Thursday, March 26, 2020

A Primer On NSX Advanced Load Balancer (Avi Vantage) For Horizon And Workspace ONE

NSX Advanced Load Balancer, formerly called Avi Vantage, is a solution VMware secured through the acquisition of Avi Networks.  A fully software-defined load balancer/application delivery controller, Avi Vantage adds L4 - L7 server load balancing to NSX, rounding out an already impressive SDN solution.  Overall, the Avi Vantage offering is a natural progression for VMware, a continuation of what the company has always been good at: replacing beefy, unwieldy, hardware-bound solutions with agile and efficient virtualization.

While the acquisition has been cause for VMware network geeks to rejoice, it's also a particularly exciting development for VMware's end user computing products, Horizon and Workspace ONE.  Traditionally these solutions have required the use of third party load balancers, which has been fine, though it does introduce a bit of complexity and another vendor to deal with. So, to start with, the Avi acquisition offers an opportunity to simplify the VMware EUC stack, along with the promise of a more tightly integrated load balancing solution.  In mid-March the release of UAG 3.9 added, "Qualified support for the AVI Networks load balancer used in front-ending Unified Access Gateway for Horizon."   Earlier in the year, a Reference Architecture For Horizon leveraging Avi Networks was released.  Further, there's this step by step configuration guide, Configure Avi Vantage For VMware Horizon. While these documents are quite exhaustive, I put together this post as a primer on Avi Vantage for Horizon admins.  The idea is to give folks a high level overview of how Avi Vantage plugs into the Horizon/WS1 stack and why it's relevant.

Why I'm So Giddy About Avi Vantage And Horizon


When it comes to VDI and App Publishing it's essentially a 2 company game: VMware vs Citrix.  The competition and rivalry is intense to say the least.  Large fortunes and entire careers fuel fierce debate, endless FUD, mud slinging, hyper bake offs and neurotic Excel spreadsheets filled with feature by feature comparisons.  Fear and loathing abounds with otherwise genteel engineers staring out through dead shark eyes, broken half bottles in hand, ready to cut ya!  At times it feels more akin to identity politics, fanatical sports rivalry or a downright Hatfields vs McCoys family feud.   As someone in the middle of this conflict I've always had to admit that Netscaler sounded like a pretty solid product.  For a while, the worst thing you heard about it was it's too expensive and offers more functionality than Citrix customers actually need.  However, with its latest vulnerability, Netscaler's stature as unquestionably awesome has come under scrutiny.  Combined with the notoriously bad treatment and support customers receive from Citrix, folks are really starting to wonder if it's worth the trouble to rely on them for this critical functionality.

More notably, both Citrix and VMware customers, being techies, are always looking for more innovative and smarter ways of handling things.   In the field of load balancing there hasn't been a lot of innovation or change, so in that regard Avi Vantage really stands out.  We're not talking about just P2V-ing a load balancer and patting ourselves on the back. With Avi Vantage we're talking about an elastic fabric that allows you to take advantage of the virtualization infrastructure you already have in place, whether it's across multiple data centers or even different cloud vendors.  Accordingly, Avi Vantage is a real shot in the arm for VMware's EUC stack in a couple of major ways.   First, by adding load balancing and application delivery controller capabilities to VMware's arsenal, it brings its EUC stack much closer to parity with what Netscaler and Citrix offer. Second, while Avi Vantage might not be at complete parity with Netscaler, it does a lot that Netscaler can't.   In light of the current pandemic and associated challenges this differentiator has some real teeth.  When firing up a new data center in the middle of a crisis do you want to wait on the purchase and shipment of new hardware?  Do you want to limp along with a virtual appliance that's a sub-par version of the load balancer you normally work with? Or would you rather walk through a few left clicks and right clicks on your Avi Controller, simply extending a fabric you already have in place?

No doubt, there will be plenty of debate over Netscaler + Citrix vs Avi Vantage + Horizon.  If reason and cooler heads prevail it won't be a simple debate, but instead a thought provoking and interesting one.


Avi Vantage Overview


At a high level, Avi Vantage is a software-defined load balancer/application delivery controller that functions across an entire enterprise, including separate cloud environments like AWS, Azure or Google Cloud.  Most relevant for typical Horizon shops, it integrates quite impressively with traditional on-premises vSphere environments.   It all begins with a software-based Avi Controller, the brains of the operation where all load balancing policies are defined.   The Controller, or controller cluster, essentially binds to your vSphere environment(s).  In turn, the Avi Controller manages and controls the placement across your vSphere infrastructure of the virtual machines that actually carry the virtual services, referred to as Avi Service Engines.  Based on instructions received from the Avi Controller, the Service Engines "perform load balancing and all client- and server-facing network interactions." They also collect "real-time application telemetry from application traffic flows." The Controller can automagically handle the setup and distribution of these Service Engines across the ESXi hosts within your vSphere environment, ensuring proper redundancy, capacity and workload distribution.

These Service Engines laid out across the vSphere infrastructure are what endpoint clients actually connect to and interface with.  They own the VIPs and handle traffic based on the virtual services and pools defined on the Avi Controller.  So essentially, you define the load balancing logic on the Controller, then the Service Engines act as minions that execute that logic for incoming client connections.  Note that the Controller itself is never in the data path; clients only ever talk to Service Engines.

The end result is an elastic load balancing solution that avoids the efficiency challenges that plagued traditional hardware-based load balancers.  The ability to automatically spin up Service Engines on the fly, scaling out VIPs horizontally as needed, allows for right-sizing.   Service Engines can be spun up or spun down in increments as small as 1 vCPU, 2 GB of RAM and 10 GB of storage.  Contrast this with redundant pairs of active/standby hardware appliances and this benefit of Avi Vantage becomes pretty compelling.

For more info check out this Architectural Overview for Avi Vantage.


Avi Vantage For UAG Appliances


The Reference Architecture for Horizon reviews 3 different methods for load balancing external traffic to UAGs. Factors such as the need for HIPAA compliance or whether you’ll have multiple clients behind a single NAT, at a remote site, determine which method is most appropriate. For this post, I’m going to review the first option, Single VIP with two virtual services.

Regardless of which option you go with, it all begins with a Horizon Client communicating with a virtual service hosted on Avi Service Engines.  Virtual services are comprised of IP and port combinations defined on the Avi Controller.  The client traffic is passed by these services to the optimal UAG appliance based on pools that have also been defined on the Avi Controller. Pools determine the ideal server to pass traffic to based on configuration such as server lists, health monitoring, load balancing algorithms and so on.

To illustrate, below is a graphic detailing the anatomy of a typical Horizon Blast session through a UAG appliance.  Initially you have the primary Horizon protocol handling authentication through XML structured messages over TCP 443.   Then you have the secondary Horizon protocol, Blast in this example, operating over TCP/UDP 8443.  (For an excellent primer on UAG load balancing and Horizon protocols check out this amazing post by Mark Benson.)

Accordingly, we have two virtual services to configure on Avi Vantage, one for the primary protocol and one for the secondary protocols.  Below is a screenshot from my own lab.   The virtual service Horizon_UAG_L7 is configured to accommodate the primary Horizon protocol operating over TCP 443, while Horizon_UAG_L4 is configured for both the PCoIP and Blast Extreme secondary protocols, which operate over TCP/UDP 4172 and TCP/UDP 8443 respectively.

These virtual services in turn are associated with a pool that determines server selection for incoming traffic based on configuration such as the load balancing algorithm, health monitoring and persistence profile.  

Finally, below is a screenshot of a custom Health Monitor that's created for Horizon.  The Health Monitor is associated with a pool and helps, "validate whether servers are working correctly and are able to accommodate additional workloads."

One of the key requirements of this entire setup is ensuring that users are routed to the same UAG appliance for both the primary and secondary protocols.  In a nutsh­ell, we have to ensure the same UAG appliance that authenticates a user is used for the display protocol traffic as well.  For a single Horizon connection, you can't have authentication against one UAG appliance and then display traffic flowing through a separate UAG appliance; the second appliance has no record of the authenticated session and the connection fails.  In practice this means the persistence configured for the L7 and L4 virtual services has to agree, and it's why "multiple clients behind a single NAT" is one of the selection criteria mentioned earlier: persistence keyed on client source IP pins every client behind that NAT to a single UAG, which keeps sessions intact but skews the load.
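To make the same-UAG requirement concrete, here is a small simulation of the "single VIP with two virtual services" layout described above. It is an added example, not code from the original post or from VMware/Avi. It assumes the two virtual services share one pool, and that the pool's persistence (when enabled) is keyed on client source IP; the VIP, UAG addresses and object names are constructed for illustration. It shows three things the text calls out: with shared client-IP persistence, a client's authentication (TCP 443) and display traffic (UDP 8443) land on the same UAG; with persistence switched off, a plain round-robin pool splits them; and many clients behind one NAT collapse onto a single UAG. It also models a health monitor marking the pinned UAG down, in which case the client is re-pinned to a healthy member for both protocols.

```python
"""Simulate client-IP persistence across the two UAG virtual services.

Added example; not code from the original post or from VMware/Avi.
All names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed UAG pool members (not real addresses).
UAG_MEMBERS = ["10.0.10.11", "10.0.10.12", "10.0.10.13"]


@dataclass
class Pool:
    """Pool: members, health state, a round-robin cursor and, when
    persistence is 'client-ip', a persistence table keyed on source IP."""
    name: str
    members: List[str]
    persistence: Optional[str] = None           # None or "client-ip"
    down: Set[str] = field(default_factory=set)  # members the health monitor marked down
    table: Dict[str, str] = field(default_factory=dict)
    _cursor: int = 0

    def healthy(self) -> List[str]:
        return [m for m in self.members if m not in self.down]

    def select(self, client_ip: str) -> str:
        healthy = self.healthy()
        if not healthy:
            raise RuntimeError(f"pool {self.name}: no healthy members")
        if self.persistence == "client-ip":
            pinned = self.table.get(client_ip)
            if pinned in healthy:               # honour the existing entry
                return pinned
        # Round-robin over healthy members: used when there is no persistence,
        # no entry for this source IP yet, or the pinned member is down.
        member = healthy[self._cursor % len(healthy)]
        self._cursor += 1
        if self.persistence == "client-ip":
            self.table[client_ip] = member      # (re)pin this source IP
        return member


@dataclass
class VirtualService:
    """VIP plus service ports bound to a pool, e.g. Horizon_UAG_L7 on TCP 443."""
    name: str
    vip: str
    services: Tuple[Tuple[str, int], ...]
    pool: Pool

    def accept(self, client_ip: str, proto: str, port: int) -> str:
        if (proto, port) not in self.services:
            raise ValueError(f"{self.name} does not listen on {proto}/{port}")
        return self.pool.select(client_ip)


def build_single_vip(persistence: Optional[str]) -> Tuple[VirtualService, VirtualService]:
    """'Single VIP, two virtual services': both VSs share one pool, so one
    persistence table serves the primary and the secondary protocols."""
    pool = Pool("UAG_Pool", list(UAG_MEMBERS), persistence)
    l7 = VirtualService("Horizon_UAG_L7", "203.0.113.10", (("tcp", 443),), pool)
    l4 = VirtualService("Horizon_UAG_L4", "203.0.113.10",
                        (("tcp", 4172), ("udp", 4172), ("tcp", 8443), ("udp", 8443)), pool)
    return l7, l4


def horizon_session(l7, l4, client_ip, secondary=("udp", 8443)):
    """One Horizon login: XML-API authentication over TCP 443, then the
    display protocol (Blast on UDP 8443 by default). Returns (auth_uag, display_uag)."""
    primary = l7.accept(client_ip, "tcp", 443)
    display = l4.accept(client_ip, *secondary)
    return primary, display


def affinity_violations(l7, l4, client_ips, secondary=("udp", 8443)):
    """Clients whose authentication and display traffic hit different UAGs."""
    bad = {}
    for ip in client_ips:
        auth_uag, display_uag = horizon_session(l7, l4, ip, secondary)
        if auth_uag != display_uag:
            bad[ip] = (auth_uag, display_uag)
    return bad


def nat_distribution(l7, l4, nat_ip, n_clients):
    """n clients behind one NAT all present the same source IP; returns
    how many sessions each UAG ended up with."""
    counts: Dict[str, int] = {}
    for _ in range(n_clients):
        auth_uag, _display = horizon_session(l7, l4, nat_ip)
        counts[auth_uag] = counts.get(auth_uag, 0) + 1
    return counts


if __name__ == "__main__":
    clients = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    print("client-ip persistence:", affinity_violations(*build_single_vip("client-ip"), clients))
    print("no persistence:       ", affinity_violations(*build_single_vip(None), clients))
    print("50 clients behind NAT:", nat_distribution(*build_single_vip("client-ip"), "198.51.100.200", 50))
```

With persistence enabled the first call returns an empty dict; with it disabled every client in the list is reported, because the round-robin cursor advances between the 443 and 8443 selections. The NAT case returns all fifty sessions on one member, which is the trade-off the reference architecture's other two methods exist to address.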

This has been a very basic high level overview of what's involved in load balancing UAG appliances through Avi Vantage.  For more details and step-by-step guidance, check out the Reference Architecture For Horizon along with Configure Avi Vantage For VMware Horizon.   Again, three different methods to choose from, based on the specifics of your use case, are detailed in this documentation.


Horizon Connection Server 


Traditionally load balancers have always been a requirement for Horizon Connection Servers, with at least two Connection Servers needed to ensure redundancy for a production caliber deployment.  So for a typical Horizon deployment with UAG appliances you'll need load balancing in front of the UAG appliances as well as in front of the Connection Servers.  Below is a helpful image to illustrate:

As you might imagine, accommodating this model is pretty much a slam dunk for Avi Vantage.  Setting up load balancing for the Horizon Connection Servers is very similar to that for the UAG appliances.  As with UAG appliances, you'll configure a virtual service (or services), a pool and a health monitor, then you're off to the races.  For detailed step by step instructions on configuring Avi Vantage for Horizon Connection Servers, check out this section of the Reference Architecture For Horizon.

For those familiar with UAG's built-in load balancing-ish capability referred to as High Availability, note that HA for UAG doesn't include load balancing for the Horizon Connection Servers, just rudimentary load balancing for the UAG appliances themselves.  This is a major advantage Avi Vantage offers over HA, though certainly not the only one.


Global Load Balancing For Always On Point Of Care Architecture


Always On Point Of Care is an architecture that's been around for about 9 years now.  The basic idea is to provide a fully redundant, bullet-proof Horizon deployment.  Essentially, you stand up two separate Horizon environments that share no interdependencies, so that theoretically you could lose an entire site but still have Horizon services available.   Key to this model is a global load balancing solution that sits in front of the two sites, routing the client connections to the separate Horizon environments.   Historically, this functionality has been handled by our load balancing partners. 

Nowadays, rather than leaning on a partner, we can leverage Avi Vantage for global load balancing.  The documentation refers to this global load balancing feature as Avi GSLB.  For more details on configuring Avi GSLB for Horizon, check out GSLB In Avi Vantage For Horizon.  Here's an awesome looking graphic on this deployment model for APOC that I stole from the Avi Networks website:

App Volumes


Avi Vantage also supports the Always On Point Of Care model by providing load balancing for App Volumes.  Load balancing has always been a requirement for App Volumes redundancy and scaling. You have multiple, essentially stateless App Volumes Managers that share a common database, sitting behind a load balancer.  Load balancing for App Volumes is briefly covered in the Avi Reference Architecture for Horizon.  For reference you can also check out the F5 guide, Load Balancing VMware App Volumes.

Client Connection Breakdown 


Depending on the deployment method you go with, Avi Vantage can offer a nifty little breakdown of the session health for individual connections. It can distinguish latency between the remote client and the Avi Service Engine from latency between the Service Engine and the back end server. It can also account for fast or slow application server response time. This promises to come in handy when trying to get to the bottom of latency encountered by your Blast connections through UAG, since it tells you whether the problem sits on the client side of the VIP or on the data center side.

WS1 Use Cases


With official support for Horizon access already in place, it seems like only a matter of time before there's official support for the WS1 UEM services on UAG like Secure Email Gateway (SEG), VMware Tunnel and Content Gateway.    Further, the resources these services provide access to - email, intranet sites, SharePoint, etc. - are the more typical types of servers Avi Vantage has always been able to accommodate.   So just as for the Horizon use case, you'll have front-ending for the UAG appliances along with load balancing for on-premises resources.

vIDM Connector 


While it's kind of a niche scenario, there are situations that require load balancing for the vIDM Connector, such as when it's used for Kerberos authentication.  I'm not aware of any official support but there's no reason to believe Avi Vantage can't provide load balancing for vIDM Connectors.

Conclusion


This is the most excited I've been about a VMware acquisition since AirWatch.  Along with all the practical capabilities that Avi Vantage brings to the EUC stack in the here and now, there's all the speculation about what it might be built to do in the future.  There are 2 or 3 different scenarios that consistently pop up when I speculate with old timers over what VMware might do with Avi Vantage to further enhance the EUC experience.  I'm not going to go into that here, but I'm confident I'll be writing about such enhancements in the future.