@chiradeep
Last active December 15, 2017 17:40

Integrate a Next Gen Firewall with Citrix NetScaler VPX in AWS

Overview

Quickly deploy a single-tier web server farm solution integrating the Citrix NetScaler load balancer and a Next Generation firewall. Solution components include:

  • a CloudFormation template (vpc_2azs.json) to deploy a VPC across 2 zones. There are 2 subnets in each zone: a Public Subnet and a Private Subnet. Internet facing appliances such as the NetScaler and NG FW are deployed in the Public Subnet while the web server farm is deployed in the private subnet.
  • a CloudFormation template (ns.1nic.json) to deploy a single NetScaler VPX appliance in the Public Subnet in one zone
  • a CloudFormation template (webservers.json) to deploy 2 web servers in the Private Subnet in the same zone as the NetScaler VPX
  • a CloudFormation template (pa-fw.json) to deploy a single Next Gen Firewall (Palo Alto VM Series) in the Public Subnet with a network interface in the Private Subnet (same zone as above).
  • CLI Configuration scripts for the NetScaler and Palo Alto FW to ensure that traffic from the Internet flows from the VPX to the FW to the webserver farm.

Scripts have been provided to make the deployment of the Cloudformation templates easy.

Network Diagram


  • the VPX is deployed with a single NIC in the public subnet with 3 IPs. The first IP is the NSIP (management IP) and is associated with a public IP. The second IP is the Virtual IP (VIP) that receives traffic destined to the webserver farm. The VIP is associated with an Elastic IP. The last IP is the Subnet IP - another private IP which is the source IP when sending traffic to the backend web servers.
  • The PA Firewall is deployed with 3 NICs. The first is a management NIC in the public subnet which also has an Elastic IP associated with it. The second is a data interface (ethernet1/1) which is attached to the public subnet. The third is another data interface (ethernet2/1) attached to the private subnet. ethernet1/1 is designated as the Untrusted interface and ethernet2/1 is designated as the Trusted interface.
  • The webservers are standard Amazon Linux. They run a simple Python web server that only serves a single page which contains their hostname.

Pre-requisites

The solution is designed to be easy to deploy from a Linux machine with access to the AWS API servers. The Linux machine needs to have the AWS CLI installed with appropriate credentials configured. Before deploying the solution, you must visit the AWS marketplace page for the NetScaler (https://aws.amazon.com/marketplace/pp/B00A9ZNGJI) and the Palo Alto VM Series (https://aws.amazon.com/marketplace/pp/B00PJ2V04O) and accept the terms using the same account that will deploy the CloudFormation templates.

Deployment Steps

Get the code from this repository using git clone. Commands shown below are prefixed with $ to indicate that they should be run from a Linux machine in the directory where the code has been cloned. Pick an AWS region (e.g., us-west-2) and use it consistently in all the steps below.

  1. Create the VPC in a region using CloudFormation:

    $ ./001-create-vpc.sh us-west-2

  2. Deploy the NetScaler in the VPC created in step 1 using CloudFormation:

    $ ./002-create-vpx.sh us-west-2

In the script output, you will see 2 lines of the form:

Login to the NetScaler using: ssh -i vpx-keypair-us-west-2.pem nsroot@35.182.208.43

Send traffic to the NetScaler using: curl  http://52.60.94.253/
  3. Deploy the web server farm in the VPC:

    $ ./003-create-webserver.sh us-west-2

  4. Using the output from step 2, you can now configure the VPX to load balance to the webserver farm.

    • Login to the NetScaler using ssh: $ ssh -i vpx-keypair-us-west-2.pem nsroot@35.182.208.43. You may have to retry a few times as the NetScaler will reject login attempts while it is still booting up.
    • Copy-paste the set of commands from the file appliance-conf/ns-conf0.txt into the NetScaler CLI prompt.
    • Use the NetScaler CLI command show lb vserver test-lb to verify that the configuration and the network plumbing is working as expected.
      > show lb vserver test-lb
    test-lb (10.0.0.20:80) - HTTP	Type: ADDRESS 
      State: UP
      ...
    
      1) webserver1 (10.0.16.101: 80) - HTTP State: UP	Weight: 1
      2) webserver2 (10.0.16.102: 80) - HTTP State: UP	Weight: 1
    
    
  5. At this point the firewall is not in the picture and the NetScaler is communicating directly with the backend webserver farm. To test the traffic flow, use the output from step 2:

    $ curl  http://52.60.94.253/
    ip-10-0-16-101
    $ curl  http://52.60.94.253/
    ip-10-0-16-102
  6. Create the Palo Alto Firewall in the VPC using:

    $ ./004-create-fw.sh us-west-2
    Created PANW firewall
    SSH to the firewall: ssh -i vpx-keypair-us-west-2.pem admin@35.182.110.242

  7. Configure the Palo Alto FW using the CLI.

    • Login using the output from step 6 (ssh -i vpx-keypair-us-west-2.pem admin@35.182.110.242). You may have to retry a few times as the PA FW will reject login attempts while it is still booting up.
    • Copy-paste the set of commands from the file appliance-conf/pa-conf.txt into the firewall CLI prompt.
    • Verify that the ethernet1/1 and ethernet2/1 interfaces are up, from the firewall CLI:
      admin@PA-VM> show interface ethernet1/1
       ...
       ...
       Name: ethernet1/1, ID: 16
       Operation mode: layer3
       Virtual router default
       Interface MTU 1500
       Interface IP address (dynamic):         10.0.0.100/32
    
  8. Configure the NetScaler to send backend webserver traffic via the firewall.

    • Login to the NetScaler CLI using the output of step 2: ssh -i vpx-keypair-us-west-2.pem nsroot@35.182.208.43

    • At the NetScaler CLI prompt, configure a route to point to the firewall:

      > add route 10.0.16.0 255.255.240.0 10.0.0.100
      > commit
      > show lb vserver test-lb
      
    • Verify that the NetScaler is still able to send traffic to the backend webserver farm using the curl output from step 2:

      $ curl http://52.60.94.253/
      ip-10-0-16-101
      $ curl  http://52.60.94.253/
      ip-10-0-16-102
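The two `show lb vserver test-lb` checks above (before and after the route to the firewall) and the `show interface` check on the PA FW are easy to eyeball once, but worth scripting if the stacks are rebuilt often. The following is an added example, not code from the gist: it parses captured CLI output in exactly the layout shown on this page and reports any vserver or bound service that is not UP, and whether the PA data interface has received its dynamic address. The sample output is constructed (webserver2 is marked DOWN on purpose), and the regular expressions assume the column layout shown here.

```python
import re

# Constructed samples modelled on the CLI output shown in this walkthrough;
# webserver2 is deliberately DOWN so the check has something to report.
NS_SAMPLE = """\
test-lb (10.0.0.20:80) - HTTP\tType: ADDRESS
  State: UP
  ...

  1) webserver1 (10.0.16.101: 80) - HTTP State: UP\tWeight: 1
  2) webserver2 (10.0.16.102: 80) - HTTP State: DOWN\tWeight: 1
"""
PA_SAMPLE = """\
Name: ethernet1/1, ID: 16
Interface IP address (dynamic):         10.0.0.100/32
"""

VSERVER_RE = re.compile(r"^(\S+) \((\d+(?:\.\d+){3}):(\d+)\) - (\w+)")
STATE_RE = re.compile(r"^\s*State:\s*(\S+)")
SERVICE_RE = re.compile(
    r"^\s*\d+\)\s+(\S+) \((\d+(?:\.\d+){3}):\s*(\d+)\) - \w+\s+State:\s*(\S+)")
PA_IP_RE = re.compile(r"^Interface IP address \(\w+\):\s+(\d+(?:\.\d+){3})/\d+")

def parse_lb_vserver(text):
    """Parse 'show lb vserver <name>' output into vserver state and bound services."""
    info = {"name": None, "vip": None, "state": None, "services": []}
    for line in text.splitlines():
        if (m := VSERVER_RE.match(line)) and info["name"] is None:
            info["name"], info["vip"] = m.group(1), m.group(2)
        elif (m := STATE_RE.match(line)) and info["state"] is None:
            info["state"] = m.group(1)          # first State: line belongs to the vserver
        elif m := SERVICE_RE.match(line):
            info["services"].append((m.group(1), m.group(2), m.group(4)))
    return info

def lb_problems(info):
    """Return a list of findings; an empty list means vserver and all services are UP."""
    problems = []
    if info["state"] != "UP":
        problems.append(f"vserver {info['name']} is {info['state']}")
    problems += [f"service {n} ({ip}) is {st}" for n, ip, st in info["services"] if st != "UP"]
    return problems

def pa_interface_ip(text):
    """Return the address PAN-OS reports for a data interface, or None if none is assigned."""
    for line in text.splitlines():
        if m := PA_IP_RE.match(line):
            return m.group(1)
    return None
```

Feed it the text captured from the two CLI sessions; an empty result from `lb_problems` after the `add route` step confirms the backend is still reachable through the firewall path.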
    
  9. Login to the PA VM Series FW Web interface:

    • Login to the CLI using the output from step 6 (ssh -i vpx-keypair-us-west-2.pem admin@35.182.110.242).
    • Set an admin password at the CLI:
        admin@PA-VM> configure
        Entering configuration mode
        [edit] 
        admin@PA-VM> set mgt-config users admin password
    
    • Use the output of the step 6 to login to the web interface (GUI) (e.g., https://35.182.110.242)
    • Check the logs in the GUI to ensure that traffic is being filtered / monitored as desired.
  10. To tear down everything, use the cleanup.sh script at the Linux prompt:

    $ ./cleanup.sh us-west-2
    Deleting PA FW cloudformation stack
    Deleting webservers cloudformation stack
    Deleting VPX cloudformation stack
    Deleting VPC cloudformation stack
    Deleting keypair

Deploy using the AWS Console and Appliance CLI

  1. Launch the Cloudformation stack in the US-east-1 region:

    Do not customize any of the inputs and click 'Create'

  2. Create a keypair. The private key will be used to login to the NetScaler and PA Firewall:

    $ aws --region=us-east-1 ec2 create-key-pair --key-name vpx-keypair-us-east-1 --query 'KeyMaterial' --output text > vpx-keypair-us-east-1.pem
    $ chmod 400 vpx-keypair-us-east-1.pem
    
  3. After the VPC stack has progressed to 'CREATE_COMPLETE' (visible in the console), create the VPX stack:

    Use the output values VPC and SubnetAPublic from the VPC stack. Do not change the keypair input. Click 'Create'

  4. Create the Webserver farm (you do not have to wait for the previous step to finish):

    Use the output values VPC and SubnetAPrivate from the VPC stack. Do not change the keypair input.

  5. Using the CloudFormation outputs from step 3, you can now configure the VPX to load balance to the webserver farm.

    • Login to the NetScaler using ssh and the PublicNSIp output of the VPX Cloudformation stack of step 3: $ ssh -i vpx-keypair-us-east-1.pem nsroot@35.182.208.43. You may have to retry a few times as the NetScaler will reject login attempts while it is still booting up.
    • Copy-paste the set of commands from the file appliance-conf/ns-conf0.txt into the NetScaler CLI prompt.
    • Use the NetScaler CLI command show lb vserver test-lb to verify that the configuration and the network plumbing is working as expected.
      > show lb vserver test-lb
        test-lb (10.0.0.20:80) - HTTP	Type: ADDRESS 
        State: UP
        ...
    
        1) webserver1 (10.0.16.101: 80) - HTTP State: UP	Weight: 1
        2) webserver2 (10.0.16.102: 80) - HTTP State: UP	Weight: 1
    
    
  6. At this point the firewall is not in the picture and the NetScaler is communicating directly with the backend webserver farm. To test the traffic flow, use the output PublicIpVIP from step 3:

    $ curl  http://52.60.94.253/
    ip-10-0-16-101
    $ curl  http://52.60.94.253/
    ip-10-0-16-102

Alternatively, use a browser to navigate to the URL.

  7. Create the Palo Alto VM Series firewall (you do not have to wait for the previous stack to finish):

    Use the output values VPC, SubnetAPublic and SubnetAPrivate from the VPC stack. Do not change the keypair input. Click 'Create'.

  8. Configure the Palo Alto FW using the CLI.

    • Login using the FirewallManagementSSHIp output from step 7 ($ ssh -i vpx-keypair-us-east-1.pem admin@35.182.110.242). You may have to retry a few times as the PA FW will reject login attempts while it is still booting up.
    • Copy-paste the set of commands from the file appliance-conf/pa-conf.txt into the firewall CLI prompt.
    • Verify that the ethernet1/1 and ethernet2/1 interfaces are up, from the firewall CLI:
      admin@PA-VM> show interface ethernet1/1
       ...
       ...
       Name: ethernet1/1, ID: 16
       Operation mode: layer3
       Virtual router default
       Interface MTU 1500
       Interface IP address (dynamic):         10.0.0.100/32
    
  9. Configure the NetScaler to send backend webserver traffic via the firewall.

    • Login to the NetScaler CLI using the PublicNSIp output of step 3: $ ssh -i vpx-keypair-us-east-1.pem nsroot@35.182.208.43

    • At the NetScaler CLI prompt, configure a route to point to the firewall:

      > add route 10.0.16.0 255.255.240.0 10.0.0.100
      > commit
      > show lb vserver test-lb
      
    • Verify that the NetScaler is still able to send traffic to the backend webserver farm using the PublicIpVIP output from step 3:

      $ curl http://52.60.94.253/
      ip-10-0-16-101
      $ curl  http://52.60.94.253/
      ip-10-0-16-102
    
  10. Login to the PA VM Series FW Web interface:

    • Login to the CLI using the FirewallManagementSSHIp output from step 7 (e.g., ssh -i vpx-keypair-us-east-1.pem admin@35.182.110.242).
    • Set an admin password at the CLI:
        admin@PA-VM> configure
        Entering configuration mode
        [edit] 
        admin@PA-VM> set mgt-config users admin password
    
    • Use the FirewallManagementURL output of step 7 to login to the web interface (GUI) (e.g., https://35.182.110.242)
    • Check the logs in the Firewall GUI to ensure that traffic is being filtered / monitored as desired.
  11. To tear down everything, use the cleanup.sh script at the Linux prompt:

    $ ./cleanup.sh us-west-2
    Deleting PA FW cloudformation stack
    Deleting webservers cloudformation stack
    Deleting VPX cloudformation stack
    Deleting VPC cloudformation stack
    Deleting keypair

Alternatively, use the Cloudformation Console to delete all the stacks.
