Desktop and Application Streaming

Extending VMware Horizon to Amazon WorkSpaces Core

Updated June 2023

Customers want to use desktop services to deliver business-critical applications and desktops to their end users at scale. Customers who have deployed VMware Horizon 8 or newer ask how Amazon Web Services (AWS) can extend its capabilities without their having to buy additional hardware.

The use cases might include supporting temporary workers, extending an existing data center to AWS, or setting up a disaster recovery environment. Organizations can use VMware Horizon 8 with Amazon WorkSpaces Core to extend their Horizon deployment with the latest versions of VMware Horizon. In this blog, we explore how to extend and expand your VMware Horizon deployment using Amazon WorkSpaces Core.

VMware Horizon 8 2209 or newer can be deployed on AWS as you would deploy it in an on-premises environment. The deployment and management experiences are the same. The user experience can remain the same, depending on the architecture. Consult your VMware Horizon license agreement to confirm whether your license allows you to run anywhere, including AWS.

Recently released features of WorkSpaces, including WorkSpaces Core, give customers more flexibility. Customers can manage Amazon WorkSpaces programmatically while using VMware Horizon protocols like Blast or PCoIP. This includes programmatically adding desktops that have Horizon agents in them to Amazon WorkSpaces. When deployed, the agents add the desktop to the Connection Servers.

Requirements before starting

  • An AWS account.
  • An Amazon Virtual Private Cloud (VPC). You can create a new VPC in the Region that you are deploying your VMware Horizon resources to.
  • Access to Microsoft Active Directory resources in the AWS account.
    • VMware Horizon requires Microsoft Active Directory for user authentication.
    • Amazon WorkSpaces also requires AWS Directory Services (DS).
  • When using Amazon WorkSpaces with VMware Horizon
  • VMware Horizon 8 build 2209 or newer installation files
  • VMware Horizon licenses to support deploying on AWS Cloud
  • Deploy VMware Horizon Cloud Connector when you are using Horizon Universal license subscription
  • Decide whether your organization is going to expand with new VMware Horizon infrastructure servers in AWS or extend existing ones into AWS. See the sections below for details on each method.

Expanding VMware Horizon on AWS

One option is to expand an existing Horizon deployment into a hybrid Horizon deployment. Launch Amazon Elastic Compute Cloud (EC2) instances on which to deploy the Horizon infrastructure servers. The Horizon deployment would be an additional pod using Horizon Cloud Pod Architecture (CPA) or a standalone deployment in AWS. Use the latest VMware Horizon deployment guides to deploy the Horizon management servers and components on AWS using a federated architecture. Join the VMware Horizon Connection Servers to the AWS Directory Services (DS) directory that was set up as part of the requirements section.

Once the AWS VPC is deployed, you configure each component. This can include tasks such as:

  • Deploying Horizon management servers through a partner or using the VMware Horizon deployment guide
  • Adding licenses to Connection Servers
  • Adding Microsoft Active Directory to the Horizon Connection Server console
  • Adding the Active Directory Security Groups in Connection Server console
  • Configuring database for Events database logging

Figure 1 – Expanding VMware Horizon deployment to AWS

Figure 1 shows an example of how to build a new VMware Horizon deployment on AWS and connect it to Amazon WorkSpaces. Figure 1 also shows the Unified Access Gateway (UAG) deployed in a public subnet. Use an Elastic Load Balancer (ELB) to connect the UAG appliance to an external-facing Fully Qualified Domain Name (FQDN). For more information, review the VMware documentation on deploying UAG to Amazon EC2. The ELB you choose depends on the ports that you must open. If you are using HTTPS or the Blast protocol, you can use an Application Load Balancer. For other protocols, you can use a combination of Network Load Balancer and Application Load Balancer.

Extending VMware Horizon with Amazon WorkSpaces

Another option is to extend your existing VMware Horizon pod to AWS Cloud and Amazon WorkSpaces. One of the requirements is to ensure that you have 120 ms or less of latency from the on-premises Connection Servers to the Amazon WorkSpaces desktops over a private connection.


Figure 2 – Extending VMware Horizon pod to AWS.

Figure 2 shows an example of how to extend the VMware Horizon pod to AWS and connect to Amazon WorkSpaces desktops. The connection to your Amazon VPC can be either a Virtual Private Network (VPN) or AWS Direct Connect.

Amazon WorkSpaces configuration

Once you have determined how you want to deploy (expanding or extending) VMware Horizon infrastructure, you deploy and configure Amazon WorkSpaces.

    1. To use Amazon WorkSpaces with VMware Horizon and Windows desktops, you must configure Amazon WorkSpaces BYOL through AWS support, and Bring Your Own Protocol (BYOP) must also be enabled on your account. Work with your AWS account team to help set up BYOP.
    2. Configure Security Groups for network traffic between your end users, your Connection Servers, and Amazon WorkSpaces desktops.
      1. Add the ports that need to be open between the different computers to the AWS Security Groups. Review the VMware Horizon documentation for the TCP and UDP ports to open, such as 443, 8443, 4172.
    3. Create the base image by following steps 1 to 5 of Bring Your Own Windows desktop license.
    4. Import the image from EC2 to Amazon WorkSpaces using the Command Line Interface (CLI) command found in the reference documentation. This method ensures Amazon WorkSpaces agents do not get installed during the import process.
      • You can log in to the AWS Management Console, switch to the Region you have WorkSpaces in, and enter the CLI options using AWS CloudShell or any other method you have for running the AWS CLI.
        Example CLI:
        aws workspaces import-workspace-image --ec2-image-id ami-xxxxxxxxxx --ingestion-process BYOL_REGULAR_BYOP --image-name win10-ent-img01 --image-description "Windows 10 Enterprise"

    5. Capture the image and then create a WorkSpaces custom bundle.
      • The custom bundle is used to deploy WorkSpaces. You can create the custom bundle through the AWS Management Console or using the CLI.
        Example CLI:
        aws workspaces create-workspace-bundle --bundle-name win10-bundle-wsp --bundle-description "Windows 10" --image-id "wsi-7xxxxxxxx" --compute-type "Name=STANDARD" --user-storage "Capacity=10"

    6. Deploy new WorkSpaces instances from the custom bundle. Be sure to assign a user to the desktop during deployment.
    7. Once a WorkSpaces desktop is in a healthy state, connect to it over remote desktop to set up the Horizon Agent on the new base image.
      1. Download the latest version of Horizon Agent for Windows from VMware’s download website. Do not execute the Horizon Agent installation file.
      2. Go to the VMware Knowledge Base (KB) article 92550 and download the PowerShell script from it to the desktop that will be your new base image. Read all of the requirements for using the PowerShell script on the base image before proceeding.
      3. Store both files in a location other than the Windows user profile.
      4. Open PowerShell on the desktop in Administrator mode ("Run as Administrator").
        • Run Set-ExecutionPolicy to set the execution policy to Unrestricted, or to the value your organization's policy requires.
          Example: Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
      5. Change to the folder containing the Horizon Agent and the PowerShell script from the VMware website.
      6. If you have not already done so, rename the VMware-Horizon-Agent-xxxx.exe file to just VMware-Horizon-Agent.exe. This is a requirement for the PowerShell script.
      7. Once both the PowerShell script and the VMware-Horizon-Agent.exe file are in the same directory, run the Setup_AWSHznAgent.ps1 script.
      8. Enter the correct information as prompted. Refer back to the VMware KB article 92550 for more information.
      9. Once the script has executed successfully, verify that it appears in the Windows Task Scheduler. Once you have verified that it is in Task Scheduler, log off (do not power off or shut down) from the desktop.
    8. Create an image of the desktop, which now has the PowerShell script set up to install the Horizon Agent: go to the Amazon WorkSpaces console, locate and open the desktop in the console, and then select the Create Image button.

      Create Image from a WorkSpaces desktop

    9. Once the image is finished, create a bundle using the CLI command from step 5 above, or go into the Amazon WorkSpaces console, locate the image in the Image section of the console, and then select Create Bundle.
    10. Deploy new WorkSpaces instances from the custom bundle. Be sure to assign the user to the desktop during deployment.
    11. Once the new WorkSpaces desktop is in a healthy state, it appears in the Connection Server administrator console under the Registered Machines/Others section. Make sure you create the Desktop Pool first and then add the unmanaged desktop to the new Desktop Pool in the Connection Server.
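
The Security Group rules from step 2, as an added example that is not part of the original post: a shell helper that builds the `--ip-permissions` JSON for the ports the post names and accepts only a specific source (a security group ID or an IPv4 CIDR), refusing `0.0.0.0/0`. The group ID, the source range and the TCP/UDP assignment per port are assumptions; confirm the ports against the VMware Horizon documentation.

```shell
#!/bin/sh
# Added example (not from the original post). IDs and ranges are placeholders.
WS_SG="sg-0123456789abcdef0"   # placeholder: security group on the WorkSpaces desktops
SOURCE="10.20.0.0/24"          # placeholder: Connection Server subnet, or an sg-... ID
# Ports 443, 8443 and 4172 come from the post; the protocol per port is an
# assumption to confirm against the VMware Horizon ports documentation.
RULES="tcp:443 tcp:8443 udp:8443 tcp:4172 udp:4172"

# build_ip_permissions SOURCE RULE... -> JSON for --ip-permissions on stdout.
# SOURCE is a security group ID (sg-...) or an IPv4 CIDR; 0.0.0.0/0 is refused.
build_ip_permissions() {
  src="$1"; shift
  case "$src" in
    sg-*) peer="\"UserIdGroupPairs\":[{\"GroupId\":\"$src\"}]" ;;
    0.0.0.0/0) echo "refusing world-open source" >&2; return 1 ;;
    *.*.*.*/*) peer="\"IpRanges\":[{\"CidrIp\":\"$src\"}]" ;;
    *) echo "unrecognised source: $src" >&2; return 1 ;;
  esac
  out=""
  for rule in "$@"; do
    proto="${rule%%:*}"; port="${rule#*:}"
    case "$proto" in tcp|udp) ;; *) echo "bad protocol in $rule" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port in $rule" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
      echo "port out of range in $rule" >&2; return 1
    fi
    out="${out:+$out,}{\"IpProtocol\":\"$proto\",\"FromPort\":$port,\"ToPort\":$port,$peer}"
  done
  printf '[%s]' "$out"
}

# Prints the command for review by default; set APPLY=1 to run it with the AWS CLI.
apply_rules() {
  perms=$(build_ip_permissions "$SOURCE" $RULES) || return 1
  if [ "${APPLY:-0}" = "1" ]; then
    aws ec2 authorize-security-group-ingress --group-id "$WS_SG" --ip-permissions "$perms"
  else
    printf "aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions '%s'\n" "$WS_SG" "$perms"
  fi
}

apply_rules
```
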
Conclusion

Customers want to use desktop services to deliver business-critical applications and desktops to their end users at scale. Some customers are also looking for a hybrid deployment of VMware Horizon. Customers can use VMware Horizon with Amazon WorkSpaces to extend their Horizon standalone deployment or Horizon Cloud Pod Architecture (CPA) using the latest VMware Horizon 8 build 2209 or newer.

With this capability, you can add automation from existing business logic workflows. For example, use your information technology service management (ITSM) tool, such as ServiceNow, to create a new virtual desktop when a new employee on-boards. You can use the Cost Optimizer for Amazon WorkSpaces solution to analyze your Amazon WorkSpaces usage data. The solution automatically converts the WorkSpaces to the most cost-effective billing option (hourly or monthly).

For more information, or to begin working with VMware Horizon with Amazon WorkSpaces, contact our sales support team.

The following resources can also be useful to learn more about VMware Horizon with Amazon WorkSpaces: