Jump to content
Welcome to our new Citrix community!
  • Deploy AWS Network Firewall with CADS infrastructure in a public subnet.

    • Validation Status: Work In Progress
      Summary: Configure and deploy AWS Network Firewall
      Has Video?: No


    CADS service with its premium entitlement has features like WAF and BOT to secure and protect your application from security threats. This guide will help you to deploy AWS firewall with CADS service. This is recommended if you have a CADS service Advance entitlement.  



    Deploy a data center and create NetScaler infrastructure on AWS cloud. Configure network settings in this public cloud data center with AWS firewall in a way that is completely transparent to the application users. 

    Following are the key requirements:  

    • Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC. 

    • All end user, Nerscaler management, traffic should route through AWS network firewall.  


    Following tasks are expected to be completed for using this solution and successful integration. 


    For the distributed deployment model, we deploy AWS Network Firewall into each VPC which requires protection. Each VPC is protected individually. Each VPC does not require connectivity to any other VPC or AWS Transit Gateway. Each AWS Network Firewall can have its own firewall policy or share a policy through common rule groups (reusable collections of rules) across multiple firewalls. This allows each AWS Network Firewall to be managed independently, which reduces the possibility of misconfiguration and limits the scope of impact. 


    Figure 1: AWS Network Firewall Distributed deployment in each protected VPC 

    Depending on the workload and traffic pattern, there are a number of AWS Network Firewall deployment models to consider. In the following section we will see a deployment model to protect traffic between NetScaler’s client subnet and IGW. 


    Figure2. AWS Network Firewall is deployed to inspect traffic between the internet and NetScaler/NAT gateway 




    ADS service control plane 

    Citrix Cloud / PoP 

    Deployed in secure Citrix owned PoP network outside of customer VPC 

    ADS Service Agent 

    VPC-n AZ-n 

    For communication with NetScaler Service control plane 

    Autoscaling NetScaler 

    VPC-n AZ-n 

    NetScaler data plane  

    VPC Connectivity 

    Via AWS Firewall 


    Via AWS Firewall 

    NATted External application users 

    Back end server group 


    Group of EC2 Instances forming Autonomous System (AS) 


    1. Create an AWS Firewall and share Firewall endpoint ENI (in this example: vpce-0aa4d4642c13726dc) 

    1. Point the ADS NetScaler route table to redirect client traffic to Firewall ENI 


    1. Add few rules on firewall policy and verify if the rules are being hit 


    1. Result: Request is being dropped as per the policy configured 


    Traffic Flows: 

    Client Traffic: 

    1. User access the application URL : http/s://<FQDN>/ 

    1. After DNS resolution, Client request lands on AWS Network firewall 

    1. From the firewall, user request is sent to internal NLB for Application Endpoint (Vserver) selection 

    1. Application request is sent to the Application Endpoint  

    1. After LB decision, request is forwarded to the EC2 instances and server response is sent back to the user  

    Server Traffic:  

    1. From NetScaler ASG traffic is load balanced across all the configured backend servers configured in the respective AZ. 

    1. This is a single VPC deployment, hence there are no inter VPC routing required for active traffic.  

    1. Return traffic goes via the AWS firewall to the client. 


    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...