Admittedly, VDI is not an area of expertise for me. I’ve spent an abundance of time during the pandemic trying to grow my VDI experience. Recently, I built my first Horizon on Azure environment. Numerous clients have been asking their VDI firms about the new Azure solution and its validity. We are going to walk through my build with a few videos I made to give some insight and pass along the tips I picked up. Anyone can read the VMware walkthrough, but seeing it live is something else.
Preparing Azure for Horizon
Covering the prerequisites is the first part of your build, and there’s a lot to consider. I built my DC inside of Azure instead of paying $1500 per month for Azure ExpressRoute. You will be doing all sorts of things, like setting up your virtual networks (vNets) inside of Azure, generating secrets/principals and more.
A few tips I’ll throw out for this section:
- Separate the DC and Horizon environment into separate vNets
- Carve the Horizon vNet into subnets for the DMZ, Management Network, and VDI network
Building your Horizon Pod
Building out the Horizon Pod inside of the Horizon Console isn’t too bad. The main thing is making sure you configured/built your networks and have your certificate ready to go. The certificate is supplied in an unusual way that you likely haven’t seen before: the whole chain and the private key go into one bundle, in this order.
-----BEGIN CERTIFICATE-----
Server Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Certificate
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Private Key
-----END PRIVATE KEY-----
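As an added example (not from the original post and not VMware's own tooling), here is a small Python script that assembles a bundle in the order shown above and checks an existing bundle for the structural mistakes that are easy to make: the key not being last, more than one key, a missing intermediate or root, a passphrase-protected key, or a duplicated certificate. The certificate bodies below are constructed placeholders rather than real DER, and the checks are purely structural; the script does not validate the chain cryptographically.

```python
import base64
import re

# One PEM block: a label, a base64 body, and a closing label that must match the opening one.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_pem_bundle(text):
    """Return [(label, base64_body), ...] in the order the blocks appear."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
            raise ValueError(f"{label} block body is not base64")
        blocks.append((label, body))
    return blocks


def wrap_pem(label, der_bytes):
    """Encode raw bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_bundle(server_pem, intermediate_pems, root_pem, key_pem):
    """Concatenate in the order the post shows: server, intermediate(s), root, private key."""
    parts = [server_pem] + list(intermediate_pems) + [root_pem, key_pem]
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def check_bundle(text, min_certs=3):
    """Return a list of problems; an empty list means the bundle has the expected shape.

    min_certs=3 matches the post's layout (server, intermediate, root); a chain
    with more intermediates simply has more CERTIFICATE blocks.
    """
    blocks = parse_pem_bundle(text)
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    problems = []

    key_positions = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    if len(key_positions) != 1:
        problems.append(f"expected exactly one private key block, found {len(key_positions)}")
    elif key_positions[0] != len(labels) - 1:
        problems.append("private key block must be the last block in the bundle")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is passphrase-protected; the layout above uses an "
                        "unencrypted PKCS#8 'PRIVATE KEY' block")

    cert_count = labels.count("CERTIFICATE")
    if cert_count < min_certs:
        problems.append(f"expected at least {min_certs} CERTIFICATE blocks "
                        f"(server, intermediate, root), found {cert_count}")
    for l in labels:
        if l != "CERTIFICATE" and not l.endswith("PRIVATE KEY"):
            problems.append(f"unexpected block type {l!r}")

    cert_bodies = [b for l, b in blocks if l == "CERTIFICATE"]
    if len(set(cert_bodies)) != len(cert_bodies):
        problems.append("the same certificate appears more than once")
    return problems


# Constructed placeholders: the bodies are not real certificates or keys,
# they only give the blocks a valid base64 payload for the structural checks.
SERVER = wrap_pem("CERTIFICATE", b"constructed placeholder: server certificate DER")
INTER = wrap_pem("CERTIFICATE", b"constructed placeholder: intermediate CA DER")
ROOT = wrap_pem("CERTIFICATE", b"constructed placeholder: root CA DER")
KEY = wrap_pem("PRIVATE KEY", b"constructed placeholder: PKCS#8 key DER")

if __name__ == "__main__":
    good = build_bundle(SERVER, [INTER], ROOT, KEY)
    print("good bundle problems:", check_bundle(good))
    print("key-first bundle problems:", check_bundle(KEY + SERVER + INTER + ROOT))
```

Run it against the bundle you are about to paste into the pod wizard; anything other than an empty problem list is worth fixing before the build, because a malformed bundle is a slow way to find out that the wizard could not load your key.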
It’s a bit different, but pretty easy to solve. Anyway, enjoy the video. Remember to be patient and don’t be like me and stare at the build… Oh wait, there’s more!
There’s a current bug: if you enable HA for the Pod Manager, it is very likely to bomb out and fail. It’s a known issue, but I’m unsure when they will have it fixed.
Integrating your VMware Horizon Pod with Active Directory
What do I say about this??? I FREAKING HATED THIS. It literally kept me up till about 3 AM trying to get it working. My experience was basically that Domain Controllers hosted in Azure are really difficult: a ton of disconnects and timeouts. I also realized that I have to account for firewall rules between the Pod Manager and my DC. I put in rules inbound to the DC and outbound from the Pod Managers, like the ones shown below, for LDAP, DNS, and NTP (ignore the typo on the label for the DNS rule).
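As an added example, not part of the original post, here is a Python model of how a network security group decides a flow (rules evaluated in ascending priority order, first match wins) applied to the three services named above, checking both the DC's inbound rules and the pod managers' outbound rules so a one-sided rule set shows up before you spend a night on timeouts. The subnets, rule names and priorities are constructed for illustration; service tags and application security groups are not modelled, and an explicit deny-all at priority 65500 stands in for Azure's default deny rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NsgRule:
    """One NSG security rule, with the fields the Azure portal shows."""
    name: str
    priority: int        # custom rules use 100-4096; lower numbers are evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR or "*" (service tags / ASGs are not modelled here)
    destination: str     # CIDR or "*"
    dest_ports: str      # "389", "53,123,389", "1024-65535" or "*"


def _addr_match(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, direction, proto, src, dst, port):
    """Return (access, rule_name) for the first matching rule in priority order.

    A flow that matches no rule is reported as denied; in Azure the default
    rules would decide it, and those are not modelled here.
    """
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != proto.lower():
            continue
        if _addr_match(r.source, src) and _addr_match(r.destination, dst) \
                and _port_match(r.dest_ports, port):
            return r.access, r.name
    return "Deny", "<no matching rule>"


# The services the post names between the Pod Managers and the DC.
REQUIRED = [("Tcp", 389, "LDAP"), ("Tcp", 53, "DNS"), ("Udp", 53, "DNS"), ("Udp", 123, "NTP")]


def missing_flows(dc_inbound_rules, pod_outbound_rules, pod_ip, dc_ip):
    """List each required service that is blocked on either side of the path."""
    blocked = []
    for proto, port, svc in REQUIRED:
        out_access, out_rule = evaluate(pod_outbound_rules, "Outbound", proto, pod_ip, dc_ip, port)
        in_access, in_rule = evaluate(dc_inbound_rules, "Inbound", proto, pod_ip, dc_ip, port)
        if out_access != "Allow":
            blocked.append(f"{svc} {proto}/{port}: outbound blocked by {out_rule}")
        if in_access != "Allow":
            blocked.append(f"{svc} {proto}/{port}: inbound blocked by {in_rule}")
    return blocked


# Constructed sample: management subnet in the Horizon vNet and a subnet in the DC vNet.
POD_SUBNET = "10.0.1.0/24"
DC_SUBNET = "10.1.2.0/24"

DC_INBOUND = [
    NsgRule("Allow-LDAP-from-PodMgr", 100, "Inbound", "Allow", "Tcp", POD_SUBNET, DC_SUBNET, "389"),
    NsgRule("Allow-DNS-from-PodMgr", 110, "Inbound", "Allow", "*", POD_SUBNET, DC_SUBNET, "53"),
    NsgRule("Allow-NTP-from-PodMgr", 120, "Inbound", "Allow", "Udp", POD_SUBNET, DC_SUBNET, "123"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]
POD_OUTBOUND = [
    NsgRule("Allow-DC-services", 100, "Outbound", "Allow", "*", POD_SUBNET, DC_SUBNET, "53,123,389"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    print("blocked:", missing_flows(DC_INBOUND, POD_OUTBOUND, "10.0.1.10", "10.1.2.4"))
```

The DNS rule is the one people get wrong: DNS uses both UDP and TCP on port 53, so a rule scoped to TCP only leaves UDP lookups to fall through to the deny-all, which is exactly the kind of intermittent-looking failure this check surfaces.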
You also have a lengthy bit of work to do before setting up Active Directory (AD). Horizon requires 4 AD accounts: 2 x LDAP bind accounts and 2 x DJoin accounts. The bind accounts require the following permissions, which they may get by default in some environments:
- List Contents
- Read All Properties, Permissions, and tokenGroupsGlobalAndUniversal (implied by Read All Properties)
I strongly suggest this prep article from VMware, which is very useful. You will also want to remember to set the DNS servers for your vNets and bounce the servers to minimize the frustration.
Building your VMware Horizon Gold Image
For all of you Horizon veterans, you know this all too well. I do love the fact that in Azure you can click a few buttons and you have your image. It’s pretty simple overall to achieve. A few pieces of information to throw out there. Firstly, make sure you pick the right OS. The new “Multi-Session” VMs are for RDSH farms (Apps or VMs) and the others will be for your floating pools aka Instant Clones.
They do most of the optimization for you through this process, which uses the Windows Virtual Desktop (WVD) images. You will want to run your friend the VMware OS Optimization Tool and install your apps. It should excite you to learn that you don’t need KMS anymore. You can leverage the WVD licensing, which many of you already qualify for.
|Scenario|What you get|Eligibility|
|---|---|---|
|Virtualize Windows 10 and Windows 7|Access Windows 10 Enterprise and Windows 7 Enterprise desktops and apps at no additional cost if you have an eligible Windows or Microsoft 365 license. Get free Extended Security Updates until January 2023 for your Windows 7 virtual desktop—offering more options to support legacy apps while you transition to Windows 10.|You are eligible to access Windows 10 and Windows 7 with Windows Virtual Desktop if you have one of the following per-user licenses*: Microsoft 365 E3/E5; Windows 10 Enterprise E3/E5; Microsoft 365 A3/A5/Student Use Benefits; Windows 10 Education A3/A5; Microsoft 365 F3; Windows 10 VDA per user; Microsoft 365 Business Premium**|
|Virtualize Windows Server|Access desktops powered by Windows Server Remote Desktop Services desktops and apps at no additional cost if you are an eligible Microsoft Remote Desktop Services (RDS) Client Access License (CAL) customer.|You are eligible to access Windows Server 2012 R2 and newer desktops and apps if you have a per-user or per-device RDS CAL license with active Software Assurance (SA).|
Building the VMware Horizon RDSH Farm
I’ll be focusing on one type of farm. You can build an App Farm or a VM Farm; my focus will be on VMs. I’ll focus more on the apps at a later time in my article covering DEM and AppVolumes in Azure. You might be surprised that in my video I show a simple mistake I made, but I think it’s useful to see how things go in the real world.
One surprising thing is that the location of your computer accounts is hidden in the “advanced” section when building your farm. Another really good piece of knowledge I didn’t realize: when you are building your gold image, you may need to power it off and change its sizing if you want to build a specific farm. It’s a common theme that the “Import VM” function will pick an ill-conceived option.
Assigning the RDSH Pool
Once your farm is done, you just need to assign it out. It’s sort of weird that they decoupled it like this, but it’s not the end of the world (because assignments are how you create Instant Clone Pools). It’s pretty basic, but you will notice at the start that you have 3 options: dedicated pools, instant pools, or assigning out the RDSH farm.
Seeing VMware Horizon on Azure LIVE!
I will admit the most pleasant surprise about this entire venture is how they self-configure the UAGs. Once I built everything out, I was able to test it pretty easily. Just a little hosts file entry pointing at the public IP of the Azure Load Balancer and magic! You will want to add a small security rule so that only your ISP’s public IP can hit the load balancer, just to do things safely, but otherwise it’s simple.
Building VMware Horizon Instant Clone Pools
I wasn’t going to finalize this article without mentioning Horizon’s darling, “Instant Clones”. What’s not to like, really? They’re clean and fast and work smoothly. As I mentioned earlier, IC Pools are all about choosing the right VMs to import. Overall, building the instant clone pools is very simple, and as you will see it’s not too rough to build them out. One thing to call out: if you have any issues with your pools, you can’t re-queue them. You end up having to delete and re-issue the pools.
Final thoughts on VMware Horizon on Azure
I have to say that overall it was a really great experience building their VDI solution. My biggest criticism is that they need to get all of the Horizon components into this clean solution. Luckily, AppVolumes is now part of it, but we still need VMware Dynamic Environment Manager built into this solution.
I love how easy overall it is to deploy, but I have serious concerns over running Azure DCs given the performance. Bumping the DC up to a monstrous-sized VM still had issues. I suppose if you have a strong collection of 5-6 DCs it may be irrelevant. As they say, #testenvironmentproblems. This has come a long way from the initial lab that I built and wrote about. In my next installment, we will cover AppVolumes once I get the entitlements I need to test/build that out. I hope my experience will help you build your first VDI environment in Azure.