Recently, it has become apparent to me that there is still a misconception as to what Citrix Cloud is, and what it isn’t.
Hopefully, in this post, I can clear up some of those misconceptions once and for all 🙂
Citrix Cloud: What it isn’t
OK, so let’s start with what Citrix Cloud isn’t, as this seems to be where the majority of the misconceptions lie.
Citrix Cloud isn’t actually a product; there is no SKU for Citrix Cloud. Citrix Cloud is how Citrix refers to a collection of Citrix services delivered from the Citrix Cloud platform. Some of the services available are (this list is growing extremely quickly):
- Citrix Virtual Apps and Desktops Service
- Citrix Content Collaboration Service
- Citrix Secure Browser Service
- Citrix Endpoint Management Service
- Citrix Analytics Service
- Citrix Managed Desktops Service
- Citrix Gateway Service
- Citrix Application Delivery Management Service
- Citrix SD-WAN Orchestrator Service
- Citrix MicroApps Service
These services can be subscribed to individually or as part of the Workspace Service bundle offerings where applicable.
(For this blog we will concentrate on the Virtual Apps and Desktops Service).
Citrix Cloud isn’t a public cloud service in the sense of somewhere to host your workloads and data. Citrix Cloud has no ability to store customer data: Citrix is not asking you to store any of your data in Citrix Cloud, and there is no capability to do so even if that’s what you wanted. Only the metadata needed for the brokering and monitoring of the customer’s applications and desktops is stored in Citrix Cloud.
Citrix Cloud is operated under a “shared responsibility model”. In this model, responsibility is shared between Citrix and the customer: the Control and Access elements reside in the Citrix control plane, which is Citrix’s responsibility, while the “Resource Location”, where the customer’s assets (applications, data and desktops) reside, is the customer’s responsibility.
Citrix Cloud is not IaaS (Infrastructure as a Service) or SaaS (Software as a Service).
Citrix Cloud: What it is
Think of Citrix Cloud as PaaS (Platform as a Service). PaaS is a good thing, as core cloud computing properties such as scalability, high availability, multi-tenancy and resiliency come with it. Citrix takes care of the underlying infrastructure and manages the OS, development tools, DB tools and analytics associated with the control layer. Management of the access layer is optional with the Citrix Gateway Service; however, as mentioned in this blog – Citrix Workspace with on-premises Citrix Gateway as IdP – the customer may have various reasons for sticking with an on-premises Citrix Gateway or Citrix ADC.
In a traditional on-premises Citrix environment, all of the Citrix infrastructure elements reside within the on-premises infrastructure, which is entirely the customer’s responsibility (see image below). These elements are implemented in pairs for redundancy and they reside on IaaS VMs (unless they are physical Gateway or ADC appliances), each consisting of the OS plus the Citrix software for that particular server role.
The Citrix infrastructure usually consists of the following elements in a typical on-premises single-site Citrix FMA set-up (for a dual-site set-up, double everything except the License Server, Director and Studio):
- 2 x Delivery Controllers
- 2 x StoreFront Servers
- 2 x ADC / Gateways
- 1 x License Server
- 1 x Director
- 1 x Studio
- Plus redundant SQL Databases.
Diagram showing a traditional on-premises Virtual Apps and Desktops deployment, the elements and the responsibility.
As with any traditional IaaS deployment, all of these elements require design, planning, implementation, testing, managing, maintaining and updating. They all sit on underlying operating systems which need to be set up, tested, managed, maintained and updated. And they all consume resources on underlying physical infrastructure which again needs to be designed, planned, set up, tested, managed, maintained and updated (see where this is going?).
There are also other physical infrastructure considerations to take into account, such as power consumption, cooling, and occupying expensive datacentre real estate.
Now, with the Citrix Cloud shared responsibility model, the Access and Control elements of the Virtual Apps and Desktops infrastructure are delivered as a service from Citrix Cloud (PaaS). As you can see in the diagram below, this includes the SQL requirements and the Citrix Gateway.
Diagram showing a Virtual Apps and Desktops Service deployment, the elements and the responsibility.
You may notice a new element that has been introduced into the customer’s Resource Location called the “Citrix Cloud Connector”.
What is a Citrix Cloud Connector?
A Citrix Cloud Connector is basically a communications proxy between the Citrix Cloud platform and the customer’s Resource Location. The Cloud Connector is a set of self-updating micro-services installed on a domain-joined IaaS VM. This is another good example of the shared responsibility model: Citrix takes care of the Cloud Connector software, while the customer supplies and takes care of the VM that the Cloud Connector software is installed on. The recommended VM sizing is:
- 2 vCPU + 4 GB RAM for sites with 2,500 VDAs or fewer
- 4 vCPU + 4 GB RAM for sites with 5,000 VDAs or fewer
Cloud Connectors do not load balance between themselves, so the load through a particular Cloud Connector cannot be predicted or controlled, which ultimately leads to unequal load across an HA pair of Cloud Connectors.
4 vCPU + 4 GB RAM is recommended wherever possible, as VDA registrations will be faster and more reliable than with the 2 vCPU + 4 GB RAM option.
The following operating systems are supported with Citrix Cloud Connector:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
(The Cloud Connector is not supported with Windows Server Core.)
The minimum Forest and Domain Functional Level supported with Citrix Cloud Connectors is:
- Windows Server 2008 R2
Cloud Connectors support the following example AD configurations:
- Single Forest / Single Domain.
- Single Forest / 1 Parent Domain / 1 Child Domain.
- Single Forest / Single Domain with an Azure ExpressRoute.
- Two Forests with 2-Way Trust (requires on-premises StoreFront).
- Single Forest / 2 Domains with External / Domain-Level Trust.
Cloud Connectors cannot traverse Domain-Level Trusts.
The Micro-Services are:
- Provisioning micro-service which manages VM workloads on Hypervisors.
- Proxy micro-service which is used for VDA registration and communications.
- Identity micro-service which supports domain discovery and access.
- Authentication micro-service for user logon and application launch.
- Gateway micro-service enabling access externally via Citrix Gateway Service.
Diagram showing Citrix Cloud Connector micro-services.
Cloud Connector facts:
- Must be installed on a domain-joined machine.
- All traffic is outbound over HTTPS (443).
- They work behind NATs and HTTP proxies.
- Installed on the LAN, not the DMZ.
- Secured by RSA Key Pair.
- Self-updating software.
- Cloud Connector Active Directory access is Read Only, unless creating a Machine Account.
- You should deploy Cloud Connectors in pairs for HA.
- VDAs have failover logic built into them. If a Cloud Connector fails, the VDA will re-register with a different one.
Citrix Cloud Connector needs access to the following for the Citrix Virtual Apps and Desktops service:
- VDAs (port 80, both inbound and outbound) plus 1494 and 2598 inbound if using Citrix Gateway service
- Customer managed StoreFront servers (port 80 inbound)
- Customer managed Citrix Gateways, if configured as a STA (port 80 inbound).
- Active Directory domain controllers.
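As an added example (my own script, not Citrix’s code or installer), the following PowerShell pre-flight check tests a candidate Cloud Connector VM against the requirements above: domain membership, a supported OS that is not Server Core, forest and domain functional level, outbound HTTPS through whatever proxy is configured, port 80 to the VDAs and, after installation, the port 80 listener. The endpoint hostnames ($CloudEndpoints) and VDA names ($VdaHosts) are placeholders, not real Citrix addresses; substitute the Cloud Connector hostnames Citrix publishes for your region.

```powershell
# Added example, not Citrix code: pre-flight checks for a VM that will host a
# Citrix Cloud Connector, following the requirements listed in this post.
# Assumptions: $CloudEndpoints and $VdaHosts are placeholders; replace them with
# the Cloud Connector hostnames Citrix publishes for your region and your own VDAs.
param(
    [string[]]$CloudEndpoints = @('cloud-endpoint.example.invalid'),  # placeholder
    [string[]]$VdaHosts       = @(),                                   # e.g. 'vda01.corp.example'
    [switch]$PostInstall                                               # also check the port 80 listener
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. The Connector must be installed on a domain-joined machine.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Result 'Domain-joined' $cs.PartOfDomain $cs.Domain

# 2. Supported OS (2012 R2 / 2016 / 2019) and not Server Core.
$os = Get-CimInstance Win32_OperatingSystem
Add-Result 'Supported OS' ($os.Caption -match 'Server (2012 R2|2016|2019)') $os.Caption
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Result 'Not Server Core' ($installType -ne 'Server Core') $installType

# 3. Forest and domain functional level at least Windows Server 2008 R2.
#    Uses .NET directly so the RSAT ActiveDirectory module is not required.
try {
    $dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $minDom = [int][System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008R2Domain
    $lvl    = [int]$dom.DomainMode
    # -1 (Unknown) means the level is newer than this .NET build recognises; treat as a pass
    Add-Result 'Domain functional level >= 2008 R2' (($lvl -ge $minDom) -or ($lvl -eq -1)) "$($dom.DomainMode)"
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $minFor = [int][System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2008R2Forest
    $flvl   = [int]$forest.ForestMode
    Add-Result 'Forest functional level >= 2008 R2' (($flvl -ge $minFor) -or ($flvl -eq -1)) "$($forest.ForestMode)"
} catch {
    Add-Result 'Functional levels' $false "Could not query AD: $($_.Exception.Message)"
}

# 4. Outbound HTTPS (443) to Citrix Cloud. Invoke-WebRequest honours the configured
#    proxy, so this also works from behind an HTTP proxy; any HTTP status code at
#    all (even 403/404) proves the TLS connection was established.
foreach ($h in $CloudEndpoints) {
    try {
        $null = Invoke-WebRequest -Uri "https://$h/" -Method Head -UseBasicParsing -TimeoutSec 10
        Add-Result "Outbound 443 to $h" $true 'HTTP response received'
    } catch {
        $reached = $null -ne $_.Exception.Response
        Add-Result "Outbound 443 to $h" $reached $_.Exception.Message
    }
}
# The Connector services run as service accounts, which use the WinHTTP proxy rather
# than the current user's WinINET proxy, so record that setting for comparison.
Add-Result 'WinHTTP proxy' $true ((netsh winhttp show proxy) -join ' ').Trim()

# 5. Port 80 to the VDAs (LAN traffic, no proxy involved).
foreach ($v in $VdaHosts) {
    $t = Test-NetConnection -ComputerName $v -Port 80 -WarningAction SilentlyContinue
    Add-Result "Port 80 to VDA $v" $t.TcpTestSucceeded "$($t.RemoteAddress)"
}

# 6. After installation the Connector must be listening on 80 for VDAs, StoreFront
#    and on-premises Gateways acting as STA.
if ($PostInstall) {
    $listen = Get-NetTCPConnection -State Listen -LocalPort 80 -ErrorAction SilentlyContinue
    Add-Result 'Listening on TCP 80' ($null -ne $listen) (($listen | ForEach-Object LocalAddress) -join ',')
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it elevated on the VM before installing the Connector, and again with -PostInstall once the services are up. One caveat the script records rather than fixes: Invoke-WebRequest uses the current user’s proxy, while the Connector services use the WinHTTP proxy, so compare the two if the outbound check passes but the Connector still fails to connect.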
Cloud Connectors have a one to one relationship with a Resource Location and communicate with the components within that Resource Location and Citrix Cloud only. This means that for each Resource Location, there must be at least two Cloud Connectors for HA (n+1) and there is no inter Resource Location communication between Cloud Connectors located in different Resource Locations.
However, you can use a private link or VPN (ExpressRoute, for example) between your public cloud Resource Location and your on-premises Resource Location for things like Active Directory, or where your applications have databases or file shares in a different Resource Location that they need to talk to.
But you don’t need any sort of VPN between your Resource Locations and the Citrix Cloud Service.
Resource Locations can be located on private cloud, public cloud (or a hybrid mixture of the two) and a customer can have many Resource Locations (All managed from the same Citrix Cloud tenant).
Diagram showing a multi-Resource Location Citrix Cloud infrastructure.
How resilient is Citrix Cloud?
This is a very popular question, and there are three areas to take into consideration when talking about Citrix Cloud resiliency.
The short answer is that it is resilient, but it does come back to the shared responsibility model we discussed earlier.
Firstly, the Citrix Cloud control plane (Citrix responsibility). Everything in the Citrix Cloud control plane is deployed in active/active pairs spanning different datacenters. All of the components are load balanced and sit behind HA pairs of Citrix ADC.
Secondly, network connectivity (customer responsibility). Like any cloud service, the Citrix Virtual Apps and Desktops Service requires an Internet connection. It is up to customers to make sure their ISP provides an SLA that ensures they always have network connectivity to the cloud service.
And finally, the components within the customer’s Resource Location (shared responsibility). Citrix Cloud Connectors should always be deployed in pairs for HA. Citrix VDAs have failover logic built into them: if a Citrix Cloud Connector fails, the VDA will re-register with another, healthy Connector.
Updates to Citrix Cloud Connectors are automatic and the responsibility of Citrix. However, we all know that automatic updates don’t always take place when it is convenient for the customer. The good thing is, customers can choose and schedule the time that these updates take place, so that Cloud Connector updates happen when the customer is prepared for them.
But …. is Citrix Cloud Secure?
I hear this question a lot!
The good news is, yes, and the reasons are worth spelling out.
As I mentioned previously, Citrix Cloud only stores the metadata needed for the brokering and monitoring of the customer’s applications and desktops, and has no access to any customer assets or intellectual property. Further to this, the customer’s assets are located in a Resource Location, where the security is totally controlled by the customer.
All user credentials are encrypted using AES-256, and a random one-time key is generated for each launch. Data in transit between Citrix Cloud and the customer’s Resource Locations uses TLS 1.2 over HTTPS. Internal traffic between the VDAs and Cloud Connectors is also protected using Kerberos message-level security.
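As an added example, not Citrix’s code, here is a PowerShell script that verifies the Connector VM can only speak TLS 1.2 on the client side, so that the traffic to Citrix Cloud described above cannot be downgraded locally, and optionally remediates. It assumes the standard Windows SCHANNEL registry layout and the .NET Framework 4.x SchUseStrongCrypto / SystemDefaultTlsVersions switches; a missing registry value is treated as the OS default, which for TLS 1.2 is enabled on the supported server versions. The optional -TargetHost is any hostname you choose for a live handshake test.

```powershell
# Added example, not Citrix code: check that a Cloud Connector VM only negotiates
# TLS 1.2 as a client, and optionally remediate the registry. Assumptions: the
# standard Windows SCHANNEL registry layout and the .NET Framework 4.x strong-crypto
# switches; a missing value means "OS default", which for TLS 1.2 is enabled on
# Windows Server 2012 R2 and later. A reboot is needed after changes.
param(
    [switch]$Fix,
    [string]$TargetHost = ''   # optional: a hostname to test a live TLS 1.2 handshake against
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnet   = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')
$legacy   = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function Get-ClientProtocolState([string]$Proto) {
    $p = Get-ItemProperty -Path (Join-Path $schannel "$Proto\Client") -ErrorAction SilentlyContinue
    $enabled = $null; $dbd = $null
    if ($p) { $enabled = $p.Enabled; $dbd = $p.DisabledByDefault }
    [pscustomobject]@{ Protocol = $Proto; Enabled = $enabled; DisabledByDefault = $dbd }
}

function Set-ClientProtocolState([string]$Proto, [int]$Enabled, [int]$DisabledByDefault) {
    # Only the Client subkey is touched: that is the side that talks to Citrix Cloud.
    $key = Join-Path $schannel "$Proto\Client"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value $Enabled -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value $DisabledByDefault -Force | Out-Null
}

function Test-Tls12Handshake([string]$Target, [int]$Port = 443) {
    # Direct TCP connection (does not traverse an HTTP proxy); offers TLS 1.2 only
    # and reports what was negotiated, so a forced downgrade shows up as a failure.
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Target, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Host = $Target; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm;
                           Issuer = $ssl.RemoteCertificate.Issuer }
    } finally { $tcp.Close() }
}

# --- Report ---
$findings = foreach ($proto in ($legacy + 'TLS 1.2')) {
    $s = Get-ClientProtocolState $proto
    if ($proto -eq 'TLS 1.2') {
        $ok = ($s.Enabled -ne 0) -and ($s.DisabledByDefault -ne 1)   # absent value = enabled by default
    } else {
        $ok = ($s.Enabled -eq 0)                                       # must be explicitly disabled
    }
    [pscustomobject]@{ Check = "$proto client"; Pass = $ok; Enabled = $s.Enabled; DisabledByDefault = $s.DisabledByDefault }
}
$findings += foreach ($k in $dotnet) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $v = if ($p) { $p.$name } else { $null }
        [pscustomobject]@{ Check = "$name in $k"; Pass = ($v -eq 1); Enabled = $v; DisabledByDefault = $null }
    }
}
$findings | Format-Table -AutoSize

# --- Remediate ---
if ($Fix) {
    foreach ($proto in $legacy) { Set-ClientProtocolState $proto -Enabled 0 -DisabledByDefault 1 }
    Set-ClientProtocolState 'TLS 1.2' -Enabled 1 -DisabledByDefault 0
    foreach ($k in $dotnet) {
        New-Item -Path $k -Force | Out-Null
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            New-ItemProperty -Path $k -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    Write-Warning 'Registry updated; reboot the Connector VM for SCHANNEL changes to take effect.'
}

if ($TargetHost) { Test-Tls12Handshake $TargetHost | Format-List }
```

Only the Client subkeys are changed, because that is the side that talks to Citrix Cloud; whether to disable old protocols on the Server side of the Connector is a separate decision, since the Connector also accepts plain HTTP on port 80 from VDAs and StoreFront. Reboot after -Fix. The handshake test opens a direct TCP connection, so it will not go through an HTTP proxy.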