Cloud computing is about making it easier to get the services – both application services and the infrastructure services supporting those apps – we need.

“Easy” of course means different things to us in different situations. Sometimes easier means faster. Sometimes easier means less bureaucracy. Sometimes easier means lower cost.  Sometimes easier means simpler.

Today, Amazon Web Services made things easier by bringing the simplicity of 1-Click® to AWS Virtual Private Cloud (VPC).  This makes it even easier to launch NetScaler VPX into an AWS VPC.

The power of AWS VPC is that it lets us create private networks in the AWS cloud.  We can manage our own IP spaces, create multiple subnets, create AMIs with multiple interfaces attached to different subnets, etc. However, with power comes the potential for additional complexity.

This is where 1-Click for AWS VPC makes things easier. When we go to launch NetScaler into a VPC from the AWS Marketplace, we see a “1-Click Launch” tab. It prompts us to select:

  1. NetScaler version
  2. Region
  3. VPC settings
  4. EC2 instance type
  5. Key pair

For NetScaler, we worked with AWS so 1-Click sets up and attaches three elastic network interfaces (ENIs):

  • one for management,
  • one for the VIP (the “public interface”), and
  • one for the MIP/SNIP (“the private interface”).
Note that you need to make sure that each interface is attached to a different subnet. If you attach two different NetScaler interfaces to the same subnet in AWS, you may see packet loss. 

1-Click also attaches each ENI to whichever VPC subnet we choose.

Then AWS launches the AMI.

When launch completes, we get a running NetScaler AMI with three ENIs attached, and three IPs (one for each ENI). At this point, we can login (the NetScaler IP is the IP on the management ENI) and begin creating virtual servers, configuring load balancing, etc.

For security reasons, we’ve done the following:

  1. We did NOT attach EIPs to any IPs. This means that the NetScaler AMI – including the management IP – is not reachable from outside the VPC. If your VPC uses a Virtual Gateway or other method to provide a VPN access to your VPC you can administer the instance using the IP address of the network interface in the Management subnet. If you do not have VPN access to your VPC, best practice is to set up a “jump box” instance within the VPC, and then use this as the source for access to any/all management of other instances within the VPC.   If you do not have an existing method for reaching instances inside the VPC you can get instructions on creating a SSH jump box at the following link: https://s3.amazonaws.com/awsmp-usageinstructions/Creating_and_using_VPC.txt
  2. We did create a security group that is applied to the management ENI. This security group is configured to allow any/all management traffic to/from NetScaler.
  3. The Security groups defined for the public and private interfaces are set to “deny all.” The thinking here is that the security group policy on these interfaces is dependent upon the type of traffic being load balanced, which neither Citrix or AWS knows when launching the AMI. Therefore, we locked these interfaces down so that if someone adds an EIP to one of these interfaces, no traffic can be passed until the security group is also modified to allow this traffic. We thought about setting the security group to “allow all”. However, that would mean that if someone attached an EIP but forgot to change the security group, any/all traffic could be sent to the interface.

Also, there are situations where we might not need three interfaces, or might need more than three interfaces. Here we have a couple of options:

  1. We can always continue to launch using either the AWS CLI or the EC2 console. 1-Click is an option, not an obligation.
  2. Any NetScaler AMI set up via 1-click can be modified/changed via either the CLI or the EC2 console. We can always launch via 1-click, and the add/delete interfaces at a later time.

In most cases, it will be easiest to launch via 1-click, and then make any adjustments once the instance is up and running. However, there is always the option to by-pass 1-click altogether and launch via the console or CLI.