Project Contributions by:
HPE – Deepak Ashwath, Doug Hart, Sandeep Goli
VMware – Bhumik Patel, Pranay Bakre, Prashant Bhushan
HPE & VMware have a number of joint customers running large scale virtual desktops and applications to enable wide range of digital workspace initiatives. Some of these initiatives include traditional use cases such as providing remote access to employees, enabling task users to access virtualized applications efficiently, providing developers access to multiple desktop profiles and so on. It also includes use cases that enable power users and designers to leverage GPU based virtual desktops or have field users access desktops over low bandwidth and high latency scenarios, and leverage VDI as a service.
In majority of these use case deployments, the top two design considerations we come across are around security and performance:
- How do I securely deliver my virtual desktops and applications to support these varying number of use cases within my organization?
- How should I design and implement the end-to-end solution so that the performance exceeds end user requirements?
In this joint HPE and VMware reference architecture, we are providing design guidance and architecture for delivering secure and scalable VMware Horizon based virtual desktops and applications with VMware NSX on HPE Synergy and 3PAR platform.
First, let’s look at security with virtual desktops. When you have hundreds or thousands of VDI instances deployed in the data center, there are new security considerations to be made that are not handled by traditional networking devices efficiently. This includes securing east-west traffic amongst these VDI and Remote Desktop Session Host (RDSH) instances and ensuring that these VDI and RDSH instances are not compromised and used as a launch pad into attacking other parts of the infrastructure. Leverage ACLs, and VLAN based isolation on top of the rack switches to secure these east-west flows becomes complicated, ineffective and costly very quickly.
With VMware NSX, multiple security services can be provided for virtual desktops. This includes micro-segmentation policies for protecting VDI infrastructure, securing desktop to desktop & desktop to enterprise application traffic and providing user-based access control. In addition, load balancing for Horizon connection servers is provided by NSX Edge Gateway. These use cases are documented in VMware product documentation here.
The figure below showcases the solution architecture layout as implemented at HPE labs. In this architecture, VMware Horizon is hosted on HPE Synergy compute platform and HPE 3PAR storage. One of the key benefits of leveraging HPE Synergy composable architecture for hosting VDI desktops is the ability to compose compute nodes dynamically. With HPE Image streamer, new compute nodes are readily available to add to the VDI cluster as the environment needs to grow. In addition, HPE OneView provides consolidated management and ties the physical infrastructure insights into the virtual environment by means of the OneView vCenter plugin.
Below figure showcases NSX logical design which consists of two blocks – Horizon Management block hosting all infrastructure components and a Resource block hosting VDI and RDSH desktops. VMs in both the blocks are deployed on respective VXLAN based logical switches. VM communication within each block happens via their respective Distributed Logical Router (DLR) which has an uplink to their respective VMware NSX Edge Services Gateways (ESGs) for north-south communication using Border Gateway Protocol (BGP).
Following NSX security policies are designed and implemented to provide comprehensive security to an enterprise grade VDI and RDSH environment:
Name | Source | Destination | Service | Action | AppliedTo |
External Horizon client to Unified Access Gateway (UAG)
|
Any | Unified Access Gateway (UAG)
|
Security Group (SG)-Horizon7-UAG (TCP:443)
|
Allow
|
Distributed Firewall
|
Internal Horizon Client to View Connection Server
|
Any | View Connection Server
|
Horizon 7 HTTP/HTTPS Horizon Client to View Connection Server (TCP: 80, 443)
|
Allow
|
Distributed Firewall
|
Infrastructure – View Connection Server to View Connection Server
|
View Connection Server | View Connection Server | Horizon View 7 Connection Server (TCP: 4100, 4101)
|
Allow
|
Distributed Firewall
|
Internal – Horizon Client to Horizon Agent
|
Any | Horizon 7 VDI
Horizon 7 RDSH |
Horizon 7 Blast Extreme TCP Horizon Client to Horizon Agent (TCP: 22443)
Horizon 7 Blast Extreme UDP Horizon Client to Horizon Agent (UDP: 22443) Horizon 7 RDP Horizon Client to Horizon Agent (TCP: 3389)
|
Allow
|
Distributed Firewall
|
Internal – Browser to Horizon Agent HTML
|
Any | Horizon 7 VDI
Horizon 7 RDSH |
Horizon 7 Browser to Horizon Agent HTML Access (TCP: 443) | Allow
|
Distributed Firewall
|
Desktops – Horizon Agent to View Connection Server
|
Horizon 7 VDI
Horizon 7 RDSH |
View Connection Server
|
Horizon 7 Horizon Agent to View Connection Server (TCP: 4001)
|
Allow
|
Distributed Firewall
|
Desktops – Block VDI to VDI
|
Horizon 7 VDI
Horizon 7 RDSH
|
Horizon 7 VDI
Horizon 7 RDSH |
Any
|
Block
|
Distributed Firewall
|
In addition to the above micro-segmentation policies, VMware NSX enables identity based micro-segmentation for desktops via active directory memberships. In addition, RDSH context-aware micro-segmentation enables filtering of users logging into the same RDSH host and to configure granular security policies. These use cases are documented here for further details.
Now let’s look at scalability and performance of VDI and RDSH instances. As shown in the chart below, customers can achieve linear scalability while hosting VMware Horizon on HPE Synergy 480 Gen10 servers with 3PAR storage. In this reference architecture, single server and six node scalability is conducted using Login VSI simulating realistic end-user applications. These sessions are achieved while keeping the end user performance exceptional as measured by the Login VSI testing methodology.
For more details on the security design policies, performance results and methodologies used and details on the hardware and software BOM, please refer to this reference architecture
Follow me @bhumikp