reference deployment

Citrix Web App Firewall (WAF) on AWS

Mitigate threats to your public or internal web assets

This Quick Start automatically deploys Citrix Web App Firewall (WAF) for high availability (HA) on the Amazon Web Services (AWS) Cloud. Citrix WAF is a firewall that protects web applications and sites from both known and unknown attacks, including application-layer and zero-day threats. Citrix WAF is positioned in front of a web server, monitoring web traffic before it reaches the web application.

This Quick Start is for users who want to mitigate threats to public or internal web assets running on AWS. Use this Quick Start to build and test a proof of concept or to create a highly available production-ready deployment of Citrix WAF as a front end for your web applications.

This Quick Start was developed by Citrix Systems in collaboration with AWS. Citrix Systems is an APN Partner.

  •  What you'll build
  • The Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with two public and four private subnets, according to AWS best practices.*
    • An internet gateway attached to the VPC, and route tables associated with public subnets, to allow access to the internet. This gateway is used by the WAF host to send and receive traffic. (The VPN connection and VPN gateway shown here are not deployed as part of the Quick Start; they represent a way to connect to the VPC privately instead.)*
    • Two instances of Citrix WAF (primary and secondary), one in each Availability Zone. Together, these are called the Citrix WAF HA pair.
    • Three security groups (not shown), each spanning the two Availability Zones and acting as a virtual firewall to control the traffic for the WAF instances:
      • A security group for the client network interfaces.
      • A security group for the server network interfaces.
      • A security group for the management network interfaces.
    • In the public subnets:
      • Managed network address translation (NAT) gateways with associated Elastic IP addresses to allow outbound internet access for resources in the private subnets.*
      • An elastic network interface for the client network interface (VIP) of the Citrix WAF instance.
      • An optional Linux bastion host (not shown) in an Auto Scaling group to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in public and private subnets.*
      • An optional Elastic IP address (not shown) attached to the client network interface of the primary Citrix WAF instance.
    • In the private subnets (two per Availability Zone):
      • An elastic network interface with a private IP address for the management network interface (NSIP) of the Citrix WAF instance.
      • An elastic network interface with a private IP address for the server network interface (SNIP) of the Citrix WAF instance.
    • AWS Lambda functions to configure Citrix WAF high availability and load balancing.
    • An AWS Identity and Access Management (IAM) role to securely control access to AWS services and resources for your users. By default, the deployment creates the required IAM role. Alternatively, you can provide your own.

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.
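
An added example, not part of the Quick Start or Citrix's own code: a check over `aws ec2 describe-security-groups` output that flags internet-open ingress on the three interface security groups listed above. The group IDs, the role mapping, and the allowed-port policy (80/443 on the client side only) are assumptions, and the sample data is constructed.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}  # only exact "anywhere" CIDRs are matched
# Assumed policy (not from the Quick Start): ports each role may expose to the internet.
ALLOWED_WORLD_PORTS = {"client": {80, 443}, "server": set(), "management": set()}
# Hypothetical mapping of security group ID to the interface role it protects.
ROLES = {"sg-client": "client", "sg-mgmt": "management", "sg-server": "server"}

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-client", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-mgmt", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-server", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
]}
""")["SecurityGroups"]


def world_open_findings(groups, roles=ROLES):
    """Return (group_id, role, protocol, from_port, to_port) for every ingress
    rule that exposes a port to the internet beyond the role's allowed set."""
    findings = []
    for sg in groups:
        role = roles.get(sg["GroupId"])
        if role is None:
            continue  # not one of the WAF interface groups
        allowed = ALLOWED_WORLD_PORTS[role]
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue
            proto = perm["IpProtocol"]
            # Protocol "-1" means all traffic and carries no port range.
            lo, hi = (0, 65535) if proto == "-1" else (perm.get("FromPort", 0), perm.get("ToPort", 65535))
            if any(p not in allowed for p in range(lo, hi + 1)):
                findings.append((sg["GroupId"], role, proto, lo, hi))
    return findings


if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE):
        print("world-open ingress:", finding)
```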

  •  How to deploy
  • To deploy Citrix WAF, follow the instructions in the deployment guide. The deployment process takes about 15 minutes and includes these steps:

    1. If you don't already have an AWS account, sign up at https://aws.amazon.com, and sign in to your account.
    2. Subscribe to a Citrix WAF Amazon Machine Image (AMI) in AWS Marketplace. For available options, see the Software licenses section of the deployment guide.
    3. Launch the Quick Start. You can choose from two options:
    4. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start.  

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Reports to track costs associated with the Quick Start. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month and aggregates the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?

    This Quick Start requires a subscription to a Citrix WAF AMI. There are two license models: pay-as-you-go and bring-your-own-license. For details, see the Software licenses section of the deployment guide.