As more and more customers pivot toward the cloud, the Citrix Consulting team has had the benefit of collaborating with Microsoft on a wide list of projects to help organizations deliver workspaces from Microsoft Azure Resource Manager (Azure). From these successes, we have found that with Azure as the foundation for your Citrix Cloud deployment, understanding the key principles for Azure design is critical to success.
Jeff Mitchell, Microsoft Cloud Solution Architect, and I want to consolidate and share lessons learned through five architecture principles:
Operations – Operations encompasses a wide variety of topics, image management, service monitoring, business continuity, support, etc. A variety of tools are available to assist with automation of operations including Azure PowerShell, Azure CLI, ARM Templates, and Azure API.
For this blog post, we will focus on the business continuity aspect of operations. Customers should architect their Azure deployments in a way that accommodates the criticality of their workload and maintenance cycles that come with consuming a cloud service. Architecting availability in cloud can be broken into three different levels: component, datacenter, and regional. Component level availability starts by having a N+1 configuration for each system tier, paired with the appropriate service level monitoring. Datacenter availability is facilitated using Azure Availability Sets, designed to protect customers from datacenter failures. Availability Sets can be used to separate Azure VMs into separate fault and update domains within a datacenter to reduce the risk of an outage during planned and unplanned maintenance. Each tier of a Citrix deployment should be in its own Availability Set. For example, one should be made for Cloud Connectors, another for NetScalers, and so on. Please note at the time of this blog the Azure Availability Zones feature is in preview only. Regional availability can be accomplished by deploying a secondary Resource Location in the appropriate Azure region pair, for example East US 2 and US Central Regions. Using NetScaler Global Server Load Balancing or Azure Traffic Manager can manage the routing requests between regions.
Identity – Azure identity is managed through Azure Active Directory (Azure AD). With Azure AD, customers can enable single sign-on (SSON) with cloud applications and easy integration with the Azure AD App Marketplace. In addition, Azure AD provides the identity model for user workspaces on Office 365. Azure AD authentication with SSON can by implemented for Citrix workloads using a combination of NetScaler and Citrix Federated Authentication Services.
Governance – Governance is establishing the policies, processes, and procedures associated with the planning, architecture, acquisition, deployment, operation and management of Azure resources. One initial consideration when establishing your Azure governance is creating policies for Azure subscriptions. Azure subscriptions are how resource usage is reported and billed. Additionally, they control scalability through subscription limits. Subscription governance policies can impact how you manage and grow your Citrix environment. For example, if the Citrix environment shares a subscription with other departments there is a risk they may compete with one another against Azure’s predefined subscription limits. For this reason (and billing), Microsoft typically recommends establishing a separate subscription per department. Therefore, at times it can require the creation of a dedicated subscription to host the Citrix environment.
Using Azure AD customers can implement their governance policies using Role Based Access Control (RBAC) of Azure resources. One of the primary tools for application of these permissions is the concept of a Resource Group. Think of a Resource Group as a bundle of Azure resources that share the same lifecycle and administrative ownership. In the context of a Citrix environment these should be organized in a way that will allow for proper delegation between teams and promote the concept of least privilege. A good example is when a Citrix Cloud deployment uses a NetScaler VPX provisioned from the Azure marketplace for external access. Although a core piece of Citrix infrastructure, the NetScalers could have a separate update cycle, set of admins, etc. This would call for separating the NetScalers from the other Citrix components into separate Resource Groups so the Azure RBAC permissions can be applied through the administrative zones of tenant, subscription, and resources.
Security – Encryption, firewall configuration, least privilege, data loss prevention, compliance, and threat detection are all key security concepts typically discussed in Citrix design. Azure Virtual Network design contributes to the security conversation through the application of Network Security Groups (NSGs) and User Defined Routes (UDRs). These tools allow for granular network access controls and control of traffic flow respectively (for example routing traffic through a firewall appliance). NSGs and UDRs are applied at the subnet-level within a Virtual Network. When designing a Citrix Virtual Network in Azure it is recommended to design the virtual network with this in mind, creating subnets for like components, allowing for the granular application of NSGs and UDRs as needed. An example of this would be segmenting Citrix infrastructure into its own subnet, with a corresponding subnet for each use case. Azure provides a lot of flexibility in the creation and construction of virtual networks. This will serve as a key foundational item for your Citrix environment and is a key prerequisite before any build activities can be completed. Check out the Azure Virtual Network Planning Guide as you start this conversation within your organization.
Azure also provides security tools, such as Azure Security Center to manage centralized and continuous security assessment of hybrid cloud workloads. Policies can be applied using 12 different policy definitions including system updates, security configurations, encryption, and just in time administrative access to cloud resources during maintenance windows or support incidents. Security Center can integrate with third party solutions like Trend Micro and Symantec for endpoint monitoring. Common Event Format (CEF) is supported with other security solutions. Microsoft recommends the use of Azure Key Vault for protecting cryptographic keys and secrets across deployment configuration tools like PowerShell and Azure. Azure has many specific security features across compute, network, database, and storage resources — check out this Introduction to Azure Security.
Connectivity – There are two options to connect your datacenter to Azure: VPN and Express Route. Planning the type of connection (or connections) is based on several factors including bandwidth and latency. Typically these connections are shared across multiple services (database replication, domain traffic, application traffic, etc.) In a hybrid cloud deployment there may be scenarios where internal users will require their ICA traffic to go through this connection to get to their Citrix apps in Azure, therefore monitoring its bandwidth is critical. With NetScaler and traditional StoreFront optimal gateway routing may also be used to direct a user’s connection to a NetScaler using an office’s ISP rather than the Express Route or VPN to Azure.
If you want to learn more, please join Jeff Mitchell, Microsoft Cloud Solution Architect and me as we discuss the ins and outs of deploying Citrix Cloud with Microsoft Azure – including a live Q&A session!
We will cover these key architecture practices, considerations, and lessons learned in a free technical deep dive webinar on Thursday, February 1st at 9AM and 2PM EST.