A few months back, I set up a Horizon environment running in our VMC environment, used for lab purposes. Since then, several people have asked me to walk through the setup, so I decided to write a blog post on the matter.
This blog post covers the considerations for running VMware Horizon on VMC, and the technical setup of the lab environment I created.
- Horizon 7 on VMware Cloud on AWS is not DaaS
- Horizon 7 on VMware Cloud on AWS Deployment Guide and Supportability
- Feature Support
- Horizon on VMC architecture
- Platform Considerations
- Identity Management
- File Shares
- Image management
- Network Service
- VMC Network Segments
- Load Balancing
- Firewall Rules
- Horizon Connection Broker Configuration
Horizon 7 on VMware Cloud on AWS is not DaaS
I will not cover the details of VMware Cloud on AWS (VMC) in this post, but you can read about it here.
Horizon 7 (or later), running on top of VMC, is not a Desktop-as-a-Service offering. For that, we have our Horizon Cloud offering, which currently supports Azure and IBM Cloud.
Horizon on VMC behaves the same as the on-prem offering, i.e. the same considerations and configurations apply as if you deployed Horizon in your own private datacentre.
You can stretch an existing Horizon environment to also make use of the compute and storage in VMC, and set up Cloud Pod Architecture between the locations as well. Alternatively, you can run a full Horizon environment solely within VMC itself. By running within VMC, you also keep your desktops in close proximity to native AWS services, such as file services and global load balancing services, to name a couple of examples.
Horizon 7 on VMware Cloud on AWS Deployment Guide and Supportability
To build our Horizon on VMC lab, I simply read the documentation, so I won't hide it from you: you can skip this blog post and just read the links below. Now that I've covered the high level, the rest of this post goes through the technical information, considerations and nuances.
- Deploying Horizon 7 on VMware Cloud on AWS (PDF deployment guide)
- Horizon 7 on VMware Cloud on AWS Support (58539)
- HOL-2052-01-ISM – VMware Horizon on VMware Cloud on AWS
Feature Support
You can use the KB article (58539) above for the up-to-date feature support matrix; below I have called out some of the more important considerations:
| Not Supported Feature | Alternative |
| --- | --- |
| View Composer Linked Clones | Use Instant Clone instead |
| Content Based Read Cache (CBRC) | Not needed for performance on VMware Cloud on AWS |
| | Use Unified Access Gateway (UAG) instead |
| Horizon Persona Management | Use Dynamic Environment Manager |
| vRealize for Horizon (Monitoring) | Support can be granted on an individual basis |
| JMP Server (On-Premise) | Use JMP on the Horizon Cloud Console instead |
Horizon on VMC architecture
Below is VMware's simplified recommended pod architecture for Horizon on VMC, where Cloud Pod Architecture is not configured.
Essentially, if you scale out across multiple VMC SDDCs, each SDDC is a single "pod".
Below is a basic diagram of the architecture of the lab environment. As this environment is not production based, a number of components are missing, such as load balancing and HA/replica instances of the UAG and the connection brokers. With this configuration we expect to support only a limited number of users, and have no ability to recover from an outage of the UAG or the connection broker.
Platform Considerations
Identity Management
Typically you will be using Microsoft Active Directory; I haven't seen an environment myself where this is not the case. However, it is possible to use AWS Directory Service if you want to.
The top three things you need to think about (which aren't specific to VMC on AWS):
- Proximity to Active Directory is key
- Consider at least a Read-Only Domain Controller in the SDDC if stretching from your private cloud
- Configure Active Directory Sites and Services correctly, so that desktops in VMC locate a nearby domain controller rather than one back on-prem
File Shares
Again, the proximity of a user's documents is key to the user experience.
If using Windows File Services on-prem, consider using Distributed File System (DFS) replication to keep a copy of the data local to the Horizon desktops in VMC. There are also options such as FSLogix from Microsoft to manage parts of the user profile environment, but this could make your environment more complex than it needs to be. Finally, as you are running an SDDC in AWS, consider native services such as Amazon FSx for Windows File Server.
Consider the cost requirements: not only is the cost of storage a factor, but so is network traffic. If the data is outside of your VMC SDDC, then ingress is free but egress will cost you (with an AWS Direct Connect connection, egress costs a little less). So options like using Microsoft DFS to replicate between on-prem and the VMC SDDC may work best, but any data replicated back to your on-prem datacentre will probably incur a network data transfer cost.
Image management
At the time of writing, Horizon 7.11 is the latest release, and there is no support for the vSphere Content Library. Therefore you have to plan your image management strategy carefully, especially if you are extending your on-prem Horizon environment to VMC.
Horizon builds its desktop pools from snapshots of powered-off virtual machines (VM templates are not supported). If you have a single image in use, you could simply keep a second copy of the image in the SDDC and build your standard operating procedure to update and push out the two images in lock step. But if you have several images, this becomes more complicated.
You could look at solutions like Veeam Backup and Replication to copy your VM images between on-prem and VMC.
Network Service
For me, the biggest differences between deploying Horizon on-prem and deploying Horizon on VMC are the networking and security aspects.
VMC Network Segments
- At minimum you will need two:
- Internal LAN
- DMZ for the Unified Access Gateway (UAG)
See the firewall rules section below for how the DMZ is enforced.
Load Balancing
Although VMC uses NSX-T for networking and security, the load balancing features found in an on-prem NSX-T deployment are not available.
Hence this is a bring-your-own-load-balancer situation. Example options:
- NSX Advanced Load Balancer (formerly Avi Networks)
- Kemp virtual appliance
- F5 virtual appliance
- Amazon Route 53 (DNS-based global load balancing)
As per the limitations above, Horizon on VMC relies on Instant Clone technology, which means your desktops will boot and obtain their IP addresses via DHCP.
The DHCP functionality built into VMC is quite limited: you cannot set lease times, or expire DHCP allocations when troubleshooting.
I would say it is mandatory to set up your own DHCP server in your environment, even if it is only used for your Horizon desktops.
In the lab environment, I achieved this by adding a second network adapter to the domain controller, attached to the logical switch used for my Horizon desktops, and binding the DHCP service to that single adapter/network range.
Firewall Rules
This is the critical piece to get right. VMC offers two kinds of firewall:
- North/South traffic (the gateway firewall): everything leaving the SDDC to the outside world
- East/West traffic (the distributed firewall): the rule set for VM-to-VM traffic; you need this to create your DMZ for the UAG
If you do not set up the distributed firewall, you just have internal network segments that can talk to one another as long as they are routed. From a security point of view, this is not what you want.
When creating distributed firewall rules, there are a couple of things you should be aware of:
- Like a normal firewall, rules are processed top down, so the placement of a rule matters!
- You create rule sections (red in the screenshot), and then the rules themselves (yellow) within each section
- The distributed firewall has a default allow-all: if the traffic does not match an existing rule, it is allowed!
Based on the above, if we just look at creating a DMZ for the Unified Access Gateway component, we need to end the firewall section for this component with two deny rules: one for all traffic leaving the UAG (purple), and one for all traffic going to the UAG (blue).
This ensures that any traffic not explicitly allowed by a previous rule in the section is blocked, rather than falling through to the default allow.
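To make the default-allow and top-down behaviour concrete, here is an added example (not code from the original post, nor anything VMware ships): a toy first-match model of the UAG section of the distributed firewall. The 10.10.x.x addresses, the rule names and the choice of ports (443/4172/8443 client-facing, 443 to the connection server, 22443/4172 to the desktops) are assumptions for illustration, and it models only the east/west rule set, not the gateway firewall that internet traffic crosses first.

```python
"""Toy first-match model of a VMC distributed firewall section for the UAG DMZ.
Added example: addresses, rule names and ports are assumptions, not the lab's
real values, and only the east/west (distributed firewall) rules are modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

ANY = "any"
PortSpec = Union[int, frozenset, str]

# Assumed addressing for the example (not from the post).
UAG = "10.10.20.10/32"            # UAG in its own DMZ segment
CONNECTION_SERVER = "10.10.10.5/32"
DESKTOPS = "10.10.30.0/24"        # instant-clone desktop segment


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR or ANY
    dst: str          # CIDR or ANY
    dport: PortSpec   # int, frozenset of ints, or ANY
    action: str       # "allow" or "drop"
    log: bool = False


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _ip_match(cidr: str, ip: str) -> bool:
    return cidr == ANY or ip_address(ip) in ip_network(cidr)


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, int):
        return port == spec
    return port in spec


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, bool]:
    """First match wins, top down. Returns (action, rule name, logged).
    If nothing matches, the distributed firewall's default applies: allow."""
    for r in rules:
        if _ip_match(r.src, flow.src) and _ip_match(r.dst, flow.dst) and _port_match(r.dport, flow.dport):
            return r.action, r.name, r.log
    return "allow", "default-allow", False


def uag_section(with_trailing_deny: bool = True) -> List[Rule]:
    """The UAG section: explicit allows, then (optionally) the two closing denies."""
    rules = [
        # Clients from anywhere reach the UAG on the Horizon client-facing ports.
        Rule("internet-to-uag", ANY, UAG, frozenset({443, 4172, 8443}), "allow"),
        # The UAG authenticates users against the connection server.
        Rule("uag-to-connection-server", UAG, CONNECTION_SERVER, 443, "allow"),
        # The UAG tunnels the display protocol (Blast / PCoIP) to the desktops.
        Rule("uag-to-desktops", UAG, DESKTOPS, frozenset({22443, 4172}), "allow"),
    ]
    if with_trailing_deny:
        rules += [
            Rule("deny-uag-to-any", UAG, ANY, ANY, "drop"),             # the purple rule
            Rule("deny-any-to-uag", ANY, UAG, ANY, "drop", log=True),   # the blue rule, logged
        ]
    return rules


def misordered_section() -> List[Rule]:
    """Same rules, but with the blue deny placed first: placement matters."""
    rules = uag_section(True)
    return rules[-1:] + rules[:-1]


if __name__ == "__main__":
    probes = [
        Flow("203.0.113.7", "10.10.20.10", 443),   # client -> UAG HTTPS
        Flow("10.10.20.10", "10.10.10.5", 443),    # UAG -> connection server
        Flow("10.10.20.10", "10.10.10.5", 445),    # UAG -> SMB on the LAN (should drop)
        Flow("10.10.30.15", "10.10.20.10", 22),    # desktop -> UAG SSH (should drop)
    ]
    for label, rules in (("without closing denies", uag_section(False)),
                         ("with closing denies", uag_section(True)),
                         ("blue deny moved to the top", misordered_section())):
        print(label)
        for f in probes:
            print("  ", f.src, "->", f.dst, f.dport, evaluate(rules, f))
```

Without the two closing denies, the desktop-to-UAG SSH probe and the UAG-to-SMB probe both fall through to the default allow; with them, both are dropped and the inbound one is logged. Moving the blue deny to the top of the section drops legitimate client traffic on 443, which is the placement point made above.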
Firewall rule logging
As you can see in the image above, I have enabled logging on the final deny rule, so any traffic going to the UAG that is not allowed by the previous rules is logged.
There are limitations with the Log Insight instance included in your VMC on AWS subscription compared with the full paid subscription, such as 1GB per day of log ingestion, no content packs, and only 7 days of historical logs.
To view the logged firewall hits, simply filter by:
- Log_Type = nsxt-firewall
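As an added example (not part of the original post), here is how that Log_Type filter translates into a script you could run over an exported query result to see what the blue deny rule is dropping. The log lines are constructed for this example in the general shape of NSX-T distributed firewall syslog messages; the rule id 1005, the PASS/DROP action words and the UAG address 10.10.20.10 are assumptions, so check the field order against your own export before relying on the regex.

```python
"""Summarise dropped flows aimed at the UAG from distributed firewall logs.
Added example: the sample records are constructed, not real Log Insight output,
and the rule id, action words and UAG address are assumptions."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

UAG_IP = "10.10.20.10"   # assumed DMZ address of the UAG (not the lab's real value)

# Flow part of an NSX-T distributed firewall message, assumed to follow the shape
# "match <ACTION> <rule-id> <IN|OUT> <len> <PROTO> src/sport->dst/dport".
# Ports are optional so ICMP records (no ports) still parse.
FLOW_RE = re.compile(
    r"match (?P<action>[A-Z]+) (?P<rule>\d+) (?P<direction>IN|OUT) (?P<length>\d+) "
    r"(?P<proto>[A-Z0-9]+) (?P<src>[\d.]+)(?:/(?P<sport>\d+))?->(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# Constructed sample export: the Log_Type value first, then the message.
SAMPLE_LOGS = """\
nsxt-firewall 2020-02-03T09:12:01.114Z esx-01 NSX 2312 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match DROP 1005 IN 60 TCP 10.10.30.15/50122->10.10.20.10/22 S
nsxt-firewall 2020-02-03T09:12:03.771Z esx-01 NSX 2312 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match PASS 1001 IN 60 TCP 203.0.113.7/44120->10.10.20.10/443 S
nsxt-firewall 2020-02-03T09:12:09.002Z esx-02 NSX 2312 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match DROP 1005 IN 60 TCP 10.10.30.15/50123->10.10.20.10/22 S
nsxt-firewall 2020-02-03T09:12:15.340Z esx-02 NSX 2312 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match DROP 1005 IN 48 TCP 10.10.10.5/61002->10.10.20.10/9443 S
nsxt-firewall 2020-02-03T09:12:18.900Z esx-02 NSX 2312 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match DROP 1005 IN 84 ICMP 10.10.30.15->10.10.20.10 8 0
vmw_horizon 2020-02-03T09:12:19.000Z cs-01 unrelated Horizon event that the filter must exclude
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Apply the Log_Type = nsxt-firewall filter and extract the flow fields."""
    log_type, _, message = line.partition(" ")
    if log_type != "nsxt-firewall":
        return None
    m = FLOW_RE.search(message)
    return m.groupdict() if m else None


def drops_to(lines: Iterable[str], dst_ip: str) -> Counter:
    """Count DROP records aimed at dst_ip, keyed by (source IP, destination port or protocol)."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["dst"] == dst_ip:
            hits[(rec["src"], rec["dport"] or rec["proto"])] += 1
    return hits


if __name__ == "__main__":
    for (src, port), n in drops_to(SAMPLE_LOGS.splitlines(), UAG_IP).most_common():
        print(f"{n:3d} x {src} -> {UAG_IP}:{port}")
```

Grouping by source and destination port is what you want when triaging a logged catch-all deny: repeated hits from one internal source on a port you never intended to open to the UAG are either a missing allow rule or something worth investigating.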
Horizon Connection Broker Configuration
I've left this piece until last, simply because once we get into Horizon itself, pretty much everything is the same as you know and love (or hate) from an on-prem deployment.
When adding your vCenter connection details, you simply tick the box stating that the vCenter is part of a VMware Cloud on AWS deployment. You will then find that certain options in the interface are unavailable when deploying desktop pools to this vCenter, as per the limitations listed earlier in this post.