Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP)

I wrote a blog post for NetScaler active/passive HA in Azure with multiple NICs two days ago, and I’ve been trying to figure out if this was the best way to do it. In the other post, I was using IPPattern in NetScaler to set the vServers to a /31 – which does work but that’s just because of how the underlying Azure infrastrucuture works (where machines outside of the VM – for example Azure LB – can only access the IP that has been assigned to the VM).

There is another way of doing this, which doesn’t require you to use a /31. The key is in configuring DSR (Direct Server Return) in Azure LB (also known as Floating IP). This will make it possible to use the same VIP on the NetScalers as the Frontend IP of the Azure LB – which saves IP-addresses and is easier to configure. This is the way Citrix has documented it and this is how their HA template does it.

What are the requirements before following my instructions below?

  • Create a vnet and three subnets, as well as a resource group and availability set
  • Configure INC on the NetScalers / each get a unique SNIP on each subnet
  • Place the Azure LBs on the same subnets as they are load balancing (the same subnets we have the VIPs)  and place the NetScalers on different subnets than resources using the Azure LBs. This may not be a requirement, but is how I’ve done it.

In my case, i have the following subnets:

  • management =
  • inside =
  • outside =
  • Azure LB Frontend IP & VIP on inside:
  • Azure LB Frontend IP & VIP on outside:

First of, create NetScaler #1:

Create NetScaler #2:

Configure Azure LB:

Please note: I’m only using internal LBs here, you need to modify the configuration to create a Public IP.

Now, configure IPs and HA (with INC) and disable MBF/configure PBR (not required).

Please note: I’m not configuring HA encryption or chaning the rpcNode password. Should always be done. Only showing what I think is the bare minimum to get it working.

Configure the most basic content switches for inside and outside:

Now you should be able to failover between the NetScalers. From a VM on the same vnet, you should be presented with the following when NetScaler #1 is active: = NetScaler IP: | VIP:

And the following when NetScaler #2 is active: = NetScaler IP: | VIP:

Good luck with the configuration and feel free to drop a comment if you have any feedback or questions!

Update: If you are experiencing issues with failover where heartbeats are only seen on one interface – see the following post.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.