touch, you will need to utilize the “Ignore Incomplete” option to skip attempting to push the configuration to the new site that still needs to go through the ZTD workflow.

    localized image

  1. In the Zero Touch Deployment page, login with your Citrix account credentials. Under the Deploy New Site tab, select the running network configuration file.

  2. After the running configuration file is selected, the list of all the branch sites with ZTD capable Citrix SD-WAN devices will be displayed.

    localized image

  3. Select the target cloud site you want to deploy using the Zero Touch service, click Enable, and then Provision and Deploy.

    localized image

  4. A pop-up window will appear, where the Citrix SD-WAN Admin can initiate the deployment for Zero Touch.  Validate that the site name complys with the requirements on Azure (lowercase with no special characters). Populate an email address where the activation URL can be delivered, and select Azure as the Provision Type for the desired Cloud, before clicking Next.

    localized image

  5. After clicking Next, the Provision and Deploy Azure (step 1of 2) window will require input of obtained from the Azure account.

    Copy and paste each required field after obtaining the information from your Azure account.  The steps below outline how to obtain the required Subscription ID, Application ID, Secret Key, and Tenant ID from your Azure account, then proceed by clicking Next.

    localized image

    1. On the Azure account, we can identify the required Subscription ID by navigating to “More Services” and select Subscriptions.

      localized image

    2. To identify the required *Application ID, navigate to Azure Active Directory, Application registrations, and click New application registration.

      localized image

    3. In the app registration create menu, enter a Name and a Sign-on URL (this can be any URL, the only requirement is that it must be valid), then click Create.

      localized image

    4. Search for and open the newly created Registered App, and note the Application ID.

      localized image

    5. Again open the newly created Registration App, and to identify the required Security Key, under API Access, select Required permissions, to allow a third party to provision and instance. Then select Add.

      localized image

    6. When adding the Required permissions, Select an API, then highlight Windows Azure Service Management API.

      localized image

    7. Enable Delegate Permissions to provision instances, then click Select and Done.

      localized image

    8. For this Registered App, under API Access, select Keys, and create a secret key description and the desired duration for the key to be valid.  Then click Save which will produce a secret key (the key is only required for the provisioning process, it can be deleted after the instance is made available).

      localized image

    9. Copy and save the secret key (note you will not be able to retrieve this later).

      localized image

    10. To identify the required Tenant ID, navigate back to the App registration pane, and select Endpoints.

      localized image

    11. Copy the Federation Metadata Document, to identify your Tenant ID (note the Tenant ID is 36-character string located between the “online.com/” and the “/federation” in the URL).

      localized image

    12. The last item required is the SSH Public Key.  This can be created using Putty Key Generator or ssh-keygen and will be utilized for authentication, eliminating the need for passwords to log in.  The SSH public key can be copied (including the heading ssh-rsa and trailing rsa-key strings).  This public key will be shared through SD-WAN Center input to the Citrix Zero Touch Deployment Service.

      localized image

    13. Additional steps are required to assign the application a role.  Navigate back to More Services, then Subscriptions.

      localized image

    14. Select the active subscription, then Access control (AIM), next click Add.

      localized image

    15. In the add permissions pane, select “Owner” role, assign access to Azure AD user, group, or application and search for the registered app in the Select field to allow the Zero Touch Deployment Cloud Service to create and configure the instance on the Azure subscription. Once the app is identified, select it and make sure it populates as a Selected member before clicking Save.

      localized image

    16. After collecting the required inputs and entering them into SD-WAN Center, click Next.  If the inputs are not correct, you will encounter an authentication failure.

      localized image

SD-WAN center provision and deploy Azure (Step 2 of 2)

  1. Once the Azure authentication is successful, populate the appropriate fields to select the desired Azure Region, and the appropriate Instance Size, then click Deploy.

    localized image

  2. Navigating to the Pending Activation tab in SD-WAN Center, will help track the current status of the deployment.

    localized image

  3. An email with an activation code will be delivered to the email address inputted in step 1, obtain the email and open the activation URL to trigger the process and check the activation status.

    localized image

  4. An email with an activation URL will be delivered to the email address inputted in step 1.  Obtain the email and open the activation URL to trigger the process and check the activation status.

    localized image

  5. It will take a few minutes for the instance to be provisioned by the SD-WAN Cloud Service.  You can monitor the activity on the Azure portal, under Activity log for the Resource Group which is automatically created.  Any issues or errors with the provisioning will be populated here, as well as replicated to SD-WAN Center in the Activation Status.

    localized image

  6. In the Azure portal, the successfully launched instance will be available under Virtual Machines.  To obtain the assigned public IP, navigate to the Overview for the instance.  

    localized image

  7. After the VM is in a running state, give it a minute before the service will reach out and start the process of downloading the configuration, software and license.

    localized image

  8. After each of the SD-WAN Cloud service steps are automatically complicated, log in to the SD-WAN instances web interface using the public IP obtained from the Azure portal.

    localized image

  9. The Citrix SD-WAN Monitoring Statistics page will identify successful connectivity from the MCN to the SD-WAN instance in Azure.

    localized image

  10. Furthermore, the successful (or unsuccessful) provisioning attempt will be logged in the SD-WAN Center’s Activation History page.

    localized image

Azure