Quickly deploy a single-tier web server farm solution integrating the Citrix NetScaler load balancer and a Next Generation firewall. Solution components include:

- a CloudFormation template (`vpc_2azs.json`) to deploy a VPC across 2 zones. There are 2 subnets in each zone: a Public Subnet and a Private Subnet. Internet-facing appliances such as the NetScaler and NG FW are deployed in the Public Subnet while the web server farm is deployed in the Private Subnet.
- a CloudFormation template (`ns.1nic.json`) to deploy a single NetScaler VPX appliance in the Public Subnet in one zone.
- a CloudFormation template (`webservers.json`) to deploy 2 web servers in the Private Subnet in the same zone as the NetScaler VPX.
- a CloudFormation template (`pa-fw.json`) to deploy a single Next Gen Firewall (Palo Alto VM Series) in the Public Subnet with a network interface in the Private Subnet (same zone as above).
- CLI configuration scripts for the NetScaler and Palo Alto FW to ensure that traffic from the Internet flows from the VPX to the FW to the web server farm.
Scripts have been provided to make the deployment of the Cloudformation templates easy.
- The VPX is deployed with a single NIC in the Public Subnet with 3 IPs. The first IP is the NSIP (management IP) and is associated with a public IP. The second IP is the Virtual IP (VIP) that receives traffic destined for the web server farm; the VIP is associated with an Elastic IP. The last IP is the Subnet IP, another private IP which is the source IP when sending traffic to the backend web servers.
- The PA Firewall is deployed with 3 NICs. The first is a management NIC in the Public Subnet which also has an Elastic IP associated with it. The second is a data interface (`ethernet1/1`) attached to the Public Subnet. The third is another data interface (`ethernet2/1`) attached to the Private Subnet. `ethernet1/1` is designated as the Untrusted interface and `ethernet2/1` is designated as the Trusted interface.
- The web servers are standard Amazon Linux. They run a simple Python web server that only serves a single page which contains their hostname.
The solution is designed to be easy to deploy from a Linux machine with access to the AWS API servers. The Linux machine needs to have the AWS CLI installed with appropriate credentials configured. Before deploying the solution, you must visit the AWS Marketplace page for the NetScaler (https://aws.amazon.com/marketplace/pp/B00A9ZNGJI) and the Palo Alto VM Series (https://aws.amazon.com/marketplace/pp/B00PJ2V04O) and accept the terms using the same account that will deploy the CloudFormation templates.

Get the code from this repository using `git clone`. Commands shown below are prefixed with `$` to indicate that they should be run from a Linux machine in the directory where the code has been cloned. Pick an AWS region (e.g., `us-west-2`) and use it consistently in all the steps below.
1. Create the VPC in a region using CloudFormation:

   ```
   $ ./001-create-vpc.sh us-west-2
   ```

2. Deploy the NetScaler in the VPC created in step 1 using CloudFormation:

   ```
   $ ./002-create-vpx.sh us-west-2
   ```

   In the script output, you will see 2 lines of the form:

   ```
   Login to the NetScaler using: ssh -i vpx-keypair-us-west-2.pem nsroot@35.182.208.43
   Send traffic to the NetScaler using: curl http://52.60.94.253/
   ```

3. Deploy the web server farm in the VPC:

   ```
   $ ./003-create-webserver.sh us-west-2
   ```
4. Using the output from step 2, you can now configure the VPX to load balance to the web server farm.
   - Log in to the NetScaler using ssh: `$ ssh -i vpx-keypair-us-west-2.pem nsroot@35.182.208.43`. You may have to re-try a few times as the NetScaler will reject login attempts while it is still booting up.
   - Copy-paste the set of commands from the file `appliance-conf/ns-conf0.txt` into the NetScaler CLI prompt.
   - Use the NetScaler CLI command `show lb vserver test-lb` to verify that the configuration and the network plumbing are working as expected:

     ```
     > show lb vserver test-lb
     test-lb (10.0.0.20:80) - HTTP Type: ADDRESS State: UP
     ...
     1) webserver1 (10.0.16.101: 80) - HTTP State: UP Weight: 1
     2) webserver2 (10.0.16.102: 80) - HTTP State: UP Weight: 1
     ```
5. At this point the firewall is not in the picture and the NetScaler is communicating directly with the backend web server farm. To test the traffic flow, use the output from step 2:

   ```
   $ curl http://52.60.94.253/
   ip-10-0-16-101
   $ curl http://52.60.94.253/
   ip-10-0-16-102
   ```
6. Create the Palo Alto Firewall in the VPC using:

   ```
   $ ./004-create-fw.sh us-west-2
   Created PANW firewall
   SSH to the firewall: ssh -i vpx-keypair-us-west-2.pem admin@35.182.110.242
   ```
7. Configure the Palo Alto FW using the CLI.
   - Log in using the output from step 6 (`ssh -i vpx-keypair-us-west-2.pem admin@35.182.110.242`). You may have to re-try a few times as the PA FW will reject login attempts while it is still booting up.
   - Copy-paste the set of commands from the file `appliance-conf/pa-conf.txt` into the firewall CLI prompt.
   - Verify that the `ethernet1/1` and `ethernet2/1` interfaces are up, from the firewall CLI:

     ```
     admin@PA-VM> show interface ethernet1/1
     ...
     Name: ethernet1/1, ID: 16
     Operation mode: layer3
     Virtual router default
     Interface MTU 1500
     Interface IP address (dynamic): 10.0.0.100/32
     ```
8. Configure the NetScaler to send backend web server traffic via the firewall.
   - Log in to the NetScaler CLI using the output of step 2: `ssh -i vpx-keypair-us-west-2.pem nsroot@35.182.208.43`
   - At the NetScaler CLI prompt, configure a route to point to the firewall:

     ```
     > add route 10.0.16.0 255.255.240.0 10.0.0.100
     > commit
     > show lb vserver test-lb
     ```

   - Verify that the NetScaler is still able to send traffic to the backend web server farm using the `curl` output from step 2:

     ```
     $ curl http://52.60.94.253/
     ip-10-0-16-101
     $ curl http://52.60.94.253/
     ip-10-0-16-102
     ```
9. Log in to the PA VM Series FW web interface:
   - Log in to the CLI using the output from step 6 (`ssh -i vpx-keypair-us-west-2.pem admin@35.182.110.242`).
   - Set an admin password at the CLI:

     ```
     admin@PA-VM> configure
     Entering configuration mode
     [edit]
     admin@PA-VM> set mgt-config users admin password
     ```

   - Use the output of step 6 to log in to the web interface (GUI) (e.g., https://35.182.110.242).
   - Check the logs in the GUI to ensure that traffic is being filtered / monitored as desired.
10. To tear down everything, use the `cleanup.sh` script at the Linux prompt:

    ```
    $ ./cleanup.sh us-west-2
    Deleting PA FW cloudformation stack
    Deleting webservers cloudformation stack
    Deleting VPX cloudformation stack
    Deleting VPC cloudformation stack
    Deleting keypair
    ```
The steps below deploy the same solution from the CloudFormation console in the us-east-1 region instead of using the scripts.

1. Launch the VPC CloudFormation stack in the us-east-1 region. Do not customize any of the inputs and click 'Create'.
2. Create a keypair. The private key will be used to log in to the NetScaler and PA Firewall:

   ```
   $ aws --region=us-east-1 ec2 create-key-pair --key-name vpx-keypair-us-east-1 --query 'KeyMaterial' --output text > vpx-keypair-us-east-1.pem
   $ chmod 400 vpx-keypair-us-east-1.pem
   ```
3. After the VPC stack has progressed to 'CREATE_COMPLETE' (visible in the console), create the VPX stack. Use the output values `VPC` and `SubnetAPublic` from the VPC stack. Do not change the keypair input. Click 'Create'.
4. Create the web server farm (you do not have to wait for the previous step to finish). Use the output values `VPC` and `SubnetAPrivate` from the VPC stack. Do not change the keypair input.
5. Using the CloudFormation outputs from step 3, you can now configure the VPX to load balance to the web server farm.
   - Log in to the NetScaler using ssh and the `PublicNSIp` output of the VPX CloudFormation stack of step 3: `$ ssh -i vpx-keypair-us-east-1.pem nsroot@35.182.208.43`. You may have to re-try a few times as the NetScaler will reject login attempts while it is still booting up.
   - Copy-paste the set of commands from the file `appliance-conf/ns-conf0.txt` into the NetScaler CLI prompt.
   - Use the NetScaler CLI command `show lb vserver test-lb` to verify that the configuration and the network plumbing are working as expected:

     ```
     > show lb vserver test-lb
     test-lb (10.0.0.20:80) - HTTP Type: ADDRESS State: UP
     ...
     1) webserver1 (10.0.16.101: 80) - HTTP State: UP Weight: 1
     2) webserver2 (10.0.16.102: 80) - HTTP State: UP Weight: 1
     ```
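The `show lb vserver` check above (and the same check in the script-based procedure) is easy to misread when several services are bound. The following Python script is an added example, not part of this repository: it parses that output and lists every expected backend that is not bound or not UP. The sample output is constructed to mirror the page's output, with webserver2 deliberately marked DOWN so the failure path is exercised.

```python
import re

# Constructed sample mirroring the `show lb vserver test-lb` output shown above,
# with webserver2 deliberately marked DOWN to exercise the failure path.
SAMPLE_OUTPUT = """\
test-lb (10.0.0.20:80) - HTTP Type: ADDRESS State: UP
Effective State: UP
1) webserver1 (10.0.16.101: 80) - HTTP State: UP Weight: 1
2) webserver2 (10.0.16.102: 80) - HTTP State: DOWN Weight: 1
"""

# Vserver line: "<name> (<ip>:<port>) - <proto> Type: <type> State: <state>"
VSERVER_RE = re.compile(r"^(\S+) \((\d+\.\d+\.\d+\.\d+):(\d+)\) - \S+ Type: \S+ State: (\S+)")
# Bound service line: "<n>) <name> (<ip>: <port>) - <proto> State: <state> Weight: <w>"
SERVICE_RE = re.compile(r"^\d+\) (\S+) \((\d+\.\d+\.\d+\.\d+):\s*(\d+)\) - \S+ State: (\S+)")


def parse_lb_vserver(text):
    """Return (vserver dict or None, list of bound service dicts) parsed from CLI output."""
    vserver, services = None, []
    for line in text.splitlines():
        line = line.strip()
        m = VSERVER_RE.match(line)
        if m and vserver is None:
            vserver = {"name": m.group(1), "ip": m.group(2), "port": int(m.group(3)), "state": m.group(4)}
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({"name": m.group(1), "ip": m.group(2), "port": int(m.group(3)), "state": m.group(4)})
    return vserver, services


def check_lb(text, expected_backends):
    """Return a list of problems; an empty list means the vserver and every expected backend is UP."""
    vserver, services = parse_lb_vserver(text)
    if vserver is None:
        return ["no vserver line found in output"]
    problems = []
    if vserver["state"] != "UP":
        problems.append(f"vserver {vserver['name']} is {vserver['state']}")
    bound = {s["ip"]: s for s in services}
    for ip in expected_backends:
        svc = bound.get(ip)
        if svc is None:
            problems.append(f"backend {ip} is not bound to the vserver")
        elif svc["state"] != "UP":
            problems.append(f"backend {svc['name']} ({ip}) is {svc['state']}")
    return problems


if __name__ == "__main__":
    # Paste real CLI output in place of SAMPLE_OUTPUT; the two IPs are the web servers deployed above.
    print(check_lb(SAMPLE_OUTPUT, ["10.0.16.101", "10.0.16.102"]))
```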
6. At this point the firewall is not in the picture and the NetScaler is communicating directly with the backend web server farm. To test the traffic flow, use the output `PublicIpVIP` from step 3:

   ```
   $ curl http://52.60.94.253/
   ip-10-0-16-101
   $ curl http://52.60.94.253/
   ip-10-0-16-102
   ```

   Alternatively, use a browser to navigate to the URL.
7. Create the Palo Alto VM Series firewall (you do not have to wait for the previous stack to finish). Use the output values `VPC`, `SubnetAPublic` and `SubnetAPrivate` from the VPC stack. Do not change the keypair input. Click 'Create'.
8. Configure the Palo Alto FW using the CLI.
   - Log in using the `FirewallManagementSSHIp` output from step 7 (`$ ssh -i vpx-keypair-us-east-1.pem admin@35.182.110.242`). You may have to re-try a few times as the PA FW will reject login attempts while it is still booting up.
   - Copy-paste the set of commands from the file `appliance-conf/pa-conf.txt` into the firewall CLI prompt.
   - Verify that the `ethernet1/1` and `ethernet2/1` interfaces are up, from the firewall CLI:

     ```
     admin@PA-VM> show interface ethernet1/1
     ...
     Name: ethernet1/1, ID: 16
     Operation mode: layer3
     Virtual router default
     Interface MTU 1500
     Interface IP address (dynamic): 10.0.0.100/32
     ```
9. Configure the NetScaler to send backend web server traffic via the firewall.
   - Log in to the NetScaler CLI using the `PublicNSIp` output of step 3: `$ ssh -i vpx-keypair-us-east-1.pem nsroot@35.182.208.43`
   - At the NetScaler CLI prompt, configure a route to point to the firewall:

     ```
     > add route 10.0.16.0 255.255.240.0 10.0.0.100
     > commit
     > show lb vserver test-lb
     ```

   - Verify that the NetScaler is still able to send traffic to the backend web server farm using the `PublicIpVIP` output from step 3:

     ```
     $ curl http://52.60.94.253/
     ip-10-0-16-101
     $ curl http://52.60.94.253/
     ip-10-0-16-102
     ```
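Two manual `curl` calls (here and in the equivalent step of the script-based procedure) can miss an intermittent failure once the firewall is in the path. The following Python probe is an added example, not part of this repository: it sends repeated requests through the VIP and reports which backends answered, how many requests failed, and whether any answer came from something other than the two web servers (for example a block page returned by the firewall). The VIP URL is a placeholder copied from the README output; `EXPECTED_HOSTS` are the hostnames shown above.

```python
import sys
import urllib.error
import urllib.request
from collections import Counter

# Hostnames the two web servers serve, as shown in the curl output above.
EXPECTED_HOSTS = {"ip-10-0-16-101", "ip-10-0-16-102"}
# Placeholder: the VIP printed in the README output; replace with your own PublicIpVIP.
DEFAULT_VIP_URL = "http://52.60.94.253/"


def fetch_hostname(url, timeout=5):
    """GET the VIP once; return the body (the backend's hostname), or None on any error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace").strip()
    except (urllib.error.URLError, OSError):
        return None


def summarize(responses, expected=EXPECTED_HOSTS):
    """Reduce a list of responses (None = failed request) to a verdict on the traffic path.

    Passes only if every request succeeded, every answer came from an expected backend,
    and every expected backend answered at least once (so load balancing still spans both).
    """
    expected = set(expected)
    answered = [r for r in responses if r is not None]
    counts = Counter(answered)
    unexpected = sorted(set(counts) - expected)
    missing = sorted(expected - set(counts))
    failures = len(responses) - len(answered)
    return {
        "counts": dict(counts),
        "failures": failures,
        "unexpected": unexpected,
        "missing": missing,
        "ok": failures == 0 and not unexpected and not missing,
    }


def probe_vip(url=DEFAULT_VIP_URL, attempts=10):
    """Send `attempts` requests through the VIP and summarize which backends answered."""
    return summarize([fetch_hostname(url) for _ in range(attempts)])


if __name__ == "__main__":
    result = probe_vip(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_VIP_URL)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it before and after adding the route in this step; a non-zero exit after the route means the firewall policy from `appliance-conf/pa-conf.txt` is not passing the traffic as intended.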
10. Log in to the PA VM Series FW web interface:
    - Log in to the CLI using the `FirewallManagementSSHIp` output from step 7 (e.g., `ssh -i vpx-keypair-us-east-1.pem admin@35.182.110.242`).
    - Set an admin password at the CLI:

      ```
      admin@PA-VM> configure
      Entering configuration mode
      [edit]
      admin@PA-VM> set mgt-config users admin password
      ```

    - Use the `FirewallManagementURL` output of step 7 to log in to the web interface (GUI) (e.g., https://35.182.110.242).
    - Check the logs in the Firewall GUI to ensure that traffic is being filtered / monitored as desired.
11. To tear down everything, use the `cleanup.sh` script at the Linux prompt:

    ```
    $ ./cleanup.sh us-west-2
    Deleting PA FW cloudformation stack
    Deleting webservers cloudformation stack
    Deleting VPX cloudformation stack
    Deleting VPC cloudformation stack
    Deleting keypair
    ```

    Alternatively, use the CloudFormation Console to delete all the stacks.