Host virtual desktop infrastructure with Horizon

You can use your Google Cloud VMware Engine private cloud site to host a virtual desktop infrastructure (VDI) using VMware Horizon 7.x.

With this solution, you have complete control over Horizon View Manager and App Volume. The familiar Google Cloud console, Google Cloud CLI, and Compute Engine API interfaces enable you to use your existing scripts and tools.

The solution requires you to do the following:

  • Install, configure, and manage VMware Horizon 7.x in your private cloud.
  • Provide your own Horizon licenses.

Deploy a VDI solution using Horizon in your private cloud

Verify that VMware product versions are compatible

Verify that your current and planned versions of Horizon, App Volumes, Unified Access Gateway, and User Environment Manager are compatible with each other and with vCenter and PSC in the private cloud. For more information, see VMware Compatibility Matrix for Horizon 7.5.

To find out the current versions of vCenter and PSC in your private cloud, go to Resources in the VMware Engine portal, select your private cloud, and click the vSphere Management Network tab.

Estimate the size of your desktop environment

Verify that your identified configuration is within VMware operational limits.

Estimate the resources that are needed for all of your desktops and your Horizon management components.

Set up a private cloud for your environment

To create a private cloud from the VMware Engine portal, follow the instructions in Configure a private cloud environment. Google creates a default vCenter user named CloudOwner in every newly created private cloud. For information about the default private cloud user and permission model, see Learn the private cloud permissions model.

To further set up your private cloud environment for use with VMware Horizon 7.x, complete the following steps:

  1. In your private cloud, create a subnet in your NSX-T for the Horizon management plane, and assign it a subnet CIDR. For more information, see Create and manage subnets. This is the network where all the solution components (Unified Access Gateway, Connection Server, App Volume Server, and User Environment Manager servers) are installed.
  2. If you want to use an external identity provider with your private cloud vCenter, choose one of these options:
  3. Configure DNS forwarding on the DNS server installed in the private cloud. For instructions, see Create a Conditional Forwarder.

Install VMware Horizon in your private cloud

The following figure shows a Horizon solution deployed in a private cloud. Unified Access Gateway, AD/DC, View, and App Volume Server are installed in user-created VLAN 234. Unified Access Gateway has an assigned public IP address that is reachable from the internet. To provide additional isolation and security, you can deploy Horizon desktop pool VMs in VLAN 235.

The following sections outline the instructions to set up a deployment similar to the one that is depicted in the figure. Before you begin, verify that you have the following:

  • A private cloud created using the VMware Engine portal with sufficient capacity to run your desktop pools.
  • Sufficient bandwidth between your on-premises environment and the private cloud environment to support the network traffic for your desktops.
  • A site-to-site VPN tunnel set up between your on-premises data center and the private cloud.
  • IP access from end-user subnets in your on-premises environment to the private cloud subnets.
  • AD/DHCP/DNS installed for your private cloud.

VMware Engine portal: Create a dedicated VLAN/subnet for desktop pools

Create a subnet for the Horizon desktop pools and assign it a subnet CIDR. For more information, see Create and manage subnets. This is the network where all the desktop VMs will run.

Follow standard security best practices to secure your Horizon deployment:

  • Allow only desktop RDP and SSH traffic to your desktop VMs.
  • Allow only management traffic between the Horizon management plane VLAN and the desktop pool VLAN.
  • Allow only management traffic from your on-premises network.

You can enforce these best practices by configuring firewall rules from the VMware Engine portal.

VMware Engine portal: Configure firewall rules to secure Horizon management plane

Set up the following rules in the portal. For more information, see Firewall tables.

  1. Configure firewall rules in the N-S firewall so that communication between on-premises subnets and the Horizon management VLAN is allowed only on the network ports listed in the VMware document Horizon port list.
  2. Create E-W firewall rules between the Horizon management VLAN and the desktop pool VLAN in the private cloud.
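The portal itself is where these rules are entered, but it helps to write the intended allowlist down in a form you can check before and after making changes. The following Python script is an added example (it is not Google's or VMware's code) that models the N-S and E-W rules from the two sections above and verifies the best practices: only on-premises sources reach the Horizon management VLAN, and only on management ports; only RDP/SSH reaches the desktop pool VLAN; and the table ends with an explicit default deny. The CIDRs, rule names and sample table are constructed for the example, and the management port set (443, 4172, 8443) is an assumption to be replaced with the ports from the VMware Horizon port list for your version.

```python
"""Firewall allowlist check for a Horizon management VLAN and desktop pool VLAN.

Added example; not part of the Google Cloud VMware Engine or Horizon products.
All subnets, ports and rules below are constructed for illustration.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed subnets: on-premises users, the management VLAN and the desktop pool VLAN.
ONPREM = ipaddress.ip_network("10.0.0.0/16")
HORIZON_MGMT = ipaddress.ip_network("172.16.234.0/24")
DESKTOP_POOL = ipaddress.ip_network("172.16.235.0/24")

# Assumed management ports; take the real list from the VMware Horizon port list.
HORIZON_MGMT_PORTS = {443, 4172, 8443}
# Desktop VMs should accept only RDP and SSH, as the best practices above require.
DESKTOP_PORTS = {3389, 22}


def rule(name, src, dst, ports, action="allow"):
    """Build one firewall rule as a plain dict with parsed networks."""
    return {
        "name": name,
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
        "ports": set(ports),
        "action": action,
    }


def check_rules(rules):
    """Return a list of violation strings; an empty list means the table conforms."""
    violations = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["dst"].subnet_of(HORIZON_MGMT):
            # Management plane: reachable from on-premises and from the desktop VLAN,
            # on management ports only.
            allowed_src, allowed_ports, label = (ONPREM, DESKTOP_POOL), HORIZON_MGMT_PORTS, "Horizon management VLAN"
        elif r["dst"].subnet_of(DESKTOP_POOL):
            # Desktop pool: reachable from on-premises users and the management VLAN,
            # on RDP/SSH only.
            allowed_src, allowed_ports, label = (ONPREM, HORIZON_MGMT), DESKTOP_PORTS, "desktop pool VLAN"
        else:
            continue  # rule does not target either VLAN; out of scope for this check
        # A source of 0.0.0.0/0 (internet) is never a subnet of the permitted networks.
        if not any(r["src"].subnet_of(s) for s in allowed_src):
            violations.append(f"{r['name']}: source {r['src']} is not permitted to reach the {label}")
        extra = r["ports"] - allowed_ports
        if extra:
            violations.append(f"{r['name']}: ports {sorted(extra)} are outside the allowlist for the {label}")
    # Deny by default: the table must end with an explicit any-to-any deny.
    if not any(r["action"] == "deny" and r["src"] == ANY and r["dst"] == ANY for r in rules):
        violations.append("table has no explicit default deny rule")
    return violations


# Constructed sample table; the second rule deliberately breaks the policy.
SAMPLE_RULES = [
    rule("ns-onprem-to-mgmt", "10.0.0.0/16", "172.16.234.0/24", [443, 4172, 8443]),
    rule("ns-internet-to-mgmt-rdp", "0.0.0.0/0", "172.16.234.0/24", [3389]),
    rule("ew-mgmt-to-desktops", "172.16.234.0/24", "172.16.235.0/24", [3389, 22]),
    rule("ew-desktops-to-mgmt", "172.16.235.0/24", "172.16.234.0/24", [443, 4172, 8443]),
    rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", [], action="deny"),
]

if __name__ == "__main__":
    for v in check_rules(SAMPLE_RULES):
        print("VIOLATION:", v)
```

Running the script reports two violations for the sample table, both from the `ns-internet-to-mgmt-rdp` rule: an internet-wide source reaching the management VLAN and RDP being outside the management allowlist. Removing that rule yields a conforming table, and dropping the final deny rule is flagged as a missing default deny.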

VMware Engine portal: Create a public IP address for Unified Access Gateway

Create a public IP address for the Unified Access Gateway appliance to enable desktop client connections from the internet. For more information, see Public IP addresses.

When the setup is complete, the public IP address is assigned and listed on the Public IPs page.

VMware Engine portal: Elevate privileges

The default CloudOwner user doesn't have sufficient privileges in the private cloud vCenter to install Horizon, so the user's vCenter privileges must be elevated. For more information, see Elevate privileges.

vCenter UI: Create a user in private cloud for Horizon installation

  1. Sign in to vCenter using the CloudOwner user credentials.
  2. Create a new user, horizon-soln-admin, in vCenter, and add the user to the administrators group in vCenter.
  3. Sign out of vCenter as the CloudOwner user and sign in as the horizon-soln-admin user.

vCenter UI: Install Horizon

As mentioned in the earlier logical architecture section, the Horizon solution has the following components:

  • VMware Horizon View
  • VMware Unified Access Gateway
  • VMware App Volume Manager
  • VMware User Environment Manager

Install the components as follows:

  1. Install and configure Unified Access Gateway.
  2. Install Horizon View in the private cloud.
  3. Install App Volume Manager.
  4. Install and configure User Environment Manager.

File a support request to upload VMware Horizon pre-packaged app volumes

As a part of the installation process, App Volume Manager uses pre-packaged volumes to provision app stacks and writable volumes. These volumes serve as templates for app stacks and writable volumes. To have the pre-packaged volumes uploaded to your private cloud, file a support request.

VMware Engine portal: Restore privileges

You can now restore the privileges of the CloudOwner user.

Ongoing management of your Horizon solution

You have full control over Horizon and App Volume Manager software in your private cloud environment and can perform all necessary software lifecycle management. Before you update or upgrade Horizon or App Volume, ensure that any new versions of software are compatible with the private cloud vCenter and PSC.

What's next