Network Virtual Appliances in Azure: Citrix VPX – Part-1

This is the second blog post in the Azure Cloud Networking series. In blog-post-1 of this series we looked at different types of Azure load balancers. There are certain advanced  load balancing  features that are not available currently with Azure load balancer such as Content Switching, Rewrite and Responder Policies and granular load balancing methods for which a 3rd party load balancer is needed. There is a large ecosystem of third-party network virtual appliances in Azure.  In Part-1 of this blog post we will take a closer look at deploying a Citrix VPX Load Balancer in one-arm mode followed by Part-2 where we deploy a Cisco ASAv firewall.

Azure Network Virtual Appliances- Citrix VPX Deployment in Azure

Before we start, let’s test drive: 

1. Test Drive (Click the link for real time experience)

Connect to Citrix Load  Balancer VIP and hit refresh!  This load balancer VIP sits behind the Cisco ASAv (The Blue Path in the diagram below). When you hit refresh the Citrix VPX will round robin between Red, Green and Blue servers

2. Reference Architecture with Citrix VPX Load Balancer and Cisco ASAv

Citrix VPX Load balancer and Cisco ASAv firewall in Azure - Reference Architecture
Reference Architecture


Azure Citrix and Cisco Reference Architecture
Traffic Flow with One-Arm Load Balancer and Cisco ASAv

3. Network Appliance Appliances – Vendor Ecosystem

Microsoft supports a large ecosystem of third party network appliance vendors.

Azure Network Virtual Appliances Vendor Ecosystem
Third Party Vendors in Azure

These vendor appliances are available in Azure Market place as VM Images that you could readily deploy. This facilitates migration to Azure and organizations can continue to use the skills the team already has.

4. Current Limitations and Guidelines

Citrix VPX Port Usage Guidelines

You can configure additional inbound and outbound rules in NSG while creating the NetScaler virtual machine or after the virtual machine is provisioned. Each inbound and outbound rule is associated with a public port and a private port.

Before configuring NSG rules note that the following ports are reserved by the NetScaler virtual machine. You cannot define these as private ports when using the Public IP address for requests from the Internet.  Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000

Routing Configuration for VMs in the Virtual Network

Azure VM ARP tables will show the same MAC address (1234.5678.9abc) for all known hosts. This ensures that all packets leaving an Azure VM will reach the Azure gateway where the Effective Routing Table will be used to determine the path of the packet.

5. Bastion Host

In the post-1 of this blog series we created management network and created a linux virtual machine as our Bastion host.  We will use this bastion host to ssh into the VPX and ASAv management interface.

6. Citrix VPX Deployment in One-Arm Mode

This Citrix VPX deployment in Azure link explains the Citrix VPX deployment in Azure in detail and the differences with on-prem deployment.  Before we deploy the VPX, let’s have a plan on what the interfaces are going to look like and the purpose.  In a one-arm deployment in Azure, the Citrix VPX uses a single IP address that functions as a SNIP, VIP and VIP using different port numbers.

Citrix Load Balancer Diagram

  • High Level Configuration Steps:
  1. Deploy the VPX VM using Azure Market Place
  2. Choose “NetScaler 11.1 VPX Bring Your Own License”. It will install VPX-5 (Good for testing, does not require a license)
  3. The default NSG only allows tcp/22. Need to add tcp/443 and tcp/8081 later
  4. VPX will require a Public IP that will map to the internal IP (SNIP, NSIP and VIP). After the VPX is provisioned, make sure this IP is static under Interface -> IP Configuration
  5. To configure the Citrix VPX via SSH to the IP from the Bastion Host
  6. To configure Citrix VPX via GUI https://<PIP1>. Note: Disassociate the Public IP later when you put the VPX behind the NAT on the Cisco ASA
  7. Use the configuration Snipett below to configure the load balancer VIP
  8. Test VIP https://PIP1:8081
  • Azure Screen Captures

VPX VM Networking

Azure VM Networking Panel

Citrix VPX Configuration for LB VIP:

  • Putting it all together: Create another Citrix VPX in the SE Asia Region. Configure the VPX as endpoints in Azure Traffic Manager as shown Part-1 of this blog series
Cisco ASAv Deployment
Citrix VPX behind Azure Traffic Manager
Nehali Neogi

Nehali Neogi

Principal Cloud Architect at Navisite
Nehali Neogi is a Principal Cloud Architect at Navisite, leading many of their global initiatives on building the next generation of hybrid cloud services. She enjoys designing and architecting reliable and highly available solutions for Navisite’s clients. She is a Cisco, VMware NSX and Azure certified Cloud Architect leading Hybrid Cloud offerings. Her interests are cloud technologies, Software Defined Networking, full stack engineering, and realizing the transition to DevOps and system Automation.Nehali holds an Expert Level Certification in VMware NSX(VCIX-NV) and Microsoft Certified Azure Cloud Architect.She holds Masters in Computer Engineering from UMass, Lowell.
Nehali Neogi

Latest posts by Nehali Neogi