Cloud Pod Architecture with F5 LTM or NSX

In 2014, VMware announced a new feature in Horizon 6 called Cloud Pod Architecture. This feature lets you run Horizon-based VDI/Remote Apps from multiple data centers and lets the maximum number of desktops exceed 10,000 per Horizon implementation (by setting up multiple PODs with 10,000 desktops each). To use this feature, it is a best practice to set up load balancing as well and, in the case of geographically separated data centers, a load balancer with support for global traffic management. F5 has such a module next to their Local Traffic Manager (LTM). But what about NSX, the network virtualization software that has a load balancer included in the solution? Can you use that in conjunction with Cloud Pod Architecture (CPA) as well? In this post I will explain the functionality of CPA and why/where you would want to add a load balancer with specific functions.

What is Cloud Pod Architecture?

Well, first watch these three short instruction videos so you know what it is and how it should work.

To get CPA to work in a normal/common practice way, you need some prerequisites to be in place:

  • A minimum of 2 PODs
  • Horizon 6+
  • Redundant hardware in each POD (hosts, networking, storage, etc.)
  • Local load balancing
  • Global load balancing
  • Session persistence

All of this assumes that you use Horizon 6+ in combination with Security Servers for external connections, which are paired to Connection Servers.

Take a look at the following figure.

Figure 1: CPA with GTM

The top-level Virtual IP (VIP) is used (with an FQDN) by every external device to connect to an available desktop. F5’s Global Traffic Management (GTM) is used to automatically balance the load between the two geographically separated PODs. F5’s Access Policy Manager (APM) is used to create session persistence when users disconnect and reconnect their session (so they aren’t sent to the wrong POD and given a new desktop while there is a disconnected session in the other POD). Both PODs have F5’s Local Traffic Manager modules to locally load balance the Security Servers for external connections. Connection Servers can also be behind an F5 LTM to balance connections for internal users.

Take a look at this blog post for more information about F5 and Cloud Pod Architecture:

Since Horizon 6, a lot has happened. CPA got more mature, the Access Point appliance was born and Horizon 7 with a new protocol called Blast Extreme entered the game. Oh, and don’t forget NSX, which we see more and more at customers to implement micro-segmentation at the virtual desktop level. Really cool stuff.

So what has changed in the architecture?

Take a look at the following figure.

Figure 2: Load balancing of a single POD

In this picture we see a single POD. On the left side it is configured with LTM load balancing and traditional Security Servers. Each Security Server is directly paired with a Connection Server. On the right side, LTM load balancing is used in combination with Horizon Access Points (APs). APs aren’t linked to a single Connection Server, but to an FQDN. And that’s where the fun part starts. That FQDN could be that of a single Connection Server or of a couple of Connection Servers that are behind an LTM load balancer as well.

Because the APs aren’t paired to a Connection Server, the Connection Servers can be used for both internal and external connections (while dedicated Connection Servers were needed for internal connections before the AP was born).

The next great thing about Horizon 7 is the Blast Extreme protocol, which gives the user a great User Experience (almost comparable to PCoIP), but over the HTTPS protocol instead of a dedicated TCP/IP Port. This is an important part when looking at other possibilities for load balancing.

So how to use these new features with CPA?

No real new documentation has been released around CPA and these new features. But a lot of new possibilities arose when these new features came out, and that includes new possibilities for CPA. F5’s BIG-IPs are common practice with CPA, but is that still necessary? The answer (of course) is: it depends. When all the right factors are in place, it is possible to use only LTM, or maybe even NSX with its load balancer.

To use only LTM, the following prerequisites must be met:

  • A minimum of 2 PODs
  • Horizon 7 (although 6.2 might also work in certain situations)
  • Redundant hardware in each POD (hosts, networking, storage, etc.)
  • A stretched VLAN (over both data centers) in which load balancers can be connected (based on VXLAN or Cisco’s OTV)
  • F5 LTM with an external VIP and an internal VIP (or another LB that supports the required features; take a look at this post by Mark Benson for more info)
  • A stretched management cluster
  • Horizon 7 Access Points
  • Blast Extreme (so no PCoIP)

Take a look at the following figure.

Figure 3: CPA with only LTM

As you can see in figure 3, the top-level load balancers are placed in a stretched layer 2 DMZ network. You could choose either active/passive or active/active load balancing. In my case I have chosen active/passive to consolidate all incoming connections and avoid more cross-site connections.

For an assumed number of 2000 maximum connected sessions, we deployed 2 active APs and one passive AP. The load balancer is set up with a pool containing the 3 APs, where 1 and 2 have a higher priority. In case DC 1 fails, AP3 will accept disconnected sessions and redirect them to their desktop. AP1 and AP2 will be restarted by HA in DC2 and within a couple of minutes all APs will run from DC2. Make sure to add DRS anti-affinity groups in combination with DRS host groups. Also make sure to have Storage DRS enabled with datastore groups and, again, anti-affinity rules.

As mentioned earlier, Security Servers are paired with Connection Servers on a 1-to-1 basis. APs don’t do that. An AP is linked to a namespace instead. As you can see in figure 3, all APs point to a VIP on a secondary layer of load balancers that contains a pool of Connection Servers. This means that the APs tunnel an incoming connection to the VIP, which in turn balances the connection to a single Connection Server in the pool. The Connection Server first checks in its own POD and, if needed, in the other POD(s) whether there is an available (or existing) desktop. If there is a desktop available, the incoming connection is tunneled to the desktop and the user is happy.

In this case, no APM module is needed because all sessions are virtually tunneled from one data center. And those sessions are known as long as they exist in either POD.

Please keep in mind that in the above situation only HTTPS (Blast Extreme) traffic is load balanced and tunneled.

The following figure outlines the steps that are described in the above section.

Figure 4: Cloud Pod Architecture Flow

  1. A user requests a session and is pointed to the external VIP of the APs.
  2. The active LTM LB sends the session to one of the APs in the pool.
  3. The AP forwards the session to the VIP of the internal URL.
  4. The LTM LB sends the session to one of the Horizon Connection Servers.
  5. The Connection Server returns a desktop to the user from one of the two PODs.

How would this situation work in a DC failure?

In case of a DC failure, certain steps are taken automatically so that traffic is routed and availability of the service is retained.

First of all, if the secondary DC is down, only active connections to the desktop will fail. If a user reconnects to Horizon, they will receive a desktop in the active DC.

But what happens if the primary DC fails? The following figures outline the steps that are automatically taken.

Step 1: The primary DC fails.
Figure 5: The primary DC fails

If the primary DC fails, the passive load balancer becomes active and automatically picks up new sessions. The existing sessions from the load balancer in DC 1 are killed. The AP in DC 2 directs the connections to the newly active load balancer in front of the Connection Servers, which sends them to an available one.

Step 2: vSphere HA boots up APs.
Figure 6: vSphere HA boots APs in DC 2

As the management cluster is stretched, APs that were running in DC 1 are now booted in DC 2. They will automatically pick up new connections as soon as the load balancer notices that they are online.

Step 3: Primary DC restores.
Figure 7: Eventually DC 1 restores again

When the primary DC becomes available again, the POD in that DC boots up and will accept incoming connections from the active load balancer in the secondary DC.
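
The pool design (AP1 and AP2 with a higher priority, AP3 as passive member) and the failure steps above can be modelled in a few lines. This is an added example, not code from the original post or from F5: the member names follow the post, while the priority values, the `min_active` threshold and the activation rule (a lower-priority group joins only when fewer than `min_active` higher-priority members are healthy) are assumptions used for illustration.

```python
"""Added example: model of a priority-based LB pool through the DC-failure steps."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    priority: int      # higher value = preferred group (assumed values)
    site: str          # data center the VM currently runs in
    healthy: bool = True


def active_members(pool, min_active=1):
    """Return the names of the members that receive new sessions.

    Groups are activated from highest priority downwards until at least
    `min_active` healthy members are available (assumed activation rule).
    """
    chosen = []
    for prio in sorted({m.priority for m in pool}, reverse=True):
        chosen += [m.name for m in pool if m.priority == prio and m.healthy]
        if len(chosen) >= min_active:
            break
    return sorted(chosen)


def fail_site(pool, site):
    """Mark every member running in `site` as down (health monitor fails)."""
    for m in pool:
        if m.site == site:
            m.healthy = False


def ha_restart(pool, from_site, to_site):
    """vSphere HA restarts the failed members in the surviving site."""
    for m in pool:
        if m.site == from_site and not m.healthy:
            m.site, m.healthy = to_site, True


def build_pool():
    # Constructed layout following the post: AP1/AP2 active in DC1, AP3 passive in DC2.
    return [Member("AP1", 10, "DC1"), Member("AP2", 10, "DC1"), Member("AP3", 5, "DC2")]


def run_failover(min_active=1):
    """Walk through normal operation, the DC1 failure and the HA restart."""
    pool = build_pool()
    timeline = {"normal": active_members(pool, min_active)}
    fail_site(pool, "DC1")
    timeline["dc1_failed"] = active_members(pool, min_active)
    ha_restart(pool, "DC1", "DC2")
    timeline["after_ha"] = active_members(pool, min_active)
    return timeline


def single_ap_loss(min_active):
    """Only AP1 fails: the activation threshold decides whether AP3 takes sessions."""
    pool = build_pool()
    pool[0].healthy = False
    return active_members(pool, min_active)


if __name__ == "__main__":
    for step, members in run_failover().items():
        print(f"{step:11s} -> {members}")
    print("AP1 down, min_active=1 ->", single_ap_loss(1))
    print("AP1 down, min_active=2 ->", single_ap_loss(2))
```

With a threshold of 1, the passive AP only takes sessions when both active APs are gone; with a threshold of 2, the loss of a single active AP already pulls AP3 into rotation, which matters when sizing for the assumed 2000 sessions.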

How would NSX fit in this situation?

Take a look at the following white paper: NSX-EUC Design Guide – v1.0.1.pdf

As you can see, NSX contains a load balancing function as well. And because only HTTPS traffic is tunneled and load balanced, there are more load balancers that could fulfill this requirement.

With this blog post I hope I gave you an idea of how to achieve Cloud Pod Architecture based on a single pair of Active/Passive or Active/Active load balancers.

If you have any questions, please let me know.

Review of VMworld 2016 in Las Vegas

2016 is a year full of highlights with stuff like the EUC Champion program and my road to VCDX. And the VMworld conference in Las Vegas is also one of them. This post is my review of this year’s US version of VMworld and I would like to explain why it’s one of my highlights.

This year’s VMworld US Edition was held in the Mandalay Bay Hotel in Las Vegas due to maintenance in the Moscone Center in San Francisco. And Las Vegas alone is quite something. I’ve been there before at the 2012 VMware Partner Exchange, but back then I wasn’t really part of the community yet. So I didn’t visit any gatherings other than the appreciation party.

VMworld 2016

Break-out Sessions

To most people, a VMworld is all about gathering knowledge. And that is of course one of the reasons why the conference exists. With hundreds of speakers and sessions and more than 20,000 attendees, there is something for everyone to learn. For me, attending sessions was also one of the goals. And mostly to gather extensive knowledge on specific topics. The following sessions were my personal favorites:

Ask the Experts: Practical Tips and Tricks to Help You Succeed in EUC [EUC9992]

Our very own EUC Champion session at VMworld. Basically a panel that answered questions which were asked through an interactive website. Hundreds of attendees including Shawn Bass could ask everything they wanted to know and could earn beer by doing so. It was really awesome being part of this session and hopefully we will make it to Barcelona as well for a European re-run.

Architecting VSAN for Horizon the VCDX Way [EUC8648R]

The title says it all. When you are thinking of designing and deploying VSAN for Horizon, this is a must-see. In my case also for a second reason, as I submitted my design for VCDX-DTM. I’m not using VSAN, but still it’s a great session to hear about the experience of Ray Heffer and Simon Long. Both are VCDX-DTMs and great speakers. This session will be available in Barcelona as well.

Advances in Remote Display Protocol Technology with VMware Blast Extreme [EUC7601R]

Blast Extreme is VMware’s new protocol for client endpoints that will connect to Horizon for both desktops and RDSH applications. What is Blast, how should I use it and tune it, and what are the differences between PCoIP and Blast Extreme? A great session which will be available in Barcelona as well.

Beyond the Marketing: Horizon Instant Clones Deep Dive [EUC8203]

InstantCloning, VMfork, Project Fargo, Just-in-Time desktops. All names that refer to VMware’s new technology that simplifies the creation of virtual desktops, reduces their lifecycle and thus makes sure that managing them is no longer challenging. Peter Björk and Jim Yanik explain how it works, what it’s capable of and what the downsides are. The session was recorded and will be placed on YouTube. It will also be available in Barcelona.

vSphere 6.x Host Resource Deep Dive [INF8430]

One of the true technical deep dives during this year’s VMworld. Frank Denneman and Niels Hagoort explain in detail how to configure both hardware and software to make your hosts run more efficiently than before. Frank dives deep into the NUMA configuration and Niels talks about how to configure your network correctly in order to get the most out of it. Two of a lot more topics that will be discussed in their upcoming book with the same title. The session will be held in Barcelona as well and is a must-see for every consultant, architect and administrator.

General Sessions

Besides the break-out sessions there were of course the two general sessions, with a focus on strategy in the first session starring Pat Gelsinger. The second session was more about technology with some announcements around new features and functionality, which were presented by Sanjay Poonen, Kit Colbert, Yanbing Li and Ray O’Farrell. As I am more technology-minded, I really enjoyed the second general session although no real big announcement was made. Let’s hope that the general sessions in Barcelona will bring more news.

Solutions Exchange

One of the attractions during VMworld is the solutions exchange: a giant room that contains booths of a wide variety of vendors that are operating in the ecosystem of VMware. Examples are storage vendors like Simplivity and NetApp, network vendors like Cisco and Arista and software solutions like Stacksware and LoginVSI. The solutions exchange is the place to be to talk to specialists that represent the vendor.

Meeting friends and making new friends

This is probably the funnest of all. In the Netherlands we have a strong community around VMware with lots of people who have an active role through blogging, presenting and meeting each other at regular vBeers, organized in places such as Amsterdam and The Hague. And meeting each other on the other side of the Atlantic in a city like Las Vegas is almost a guarantee for fun. And so it was 🙂 I would like to thank all of the Dutchies that were at VMworld this week for a great week, but in particular Marco van Baggum, Frank Denneman and Niels Hagoort. And this makes a nice bridge to the next section.

Gatherings and parties

VMworld in general is a guarantee for great gatherings and parties. Most vendors organize something like a dinner or a party, and there are also nice events like the opening of the solutions exchange, the hall crawl and of course the VMworld Appreciation Party with nice music, drinks and food and stuff like video games. Some great parties we visited that are worth mentioning:

VMUG Party – By far the greatest party we had, with lots of drinks, an air-guitar contest and a mystery-guest appearance by Michael Dell.

The VMware HCI-SDS party – Nice party with again lots of drinks, a great band and we got to meet people like Kit Colbert, Mike Foley and Lee Dilworth.

The CXI Party – One of the less-known parties, but still a nice one. Mostly because of one of the best places to check out Las Vegas: the 59th floor of the Cosmopolitan hotel.

VMvillage (The Area Formerly Known As Hangspace)

Basically, the place to be if you would like to chill, meet people in a laid-back atmosphere and watch the general sessions in a more-horizontal position.

There are also other community-related booths like the VMUG booth, the vBrownbag sessions and the VMware Education booth. All nice places to gather information or just have a nice conversation about stuff like the VCDX program 🙂

EUC Champions Program

The number one thing that I travelled 18 hours for was the EUC Champions “Meet the Experts” session and the half-day meeting that was crammed with sessions including speakers like Mark Benson, Shawn Bass, Pat Lee, Harry Labana and many others. By far the best day of VMworld (unfortunately I’m not allowed to share why :), but believe me, it was). Thanks again VMware and above all Cyndie Zikmund for arranging this!

Perks and swag

As I mentioned earlier, a lot of vendors are showing their products at the solutions exchange. Some of those vendors also bring nice goodies, especially if you are a vExpert or EUC Champ. I would like to thank Cohesity for their awesome VMworld-survival pack, NVIDIA for their great soft-shell jacket and Datrium for the Raspberry Pi!

So, VMworld is over. Jetlag mode is set to enabled and normal life continues. Next Monday I will continue working on the most awesome project in my career. None of this would have been possible if I hadn’t made the choice of applying for a job at ITQ. So if you would like to live this crazy ITQ-life as well, maybe you should apply for a job.

VMworld 2016: What’s new in Horizon 7.0.2?

One of the two best weeks of the year is in progress: VMworld 2016, and this year’s US version is located in Las Vegas. Traditionally, a lot of announcements were made around new features and new products. Let’s find out what’s new in Horizon 7.0.2.

Blast Extreme

  • Support for over 60 thin/zero clients by Dell, HP, Igel, 10ZIG, Fujitsu and Atrust
  • GRID GPU support for NVIDIA GRID K1, K2, M6, M10 and M60 cards, including an H.264 encoder option for lower CPU consumption and increased scalability (less latency, 4K support and 6-13% better FPS).
  • Bandwidth optimization and controls (for stuff such as bandwidth cap per user, H.264 encoder quality levels and audio level).
  • SteelHead support for application and networking optimization.
  • vRealize Operations support with session statistics (Round Trip Latency, encode frame rate, throughput and estimated bandwidth)
  • UEM SmartPolicies

  • Intel vDGA Graphics support with Intel Skylake GPU

RDSH Hosted Apps

  • Realtime Audio/Video support for applications (webcam and audio support on HTML Access, Windows, Linux and MacOS).
  • Generic USB redirection support (Windows client only).
  • Support parameter pass-through in RDSH apps (launch RDSH apps with dynamically generated parameters such as a SAML token).

Client improvements

  • URL content redirection for MacOS client.
  • Windows Media MMR is now supported for Linux-based Thin Clients

  • File upload and download for the HTML Access client
  • Windows 10 UWP client (supports client hardware like Raspberry Pi, several Windows-based thin clients and HoloLens!)
  • The Android client will be ready for Nougat.
  • The iOS client will get iOS 10 support (including support for the Swiftpoint GT mouse, how cool is that!?)
  • Increased clipboard size for multiple clients
  • All clients have updated OpenSSL for enhanced security.


  • Official Windows Server 2016 and Windows 10 support for Virtual Desktops and RDSH servers.
  • Ability to map one certificate to multiple accounts, so one smartcard can be used and one certificate on that smartcard can be mapped to multiple users.
  • DPI Synchronization so remote content can be displayed pixel-to-pixel in 4K.