VMware Horizon Cloud Service Next-Gen

Introduction

VMware announced the new Horizon Cloud Service Next-gen (aka Titan, Horizon Cloud V2) around the end of CY 2021 as Limited Availability (LA). It is now generally available (GA) as of 11th August 2022. Next-gen is fully API driven and built on a POD-less architecture, with advanced automation, improved visibility and troubleshooting, unprecedented scalability, and lower infrastructure cost for the management components compared to the current Horizon Cloud Service (V1).

Release Notes

Visit the Horizon Cloud Next-gen release notes page for future updates and the administrator guide.

Architecture

Horizon Edge Gateway

In the Next-gen architecture, POD manager functionality has moved entirely to the Control Plane, so the two POD manager VMs are no longer deployed in the customer's Azure subscription. A new management component called "Horizon Edge Gateway" is introduced; it is hosted on Azure Kubernetes Service (AKS), which provides its high availability. Horizon Edge Gateway is responsible for collecting monitoring data from the agents, deploying Unified Access Gateway (UAG), and Single Sign-On (SSO) functionality.

Prerequisites for onboarding

At a high level the prerequisites for onboarding are similar to those of Horizon Cloud Service V1. In addition, an identity provider for user authentication is mandatory in Next-gen; it can be Azure Active Directory or VMware Workspace ONE Access (SaaS or on-premises). The prerequisites for onboarding are listed below. Visit the docs.vmware.com page for the detailed requirement checklist for a new Next-gen deployment.

  • My VMware Account for VMware Cloud Server Platform (CSP) login
  • Microsoft Azure Subscription / Service principal Account (App registration)
  • Azure Capacity Requirement for Horizon Edge and Unified Access Gateway
  • User Managed Identity for Horizon Edge AKS deployment
  • Azure VNet / Subnets / DNS (Network Requirements)
  • Azure NAT Gateway for AKS Cluster (Network Requirements)
  • Identity Provider for user identity (Azure AD or Workspace ONE Access)
  • Windows Active Directory Domain Service for Machine identity
  • Domain bind and join accounts with proper permissions (2 accounts for each)
  • Active Directory Certificate Service (Certificate Authority) for SSO (optional)
  • Public/Private FQDN and Certificate for Unified Access Gateway (UAG)
  • DNS/Port Requirement

User Managed Identity Requirement for Horizon Edge AKS:

Horizon Edge, which runs on an AKS cluster, requires a user-managed identity with the Network Contributor role at the management VNet's resource group scope and the Managed Identity Operator role at the Microsoft Azure subscription scope. Follow the steps below to create the user-managed identity.

i) Log in to https://portal.azure.com and search for "User Assigned Managed Identity" in the search bar.

ii) Define the [Subscription] and [Resource Group] where your VNet for the Azure deployment is located. Select the Azure [Region] and give your "User Assigned Managed Identity" a name of your choice.

iii) Confirm that you have successfully created the "User Assigned Managed Identity". This needs to be specified in the Horizon Edge deployment wizard, so it is worth noting it down somewhere.

iv) Navigate to the Azure Subscription where you are going to deploy your Horizon Edge.

v) Navigate to [Access Control (IAM)] in the left pane of the Subscription page > [Add] > [Add Role Assignment] > search for [Network Contributor] and select it > [Next] > select [Managed Identity] under Members > click the [+Select members] hyperlink next to [Members].

vi) A new "Select managed identity" pane appears on the right of the screen. Define your [Subscription], set [Managed identity] = User assigned managed identity, and under Select choose the user assigned managed identity you created in step iii) > click [Select] at the bottom of the pane > select [Review + Assign].

vii) Repeat steps v) and vi) for the "Managed Identity Operator" role as well.

viii) Verify that the roles have been assigned as shown below.
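The same identity and role setup, scripted with the Az PowerShell modules, as an added example that is not part of the original post or VMware's own tooling. It assumes the Az.Accounts, Az.ManagedServiceIdentity and Az.Resources modules are installed and that you have already run Connect-AzAccount; the subscription id, resource group name, identity name and region are placeholders to replace with your own values. It follows the scoping stated above (Network Contributor only on the management VNet's resource group, Managed Identity Operator on the subscription) and ends with the verification from step viii) plus a check that flags a Network Contributor assignment at subscription scope, which is broader than the requirement calls for.

```powershell
# Added example (not from the original post). Requires Az.Accounts,
# Az.ManagedServiceIdentity and Az.Resources and a signed-in session.
# Every value below is a placeholder; replace it with your own.
$SubscriptionId = '<your-subscription-id>'            # placeholder
$VnetRg         = '<management-vnet-resource-group>'  # placeholder: RG holding the management VNet
$IdentityName   = 'hcs-edge-umi'                      # placeholder name of your choice
$Location       = 'japaneast'                         # placeholder Azure region

Set-AzContext -Subscription $SubscriptionId | Out-Null

# Steps i) to iii): create the user-assigned managed identity (idempotent).
$umi = Get-AzUserAssignedIdentity -ResourceGroupName $VnetRg -Name $IdentityName -ErrorAction SilentlyContinue
if (-not $umi) {
    $umi = New-AzUserAssignedIdentity -ResourceGroupName $VnetRg -Name $IdentityName -Location $Location
}
Write-Host "Identity resource id for the Horizon Edge wizard: $($umi.Id)"

# Scopes exactly as the requirement states: RG scope for Network Contributor,
# subscription scope for Managed Identity Operator.
$RgScope  = "/subscriptions/$SubscriptionId/resourceGroups/$VnetRg"
$SubScope = "/subscriptions/$SubscriptionId"

$assignments = @(
    @{ Role = 'Network Contributor';       Scope = $RgScope  },
    @{ Role = 'Managed Identity Operator'; Scope = $SubScope }
)

# Steps v) to vii): assign each role to the identity's service principal, skipping
# any assignment that already exists at (or above) that scope.
foreach ($a in $assignments) {
    $existing = Get-AzRoleAssignment -ObjectId $umi.PrincipalId -RoleDefinitionName $a.Role `
                    -Scope $a.Scope -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $umi.PrincipalId -RoleDefinitionName $a.Role -Scope $a.Scope | Out-Null
        Write-Host "Assigned '$($a.Role)' at $($a.Scope)"
    }
}

# Step viii): list what the identity actually holds.
$current = Get-AzRoleAssignment -ObjectId $umi.PrincipalId
$current | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Least-privilege check: Network Contributor is only needed on the VNet's resource
# group, so an assignment of it at subscription scope is wider than required.
$tooBroad = $current | Where-Object {
    $_.RoleDefinitionName -eq 'Network Contributor' -and $_.Scope -eq $SubScope
}
if ($tooBroad) {
    Write-Warning "Network Contributor is assigned at subscription scope; only $RgScope is required."
}
```

If New-AzRoleAssignment fails immediately after the identity is created, the new service principal has usually not finished replicating in Azure AD yet; rerunning the script after a minute picks up where it left off because both the identity creation and the assignments are idempotent.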

New parameters introduced in Next-gen

In Next-gen, a couple of new parameters are introduced that did not exist in Horizon Cloud V1.

  • Horizon Edge – Management component responsible for monitoring and SSO
  • Provider – Azure Subscription
  • Pool template – Group of the desktops
  • Pool – Logical grouping of pool templates
  • SSO – Single Sign-On

Onboarding Workflow and Estimated Time

If all the prerequisites mentioned above are met, the workflow and the estimated time required for onboarding are as follows.

  1. Initial CSP onboarding – 3~5 minutes (one time task for the very first onboarding)
  2. Domain registration and Identity Provider – 2~3 minutes
  3. Horizon Edge and Unified Access Gateway onboarding – 15 minutes
  4. SSO configuration – 5 minutes (optional)
  5. Image import – 5 minutes
  6. Image publish – 20 minutes
  7. Pool template / Pool/Entitlement – 5~7 minutes
  8. Accessing desktops – 1 minute

Let's onboard a very first Horizon Cloud Next-gen environment

In this section I will show the steps to onboard Horizon Cloud Next-gen from scratch. I have covered workflow #1 with screenshots and descriptions, and #2-8 in a video clip.

Before you start the onboarding, you either have to purchase the Horizon Cloud Service Universal License or sign up for the Horizon Cloud Next-gen evaluation program.

Note: I'm not including the Workspace ONE Access, Active Directory, Certificate Authority and Azure VNet/Subnet configuration in the workflow. These are considered pre-configured.

Workflow #1: Initial CSP onboarding

1.1 Access [https://console.cloud.vmware.com] and log in with the My VMware account/password associated with your Horizon Cloud Next-gen tenant.

1.2 You will be taken to the [Select or Create Organization] page. Here you create your organization under your CSP account. Select [+Create Organization] and [Continue].

1.3 Give it a name of your choice, check the VMware Cloud Services Terms of Service box and select [Create Organization and Complete Sign-up].

1.4 On the next page, select [Active Users] under [Identity & Access Management] > select your user account > [Edit Roles].

1.5 Select [Organization Owner] or [Organization Member] as needed. I'm selecting [Organization Owner] in my case. In the "Assign Service Roles" section, select [Workspace ONE] > click the drop-down next to "with roles" > select [Admin] > under "Horizon Cloud Service" select [Administrator] > [SELECT] > [Save].

Important: Under the "Horizon Cloud Service" section, you need to select at least the Administrator role to be able to proceed with the Next-gen onboarding. Of course you can select multiple roles as needed.

1.6 You will see the "Workspace ONE" tile under the [Services] section on the next page. If you have a Horizon Cloud tenant from the Limited Availability and the tenant is not integrated with Workspace ONE Intelligence, you will see the "Horizon Cloud Service" tile under [Services] instead.

1.7 Click [Launch Service] at the bottom of the service tile. You will be redirected to the Horizon Cloud region selection page. Choose the region according to your location (Japan in my case). Check the Terms of Service box and select [Save and Continue].

1.8 Next you will see the Horizon Universal Console welcome page. With this you are DONE!!! with workflow #1.

Workflow #2 to 8: Horizon Edge onboarding

Video Clip

Accessing Next-gen Desktop

As per the initial GA announcement, Next-gen desktops/applications are accessed through the URL https://cloud.vmwarehorizon.com. This URL is common to all Next-gen customers. Once you enter your company domain ("EUC" is my company domain in my example) you are redirected to your identity provider (IdP). Provide your username and password for user authentication. Once you are authenticated with the IdP, you can launch desktops/applications either with the Horizon Client or a browser.

Note: Blast is the standard protocol in Horizon Next-gen. The PCoIP protocol is no longer supported.

1. Access https://cloud.vmwarehorizon.com and enter the company domain you configured in the Identity Provider during onboarding.

When accessing via the native Horizon Client, enter https://cloud.vmwarehorizon.com as the [Connection Server Name] > select [Connect]. You will then be redirected to the Sign in with SSO page.

Enter [Company Domain] > select [Continue].

2. You will be redirected to the IdP page; enter your username and password and select [Sign In].

3. You will see the desktops and applications entitled to you.

4. Launch the desktop with the Horizon Client or a browser.

5. You are now logged into the desktop!

Note: If you have not configured SSO, you will be prompted to enter your username and password again when launching the desktop.