Deploying a Dedicated Citrix VPX Environment in a Multi-tenant Fashion

Updated by Chris Little on Apr 20, 2014
Article Code: kb/989


While the CenturyLink Cloud platform provides a self-service load balancing service for public-facing web applications, there may be times when this model does not meet a customer's use case or technical requirements. CenturyLink Cloud customers can license Citrix VPX dedicated virtual load balancers on a monthly use basis. Internal IT personnel, partners, resellers and other ISVs may wish to deploy dedicated Citrix VPX load balancers for consumption across their application portfolio or client base in a multi-tenant fashion. Using the Citrix VPX platform in a multi-tenant fashion can avoid the cost of deploying devices for every application or customer and reduce administrative overhead.

Use Case

This KB will provide a sample use case in which a highly available pair of Citrix VPX dedicated load balancers is deployed into a multi-tier account hierarchy using CenturyLink Cloud Parent and Sub-accounts. The end state will deliver load balancing services to a sub-account of the parent, providing account isolation while delivering secure load balancing services.


  • A CenturyLink Cloud Account
  • Hands-On experience deploying Dedicated VPX Appliances and configuration
  • Hands-On experience working with Parent-Sub-Account hierarchies and Firewall self-service

Building a Parent and Sub-Account Hierarchy

Each CenturyLink Cloud client will receive an initial account; this is the Parent Account. It is the top level of a larger account hierarchy that can be created based on business needs. In this sample we will construct a simple set of 'Client' sub-accounts under the parent to simulate delivery of services to various unique customers of an ISV using CenturyLink Cloud to deliver their own unique service portfolio. The Account Structure will be as follows:

[Image: account hierarchy tree]

Deploy the Dedicated Citrix VPX Appliances

Follow the Deploy a dedicated Citrix VPX Appliance Knowledge Base article and, for additional information, refer to the Load Balancing Comparison Matrix.

For this use case the following information was used.

  • The Management IP of the VPX(s) is
  • The RNAT IP of the VPX is
  • The VIPs reserved for the VPX are through

Deploy Sub-Account Virtual Instances

With a sub-account named 'Client A' deployed under the Parent Account, it is now time to deploy the virtual instances you wish to load balance in this sub-account. In this example, we are going to deploy (2) Windows 2012 R2 Data Center Web Servers running IIS. We will also build a test HTML page to show the load balancing services are functional at the end of configuration.

  1. Deploy a Web VLAN in the 'Client A' sub-account within the appropriate data center. Costs for VLANs can be found in our Pricing Catalog or your CenturyLink Cloud MSA. Once this job completes we recommend you apply a friendly name to this VLAN. In this sample we used WEB_10.100.187.0/24.

    [Image: web vlan]

  2. Create (2) Windows 2012 R2 Data Center Virtual Servers in a Group called Web Servers. These VMs should be placed in the WEB_10.100.187.0/24 VLAN.

    [Image: windows servers in group]

  3. Install IIS using the Install IIS for Windows blueprint.

  4. Use Client VPN to RDP into the (2) newly created Web Servers and create a test page named default.htm in the IIS root folder (C:\inetpub\wwwroot). Sample basic HTML code is below:

    Web Server 1 default.htm file:

    <header>Client A NLB</header>
    <body>Client A NLB Node #1</body>

    Web Server 2 default.htm file:

    <header>Client A NLB</header>
    <body>Client A NLB Node #2</body>

    Validate that the pages load locally on the Web Servers.

Configure Intra Data Center Firewall Policies

Next, we must configure the firewall of the parent account in which the VPX(s) reside (NLB_10.100.97.0/24) to permit the appropriate HTTP(S) traffic and VPX Service Group health checks into the network in which the (2) Web Servers reside (WEB_10.100.187.0/24).

  1. Navigate to the Firewall portion of Control on the 'Parent' Account.

    • Select the Source Account to be the 'Parent' Account.
    • Select the Destination Account to be 'Client A' Sub-Account.
  2. Add a Firewall Rule as follows:

    • Source Address network: NLB_10.100.97.0/24

    • Subnet Size: 1

    • Starting IP: RNAT IP of NLB Provided by the Service Task team. As provided earlier the RNAT IP is

      [Image: source address]

    • Destination Address Network: WEB_10.100.187.0/24

    • Subnet Size: 1 (or use another size depending on the number of web servers)

    • Starting IP: Private IP address of your web servers in Client A sub-account. Our (2) web servers were issued and in this example.

      TIP: Select Add Destination Address a 2nd time to add both Web Server private IPs to the same rule

      [Image: destination address]

    • Select HTTP(80) and PING. Optionally select HTTPS(443) if you plan to implement SSL.

      [Image: tcp ports]

  3. Validate your new Firewall Rule and save it. We now have a Firewall Rule in place permitting tcp/80 and PING from the VPX RNAT IP (in a parent account) to (2) Virtual Web Servers in the Client A sub-account.

    [Image: completed firewall rule]
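
The rule above is only as tight as its source and destination entries, so it is worth checking them after saving. The following is an added example, not part of the original article or of the CenturyLink Cloud tooling: it audits a rule against the two VLANs named above. The rule dictionary format, the service labels and the host addresses are assumptions made for illustration.

```python
import ipaddress

# VLANs named in the article. Host addresses further down are constructed
# placeholders; the article's own addresses are not reproduced here.
NLB_NET = ipaddress.ip_network("10.100.97.0/24")
WEB_NET = ipaddress.ip_network("10.100.187.0/24")
ALLOWED_SERVICES = {"tcp/80", "tcp/443", "ping"}  # hypothetical service labels

def audit_rule(rule, rnat_ip, web_servers):
    """Return findings for a rule dict (hypothetical format); [] means well scoped."""
    findings = []
    rnat = ipaddress.ip_address(rnat_ip)
    servers = {ipaddress.ip_address(ip) for ip in web_servers}

    for cidr in rule["sources"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.subnet_of(NLB_NET):
            findings.append(f"source {cidr} is outside {NLB_NET}")
        elif net.num_addresses != 1 or net.network_address != rnat:
            findings.append(f"source {cidr} is not the single RNAT address {rnat}")

    covered = set()
    for cidr in rule["destinations"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.subnet_of(WEB_NET):
            findings.append(f"destination {cidr} is outside {WEB_NET}")
            continue
        covered.update(net)  # every address this entry opens (at most a /24)
    for extra in sorted(covered - servers):
        findings.append(f"destination {extra} is open but is not a web server")
    for missing in sorted(servers - covered):
        findings.append(f"web server {missing} is not covered by the rule")

    for svc in sorted(set(rule["services"]) - ALLOWED_SERVICES):
        findings.append(f"service {svc} is not HTTP, HTTPS or PING")
    return findings

# Constructed sample rules: one scoped as in the article, one too broad.
RNAT_IP = "10.100.97.10"
WEB_SERVERS = ["10.100.187.12", "10.100.187.13"]
SCOPED = {"sources": ["10.100.97.10/32"],
          "destinations": ["10.100.187.12/32", "10.100.187.13/32"],
          "services": ["tcp/80", "ping"]}
BROAD = {"sources": ["10.100.97.0/24"], "destinations": ["10.100.187.12/30"],
         "services": ["tcp/80", "tcp/3389"]}

if __name__ == "__main__":
    for name, rule in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_rule(rule, RNAT_IP, WEB_SERVERS))
```

The broad rule is flagged because it opens the whole load balancer VLAN as a source, two addresses that are not web servers as destinations, and a service the load balancer does not need.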

Configure Citrix VPX Load Balancers

We now need to configure the VPX load balancer(s) to deliver services to the 'Client A' web servers. In this phase we will build service groups and virtual servers (VIPs), and update the VPX routes so that traffic is routed to the networks in the 'Client A' sub-account. NOTE: This is not meant to be an all-encompassing guide to configuring a Citrix VPX, just a basic sample use case to balance (2) web servers over HTTP in another sub-account and network.

  1. Create a Service Group

    • Service Group Name: CLIENT_A

    • IP Members: and on Port 80

      [Image: new service group]

    • Monitors: TCP and PING

      [Image: service group monitors]

      [Image: service group completed]

  2. Create a Virtual Server

    • Virtual Server Name: CLIENT_A_PROD_WEBSITE

    • IP Address: IP from the reserved VIP list during the setup of the Citrix VPX. We used from the reserved pool in this example.

    • Service Groups: CLIENT_A

      [Image: virtual server service group]

    • LB Method: Least Connection

    • Persistence: None

      [Image: virtual server persistence]

      [Image: virtual server completed]

  3. Create a route to the 'Client A' sub-account WEB_10.100.187.0/24 VLAN. Navigate to Network, Routes in the VPX management UI. TIP: The gateway IP will be the same gateway IP as the existing route. In this use case we used the following configuration:

    • Network:

    • Netmask:

    • Gateway: (Gateway of the NLB_10.100.97.0/24 VLAN in which VPX Resides)

      [Image: create route on vpx]

      [Image: route added]

  4. Configure RNAT on the newly created route using the RNAT IP.

    [Image: select configure rnat]

    [Image: add rnat ip address]

Add Public IP to VIP for External Access

Finally, as this use case is a public facing website we will use the Add Public IP function of Control to perform a 1 to 1 NAT public IP to the VIP (Virtual Server) created previously on

  1. Navigate to the VPX in Control (TIP: if you have an HA pair the VIPs will be assigned to the primary VPX). Choose Add Public IP, select the VIP (the virtual server created previously) and finally select HTTP(80).

    [Image: add public ip]

  2. The Public IP for this new NAT can be found in the Servers Portion of the Control UI. In this example the Public IP is

    [Image: public ip in control]

  3. Validate the (2) Virtual Web Servers for Client-A sub-account are delivering the Test Page created previously. Use the refresh button a few times to see the page is being delivered by a unique web server and the services are functional.

    [Image: public ip in control]

    [Image: public ip in control]
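
The refresh test in step 3 can be scripted so that a node that never answers is reported instead of being missed by eye. This is an added example, not part of the original article: it requests the test page repeatedly and counts which node served it, using the body text of the default.htm files created earlier. The URL is a placeholder, not the article's public IP.

```python
import re
import urllib.request
from collections import Counter

# Body text of the test pages created on the two web servers.
NODE_RE = re.compile(r"Client A NLB Node #(\d+)")

def fetch(url, timeout=5):
    """GET the page once on a fresh connection and return the body text."""
    req = urllib.request.Request(url, headers={"Connection": "close"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_balancing(get_body, attempts=10, expected_nodes=("1", "2")):
    """Call get_body() repeatedly; return (hits per node, list of problems)."""
    hits, problems = Counter(), []
    for i in range(attempts):
        try:
            body = get_body()
        except OSError as exc:  # URLError and socket timeouts derive from OSError
            problems.append(f"request {i + 1} failed: {exc}")
            continue
        match = NODE_RE.search(body)
        if match:
            hits[match.group(1)] += 1
        else:
            # For example a default IIS page instead of default.htm
            problems.append(f"request {i + 1} returned an unexpected page")
    for node in expected_nodes:
        if hits[node] == 0:
            problems.append(f"node #{node} never answered")
    return dict(hits), problems

if __name__ == "__main__":
    # Placeholder address from the documentation range, not the article's public IP.
    url = "http://203.0.113.10/"
    print(check_balancing(lambda: fetch(url)))
```

A node that never answers points back at the earlier steps: the service group monitors, the firewall rule, or the route and RNAT configuration on the VPX.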