AWS hybrid Citrix DaaS environment, any non‑Citrix EC2 instance powered off or rebooted every night after a Reboot Schedule was configured for a Citrix Delivery Group.
Article ID: CTX696600
Updated On:
Description
In an AWS hybrid Citrix DaaS environment, administrators may observe that non‑Citrix EC2 instances, are unexpectedly powered off on a recurring schedule (for example, nightly).
This behavior typically occurs after configuring Reboot Schedules for one or more Citrix Delivery Groups.
In an AWS‑hosted Citrix DaaS environment, administrators may observe that non‑Citrix EC2 instances are unexpectedly powered off or rebooted when Reboot Schedules are configured for one or more Delivery Groups.
The issue typically occurs when:
- Citrix VDAs and other EC2 instances reside in the same AWS VPC
- A Reboot Schedule is enabled
- Instances are visible to the Citrix AWS hosting connection
Environment
"The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code."
Cause
The Hosting layer enumerates all EC2 instances visible in the VPC using HostedMachineId.
No validation is performed to confirm whether an instance is Citrix‑managed.
Because the non‑Citrix EC2 instance reside in the same VPC and are visible to the hosting connection, they are unintentionally included in the reboot workflow.
This is a design‑level behavior, not a misconfiguration.
Resolution
Use AWS resource tagging combined with IAM policy enforcement to explicitly restrict Citrix power actions to Citrix‑managed EC2 instances only.
Add the following tag to all Citrix‑managed VDAs:
CitrixManaged = True
any non‑Citrix EC2 instances:
CitrixManaged = False
Update AWS IAM Policy:
Modify the IAM policy used by the Citrix Hosting Connection to deny power actions on non‑Citrix instances.
Replace Existing Statement: "DenyStartStopRebootOnProtectedInstances"
To the Following Policy Statement:
{
"Sid": "DenyPowerActionsOnNonCitrixInstances",
"Effect": "Deny",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringNotEquals": {
"ec2:ResourceTag/CitrixManaged": "True"
}
}
}
Even if Citrix enumerates the VPC and attempts power actions, AWS blocks the request at the IAM level.
Issue/Introduction
After configuring Reboot Schedules for a Citrix DaaS Delivery Group in an AWS environment, non‑Citrix EC2 instances located in the same VPC may be unexpectedly powered off or rebooted.
This can affect any EC2 instance visible to the Citrix AWS hosting connection, not only Citrix VDAs.
