VMware Horizon Cloud Service on Microsoft Azure – Technical Walkthrough (Part 1)
VMware Horizon Cloud Service on Microsoft Azure provides a single platform for delivering virtualized Windows applications and desktops running in Microsoft Azure. Microsoft Azure is a very flexible and scalable cloud platform offering high reliability across its more than 40 global data centers. It allows customers to easily deploy and manage infrastructure across a global footprint.
With the Horizon Cloud Service, you can publish business-critical Windows apps alongside Software-as-a-Service (SaaS) and mobile apps and desktops in a single, digital workspace. Users can easily access the digital workspace with single sign-on from any authenticated device or operating system. Today, this can be done by leveraging Windows Server instances using Remote Desktop Services (RDS) to deliver shared desktop sessions. Soon, we will be launching support for Windows 10 desktop OS to provide a rich virtual desktop infrastructure (VDI) experience too (this feature is currently in beta).
Horizon Cloud provides a simple way, from any browser, to create and manage desktop and application environments running on Microsoft Azure. The published applications and desktops support a wealth of features to ensure a really great end-user experience, including:
- HTML Access web client
- Access to locally connected USB devices
- Client-drive redirection
- File type association
- Windows Media redirection
- Content redirection
- Printer redirection
- Location-based printing
- 3D rendering
- Smart card authentication
- and much more
The desktop and application experiences delivered by Horizon Cloud Service on Microsoft Azure leverage both Blast Extreme Adaptive Transport (BEAT) and PCoIP display protocols from VMware, providing a rich user experience using zero, thin, laptop (OS X, Linux, Windows), PC or mobile clients over LAN, WAN or bandwidth-limited connections.
This multi-part blog is intended to give you a really in-depth look at what it is like to build and manage desktops and applications using Horizon Cloud Service on Microsoft Azure. The blogs will take you through the initial setup, image creation, RDS Farm creation, VDI management (when it goes live soon!) and then finally Day 2 operations such as monitoring usage, supporting your end users and maintaining images and apps. I’m the engineering lead for the service, and have worked with many customers helping them get started and helping them get the most out of the service. I really wanted to write this blog series to help share some of this experience with you.
In this first blog, I wanted to make sure we establish a good understanding of the main components, and to take time to explain the terminology I will often use throughout the blog series.
Horizon Cloud Service on Microsoft Azure consists of the Cloud Control Plane, which is managed and updated frequently (often several times per week) by VMware. There is also the Azure capacity that you provide, and in this we run desktop and application capacity, which securely connects to and is managed by the Cloud Control Plane. The following sections identify the main components in more detail. Optionally, you can connect the Azure capacity back to your local environments running on-premises, allowing you to access any local servers or applications.
Horizon Cloud Administration Console – all management operations are performed from a single administrative graphical user interface—from initial build-out and configuration of the environment, to image creation and farm configuration and entitlements. It also provides a convenient management portal for ongoing monitoring and reporting purposes. This administration console runs inside the VMware managed Horizon Cloud Service. We (currently) have two regions available for use: USA and Europe (Germany), with more to be available in due course. By selecting a specific Cloud Control Plane region, you ensure data sovereignty within your region of choice. Any data stored within this region will NOT move to any other geographical control plane region. It’s important to note that you are not limited to those regions for your desktop and application capacity location. You can still choose to deploy your node capacity into any of the 40+ Global Microsoft Azure datacenters. You pay VMware for a subscription to access this Horizon Cloud Service administration console.
Microsoft Azure Capacity – this is owned and paid for by you. You bring your own Microsoft Azure Subscription(s) for use in hosting the desktops and applications. The advantage is you can control what policy and access you have around your desktops and apps, as well as leveraging your corporate agreements with Microsoft. If you don’t already have an enterprise agreement with Microsoft Azure, then not to worry–you can also use Horizon Cloud Service with Microsoft Azure using a pay-as-you-go-type model. This gives you ultimate flexibility; for example, to start small, and then grow as your budget and use case demand.
Using the Administration console, you can simply deploy one (or more) Horizon Cloud Nodes into the Microsoft Azure Subscription(s) of choice, in the Microsoft Azure data center(s) you require. This node provides local creation, management and entitlement to the desktops and applications running in that region. The node integrates with Windows Active Directory, and optionally RADIUS/2FA schemes, to provide secure access to entitled desktops and apps for end users.
The VMware Unified Access Gateway™ [Optional] – Provides secure access from the WAN without needing to route user sessions across a VPN/ExpressRoute connection. If required, this will be automatically deployed and managed along with the node. It is exposed through a public fully qualified domain name, allowing end users to access their desktops from anywhere with public internet access.
VMware Workspace ONE™ [Optional] – Provides a convenient way to manage all your global SaaS application entitlements, and desktop and app entitlements, from a single portal. This can be paired with your Horizon Cloud Service Nodes if required to allow all entitlements (including those from Horizon Cloud Service) to be available in the Workspace ONE catalog. It is highly recommended to use the Identity Manager to give your end users the best seamless experience regardless of the type of work they need to perform.
Horizon Clients – Client software is available from app stores or from VMware for iOS, Android, Chrome, Windows, Linux, and Mac OS so that end users can access applications and desktops from any device. The HTML Access web client is also available (providing you use the VMware Unified Access Gateway) allowing access from any browser without the need for additional software to be installed. The clients support multiple Display Protocols – Blast Extreme featuring BEAT technology provides a highly-optimized display protocol that works over LAN, WAN, and highly lossy mobile networks, while still delivering a fantastic user experience. HTML Access, and PCoIP are also supported.
VMware User Environment Manager™ [Optional] – Offers the capability to provide a user experience customized to each user’s preferences, enabling each user to have their own desktop or app look, feel, and functionality.
Application catalog – Each application that you select to publish becomes an application definition. These applications can then be entitled to users in an Application Assignment. Assignments can include apps from multiple farms on the same Horizon Cloud node.
Agents – Horizon Cloud automatically installs the Horizon Agent, DaaS agents, and User Environment Manager FlexEngine service on the master images for Microsoft RDSH servers and VDI desktops. The agents are also provided for download from https://my.vmware.com so that you can manually download them and install into your own images if required. The Horizon Agent communicates with Horizon Client to provide features such as connection monitoring, virtual printing, folder sharing (client-drive redirection), and access to locally connected USB devices. FlexEngine is the User Environment Manager agent which starts at login and imports policy settings, including application and user environment settings, from a configuration share. This agent also optionally loads personalization settings from a user profile archives share. You use the provided Group Policy Object (GPO) administrative templates (.admx files) to enable and configure FlexEngine.
RDSH application farms and VMs – The server VMs for use as RDS are grouped (and managed) by RDSH farms. One or more RDSH servers make up a farm, and from that farm you create application and shared session-based desktop pools. Once Assignments have been created, end users can access desktops and apps from any device, anywhere.
RDSH desktop farms and VMs – These farms are similar to the RDSH application farms above, but provide session-based desktops, where several users share the same server to deliver a rich desktop experience.
VDI desktops (currently in beta) – provide Windows 10 based desktops to end users, using either a Floating or Dedicated experience. With VDI, only a single user connects to a single desktop machine, rather than the shared RDS experience identified above. A floating desktop is non-persistent, meaning that each time you log in, you get the same experience – there is no persistence of the user data or settings. Dedicated desktops provide a persistent experience, where you always log in to the same VM, and your changes, settings and data are preserved.
Power Management – Microsoft Azure charges for capacity usage per second of use. A VM left running overnight (even if only lightly loaded) will cost the same as a VM left running overnight under heavy use. As a result, it is much better to ensure that resources that are not needed are powered down and stopped (deallocated). This results in you paying only for the persistent storage for the disk (which is comparatively cheap), and you only pay for the VM whilst it is running. Power Management schemes in Horizon Cloud Service offer a variety of methods to manage your resources automatically, keeping your monthly bills as low as possible by powering resources off when they are not needed.
Documentation – who reads the manuals? Not me!… but, you probably should! There’s some really good information in them. They are split into three main parts: the Requirements Checklist, the Getting Started Guide and the Administration Guide. If you hit a speed bump, and you have an active paid license for Horizon Cloud Service on Microsoft Azure, then you can file support requests via the My VMware portal here: https://my.vmware.com where we have 24×7 support available waiting to help with any issues. Outside of this, we’d love to hear from you, whether for general questions, comments or feedback, or for more technical challenges you might be facing. Please make use of our vibrant community here: https://communities.vmware.com/community/vmtn/horizon-cloud-service/horizon-cloud-on-azure/.
I hope that was a good introduction to the basic terminology and the service. In part two of this blog series, I will go through the initial getting started steps, and help identify some of the things that can be done to ensure this is smooth and successful.