Enterprises have several options for deploying virtual desktops, and that’s good news. However, IT strategists and cloud architects face tradeoffs with each choice, and it’s critical to understand the implications of those tradeoffs to ensure a good fit for your requirements. In short, cloud desktop architecture matters. In this blog, I’ll discuss the architectural differences between the options and what they mean for end-user computing in enterprise organizations.

First, here’s some basic VDI terminology. The “control plane” is responsible for provisioning resources, policies, user entitlements, brokering and sometimes monitoring. The “data plane” is the path between the user and their virtual desktop or app; it can include a gateway that enables remote access. Figure 1 below highlights the five major approaches to virtual desktops and the architectural characteristics of each.
Figure 1: The five major approaches to virtual desktops. Each has tradeoffs to consider.
Here are the five approaches to virtual desktops defined:
- Legacy VDI (Integrator): The customer can buy software from the vendor and use an integrator to develop and deploy their solution. This is a single-tenant solution designed to be deployed in a single data center.
- Legacy VDI (Hoster): The customer can “rent” virtual desktops as a service from a hosting provider who runs the VDI stack on their behalf. This is a single-tenant solution designed for a single data center.
- Broker as a Service: The customer can use an integrator to take a vendor’s virtual desktop broker service and create an integrated solution. Many broker as a service solutions are multi-tenant. However, the service provided by the integrator may be limited to a single data center, because the broker itself is installed in only one data center and therefore performs well only for desktops in that data center.
- Desktop as a Service: This is a turnkey service built on a multi-tenant architecture. However, there are limitations to enterprise customizability because of the integrated control/data plane.
- Cloud Desktop Fabric™: Workspot’s architecture innovation uniquely uses the globally distributed public cloud to create a global fabric of cloud desktops across cloud regions. The key architectural difference is that the control and data planes are separate in the Cloud Desktop Fabric.
So why is a separated control/data plane so critical to taking advantage of a globally distributed public cloud? Why does cloud desktop architecture matter?
Fundamental Change in Infrastructure
Legacy VDI architecture made sense in 2009, when most customers operated one or just a few data centers. During this time, IT’s focus was on vertical scalability problems, i.e. how does IT scale up to more users within a single data center?
But today the problem has changed entirely. Now with the public cloud, IT teams essentially have access to dozens, and in the future, hundreds, of data centers. This is what the public cloud affords them, and it’s this fundamental change in infrastructure that is driving the need for a new virtual desktop architecture.
Figure 2: Infrastructure changes drive the need for a new virtual desktop architecture
The Focus for IT has Shifted
Today the technology decisions IT teams make are absolutely fundamental to an enterprise’s ability to grow, and the key considerations have changed:
1) Instead of packing more users into a single data center, IT has the opportunity to deliver a cloud desktop service from dozens of data centers globally.
2) IT is evolving from an operator of a few data centers to a strategic, global service provider for internal business units.
3) Users can be anywhere now. Market pace and business drivers such as M&A and global enterprise footprints mean that IT can no longer plan on predictable and unchanging locations for users.
This is why the focus has shifted to horizontal scalability. Now IT teams need to ask: How can we take advantage of the massive scale of the global public cloud and easily deploy resources across dozens of data centers? Horizontal scalability becomes even more important as faster and more ubiquitous networks, such as 5G, are rolled out. By locating resources in the region closest to each end-user, IT can deliver much better performance.
So as IT evolves into a global service provider, the legacy VDI architecture, designed for a single data center, just doesn’t fit the requirements moving forward. What other architectures are available to IT?
Analogy: Control/Data Plane Separation in Software-Defined Networking
Figure 3: The evolution of Software-Defined Networking is analogous to VDI architecture evolution.
An analogous concept is how traditional networks evolved into the Software-Defined Network. In a traditional network, the control and data planes are tightly integrated. The whole stack (aka “control and data planes”) must be replicated in every location. Simple changes to the control plane become prohibitively difficult because upgrades to the control plane affect the data plane also. In layman’s terms, the network is impacted for every change made and each change has to be made to each office in the enterprise – independently.
Companies like Meraki (WLAN) and Nicira (Networking) revolutionized networking by separating the control and data planes. Access points became stateless physical devices that could be “programmed” from the cloud. No longer does IT have to manually configure each access point. They can create a configuration in the cloud, send an access point to an office and anyone can plug it in. Once plugged into the network, the access point dynamically configures itself. This simplifies deployment and ongoing IT operations on a global and distributed scale.
The same control/data plane separation needs to occur in the VDI architecture to take advantage of the public cloud’s massive scale without increasing load on IT operations. This is why we cannot emphasize enough the importance for IT decision-makers to understand the implications of different VDI architectures. Let’s review the currently available architectures and how they impact IT’s ability to manage a globally available service.
Legacy VDI: Control/Data Plane Integration
In legacy VDI, the control and data planes are integrated. They are designed to run single-tenant, in a single data center environment (Figure 3 represents the customer domain). Because of this architecture, the implementation can meet the requirements of leveraging the existing corporate image, corporate tools, corporate authentication, and corporate IT processes. However, there are also serious drawbacks. An integrated control/data plane results in limited scalability and poorer availability. The typical VDI control/data plane stack cannot scale beyond a few thousand users. And if the control plane is unavailable for any reason, the entire system is unavailable.
Figure 4: Control and data planes are integrated in Legacy VDI
The entire stack – control and data plane – needs to be replicated (often within the data center) every time a few thousand users are added and must always be replicated in each additional data center. As a result, most IT organizations must have a dedicated team of specialists to constantly manage the complexity that comes with this level of deployment.
Figure 5: The entire stack must be replicated in each data center or cloud region.
DaaS Solutions: Control/Data Plane Integration
Figure 6: Traditional DaaS solutions continue to run on an integrated control/data plane architecture
Most DaaS vendors have implemented multi-tenancy, yet retained the integrated control/data plane architecture. With this type of solution, multiple customers can use the service, but they share both the control and data planes. This control/data plane integration makes it challenging for the DaaS provider to enable corporate images for desktops, corporate tools, corporate authentication, etc. In some cases, the DaaS provider’s change management process to update Windows may take weeks. If the DaaS provider has multiple global data centers with the service, then IT can run independent DaaS operations in each data center to achieve global reach. However, IT must then manage data centers independently, which introduces the complexity that comes from managing siloed operations. IT cannot manage their entire desktop infrastructure from a single console, and will face other issues like configuration drift, and siloed monitoring and troubleshooting.
So the typical DaaS solution is good for IT organizations that want a hosted service, do not need any customizations, and are open to a generic “one-size-fits-all” service in a single region.
Broker as a Service Solutions: Partially Separated Control/Data Plane
Figure 7: Newer Broker as a Service solutions support customization but may have security & performance drawbacks
Broker as a service solutions have partially split the control/data planes. Unlike traditional DaaS, with a modern broker as a service solution, IT can now use some of their corporate processes, corporate tools, and corporate images. There may be some limitations to security customizations because of the shared gateway that is used across tenants. Also, since brokers are installed in a single data center, performance is best if the desktops exist in the same data center as the broker. However, if the users are closer to another data center without the broker, then expect additional latency, as traffic must flow from the user to the broker’s data center to the desktop data center. This is also known as “tromboning.” Alternatively, the broker must be replicated in each data center to mitigate latency.
So the typical broker as a service solution is good for IT organizations that prefer using integrators for deployment, have desktops within the same data center as the broker or are OK with longer latencies impacting user experience, and for organizations that have flexible security requirements.
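The “tromboning” path described above is easiest to reason about with numbers. The following is an added illustration, not code from Workspot or any other vendor: it compares the path a session takes when every connection must enter through one broker region against the path when the gateway sits in the desktop’s own (closest) region. All latency figures are constructed sample values, not measurements, and the region and location names are placeholders.

```python
"""Toy latency model for broker placement (added example, constructed data).

Values are one-way milliseconds; the user-perceived round trip is roughly
double. None of the numbers below are measurements.
"""

# Constructed one-way latencies from each user location to each cloud region.
LATENCY_MS = {
    "london":   {"eu-west": 8,   "us-east": 75,  "ap-south": 110},
    "new_york": {"eu-west": 70,  "us-east": 6,   "ap-south": 200},
    "mumbai":   {"eu-west": 120, "us-east": 210, "ap-south": 9},
}

# Constructed region-to-region one-way latencies (treated as symmetric).
INTER_REGION_MS = {
    ("eu-west", "us-east"): 72,
    ("eu-west", "ap-south"): 115,
    ("us-east", "ap-south"): 205,
}


def region_latency(a, b):
    """One-way latency between two regions; zero when they are the same."""
    if a == b:
        return 0
    return INTER_REGION_MS.get((a, b)) or INTER_REGION_MS[(b, a)]


def nearest_region(user):
    """The 'closest cloud region' placement: lowest latency for this user."""
    return min(LATENCY_MS[user], key=LATENCY_MS[user].get)


def direct_path_ms(user, desktop_region):
    """Gateway in the desktop's own region: user -> desktop region."""
    return LATENCY_MS[user][desktop_region]


def tromboned_path_ms(user, broker_region, desktop_region):
    """Single broker region in the path: user -> broker region -> desktop region."""
    return LATENCY_MS[user][broker_region] + region_latency(broker_region, desktop_region)


def compare(user, broker_region):
    """Place the desktop in the user's nearest region and compare both paths."""
    desktop = nearest_region(user)
    return {
        "desktop_region": desktop,
        "direct_ms": direct_path_ms(user, desktop),
        "tromboned_ms": tromboned_path_ms(user, broker_region, desktop),
    }


if __name__ == "__main__":
    # A single broker deployed in us-east; only users near it avoid the detour.
    for location in LATENCY_MS:
        print(location, compare(location, "us-east"))
```

The comparison makes the author’s point concrete: a user whose desktop is in the broker’s region sees no penalty, while a user in another region pays the user-to-broker hop plus the broker-to-desktop hop on every packet unless the broker is replicated into that region.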
Workspot Cloud Desktop Fabric: Separate Control/Data Planes
Figure 8: Workspot’s unique architecture completely separates the control and data planes
In designing Workspot’s cloud desktop platform, we made a fundamental architectural decision to separate the control and data planes. The data plane (red box) runs in each data center in the customer’s cloud instance. The data plane inherits customer environments – corporate image, corporate authentication, security stack, corporate tools, and corporate processes. A single control plane (shared by all customers) allows IT to control all the data planes from a single pane of glass and without having to manage the vertical scalability of a legacy VDI architecture.
So with Workspot, IT has maximum customizability within a single data center. But what about horizontal scalability? How does it enable IT to become the global service provider to internal business units?
The Cloud Desktop Fabric is a New Paradigm for DaaS
Built on the separate control/data plane foundation, the Workspot Cloud Desktop Fabric provides a single pane of glass that can control cloud desktop provisioning, policies, entitlements, and brokering across the globe for multiple customers in multiple cloud regions. IT can deliver the service from a single data center or 100 data centers; deliver desktops to a single business unit with a global footprint of tens of data centers; or even serve multiple business units leveraging any number of data centers, each with hundreds of unique images and heterogeneous security requirements. The Workspot Cloud Desktop Fabric solves the vertical and horizontal scaling issues faced by IT. Key benefits of the fabric architecture include:
- Respond to business opportunities with fast & easy horizontal scalability
- Customer data never crosses the control plane for Zero Trust Security
- Global cloud desktop management via a single pane of glass dramatically simplifies IT
- Cloud desktops placed in the closest cloud region deliver phenomenal performance
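To show what a separated control and data plane means in practice, here is an added, generic model of the pattern. It is not Workspot’s implementation or protocol, and it makes its own assumptions: a shared control plane checks entitlements and issues a short-lived lease (a JSON claim set plus an HMAC-SHA256 tag under a key shared with exactly one regional gateway); the gateway in the customer’s region verifies the lease with only its local key and then carries the session. Tenant, user, desktop and region names are constructed sample values. The model demonstrates the two properties the list above claims for this architecture: session data never passes through the control plane, and an established session survives a control-plane outage.

```python
"""Illustrative separated control/data plane for cloud desktops (added example).

Not a vendor's code. Lease format, key distribution and names are assumptions
made for this illustration only.
"""
import hashlib
import hmac
import json
import secrets


class ControlPlane:
    """Shared, multi-tenant control plane: entitlements and brokering only.

    It signs a lease naming the region to connect to; the desktop session
    itself never passes through this class.
    """

    def __init__(self):
        self.gateway_keys = {}   # region -> key shared with that region's gateway
        self.entitlements = {}   # (tenant, user) -> {desktop: region}
        self.online = True

    def register_gateway(self, region):
        """Create the per-region key; returned once so the gateway can keep it."""
        key = secrets.token_bytes(32)
        self.gateway_keys[region] = key
        return key

    def entitle(self, tenant, user, desktop, region):
        self.entitlements.setdefault((tenant, user), {})[desktop] = region

    def broker(self, tenant, user, desktop, now, ttl_s=60):
        """Check entitlement and issue a lease bound to the desktop's own region."""
        if not self.online:
            raise RuntimeError("control plane unavailable")
        region = self.entitlements.get((tenant, user), {}).get(desktop)
        if region is None:
            raise PermissionError("user is not entitled to this desktop")
        claims = {"tenant": tenant, "user": user, "desktop": desktop,
                  "region": region, "exp": int(now + ttl_s)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self.gateway_keys[region], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class Gateway:
    """Data-plane gateway in one cloud region.

    It validates leases with only its local key, so an active session keeps
    running even when the control plane is unreachable.
    """

    def __init__(self, region, key):
        self.region = region
        self.key = key
        self.sessions = {}       # session id -> claims

    def accept(self, lease, now):
        """Return a session id for a valid lease bound to this region, else None."""
        body, _, tag = lease.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None          # forged, tampered, or signed for another region
        claims = json.loads(body)
        if claims["region"] != self.region or claims["exp"] <= now:
            return None          # wrong region or expired
        sid = secrets.token_hex(8)
        self.sessions[sid] = claims
        return sid

    def relay(self, sid, payload):
        """Stand-in for the desktop protocol stream; only the gateway sees it."""
        if sid not in self.sessions:
            raise PermissionError("no such session")
        return payload


def demo():
    """Walk the connect flow and its failure cases; returns the outcomes."""
    now = 1_700_000_000                       # fixed clock for a reproducible run
    cp = ControlPlane()
    eu = Gateway("eu-west", cp.register_gateway("eu-west"))
    us = Gateway("us-east", cp.register_gateway("us-east"))
    cp.entitle("acme", "alice", "win11-dev", "eu-west")

    lease = cp.broker("acme", "alice", "win11-dev", now)
    sid = eu.accept(lease, now)                          # valid lease, right region
    tampered = lease.replace('"alice"', '"mallory"')     # body changed, tag not
    cp.online = False                                    # simulate control-plane outage
    try:
        cp.broker("acme", "alice", "win11-dev", now)
        new_lease_ok = True
    except RuntimeError:
        new_lease_ok = False
    return {
        "session_opened": sid is not None,
        "tampered_rejected": eu.accept(tampered, now) is None,
        "wrong_region_rejected": us.accept(lease, now) is None,
        "expired_rejected": eu.accept(lease, now + 61) is None,
        "relay_during_outage": eu.relay(sid, b"pixels") == b"pixels",
        "new_lease_during_outage": new_lease_ok,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two design points carry the security argument. The control plane holds entitlements and signs leases but never terminates a session, so a compromise or outage there cannot read desktop traffic; and each gateway accepts only leases signed for its own region, so a lease stolen in one region is worthless at another. The cost is that new connections still depend on the control plane being reachable, which the `new_lease_during_outage` outcome makes explicit.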
The Workspot Cloud Desktop Fabric is designed for IT organizations that have evolved into strategic, global service providers that enable enterprise growth.
Figure 9: Strategic IT is now a business growth-enabler
Learn More About Workspot Cloud Desktops on Azure
Let’s find 30 minutes to discuss your cloud-first initiative, why moving desktop workloads to the cloud is a high-return activity, and how easy it is to implement. Request a demo here and we’ll coordinate a discussion with one of our product experts.