{"id":7241,"date":"2021-12-06T02:30:12","date_gmt":"2021-12-06T02:30:12","guid":{"rendered":"https:\/\/www.insentragroup.com\/au\/insights\/uncategorized\/deploying-citrix-adcs-in-microsoft-azure-adc-ha-availability-set\/"},"modified":"2024-09-17T08:15:49","modified_gmt":"2024-09-17T08:15:49","slug":"deploying-citrix-adcs-in-microsoft-azure-adc-ha-availability-set","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/cloud-and-modern-data-center\/deploying-citrix-adcs-in-microsoft-azure-adc-ha-availability-set\/","title":{"rendered":"Deploying Citrix ADCs in Microsoft Azure \u2013 ADC HA Availability Set"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"287\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_featured_2-1024x287.png\" alt=\"\" class=\"wp-image-7242\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_featured_2-1024x287.png 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_featured_2-300x84.png 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_featured_2-768x215.png 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_featured_2.png 1063w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In this blog, we deploy <a href=\"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/modern-workplace\/moving-citrix-adc-as-easy-as-abc\/\" target=\"_blank\" rel=\"noreferrer noopener\">Citrix ADCs<\/a> in a more advanced fashion for Azure.<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>ADC HA AVAILABILITY SET TEMPLATE<\/span><\/h3>\n\n\n.elementor-widget-theme-post-featured-image {\n display: none !important;\n}\n\n\n\n\n<p>This post will focus on deploying <a href=\"https:\/\/www.insentragroup.com\/au\/services\/managed-services\/citrix-adc-as-a-service\/\" target=\"_blank\" rel=\"noreferrer noopener\">Citrix Application Delivery Controllers (ADCs)<\/a> in Microsoft Azure using the pre-defined&nbsp;<strong>Availability Set<\/strong>&nbsp;deployment using a&nbsp;<a href=\"https:\/\/docs.citrix.com\/en-us\/advanced-concepts\/implementation-guides\/citrix-adc-vpx-on-azure-disaster-recovery-deployment-guide.html#multi-nic-multi-ip-architecture-three-nic\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">3 Network Interface (NIC), 3 IP model.<\/a><\/p>\n\n\n\n<p>To address a load of frowning ADC people before they get grumpy, I do not for a second claim to be an ADC guy, nor do I typically think HA for ADC deployments are a good use of the appliances (GSLB is much nicer), however I am a consultant who has been through a few of these, so here are my learnings should customers wants to deploy a HA pair in Microsoft Azure.<\/p>\n\n\n\n<p>One of the challenges with base template currently is it deploys all public IP and Azure ALB components at the&nbsp;<strong>basic<\/strong>&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/load-balancer\/skus\" rel=\"nofollow noopener\" target=\"_blank\">Sku<\/a>, which quite frankly is nasty to work with. Basic load balancers are limited in their connectivity and reachability capability in advanced networking configurations are slow and do not offer the monitoring capability you are likely wanting. As such, you are best off switching to a&nbsp;<strong>standard<\/strong>&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/load-balancer\/skus\" rel=\"nofollow noopener\" target=\"_blank\">Sku<\/a>&nbsp;load balancer.<\/p>\n\n\n\n<p>The Availability Zone template already includes some of the relevant changes (such as deploying the Azure Load Balancer (ALB) and public IP addresses at the appropriate Sku).<\/p>\n\n\n\n<p>Default output of the ADC HA Availability Set Template:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>1 x Availability Set<\/li><li>2 x VMs (ADC Appliances)<\/li><li>2 x OS Disks<\/li><li>1 x Azure Public Load Balancer (basic)<\/li><li>6 x Network Interfaces across three unique subnets (Management, Frontend, Backend)<\/li><li>6 x Network Security Groups, 1 per interface<\/li><li>3 x Public IP Address (2 of these are for management and need to be killed asap)<\/li><li>1 x Storage Account for diagnostics<\/li><\/ul>\n\n\n\n<p>Each ADC is configured with the defaults below:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>1 x Management (NSIP) interface (with a public IP attached)<\/li><li>1 x SNIP for Frontend traffic<\/li><li>1 x SNIP for Backend traffic<\/li><li>1 x VIP for the public IP that is housed on the Azure LB (the ADC owns this IP; the ALB activates it on the fabric)<\/li><li>HA using Independent Network Configuration (INC) mode<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1377\" height=\"133\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1.jpg\" alt=\"\" class=\"wp-image-7244\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1.jpg 1377w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1-300x29.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1-1024x99.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1-768x74.jpg 768w\" sizes=\"(max-width: 1377px) 100vw, 1377px\" \/><\/figure>\n\n\n\n<p>Out of the box, the template caters for a single load balanced public facing VIP. Given most use cases require additional load balancing internally, you typically need an additional internal Azure Load Balancer.&nbsp;<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>WHY THE AZURE LOAD BALANCER?<\/span><\/h3>\n\n\n\n<p>There are only two ways of making an IP address \u201clive\u201d on the Azure fabric. Either assigning the IP address onto a network interface itself, or by assigning to an Azure Load Balancer. The challenge with assigning an IP address onto a NIC, is&nbsp;it can only live on one NIC and as such, we lose the ability to float the&nbsp;IP across two ADC\u2019s.&nbsp;This is why&nbsp;we utilise an Azure LB, and specifically, we configure its rules with floating IP enabled, also known as Direct Server Return.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"989\" height=\"227\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_2.jpg\" alt=\"\" class=\"wp-image-7246\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_2.jpg 989w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_2-300x69.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_2-768x176.jpg 768w\" sizes=\"(max-width: 989px) 100vw, 989px\" \/><\/figure>\n\n\n\n<p>There is a custom probe configured on the Azure Load Balancer to probe the SNIP of the ADC on TCP port 9000. Only the active node will respond on TCP 9000, and as such, the ALB forwards traffic to the active node of the ADC pair. Should the ADC failover, the secondary SNIP will respond, and traffic is redirected accordingly.<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>WHY ANOTHER AZURE LOAD BALANCER?<\/span><\/h3>\n\n\n\n<p>Well, this one is simple. The rules of public inbound (such as a Gateway) are the same for internal inbound to the ADC for services such as StoreFront, or callback Gateways etc. We want to deploy an Internal Azure LB and probe the backend SNIP to find out who is active and who is not, we then create rules to allow traffic to pass accordingly. <\/p>\n\n\n\n<p>This typically results in a model like below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"578\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_3_1.jpg\" alt=\"\" class=\"wp-image-7248\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_3_1.jpg 669w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_3_1-300x259.jpg 300w\" sizes=\"(max-width: 669px) 100vw, 669px\" \/><\/figure>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>ADC INDEPENDENT NETWORK CONFIGURATION (INC) MODE<\/span><\/h3>\n\n\n\n<p>INC mode for the HA pair is critical for ADC operations in Azure. The following snippet from Citrix docs describes the why:<em>In the HA-INC mode, the SNIP address of the ADC-VPX-0 and ADC-VPX-1 VMs are different while in the same subnet, unlike with the classic on-premises ADC HA deployment where both are the same. To support deployments when the VPX pair SNIP is in different subnets, or anytime the VIP is not in the same subnet as a SNIP, you must either enable Mac-Based Forwarding (MBF) or add a static host route for each VIP to each VPX node.<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"99\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1-1024x99.jpg\" alt=\"\" class=\"wp-image-7244\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1-1024x99.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1-300x29.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1-768x74.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_1.jpg 1377w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If you rebuild the HA for any reason and forget to configure INC mode, your probes from the ALB will fail.<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>ADC ROUTING<\/span><\/h3>\n\n\n\n<p>ADC routing in Azure tends to be unique in each deployment, however there are a basic set of rules and considerations to watch for. By default, ADCs in Azure are configured with Mac Based Forwarding (MBF), a feature most of us would typically be used to ignoring outside of explicit scenarios. Additionally, you will find the default route is configured to use that of the gateway associated with the&nbsp;<strong>management interface<\/strong>, or in ADC terms, NIC01-0 and NIC01-1 accordingly.<\/p>\n\n\n\n<p>You will quickly want to be aligning your ADC routing for internal subnets to that of your Azure methodology. Typically, we tend to send the default APIPA ranges back to a firewall<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>10.0.0.0, 255.0.0.0,&nbsp;<strong>GatewayIP<\/strong><\/li><li>172.16.0.0, 255.240.0.0,&nbsp;<strong>GatewayIP<\/strong><\/li><li>192.168.0.0, 255.255.0.0,&nbsp;<strong>GatewayIP<\/strong><\/li><\/ul>\n\n\n\n<p>Do not forget the rules of Azure route tables! Many deployments will be utilising multiple vnets, vnet peering, BGP and all sorts of route propagation controls. Using the effective routes view on each NIC, can quickly identify where routing challenges lay and why things may not quite be what you expect. The golden rule in Azure: a user defined route will always override a system defined route. In simple terms, you will need to tell Azure exactly what to do, if you want ADC backend traffic traversing a firewall (NVA).<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>NETWORK SECURITY GROUPS (NSG\u2019S)<\/span><\/h3>\n\n\n\n<p>The majority of Azure work I do consist of assigning NSG\u2019s to the subnet level. ADC deployments differ in that with the default template, you get 6 interfaces and 6 corresponding NSG\u2019s, assigned at the interface level.<\/p>\n\n\n\n<p>The ADCs are going to receive traffic inbound from the internet via the Azure Public Load Balancer. This will be the second network interface or nic11-0 and nic11-1 for the respective ADC. This NIC needs to have the appropriate inbound port rules defined to allow traffic to flow to the ADC. These configurations are unique to each interface, so you will need to ensure you make these changes on both, to cater for a failover.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"192\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_4-1024x192.jpg\" alt=\"\" class=\"wp-image-7250\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_4-1024x192.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_4-300x56.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_4-768x144.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_4.jpg 1495w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The end-to-end flow of opening up a flow to the ADC tends to look like this:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Associate an IP Address with the Frontend load balancer (make it live on the fabric)<\/li><li>Create a rule on the Azure Load Balancer defining a frontend port and a backend port. This effectively opens up the port on the Azure Load Balancer and sends it to the backend port which is the ADC VIP. This must have floating IP enabled<\/li><li>Add the IP address to the ADC and define it as a VIP (vip, gateway, content switch etc). Normal rules of ADC configurations apply<\/li><li>Define your inbound rules on the appropriate NSG for the appropriate interface to let the traffic pass<\/li><li>Test open ports and throw through traffic&nbsp;<a href=\"https:\/\/www.yougetsignal.com\/tools\/open-ports\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Open Port Check Tool \u2013 Test Port Forwarding on Your Router (yougetsignal.com)<\/a><\/li><\/ul>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>ARM TEMPLATE<\/span><\/h3>\n\n\n\n<p>The default arm template does not support (as at time of writing) deploying a standard Azure Load Balancer, it deploys a basic. Conversely, the Availability Zone template deploys a standard to support AZ requirements, so a bit of hacking and cracking, and I have altered the default Citrix Availability Set ARM template to use a standard Azure LB. I am also requesting Citrix make this change, or at least make it an option.<\/p>\n\n\n\n<p>To support this change, I needed to alter a few things. In the parameters file, I needed to alter the IP address SKU to be standard rather than basic (you cannot mix and match these things).<\/p>\n\n\n\n\n\ncode {\n  padding: 0.125rem 0.25rem;\n  color: #c7254e;\n  background-color: #f9f2f4;\n  border-radius: 0.25rem;\n}\n\npre code {\n  padding: 0;\n  background-color: transparent;\n  border-radius: 0;\n}\n\npre {\n  font-size: 0.875rem;\n  line-height: 1.5em;\n  border-radius: 0.25rem;\n  padding: 0.59375rem;\n}\n.highlight pre {\n  border: none;\n  background: none;\n  margin: 0;\n}\n.highlight &gt; pre {\n  background-image: linear-gradient(\n    rgba(0,0,0,0.03), rgba(0,0,0,0.03) 1.5em, rgba(0,0,0,0.02) 1.5em, rgba(0,0,0,0.02) 3em);\n  background-size: auto 3em;\n  background-position-y: 0.625rem;\n  border: 1px solid rgba(0,0,0,0.1);\n  border-left: 0.4375rem solid #444;\n}\n.highlight &gt; pre:not([class~=&#8221;highlight&#8221;]) { \/* code block with line number *\/\n  padding: 0;\n}\n.highlight table,\n.highlight tr,\n.highlight td { \/* to be removed after fixing table styles *\/\n  border: none;\n  background: none;\n  padding: 0;\n  margin: 0;\n}\n.highlight pre.lineno {\n  color: rgba(0,0,0,0.3);\n  border-radius: 0;\n  border-right: 2px solid #444;\n}\n\n\n\n\n\n<div class=\"language-plaintext highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>        \"lbsku\": {\n        \"type\": \"string\"\n    },\n    \"lbtier\": {\n        \"type\": \"string\"\n    },\n    \"publicIpsku\": {\n        \"allowedValues\": [\n            \"Basic\",\n            \"Standard\"\n        ],\n        \"type\": \"string\",\n        \"metadata\": {\n            \"description\": \"Sku for Public IP Address\"\n        }\n    }\n<\/code><\/pre><\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>I also needed to alter the Public IP Sku to use the parameter<\/p>\n\n\n\n<div class=\"language-plaintext highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>    \"sku\": {\n        \"name\": \"[parameters('publicIpsku')]\"\n    } Additionally, I needed to add the load balancer Sku and Tier into the ALB block\n\n    \"sku\": {\n        \"name\": \"[parameters('lbsku')]\",\n        \"tier\": \"[parameters('lbtier')]\"\n    }, In my parameters file, I needed to add the new params we defined\n\n \"lbsku\": {\n        \"value\": \"Standard\"\n    },\n    \"lbtier\": {\n        \"value\": \"Regional\"\n    },\n    \"publicIpsku\": {\n        \"value\": \"Standard\"\n    } The ARM template is [available here](https:\/\/github.com\/JamesKindon\/Citrix\/tree\/master\/Azure\/ADC%20ARM%20Template%20-%20HA%20AS%20-%20Standard%20ALB) if you would like to use it\n<\/code><\/pre><\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>Before you can deploy the template, you will need to accept the marketplace terms via PowerShell. The below should take of this for you<\/p>\n\n\n\n<div class=\"language-plaintext highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Get-AzMarketplaceTerms -Publisher \"citrix\" -Product \"netscalervpx-130-byol\" -Name \"netscalervpx-130-byol\" | Set-AzMarketplaceTerms -Accept\nGet-AzMarketplaceTerms -Publisher \"citrix\" -Product \"netscalervpx-130\" -Name \"netscalervpx-130\" | Set-AzMarketplaceTerms -Accept\nGet-AzMarketplaceTerms -Publisher \"citrix\" -Product \"netscalervpx-130\" -Name \"netscalervpx-130-byol\" |Set-MarketplaceTerms -Accept\nGet-AzMarketplaceTerms -Publisher \"citrix\" -Product \"netscalervpx-130-byol\" -Name \"netscalervpx-130\" | Set-AzMarketplaceTerms -Accept\nGet-AzMarketplaceTerms -Publisher \"citrix\" -Product \"netscalervpx-130\" -Name \"netscalerbyol\" | Set-AzMarketplaceTerms -Accept\n<\/code><\/pre><\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>For your ARM deployment, it\u2019s pretty simple<\/p>\n\n\n\n<div class=\"language-plaintext highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>New-AzResourceGroupDeployment -ResourceGroupName RG-AE-ADC -TemplateFile \"C:UsersJames KindonOneDriveAzureADCARM Template ADCtemplate_std.json\" -TemplateParameterFile \"C:UsersJames KindonOneDriveAzureADCARM Template ADCparameters.json\"\n<\/code><\/pre><\/div><\/div>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>MONITORING<\/span><\/h3>\n\n\n\n<p>One of the benefits of using a standard Azure ALB, is the monitoring which comes with it. You can view almost real time metrics on traffic flows and probe health etc all from within Azure Monitor.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"288\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_9-1024x288.jpg\" alt=\"\" class=\"wp-image-7252\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_9-1024x288.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_9-300x84.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_9-768x216.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_9.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The below image outlines my Azure Load Balancers:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"288\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_10-1024x288.jpg\" alt=\"\" class=\"wp-image-7254\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_10-1024x288.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_10-300x84.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_10-768x216.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_10.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Along with a nice view of how traffic will flow based on probe status:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"336\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_11-1024x336.jpg\" alt=\"\" class=\"wp-image-7256\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_11-1024x336.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_11-300x99.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_11-768x252.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_11.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Observe in the below image, my VPX-1 appliance is active and responding:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"372\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_12-1024x372.jpg\" alt=\"\" class=\"wp-image-7258\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_12-1024x372.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_12-300x109.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_12-768x279.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_12.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"117\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_13-1024x117.jpg\" alt=\"\" class=\"wp-image-7260\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_13-1024x117.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_13-300x34.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_13-768x88.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_13.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>When I fail the ADC over there will be an interim delay (the data doesn\u2019t update in real-time)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"253\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_14-1024x253.jpg\" alt=\"\" class=\"wp-image-7262\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_14-1024x253.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_14-300x74.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_14-768x190.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_14.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"132\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_15-1024x132.jpg\" alt=\"\" class=\"wp-image-7264\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_15-1024x132.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_15-300x39.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_15-768x99.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_15.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"260\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_16-1024x260.jpg\" alt=\"\" class=\"wp-image-7266\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_16-1024x260.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_16-300x76.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_16-768x195.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_16.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We can also drill down to see specific config flows and status:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"356\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_17-1024x356.jpg\" alt=\"\" class=\"wp-image-7268\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_17-1024x356.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_17-300x104.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_17-768x267.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_17.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Over time we can start trending the availability and behaviours of the ADC and view the traffic flow distribution. We always expect to see one node taking the majority of traffic.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"441\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_18-1024x441.jpg\" alt=\"\" class=\"wp-image-7270\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_18-1024x441.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_18-300x129.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_18-768x331.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_18.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Under our detailed metric overview, we will always only ever see a single node available also \u2013 these statistics are aggregated log analytics data.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"517\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_19-1024x517.jpg\" alt=\"\" class=\"wp-image-7272\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_19-1024x517.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_19-300x152.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_19-768x388.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_19.jpg 1429w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Network Virtual Appliances (ADC\u2019s) also show up nicely in Azure Monitor, however it is not supported to push the more advanced monitoring agents onto them, unfortunately.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"303\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_20-1024x303.jpg\" alt=\"\" class=\"wp-image-7274\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_20-1024x303.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_20-300x89.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_20-768x227.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_20.jpg 1429w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>And of course, for the best solution around, you can always integrate your ADC\u2019s with ControlUp and gain some insight into what\u2019s going on within the appliances themselves:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"113\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_21-1024x113.jpg\" alt=\"\" class=\"wp-image-7276\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_21-1024x113.jpg 1024w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_21-300x33.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_21-768x85.jpg 768w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2021\/12\/james_kinden_blog_12062021_img_21.jpg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #f16020;color: #f16020\"><span>SUMMARY AND KEY TAKEAWAYS<\/span><\/h3>\n\n\n\n<p>Deploying ADCs into Microsoft Azure is always a fun adventure. The first time you do it, it can be overwhelmingly complex.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>It is important to leverage the tools available in Azure to gain an insight into how your ADCs are performing and how related components are interacting<\/li><li>By simply deploying the correct Sku types, you get the above information and detail automatically along with a far more management capability and speed of execution<\/li><li>For those of us dealing with customer facing environments, engage the networking teams who manage the Azure landscape early, you will be thankful you did<\/li><li>HA INC mode is critical in Azure \u2013 if you misconfigure it, goodnight<\/li><li>NSG configurations will trick you at least once, check them with a fine tooth comb<\/li><li>Azure Routing is key \u2013 the normal rules apply to ADC interfaces and not all is always as it seems<\/li><li>MBF is enabled by default<\/li><\/ul>\n\n\n\n<p>Good luck<\/p>\n\n\n\n<p>Note: This blog was originally published on <a href=\"https:\/\/jkindon.com\/deploying-citrix-adcs-in-microsoft-azure\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">jkindon.com<\/a> and reposted here with permission.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post will focus on deploying Citrix Application Delivery Controllers (ADCs) in Microsoft Azure using the pre-defined\u00a0Availability Set\u00a0deployment using a\u00a03 Network Interface (NIC), 3 IP model.<\/p>\n","protected":false},"author":86,"featured_media":7278,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[148,149,150,76,46,79,59,151],"class_list":["post-7241","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-and-modern-data-center","tag-adc","tag-arm","tag-automation","tag-azure","tag-citrix","tag-cloud","tag-microsoft","tag-netscaler","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/7241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/users\/86"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/comments?post=7241"}],"version-history":[{"count":19,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/7241\/revisions"}],"predecessor-version":[{"id":8912,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/7241\/revisions\/8912"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media\/7278"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media?parent=7241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/categories?post=7241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/tags?post=7241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}