On the AWS management console, launch the firewalls, launch the load balancer, and edit the route tables you added when you created the VPC.
Launch the VM-Series Firewalls
Launch the firewalls and perform initial configuration.
Launch the firewalls. See Deploy the VM-Series Firewall in AWS for system requirements and step-by-step instructions for launching the firewall and performing initial configuration. For this use case, you deploy four VM-Series firewalls in each AZ.
The IP addresses assigned to the management interface (eth0) of each firewall are:
Mgmt-FW—192.168.0.10
AZ1-FW1—192.168.0.11
AZ1-FW2—192.168.0.12
AZ1-DB—192.168.0.13
Establish an SSH connection to the IP address assigned to the management interface and perform initial configuration on the command line interface (CLI) of the VM-Series firewall.
Create and attach two ENIs to each firewall; these interfaces serve as the dataplane interfaces on each firewall. Connect each ENI to the appropriate subnet and security group, and disable the source/destination check on every dataplane ENI, because AWS otherwise drops the packets that the firewall forwards on behalf of other hosts.
Mgmt-FW—The dataplane interface IP addresses are:
192.168.2.254 (to web farm)
192.168.0.254 (external connectivity for internet access)
AZ1-FW1—The dataplane interface IP addresses are:
192.168.1.11 (to NetScaler)
192.168.2.11 (to web farm)
AZ1-FW2—The dataplane interface IP addresses are:
192.168.1.12 (to NetScaler)
192.168.2.12 (to web farm)
AZ1-DB—The dataplane interface IP addresses are:
192.168.2.13 (to web farm)
192.168.3.13 (to RDS)
Launch the NetScaler VPX.
Refer to the Citrix NetScaler documentation for instructions.
Choose the Amazon Machine Image (AMI) from the AWS Marketplace and launch the NetScaler VPX. In this example, the NetScaler IP address used for management access is 192.168.0.14.
To log in to the NetScaler management console, you must assign an Elastic IP Address on the management interface.
Attach two ENIs to the NetScaler VPX. Later in this example, configure the Citrix NetScaler VPX interface IP addresses as:
192.168.0.50—Virtual IP address (VIP) that will be used for external access
192.168.1.50—Subnet IP address (SNIP) that will be used for connecting to the web farm within the VPC
Allocate and associate Elastic IP Addresses for the firewalls and the NetScaler VPX.
Assign Elastic IP Addresses to the interfaces that provide access from the internet. In this example, the Elastic IP Addresses are as follows:
One EIP address maps to the management interface of each of the four VM-Series firewalls.
With the exception of the VM-Series firewall that secures management access, the Elastic IP address that maps to the management interface of each VM-Series firewall will be used for out-of-band management.
One EIP address maps to the public-facing interface on the VM-Series firewall that manages outbound access from the VPC.
Two EIP addresses map to the NetScaler VPX: one is associated with the NetScaler IP address and the other is bound to the Virtual IP address.
Edit the route tables.
Add a new route table, if you did not add one when setting up the VPC, and associate it with the web farm subnet; a route table only affects the subnets associated with it.
Add a new route (destination 0.0.0.0/0) that directs all traffic from the web farm to the ENI that is attached to the web server subnet on the VM-Series firewall (Mgmt-FW), 192.168.2.254 in this example.
Create an internet gateway, attach it to the VPC, and add a default route to it in the VPC's main route table to allow outbound internet access from the VPC.
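The same ENI, Elastic IP and route-table steps as an AWS CLI script. This is an added example, not code from the Palo Alto Networks or Citrix documentation: the private IP addresses are the ones in the plan above, while every instance, ENI, subnet, security-group, route-table and VPC ID is a placeholder, the /24 subnet layout is inferred from the addressing plan, and the NetScaler VIP is assumed to be a secondary private IP on the same ENI as the NSIP. By default the script only prints the commands it would run (DRY_RUN=1), so the plan can be reviewed before anything touches the account.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks or Citrix docs): the AWS CLI
# equivalent of the console steps above. All resource IDs are placeholders
# (assumptions); private IPs follow the addressing plan on this page. With
# DRY_RUN=1 (default) each aws command is printed, not executed.
set -eu
: "${DRY_RUN:=1}"

# run: print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# capture: like run, but keep the command's --query result (an ENI, allocation
# or gateway ID) in CAPTURED for the next step; dry runs get a fake ID.
capture() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; CAPTURED=dryrun-id
  else CAPTURED=$("$@"); fi
}

# subnet_for IP: map a dataplane address to its subnet ID. Assumes the VPC is
# cut into /24s: 192.168.0.0/24 management and public, .1 NetScaler, .2 web
# farm, .3 RDS, as the plan above implies. Subnet IDs are placeholders.
subnet_for() {
  case "$1" in
    192.168.0.*) echo subnet-0aaa00mgmt ;;
    192.168.1.*) echo subnet-0bbb0nsvpx ;;
    192.168.2.*) echo subnet-0ccc00web ;;
    192.168.3.*) echo subnet-0ddd00rds ;;
    *) echo "subnet_for: $1 is outside the VPC plan" >&2; return 1 ;;
  esac
}

# dataplane_eni INSTANCE IP SG INDEX: create the ENI in the matching subnet and
# security group, disable the source/destination check (the VPC otherwise
# drops packets the firewall forwards for other hosts), attach it as ethINDEX.
dataplane_eni() {
  inst=$1; ip=$2; sg=$3; idx=$4
  subnet=$(subnet_for "$ip")
  capture aws ec2 create-network-interface --subnet-id "$subnet" \
    --private-ip-address "$ip" --groups "$sg" --description "$inst-eth$idx" \
    --query NetworkInterface.NetworkInterfaceId --output text
  eni=$CAPTURED
  run aws ec2 modify-network-interface-attribute --network-interface-id "$eni" \
    --no-source-dest-check
  run aws ec2 attach-network-interface --network-interface-id "$eni" \
    --instance-id "$inst" --device-index "$idx"
}

# public_eip ENI [PRIVATE_IP]: allocate an Elastic IP and bind it to the ENI,
# or to one specific private IP on it (used for the NetScaler VIP below).
public_eip() {
  capture aws ec2 allocate-address --domain vpc --query AllocationId --output text
  run aws ec2 associate-address --allocation-id "$CAPTURED" \
    --network-interface-id "$1" ${2:+--private-ip-address "$2"}
}

# web_farm_routes RTB WEB_SUBNET FW_WEB_ENI VPC MAIN_RTB: default-route the web
# farm subnet to Mgmt-FW's web-side ENI, then give the VPC an internet gateway
# and a default route to it in the main route table.
web_farm_routes() {
  rtb=$1; websubnet=$2; fweni=$3; vpc=$4; mainrtb=$5
  run aws ec2 create-route --route-table-id "$rtb" \
    --destination-cidr-block 0.0.0.0/0 --network-interface-id "$fweni"
  run aws ec2 associate-route-table --route-table-id "$rtb" --subnet-id "$websubnet"
  capture aws ec2 create-internet-gateway \
    --query InternetGateway.InternetGatewayId --output text
  run aws ec2 attach-internet-gateway --internet-gateway-id "$CAPTURED" --vpc-id "$vpc"
  run aws ec2 create-route --route-table-id "$mainrtb" \
    --destination-cidr-block 0.0.0.0/0 --gateway-id "$CAPTURED"
}

# plan: the addressing plan from this page wired through the functions above.
plan() {
  sg=sg-0placeholder
  dataplane_eni i-0mgmtfw 192.168.2.254 "$sg" 1   # Mgmt-FW, web farm side
  dataplane_eni i-0mgmtfw 192.168.0.254 "$sg" 2   # Mgmt-FW, internet side
  dataplane_eni i-0az1fw1 192.168.1.11 "$sg" 1    # AZ1-FW1, NetScaler side
  dataplane_eni i-0az1fw1 192.168.2.11 "$sg" 2    # AZ1-FW1, web farm side
  dataplane_eni i-0az1fw2 192.168.1.12 "$sg" 1
  dataplane_eni i-0az1fw2 192.168.2.12 "$sg" 2
  dataplane_eni i-0az1db 192.168.2.13 "$sg" 1     # AZ1-DB, web farm side
  dataplane_eni i-0az1db 192.168.3.13 "$sg" 2     # AZ1-DB, RDS side
  for e in eni-0mgmtfw-eth0 eni-0az1fw1-eth0 eni-0az1fw2-eth0 eni-0az1db-eth0; do
    public_eip "$e"                               # out-of-band management
  done
  public_eip eni-0mgmtfw-eth2                     # Mgmt-FW public interface
  # NetScaler: VIP assumed to be a secondary private IP on the NSIP's ENI.
  run aws ec2 assign-private-ip-addresses --network-interface-id eni-0nsvpx-eth0 \
    --private-ip-addresses 192.168.0.50
  public_eip eni-0nsvpx-eth0                      # NSIP 192.168.0.14
  public_eip eni-0nsvpx-eth0 192.168.0.50         # VIP
  web_farm_routes rtb-0webfarm subnet-0ccc00web eni-0mgmtfw-eth1 \
    vpc-0placeholder rtb-0main
}

plan
```

Run it as-is to review the generated commands, then with DRY_RUN=0 once the placeholder IDs have been replaced with the real ones; the ENI and gateway IDs are captured from each create call, so the attach, source/destination-check and route steps never need to be pasted by hand.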