How to set up dual-tier deployment
In a dual-tier deployment, NetScaler VPX or MPX is deployed outside the Kubernetes cluster (Tier-1) and NetScaler CPXs are deployed inside the Kubernetes cluster (Tier-2).
NetScaler MPX or VPX devices in Tier-1 proxy the North-South traffic from the client to NetScaler CPXs in Tier-2. The Tier-2 NetScaler CPX then routes the traffic to the microservices in the Kubernetes cluster. The NetScaler Ingress Controller deployed as a standalone pod configures the Tier-1 NetScaler, and the sidecar NetScaler Ingress Controller in one or more NetScaler CPX pods configures the associated NetScaler CPX in the same pod.
The dual-tier deployment can be set up on Kubernetes in a bare metal environment or on public clouds such as AWS, GCP, or Azure.
The following diagram shows a Dual-Tier deployment:
Setup process
The NetScaler Ingress Controller repo provides a sample Apache microservice and manifests for NetScaler CPX for Tier-2, an ingress object for Tier-2 NetScaler CPX, NetScaler Ingress Controller, and an ingress object for Tier-1 NetScaler for demonstration purposes. These samples are used in the setup process to deploy a dual-tier topology.
Perform the following:
1. Create a Kubernetes cluster in the cloud or on-premises. The Kubernetes cluster in the cloud can be a managed Kubernetes (for example, GKE, EKS, or AKS) or a custom-created Kubernetes deployment.
2. Deploy NetScaler MPX or VPX in multi-NIC deployment mode outside the Kubernetes cluster.
   - For instructions to deploy NetScaler MPX, see NetScaler documentation.
   - For instructions to deploy NetScaler VPX, see Deploy a NetScaler VPX instance.
   Perform the following after you deploy NetScaler VPX or MPX:
   - Configure an IP address from the subnet of the Kubernetes cluster as SNIP on the NetScaler. For information on configuring SNIPs in NetScaler, see Configuring Subnet IP Addresses (SNIPs).
   - Enable management access for the SNIP that is in the same subnet as the Kubernetes cluster. The SNIP should be used as the NS_IP variable in the NetScaler Ingress Controller YAML file to enable NetScaler Ingress Controller to configure the Tier-1 NetScaler.
     Note: It is not mandatory to use the SNIP as NS_IP. If the management IP address of the NetScaler is reachable from NetScaler Ingress Controller, you can use the management IP address as NS_IP.
   - In cloud deployments, enable MAC-Based Forwarding mode on the Tier-1 NetScaler VPX. As NetScaler VPX is deployed in multi-NIC mode, it would not have the return route to reach the pod CNI network or the client network. Hence, you need to enable MAC-Based Forwarding mode on the Tier-1 NetScaler VPX to handle this scenario.
   - Create a NetScaler system user account specific to NetScaler Ingress Controller. NetScaler Ingress Controller uses the system user account to automatically configure the Tier-1 NetScaler.
   - Configure your on-premises firewall or security groups on your cloud to allow inbound traffic to the ports required for NetScaler. The setup process uses port 80 and port 443; you can modify these ports based on your requirement.
3. Deploy a sample microservice. Use the following command:
       kubectl create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/dual-tier/manifest/apache.yaml
4. Deploy NetScaler CPX as Tier-2 ingress. Use the following command:
       kubectl create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/dual-tier/manifest/tier-2-cpx.yaml
5. Create an ingress object for the Tier-2 NetScaler CPX. Use the following command:
       kubectl create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/dual-tier/manifest/ingress-tier-2-cpx.yaml
6. Deploy the NetScaler Ingress Controller for Tier-1 NetScaler. Perform the following:
   - Download the NetScaler Ingress Controller manifest file. Use the following command:
         wget https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/dual-tier/manifest/tier-1-vpx-cic.yaml
   - Edit the NetScaler Ingress Controller manifest file and enter the values for the following environment variables:

     | Environment Variable | Mandatory or Optional | Description |
     | --- | --- | --- |
     | NS_IP | Mandatory | The IP address of the NetScaler appliance. For more details, see Prerequisites. |
     | NS_USER and NS_PASSWORD | Mandatory | The user name and password of the NetScaler VPX or MPX appliance used as the Ingress device. For more details, see Prerequisites. |
     | EULA | Mandatory | The End User License Agreement. Specify the value as Yes. |
     | LOGLEVEL | Optional | The log levels to control the logs generated by NetScaler Ingress Controller. By default, the value is set to DEBUG. The supported values are: CRITICAL, ERROR, WARNING, INFO, and DEBUG. For more information, see Log Levels. |
     | NS_PROTOCOL and NS_PORT | Optional | Defines the protocol and port that must be used by NetScaler Ingress Controller to communicate with NetScaler. By default, NetScaler Ingress Controller uses HTTPS on port 443. You can also use HTTP on port 80. |
     | ingress-classes | Optional | If multiple ingress load balancers are used to load balance different ingress resources, you can use this environment variable to specify that NetScaler Ingress Controller configures the NetScaler associated with a specific ingress class. For information on Ingress classes, see Ingress class support. |
     | NS_VIP | Optional | NetScaler Ingress Controller uses the IP address provided in this environment variable to configure a virtual IP address to the NetScaler that receives Ingress traffic. |

   - Deploy the updated NetScaler Ingress Controller manifest file. Use the following command:
         kubectl create -f tier-1-vpx-cic.yaml
7. Create an ingress object for the Tier-1 NetScaler. Use the following command:
       kubectl create -f https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/dual-tier/manifest/ingress-tier-1-vpx.yaml
8. Update DNS server details in the cloud or on-premises to point your website to the VIP of the Tier-1 NetScaler.
   For example:
       citrix-ingress.com 192.250.9.1
   Where 192.250.9.1 is the VIP of the Tier-1 NetScaler and citrix-ingress.com is the microservice running in your Kubernetes cluster.
9. Access the URL of the microservice to verify the deployment.
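
The kubectl create and wget commands in the steps above read manifests from the repository's master branch, which can change between the time a manifest is reviewed and the time it is applied. The following added example (not code from the NetScaler repo) fetches a manifest from one reviewed commit and refuses to apply it unless its SHA-256 digest matches the value recorded at review time. The function names are hypothetical, the commit and digest are values you supply, and curl, sha256sum, and kubectl are assumed to be on the PATH.

```bash
# Added example, not code from the NetScaler repo.
RAW=https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller
DIR=deployment/dual-tier/manifest

# pinned_url COMMIT FILE: raw URL of FILE at COMMIT instead of the moving master.
pinned_url() {
  case $1 in
    *[!0-9a-f]* | "") echo "commit must be a lowercase hex SHA" >&2; return 1 ;;
  esac
  [ "${#1}" -eq 40 ] || { echo "commit must be a full 40-character SHA" >&2; return 1; }
  printf '%s/%s/%s/%s\n' "$RAW" "$1" "$DIR" "$2"
}

# digest_ok FILE SHA256: succeed only if FILE hashes to the recorded digest.
digest_ok() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# apply_pinned COMMIT FILE SHA256: download, verify, and only then create.
apply_pinned() {
  url=$(pinned_url "$1" "$2") || return 1
  tmp=$(mktemp) || return 1
  if curl -fsSL -o "$tmp" "$url" && digest_ok "$tmp" "$3"; then
    kubectl create -f "$tmp"
    rc=$?
  else
    echo "refusing $2: download failed or digest mismatch" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (placeholders, fill in after reviewing the files at that commit):
#   apply_pinned <COMMIT_SHA> apache.yaml <SHA256_RECORDED_AT_REVIEW>
```

For tier-1-vpx-cic.yaml, which is edited before it is applied, run digest_ok on the downloaded file first and make the edits afterwards.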
Set up dual-tier deployment using one step deployment manifest file
For easy deployment, the NetScaler Ingress Controller repo includes an all-in-one deployment manifest. You can download the file, update it with values for the following environment variables, and deploy the manifest file.
Note: Ensure that you have completed steps 1–2 in the Setup process.
Perform the following:
1. Download the all-in-one deployment manifest file. Use the following command:
       wget https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/dual-tier/manifest/all-in-one-dual-tier-demo.yaml
2. Edit the all-in-one deployment manifest file and enter the values for the following environment variables:

   | Environment Variable | Mandatory or Optional | Description |
   | --- | --- | --- |
   | NS_IP | Mandatory | The IP address of the NetScaler appliance. For more details, see Prerequisites. |
   | NS_USER and NS_PASSWORD | Mandatory | The user name and password of the NetScaler VPX or MPX appliance used as the Ingress device. For more details, see Prerequisites. |
   | EULA | Mandatory | The End User License Agreement. Specify the value as Yes. |
   | LOGLEVEL | Optional | The log levels to control the logs generated by NetScaler Ingress Controller. By default, the value is set to DEBUG. The supported values are: CRITICAL, ERROR, WARNING, INFO, and DEBUG. For more information, see Log Levels. |
   | NS_PROTOCOL and NS_PORT | Optional | Defines the protocol and port that must be used by NetScaler Ingress Controller to communicate with NetScaler. By default, NetScaler Ingress Controller uses HTTPS on port 443. You can also use HTTP on port 80. |
   | ingress-classes | Optional | If multiple ingress load balancers are used to load balance different ingress resources, you can use this environment variable to specify that NetScaler Ingress Controller configures the NetScaler associated with a specific ingress class. For information on Ingress classes, see [Ingress class support](/en-us/netscaler-k8s-ingress-controller/configure/ingress-classes.html). |
   | NS_VIP | Optional | NetScaler Ingress Controller uses the IP address provided in this environment variable to configure a virtual IP address to the NetScaler that receives Ingress traffic. Note: NS_VIP acts as a fallback when the frontend-ip annotation is not provided in the Ingress YAML. Not supported for services of type LoadBalancer. |

3. Deploy the updated all-in-one deployment manifest file. Use the following command:
       kubectl create -f all-in-one-dual-tier-demo.yaml
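
Both environment-variable tables (for tier-1-vpx-cic.yaml in the Setup process and for the all-in-one manifest here) describe values that are worth checking before running kubectl create. The following script is an added example, not code from the NetScaler repo: it reads a manifest on stdin and reports missing mandatory variables, unsupported values, NS_USER or NS_PASSWORD written as literal values instead of a Kubernetes secretKeyRef, and HTTP management access. The function names, the IPv4-only check on NS_IP, and the sample values are assumptions made for the example.

```bash
# Added example, not code from the NetScaler repo. Reads a manifest on stdin.
# Print NAME=value for literal env entries and NAME=@ref for valueFrom entries.
cic_env() {
  awk -v q="'" '
    /^[ \t]*-[ \t]*name:/ { n = $0; sub(/^[^:]*:[ \t]*/, "", n); gsub("[\"" q "]", "", n); next }
    n != "" && /^[ \t]*value:/ { v = $0; sub(/^[^:]*:[ \t]*/, "", v); gsub("[\"" q "]", "", v); print n "=" v; n = "" }
    n != "" && /^[ \t]*valueFrom:/ { print n "=@ref"; n = "" }'
}

# env_get ENVTEXT NAME: first value recorded for NAME, empty when absent.
env_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# cic_findings ENVTEXT: one finding per line, checked against the table above.
cic_findings() {
  for v in NS_IP NS_USER NS_PASSWORD EULA; do
    [ -n "$(env_get "$1" "$v")" ] || echo "ERROR $v: mandatory, not set"
  done
  ip=$(env_get "$1" NS_IP)   # assumption: NS_IP is written as an IPv4 literal
  [ -z "$ip" ] || printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
    echo "ERROR NS_IP: not an IPv4 address"
  for v in NS_USER NS_PASSWORD; do
    case $(env_get "$1" "$v") in "" | @ref) ;;
      *) echo "WARN $v: literal credential in the manifest, reference a Secret" ;; esac
  done
  case $(env_get "$1" EULA) in "" | [Yy][Ee][Ss]) ;; *) echo "ERROR EULA: must be Yes" ;; esac
  case $(env_get "$1" LOGLEVEL) in "" | CRITICAL | ERROR | WARNING | INFO | DEBUG) ;;
    *) echo "ERROR LOGLEVEL: unsupported value" ;; esac
  case "$(env_get "$1" NS_PROTOCOL)/$(env_get "$1" NS_PORT)" in
    [Hh][Tt][Tt][Pp]/* | */80) echo "WARN NS_PROTOCOL/NS_PORT: HTTP, credentials travel unencrypted" ;;
  esac
}

# Print the findings; return 1 when there is at least one.
lint_cic_manifest() {
  _out=$(cic_findings "$(cic_env)")
  [ -z "$_out" ] && return 0
  printf '%s\n' "$_out"; return 1
}

# Constructed sample: literal credentials and HTTP management.
sample_env() {
  printf '%s\n' '- name: "NS_IP"' '  value: "192.0.2.10"' '- name: "NS_USER"' \
    '  value: "cic-user"' '- name: "NS_PASSWORD"' '  value: "constructed"' \
    '- name: "EULA"' '  value: "yes"' '- name: "NS_PROTOCOL"' '  value: "HTTP"'
}
sample_env | lint_cic_manifest || true
```

Run it against an edited file with lint_cic_manifest < all-in-one-dual-tier-demo.yaml and apply the manifest only when the function returns 0.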