Desktop and Application Streaming

Extending VMware Horizon to Amazon WorkSpaces Core

Customers want to use desktop services to deliver business-critical application and desktops to their end users at scale. Customers who have deployed a VMware Horizon 8 or newer ask how Amazon Web Services (AWS) can extend capabilities, without having to buy additional hardware.

The use cases might be temporary workers, extending an existing data center to AWS or how to set up disaster recovery environment. Organizations can use VMware Horizon 8 with Amazon WorkSpaces Core to extend your Horizon deployment with the latest versions of VMware Horizon. In this blog we explore how to extend and expand your VMware Horizon deployment using Amazon WorkSpaces Core.

VMware Horizon 8 2209 or newer on AWS can be deployed as you would deploy in an on-premises environment. The deployment, and management experiences are the same. The user experience can remain the same depending on the architecture. Consult your VMware Horizon license agreement to confirm if your license allows to run anywhere including AWS.

Recently released features of WorkSpaces including WorkSpaces Core gives customer more flexibility. Customers can manage Amazon WorkSpaces programmatically while using VMware Horizon protocols like Blast or PCoIP. This includes programmatically adding desktops to Amazon WorkSpaces that have Horizon agents in it. When deployed the agents will add the desktop to the Connection Servers.

Requirements before starting

  • An AWS account.
  • A Amazon Virtual Private Cloud (VPC). You can create a new VPC in the Region that you are deploying your VMware Horizon resources to.
  • Access to Microsoft Active Directory resources in the AWS account.
    • VMware Horizon requires Microsoft Active Directory for user authentication.
    • Amazon WorkSpaces also requires AWS Directory Services (DS) as well.
  • When using Amazon WorkSpaces with VMware Horizon
  • VMware Horizon 8 build 2209 or newer installation files
  • VMware Horizon licenses to support deploying on AWS Cloud
  • Deploy VMware Horizon Cloud Connector when you are using Horizon Universal license subscription
  • Decide if your organization is going to expand with new or extend existing VMware Horizon infrastructure servers into AWS, see below section for details on each method.

Expanding VMware Horizon on AWS

One option would be to expand an existing Horizon deployment for a hybrid Horizon deployment. Launch Amazon Elastic Compute Cloud (EC2) to deploy Horizon infrastructure servers on. The Horizon deployment would be an additional pod using Horizon Cloud Pod Architecture (CPA) or a standalone deployment in AWS. Use the latest VMware Horizon deployment guides to deploy the Horizon management servers and components on AWS using federated architecture. Join the VMware Horizon Connection Servers to AWS Directory Services (DS) that was previously setup from the requirements section.

Once the AWS VPC is deployed, you configure each component. This can include tasks such as:

  • Deploy Horizon management servers through partner or using the VMware Horizon deployment guide
  • Adding licenses to Connection Servers
  • Adding Microsoft Active Directory to the Horizon Connection Server console
  • Adding the Active Directory Security Groups in Connection Server console
  • Configuring database for Events database logging
Expanding Horizon CPA to AWS and Amazon WorkSpaces

Figure 1 – Expanding VMware Horizon deployment to AWS

Figure 1 shows an example of how to build a new VMware Horizon to AWS and connect it to Amazon WorkSpaces. Figure 1 also shows the Unified Access Gateway (UAG) is deployed in Public Subnet. Use Elastic Load Balancer (ELB) to connect the UAG appliance to an external facing Fully Qualified Domain Name (FQDN). For more information, review the VMware documentation on deploying UAG to Amazon EC2. The ELB you choose is based on the ports that you must open. If you are using HTTPS or Blast protocol, you can use an Application Load Balancer. For other protocols, you can use a combination of Network Load Balancer and Application Load Balancer.

Extending VMware Horizon with Amazon WorkSpaces

Another option is to extend your existing VMware Horizon pod to AWS Cloud and Amazon WorkSpaces. One of the requirements is to insure you have 120-ms or less latency from on-premises Connection Servers to Amazon WorkSpaces desktops over a private connection.

Extend existing Horizon CPA to Amazon WorkSpaces

Figure 2 – Extending VMware Horizon pod to AWS.

Figure 2 shows an example of how to extend the VMware Horizon pod to AWS and connect to Amazon WorkSpaces desktops. The connection can either be a Virtual Private Network (VPN), or AWS Direct Connect to your Amazon VPC.

Amazon WorkSpaces configuration
Once you have determined how you want to deploy (expanding or extending) VMware Horizon infrastructure, you deploy and configure Amazon WorkSpaces.

  1. To use Amazon WorkSpaces with VMware Horizon and Windows 10 desktops, you must configure Amazon WorkSpaces BYOL and Bring Your Own Protocol (BYOP) through AWS Support. See BYOL document on when to request BYOL and BYOP.
  2. Configure Security Groups for communication between your end users, your Connection Servers, and Amazon WorkSpaces.
    • Add the ports to the AWS Security Groups that you will need opened between the different computer.
    • Review the VMware Horizon documentation for the TCP and UDP ports to open like 443, 8443, 4172.
  3. Create the base image by following the steps on Bring Your Own Windows desktop license steps 1 to 5
  4. Once the image is in EC2 you will then create an instance based on the imported Amazon Machine Image (AMI) from the proceeding steps. Power the desktop up and connect into the desktop.
  5. You will download VMware Horizon Deployment Service (VMDS) and the latest version of Horizon Agent for Windows from VMware to the desktop.
    • Store the files in a location other then Windows User profile
    • During the installation, enter a domain user or domain service account that has local Windows Logon as a Service privileges on the desktop and has rights to add the new desktops to the VMware Horizon Connection server. When using a domain user account the base image desktop will have to be added to the domain.
    • When you install VMDS, you will be prompted to browse () to your copy of Horizon Agent installation file. Do not install the Horizon Agent as VMDS will install the agent later on.
    • By default VMDS will add the connection server you entered during the VMDS installation and “ADDLOCAL=Core,PrintRedir,USB”. You can add additional Agent install file syntax in the Installer Arguments field as well if needed by your organization.
    • Enter the SHA256SUM hash information into the Installer Hash from the Horizon agent download page, under the Read More section.

      VMware Horizon Deployment Service

      Example of VMDS+Horizon Agent installation on a WorkSpaces desktop image

  6. Remove the from the desktop from the domain and power down the desktop
    • Capture an Amazon Machine Image (AMI) in the Amazon EC2 console.
    • Use the AMI Identification(ID) in the following steps.
  7. Import the image into Amazon WorkSpaces using Command Line Interface (CLI) found in the reference documentation.
    • This method ensures Amazon WorkSpaces agents do not get installed during the import process.
    • You can log into AWS Management Console, switch to the Region you have WorkSpaces in, and enter the CLI options using AWS CloudShell or method you can run the AWS CLI with.
    • Example CLI:
      aws workspaces import-workspace-image --ec2-image-id ami-xxxxxxxxxx --ingestion-process BYOL_REGULAR_BYOP --image-name win10-ent-img01 --image-description “Windows 10 Enterprise”
  8. Capture the image and then create a WorkSpaces custom bundle.
    • The custom bundle is used to deploy WorkSpaces. You can create the custom bundle through the AWS Management Console or using CLI.
    • Example CLI:
      aws workspaces create-workspace-bundle --bundle-name win10-bundle-wsp --bundle-description “Windows 10” --image-id "wsi-7xxxxxxxx” --compute-type “Name=STANDARD” --user-storage “Capacity=10”
  9. Deploy new WorkSpaces instances from the custom bundle be sure to assign the user to the desktop during deployment.
  10. Once a WorkSpaces is in a healthy state, it appears in the Connection Server administrator console.
  11. Make sure you create Desktop Pool first and then add the unmanaged desktop to the new Desktop Pool.


Customers want to use desktop services to deliver business-critical application and desktops to their end users at scale. Customers that are even looking for a hybrid deployment of VMware Horizon. Customers can use VMware Horizon with Amazon WorkSpaces to extend your Horizon standalone deployment or Horizon Cloud Pod Architecture (CPA) using the latest VMware Horizon 8 build 2209 or newer.

With this capability, you can add automation from existing business logic workflows. For example, use your information technology service management (ITSM), such as Service Now, to create a new virtual desktop when a new employee on-boards. You can use the Cost Optimizer for Amazon WorkSpaces solution to analyze your Amazon WorkSpaces usage data. The solution automatically converts the WorkSpaces to the most cost-effective billing option (hourly or monthly).

For more information, or to begin working with VMware Horizon with Amazon WorkSpaces, contact our sales support team.

The following resources can also be useful to learn more about VMware Horizon with Amazon WorkSpaces: