[FEATURE REQUEST] Target the primary node in a HA setup by default

[alpha69dk]

Feature Request

Is your feature request related to a problem? Please describe.
When creating HA setup then it is needed to (mostly) target the primary node.
If the secondary node is targetted then deployment will fail (by design).
So - if the primary node changes (for some reason) during deployment then the deployment will fail.

Describe the solution you'd like
Just like a human operator would do - the Primary node should always be targetted (unless parameter set to specifically target the secondary node). NetScaler ADM already does this.

Describe alternatives you've considered
Workaround is to set primary node (or query for primary) multiple times in the script (using dependencies)

Additional context
This issue is specifically seen during initial configuration of HA and licensing. This is since initial licensing reboots the nodes.

[HS1542]

You can target the primary by addressing the SNIP instead of the NSIP.

[alpha69dk]

Hi HS1542,
Thanks for your suggestion!
Unfortunately we are using INC mode in our Azure deployment of NetScalers which means that also the SNIP is different between the 2 nodes.
Using an LBVS VIP (with 127.0.0.1 as backend) could work, but then we need an ALB or ARS in front to steer traffic. This gets a bit complicated.

[rohit-myali]

Hi @alpha69dk ,
As a best practice, It is recommended to divide your terraform scripts into two terraform blocks, one to configure HA and the other for further configuration, which usually goes to Primary NSIP.

We have the same video available in the youtube: https://www.youtube.com/watch?v=VoQDR6bQUVQ
Note: You can start watching the terraform demo from the 17th minute of the video

Thanks,
Rohit

And the same sample terraform scripts are available here: https://github.com/citrix/terraform-cloud-scripts/tree/master/on_prem/configure_on_prem_netscaler_adcs_in_high_availability

[andrewhadam]

We run the same sort of setup w/ different SNIPs between nodes. We solved the problem by creating a service in our Consul cluster that has the two Netscalers in an HA pair registered to it. Then there is a script that queries the Netscaler to figure out who is primary and whichever one is primary becomes active on that service. You're right, it is extra work but the work to setup it will save you a lot of headaches later.

[HS1542]

I guess you could just add a VIP, disable virtual server and enable mgmt services on that one?
That is how the F5s in traffic groups operate, as they are in "INC" mode by default.

[ksashokumar]

Hi @alpha69dk ,

The recommended way to deploy an HA pair in Azure is to use the ALB in front of your backend pools which are your primary and secondary Netscaler. In this setup, we need to create a load balancing rule in the ALB with the Frontend IP, Backend pools and the health probe. Once we configure the HA pair on the Netscaler, always the primary node responds to the health probe in such case, you can do SSH of your Frontend IP which lands into the primary node always.

It is not recommended to have an HA pair in Azure without ALB.