Architecting Horizon 8 powered by Amazon WorkSpaces Core

This article delves into the aspects of this deployment, providing insights into how organizations can optimize their Omnissa Horizon 8 virtual desktop infrastructure powered by Amazon WorkSpaces Core for performance, security, and scalability.

Published Oct 25, 2024

Introduction

In the recent webinar, "Presidio x AWS x Omnissa: Horizon on WorkSpaces Core," I shared the architecture and design considerations for deploying Horizon 8 powered by Amazon WorkSpaces Core. This article delves into the networking aspects of this deployment, providing insights into how organizations can optimize their virtual desktop infrastructure (VDI) for performance, security, and scalability.

Evolution of the Virtual Desktop

The evolution of virtual desktops has seen a shift from individual workstations to fully managed services like Amazon WorkSpaces Core. This transition offers improved security, reliability, and cost savings. Organizations can now leverage the security, performance, and rapid scalability of the AWS cloud while building on their existing investment in Horizon 8 through WorkSpaces Core.

Omnissa Horizon 8 with Amazon WorkSpaces Core

Omnissa Horizon 8 on Amazon WorkSpaces Core is a fully managed service that simplifies management, enhances security, and reduces costs. It integrates with WorkSpaces Core APIs, providing a unified, hybrid VDI solution. This allows organizations to manage their VDI deployments more effectively, eliminating the need for expensive hardware and software.
Organizations have two options for running Horizon 8 on AWS: Amazon EC2 and Amazon WorkSpaces Core. WorkSpaces Core, being a fully managed service, simplifies capacity planning and infrastructure management, allowing IT staff to focus on more strategic tasks. This combination provides flexibility, pre-built and custom images, GPU-enabled desktops, and simplified instance types, all while maintaining security and compliance.

Architecture and Design Considerations

When designing and implementing Horizon 8 on Amazon WorkSpaces Core, several architectural and design considerations are crucial for ensuring optimal performance, security, and scalability.
Here are some guidelines:
  • Integration with AWS Infrastructure: Horizon 8 integrates seamlessly with AWS infrastructure, leveraging WorkSpaces Core APIs to provide a unified, hybrid VDI solution. The Horizon Connection Server uses the Amazon WorkSpaces Core API to automate capacity management, provisioning, and deprovisioning of infrastructure. This integration allows administrators to deploy virtual desktops to the AWS cloud directly from the Horizon 8 Console, enabling end users to securely access their desktops through the Horizon 8 client application.
  • Network and Security: The architecture includes AWS Managed and Customer VPCs with private, transit, and public subnets, ensuring secure and efficient network traffic management. AWS Directory Service and AD Connector facilitate seamless integration with on-premises services, while Amazon Route 53 provides reliable DNS resolution.
  • Network Segmentation: Use security groups and network ACLs to control inbound and outbound traffic to and from the virtual desktops. Security groups act as virtual firewalls for that traffic.
  • Monitoring and Logging: Implement comprehensive monitoring and logging using AWS CloudTrail and Amazon CloudWatch. This provides visibility into user actions and helps detect and respond to potential security incidents.
  • Leverage Amazon RDS (Relational Database Service): Host SQL databases on Amazon RDS to ease management and to increase scalability and availability with Multi-AZ deployments.
  • Leverage Amazon FSx: Use Amazon FSx to offload the storage of user profiles, create network file shares, and provide network storage.
  • Operating System (OS) choice: Using BYOL (Bring Your Own License) Windows 11 OS images for Horizon 8 on Amazon WorkSpaces Core offers several benefits, including cost savings, a consistent user experience, and the flexibility to customize specific applications and settings. Using BYOL requires compliance with Microsoft licensing requirements; the WorkSpaces must run on dedicated hardware, and a /16 IP address CIDR is required for AWS management. This may require a minimum number of WorkSpaces per region.

Some Recommended Practices

  • Use Multiple Availability Zones: Distribute your Horizon 8 Connection Server and Unified Access Gateway resources across multiple Availability Zones to ensure high availability and fault tolerance. Load balance the servers using AWS Application Load Balancer.
  • Implement Least Privilege Access: Use AWS Identity and Access Management (IAM) to control access to resources. Define fine-grained permissions to ensure that only authorized administrators can access the resources to perform their tasks.
  • VPC Endpoints: Configure VPC endpoints to enable private connectivity to supported AWS services. VPC endpoints allow you to establish private connections to AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
  • Data Encryption: Ensure that all data in transit and at rest is encrypted using industry-standard encryption protocols. This protects sensitive information from unauthorized access.
  • Enable VPC Flow Logs: Use VPC Flow Logs to monitor the pattern of IP traffic going to and from a VPC, subnet, or network interface. This helps in network troubleshooting by capturing detailed information about the IP traffic going to and from network interfaces in your VPC.
  • Patch Management: Regularly patch and update the environment to protect against known vulnerabilities. This includes both the underlying AWS infrastructure and the Horizon 8 software.
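
One way to use VPC Flow Logs to check that the network segmentation described earlier actually holds, shown as an added example that is not part of the original article: it parses default-format flow log records and reports accepted flows into a desktop subnet from outside an allowed source tier, plus rejected attempts per source. The subnet CIDRs, account ID, interface IDs, and sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumed network layout, constructed for this example (not from the article).
DESKTOP_SUBNET = ipaddress.ip_network("10.20.8.0/22")     # virtual desktops
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]  # gateway/broker tier
EPHEMERAL_START = 32768  # heuristic lower bound for client-side ports

# Constructed sample records in the default format.
SAMPLE = """\
2 111122223333 eni-0a1 10.20.1.15 10.20.8.40 51514 443 6 120 98000 1729850000 1729850060 ACCEPT OK
2 111122223333 eni-0a1 10.20.8.77 10.20.8.40 49822 445 6 12 2400 1729850000 1729850060 ACCEPT OK
2 111122223333 eni-0a1 10.20.5.5 10.20.8.40 445 50233 6 40 61000 1729850000 1729850060 ACCEPT OK
2 111122223333 eni-0a1 10.20.30.9 10.20.8.40 40112 3389 6 3 180 1729850000 1729850060 REJECT OK
2 111122223333 eni-0a1 10.20.30.9 10.20.8.41 40113 3389 6 3 180 1729850000 1729850060 REJECT OK
2 111122223333 eni-0a2 - - - - - - - 1729850000 1729850060 - NODATA
"""

def parse(line):
    """Return one record as a dict, or None if malformed or not log-status OK."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def review(text):
    """Return (accepted flows that bypass segmentation, REJECT counts per source)."""
    violations, rejected = [], Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        src = ipaddress.ip_address(rec["srcaddr"])
        sport, dport = int(rec["srcport"]), int(rec["dstport"])
        if ipaddress.ip_address(rec["dstaddr"]) not in DESKTOP_SUBNET:
            continue
        # Records carry no initiator flag: treat service-port -> ephemeral-port
        # flows as replies to connections the desktop opened, and skip them.
        if dport >= EPHEMERAL_START > sport:
            continue
        if rec["action"] == "REJECT":
            rejected[rec["srcaddr"]] += 1
        elif not any(src in net for net in ALLOWED_SOURCES):
            violations.append((rec["srcaddr"], rec["dstaddr"], dport))
    return violations, rejected

if __name__ == "__main__":
    print(review(SAMPLE))
```

An accepted desktop-to-desktop flow, as in the second sample record, is the kind of result that points to a security group rule that is broader than intended.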

Conclusion

In conclusion, deploying Omnissa Horizon 8 on Amazon WorkSpaces Core provides a secure, reliable, and cost-effective solution for virtual desktop infrastructure (VDI). By integrating with AWS infrastructure and following best practices in network and security management, organizations can achieve a scalable and flexible VDI environment. This approach simplifies VDI management and offers a unified, hybrid solution that meets the diverse needs of modern enterprises.