The Citrix Cloud Connector and the Network
April 5, 2019
This article was originally posted at https://mycugc.com/…
Let’s talk Citrix Cloud. More specifically, the Citrix Cloud Connector and its relationship with your network.
So, what is the Cloud Connector?
Docs.citrix.com tells us: “Citrix Cloud Connector: Provides communication between the resources in the resource location and the Citrix Cloud.”
In other words, it’s a vital component. It’s the bridge between the resources your users do their work on, and the management plane for you as an admin, in the (Citrix) cloud.
Citrix recommends deploying two Cloud Connectors per resource location to provide high availability. What is a resource location, you may ask?
Again, docs.citrix.com tells us: “Resource locations contain the resources required to deliver cloud services to your subscribers.”
“Your resource location is wherever your resources reside, whether that’s a public or private cloud, a branch office, or a data center.”
So, let’s say you have a “classic” two datacenter setup, with actively used resources in both of them. They are interconnected and share a common Active Directory. Should you deploy this as one resource location or create a resource location for each datacenter? The latter would look something like this:
As with any Cloud-based service, don’t forget about the network. What if the Cloud Connector in datacenter A uses the Internet connection in datacenter B to connect to Citrix Cloud instead of the “local” connection? This would obviously add some latency to the connection.
Remember that the Cloud Connector can also be used as an HDX Proxy for your user sessions. To make matters more complicated, let’s assume that the same Cloud Connector in datacenter A connects the user with his workload in datacenter B. It will work, authentication will be just fine, and the session will connect.
As I was reminded of on Twitter (by Martyn Dews, @Yorkie71), starting with (CVADS and) VDA 7.18, there’s an option for a direct connection from the VDA -> Citrix Cloud. In that scenario, every single VDA will need a path to the Citrix Cloud, not just the Cloud Connectors anymore. It uses the Rendezvous protocol, as described in more detail in this blog post on citrix.com: https://www.citrix.com/blogs/2020/03/10/ica-and-the-gateway-service-have-a-new-rendezvous/
It will all work, authentication will be just fine, and the sessions will connect. But is it ideal? Probably not, would be my guess. Why? It’s a working path, but not the ideal path. Take into consideration that Citrix manages the Cloud Connector. Which means that Citrix has the technological means to optimize the connection all the way to the Cloud Connector. After that, it’s basically just ICA/HDX traffic on your own network to your VDA endpoint. Deploy your Cloud Connectors and their connectivity to Citrix Cloud accordingly.
So, to wrap this up, what’s the key takeaway? In every Cloud deployment, Citrix Cloud or otherwise, always consider your network.
Thanks
Bart Jacobs
Citrix CTA
2 Responses to “The Citrix Cloud Connector and the Network”
May 8, 2019 at 6:06 am
A really interesting article on the Citrix cloud. I just was wondering, how secure are these connectors? Is there any data breach possible when information is being transferred?
May 21, 2019 at 7:32 am
Hi,
These connectors don’t have an attack surface to start with. The connections initiate an outgoing connection to the Citrix POPs. There is no incoming port to be opened.
In my opinion, this makes it extremely difficult to breach those connections.