
Horizon – Brokering

You already use VMware Horizon and want to expand to a high availability (HA) architecture, or you are considering Horizon and want to start with the planning and design phase. Great!

You are on the right track, because planning and design are key. In a multi-site architecture you have to understand the differences between the brokering options that are available with Horizon.

In general you have two options for brokering user sessions and delivering VDI / desktop sessions to your users in an HA architecture: the Cloud Pod Architecture (CPA) or Universal Brokering. But when do you choose which, and what is the difference? Let us take a look at both architectures at a high level.

The Cloud Pod Architecture (CPA)

The Cloud Pod Architecture is the traditional way to make a VMware Horizon infrastructure highly available, for instance across two sites. It gives you global entitlements for your environment and, of course, the HA functionality.

There are some things you have to consider with this kind of implementation and architecture. First of all, you need a Global Server Load Balancer (GSLB). It does not come from VMware; you have to invest in such a load balancer additionally and check which products are compatible. In such environments I´ve seen examples like Kemp or F5. This means an additional component to operate and administer, which increases complexity at the same time.

The next really important point, in times of cloud, multi-cloud and hybrid environments in general, is that the Cloud Pod Architecture is not built for hybrid and multi-cloud deployments. Additionally, it works only for Horizon Enterprise pods.

Regarding availability and the brokering itself, this kind of architecture creates East-West traffic overhead, because all participating Horizon Enterprise pods need line of sight to each other (inter-pod WAN). A WAN connection between the pods is required.

If we look at the authentication piece, the user is authenticated in one site and the brokering is done on behalf of that same site.

Universal Brokering

Universal Brokering is the next generation of session brokering in such environments. It is designed and built for hybrid and multi-cloud deployments. That means you get a multi-tenant, cloud-based brokering capability included in Horizon; to be exact, in the Horizon Cloud Control Plane (management console). This approach brings a lot of advantages: a single FQDN for users to access their desktop sessions and applications across all included environments, no matter whether those environments are on-premises or in the cloud.

No inter-pod WAN is required, which means the East-West traffic is avoided.

If multi-site brokering is included in the solution itself, you can imagine that the global load balancer is simply no longer necessary. That functionality is integrated and provided by VMware. Great, isn´t it? This decreases complexity and operational effort. Another important point: if you have trouble with this functionality, VMware Support is your contact, and you do not have to handle it yourself.

The solution is not only for cloud and multi-cloud; you can integrate your on-premises environment(s) as well. Finally, you can administer and handle Horizon pods and Horizon Cloud pods from one single console. With that said, entitlements across multiple pods and multiple sites for desktops and applications are possible.

How does authentication and user session brokering work in this scenario?

The user authenticates against the Horizon Control Plane / Universal Broker. Then the Cloud Connector looks for the best available site / pod. The request goes to the Unified Access Gateway (UAG), in case you have one in front of the Connection Server, where it is validated and the desktop session is prepared. The user is then connected.

As you can see, there is a huge difference, which you have to consider in the planning and design phase of such a virtual desktop infrastructure.
