reference deployment

Citrix Web Application Firewall on AWS

Mitigate threats to your public or internal web assets

This Partner Solution automatically deploys Citrix Web Application Firewall (WAF) for high availability (HA) to the Amazon Web Services (AWS) Cloud. Citrix WAF is a firewall that protects web applications and sites from attacks, including application-layer and zero-day threats. Citrix WAF is positioned in front of a web server that monitors web traffic before it reaches the web application.

This Partner Solution is for users who want to mitigate threats to public or internal web assets running on AWS. Use this Partner Solution to build and test a proof of concept or to create a highly available production-ready deployment of Citrix WAF as a front end for web applications.

cisco logo

This Partner Solution was developed by Citrix Systems in collaboration with AWS. Citrix Systems is an AWS Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  • The Partner Solution sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with two public and four private subnets, according to AWS best practices.*
    • An internet gateway attached to the VPC, and route tables associated with public subnets, to allow access to the internet. This gateway is used by the WAF host to send and receive traffic. (The VPN connection and VPN gateway shown here are not deployed as part of the Partner Solution; they represent a way to connect to the VPC privately instead.)*
    • Two instances of Citrix WAF (primary and secondary), one in each Availability Zone. Together, these are called the Citrix WAF HA pair.
    • Three security groups (not shown), each spanning the two Availability Zones and acting as a virtual firewall to control the traffic for the WAF instances:
      • A security group for the client network interfaces.
      • A security group for the server network interfaces.
      • A security group for the management network interfaces.
    • In the public subnets:
      • Managed network address translation (NAT) gateways with associated Elastic IP addresses to allow outbound internet access for resources in the private subnets.*
      • An elastic network interface for the client network interface (VIP) of the Citrix WAF instance.
      • An optional Linux bastion host (not shown) in an Auto Scaling group to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in public and private subnets.*
      • An optional Elastic IP address (not shown) attached to the client network interface of the primary Citrix WAF instance.
    • In the private subnets (two per Availability Zone):
      • An elastic network interface with a private IP address for the management network interface (NSIP) of the Citrix WAF instance.
      • An elastic network interface with a private IP address for the server network interface (SNIP) of the Citrix WAF instance.
    • AWS Lambda functions to configure Citrix WAF high availability and load balancing.
    • An AWS Identity and Access Management (IAM) role to securely control access to AWS services and resources for your users. By default, the deployment creates the required IAM role. Alternatively, you can provide your own.

    * The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy Citrix WAF, follow the instructions in the deployment guide. The deployment process takes about 15 minutes and includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Subscribe to a Citrix WAF Amazon Machine Image (AMI) in AWS Marketplace. For available options, refer to the Software licenses section of the deployment guide.
    3. Launch the Partner Solution. You can choose from two options:
    4. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Costs and licenses
  • This Partner Solution requires a subscription to the Citrix WAF AMI. There are two license models: pay-as-you-go and bring-your-own-license. For more information, refer to the deployment guide.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?