NetScaler Active/Passive HA in Azure with multiple NICs/IPs

Update:

I’ve found out that there’s a much easier way of doing the below in Azure – take a look at the updated blog post:

Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP)

——

There is a lot of information out there about setting up NetScaler HA in Azure. One way is to use a single NIC and a single IP for all traffic – which allows for active/passive but causes other limitations. Another way is to use multiple NICs/IPs in active/active. Both cases use Azure LB to provide high availability.

I want to use multiple NICs/IPs but in active/passive, and have found a hybrid of the two that seems to be working. I haven’t tested everything together with this configuration, but basic failover between the NetScalers seems to be working fine.

What are the requirements before following my instructions below?

  • Create a vnet and three subnets, as well as a resource group and availability set
  • Configure INC on the NetScalers; each gets a unique SNIP on each subnet
  • Make sure to place the VIPs that are going to be used in a /31 (10.99.0.202 and 10.99.0.203 for example) – use the CIDR calculator if you are unsure
  • Place the Azure LBs on the same subnets they are load balancing (the same subnets where we have the VIPs), and place the NetScalers on different subnets than the resources using the Azure LBs. This may not be a requirement, but is how I’ve done it.

In my case, I have the following subnets:

  • management = 10.99.0.0/24
  • inside = 10.99.1.0/24
  • outside = 10.99.2.0/24
  • VIPs on inside:
    • NetScaler #1: 10.99.1.202
    • NetScaler #2: 10.99.1.203
    • Azure LB Frontend IP: 10.99.1.204
  • VIPs on outside:
    • NetScaler #1: 10.99.2.202
    • NetScaler #2: 10.99.2.203
    • Azure LB Frontend IP: 10.99.2.204

First off, create NetScaler #1:

Create NetScaler #2:

Configure Azure LB:

Please note: I’m only using internal LBs here, you need to modify the configuration to create a Public IP.

Now, configure IPs and HA (with INC) and disable MBF/configure PBR (not required).

Please note: I’m not configuring HA encryption or changing the rpcNode password. That should always be done. I’m only showing what I think is the bare minimum to get it working.

Configure the most basic content switches for inside and outside:

Now you should be able to failover between the NetScalers. From a VM on the same vnet, you should be presented with the following when NetScaler #1 is active:

http://10.99.1.202 = NetScaler IP: 10.99.0.200 | VIP: 10.99.1.202

http://10.99.1.203 = Not responding

http://10.99.1.204 = NetScaler IP: 10.99.0.200 | VIP: 10.99.1.202

And the following when NetScaler #2 is active:

http://10.99.1.202 = Not responding

http://10.99.1.203 = NetScaler IP: 10.99.0.201 | VIP: 10.99.1.203

http://10.99.1.204 = NetScaler IP: 10.99.0.201 | VIP: 10.99.1.203
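
Added example (not from the original post): a small Python check that validates the address plan for one segment (VIP pair in one /31, VIPs and LB frontend in the same subnet) and classifies a set of probe results against the expected responses listed above. The dict layout, function names and the sample responses are assumptions constructed from the addresses in this post.

```python
import ipaddress
import re
import urllib.request

# Addresses from the post's "inside" segment; the dict layout is an assumption.
INSIDE = {"subnet": "10.99.1.0/24", "vips": ("10.99.1.202", "10.99.1.203"), "lb": "10.99.1.204"}
NSIPS = {"10.99.0.200": "NetScaler #1", "10.99.0.201": "NetScaler #2"}
BODY = re.compile(r"NetScaler IP: (\S+) \| VIP: (\S+)")

def check_plan(seg):
    """Return the address-plan problems for one segment (empty list = OK)."""
    net = ipaddress.ip_network(seg["subnet"])
    vips = [ipaddress.ip_address(v) for v in seg["vips"]]
    pair = {ipaddress.ip_network(f"{v}/31", strict=False) for v in vips}
    problems = []
    if len(set(vips)) != 2 or len(pair) != 1:
        problems.append("VIPs are not the two addresses of one /31")
    if any(ip not in net for ip in vips + [ipaddress.ip_address(seg["lb"])]):
        problems.append("VIPs and LB frontend are not all in the segment subnet")
    return problems

def probe(ip, timeout=3):
    """HTTP GET against a VIP; None means 'Not responding'."""
    try:
        with urllib.request.urlopen(f"http://{ip}", timeout=timeout) as r:
            return r.read().decode(errors="replace")
    except OSError:
        return None

def classify(seg, responses):
    """responses: probed IP -> body text or None. Returns a one-line verdict."""
    up = [v for v in seg["vips"] if responses.get(v)]
    if len(up) != 1:
        return f"FAULT: {len(up)} VIPs responding, expected exactly 1"
    direct = BODY.search(responses[up[0]])
    via_lb = BODY.search(responses.get(seg["lb"]) or "")
    if not direct or direct.group(2) != up[0]:
        return "FAULT: responding VIP returned an unexpected body"
    if not via_lb:
        return "FAULT: Azure LB frontend not responding"
    if via_lb.groups() != direct.groups():
        return "FAULT: LB frontend and direct VIP are served by different nodes"
    return f"OK: {NSIPS.get(direct.group(1), 'unknown node')} active"

# Constructed sample: the responses the post lists when NetScaler #2 is active.
SAMPLE = {"10.99.1.202": None,
          "10.99.1.203": "NetScaler IP: 10.99.0.201 | VIP: 10.99.1.203",
          "10.99.1.204": "NetScaler IP: 10.99.0.201 | VIP: 10.99.1.203"}

if __name__ == "__main__":
    print(check_plan(INSIDE), classify(INSIDE, SAMPLE))
```

To run it against a live pair from a VM on the vnet, build the responses dict with probe() for the two VIPs and the LB frontend instead of using SAMPLE.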

 

Good luck with the configuration and feel free to drop a comment if you have any feedback or questions!

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.