AWS Consulting Sydney : Fixing VPC issues with Citrix XenApp

During a recent AWS migration project in Sydney for a customers Citrix XenApp services, our Citrix Consulting and Cloud Migration Practice  came across an apparently undocumented requirement regarding the configuration of Amazon VPC’s.

AWS and MCS

We covered the process of taking advantage of the scale and elasticity of AWS by using Citrix MCS to quickly spawn new machines on the AWS Cloud in an earlier blog.  See Citrix MCS Provisioning in AWS for a rundown of the rationale and setup details.  This blog focuses on a specific issue we found.

MCS Provisioning fails in AWS

Unfortunately much of the documentation of using Citrix MCS on AWS is outdated, or not particularly thorough.  During the recent deployment of XenApp 7.12 into AWS, our team observed long delays in the creation of new machines, followed by failure and a nondescript error within Citrix Studio.  An inspection of the Action logs provided these details:

DesktopStudio_ErrorId : ProvisioningTaskError
 ErrorCategory : NotSpecified
 ErrorID : NoDiskContentTransferService
 TaskErrorInformation : Terminated
 InternalErrorMessage : No facility available for disk upload. No facility available for disk upload. Unable to create any functioning volume service VMs.

Why MCS Provisioning in AWS was failing

Like most customers, they are very security conscious.  Dedicated VPC’s and Networks had been created and locked down prior to the engagement of our AWS consulting team.  As part of the normal clean up activities, the customer’s security team had removed the Internet Gateway from the default VPC subnet.

Why does the default VPC matter with Citrix MCS?

XenApp and XenDesktop require the Default VPC to be in place, including its internet gateway.  If the default VPC has been removed or the Internet Gateway is missing, MCS will fail with the error shown above. There does not need to be AWS security groups that would enable access from the default VPC to the VPC where the VM’s are to be created.  This is because Citrix MCS creates a temporary EC2 instance during the machine creation process that needs to download a software package from a Citrix Systems Inc. managed S3 bucket.  The temporary instance gets deleted, but it is an essential part of the MCS process.  Here is a quote from the Citrix forums from this link:

….the default VPC will be used for the “XenDesktop Temp” instance. This is because this instance needs to download a Citrix software package from S3, and the default VPC is pre-configured by Amazon with a default subnet and security group that will allow straightforward access to the S3 service, which is why it is briefly used. The fact that it doesn’t route to any of your other infrastructure should not matter, provided that it still has its default subnet and can see S3…………

What to do if the Internet Gateway has been removed from the Default VPC

You can add a new internet gateway to the default VPC with just a few clicks within the AWS VPC console.  This should resolve the MCS build issue.

What to do if the Default VPC has been removed?

Contact Amazon Web Services support and ask them to reinstate your Default VPC.