Horizon on Google Cloud VMware Engine Configuration


This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of VMware Workspace ONE® and VMware Horizon® solutions. This chapter provides information about common configuration and deployment tasks for VMware Horizon on Google Cloud VMware® Engine. A companion chapter, Horizon on Google Cloud VMware Engine Architecture, provides design guidance.

Prerequisites

Before you begin, you must install and configure the following components:

  • Google Cloud VMware Engine resources assigned to you
  • Google Cloud login
  • VMware Horizon Universal Licensing with access to myvmare.com, required to set up licensing on the Horizon Cloud Connector
  • If deploying Horizon with the All-in-SDDC Architecture:

You should also review the following documentation:

Google Cloud Platform Configuration

This section covers configuration of the Google Cloud Platform (GCP) to prepare for Horizon installation. This information is provided as reference and the official Google docs should be used for your actual configuration.

See the following guides to help you get started with Google Cloud Platform and Google Cloud VMware Engine:

Following are the steps we went through when creating the Reference Architecture environment. Your configuration might vary, this information is provided as reference. Rely on the official Google quick-start guides referenced previously for your actual configuration.

Google Cloud Console

To get to the Google cloud console, where both Google Cloud Platform and GCVE are managed, go to https://console.cloud.google.com/

Create VPC Network

The first step is to create a Virtual Private Cloud which will contain the networks for your implementation. See Google Cloud VPC Networking Overview for more information.

  1. On the GCP Menu, in the Networking section, select VPC Network > VPC Networks.
  2. Click Create VPC Network on the top.
  3. Enter the subnet details to create the VPC network:

Field

Value

Name

**name of network**

Description

**description**

Subnet Creation Mode

Custom

New Subnet > Name

**name of subnet**

New Subnet > Region

**GCP region**

New Subnet > IP Address Range

Example: 10.20.0.0/24 (GW: 10.20.0.1)

New Subnet > Private Google Access

Off

New Subnet > Flow Logs

Off

Dynamic Routing Mode

Regional

Configure VPC / GCVE Private Service Connection

A private service connection must be established between any VPC network that needs access to GCVE (for example, Internal DMZ VPC). Additionally, any subnets created inside of GCVE must be manually allocated to allow communication between the GCP and GCVE environments.

See the following documents for more details:

Graphical user interface, text, application

Description automatically generated

Figure 1: VPC Network Private Service Connection

Important: After you create segments in NSX for the Horizon infrastructure, you must come back to this section and add those subnets for them to communicate with GCP.

Create Firewall Rules in GCP

Note that by default, they are set to deny all. Make sure to set the ports required for Horizon on both the GCVE Firewall and the VPC Firewall.

  1. Navigate to VPC Network > VPC Networks > **VPC network you created**.
  2. Select the Firewall rules tab.
  3. Click Add firewall rule and add a rule for each subnet created in GCVE to allow traffic to flow in and out of GCP. After segments are created in GCVE, new firewall rules in GCP must be added.
  4. Refer to Network Ports in VMware Horizon for required Horizon ports.

Note:  Depending on setup and network requirements, we also recommend creating a firewall rule for the entire range assigned to GCVE. For example, instead of creating multiple /24 rules, create a /22 rule.

See the Google Cloud Platform documentation on setting firewall rules in GCP.

Enable Cloud NAT for Internet Access

Enable Cloud NAT for your VPC to allow internet access. See Using Cloud NAT for details.

Deploy Unified Access Gateway in GCP

In the Federated Architecture of Horizon on GCVE, the Unified Access Gateways (UAG) are in GCP. This prevents Horizon protocol hair-pinning which could happen when the UAG is placed inside the SDDC. This is supported as of UAG 2103. See Deploying Unified Access Gateway on Google Cloud for guidance.

Deploy the Horizon Cloud Connector into GCP

As of Horizon 2103, the Horizon Cloud Connector is supported for installation into GCP using version 1.10 or later. There is a disk.raw version zipped as a tar.gz file. This is a requirement for importing an existing image into GCP. See the Google documentation on importing existing image.

For the latest guidance on sizing the Horizon Cloud Connector when deploying on GCVE, see VMware Horizon Pods with Horizon Cloud Control Plane - Requirements Checklist.

Note: VMware recommends you use the latest version of the Horizon Cloud Connector. Version 2.1.1 or later address a critical vulnerability in Apache Log4j identified by CVE-2021-44228. Please review VMSA-2021-0028 for more details.

After you deploy the cloud connector image, and before you start it up the first time, you will need to create a startup script on the VM to update the hosts files with the names of your connection servers and virtual centers. It should look like the image below. After you have started up the system and bound your cloud connector to the Horizon Control Plane, you can delete the startup script.

Graphical user interface, text, application

Description automatically generated

Figure 2: GCP Startup Script used on first startup of Horizon Cloud Connector

VPC Peering

When a Virtual Private Cloud (VPC) network is created, it is essentially an island. There is no connectivity by default to other VPC networks. We need to use VPC Peering to connect two separate VPC networks and allow them to communicate internally. See the Google documentation on VPC Peering for an overview and Using VCP Network Peering for directions on configuration. We need to use VPC peering in the Federated Architecture to connect the Internal DMZ network used for UAG to the VPC network where the Horizon management components are located. A private service connection between the Internal DMZ VPC and each GCVE SDDC where desktop and RDS capacity will be used. See the networking section of the Horizon on GCVE Architecture document for more details on networking requirements.

Diagram

Description automatically generated with low confidence

Figure 3: Horizon on GCVE Federated Architecture Networking

Google Cloud VMware Engine Configuration

This section covers configuration of the Google Cloud VMware Engine (GCVE) environment to prepare for Horizon installation. This information is provided as reference and the official Google docs should be used for your actual configuration.

To get to the GCVE console:

  1. In the Google Cloud VMware Engine console, browse to Compute in the GCP menu and select VMware Engine.

    Graphical user interface, application

Description automatically generated 
  2. In the GCVE console, select Resources and then select the name of your private cloud.

    Graphical user interface, application

Description automatically generated 
  3. Now, select Summary and make note of the Private Cloud DNS Server addresses, which are required for setting up conditional forwarding.
    Graphical user interface, application

Description automatically generated 

Deploying Multiple GCVE SDDCs

When you deploy additional SDDCs in GCVE make sure to use unique CIDR ranges (a method for IP addresses and routing) for the VMware Management Network. Otherwise with the default settings, each vSphere / NSX server will have the same IP address and you will not be able to use them with Horizon. See How to Create a Private Cloud for details.

Configure DNS

You must define settings on your DNS server for gve.goog pointing to the IP addresses of the Private Cloud DNS servers captured in the previous step, or create a forward lookup zone for gve.goog. This will allow name resolution for the vCenter and NSX appliances.

Single GCVE SDDC:

For this design, you can use a conditional forwarder to have your local DNS server use the DNS servers in the SDDC to do name lookup of management appliances. See Create a Conditional Forwarder for details.

Multiple GCVE SDDCs:

When multiple SDDCs are deployed, you cannot use a conditional forwarder. One way to accomplish the name resolution needed by Horizon is to create a forward lookup zone for gve.goog in the DNS server you are using for your Horizon infrastructure.

 

Figure 4: vCenter and NSX Manager FQDNs in GCVE Admin Console

You would add A records for the fully qualified names and IPs of each vCenter and NSX appliance.

Graphical user interface, application

Description automatically generated

Figure 5: gve.goog forward lookup zone in DNS

See Configuring DNS for vCenter access for more details on the process.

NSX

Networking for your SDDC must be created in the NSX admin console. When you are in the GCVE management console, select vSphere Management Network, and then click the link for the NSX Manager under FQDN.

Graphical user interface, text, application, email

Description automatically generated

Figure 6: NSX Manager FQDN in GCVE Admin Console

  1. Log in to the NSX Manager using the default login credentials:
  • Username: admin
  • Password: VMwareEngine123!
  1. Create segments for Desktops, Management, and Internal and External DMZ.
  2. Enable DHCP on the desktops segment and optionally the management segment.
  3. See the NSX-T Data Center Installation Guide for more information on how this is done.
  4. Update the GCVE Firewall for communication to/from GCP for newly created segments.

vSphere Console

In the same section that the NSX console was launched, you can launch the vSphere console. This is where the Horizon infrastructure is created and managed.

  1. Click the link under FQDN for the VMware vCenter Server® Appliance.

    Graphical user interface, application

Description automatically generated 
  2. Log in to vCenter using the default login:

External Access

Optionally, set up VPN or Cloud Interconnect for backhaul to on-premises. In this reference architecture, we created a VPN connection from GCP back to our on-premises data center. This allowed us to extend our domain into the GCVE environment and provide file server replication via DFS-R for Dynamic Environment Manager.

See the following documents for configuring external access into GCP:

Load Balancing in the All-In-SDDC Architecture

If deploying the All-in-SDDC architecture where all Horizon resources, including the Unified Access Gateways, are located in the GCVE SDDC, there is no way to directly route Horizon protocol traffic from GCP into the SDDC. We need a load balancer in native GCP to forward the protocol traffic from the Internet to the UAGs inside of the GCVE SDDC.

One option is to use the VMware NSX Advanced Load Balancer (Avi) on GCP. The NSX Advanced Load Balancer can integrate with GCP via a cloud integration and perform all these configurations automatically.

See Load Balancing Unified Access Gateway in Horizon Architecture.

Forwarding Traffic to Third-Party Load Balancer in GCP

A third-party load balancer is required inside of GCP to route protocol traffic into the SDDC. It can be any type of load balancer which does HTTP, Layer 4, and Layer 7 load balancing. If the load balancer does not have integration with GCP like the NSX Advanced load balancer does, some manual steps are required to forward the external IP address into the load balancer. The GCP Load Balancer needs to be configured to forward TCP and UDP from the public IP address that is tied to your FQDN to the third-party load balancer. These steps are detailed below.

Create Static External IP Address

First, we will create a static external IP address inside the GCP VPC networking. This IP will be used by the load balancer and should be assigned a public DNS entry for users to connect to desktop resources. For example, gcve-horizon.vmweuc.com.

  1. Go to VPC network > External IP Addresses.

    Graphical user interface, application

Description automatically generated 
  2. Note the External IP address. You will need it in the next steps.

Create Load Balancer in GCP

We will now create a load balancer in GCP that will be used to forward external traffic (TCP/UDP) from the external IP address to our third-party load balancer. We cannot use the GCP load balancer for systems inside GCVE, so we need to use the third-party load balancer.

Before you perform this step, your third-party load balancer should be installed into native GCP.

  1. Navigate to Networking > Network Services in the GCP Console.
  2. Select Load Balancing.
  3. Navigate to the Advanced Menu.

    Graphical user interface, text, application, email

Description automatically generated 

Create Target Pool

  1. Create a target pool to put the third-party load balancer into.

    A screenshot of a computer

Description automatically generated with medium confidence 
  2. Configure the target pool by providing the following information:
    Graphical user interface, text, application, email

Description automatically generated 
  • Provide a name and description.
  • Select the GCP region where your load balancer is located.
  • Select No health check.
  • Select None for session affinity.
  • Add your existing load balancer instances from GCP into the pool (can be multiple).
  • Select None for Backup pool.
  • Click Create.

Create TCP Forwarding Rule

We will now create forwarding rules, to forward TCP and UDP traffic from the external IP address to the pool we just created.

  1. Click Create Forwarding Rule to start creating the TCP forwarding rule.

     
  2. Configure the TCP forwarding rule by providing the following information:

    Graphical user interface, text, application, email

Description automatically generated 
  • Enter a name and description (add the protocol being forwarded).
  • Select the region where your load balancers are.
  • Select the external IP you created earlier.
  • Select the protocol as TCP.
  • Leave Port/range blank to forward all rules.
  • Select the target pool you created in the previous step containing your load balancer(s).

Create UDP Forwarding Rule

  1. Create a second forwarding rule for UDP.
  2. Enter a name and description and include UDP in the name.
  3. Select the region where your load balancers are located.
  4. Select the external IP you created earlier.
  5. Select UDP as the protocol.
  6. Leave the Port range blank to forward all UDP traffic.
  7. Select the pool you created earlier containing your load balancers.
     
  8. Review the load balancer forwarding rules that were created.

Review Load Balancer and External IP

If you select Load Balancing, you will see a new TCP/UDP load balancer created to forward external traffic to your load balancers.

  1. Navigate to VPC network > External IP Addresses.

    Graphical user interface, text, application, email

Description automatically generated 
  2. Review the External IP Address you just created for the load balancer created in GCP. It will now have the forwarding rules attached to it for TCP and UDP.

     

Load Balancing in the Federated Architecture

In the Federated Architecture, the Google Load Balancer can be used to load balance the Unified Access Gateway appliances. There is no need for a third-party load balancer like in the All-in-SDDC Architecture.

Create Static External IP Address

First, we will create a static external IP address inside the GCP VPC networking. This IP will be used by the load balancer and should be assigned a public DNS entry for users to connect to desktop resources. For example, desktops.company.com.

  1. Go to VPC network > External IP Addresses.

    Graphical user interface, application

Description automatically generated 
  1. Note the External IP address. You will need it in the next steps.

Create Load Balancer in GCP

We will now create a load balancer in GCP that will be used to forward external traffic (TCP/UDP) from the external IP address to our third-party load balancer.

Before you perform this step, your third-party load balancer should be installed into native GCP.

  1. Navigate to Networking > Network Services in the GCP Console.
  2. Select Load Balancing.
  3. Navigate to the Advanced Menu.

    Graphical user interface, text, application, email

Description automatically generated 

Create Target Pool

We now need to create a target pool to put the Unified Access Gateways into.

  1. Click Create Target Pool.

    A screenshot of a computer

Description automatically generated with medium confidence 
  2. Configure the target pool by providing the following information:
     
  • Provide a name and description.
  • Select the GCP region where your load balancer is located.
  • Select Create Another Health Check (See Create Health Check).
  • Select Client IP for session affinity.
  • Add your existing Unified Access Gateway appliances from GCP into the pool.
  • Select None for Backup pool.
  • Click Create.

Create Health Check

To create a Health Check for Unified Access Gateways:

  1. Provide the following information:

  • Enter a name and optional description.
  • Select HTTP for the Protocol.
  • Set the Port as 80.
  • Set the Request Path as /favicon.ico.
  • Leave the defaults for Heath criteria.

Important:  You will need to update each UAG appliance to use the http health check under System Configuration.
Graphical user interface, application

Description automatically generated 

Figure 7: Health Check Configuration on Unified Access Gateway

Create TCP Forwarding Rule

We will now create forwarding rules to forward TCP and UDP traffic from the external IP address to the pool we just created.

  1. Click Create Forwarding Rule to create the TCP forwarding rule in GCP.

    A screenshot of a computer

Description automatically generated with medium confidence 
  2. Configure the forwarding rule in GCP by providing the following information:

    Graphical user interface, text, application, email

Description automatically generated 
  • Enter a name and description (add the protocol being forwarded).
  • Select the GCP region where your UAG appliances are located.
  • Select the external IP you created earlier.
  • Select the protocol as TCP.
  • Leave Port/range blank to forward all rules.
  • Select the target pool you created in the previous step containing your UAG appliances.

Create UDP Forwarding Rule

  1. Create a second forwarding rule for UDP.
  2. Enter a name and description and include UDP in the name.
  3. Select the GCP region where your UAG appliances are located.
  4. Select the external IP you created earlier.
  5. Select UDP as the protocol.
  6. Leave the Port range blank to forward all UDP traffic.
  7. Select the pool you created earlier containing your UAG appliances.
  8. Review the load balancer forwarding rules that were created.

     

Review Load Balancer and External IP

If you select Load Balancing, you will see a new TCP/UDP load balancer created to forward external traffic to your UAG appliances.

  1. Navigate to VPC network > External IP Addresses and review the External IP Address you just created.

    A screenshot of a computer

Description automatically generated with medium confidence 
  2. It will now have the forwarding rules attached to it for TCP and UDP.

     

Inventory

This section includes the inventory of the All-in-SDDC architecture and Federated architecture.

All-In-SDDC Architecture

This section provides the inventory of infrastructure installed in the Reference Architecture lab, deployed both inside native Google Cloud Platform and inside GCVE SDDC, for All-in SDDC architecture.

Deployed inside native Google Cloud Platform:

Component

Version

Operating System

Number Deployed

NSX Advanced Load Balancer (Avi)

Controller

20.1.2

CentOS 7.5 (Docker)

1

NSX Advanced Load Balancer (Avi)

Service Engine

20.1.2

Appliance

2

Deployed inside GCVE SDDC:

Component

Version

Operating System

Number Deployed

Horizon Connection Server

Version 8 (2006)

Windows Server 2019

2

Unified Access Gateway

2006

Appliance

2

App Volumes Managers

Version 4.1 (2006)

Windows Server 2019

2

Horizon Cloud Connector

1.8

Appliance

1

Workspace ONE Access Connector

19.03

Windows Server 2019

1

Microsoft SQL Server

2016

Windows Server 2019

1

File Server

-

Windows Server 2019

1

Domain Controller

-

Windows Server 2019

1

Federated Architecture

This section provides the inventory of infrastructure installed in the Reference Architecture Lab deployed inside native Google Cloud Platform for federated architecture.

For instruction on deploying Windows Server VMs into Google Cloud Platform see Create a Windows Server VM instance in Compute Engine.

Deployed inside native Google Cloud Platform:

Component

Version

Operating System

Number Deployed

Horizon Connection Server

Version 8 (2103)

Windows Server 2019

3

Unified Access Gateway

2103

Appliance

3

App Volumes Managers

Version 4.4 (2103)

Windows Server 2019

3

Horizon Cloud Connector

1.10

Appliance

2

Workspace ONE Access Connector

19.03

Windows Server 2019

1

Microsoft SQL Server
(App Volumes)

2016

Windows Server 2019

1

PostgreSQL Server
(Horizon Events Database)

12.6

Windows Server 2019

1

File Server

-

Windows Server 2019

1

Summary and Additional Resources

Now that you have come to the end of this configuration chapter on Horizon on Google Cloud VMware Engine, you can return to the landing page and use the tabs, search, or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters give design guidance on the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of products, components, and services you need to create the platform capable of delivering the services that you want to deliver to your users.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Workspace ONE, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Management, and more.

Additional Resources

For more information about VMware Horizon on Google Cloud VMware Engine, you can explore the following resources:

Changelog

The following updates were made to this guide:

Date

Description of Changes

2023-07-25

  • Added this Summary and Additional Resources section to list changelog, authors, and contributors within each design chapter.

Author and Contributors

This chapter was written by:

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.


Associated Content

home-carousel-icon From the action bar MORE button.

Filter Tags

Horizon Horizon Document Reference Architecture Advanced Deploy Windows Delivery