Setting up Netscaler VPX on AWS with a backend NodeJS server

Johnny Tordgeman
12 min read · Sep 5, 2019


There are a few guides I found online explaining how to set up a Netscaler VPX instance on AWS (the most notable one is https://github.com/MayankTahil/NetScaler-in-AWS-101/), but none of them managed to answer my exact needs, so I decided to create my own.

The end result of this guide will be a Netscaler instance, running on AWS, that load balances a NodeJS web server running on an Ubuntu EC2 instance.

Setting up the Network Components

Create a VPC

  1. Under Services -> Networking & Content Delivery click on VPC.
  2. On the left side menu click on Your VPCs and then Create VPC.
  3. Fill in the following items:
  • Name tag — give the VPC a name you’ll recognize later (e.g. Netscaler-VPC).
  • IPv4 CIDR block — 172.16.0.0/16

4. Click Create.

Create Subnets

We now need to create three subnets for our setup to work:

  • Management — used for traffic to the Netscaler instance itself.
  • Server — used for private backend server traffic (NodeJS in our case).
  • Internet — used for external traffic.

On the left side menu, click on Subnets and create our three subnets using the following parameters:

Management Subnet

  • Name tag — NS-MGMT
  • VPC — Netscaler-VPC (or if you used a different name in the Create VPC step — use that name)
  • IPv4 CIDR block — 172.16.10.0/24

Server Subnet

  • Name tag — NS-Server
  • VPC — Netscaler-VPC
  • IPv4 CIDR block — 172.16.20.0/24

Internet Subnet

  • Name tag — NS-Internet
  • VPC — Netscaler-VPC
  • IPv4 CIDR block — 172.16.30.0/24

Create an Internet Gateway

In order for our network resources to communicate with the Internet, the VPC needs to have an Internet gateway attached. By itself, the Internet gateway does nothing — it simply gives the VPC the option to communicate with the outside world when needed.

To create an Internet gateway follow these steps:

  1. On the left side menu click on Internet Gateways.
  2. Click on Create internet gateway.
  3. Give it a name you’ll recognize later, for example, Netscaler-IGW.
  4. Click Create.

5. Select the Internet Gateway you just created and click Actions -> Attach to VPC.

6. Select Netscaler-VPC and click Attach. The end result should look like this:

Create a NAT Gateway

A NAT gateway, as its name suggests, is used to route traffic from/to internal network resources (such as the NodeJS server in our case) to/from other networks. The NAT gateway exists on a specific subnet, and when paired with an Internet gateway, allows resources on the subnet to access the Internet.

To create a NAT gateway:

  1. On the left side menu click on NAT Gateways.
  2. Click on Create NAT Gateway.
  3. Select the NS-Internet subnet.
  4. Click on Create New EIP and then Create a NAT Gateway.
  5. Wait for the status to change to available.

EIP stands for elastic IP, which is basically a public static IP. This IP will be bound to the NAT gateway, allowing it to route requests from resources behind the NAT to the Internet.

Create Route Tables

Subnets use route tables to define the routes in and out of them. Since we have three subnets, we will define three route tables, each defining a specific set of routes and associated subnets.

Management Route Table

The management route will allow Internet access to the Netscaler instance, allowing us to manage it from any connected device. It’s important to note that this route alone will not give the Netscaler itself access to the internet.

  1. On the left side menu click on Route Tables. You should see a default route table already created for you.
  2. Name this route MGMT-RT.
  3. Click the Subnet Associations tab and then Edit subnet associations.
  4. Select the NS-MGMT subnet and click Save.
  5. Click the Routes tab and then Edit routes.
  6. Click Add route.
  7. Set the destination to 0.0.0.0/0 and the target to Internet Gateway -> Netscaler-IGW.
  8. Click Save routes.

Server Route Table

The server route will allow instances of the private server subnet (and the Netscaler itself) to access the internet. The gateway we created is attached to the Netscaler-VPC which itself has an Internet Gateway attached — allowing it to access resources on the internet.

  1. Click Create route table.
  2. Name the route Server-RT and select the Netscaler-VPC from the VPC dropdown.
  3. Click the Subnet Associations tab and then Edit subnet associations.
  4. Select the NS-Server subnet and click Save.
  5. Click the Routes tab and then Edit routes.
  6. Click Add route.
  7. Set the destination to 0.0.0.0/0 and the target to NAT Gateway -> the gateway we created earlier.
  8. Click Save routes.

Internet Route Table

The Internet route will allow traffic from the internet to instances behind the Netscaler private subnet (i.e. the server subnet). We will use this route when we define the load balancing functionality later.

  1. Click Create route table.
  2. Name the route Internet-RT and select the Netscaler-VPC from the VPC dropdown.
  3. Click the Subnet Associations tab and then Edit subnet associations.
  4. Select the NS-Internet subnet and click Save.
  5. Click the Routes tab and then Edit routes.
  6. Click Add route.
  7. Set the destination to 0.0.0.0/0 and the target to Internet Gateway -> Netscaler-IGW.
  8. Click Save routes.
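
The console steps in this section can also be scripted. The following is an added example, not part of the original guide, that builds the same VPC, subnets, gateways and route tables with the AWS CLI. The function names are illustrative, it assumes AWS CLI credentials and a default region are configured, and it creates a dedicated MGMT-RT instead of renaming the VPC's default route table.

```sh
#!/bin/sh
# Added example: AWS CLI equivalent of the console steps above.
# Assumes AWS CLI credentials and a default region are already configured.
set -eu

ec2() { aws ec2 "$@" --output text; }   # IDs come back as plain text

# name_tag RESOURCE_ID NAME: set the Name tag the console displays
name_tag() { ec2 create-tags --resources "$1" --tags "Key=Name,Value=$2" >/dev/null; }

# make_subnet VPC_ID NAME CIDR: prints the new subnet ID
make_subnet() {
  sn=$(ec2 create-subnet --vpc-id "$1" --cidr-block "$3" --query 'Subnet.SubnetId')
  name_tag "$sn" "$2"
  echo "$sn"
}

# make_route_table VPC_ID NAME SUBNET_ID TARGET_FLAG TARGET_ID:
# creates the table, adds a 0.0.0.0/0 route to the target, associates the subnet
make_route_table() {
  rt=$(ec2 create-route-table --vpc-id "$1" --query 'RouteTable.RouteTableId')
  name_tag "$rt" "$2"
  ec2 create-route --route-table-id "$rt" --destination-cidr-block 0.0.0.0/0 "$4" "$5" >/dev/null
  ec2 associate-route-table --route-table-id "$rt" --subnet-id "$3" >/dev/null
}

build_network() {
  vpc=$(ec2 create-vpc --cidr-block 172.16.0.0/16 --query 'Vpc.VpcId')
  name_tag "$vpc" Netscaler-VPC
  mgmt=$(make_subnet "$vpc" NS-MGMT 172.16.10.0/24)
  server=$(make_subnet "$vpc" NS-Server 172.16.20.0/24)
  inet=$(make_subnet "$vpc" NS-Internet 172.16.30.0/24)

  igw=$(ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId')
  name_tag "$igw" Netscaler-IGW
  ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc" >/dev/null

  # The NAT gateway sits in NS-Internet and needs its own Elastic IP
  eip=$(ec2 allocate-address --domain vpc --query 'AllocationId')
  nat=$(ec2 create-nat-gateway --subnet-id "$inet" --allocation-id "$eip" --query 'NatGateway.NatGatewayId')
  ec2 wait nat-gateway-available --nat-gateway-ids "$nat"

  make_route_table "$vpc" MGMT-RT "$mgmt" --gateway-id "$igw"          # management subnet via IGW
  make_route_table "$vpc" Server-RT "$server" --nat-gateway-id "$nat"  # server subnet via NAT
  make_route_table "$vpc" Internet-RT "$inet" --gateway-id "$igw"      # internet subnet via IGW
}

if [ "${1:-}" = "apply" ]; then build_network; fi
```

Run it with the single argument apply to create the resources; without it the script only defines the functions.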

Setting up the Backend Server

Now that the network components are all set up, let’s create the backend webserver we will load balance using Netscaler. For the purpose of this guide, we will use a micro Ubuntu server running NodeJS.

Create the Ubuntu EC2 Instance

  1. Under Services -> Compute click on EC2.
  2. Click on Launch Instance.
  3. Search for Ubuntu and select Ubuntu Server 18.04 LTS (HVM), SSD Volume Type.
  4. Keep the selection on t2.micro and click Next: Configure Instance Details
  5. In the configuration screen change:

Network:
Select the Netscaler-VPC we created in the previous section.

Subnet:
Select the NS-Server subnet.

6. Under Network Interfaces give the network adapter a static primary IP of 172.16.20.150

7. Click Next: Add Storage, leave the default settings, and click Next: Add Tags.

8. Click Next: Configure Security Group.

9. Open port 8080. This port will be used by NodeJS to display web content.

10. Click Review and Launch and then Launch.

At this point you will have a running Ubuntu server; however, you cannot connect to it, as it has no public-facing IP. Next, we will create the Netscaler instance, which we will use to connect to the Ubuntu instance and install NodeJS on it.

Setting up Netscaler

Create the Netscaler VPX EC2 Instance

  1. Under EC2 launch a new instance.
  2. Search for Netscaler and under AWS Marketplace select the Netscaler VPX that suits your licensing needs (I'm using Citrix ADC (formerly NetScaler) VPX Premium — 10 Mbps for this guide).
  3. Choose m4.xlarge as the instance type and click Next: Configure Instance Details.
  4. In the configuration screen change the following:

Network:
Select the Netscaler-VPC we created in the previous section.

Subnet:
Select the NS-MGMT subnet.

5. Under Network Interfaces give the network adapter a static primary IP of 172.16.10.100

6. Click on Add Device. On the new device change the Subnet to the NS-Server and give it a static primary IP of 172.16.20.100.

7. Click Next: Add Storage, leave the default settings, and click Next: Add Tags.

8. Click Next: Configure Security Group.

9. Leave the default security groups and click Review and Launch and then Launch.

We now have a running Netscaler instance; however, we cannot access it, as it doesn't have a public-facing IP address.

Add a public-facing IP address to the Netscaler instance

1. Go back to the EC2 Instances screen and find the new Netscaler instance. Click on the new instance and scroll down to the Networking interfaces section.

2. Click on the first network interface (eth0) and copy the Interface ID.

3. On the left side menu click Elastic IPs.

4. Click Allocate new address and then Allocate.

5. Select the new IP address that was allocated and click Actions->Associate address.

6. Select Network interface as the resource type. Paste the Interface ID we copied earlier into the Network interface box, and select the private IP associated with it (172.16.10.100). To save the new setting click Associate.

Set Up the Ubuntu Server

In order to set up the webserver, we need to connect to the Ubuntu instance. The Ubuntu server has no external IP; however, it does have an internal one that is part of the Server subnet. Since our Netscaler instance has a network interface that is part of the Server subnet and a network interface that is configured with a public IP for external access, we will SSH to the Netscaler instance, and from there SSH to the Ubuntu server for setup.

  1. SSH to the Netscaler instance using the public IP we associated with it in the previous step. (The user name is nsroot and the password is the EC2 instance ID.)
  2. Type shell and press enter.
  3. SSH to the Ubuntu server using its internal IP (172.16.20.150).
  4. Start by updating all the packages by running sudo apt-get update && sudo apt-get upgrade.
  5. Add the NodeJS LTS PPA (Node 10.x at the time of this writing) by running curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
  6. Install NodeJS by running sudo apt-get install nodejs.

You are now at the point where you should have NodeJS installed on your Ubuntu server. To validate the install run node -v. If you get a version response starting with 10.x then everything is installed correctly.

Next, let's set up a simple ExpressJS webserver to show some content when we browse to the server:

  1. Create a folder for the new server, i.e. mkdir server.
  2. Inside the new folder run npm init while accepting all the default values.
  3. Install ExpressJS by running npm i --save express (note the space and the double dash before save).
  4. Create a new app.js file as follows:

A few things to notice about this file:

  • We set the static path to public (line 5). This basically means that any static HTTP resource (e.g. an HTML page) will be served from a folder called public, which we will create next.
  • We set the port to 8080 (line 6). This means that when trying to reach this webserver we will have to use port 8080 as well.

5. Create a new folder, public, and cd into it. This will be the folder that will hold our static content, e.g. HTML files.

6. Create a new index.html file with whatever content you wish, for example:

7. Run the server by changing back to the previous folder and running node app.js. NodeJS should now be listening on port 8080 and serving our test page on that port.
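
An added example, not the author's original files: this script writes a minimal Express server matching the description above (static content served from public, listening on port 8080) together with a placeholder test page, then runs the npm steps from the list. The function names and the page content are assumptions.

```sh
#!/bin/sh
# Added example: scaffolds the Express server described in the steps above.
set -eu

# write_server_files DIR: creates DIR/app.js and DIR/public/index.html
write_server_files() {
  mkdir -p "$1/public"
  cat > "$1/app.js" <<'EOF'
const express = require('express');
const path = require('path');

const app = express();
app.use(express.static(path.join(__dirname, 'public'))); // static root: ./public
const port = 8080; // must match the security group rule and the Netscaler service

app.listen(port, () => console.log(`Listening on port ${port}`));
EOF
  cat > "$1/public/index.html" <<'EOF'
<!DOCTYPE html>
<html>
  <head><meta charset="utf-8"><title>Netscaler test page</title></head>
  <body><h1>Hello from the NodeJS backend</h1></body>
</html>
EOF
}

# install_and_run DIR: the npm steps from the list, then start the server
install_and_run() {
  cd "$1"
  npm init -y            # same as accepting every default value
  npm i --save express
  node app.js
}

if [ "${1:-}" = "run" ]; then
  write_server_files server
  install_and_run server
fi
```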

Configuring Networking Features

Before we can load balance the traffic to our Ubuntu server, we have to configure all the networking features required for the load balancing to work. We start by adding a subnet IP, then create a new route for it, and finish off with adding a public-facing network interface.

Adding a New Subnet IP

  1. Browse to your Netscaler instance using the elastic IP we associated with it earlier, and log in using the same credentials we used to SSH into it earlier.
  2. In the left-hand panel navigate to System > Network > IPs and click on Add.
  3. In the configuration screen add the following:

IP Address:
172.16.20.100

Subnet:
255.255.255.0

IP Type:
Subnet IP

4. Make sure Enable Management Access control to support the below listed applications is checked along with Telnet, SSH, GUI, FTP and SNMP and click Create.

Routing Traffic Through the New Subnet

Now that the Subnet IP is added, let’s route all the traffic through it. Since this Subnet is also associated with a Gateway and Internet Gateway, it will be used for routing traffic from the internal Netscaler network to other components on the internal network and, as you probably guessed, the Internet.

  1. In the left-hand panel navigate to System > Network > Routes.
  2. Check the Static route checkbox and then Delete.
  3. Click Add and fill in the following:

Network:
0.0.0.0

Netmask:
0.0.0.0

Gateway:
172.16.20.1

4. Click Create.

Adding a Public-Facing Network Interface

What good is a web server if it can’t be accessed from the Internet? To add this support for our Ubuntu server we will create a new network interface which will be associated with the Internet subnet and attach it to the Netscaler instance.

  1. In AWS, navigate to Services -> Compute and click on EC2.
  2. Under Network & Security click on Network Interfaces.
  3. Click Create Network Interface and add the following:

Description:
NI-Internet

Subnet:
NS-Internet

Security Group:
Choose the security group associated with your Netscaler instance

4. Click Create.

5. Once created, select the new network interface and click Actions -> Attach.

6. Select the Netscaler instance and click Attach.

7. Once the new interface is attached, make sure to restart the Netscaler EC2 instance. If you don’t restart the instance, it won't be able to use the newly attached network device.

Setting the Load Balancing Feature

The final step in this tutorial is to get the load balancing feature of our Netscaler working so it will load balance the traffic to our Ubuntu server.

Adding the Server

  1. In the left-hand panel navigate to Traffic Management > Load Balancing > Servers.
  2. Click Add and add the following:

Name:
Webserver

IP Address:
172.16.20.150 (the internal IP address of our Ubuntu server)

3. Click Create.

With the server created we can now move forward and create the service which will be bound to this server.

Adding the Service

  1. In the left-hand panel navigate to Traffic Management > Load Balancing > Services.
  2. Click Add and add the following:

Service Name:
Webserver-service

IP Address:
172.16.20.150

Protocol:
HTTP

Port:
8080 (the port we configured our NodeJS server to listen to).

3. Click Create.

If everything is set up correctly you should see the Service State showing as UP:

Adding the Virtual Server

The last step in the load balancing configuration is to add a virtual server that will handle the requests coming from the Internet. In addition, we need to assign a public IP to our public-facing network interface.

  1. In the left-hand panel navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Click Add and add the following:

Name:
Webserver-VS

Protocol:
HTTP

IP Address Type:
IP Address

IP Address:
172.16.30.153 (This is the IP address assigned to the public-facing network interface we added in a previous step. It might be different for you. You can find your IP by logging in to AWS, navigating to Network Interfaces and selecting the NI-Internet interface we created earlier.)

Port:
80

These settings practically direct all the traffic the Netscaler will see on port 80 to the public-facing network interface.

3. Click OK.

4. Once created, click on the line that reads No Load Balancing Virtual Service Binding.

5. Check the box next to Webserver-service and click Select.

6. Click Bind.

After a refresh, you should see the virtual service state showing as UP.
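
The server, service and virtual server steps above have direct NetScaler CLI equivalents. The following is an added example, not part of the original guide: it generates those commands and sends them one at a time over SSH as nsroot, validating every address and port first because the values end up in a privileged command line. The function names are hypothetical, SSH authentication to the appliance is assumed to be in place, and save ns config is an addition that persists the configuration.

```sh
#!/bin/sh
# Added example: the GUI load-balancing steps as NetScaler CLI commands.
set -eu

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255
is_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  echo "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# is_port N: succeeds only for an integer between 1 and 65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ns_lb_batch BACKEND_IP BACKEND_PORT VIP: prints one CLI command per line
ns_lb_batch() {
  is_ipv4 "$1" && is_port "$2" && is_ipv4 "$3" || { echo "invalid address or port" >&2; return 1; }
  cat <<EOF
add server Webserver $1
add service Webserver-service Webserver HTTP $2
add lb vserver Webserver-VS HTTP $3 80
bind lb vserver Webserver-VS Webserver-service
save ns config
show lb vserver Webserver-VS
EOF
}

# apply_lb NSIP BACKEND_IP BACKEND_PORT VIP: runs each command on the appliance
apply_lb() {
  is_ipv4 "$1" || { echo "invalid management address" >&2; return 1; }
  batch=$(ns_lb_batch "$2" "$3" "$4") || return 1
  printf '%s\n' "$batch" | while IFS= read -r cmd; do
    ssh -n "nsroot@$1" "$cmd"   # -n keeps ssh from consuming the loop's input
  done
}

# Values from this guide; NSIP is the management Elastic IP:
#   apply_lb <NSIP> 172.16.20.150 8080 172.16.30.153
```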

Associate IP To the Public Facing Network Instance

  1. In AWS, navigate to Services -> Compute and click on EC2.
  2. Under Network & Security click on Network Interfaces.
  3. Select the NI-Internet network interface and copy its Network interface ID.
  4. Under Network & Security click on Elastic IPs.
  5. Click Allocate new address and then Allocate.
  6. Select the new Elastic IP and click Actions > Associate address.
  7. Set the Resource type to Network interface, and paste the Network interface ID you copied in step 3 in the Network interface text box.
  8. Select the private IP from the drop-down menu.
  9. Click Associate.

If you survived up to this point then congratulations! 🎉 🎊
You can now use the new external IP to browse to the webserver load-balanced by Netscaler!

As usual, I would love to hear your comments and suggestions either here or on Twitter!
