Deploy the NetScaler Ingress Controller in Anthos
Anthos is a hybrid and multi-cloud platform that lets you run your applications on existing on-prem hardware or in the public cloud. It provides a consistent development and operation experience for cloud and on-premises environments.
NetScaler Ingress Controller can be deployed in Anthos GKE on-premises using the following deployment modes:
- Exposing NetScaler CPX with the sidecar ingress controller as a service of type LoadBalancer.
- Dual-tier Ingress deployment
Expose NetScaler CPX as a service of type LoadBalancer in Anthos GKE on-prem
In this deployment, NetScaler VPX or MPX is deployed outside the cluster at Tier-1 and NetScaler CPX at Tier-2 inside the Anthos cluster, similar to a dual-tier deployment. However, instead of using Ingress, the NetScaler CPX is exposed using the Kubernetes service of type LoadBalancer.
The NetScaler Ingress Controller automates the process of configuring the IP address provided in the LoadBalancerIP field of the service specification.
Prerequisites
- You must deploy a Tier-1 NetScaler VPX or MPX in the same subnet as the Anthos GKE on-prem user cluster.
- You must configure a subnet IP address (SNIP) on the Tier-1 NetScaler, and the Anthos GKE on-prem cluster nodes should be reachable using that IP address.
- To use a NetScaler VPX or MPX from a different network, use the node controller to enable communication between the NetScaler and the Anthos GKE on-prem cluster.
- You must set aside a virtual IP address (VIP) to be used as a Load Balancer IP address.
Deploy NetScaler CPX as service of type LoadBalancer in Anthos GKE on-premises
Perform the following steps to deploy NetScaler CPX as a service of type LoadBalancer in Anthos GKE on-premises.
1. Deploy the required application in your Kubernetes cluster and expose it as a service in your cluster using the following command.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/service-type-lb/apache.yaml
   Note: In this example, apache.yaml is used. You should use the specific YAML file for your application.
2. Deploy NetScaler CPX with the sidecar NetScaler Ingress Controller as Tier-2 Ingress device using the cpx-cic.yaml file.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/service-type-lb/cpx-cic.yaml
3. (Optional) Create a self-signed SSL certificate and a key to be used with the Ingress for TLS configuration.
    openssl req -subj '/CN=anthos-citrix-ingress.com/O=Citrix Systems Inc/C=IN' -new -newkey rsa:2048 -days 5794 -nodes -x509 -keyout $PWD/anthos-citrix-certificate.key -out $PWD/anthos-citrix-certificate.crt;openssl rsa -in $PWD/anthos-citrix-certificate.key -out $PWD/anthos-citrix-certificate.key
   Note: If you already have an SSL certificate, you can create the Kubernetes secret from it instead. This command is only an example of creating a self-signed certificate, and it assumes that the host name of the application is anthos-citrix-ingress.com.
4. Create a Kubernetes secret with the created SSL cert-key pair.
    kubectl --kubeconfig user-cluster-1-kubeconfig create secret tls anthos-citrix --cert=$PWD/anthos-citrix-certificate.crt --key=$PWD/anthos-citrix-certificate.key
5. Create an Ingress resource for Tier-2 using the tier-2-ingress.yaml file.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/service-type-lb/tier-2-ingress.yaml
6. Create a Kubernetes secret for the Tier-1 NetScaler.
    kubectl --kubeconfig user-cluster-1-kubeconfig create secret generic nslogin --from-literal=username='citrix-adc-username' --from-literal=password='citrix-adc-password'
7. Deploy the NetScaler Ingress Controller as a Tier-1 ingress controller.
   - Download the cic.yaml file.
   - Enter the management IP address of NetScaler. Update the Tier-1 NetScaler's management IP address in the placeholder Tier-1-Citrix-ADC-IP specified in the cic.yaml file.
   - Save and deploy the cic.yaml file using the following command.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f cic.yaml
8. Expose NetScaler CPX as a Kubernetes service of type LoadBalancer.
   - Download the cpx-service-type-lb.yaml file.
   - Edit the YAML file and specify the value of VIP-for-accessing-microservices as the VIP address which is to be used for accessing the applications inside the cluster. This VIP address is the one set aside to be used as a Load Balancer IP address.
   - Save and deploy the cpx-service-type-lb.yaml file using the following command.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f cpx-service-type-lb.yaml
9. Update the DNS records with the IP address of VIP-for-accessing-microservices for accessing the microservice. In this example, to access the Apache microservice, you must have the following DNS entry.
    <VIP-for-accessing-microservices> anthos-citrix-ingress.com
10. Use the following command to access the application.
    curl -k --resolve anthos-citrix-ingress.com:443:<VIP-for-accessing-microservices> https://anthos-citrix-ingress.com/
    <html><body><h1>It works!</h1></body></html>
   Note: In this command, --resolve anthos-citrix-ingress.com:443:<VIP-for-accessing-microservices> is used to override the DNS configuration part in step 9 for demonstration purposes.
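The steps above apply manifests directly from the master branch of a GitHub repository and rely on hand-editing placeholders before deployment. As an added example (not part of the NetScaler documentation), the following shell functions check a downloaded manifest against a SHA-256 digest recorded when the manifest was reviewed, and reject an edited manifest that still contains one of the placeholders named on this page. The function names and the <reviewed-sha256> value are assumptions.

```shell
#!/bin/sh
# Added example, not NetScaler's own tooling.
# Placeholder names are the ones this page tells you to replace.
PLACEHOLDERS='Tier-1-Citrix-ADC-IP VIP-for-accessing-microservices VIP-Citrix-ADC'

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED_SHA256
# 0 = file matches the digest recorded at review time, 1 = mismatch, 3 = no file.
verify_download() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 3; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ] && return 0
    echo "digest mismatch for $1: got $actual" >&2
    return 1
}

# check_placeholders FILE
# 0 = no documented placeholder is left, 2 = at least one is still present.
check_placeholders() {
    left=0
    for p in $PLACEHOLDERS; do
        # -F: match the placeholder as a fixed string; -n: show the line number
        if grep -n -F -- "$p" "$1" >&2; then
            echo "unreplaced placeholder '$p' in $1" >&2
            left=2
        fi
    done
    return "$left"
}

# Usage (URL from the page; <reviewed-sha256> is a value you record yourself):
#   curl -fsSLo tier-2-ingress.yaml https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/service-type-lb/tier-2-ingress.yaml
#   verify_download tier-2-ingress.yaml <reviewed-sha256> &&
#     kubectl --kubeconfig user-cluster-1-kubeconfig create -f tier-2-ingress.yaml
#   check_placeholders cic.yaml &&
#     kubectl --kubeconfig user-cluster-1-kubeconfig create -f cic.yaml
```

Run verify_download on the file as downloaded and check_placeholders on the file after editing, because replacing a placeholder changes the digest.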
Clean up the installation: Expose NetScaler CPX as service of type LoadBalancer
To clean up the installation, use the kubectl --kubeconfig delete command to delete each deployment.
To delete the NetScaler CPX service deployment (CPX+CIC service), use the following command:
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f cpx-service-type-lb.yaml
To delete the Tier-2 Ingress object, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f tier-2-ingress.yaml
To delete the NetScaler CPX deployment along with the sidecar NetScaler Ingress Controller, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f cpx-cic.yaml
To delete the stand-alone NetScaler Ingress Controller, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f cic.yaml
To delete the Apache microservice, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f apache.yaml
To delete the Kubernetes secret, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete secret anthos-citrix
To delete the nslogin secret, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete secret nslogin
Dual tier Ingress deployment
In a dual-tier Ingress deployment, NetScaler VPX or MPX is deployed outside the Kubernetes cluster (Tier-1) and NetScaler CPXs are deployed inside the Kubernetes cluster (Tier-2).
NetScaler MPX or VPX devices in Tier-1 proxy the traffic (North-South) from the client to NetScaler CPXs in Tier-2. The Tier-2 NetScaler CPX then routes the traffic to the microservices in the Kubernetes cluster. The NetScaler Ingress Controller deployed as a standalone pod configures the Tier-1 NetScaler. The sidecar NetScaler Ingress Controller in one or more NetScaler CPX pods configures the associated NetScaler CPX in the same pod.
Prerequisites
- You must deploy a Tier-1 NetScaler VPX or MPX in the same subnet as the Anthos GKE on-prem user cluster.
- You must configure a subnet IP address (SNIP) on the Tier-1 NetScaler, and the Anthos GKE on-prem cluster nodes should be reachable using that IP address.
- To use a NetScaler VPX or MPX from a different network, use the node controller to enable communication between the NetScaler and the Anthos GKE on-prem cluster.
- You must set aside a virtual IP address to be used as a front-end IP address in the Tier-1 Ingress manifest.
Dual-tier Ingress deployment in Anthos GKE on-prem
Perform the following steps to deploy a dual-tier Ingress deployment of NetScaler in Anthos GKE on-prem.
1. Deploy the required application in your Kubernetes cluster and expose it as a service in your cluster using the following command.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/dual-tiered-ingress/apache.yaml
   Note: In this example, apache.yaml is used. You should use the specific YAML file for your application.
2. Deploy NetScaler CPX with the NetScaler Ingress Controller as Tier-2 Ingress using the cpx-cic.yaml file.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/dual-tiered-ingress/cpx-cic.yaml
3. Expose NetScaler CPX as a Kubernetes service using the cpx-service.yaml file.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/dual-tiered-ingress/cpx-service.yaml
4. (Optional) Create a self-signed SSL certificate and a key to be used with the Ingress for TLS configuration.
   Note: If you already have an SSL certificate, you can create the Kubernetes secret from it instead.
    openssl req -subj '/CN=anthos-citrix-ingress.com/O=Citrix Systems Inc/C=IN' -new -newkey rsa:2048 -days 5794 -nodes -x509 -keyout $PWD/anthos-citrix-certificate.key -out $PWD/anthos-citrix-certificate.crt;openssl rsa -in $PWD/anthos-citrix-certificate.key -out $PWD/anthos-citrix-certificate.key
   Note: This command is only an example of creating a self-signed certificate, and it assumes that the host name of the application is anthos-citrix-ingress.com.
5. Create a Kubernetes secret with the created SSL cert-key pair.
    kubectl --kubeconfig user-cluster-1-kubeconfig create secret tls anthos-citrix --cert=$PWD/anthos-citrix-certificate.crt --key=$PWD/anthos-citrix-certificate.key
6. Create an Ingress resource for Tier-2 using the tier-2-ingress.yaml file.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/anthos/manifest/dual-tiered-ingress/tier-2-ingress.yaml
7. Create a Kubernetes secret for the Tier-1 NetScaler.
    kubectl --kubeconfig user-cluster-1-kubeconfig create secret generic nslogin --from-literal=username='citrix-adc-username' --from-literal=password='citrix-adc-password'
8. Deploy the NetScaler Ingress Controller as a Tier-1 ingress controller.
   - Download the cic.yaml file.
   - Enter the management IP address of NetScaler. Update the Tier-1 NetScaler's management IP address in the placeholder Tier-1-Citrix-ADC-IP specified in the cic.yaml file.
   - Save and deploy the cic.yaml file using the following command.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f cic.yaml
9. Create an Ingress resource for Tier-1 using the tier-1-ingress.yaml file.
   - Download the tier-1-ingress.yaml file.
   - Edit the YAML file and replace VIP-Citrix-ADC with the VIP address which was set aside.
   - Save and deploy the tier-1-ingress.yaml file using the following command.
    kubectl --kubeconfig user-cluster-1-kubeconfig create -f tier-1-ingress.yaml
10. Update the DNS records with the IP address of VIP-Citrix-ADC for accessing the microservice. In this example, to access the Apache microservice, you must have the following DNS entry.
    <VIP-Citrix-ADC> anthos-citrix-ingress.com
11. Use the following command to access the application.
    curl -k --resolve anthos-citrix-ingress.com:443:<VIP-Citrix-ADC> https://anthos-citrix-ingress.com/
    <html><body><h1>It works!</h1></body></html>
   Note: In this command, --resolve anthos-citrix-ingress.com:443:<VIP-Citrix-ADC> is used to override the DNS configuration part.
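The --from-literal form used for the nslogin secret in both procedures places the NetScaler user name and password on the command line, where they are visible in shell history and the process list. As an added example (not from the NetScaler documentation), the function below reads both values from standard input and hands them to kubectl through private temporary files with --from-file. The function name create_nslogin_secret is an assumption.

```shell
#!/bin/sh
# Added example, not NetScaler's own tooling: create the nslogin secret
# without credentials in argv.

# create_nslogin_secret KUBECONFIG
# Reads two lines from stdin: the user name, then the password.
# Returns kubectl's exit status, or 2 if either value is missing.
create_nslogin_secret() {
    kubeconfig=$1
    IFS= read -r ns_user || return 2
    IFS= read -r ns_pass || return 2
    [ -n "$ns_user" ] && [ -n "$ns_pass" ] || return 2

    old_umask=$(umask)
    umask 077                     # temp files readable by the current user only
    tmpdir=$(mktemp -d) || { umask "$old_umask"; return 1; }
    # printf '%s' writes no trailing newline. --from-file stores the file
    # bytes verbatim, so a stray newline would become part of the password.
    printf '%s' "$ns_user" > "$tmpdir/username"
    printf '%s' "$ns_pass" > "$tmpdir/password"
    umask "$old_umask"

    rc=0
    kubectl --kubeconfig "$kubeconfig" create secret generic nslogin \
        --from-file=username="$tmpdir/username" \
        --from-file=password="$tmpdir/password" || rc=$?

    rm -rf "$tmpdir"              # remove the plaintext copies either way
    unset ns_user ns_pass
    return "$rc"
}

# Interactive use (terminal echo is off while both values are typed):
#   stty -echo; create_nslogin_secret user-cluster-1-kubeconfig; stty echo
```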
Clean up the installation: Dual tier Ingress
To clean up the installation, use the kubectl --kubeconfig delete command to delete each deployment.
To delete the Tier-1 Ingress object, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f tier-1-ingress.yaml
To delete the Tier-2 Ingress object, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f tier-2-ingress.yaml
To delete the NetScaler CPX deployment along with the sidecar NetScaler Ingress Controller, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f cpx-cic.yaml
To delete the NetScaler CPX service deployment, use the following command:
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f cpx-service.yaml
To delete the stand-alone NetScaler Ingress Controller, use the following command:
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f cic.yaml
To delete the Apache microservice, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete -f apache.yaml
To delete the Kubernetes secret, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete secret anthos-citrix
To delete the nslogin secret, use the following command.
kubectl --kubeconfig user-cluster-1-kubeconfig delete secret nslogin