Jump to content

  • Articles

    Show all categories
    Guest
    Introduction 
    CADS service with its premium entitlement has features like WAF and BOT to secure and protect your application from security threats. This guide will help you to deploy AWS firewall with CADS service. This is recommended if you have a CADS service Advance entitlement.  
     
    Requirements 
    Deploy a data center and create NetScaler infrastructure on AWS cloud. Configure network settings in this public cloud data center with AWS firewall in a way that is completely transparent to the application users. 
    Following are the key requirements:  
    Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC. 
    All end user, Nerscaler management, traffic should route through AWS network firewall.  
    Pre-Requisites 
    Following tasks are expected to be completed for using this solution and successful integration. 
    CADS Service Application delivery configuration  
    AWS console access with permission to configure AWS Network Firewall and network routes 
    Architecture 
    For the distributed deployment model, we deploy AWS Network Firewall into each VPC which requires protection. Each VPC is protected individually. Each VPC does not require connectivity to any other VPC or AWS Transit Gateway. Each AWS Network Firewall can have its own firewall policy or share a policy through common rule groups (reusable collections of rules) across multiple firewalls. This allows each AWS Network Firewall to be managed independently, which reduces the possibility of misconfiguration and limits the scope of impact. 
     
    Figure 1: AWS Network Firewall Distributed deployment in each protected VPC 
    Depending on the workload and traffic pattern, there are a number of AWS Network Firewall deployment models to consider. In the following section we will see a deployment model to protect traffic between NetScaler’s client subnet and IGW. 
     
    Figure2. AWS Network Firewall is deployed to inspect traffic between the internet and NetScaler/NAT gateway 
    Component 
    Location 
    Remarks 
    ADS service control plane 
    Citrix Cloud / PoP 
    Deployed in secure Citrix owned PoP network outside of customer VPC 
    ADS Service Agent 
    VPC-n AZ-n 
    For communication with NetScaler Service control plane 
    Autoscaling NetScaler 
    VPC-n AZ-n 
    NetScaler data plane  
    VPC Connectivity 
    Via AWS Firewall 
    Users 
    Via AWS Firewall 
    NATted External application users 
    Back end server group 
    AZ-n 
    Group of EC2 Instances forming Autonomous System (AS) 
    Configuration: 
    Create an AWS Firewall and share Firewall endpoint ENI (in this example: vpce-0aa4d4642c13726dc) 
    Point the ADS NetScaler route table to redirect client traffic to Firewall ENI 
     
    Add few rules on firewall policy and verify if the rules are being hit 
     
    Result: Request is being dropped as per the policy configured 
     
    Traffic Flows: 
    Client Traffic: 
    User access the application URL : http/s://<FQDN>/ 
    After DNS resolution, Client request lands on AWS Network firewall 
    From the firewall, user request is sent to internal NLB for Application Endpoint (Vserver) selection 
    Application request is sent to the Application Endpoint  
    After LB decision, request is forwarded to the EC2 instances and server response is sent back to the user  
    Server Traffic:  
    From NetScaler ASG traffic is load balanced across all the configured backend servers configured in the respective AZ. 
    This is a single VPC deployment, hence there are no inter VPC routing required for active traffic.  
    Return traffic goes via the AWS firewall to the client. 
      
    Bhalchandra Chaudhari
    For large organizations where NetScaler infrastructure is shared across many teams, and have 100s or 1000s of Apps delivered via NetScaler, maintaining NetScaler app centric configurations and the common/global configurations is big challenge and incurs maintenance overhead. Moreover, the NetScaler configurations need to be maintained for multiple environments such as dev, qa, and prod.
    Citrix ADC Terraform provider can help you to automate and manage the NetScaler configurations declaratively and, in an infrastructure-as-code fashion. Moreover, parent-child structure in Terraform can be employed to create 2 abstraction layers – the child layer containing the configurations of underlying NetScaler entities and the parent layer containing the app-centric configurations along with common NetScaler platform configurations. This approach provide multiple benefits as follows :-
    Avoid code duplication Abstracts the underlying NetScaler networking configurations Easier administration, config updates and troubleshooting Reduces time to release app updates In this article , we will see how this parent-child structure works in Terraform along with an example of ssl offloading 
    Parent-Child Architecture using Terraform Modules
    Parent-Child terraform terminology works at each terraform directory/module levels. The parent/root directory would be always as current working directory when you calling another terraform child module in that root directory which execute that child module configuration files (can be called as child configuration module). Similar way, organizations need to deal with shared resources which could been utilized by many entities( shared resource child module) which values can be simply pass to root module to be used as reference with root module entities such as SSL vServers, services etc.
    Modules – are containers for multiple resources that are used together consists of a collection of .tf files kept together in a directory. Root/Parent module- The main way to package and reuse resource configuration Containing all require .tf files in the main working directory Child modules- A submodule which can be called by root or parent modules Can be called multiple times within same root or different root modules  
    SSL Offloading using Terraform Modules
    Below is the SSL offloading created using terraform parent-child deployment –
    Child Modules prepared to call in root/parent module:
    SSL certificate keypair  SSL cipher group for frontend traffic SSL cipher group for backend traffic SSL virtual server configuration and parameters set SSL load balancing services Parent/Root modules:Application specific module e.g., example<.>com Below is the directory structure prepared for this deployment –├───citrixadc                                  - Citrix ADC terraform provider files
    ├───example.com                            - application root/parent directory/module
    ├───modules                                   - child module main directory
    │            ├───cipher_svc                               - child (shared) module backend cipher group
    │            ├───cipher_vs                                 - child (shared) module frontend cipher group
    │            ├───lbservice                                  - child (configuration) module load balancing services
    │            ├───lbvs-ssl                                    - child (configuration) module creates SSL vServer & parameters
    │            └───sslcertkeypair                           - child module add SSL certificate keypair
    └───sslcerts                                    - SSL files (cert and key) directory
     
    Above each directory module contain its own terraform files to prepare the configuration plan and helps root module to execute the configuration depends on variable attributes/parameters values.
     
    Below structure depicts each main directory module and sub-directory (child module) with respective terraform files –
     
     
     
    ├───citrixadc

    ├───example.com
    │             provider.tf
    │             resources.tf
    │             terraform.tfvars
    │              variables.tf
    │              versions.tf

    ├───modules
    │   ├───cipher_svc
    │   │                       output.tf
    │   │                       README.md
    │   │                      resources.tf
    │   │
    │   ├───cipher_vs
    │   │                      output.tf
    │   │                      README.md
    │   │                      resources.tf
    │   │
    │   ├───lbservice
    │   │                      output.tf
    │   │                      README.md
    │   │                      resources.tf
    │   │                      variables.tf
    │   │
    │   ├───lbvs-ssl
    │   │                      output.tf
    │   │                      README.md
    │   │                      resources.tf
    │   │                      variables.tf
    │   │
    │   └───sslcertkeypair
    │                           output.tf
    │                           README.md
    │                           resources.tf
    │                           variables.tf

    └───sslcerts
                   bkclab.cer.cert
                   bkclab.cer.key
                   terracert.cert
                   terracert.key
     
    You can find the terraform files of main root module “example”  here , where the resource block of each child module being called to configure require entity for load balancing.
     
    Executing Terraform to push SSL Offloading Configs
    On running terraform init, terraform plan and terraform apply, the module creates all the require entities and binding between them as shown below.
     
    You must run terraform init to initialize all child modules:
    PS C:\Users\bhalchandrac\ssloffload\example.com> terraform init                             
    Initializing modules...
    - ciphergroupname in ..\modules\cipher_svc
    - lbvserverssl in ..\modules\lbvs-ssl
    - loadbalancingservices in ..\modules\lbservice
    - sslcertkeyname in ..\modules\sslcertkeypair
    - vsciphergroupname in ..\modules\cipher_vs
     
    Initializing the backend...
     
    Initializing provider plugins...
    - Finding latest version of citrix/citrixadc...
    - Installing citrix/citrixadc v1.23.1...
    - Installed citrix/citrixadc v1.23.1
     
     
    Run terraform apply to push all the configs to ADC as shown below:
    PS C:\Users\bhalchandrac\article\example.com> terraform apply -var-file="../secret.tfvars" 
     
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      + create
    ……….
    ………
    ………
    Terraform will perform the following actions:
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
     
      Enter a value: yes
     
     module.sslcertkeyname.citrixadc_systemfile.sslkey: Creating...
    module.loadbalancingservices.citrixadc_server.tf_server["testserver12"]: Creating...
    module.sslcertkeyname.citrixadc_systemfile.sslcert: Creating...
    module.loadbalancingservices.citrixadc_server.tf_server["testserver11"]: Creating...
    module.lbvserverssl.citrixadc_lbvserver.tf_lbvserverssl: Creating...
    citrixadc_lbvserver.tf_lbvserverhttp: Creating...
    module.ciphergroupname.citrixadc_sslcipher.tf_sslcipher: Creating...
    module.vsciphergroupname.citrixadc_sslcipher.tf_sslcipher: Creating...
    module.loadbalancingservices.citrixadc_server.tf_server["testserver12"]: Creation complete after 4s [id=testserver12]
    module.sslcertkeyname.citrixadc_systemfile.sslcert: Creation complete after 5s [id=/flash/nsconfig/ssl/terracert.cert]
    module.loadbalancingservices.citrixadc_server.tf_server["testserver11"]: Creation complete after 5s [id=testserver11]
    module.loadbalancingservices.citrixadc_service.tf_service["testserver12"]: Creating...
    module.loadbalancingservices.citrixadc_service.tf_service["testserver11"]: Creating...
    module.sslcertkeyname.citrixadc_systemfile.sslkey: Creation complete after 5s [id=/flash/nsconfig/ssl/terracert.key]
    module.sslcertkeyname.citrixadc_sslcertkey.tf_certkeypair: Creating...
    module.lbvserverssl.citrixadc_lbvserver.tf_lbvserverssl: Still creating... [10s elapsed]
    citrixadc_lbvserver.tf_lbvserverhttp: Still creating... [10s elapsed]
    module.ciphergroupname.citrixadc_sslcipher.tf_sslcipher: Still creating... [10s elapsed]
    module.vsciphergroupname.citrixadc_sslcipher.tf_sslcipher: Still creating... [10s elapsed]
    module.loadbalancingservices.citrixadc_service.tf_service["testserver12"]: Creation complete after 6s [id=testserver12-18082]
    module.sslcertkeyname.citrixadc_sslcertkey.tf_certkeypair: Creation complete after 6s [id=terracert]
    citrixadc_lbvserver.tf_lbvserverhttp: Creation complete after 12s [id=example.com:80]
    module.loadbalancingservices.citrixadc_service.tf_service["testserver11"]: Creation complete after 10s [id=testserver11-18082]
    module.lbvserverssl.citrixadc_lbvserver.tf_lbvserverssl: Creation complete after 16s [id=example.com:443]
    citrixadc_lbvserver_service_binding.tf_binding["testserver12"]: Creating...
    citrixadc_lbvserver_service_binding.tf_binding["testserver11"]: Creating...
    module.lbvserverssl.citrixadc_sslvserver.tf_sslvserver: Creating...
    citrixadc_lbvserver_service_binding.tf_binding["testserver11"]: Creation complete after 3s [id=example.com:443,testserver11-18082]
    citrixadc_lbvserver_service_binding.tf_binding["testserver12"]: Creation complete after 3s [id=example.com:443,testserver12-18082]
    module.lbvserverssl.citrixadc_sslvserver.tf_sslvserver: Creation complete after 3s [id=example.com:443]
    citrixadc_sslvserver_sslcertkey_binding.cert_binding: Creating...
    module.ciphergroupname.citrixadc_sslcipher.tf_sslcipher: Still creating... [20s elapsed]
    module.vsciphergroupname.citrixadc_sslcipher.tf_sslcipher: Still creating... [20s elapsed]
    citrixadc_sslvserver_sslcertkey_binding.cert_binding: Creation complete after 3s [id=example.com:443,terracert]
    module.vsciphergroupname.citrixadc_sslcipher.tf_sslcipher: Creation complete after 22s [id=External]
    citrixadc_sslvserver_sslciphersuite_binding.tf_sslvserver_sslciphersuite_binding: Creating...
    citrixadc_sslvserver_sslciphersuite_binding.tf_sslvserver_sslciphersuite_binding: Creation complete after 1s [id=example.com:443,External]
    module.ciphergroupname.citrixadc_sslcipher.tf_sslcipher: Creation complete after 23s [id=Internal]
    citrixadc_sslservice_sslciphersuite_binding.tf_sslservice_sslcipher_binding["testserver12"]: Creating...
    citrixadc_sslservice_sslciphersuite_binding.tf_sslservice_sslcipher_binding["testserver11"]: Creating...
    citrixadc_sslservice_sslciphersuite_binding.tf_sslservice_sslcipher_binding["testserver11"]: Creation complete after 1s [id=testserver11-18082,Internal]
    citrixadc_sslservice_sslciphersuite_binding.tf_sslservice_sslcipher_binding["testserver12"]: Creation complete after 1s [id=testserver12-18082,Internal]
     
    Apply complete! Resources: 18 added, 0 changed, 0 destroyed.
     
    Outputs:
     
    lbservices = [
      "testserver11-18082",
      "testserver12-18082",
    ]
    showsvcciphergroup = "Internal"
    showvsciphergroup = "External"
     
     
    Other things to note
    The child shared modules as mentioned can be run as individual module. The output value of it can be called/referenced in root/parent module. Most of organization uses entities which are shared between multiple entity e.g. ciphergroup. During terraform destroy the shared module configuration should not get destroyed if that is shared with multiple entities, to avoid this type of false positive, run the shared child module individually and pass the value in root module.
     
     
     
        

© Cloud Software Group, Inc. All rights reserved.

×
×
  • Create New...