Product Documentation
NetScaler VPX
14.1-Current Release 13.1 12.1
View PDF

Deploy a NetScaler VPX HA pair in Azure using the secondary IP configurations

March 4, 2025
Contributed by: 
C

You can deploy a NetScaler VPX high availability pair in Azure with both NetScaler VPX instances on the same virtual network (VNet), using the secondary IP configurations of the network interfaces (NICs). This HA deployment eliminates the need for the Azure Load Balancer (ALB). During failover, the secondary private IP addresses assigned to the client-side and server-side NICs of the primary node are migrated to the secondary node. All the public IP addresses associated with these secondary private IP addresses are also moved accordingly.

Important:

Before starting the deployment, ensure that your Azure environment meets the prerequisites to avoid any issues during the setup.

The following are some of the benefits of using secondary IP configurations:

  • Simplified failover: Secondary IP addresses enable automatic migration of virtual IP addresses (VIPs) and subnet IP addresses (SNIPs) between HA nodes, ensuring seamless failover without the need for external load balancing.
  • Scalability: Multiple IP addresses can be assigned to a single NIC, allowing flexible traffic routing and scaling of services within the same VM.
  • Resilience: The ability to move secondary private IP addresses between nodes enhances network availability and provides quick recovery during node failure.
  • Cost efficiency: By eliminating the need for an ALB, you reduce infrastructure costs while maintaining high availability and traffic management within the same subnet.

The following illustration depicts an HA failover scenario by migrating secondary private IP addresses.

Azure HA pip migration

Prerequisites to deploy a NetScaler VPX HA pair using Azure secondary IP configurations

  • Use NetScaler version 14.1–34.42 or later.

  • Ensure that your subscription has the new Azure control plane enabled.

Note:

If the new Azure control plane is not enabled for your subscription, high-availability deployments might experience a longer failover duration. In such cases, contact Azure support for assistance in enabling the new control plane.

How to deploy a NetScaler VPX HA pair using Azure secondary IP configurations

To deploy a NetScaler VPX HA pair using the secondary IP configurations in Azure, follow these steps:

  1. Deploy two NetScaler VPX instances in Azure, each with three network interfaces in the same resource group and VNet.
  2. Assign a managed identity to both the NetScaler VPX instances.
  3. Assign Azure secondary IP configurations to the client and server network interfaces of the primary node.
  4. Configure the VIP and SNIP on the primary node using the Azure private IP address from the secondary IP configuration.
  5. Configure the primary private IP addresses of the server network interfaces on both the primary and secondary NetScaler instances to be the VIP, on the primary node.
  6. Configure HA on both the nodes.

Step 1. Deploy two NetScaler VPX instances (primary and secondary nodes) in the same resource group and VNet. Ensure that each NetScaler VPX instance has three NICs: Ethernet 0, Ethernet 1, and Ethernet 2.

For detailed steps, see Deploy two VPX instances on Azure.

Step 2. Apply either a system-assigned or a user-assigned managed identity to both the NetScaler VPX instances.

Note:

The Azure service principal is not supported for this feature.

For details, see Managed identities for Azure resources.

For instructions on configuring a managed identity on NetScaler VPX, see Configure a managed identity on a virtual machine.

Step 3. Add one of the following Azure role assignments to the managed identity associated with the NetScaler VPX instances.

  • Reader and Network Contributor: Grants read-only access to Azure resources and the permissions required to manage networking resources.
  • Contributor: Provides full access to Azure resources.

Step 4. On the primary node, assign private IP addresses to Ethernet 1 (client IP or VIP) and Ethernet 2 (back-end server IP or SNIP).

The Azure portal automatically assigns primary private IP addresses to the configured NICs. To assign more private IP addresses for the VIP and SNIP network interfaces, use secondary IP configurations.

To assign a secondary IP configuration to a network interface in Azure, follow these steps:

  1. Log in to the Azure Portal and navigate to Virtual Machines.
  2. Select the virtual machine associated with the network interface.
  3. In the virtual machine settings, go to Network settings and select the NIC to which you want to add a secondary private IP address.
  4. In the Network Interface settings, click the IP configurations tab.

  5. Click Add to assign an IP configuration of type Secondary.

    • If you choose a static allocation method, enter a specific IPv4 address within the subnet range for the instance.
    • If you choose a dynamic allocation method, Azure automatically assigns an IP address.
  6. Click Add or Save to apply the changes.

Step 5. Configure VIP and SNIP on the primary node using the private IP addresses from the secondary IP configuration.

  1. Access the primary node using SSH. Open an SSH client and run the following command:

    ssh -i <location of your private key> nsroot@<public DNS of the instance>

  2. Configure the VIP and SNIP addresses.

    For configuring the VIP address, run the following command:

    add ns ip <IPAddress> <netmask> -type VIP

    Example:

    add ns ip 192.0.2.11 255.255.255.0 -type VIP

    For configuring the SNIP address, run the following command:

    add ns ip <IPAddress> <netmask> -type SNIP

    Example:

    add ns ip 192.0.3.11 255.255.255.0 -type SNIP

  3. Save the configuration by running the save config command.

  4. Verify the configured IP addresses using the following command:

    show ns ip

Step 6. Configure the primary private IP addresses of the server network interfaces on both the primary and secondary NetScaler instances to be the VIP, on the primary node.

  1. Access the primary node using SSH. Open an SSH client and run the following command:

    ssh -i <location of your private key> nsroot@<public DNS of the instance>

    Example:

    ssh -i ~/.ssh/mykey.pem nsroot@primary-instance.eastus.cloudapp.azure.com

  2. On the primary node, configure the primary private IP address of Ethernet 2 (back-end server NIC) of both the primary and secondary NetScaler instances to be the VIP:

    add ns ip <private IPaddress of primary instance> <netmask> -type VIP

add ns ip <private IPaddress of secondary instance> <netmask> -type VIP

    Example:

    add ns ip 192.0.3.10 255.255.255.0 -type VIP

add ns ip 192.0.3.20 255.255.255.0 -type VIP

Step 7. Configure HA on both nodes.

  1. On the primary node, open a Shell client and run the following command:

    add ha node <peer node id> <private IP address of the management NIC of the secondary node>

    Example:

    add ha node 1 192.0.1.20

  2. On the secondary node, run the following command:

    add ha node <peer node id> <private IP address of the management NIC of the primary node>

    Example:

    add ha node 1 192.0.1.10

  3. Save the configuration by running the save config command.

  4. Verify the configured HA nodes by running the show ha node command.

    During failover, the secondary IP configurations for the VIP and SNIP network interfaces are moved from the previous primary node to the new primary node.

Deploy a NetScaler VPX HA pair in Azure using the secondary IP configurations
March 4, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999-2025 Cloud Software Group, Inc. All rights reserved.