VMware Horizon on Azure - steps to take
Updated: May 5, 2020
It sounds easy, doesn't it? Just consume some resources from Microsoft's Azure stack, put a VMware Horizon control plane on top of it and you're off! In theory, this is exactly what the solution looks like, but in reality there's a lot more to it.
The solution itself is a genuinely easy concept, consisting of two parts, just like in the picture above: Horizon Cloud and Microsoft Azure.
You essentially buy a VMware Horizon control plane, consisting of all the moving parts you need to roll out a desktop workload, hosted for you on Azure. There are no servers to install and no parts to manage; everything is done for you. You just need to be at the helm, managing everything through the web interface of the control plane.
You need an infrastructure for this workload to land on, in this case Microsoft Azure. This provides all the compute you need: CPU, memory, storage and even GPUs, should you require them. As a bonus, you can now keep using Windows 7 for a longer period in a supported configuration, as well as consume the new Windows 10 Multi-session through the new Windows Virtual Desktop program.
If you want to make it even easier, get in touch with a VMware/Microsoft partner that can do this for you!
From a practical standpoint, there are many things you will have to arrange to get this up and running in such a way that your end users can actually do the things they need to do. This post is aimed at helping you gather a list of things you have to both think about and actually arrange before pressing that magic Deploy button.
Just to make sure that you know what we're talking about, this is VMware's description of the service, taken from the official Horizon Cloud on Microsoft Azure - FAQ. I will be referring to the solution as "HoA" in the remainder of the blog post.
What is Horizon Cloud on Microsoft Azure?
Horizon Cloud on Microsoft Azure provides customers with the ability to pair their existing Microsoft Azure infrastructure with the VMware Horizon® Cloud Service™. Horizon Cloud delivers feature-rich virtual desktops and applications using a purpose-built cloud platform that is scalable across multiple deployment options, including fully managed infrastructure from VMware and public cloud infrastructure from Microsoft Azure. The service supports a cloud-scale architecture that makes it easy to deliver virtualized Windows desktops and applications to any device, anytime. And, with a flexible subscription model, organizations can easily get up and running quickly.
For more information, please check out this YouTube video:
VMware Horizon Cloud on Microsoft Azure: Technical Overview
Most cloud solutions will let you choose where your workload runs. Look at this choice very carefully, as the impact on performance can be huge. Azure datacenters are spread across the globe, so base the choice on optimal performance across all applications and resources that need to be accessed from within the cloud solution.
Your infrastructure needs to be able to communicate. When this is contained within your locally hosted data centers, this is reasonably easy to maintain and manage. When a public cloud is added to the mix, things suddenly become a bit more complicated.
The desktops and other resources that are going to be hosted in the cloud may need to access resources that are still in your local data center, and people will probably need a way of connecting from your local sites to the cloud-hosted infrastructure.
Is this traffic going to be routed over the internet? Is that secure enough? Do you want this traffic to be private? Are users allowed to contact the cloud resources over the public internet?
You might need to implement site-to-site VPNs or other means of connecting the cloud to your local data center and vice versa, and don't forget the network segments and configuration of the cloud solution itself. You might also need some form of WAN acceleration if you are faced with increasing latency or redundancy issues.
Consider that your network is the backbone of all infrastructure, cloud and local.
Make sure you understand the requirements for the entire solution and design this part first.
Applications and data
A virtual desktop is centered around getting the right applications and data to your end users. The first thing you will have to get a good grip on is what the environment is actually going to have to deliver. This is very much about those apps and data, so the first step in this process is to get an actual list of the resources people need to be able to use.
For each application, you will have to think about who actually needs to access it, where it's going to be hosted, how it's going to be installed, whether it needs to connect to a back end, and whether it needs to access other resources or has other requirements to be up and running. Also check any licensing issues you might run into, and whether you'll remain compliant when moving to a cloud-based desktop hosting solution such as HoA.
The HoA solution consists of a number of licensed parts. One part is the VMware solution, which is a subscription-based license called the Horizon Universal License. This license allows your desktops and apps to be run from any supported public cloud AND on-premises solution combined.
The other part is the infrastructure you bring yourself. This can be any of the supported public cloud options, each with its own costs. On-premises will need a certain amount of infrastructure along with the costs of operating and managing it.
Besides the infrastructure parts, also think of the licenses you will need for your operating systems. There are many combinations possible with Microsoft licensing. Do yourself a favor and talk to a Microsoft licensing specialist; there are too many options that change far too often, especially now that Microsoft has entered the VDI space themselves with their new Windows Virtual Desktop.
Be very mindful of your application licenses too. A lot of applications use very old ways of licensing their software. These can be tied to specific computer names, MAC addresses or even hardware dongles that need to be physically attached to the system running the software. These options do not fit a virtual environment, especially if your desktops are going to be stateless.
As stated before, complete the list of all the software your users will need, and check how each item is licensed to make sure it fits your cloud strategy.
Something often forgotten, mainly because of all sorts of marketing, is the endpoint: the device and situation from which the user will be connecting to the environment. Although you will be told that the environment can be accessed from anywhere, anytime and from any device, it is very important to understand from what kind of situation the users will be connecting. Will this be from within a closed infrastructure, or from the other side of the globe? From a tablet, a home PC or a thin client? A good understanding of the requirements in between needs to be part of the inventory you complete before going further and actually designing your new cloud solution. You might also have to think about providing your users with actual manuals and guides on how to connect to this new environment.
Primarily, there are two ways of connecting to any Horizon environment:
Use an HTML5-compatible web browser
Use a native VMware Horizon client for a supported operating system
Since there are limitations on the browser-based connection, you will have to think about what the users will actually need. If they need real-time audio/video from this environment, a browser-based session might not be the right decision. If they only need a way to access a simple application, HTML5 might be the easiest solution.
Your users will need a way to prove their identity to the system, and preferably allow for what we call a single sign-on experience. Enter your credentials once, and be able to access all necessary resources without having to re-authenticate. Not all applications and resources allow for this, but it is being adopted more and more.
You will have to think about where your primary Identity Provider is hosted. The one most often thought of is Microsoft Active Directory, but this system is quite limited. Examples of IdPs you might know are Okta, Ping, ADFS and OneLogin, but there are many more. If you plan to stick with Active Directory, you will have to think of a way in which your new cloud system can reach this directory to validate the user. Think of network access between the two, security (e.g. firewall), name resolution and routing.
Also, make sure your cloud system actually supports your way of authenticating.
If your company already uses a form of multifactor authentication, like the well-known token, this can also be used with most cloud platforms. The two main options are RSA, which is a well-known brand of tokens, or a system that supports the RADIUS protocol.
If you are trying to combine multiple identity systems into one cloud solution, you might need to consider putting an Identity Manager in front of it, to give yourself more options. VMware Workspace ONE Access is one of those options. It allows you to connect more than one IdP, to facilitate migration or to allow a combination of them. This gives your users a single portal of entry, and your IT personnel a single portal of administration.
Make sure that you choose the way your users will be authenticating to the system and make sure it fits their needs.
Functionality, ease of use and security don't naturally go hand in hand, but you do need to think about all three. Since the entire solution is very dependent on communication between all components, securing that communication is equally important. There will be a lot of new network flows when implementing a move to the public cloud. Horizon on Azure itself provides excellent documentation about the moving parts in the HoA solution, but there are many more components to a solution like this. Think of authentication flows like LDAP and RADIUS, but also applications and network services such as DNS, DHCP, NTP and KMS.
Create a network architecture and accompanying list that shows all communication flows. Based on this, any firewall in the picture can be easily configured to allow the correct access.
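As an added example, not part of the original post: a small Python model of such a flow list, with constructed segment names, address blocks and flows (the ports are the standard ones for DNS, NTP, LDAPS, RADIUS, KMS and LDAP). It flags flows that would leave the private path unprotected, or that reference a segment missing from the address plan, and derives the per-destination firewall rules from the same inventory so the two never drift apart.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    name: str
    src: str         # source segment name
    dst: str         # destination segment name
    proto: str       # "tcp" or "udp"
    port: int
    encrypted: bool  # protocol protects its own payload (LDAPS: yes, LDAP/RADIUS: no)

# Constructed address plan: segment name -> CIDR. Not a real deployment.
SEGMENTS = {
    "azure-desktops": "10.20.0.0/22",
    "onprem-services": "192.168.10.0/24",
    "branch-lan": "172.16.5.0/24",
}

# Segment pairs joined by a private path (here a site-to-site VPN); any other
# pair can only reach each other over the public internet.
PRIVATE_PATHS = {frozenset({"azure-desktops", "onprem-services"})}

FLOWS = [
    Flow("dns", "azure-desktops", "onprem-services", "udp", 53, encrypted=False),
    Flow("ntp", "azure-desktops", "onprem-services", "udp", 123, encrypted=False),
    Flow("ldaps", "azure-desktops", "onprem-services", "tcp", 636, encrypted=True),
    Flow("radius", "azure-desktops", "onprem-services", "udp", 1812, encrypted=False),
    Flow("kms", "azure-desktops", "onprem-services", "tcp", 1688, encrypted=False),
    # The branch still serves plain LDAP and has no VPN towards Azure yet.
    Flow("ldap", "azure-desktops", "branch-lan", "tcp", 389, encrypted=False),
]

def review_flows(flows, private_paths, segments):
    """Flag flows that use an unknown segment or cross the public internet unprotected."""
    findings = []
    for f in flows:
        unknown = {f.src, f.dst} - set(segments)
        if unknown:
            findings.append(f"{f.name}: segments not in address plan: {sorted(unknown)}")
        if frozenset({f.src, f.dst}) not in private_paths and not f.encrypted:
            findings.append(f"{f.name}: unencrypted traffic over the public internet")
    return findings

def firewall_rules(flows, segments):
    """Derive one allow rule per flow, grouped by the destination segment's firewall."""
    rules = {}
    for f in flows:
        rules.setdefault(f.dst, []).append(
            f"allow {f.proto}/{f.port} from {segments[f.src]} to {segments[f.dst]} ({f.name})")
    return rules
```

Running `review_flows(FLOWS, PRIVATE_PATHS, SEGMENTS)` on this inventory reports only the plain-LDAP flow to the branch, which is exactly the kind of flow to resolve (VPN or LDAPS) before the deployment wizard is started.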
The network security is just one part, there's also the user to consider. They will access the system from an endpoint that might not be part of your infrastructure. Are you going to allow this? If so, what services are you going to provide to it, or not? How secure is this endpoint? What do they actually need to do? Just access the remote system and view information? Do they need USB access? File redirection? Remote printing?
For all these options you will need to think about when and in what kind of situation to allow them, since most of them are a potential vector for data loss.
There are solutions that can help with this. You can choose to use a secure endpoint, by leveraging solutions like IGEL or 10ZiG, that can provide a multiboot scenario for most x86-based endpoints. Boot from the USB stick and you have a safe environment, primarily capable of connecting to your cloud infrastructure. Take it out and your endpoint is yours again.
Using your own device natively to connect to the cloud infrastructure can also be managed. Enrolling it into your company's Mobile Device Management is a way of establishing trust, especially when combined with products such as Lookout or Carbon Black, both very innovative new ways of securing endpoints.
Security is a very difficult thing to manage. It can easily hamper productivity, but is becoming more and more needed, as "malevolent forces" on the internet are getting more and more creative every day in finding ways to break into your private space.
Design it carefully.
Do yourself a favor and make sure all your components come with a way to be managed. Like security, management is an overarching thing to think about. It's all about responsibility: knowing who is responsible for which part, and whether they can actually manage it, is very important. Create a matrix showing who manages what, and make sure it reflects the new situation. If you do not, you risk people not being able to manage what they need to.
The list of all those parts:
Applications and Data
The actual deployment
When all is designed and taken care of, comes the actual deployment. Almost everything is done from the Horizon control plane in the form of a wizard. This sounds like an easy button, but it needs a bit of work in advance. Everything you need to know and enter into the wizard has to be prepared and correctly available, otherwise the deployment will fail and force you to start over again.
A checklist is provided for this, which needs to be completed before starting the actual deployment. This provides a way of making sure you have literally ticked all the boxes.
VMware Horizon 7 with Horizon Cloud Requirements Checklist
Once you complete the wizard, you will have a genuine VMware Horizon Cloud desktop environment at your disposal! Now the real work begins...
If you want to know more about the actual process of onboarding a VMware Horizon Cloud and the newest developments in v3.0, make sure you read these thoroughly:
Onboarding to Horizon Cloud for Microsoft Azure, Horizon 7 On-Premises, and Horizon 7 on VMware Cloud on AWS
Horizon Cloud on Microsoft Azure Support for Windows Virtual Desktop is Here