Citrix ADC Deployment using Bicep

Citrix ADC (formerly NetSceler) is, without doubt, one of the top enterprise Application Delivery Controllers on the market and the preferred solution for many organizations. It is offered in many different form factors, from physical to virtual appliances and even containers.

Citrix ADC is also available on Azure, which makes it ideal not only for experimenting and getting to know it better but also for using it to publish applications and services.

I've created a bicep template to serve as a starting point so that you can easily create an instance and get to know the resources required. The main template creates a subscription-level deployment that separates the resources into different resource groups.

The resources to be deployed include:

  • virtual network
  • network security group
  • network card
  • public IP
  • virtual machine
Going through the bicep files, we have a main template file (main.bicep) that uses two separate modules to deploy the vNet (vnet.bicep) and the ADC (adc.bicep) respectively. All the ADC-related resources - such as the NIC, NSG, etc. - are part of the ADC module. If you already have a vNet, you can just deploy the adc bicep file using just the id of the subnet to connect to.
To make the process easier, I've also created a script that creates the deployment via Azure CLI. Just make sure you're logged in and using the right subscription.

The ADC is deployed with a public IP address so that you can reach it over the internet. The rules on the NSG allow HTTPS and SSH traffic so as soon the deployment completes, update them with your source IPs to increase security!

The bicep files are available on my Github account over here. To deploy, use the Deploy to Azure button below or download a copy of the files and submit the deployment using Azure CLI.


The first step of the deployment process using the above button is to provide values for the deployment. From that point on, the only thing left to do is to create the deployment:
play

When the deployment is completed, two resource groups should have been created. The networking one that will contain the vNet:

and the ADC resource group:

If we open the adc virtual machine, we can see that the public IP that has been assigned to it on the right:

You can login to the management interface of the ADC using a browser and its public IP. There will be a security warning since the appliance will be using self-signed certificates, but you should block internet access anyway:
You can now proceed with the configuration on the appliance!

Popular posts from this blog

Domain Controller Machine Password Reset

Image
On my lab environment, I've configured two Active Directory sites since most enterprises have offices in more that one places. My lab however is not running 24/7 and the domain controllers in the second site are rarely turned on in order to save resources. This leads to issues with the Active Directory replication such as the "The target principal name is incorrect" error when I execute:  repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline. First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4. There may be some tickets in the cache so we should also clear them using klist purge Now it's time to change the machine password of the domain controller using the command netdom resetpwd /s:dc3 /ud:lab\administrator /pd:* Replace the "lab\administrator" with an account on your
Keep reading

Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates. Out of the box, Exchange uses self signed certificates to provide TLS secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers since they won't trust the certificate. In this article we are going to configure a certificate that was issued by a third part authority to the Client Frontend receive connector. We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet: [PS] C:\> Get-ExchangeCertificate Thumbprint                               Subject ----------                               ------- 241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ... D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A 960171662EB261162F9C8CBE12E0B75D6F06ABB0 CN=Microsoft Exchange Server Auth Certificate 2690324B827A9F2B75D59104F81CAAA57CDD627B CN=WMSvc-Exchange2013A [PS]
Keep reading

Running Multiple NGINX Ingress Controllers in AKS

Image
In some of the previous articles of this blog, we went through the process of installing NGINX as the Ingress Controller in AKS clusters. Either for applications that should be available directly from the public internet, or for applications that should only be accessed from networks considered internal. In the majority of the cases, however, and given that an AKS cluster is an environment that is designed to host multiple applications and provide economy at scale, additional ingress controllers may be required. In this post, we're going to go through the process of deploying an additional NGINX ingress controller that is going to be used for internal applications. The below diagram depicts the desired outcome: The Angular application is published via the public NGINX through the Azure Load Balancer that has been assigned a public IP. The .NET app is published by a different set of NGINX pods that are deployed in a different namespace and their ingress controller service is connect
Keep reading