Using Elastic Load Balancing for Horizon 7 on VMware Cloud on AWS Deployments
By Andrew Kloman, Partner Solutions Architect at AWS
VMware Cloud on AWS provides the enterprise capabilities of VMware’s Software-Defined Data Center (SDDC), including compute, storage, and networking, delivered as a service on Amazon Web Services (AWS). Horizon 7 securely delivers desktops and applications through a single platform.
With Horizon 7 on VMware Cloud on AWS, customers can enjoy the agile, flexible consumption models and management of the AWS Cloud. This is great for temporary desktop and application capacity, application locality, data center expansions, proof of concept (POC), and disaster recovery (DR) use cases.
In this post, I’ll provide guidance on how customers looking to deploy Horizon 7 on VMware Cloud on AWS can make use of Amazon Route 53 and Elastic Load Balancing to provide greater scalability, availability, and fault tolerance.
Figure 1 – Diagram of a hybrid VMware Horizon 7 CPA using AWS services.
In the diagram above, it’s important to note the following items:
- A hybrid cloud environment with a single or multiple on-premises data center and AWS Region(s).
- A Horizon 7 environment, leveraging Cloud Pod Architecture (CPA) across the on-premises data center(s) and the VMware Cloud on AWS Region(s).
- VMware Cloud on AWS is connected to the customers’ AWS account via a VMware Cloud Embedded Networking Interface (ENI).
- Microsoft Active Directory deployed within VMware Cloud on AWS and/or Amazon Elastic Compute Cloud (Amazon EC2) and/or using AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD).
- Amazon Route 53 directing user traffic to resources on-premises, or different AWS regions.
- Elastic Load Balancing directing user traffic to the multiple Unified Access Gateways (UAGs) within a single or multiple Availability Zones (AZs).
Update: Alternate Amazon EC2 Deployment Architecture
Customers looking to deploy Horizon 7 to more than one SDDC on VMware Cloud on AWS can use the Alternate Amazon EC2 deployment architecture.
Given that each SDDC has a single compute gateway, customers are seeing ~2,000 VMs or user connections per SDDC. To learn more, check out this blog post on Connectivity Options for VMware Cloud on AWS Software Defined Data Centers.
The Alternate Amazon EC2 deployment architecture keeps the desktop images running on VMware Cloud on AWS to keep a consistent desktop image between on premises and within AWS using VMware’s ESXi Hypervisor, but moves the Unified Access Gateway and connection servers to Amazon EC2.
Having these deployed on Amazon EC2 provides scalability to multiple SDDCs. With multiple SDDCs, customers are able to deploy more than ~2,000 VMs or user sessions with a deployment.
Connection servers are deployed and configured the same way, just deployed on Amazon EC2. Customers can now also deploy the UAG using this deployment guide created by VMware.
Figure 2 – Hybrid VMware Horizon 7 CPA using the Alternate Amazon EC2 deployment architecture.
In the diagram above, it’s important to note the following differences from Figure 1:
- Unified Access Gateways and connection servers have been moved to Amazon EC2 instances within the customer’s Virtual Private Cloud (VPC).
- UAG deployment guide.
- Connection server guide.
- Connection server configuration will be the same, except the communication flow to the management gateway (vCenter servers) will flow from the customer VPC. Please make sure the firewall configuration for the management gateway is configured correctly to support this.
Configuring a Horizon 7 Pod
To get started with deploying Horizon 7 with VMware Cloud on AWS, see Deploying Horizon 7 on VMware Cloud on AWS. Within this guide, you can learn about and deploy Horizon 7 Pod on VMware Cloud on AWS.
Once you have deployed and installed the Horizon 7 Pod into your VMware Cloud on AWS SDDC, you will need to configure Horizon 7 to communicate with VMware Cloud on AWS.
VMware Cloud on AWS provides customers with access to the vSphere web client, vCenter Server, API Explorer, PowerCLI Connect, and the vCenter FQDN.
Configuring Horizon 7 to deploy desktop pools on VMware Cloud on AWS is as simple as configuring the vCenter Servers with the connection servers, and doing so for the VMware Cloud on AWS-provided vCenter FQDN. The step-by-step configuration can be found in section 14 of the deployment guide from VMware.
Figure 3 – Familiar Horizon 7 vCenter server configuration.
Elastic Load Balancing
AWS has three different types of Elastic Load Balancing products: Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer. For this deployment, you will need to use an ALB.
The ALB runs at layer 7 of the Open Systems Interconnection (OSI) model, meaning it can base routing on content within the incoming application traffic. It also allows for non-Amazon EC2 target routing, so that we can route traffic to the UAG within the VMware Cloud on AWS environment.
Amazon Certificate Manager (AMC)
For HTTPS connections, like with the one we’ll need for our deployment, the ALB must have a certificate. Amazon Certificate Manager (AMC) integrates with Elastic Load Balancing so you can deploy the certificate on your load balancer. For more information, see the AWS Certificate Manager User Guide.
You will not be able to generate the certificate needed for the UAGs from the ACM, since this certificate must also be imported into the UAGs. Please follow the instructions in the Deploying and Configuring VMware Unified Access Gateway Guide to import a certificate into the UAGs, as well as the instructions in this guide on Importing Certificates into AWS Certificate Manager.
Configuring Your Application Load Balancer (ALB)
Assuming you have completed the process above and have imported a certificate to AMC, you can now follow these steps to configure your ALB for your Horizon 7 on VMware Cloud deployment.
Within the AWS console, open the Amazon EC2 dashboard for the region you have Horizon 7 deployed. On the left side, click Load Balancers and click Create Load Balancer. Select the Application Load Balancer and click Create.
Figure 4 – Application Load Balancer creation wizard.
Next, you will be guided though a step-by step-wizard:
- Step 1: Give your ALB a Name, and then select Internet Facing, IPv4, and a HTTPS listener on port 443. Also, select the VPC that can communicate with the SDDC, AZ, and subnet your UAG’s are deployed within. Update: If you’re using the Alternate Amazon EC2 architecture, select the VPC in which your UAG and connection server are located.
- Step 2: Select the certificate you have imported into the AMC.
- Step 3: Select or create a Security Group for inbound traffic to the ALB.
- Step 4: Select a new Target Group, provide a Name, Protocol HTTPS, and Target Type IP. Also for Health Checks, as described in Deploying and Configuring VMware Unified Access Gateway, use HTTPS and /favicon.ico.
Figure 5 – Target Group confirmation.
- Step 5: Select “Other Private IP Address,” and then provide the IP addresses of the UAG within the VMware Cloud on AWS SDDC. Update: If you’re using the Alternate Amazon EC2 architecture, you can select the UAG instances and add to registered targets.
Figure 6 – Targets registration.
Once completed, navigate to the target group you created, right-click, and choose Edit Attributes. Next, choose Enable Stickiness and set the values that are appropriate for your environment.
Figure 7 – Stickiness configuration.
In the Description tab of your newly-created load balancer, remember to note the Domain Name System (DNS) Name under Basic Configuration.
Amazon Route 53
For customers looking to deploy Horizon 7 between multiple AWS Regions, or between AWS and on-premises data centers, Amazon Route 53 can help with managing DNS failover between these locations. You can see in the architectural diagram in Figure 1 that Amazon Route 53 can direct users to these targets.
Amazon Route 53 is a highly-available and scalable cloud DNS web service. It’s designed to give developers and businesses an extremely reliable and cost-effective way to route end users to, in this case, Horizon 7 deployments, but also to internet applications on or outside of AWS.
For more information on this topic, check out the article Leveraging Amazon Route 53 for VMware Horizon Global Remote Access from Andrew Morgan, a staff engineer at VMware’s End User Computing Office of the CTO.
Configuring Amazon Route 53
Next, you will need to create an A Record set within your hosted zone. Here’s how to do it:
- Within the Amazon Route 53 dashboard, click Create Record Set.
- Provide the external FQDN that matches your certificates used earlier.
- Select the type as an A – IPv4 address
- Select Alias: Yes and enter the DNS name from your ALB created earlier. This is found in the Description tab of your newly-created ALB; the DNS Name is under Basic Configuration.
- Configure the routing policy that makes sense for your environment. In our example, I only need a simple routing policy. To learn more, check out these articles on Choosing a Routing Policy and Health Checks and DNS Failover.
Figure 8 – A – Record set configuration.
Check out the session recording and deck I presented at VMworld Americas 2018—Horizon 7 on VMware Cloud on AWS: What You Need to Know—where I speak with Angela Ge, Product Line Manager for Horizon 7, about the capabilities of Horizon 7 on VMware Cloud on AWS.
You can also check out these great deep dives from VMworld Americas 2018:
- Building Hybrid Cloud with Horizon 7 on VMware Cloud on AWS – Play Video | Deck
- Design Deep Dive: Cloud Burst with Horizon 7 on VMware Cloud on AWS – Play Video | Deck
AWS and VMware are constantly working to improve VMware Cloud on AWS for customers. We would love to hear from you what other enterprise capabilities and innovations we should be working on. Please contact us at firstname.lastname@example.org.