  • Managing external services traffic with NetScaler ADC

    • Validation Status: Validated
      Has Video?: No

    Managing external services traffic with NetScaler ADC

    Submitted April 25, 2022

    Author: Bharathi M


    In cloud-native apps, it is common for services such as external databases to be deployed outside a Kubernetes cluster while services inside the cluster still need to access them. Kubernetes provides the ExternalName service to access these resources. However, this can bypass the proxy, which means features like traffic management, policy enforcement, and fail-over management might not be available.

    In this post, we take you through configuring NetScaler ADC to resolve the domain names so you can leverage these features and get the most out of your ADC.

    Using NetScaler ADC to Reach External Services

    The benefits of using NetScaler ADC to reach external services include:

    • Advanced Traffic Management: With features such as auth, rewrite, responder, and WAF, you can achieve advanced traffic management and comprehensive security for your services.
    • Hybrid deployment: This enables hybrid deployment of your services. You can integrate non-Kubernetes-based services with Kubernetes-based services for apps in the early phase of migration to a Kubernetes environment.
    • Holistic Observability: This provides high visibility of external services on the NetScaler Application Delivery Management (ADM) service graph to ensure faster troubleshooting.

    Traffic Management of External Services with NetScaler ADC CPX

    The diagram below shows the access flow of a microservice to an external service with a NetScaler ADC CPX acting as the proxy.


    In this example, a microservice sends a DNS query for www.externalsvc.com, which is resolved to the NetScaler ADC CPX service.

    Using the annotation ingress.citrix.com/external-service with Citrix Ingress Controller, we can configure a domain-based service group on NetScaler ADC to resolve the domain www.externalsvc.com. The value of ingress.citrix.com/external-service is a list of external services with their corresponding domain names.

    When the client connects to NetScaler ADC CPX, the CPX resolves the domain www.externalsvc.com and forwards the request to the external service.

    Configuring NetScaler ADC CPX to Load Balance External Services

    First, define the CPX service to reach the NetScaler ADC.

        apiVersion: v1
        kind: Service
        metadata:
          name: cpx-svc
        spec:
          selector:
            app: cpx
          ports:
            - protocol: TCP
              port: 80

    Then, define an ingress and specify the external-service annotation as shown in the dbs-ingress.yaml file. When you specify this annotation, the Citrix Ingress Controller creates DNS servers on the NetScaler ADC and binds those servers to the corresponding service group.

        annotations:
          ingress.citrix.com/external-service: '{"cpx-svc": {"domain": "www.externalsvc.com"}}'

    Finally, add the IP address of the DNS server on NetScaler ADC using ConfigMap. Please note, this step is applicable only to NetScaler ADC VPX.

        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: nameserver-cmap
          namespace: default
        data:
          NS_DNS_NAMESERVER: '[]'
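
    Once the steps above are in place, it is worth checking that nothing in the cluster still reaches external services around the ADC. The following audit is an added example, not code from the original post or from Citrix: it parses the external-service annotation and flags ExternalName services, which hand clients a DNS alias straight to the external host. The function name, the sample objects (including typo-ingress, legacy-db and extsvc-direct) and the finding messages are constructed for illustration.

```python
import json

ANNOTATION = "ingress.citrix.com/external-service"  # annotation name from this post

def audit(items):
    """Return (proxied_domains, findings) for a list of manifest dicts."""
    proxied, findings = set(), []
    for obj in items:
        meta = obj.get("metadata", {})
        raw = (meta.get("annotations") or {}).get(ANNOTATION)
        if obj.get("kind") != "Ingress" or raw is None:
            continue
        try:
            # Annotation value is JSON: {"<service>": {"domain": "<fqdn>"}, ...}
            for entry in json.loads(raw).values():
                proxied.add(entry["domain"].lower().rstrip("."))
        except (ValueError, KeyError, TypeError, AttributeError):
            findings.append((meta.get("namespace", "default"), meta.get("name"),
                             "malformed external-service annotation"))
    for obj in items:
        meta, spec = obj.get("metadata", {}), obj.get("spec", {})
        if obj.get("kind") != "Service" or spec.get("type") != "ExternalName":
            continue
        target = str(spec.get("externalName", "")).lower().rstrip(".")
        problem = ("ExternalName duplicates an ADC-proxied domain; clients using it skip the ADC"
                   if target in proxied else
                   "ExternalName target is not proxied by the ADC")
        findings.append((meta.get("namespace", "default"), meta.get("name"), problem))
    return proxied, findings

# Constructed sample objects (same shape as `kubectl get svc,ingress -A -o json` items).
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "cpx-svc", "namespace": "default"},
     "spec": {"selector": {"app": "cpx"}, "ports": [{"protocol": "TCP", "port": 80}]}},
    {"kind": "Ingress", "metadata": {"name": "dbs-ingress", "namespace": "default",
     "annotations": {ANNOTATION: '{"cpx-svc": {"domain": "www.externalsvc.com"}}'}}},
    {"kind": "Ingress", "metadata": {"name": "typo-ingress", "namespace": "default",
     "annotations": {ANNOTATION: "{'cpx-svc': {'domain': 'www.externalsvc.com'}}"}}},
    {"kind": "Service", "metadata": {"name": "legacy-db", "namespace": "default"},
     "spec": {"type": "ExternalName", "externalName": "db.example.net"}},
    {"kind": "Service", "metadata": {"name": "extsvc-direct", "namespace": "default"},
     "spec": {"type": "ExternalName", "externalName": "www.externalsvc.com"}},
]

if __name__ == "__main__":
    domains, problems = audit(SAMPLE)
    print("proxied:", sorted(domains))
    for ns, name, problem in problems:
        print(f"{ns}/{name}: {problem}")
```

    The malformed-annotation finding matters because an annotation whose value is not valid JSON (single quotes in the sample) never registers a domain for the ADC to resolve, so the policies expected on that path would not apply.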

    In this blog post, we have explored how to use NetScaler ADC to provide a way for Kubernetes services to access external services so we can enforce advanced traffic management and security policies, all while communicating with external services. For detailed information on this feature, check out our Traffic Management for External Services product documentation.
