Deploy a NetScaler VPX instance on Microsoft Azure
When you deploy a NetScaler VPX instance on Microsoft Azure Resource Manager (ARM), you can use both of the following feature sets to achieve your business needs:
- Azure cloud computing capabilities
- NetScaler load balancing and traffic management features
You can deploy NetScaler VPX instances on ARM either as standalone instances or as high availability pairs in active-standby modes.
You can deploy a NetScaler VPX instance on the Microsoft Azure in two ways:
-
Through Azure Marketplace. The NetScaler VPX virtual appliance is available as an image in the Microsoft Azure Marketplace.
-
Using the NetScaler Azure Resource Manager (ARM) json template available on GitHub. For more information, see the GitHub repository for NetScaler solution templates.
The Microsoft Azure stack is an integrated platform of hardware and software that delivers the Microsoft Azure public cloud services in a local data center to let organizations construct hybrid clouds. You can now deploy the NetScaler VPX instances on the Microsoft Azure stack.
Note:
Azure restricts access to traffic originating from outside Azure and blocks them. To provide access, enable the service or port by adding an inbound rule in the network security group attached to the NIC of the VM to which a public IP address is attached. For more information, see Azure documentation about Inbound NAT rules.
Prerequisite
You need some prerequisite knowledge before deploying a NetScaler VPX instance on Azure.
-
Familiarity with Azure terminology and network details. For information, see Azure terminology.
-
Knowledge of a NetScaler appliance. For detailed information the NetScaler appliance, see NetScaler
-
Knowledge of NetScaler networking. See the Networking topic.
How a NetScaler VPX instance works on Azure
In an on-premises deployment, a NetScaler VPX instance requires at least three IP addresses:
- Management IP address, called NSIP address
- Subnet IP (SNIP) address for communicating with the server farm
- Virtual server IP (VIP) address for accepting client requests
For more information, see Network architecture for NetScaler VPX instances on Microsoft Azure.
Note:
NetScaler VPX instance supports both the Intel and AMD processors. VPX virtual appliances can be deployed on any instance type that has two or more virtualized cores and more than 2 GB memory. For more information on system requirements, see NetScaler VPX data sheet.
In an Azure deployment, you can provision a NetScaler VPX instance on Azure in three ways:
- Multi-NIC multi-IP architecture
- Single NIC multi-IP architecture
- Single NIC single IP
Depending on your needs, you can use any of these supported architecture types.
Multi-NIC multi-IP architecture
In this deployment type, you can have more than one network interfaces (NICs) attached to a VPX instance. Any NIC can have one or more IP configurations - static or dynamic public and private IP addresses assigned to it.
For more information, see the following use cases:
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
Note:
To avoid MAC moves and interface mutes on Azure environments, we recommend you to create a VLAN per data interface (without tag) of NetScaler VPX instance and bind the primary IP of NIC in Azure. For more information, see CTX224626 article.
Single NIC multi-IP architecture
In this deployment type, one network interface (NIC) associated with multiple IP configurations - static or dynamic public and private IP addresses assigned to it. For more information, see the following use cases:
- Configure multiple IP addresses for a NetScaler VPX standalone instance
- Configure multiple IP addresses for a NetScaler VPX standalone instance by using PowerShell commands
Single NIC single IP
In this deployment type, one network interface (NIC) associated with a single IP address, which is used to perform the functions of NSIP, SNIP, and VIP.
For more information, see Configure a NetScaler VPX standalone instance.
Note:
The single IP mode is available only in Azure deployments. This mode isn’t available for a NetScaler VPX instance on your premises, on AWS, or in other types of deployment.
NetScaler VPX licensing
A NetScaler VPX instance on Azure requires a license. The following licensing options are available for NetScaler VPX instances running on Azure.
-
Subscription-based licensing: NetScaler VPX appliances are available as paid instances on Azure Marketplace. Subscription-based licensing is a pay-as-you-go option. Users are charged hourly.
Note:
For subscription-based license instances, your subscription billing applies throughout the license period for a particular license model. Due to cloud restrictions, Azure does not support changing or removing the license model applicable for your subscription. To change or remove a subscription license, delete the existing ADC VM, and recreate a new ADC VM with the required license.
NetScaler provides technical support for subscription-based license instances. To file a support case, see Support for NetScaler on Azure – Subscription license with hourly price.
-
Bring your own license (BYOL): If you bring your own license (BYOL), see the VPX Licensing Guide at http://support.citrix.com/article/CTX122426. You have to:
- Use the licensing portal within the NetScaler website to generate a valid license.
- Upload the license to the instance.
Note:
In an Azure stack environment, BYOL is the only available licensing option.
-
NetScaler VPX Check-In/Check-Out licensing: For more information, see NetScaler VPX Check-In/Check-Out Licensing.
Starting with NetScaler release 12.0 56.20, NetScaler VPX Express for on-premises and cloud deployments does not require a license file. For more information on NetScaler VPX Express, see the “NetScaler VPX Express license” section in NetScaler licensing overview.
The following VPX models and license types are available on Azure Marketplace.
VPX model | License type | Recommended instances | ||
---|---|---|---|---|
VPX 1 NIC/2 NIC | VPX 3 NIC | VPX upto 8 NIC | ||
VPX200 | Advanced | Standard_D2s_v4 | Standard_DS3_v2 | Standard_DS4_v2 |
VPX1000 | Premium | Standard_D4s_v4 | Standard_DS3_v2 | Standard_DS4_v2 |
VPX5000 | Premium | Standard_D8ds_v5 | Standard_D8ds_v5 | Standard_DS4_v2 |
VPX BYOL
|
Customer Licensed | -
|
-
|
-
|
FIPS - Customer Licensed |
Note:
The recommended instances for VPX BYOL depends on the VPX license that you have purchased.
Points to note:
- You must enable Azure accelerated networking on NetScaler VPX instances to get the optimal performance on the following VPX models:
- VPX1000
- VPX5000
For more information on configuring Accelerated networking, see Configure a NetScaler VPX instance to use Azure accelerated networking.
-
The VPX8000 and VPX10000 licenses are available only as BYOL.
-
Regardless of the subscription-based hourly license bought from Azure Marketplace, in rare cases, the NetScaler VPX instance deployed on Azure might come up with a default NetScaler license. This happens due to issues with the Azure Instance Metadata Service (IMDS).
- Do a warm restart, before making any configuration change on the NetScaler VPX instance, to enable the correct NetScaler VPX license.
IPv6 support for NetScaler VPX instance in Azure
From release 13.1-21.x onwards, NetScaler VPX standalone instance supports IPv6 addresses in Azure. You can configure the IPv6 addresses as VIP and SNIP addresses on NetScaler VPX standalone instance in Azure cloud.
For information on how to enable IPv6 on Azure, see the following Azure documentation:
For information on how the NetScaler appliance supports IPv6, see Internet Protocol version 6.
IPv6 Limitations:
- IPv6 deployments in NetScaler currently do not support Azure backend autoscaling.
- IPv6 is not supported for NetScaler VPX HA deployment.
Limitations
Running the NetScaler VPX load-balancing solution on ARM imposes the following limitations:
-
The Azure architecture does not accommodate support for the following NetScaler features:
- Gratuitous ARP (GARP)
- L2 Mode
- Tagged VLAN
- Dynamic Routing
- virtual MAC
- USIP
- Clustering
Note:
With the NetScaler Application Delivery Management (ADM) Autoscale feature (cloud deployment), the ADC instances support clustering on all licenses. For information, see Autoscaling of NetScaler VPX in Microsoft Azure using NetScaler ADM.
-
If you expect that you might have to shut down and temporarily deallocate the NetScaler VPX virtual machine at any time, assign a static Internal IP address while creating the virtual machine. If you do not assign a static internal IP address, Azure might assign the virtual machine a different IP address each time it restarts, and the virtual machine might become inaccessible.
-
In an Azure deployment, only the following NetScaler VPX models are supported: VPX 10, VPX 200, VPX 1000, VPX 3000, and VPX 5000. For more information, see the NetScaler VPX Data Sheet.
If you use a NetScaler VPX instance with a model number higher than VPX 3000, the network throughput might not be the same as specified by the instance’s license. However, other features such as SSL throughput and SSL transactions per second might improve.
-
The deployment ID that is generated by Azure during virtual machine provisioning isn’t visible to the user in ARM. You cannot use the deployment ID to deploy NetScaler VPX appliance on ARM.
-
The NetScaler VPX instance supports 20 Mbps throughput and standard edition features when it’s initialized.
-
The NetScaler VPX instances on Azure with accelerated networking enabled, provides better performance. Azure accelerated networking is supported on NetScaler VPX instances from release 13.0 build 76.x onwards. To enable accelerated networking on NetScaler VPX, we recommend you to use an Azure instance type which supports accelerated networking.
-
For Citrix Virtual Apps and Desktops deployment, a VPN virtual server on a VPX instance can be configured in the following modes:
- Basic mode, where the
ICAOnly
VPN virtual server parameter is set to ON. The Basic mode works fully on an unlicensed NetScaler VPX instance. - SmartAccess mode, where the
ICAOnly
VPN virtual server parameter is set to OFF. The SmartAccess mode works for only five NetScaler AAA session users on an unlicensed NetScaler VPX instance.
Note:
To configure the SmartControl feature, you must apply a Premium license to the NetScaler VPX instance.
- Basic mode, where the