NetScaler VPX

Deploy a NetScaler VPX instance on Microsoft Azure

When you deploy a NetScaler VPX instance on Microsoft Azure Resource Manager (ARM), you can use both of the following feature sets to achieve your business needs:

  • Azure cloud computing capabilities
  • NetScaler load balancing and traffic management features

You can deploy NetScaler VPX instances on ARM either as standalone instances or as high availability pairs in active-standby modes.

You can deploy a NetScaler VPX instance on the Microsoft Azure in two ways:

  • Through Azure Marketplace. The NetScaler VPX virtual appliance is available as an image in the Microsoft Azure Marketplace.

  • Using the NetScaler Azure Resource Manager (ARM) json template available on GitHub. For more information, see the GitHub repository for NetScaler solution templates.

Note:

Azure restricts access to traffic originating from outside Azure and blocks them. To provide access, enable the service or port by adding an inbound rule in the network security group attached to the NIC of the VM to which a public IP address is attached. For more information, see Azure documentation about Inbound NAT rules.

Prerequisite

You need some prerequisite knowledge before deploying a NetScaler VPX instance on Azure.

  • Familiarity with Azure terminology and network details. For information, see Azure terminology.

  • Knowledge of a NetScaler appliance. For detailed information the NetScaler appliance, see NetScaler

  • Knowledge of NetScaler networking. See the Networking topic.

How a NetScaler VPX instance works on Azure

In an on-premises deployment, a NetScaler VPX instance requires at least three IP addresses:

  • Management IP address, called NSIP address
  • Subnet IP (SNIP) address for communicating with the server farm
  • Virtual server IP (VIP) address for accepting client requests

For more information, see Network architecture for NetScaler VPX instances on Microsoft Azure.

Note:

NetScaler VPX instance supports both the Intel and AMD processors. VPX virtual appliances can be deployed on any instance type that has two or more virtualized cores and more than 2 GB memory. For more information on system requirements, see NetScaler VPX data sheet.

In an Azure deployment, you can provision a NetScaler VPX instance on Azure in three ways:

  • Multi-NIC multi-IP architecture
  • Single NIC multi-IP architecture
  • Single NIC single IP

Depending on your needs, you can use any of these supported architecture types.

Multi-NIC multi-IP architecture

In this deployment type, you can have more than one network interfaces (NICs) attached to a VPX instance. Any NIC can have one or more IP configurations - static or dynamic public and private IP addresses assigned to it.

For more information, see the following use cases:

Note:

To avoid MAC moves and interface mutes on Azure environments, Citrix recommends you to create a VLAN per data interface (without tag) of NetScaler VPX instance and bind the primary IP of NIC in Azure. For more information, see CTX224626 article.

Single NIC multi-IP architecture

In this deployment type, one network interfaces (NIC) associated with multiple IP configurations - static or dynamic public and private IP addresses assigned to it. For more information, see the following use cases:

Single NIC single IP

In this deployment type, one network interfaces (NIC) associated with a single IP address, which is used to perform the functions of NSIP, SNIP, and VIP.

For more information, see Configure a NetScaler VPX standalone instance.

Note:

The single IP mode is available only in Azure deployments. This mode isn’t available for a NetScaler VPX instance on your premises, on AWS, or in other types of deployment.

NetScaler VPX licensing

A NetScaler VPX instance on Azure requires a valid license. The licensing options available for NetScaler VPX instances running on Azure are:

  • Bring your own license (BYOL): To use the BYOL option, follow these steps:

    • Use the licensing portal on the NetScaler website to generate a valid license.
    • Upload the generated license to the instance.
  • NetScaler VPX Check-in and Check-out license: This licensing model allows you to check out a license from a pool of available licenses and check it back in when no longer needed. For more information and detailed instructions, see NetScaler VPX Check-in and Check-out License.

Note:

  • Subscription-based licensing is no longer supported for NetScaler VPX instances on Azure.

  • Do a warm restart before making any configuration changes on the NetScaler VPX instance to enable the correct NetScaler VPX license.

For the desired VPX performance, the following Azure instance types are recommended.

VPX performance
Azure instance types
VPX 1 NIC/2 NIC VPX 3 NIC VPX up to 8 NIC
Up to 200 Mbps Standard_D2s_v5 Standard_D8s_v5 Standard_D16_v5
Up to 1 Gbps Standard_D4s_v5 Standard_D8s_v5 Standard_D16_v5
Up to 5 Gbps Standard_D8ds_v5 Standard_D8ds_v5 Standard_D16_v5
Up to 10 Gbps Standard_D2_v5 Standard_D8_v5 Standard_D16_v5

Points to note

  • Azure supports VPX throughput up to 10 Gbps. For more information, see the NetScaler VPX Data Sheet.

  • To achieve optimal performance on NetScaler VPX instances with throughput over 1 Gbps, you must enable Azure accelerated networking. It is recommended to use an Azure instance type that supports accelerated networking for this purpose. For more information on configuring Accelerated networking, see Configure a NetScaler VPX instance to use Azure accelerated networking.

  • If you expect that you might have to shut down and temporarily deallocate the NetScaler VPX virtual machine at any time, assign a static Internal IP address while creating the virtual machine. If you do not assign a static internal IP address, Azure might assign the virtual machine a different IP address each time it restarts, and the virtual machine might become inaccessible.

  • For Citrix Virtual Apps and Desktops deployment, a VPN virtual server on a VPX instance can be configured in the following modes:

    • Basic mode, where the ICAOnly VPN virtual server parameter is set to ON. The Basic mode works fully on an unlicensed NetScaler VPX instance.
    • SmartAccess mode, where the ICAOnly VPN virtual server parameter is set to OFF. The SmartAccess mode works for only five NetScaler AAA session users on an unlicensed NetScaler VPX instance.

    Note:

    To configure the SmartControl feature, you must apply a Premium license to the NetScaler VPX instance.

IPv6 support for NetScaler VPX instance in Azure

NetScaler VPX standalone instance supports IPv6 addresses in Azure. You can configure the IPv6 addresses as VIP and SNIP addresses on NetScaler VPX standalone instance in Azure cloud.

For information on how to enable IPv6 on Azure, see the following Azure documentation:

For information on how the NetScaler appliance supports IPv6, see Internet Protocol version 6.

IPv6 Limitations:

  • IPv6 deployments in NetScaler currently do not support Azure backend autoscaling.
  • IPv6 is not supported for NetScaler VPX HA deployment.

Limitations

Running the NetScaler VPX load-balancing solution on ARM imposes the following limitations:

  • The Azure architecture does not accommodate support for the following NetScaler features:

    • Gratuitous ARP (GARP)
    • L2 Mode
    • Tagged VLAN
    • Dynamic Routing
    • virtual MAC
    • USIP
    • Clustering
  • When using a NetScaler VPX instance with a throughput exceeding 3 Gbps, the actual network throughput may not align with the throughput specified in the instance’s license. However, other features such as SSL throughput and SSL transactions per second might improve.

  • The deployment ID that is generated by Azure during virtual machine provisioning isn’t visible to the user in ARM. You can’t use the deployment ID to deploy NetScaler VPX appliance on ARM.

Deploy a NetScaler VPX instance on Microsoft Azure