This is the second blog post in the Azure Cloud Networking series. In blog-post-1 of this series we looked at different types of Azure load balancers. There are certain advanced load balancing features that are not available currently with Azure load balancer such as Content Switching, Rewrite and Responder Policies and granular load balancing methods for which a 3rd party load balancer is needed. There is a large ecosystem of third-party network virtual appliances in Azure. In Part-1 of this blog post we will take a closer look at deploying a Citrix VPX Load Balancer in one-arm mode followed by Part-2 where we deploy a Cisco ASAv firewall.
Azure Network Virtual Appliances- Citrix VPX Deployment in Azure
Before we start, let’s test drive:
1. Test Drive (Click the link for real time experience)
Connect to Citrix Load Balancer VIP and hit refresh! This load balancer VIP sits behind the Cisco ASAv (The Blue Path in the diagram below). When you hit refresh the Citrix VPX will round robin between Red, Green and Blue servers
2. Reference Architecture with Citrix VPX Load Balancer and Cisco ASAv
3. Network Appliance Appliances – Vendor Ecosystem
Microsoft supports a large ecosystem of third party network appliance vendors.
These vendor appliances are available in Azure Market place as VM Images that you could readily deploy. This facilitates migration to Azure and organizations can continue to use the skills the team already has.
4. Current Limitations and Guidelines
You can configure additional inbound and outbound rules in NSG while creating the NetScaler virtual machine or after the virtual machine is provisioned. Each inbound and outbound rule is associated with a public port and a private port.
Before configuring NSG rules note that the following ports are reserved by the NetScaler virtual machine. You cannot define these as private ports when using the Public IP address for requests from the Internet. Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000
Routing Configuration for VMs in the Virtual Network
Azure VM ARP tables will show the same MAC address (1234.5678.9abc) for all known hosts. This ensures that all packets leaving an Azure VM will reach the Azure gateway where the Effective Routing Table will be used to determine the path of the packet.
nehali@nn-east-web-red:~$ ip -4 add show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 10.5.2.4/24 brd 10.5.2.255 scope global eth0
valid_lft forever preferred_lft forever
nehali@nn-east-web-red:~$ arp -an
? (10.5.2.7) at 12:34:56:78:9a:bc [ether] on eth0
? (10.5.2.8) at 12:34:56:78:9a:bc [ether] on eth0
? (10.5.2.1) at 12:34:56:78:9a:bc [ether] on eth0
5. Bastion Host
In the post-1 of this blog series we created management network and created a linux virtual machine as our Bastion host. We will use this bastion host to ssh into the VPX and ASAv management interface.
6. Citrix VPX Deployment in One-Arm Mode
This Citrix VPX deployment in Azure link explains the Citrix VPX deployment in Azure in detail and the differences with on-prem deployment. Before we deploy the VPX, let’s have a plan on what the interfaces are going to look like and the purpose. In a one-arm deployment in Azure, the Citrix VPX uses a single IP address that functions as a SNIP, VIP and VIP using different port numbers.
- High Level Configuration Steps:
- Deploy the VPX VM using Azure Market Place
- Choose “NetScaler 11.1 VPX Bring Your Own License”. It will install VPX-5 (Good for testing, does not require a license)
- The default NSG only allows tcp/22. Need to add tcp/443 and tcp/8081 later
- VPX will require a Public IP that will map to the internal IP 10.5.2.7 (SNIP, NSIP and VIP). After the VPX is provisioned, make sure this IP is static under Interface -> IP Configuration
- To configure the Citrix VPX via SSH to the 10.5.2.7 IP from the Bastion Host
- To configure Citrix VPX via GUI https://<PIP1>. Note: Disassociate the Public IP later when you put the VPX behind the NAT on the Cisco ASA
- Use the configuration Snipett below to configure the load balancer VIP
- Test VIP https://PIP1:8081
- Azure Screen Captures
VPX VM Networking
Citrix VPX Configuration for LB VIP:
Citrix VPX : Load Balancer Configuration
enable ns feature LB
add server red-sever 10.5.2.4
add server green-sever 10.5.2.5
add server blue-server 10.5.2.6
add service red-server-tcp-80 red-sever HTTP 80
add service green-server-tcp-80 green-sever HTTP 80
add service blue-server-tcp-80 blue-server HTTP 80
add lb vserver east-rgb-vserver HTTP 10.5.2.7 8081 -persistenceType NONE -cltTimeout 180
bind lb vserver east-rgb-vserver red-server-tcp-80
> sh ns ip
Ipaddress Traffic Domain Type Mode Arp Icmp Vserver State
--------- -------------- ---- ---- --- ---- ------- ------
1) 10.5.2.7 0 NetScaler IP|VIP Active Enabled Enabled NA Enabled
- Putting it all together: Create another Citrix VPX in the SE Asia Region. Configure the VPX as endpoints in Azure Traffic Manager as shown Part-1 of this blog series