This article, Horizon Cloud Service Next-Generation DaaS Architecture, was originally published at the VMware Digital Workspace Tech Zone Blog.
VMware recently announced Limited Availability for the Horizon Cloud next-generation DaaS architecture platform. After three years of development, the new platform is ready for customers to use. This multi-part blog series explains some of the new components we’ve built and why we built them.
Comparing Current with New Deployment Architecture
Historically, customers were responsible for hosting all the Horizon infrastructure components. With the introduction of the Horizon Control Plane, a VMware-hosted and VMware-managed service, we began moving certain components out of the customer's area of responsibility. This shift makes upgrading to newer releases easier and improves the user experience, while fulfilling our hybrid and multi-cloud vision.
Horizon Cloud on Microsoft Azure – current architecture
Horizon Cloud on Microsoft Azure was built to automatically deploy all the critical Horizon components from a SaaS platform into your own Microsoft Azure subscription. In this design, you give the Horizon Cloud Control Plane the ability to deploy a Horizon Cloud on Microsoft Azure pod on your behalf into your Microsoft Azure subscription.
Horizon Cloud provides a single cloud control plane, run by VMware. This enables the central orchestration and management of remote desktops and applications in your Microsoft Azure capacity, in the form of one or multiple subscriptions in Microsoft Azure.
VMware hosts the Horizon Cloud control plane and provides feature updates and enhancements for a software-as-a-service experience. The cloud control plane also hosts a common management user interface called the Horizon Universal Console, also known as the Administration Console. The Administration Console provides a single location for management tasks involving user assignments, virtual desktops, RDSH-published desktop sessions, and applications. This service is currently hosted in multiple Azure regions. The Administration Console is accessible from anywhere at any time, providing maximum flexibility.
Expanding capacity
Expanding capacity with Horizon Cloud on Microsoft Azure today is straightforward. Each Horizon Cloud on Microsoft Azure pod supports up to 2,000 VMs. To handle larger user environments, you can deploy multiple Horizon Cloud pods.
While this architecture follows a similar model to a Horizon 7 or Horizon 8 deployment, it requires the infrastructure components to be duplicated per pod. Customers with larger environments therefore have to monitor and manage the configuration state of multiple pods.
New architecture for Horizon Cloud on Microsoft Azure
Horizon Cloud on Microsoft Azure has changed a lot since its introduction in 2017. When Horizon Cloud on Microsoft Azure was first introduced, we had a very strict definition of what a “pod” looked like. This was based on the idea that simplicity would reduce complexity and make upgrading of Horizon infrastructure components simpler. Over the years, pod deployments have become more complex to accommodate modern infrastructure architectures that our customers typically implement in Microsoft Azure.
The new platform is built on five foundational components:
- Simplified Management – The new UI offers improved administrative workflows, built around larger scale deployments. Search as a function is now front and center. Guided workflows are built into the UI, and entitlements have been reworked to be inventory-based.
- Rapid Scale – A top-down, simplified architecture that reduces the amount of Horizon infrastructure components running in customer environments to a minimum.
- Advanced Automation – This is an API-based platform designed for automation and customization. The new platform was built from the start around a public API, so anything the UI does can also be driven programmatically. Those APIs are published on the new VMware Developer Documentation site.
- Multi-cloud experience – We have built the ability to mix and match infrastructure-based capacities in the same Horizon pools. We are starting with support for native Microsoft Azure capacity first and will add others afterwards.
- Improved visibility and troubleshooting – Telemetry and user experience data aggregated at the edge and made available through Workspace ONE Intelligence.
Horizon Cloud – next-gen constructs
The new platform architecture takes a more modern approach, while incorporating lessons learned over the past few years. It allows us to abstract more functional components from the Horizon pod and transform them into shared services running in a cloud platform.
A Horizon Edge is where the product’s cloud-based infrastructure ends, and the customer capacity infrastructure begins. A Horizon Edge is a deployment into a single region or physical location that contains the necessary resources required to deliver desktops and applications to end users.
The Horizon Gateway Appliances – the Horizon Edge Gateway and the Unified Access Gateways (UAG) – deploy as part of the Horizon Edge Deployment and reside in the customer’s environment. The Gateway Appliances are considered VMware Managed Service Components, in which VMware is responsible for the overall management and delivery of the components as part of the service offering.
A Provider is a unit of infrastructure capacity on a given hypervisor or cloud platform that Horizon Cloud next-gen can use to fulfill capacity expansion. In the case of Microsoft Azure, a Provider is a Microsoft Azure subscription. Customers bring their own Providers for use with the service (BYO). Eventually, you will be able to choose different Provider types to supply the resource capacity needed to provision and deliver desktops and applications to end users.
A Site is a logical construct that assumes a single location for user capacity. You can set up pools of capacity in a single site for users to consume from.
A single Horizon Edge can support multiple Providers to scale the number of supported VMs, using what we call “Scalable Building Blocks.” However, all Providers attached to one Edge must be of the same Provider Type, for example all Native Azure or all VMware SDDC.
We moved critical functions such as brokering and the application database services, along with the configuration state and metadata of the appliances, into the Horizon Control Plane. We also moved the components that provide App Volumes and Workspace ONE functionality into the cloud service. This is what allows the simplified, thin-edge architecture, which demands less customer-hosted infrastructure to operate and manage.
Horizon Edge Components
A Horizon Edge Deployment contains multiple virtual components:
- Microsoft Azure VNet – The network location into which the Horizon Edge components are deployed
- Microsoft Azure Load Balancer(s) – Used to balance user traffic to capacity via the Unified Access Gateways
- Unified Access Gateways (VM) – Manage user access to Horizon
- Horizon Edge Gateway (VM) – Manages Horizon user capacity and SSO
The Horizon Edge Gateway appliance has multiple features:
- Runs its services as containers on Kubernetes
- Allows VMware to manage the UAGs in customer capacity on behalf of the customer, including monitoring of the UAGs
- Provides capacity resource monitoring and management, along with monitoring of single-session VDI desktops and multi-session application and desktop session hosts
- Handles end-user authentication services (embedded True SSO module) – This allows the service to communicate with the customer’s Active Directory instance for single sign-on to Windows, and handles the domain-join operations that establish the VMs’ machine identities
Unified Access Gateways appliances are also a part of each Horizon Edge:
- A single group of UAGs that supports internal and/or external users
- Provides a secure protocol proxy and end-user authorization to access desktops and apps
That leaves user capacity, which is composed of pools of single-session VDI desktops and multi-session application and desktop session hosts. A pool can span multiple Providers, as long as they are of the same Provider Type.
Each Horizon Edge can manage up to 20,000 virtual machines, and larger or multi-site deployments can leverage multiple Horizon Edges.
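To make the Edge and Provider rules above concrete, here is an added Python example. It is not VMware code and does not use the Horizon Cloud API; it simply models Providers and Edges and packs Providers into Edges under the two constraints this post states: every Provider attached to one Edge shares a Provider Type, and one Edge manages at most 20,000 VMs. The Provider names, subscription labels and per-Provider VM counts are constructed sample data, and the greedy largest-first packing is my own illustration of how the constraints interact, not a description of how the service assigns capacity.

```python
"""Capacity planner for the Horizon Cloud next-gen constructs (Edges and Providers).

Constants taken from the article: one Horizon Edge manages up to 20,000 VMs,
and all Providers on one Edge must share a Provider Type. Everything else
(provider names, VM counts, the packing strategy) is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

EDGE_VM_LIMIT = 20_000  # per-Edge ceiling stated in the article


@dataclass(frozen=True)
class Provider:
    """One unit of capacity, e.g. a single Azure subscription."""
    name: str
    provider_type: str  # e.g. "native-azure" or "vmware-sddc"
    vm_capacity: int    # VMs this Provider can host (constructed figure)


@dataclass
class HorizonEdge:
    """A Horizon Edge: one region/location, zero or more Providers of one type."""
    name: str
    providers: List[Provider] = field(default_factory=list)

    @property
    def provider_type(self) -> Optional[str]:
        return self.providers[0].provider_type if self.providers else None

    def total_capacity(self) -> int:
        return sum(p.vm_capacity for p in self.providers)

    def add_provider(self, provider: Provider) -> None:
        """Attach a Provider, enforcing the same-type and 20,000-VM rules."""
        if self.providers and provider.provider_type != self.provider_type:
            raise ValueError(
                f"{self.name}: cannot mix {provider.provider_type!r} with "
                f"{self.provider_type!r} on one Edge"
            )
        if self.total_capacity() + provider.vm_capacity > EDGE_VM_LIMIT:
            raise ValueError(
                f"{self.name}: adding {provider.name} would exceed {EDGE_VM_LIMIT} VMs"
            )
        self.providers.append(provider)


def plan_edges(providers: List[Provider], site_prefix: str = "site-a-edge") -> List[HorizonEdge]:
    """Group Providers into Edges, one Provider Type per Edge, <= 20,000 VMs each.

    Providers are bucketed by type and packed largest-first into the first Edge
    of matching type with room; a new Edge is opened when none fits.
    """
    edges: List[HorizonEdge] = []
    by_type: Dict[str, List[Provider]] = {}
    for p in providers:
        by_type.setdefault(p.provider_type, []).append(p)

    for ptype, group in sorted(by_type.items()):
        for p in sorted(group, key=lambda x: x.vm_capacity, reverse=True):
            if p.vm_capacity > EDGE_VM_LIMIT:
                raise ValueError(f"Provider {p.name} alone exceeds one Edge's {EDGE_VM_LIMIT} VMs")
            for edge in edges:
                if edge.provider_type == ptype and edge.total_capacity() + p.vm_capacity <= EDGE_VM_LIMIT:
                    edge.add_provider(p)
                    break
            else:  # no existing Edge of this type has room: open a new one
                edge = HorizonEdge(f"{site_prefix}-{len(edges) + 1}")
                edge.add_provider(p)
                edges.append(edge)
    return edges


# Constructed sample data, not figures from the article.
SAMPLE_PROVIDERS = [
    Provider("azure-sub-prod-01", "native-azure", 9_000),
    Provider("azure-sub-prod-02", "native-azure", 8_000),
    Provider("azure-sub-prod-03", "native-azure", 6_000),
    Provider("sddc-dc1", "vmware-sddc", 5_000),
]

if __name__ == "__main__":
    for edge in plan_edges(SAMPLE_PROVIDERS):
        members = ", ".join(p.name for p in edge.providers)
        print(f"{edge.name}: {edge.provider_type}, {edge.total_capacity()} VMs [{members}]")
```

With the sample data the three Azure subscriptions cannot all share one Edge (23,000 VMs would exceed the ceiling), so the planner opens a second Azure Edge, and the VMware SDDC Provider lands on a third Edge because it cannot be mixed with Native Azure capacity.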
Identity Handling
Many organizations have adopted modern identity architectures, and the Horizon Cloud next-gen platform was built to support them out of the box. Instead of requiring Active Directory for user identity, we have separated the User Identity component of the service from Machine Identity. You can use Azure Active Directory, or Workspace ONE Access in front of Active Directory, as your user identity provider. Each of these IdPs allows integration with third-party products and solutions to provide multi-factor authentication (MFA) and SSO capabilities.
More to come!
Horizon Cloud Service next-gen is currently in Limited Availability. Stay tuned for more details on this new platform by keeping an eye on the VMware End-User Computing Blog and Tech Zone over the next few months.
Additional Resources
Check out these VMware blogs for more information: