Horizon on VMware Cloud on AWS Configuration


This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of VMware Workspace ONE® and VMware Horizon® solutions. This chapter provides information about deployment and configuration of VMware Horizon on VMware Cloud on AWS. It is not intended to replace the product documentation, but to reference and supplement it with additional guidance.

Deploying Horizon on VMware Cloud on AWS

This chapter covers specific information for deploying and configuring Horizon on VMware Cloud on AWS. For more general information on deploying and configuring Horizon, see Horizon Configuration.

The recommendation for a production environment is to use a minimum of three hosts in a cluster. Using a single host is recommended only for testing because with a single host, there is no HA. By default, a single-node SDDC gets deleted after 30 days.

To deploy Horizon on VMware Cloud on AWS:

  1. Create an SDDC instance on VMware Cloud on AWS. See the VMware Cloud on AWS documentation.
  2. Deploy Horizon 8 or Horizon 7.5 or later on VMware Cloud on AWS.
  3. Set up the Horizon environment on VMware Cloud on AWS.

SDDC Preparation

Create an SDDC instance on VMware Cloud on AWS and set up the required networking. See the VMware Cloud on AWS documentation for more details.

Provision an SDDC

  1. Using a browser, go to https://vmc.vmware.com.
  2. Select Create SDDC and choose the region, deployment model, SDDC name, and number of hosts.
  3. When prompted, select your AWS account and the VPC and subnet to use with this SDDC.
  4. Define a management subnet for the vCenter Server, NSX Manager, and ESXi hosts.
  5. Finish by selecting Deploy SDDC.

Create Network Segments

Network segments can be added using the VMware Cloud admin console:

  1. View Details of the SDDC.
  2. Select Networking & Security > Network > Segments.
  3. Under Segment List, select Add Segment.
  4. Add segments for the following networks, defining a Segment Name and Subnet. The Type should be left as the default Routed.
  • Add segments for External-DMZ, Internal-DMZ, Horizon-Management, VDI, and RDSH.
  • For the VDI and RDSH segments, also launch and complete the Set DHCP Config wizard.

Other Networking Configuration

  • Create security groups.
  • Set firewall rules.
  • Configure DNS.
  • Request public IP addresses.

Create Resource Pools

Two vSphere resource groups are automatically created when the SDDC is created. It is recommended that the Compute-Resource Pool has child resource pools created in it to allow prioritization of the management servers and desktops/ RDS Hosts.

In the vSphere Client:

  1. Click Menu and select Hosts and Clusters.
  2. Browse to and expand vCenter > SDDC-Datacenter > Cluster-1 > Compute-ResourcePool.
  3. Right-click and select New Resource Pool.
  4. Create two new resource pools for Horizon-Management and Horizon-User.

See Managing Resource Pools for more information.

Window Server Template

To facilitate the creation of Windows servers for the various Horizon management components, either import an existing vSphere VM template or create a new VM and convert it to a template.

  • Upload VM template or Windows Server ISO.
  • Import customization specifications.

Horizon Deployment

When you set up the Horizon environment on VMware Cloud on AWS, you must install and configure the following components:

  • Install Active Directory, DNS, DHCP, and KMS servers.
  • Optionally, install RDS license servers.
  • Install Horizon Connection Servers.
  • Register the SDDC vCenter Server.
  • Install Unified Access Gateway appliances.

Connection Server

With Horizon 8, when deploying the first Connection Server in the SDDC, make sure to choose AWS as the deployment type. This sets the proper configuration and permissions on the Connection Server and Virtual Center.

Figure 1: Choose the Horizon Deployment Location

Deploy the Connection Servers to the following locations:

  • Folder = Workloads
  • Compute resource = SDDC-Datacenter > Cluster-1 > Compute-ResourcePool > Horizon-Management
  • Storage = WorkloadDatastore

Horizon 8 and Horizon 7.5 and later are supported on VMware Cloud on AWS. For details, see the Knowledge Base article: Horizon on VMware Cloud on AWS Support (58539).

vCenter Server

When registering the vCenter Server with the Horizon Connection Servers, use cloudadmin@vmc.local for the vCenter Server credential username.

If using a single-node vSphere cluster (usually for a proof of concept), you will need to modify the vSAN VM storage policies to “No data redundancy.” These policies are automatically created when the first desktop pool or RDS Farm is deployed.

Figure 2: vSAN Storage Policies for Horizon

Unified Access Gateway

Deploy the Unified Access Gateway appliances and register them with the Connection Servers if your deployment supports remote users.

Deploy the Unified Access Gateway appliance to the following locations:

  • Folder = Workloads
  • Compute resource = SDDC-Datacenter > Cluster-1 > Compute-ResourcePool > Horizon-Management
  • Storage = WorkloadDatastore

Use Unified Access Gateway version 3.3 or later.

Instant Clones

When you install and configure Horizon for instant clone for deployment on VMware Cloud on AWS, do the following:

  • CBRC is not supported or needed on VMware Cloud on AWS. CBRC has been turned off by default.
  • On the golden image VM, add the domain’s DNS to avoid customization failures.

When creating Horizon instant-clone pools on VMware Cloud on AWS, use the following settings in the provisioning wizard:

  • Folder = Workloads
  • Compute resource = SDDC-Datacenter > Cluster-1 > Compute-ResourcePool > Horizon-User
  • Storage = WorkloadDatastore

Firewall Rules

The firewall service on VMware Cloud on AWS is based on NSX-T and provides both Distributed (Micro-segmentation) and Gateway Firewall Services.

To simplify the management of Gateway Firewall VMware recommend using Groups (located under Networking & Security -- Inventory) both for Compute and Management.

  • Pre-create groups for your on-premises vSphere managements components, VDI components, and applications to be accessible from VMware Cloud on AWS.
  • Do the same for VDI components deployed on VMware Cloud on AWS. Groups for vSphere management components are already pre-created by VMware. While creating a group, you need to specify IP addresses using CIDR notation.
  • You can include a single host as a member by specifying /32 mask or a continuous range of IPs using relevant CIDR (such as /24 to include all IPs within a 24-bit subnet).

Note: Default behavior of both Management and Gateway Firewall is set to deny all traffic not explicitly enabled.

You can run the Firewall Rule Accelerator in VMware Cloud on AWS for all VPNs to create all the required firewall rules.

Management Gateway Firewall Rules

At minimum, you need to enable the traffic flow between the Horizon management components, such as the Connection Servers, and the SDDC provided vCenter and ESXi hosts in VMware Cloud on AWS.

Note: There are a predefined set of services that you can use while configuring rules for the Management Gateway Firewall. You cannot add or modify theses services. Each group (ESXi hosts, vCenter, and so on) has its own set of services.

You can achieve this by creating the following rules:

Table 1: Management Gateway Firewall Rules for Horizon Connectivity to vSphere

Name

Sources

Destinations

Services

Action

ESXi Inbound

Horizon Management Servers

ESXi

Provisioning & Remote Console

ICMP All

VMware VMotion

HTTPS

Allow

vCenter Inbound

Horizon Management Servers

vCenter

SSO

ICMP ALL

HTTPS

Allow

Compute Gateway Firewall Rules

The Compute Gateway Firewall runs on the SDDC router (Tier 0) and provides firewalling for the Compute Gateway and the network segments defined on it. You will need a rule to allow Horizon connections into the External DMZ network segment and the Unified Access Gateways. You will also probably want to add a rule to allow the virtual desktops or published applications to access the internet.

Table 2: Compute Gateway Firewall Rules

Name

Sources

Destinations

Services

Applied To

Action

External DMZ Inbound

Any

External-DMZ-Segment

HTTP

HTTPS

Blast

PCoIP

Internet Interface

Allow

Outbound Internet Access

VDI-Segment

Horizon Management-Segment

Any

HTTP

HTTPS

DNS

DNS-UDP

Internet Interface

Allow

What’s Next?

Now that you have come to the end of this chapter, you can return to the landing page and search or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters explore the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon, App Volumes Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of components and services you need to create the platform capable of delivering what you want.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Horizon, App Volumes, Dynamic Environment Management, and more.

Associated Content

From the action bar MORE button.

Filter Tags

Horizon Horizon Document Reference Architecture Advanced Deploy Windows Delivery