Advanced Concepts

Citrix ADC for Azure DNS Private Zone Deployment Guide

Introduction

Citrix ADC, formerly known as NetScaler, is a world-class product in the application delivery controller (ADC) space with the proven ability to load balance, manage global traffic, compression, and secure applications.

Azure DNS is a service on the Microsoft Azure infrastructure for hosting DNS domains and providing name resolution.

Azure DNS Private Zones is a service focused on resolving domain names in a private network. With Private Zones, customers can use their own custom domain names rather than the Azure-provided names available today.

Overview of Azure DNS

The Domain Name System, or DNS, is responsible for translating (or resolving) a service name to its IP address. A hosting service for DNS domains, Azure DNS provides name resolution by using the Microsoft Azure infrastructure. In addition to supporting internet-facing DNS domains, Azure DNS now also supports private DNS domains.

Azure DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without needing a custom DNS solution. By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names available today. Using custom domain names helps you to tailor your virtual network architecture to best suit your organization’s needs. It provides name resolution for virtual machines (VMs) within a virtual network and between virtual networks. Also, customers can configure zones names with a split-horizon view, which allows a private and a public DNS zone to share a name.

Why Citrix GSLB for Azure DNS private zone?

In today’s world, businesses want to transition their workloads from on-premises to Azure cloud. The transition to cloud allows them to leverage time to market, capital expenses/price, ease of deployment and security. Azure DNS Private Zone service provides a unique proposition for the businesses that are transitioning part of their workloads to the Azure Cloud. These businesses can create their private DNS Name, which they had for years in on-premises deployments, when they use the private zone service. With this hybrid model of intranet application servers being in on-premises and Azure cloud connected via secure VPN tunnels, the one challenge is how a user can have seamless access to these intranet applications. Citrix ADC solves this unique use case with its global load balancing feature, which routes the application traffic to the most optimal distributed workloads/servers either on-premises or on Azure cloud and provides application server health status.

Use Case

Users in on-prem network and in different Azure VNETs should be able to connect to the most optimal servers in an internal network for accessing the required content. This ensures that the application is always available, optimized cost and user experience is good. Azure private traffic management (PTM) is the primary requirement here. Azure PTM ensures that users’ DNS queries resolve to an appropriate private IP address of the application server.

Use Case Solution

Citrix ADC includes the global server load balancing (GSLB) feature, which can help meet the Azure PTM requirement. GSLB acts like a DNS server, which gets the DNS requests and resolves the DNS request into an appropriate IP address to provide:

  • Seamless DNS based failover
  • Phased migration from on-premises to cloud
  • A/B Testing a new feature

Among many load balancing methods supported, following methods can be useful in this solution:

  1. Round Robin
  2. Static proximity (Location based server selection): It can be deployed in two ways

    1. EDNS Client Subnet (ECS) based GSLB on Citrix ADC
    2. Deploy a DNS forwarder for every Virtual network

Topology

  • The Citrix ADC GSLB deployment for Azure private DNS zone logically looks shown in Figure 1.

Figure 1: Citrix ADC GSLB for Azure DNS private zone

  • A user can access any application server either on Azure or on-prem based on Citrix ADC GSLB load balancing method in an Azure private DNS zone
  • All traffic between on-prem and Azure Virtual Network is through a secure VPN tunnel only
  • Application traffic, DNS traffic, and monitoring traffic are shown in the preceding topology.
  • Depending on the required redundancy, Citrix ADC and DNS forwarder can be deployed in the Virtual Networks and data centers. For simplicity purpose, only one Citrix ADC is shown here but we recommend at least one set of Citrix ADC and DNS forwarder for Azure region.
  • All user DNS queries first go to the DNS forwarder that has rules defined for forwarding the queries to appropriate DNS server.

Configuring Citrix ADC for Azure DNS Private Zone

Products and Versions tested

Product Version
Azure Cloud Subscription
Citrix ADC VPX BYOL (Bring your own license)

Note: The deployment is tested and remains same with Citrix ADC version 12.0 and above.

Prerequisites and configuration notes

The following are general prerequisites and configuration tested for this guide, please cross-check before configuring Citrix ADC:

Solution description

Let suppose Customer want to host one application Azure DNS private zone (rr.ptm.mysite.net) which runs on HTTPs and is deployed across Azure and On-premises with intranet access based on round robin GSLB load balancing method. To achieve this deployment by enabling GSLB for Azure private DNS zone with Citrix ADC consists of two parts – configuring the Azure, On-premises and the Citrix ADC appliance.

Part 1: Configure Azure, On-premises Setup

As shown in Topology, set up Azure Virtual Network (VNet A, VNet B in this case) and on-premises setup. Step 1: Create an Azure private DNS zone with domain name (mysite.net) Step 2: Create two Virtual Networks (VNet A, VNet B) in Hub and Spoke model in an Azure region
Step 3: Deploy App Server, DNS Forwarder, Windows 10 Pro client, Citrix ADC in VNet A Step 4: Deploy App Server and deploy a DNS Forwarder if any clients are in VNet B Step 5: Deploy App server, DNS Forwarder, and Windows 10 pro client on on-premises

Azure private DNS Zone

Log into the Azure Portal and select or create a dashboard. Now click create a resource and search for DNS zone to create one (mysite.net in this case) as shown in the following image.

Example of Azure portal DNS zone

Azure virtual Networks (VNet A, VNet B) in Hub and spoke Model

Select the same dashboard and click create a resource and search for virtual networks to create two virtual networks namely VNet A, VNet B in same region and peer them to form a Hub and Spoke model as shown in the following image. See Implement a hub-spoke network topology in Azure for information about how to set up a hub and spoke topology.

Virtual Network A (VNet A)

Virtual Network B (VNet B)

VNet A to VNet B peering

To peer VNet A and VNet B click peerings from settings menu of VNet A and peer VNet B, enable Allow forwarded traffic and Allow gateway transit as shown in the following image.

VNet A to B

After successful peering you see as shown in the following image:

Virtual Network A peerings

VNet B to VNet A peering

To peer VNet B and VNet A click peerings from settings menu of VNet B and peer VNet A, enable Allow forwarded traffic and Use remote gateways as shown in the following image.

VNet B to A

After successful peering you see as shown in the following image:

Virtual Network B peerings

Deploy App Server, DNS Forwarder, Windows 10 Pro client, Citrix ADC in VNet A

We discuss briefly about App server, DNS forwarder, Windows 10 pro client, and Citrix ADC on VNet A. Select the same dashboard, click create a resource, search for the respective instances and assign an IP from VNet A subnet

App Server

App server is nothing but the web server (HTTP server) where an Ubuntu server 16.04 is deployed as an instance on Azure or on-premises VM and run a CLI command: sudo apt install apache2 to make it as a web server

Windows 10 Pro Client

Launch Windows 10 pro instance as Client Machine on VNet A and on-premises too.

Citrix ADC

Citrix ADC compliments the Azure DNA private zone by health check and Analytics from Citrix MAS. Launch a Citrix ADC from Azure Marketplace based on your requirement, here we have used Citrix ADC (BYOL) for this deployment. Please refer below URL for detailed steps on How to deploy Citrix ADC on Microsoft Azure. After deployment, use Citrix ADC IP to configure Citrix ADC GSLB. See Deploy a NetScaler VPX Instance on Microsoft Azure

DNS Forwarder

It is used to forward the client requests of hosted domains bound to Citrix ADC GSLB (ADNS IP).Launch an Ubuntu server 16.04 as Linux instance (Ubuntu server 16.04) and refer below URL on how to set up it as a DNS forwarder.

Note: For Round Robin GSLB load balancing method one DNS forwarder for Azure Region is sufficient but for Static proximity we need one DNS forwarder per virtual Network.

After deploying forwarder change the DNS server settings of Virtual network A from default to custom with VNet A DNS forwarder IP as shown in the following image, and then modify the named.conf.options file in VNet A DNS forwarder to add forwarding rules for domain (mysite.net) and subdomain (ptm.mysite.net) to the ADNS IP of Citrix ADC GSLB. Now, restart the DNS forwarder to reflect the changes made in file named.conf.options.

VNet A DNS Forwarder Settings

zone "mysite.net" {
           type forward;
forwarders { 168.63.129.16; };
};
zone "ptm.mysite.net" {
    type forward;
    forwarders { 10.8.0.5; };
}; > **Note:** For the domain ("mysite.net") zone IP address, use the DNS IP of your Azure region. For the subdomain ("ptm.mysite.net") zone IP address, use all ADNS IP addresses of your GSLB instances.

Deploy App Server and deploy a DNS Forwarder if any clients are in VNet B

Now for Virtual Network B, select the same dashboard, click create a resource, then search for the respective instances, and assign an IP from VNet B subnet. Launch App server and DNS Forwarder if there is static proximity GSLB load balancing similar to VNet A. Edit the VNet B DNS Forwarder settings in named.conf.options as shown:

VNet B DNS Forwarder Settings:  
zone "ptm.mysite.net" {
    type forward;
    forwarders { 10.8.0.5; };
};

Virtual Network A DNS servers

Deploy app server, DNS Forwarder, and Windows 10 pro client on on-premises

Now for on-premises, launch the VMs on bare metal and bring App server, DNS Forwarder and Windows 10 pro client similar to VNet A. Edit the on-premises DNS Forwarder settings in the named.conf.options as shown in the following example.

On-Premises DNS Forwarder Settings

zone "mysite.net" {
           type forward;
           forwarders { 10.8.0.6; };
};
zone "ptm.mysite.net" {
    type forward;
    forwarders { 10.8.0.5; };
};

Here for mysite.net we have given DNS forwarder IP of VNet A instead of Azure private DNS zone server IP because it is a special IP not reachable from on-premises. Hence this change is required in the DNS forwarder setting of on-premises.

Part 2: Configure the Citrix ADC

As shown in Topology, deploy the Citrix ADC on Azure Virtual Network (VNet A in this case) and access it through Citrix ADC GUI.

Configuring Citrix ADC GSLB

Step 1: Create ADNS Service Step 2: Create sites – local and remote Step 3: Create services for the local virtual servers Step 4: Create virtual servers for the GSLB services

Add ADNS Service

Log into the Citrix ADC GUI. On the Configuration tab, navigate to Traffic Management>Load Balancing > Services. Add a service. It is recommended to configure ADNS service both in TCP and UDP as shown here:

Load balancing service existing server

Load balancing service new server

Traffic management services

Add GSLB Sites

Add local and remote sites between which GSLB will be configured. On the Configuration tab, navigate to Traffic Management > GSLB > GSLB Sites. Add a site as shown here and repeat the same procedure for other sites.

Create GSLB site

Cluster IP GSLB site

GSLB sites

Add GSLB Services

Add GSLB services for the local and remote virtual servers which load balances App servers. On the Configuration tab, navigate to Traffic Management>GSLB > GSLB Services. Add the services as shown in the following examples. Bind HTTP monitor to check server status.

GSLB Service settings 1

GSLB Service settings 2

After creating the service, go to the advanced settings tab inside the GSLB service and add Monitors tab to bind GSLB service with an HTTP monitor to bring up the state of service GSLB service load balancing monitor

Once you bind with HTTP monitor, the state of services are UP as shown here: GSLB Services

Add GSLB Virtual Server

Add GSLB virtual server through which App servers’ alias GSLB Services are accessible. On the Configuration tab, navigate to Traffic Management>GSLB > GSLB Virtual Servers. Add the virtual servers as shown in the following example. Bind GSLB services and domain name to it. GSLB virtual server

After creating the GSLB virtual server and selecting the appropriate load balancing method (Round Robin in this case), bind GSLB services and domains to complete the step

GSLB virtual server domain binding

Go to the advanced settings tab inside the virtual server and add Domains tab to bind a domain

Go to Advanced > Services and click the arrow to bind a GSLB service and bind all three services (VNet A, VNet B, On-premises) to virtual server

GSLB services and service group binding

After binding GSLB services and Domain to the virtual server it appears as shown here:

GSLB virtual server settings

Check if GSLB virtual server is up and 100% healthy. When the monitor shows that the server is up and healthy, it means that sites are in sync and back end services are available.

GSLB virtual servers load balancing

To test the deployment now access domain URL rr.ptm.mysite.net from either Cloud client machine or on-premises client machine. For suppose access it from cloud windows client machine see that even on-premises App server is accessed in a private DNS zone without any need for third party or custom DNS solutions.

Conclusion

Citrix ADC, the leading application delivery solution, is best suited to provide load balancing and GSLB capabilities for Azure DNS private zone. By subscribing to Azure DNS Private Zone, the business can rely on Citrix ADC Global Server Load Balancing’s (GSLB) power and intelligence to distribute intranet traffic across workloads located in multiple geographies and across data centers, connected via secure VPN tunnels. This collaboration guarantees businesses seamless access to part of their workload they want to move to Azure public cloud.

Citrix ADC for Azure DNS Private Zone Deployment Guide