
[Design Question] - CitrixADC on AWS / Different AZ, same VPC / H.A in INC mode



Hello,

We are planning a new deployment, following this design pattern:

AWS AZ1 (Subnet1)

MGMT ENI: 192.168.1.108/24

Client ENI: 192.168.2.129/24

Servers ENI: 192.168.3.82/24

--

AWS AZ2 (Subnet2)

MGMT ENI: 192.168.6.82/24

Client ENI: 192.168.7.68/24

Servers ENI: 192.168.8.203/24

Citrix has this documentation that supports this scenario: https://docs.citrix.com/en-us/citrix-adc/current-release/deploying-vpx/deploy-aws/vpx-ha-eip-different-aws-zones.html

Step 1 of the procedure configures HA in INC mode, and

step 2 of the procedure says to add ipset123 on both nodes.

On the primary VPX, ipset123 has the IP 192.168.7.68 as a member.

On the secondary, ipset123 has the IP 192.168.7.68 as a member.

IPSet requires that the IP be added as a VIP in Network > IPs, and this added a route on the first appliance as DIRECT CONNECTED. This breaks the HA communication between the appliances; we were expecting INC mode to work using L3 routing.

Any thoughts on how I can fix this scenario to configure HA in AWS?

Thank you in advance!


Hi Alessandro,

Can you elaborate on why adding a VIP for the IP in the second subnet would break the HA communication?

HA communication happens on the MGMT interface. MGMT and VIP are on different subnets (and interfaces). So it's not clear how it can break HA communication.

It can break HA communication if we have a single interface/subnet on both primary and secondary, in which case we can add explicit static routes for the NSIP. But I think this is not the same as what is being discussed here.

Let us know how we can help here.

Regards,

Ravi


Hello Ravi,

I agree with you.

The customer reported to me that his implementation was according to the scenario posted in the documentation linked in my last message, but analyzing his environment I could see that he had only 2 network interfaces (like you mentioned, he was trying to use mgmt). This was the issue. There is no error in the documentation; it was a lack of the needed requirements.

Thank you for your message.
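The per-node NetScaler CLI equivalent of the two steps discussed in this thread, as an added example rather than anything posted here, assuming three ENIs per node as in the design above, HA node id 1, and an HTTP vserver named lb_web on the AZ1 client IP 192.168.2.129 port 80 (all of these are assumptions):

```nscli
# --- Primary node (AZ1) --------------------------------------------------
# NSIP 192.168.1.108 on its own MGMT ENI; client ENI 192.168.2.129; server ENI 192.168.3.82.
# Step 1: pair with the secondary's NSIP in INC mode. With INC enabled each node
# keeps its own NSIP, SNIPs and routes, so the AZ-specific subnets are not synced.
add ha node 1 192.168.6.82 -inc ENABLED

# Step 2: the secondary's client-side IP is added as a VIP on this node as well
# and grouped with the vserver's own VIP through ipset123.
add ipset ipset123
add ns ip 192.168.7.68 255.255.255.0 -type VIP
bind ipset ipset123 192.168.7.68
# (assumption) HTTP vserver on the AZ1 client IP, bound to the ipset
add lb vserver lb_web HTTP 192.168.2.129 80 -ipset ipset123

# --- Secondary node (AZ2) ------------------------------------------------
# NSIP 192.168.6.82 on its own MGMT ENI; client ENI 192.168.7.68; server ENI 192.168.8.203.
add ha node 1 192.168.1.108 -inc ENABLED
add ipset ipset123
add ns ip 192.168.7.68 255.255.255.0 -type VIP
bind ipset ipset123 192.168.7.68

# --- Checks (run on either node) -----------------------------------------
# HA heartbeats travel between the two NSIPs. Confirm the peer is reachable via
# the dedicated MGMT ENI and that the DIRECT-connected route created by the
# ipset VIP sits on the client ENI, not on the interface carrying the NSIP.
show ha node
show ipset ipset123
show route
```

The dedicated MGMT ENI is what keeps the VIP's directly connected route off the HA path; with only two ENIs per node, as in the customer's environment, the NSIP and the ipset VIP end up sharing an interface.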
