When AWS WorkSpaces was first announced, Entisys360 began having many conversations with clients concerning Desktops as a Service (DaaS) offerings. These included the pros/cons, total cost, “cloud first” business initiatives, and handling of legacy applications in the Modern IT infrastructure. Now, with the recent announcement of Microsoft Windows Virtual Desktop (WVD), along with Citrix/VMware updating their solutions to extend and leverage AWS/Azure, the conversations have started again concerning where the desktop should reside (whether it be a DaaS offering or extending an existing solution into the public cloud to host desktops/applications).

While there are many differences between a DaaS and the cloud hosted desktop in terms of how you are billed, and what level of control you have when it is delivered “as a Service”, both hinge on the same very critical decision: leveraging a public cloud to host the desktop/application virtualization OS versus hosting desktop/application virtualization on-premises.

Note: If you already have a VDI broker in place but want to understand all the workload locations by that product or another product, click HERE for a chart that summarizes where workloads can be located based on products.

This critical decision is really what clients should be asking themselves. This blog will review the critical questions you should ask yourself and your organization before making this decision (and thus, for the sake of simplicity, we will use “cloud hosted desktop” to represent both DaaS offerings and deploying a desktop in the public cloud).

There are many benefits to a cloud hosted desktop such as being quick to deploy, just needing a credit card to acquire, migrating from CAPEX to OPEX, enhancing security or mobility with public cloud services, and multiple data centers ready and waiting for use just to name a few.

Additionally, there are ideal use cases for cloud hosted desktops such as:

  • Seasonal workloads with 100% SaaS or cloud-based applications
  • Users/contractors who do not need access to the corporate network and leverage 100% SaaS or cloud-based applications
  • IT shops that want to hand off desktop administration to a business unit
  • IT shops needing to quickly get desktops in multiple data centers where corporate IT currently has no data centers

However, that doesn’t mean that all use cases can benefit from cloud hosted desktops. It also means that for every benefit gained you might lose a capability you have had for years.

Entisys360 would like to share critical questions (some business related and some technical related) and our (hopefully) thought-provoking explanations of why these questions must be answered when deciding on the location of virtual desktops/applications.

Business questions

Sometimes, without doing the analysis to understand the Total Cost of the solution, you can be paying just as much or more to deliver a virtual desktop 40+ hours a week in the public cloud versus an on-prem virtual desktop. There are always use cases for cloud hosted desktops, but you need to make sure you understand the use case. Also remember that you still need an endpoint to connect from… what are the plans to manage these devices (e.g. BYOD, CYOD, COPE, COBO)?

You might be losing capabilities to administer the system which can result in fewer administrative choices/troubleshooting capabilities. Additional costs may be incurred acquiring 3rd-party solutions to address limitations. Because of the way public cloud works, you may also be limited in your choices based on the service or offerings by that cloud provider (e.g. to run Windows 10 – not Windows Server OS skinned to look like Windows 10 – in AWS WorkSpaces you have a commitment of 200 per region, or to leverage Windows 10 Multi-User you have to run it in Azure).

You might be making a short term decision to reduce costs without fully understanding the impact of handing off IT decisions to another company.

As mentioned earlier, the cost of running a desktop (or server) 24x7x365 in the public cloud can be more expensive than you think.

Have you included costs for the Operating System (if not included), the network egress or additional storage that might be needed for user data? Will you need to deploy services in the public cloud that are not currently there (e.g. Domain Controllers, File Servers, application services, etc.)?

And, as some companies have migrated back to on-prem for any number of reasons, what is the backup plan if costs get too high, or the public cloud provider decides to deprecate a feature/service you are utilizing? And while you might think your organization only has one cloud partnership, that can change, whether through mergers & acquisitions or changes in cost (Is it cheaper to run Windows in Azure or AWS this month?)… the core question here is “What are your backup plans?”

Moving to a cloud hosted desktop, you still need to account for the OPEX of managing the OS and applications. While this might be apparent for organizations extending into the public cloud, it seems to be something most DaaS customers overlook.

DaaS offerings often suggest that app owners should be able to do this, but the tools/experience are not intuitive. This model of shifting application management to app owners has not been proven out in the real world to be successful. The cloud team at most organizations isn’t interested in managing desktops while the desktop team doesn’t have the skill set to log into the public cloud consoles to manage the service. This results in confusion with “Who supports what?” as app owners are expected to do more with less support.

DaaS offerings and cloud hosted desktops tend to lock you into a specific public cloud. So what happens when you are using desktops in AWS but the company you just bought has everything in Azure or has everything on-prem? Will IT be able to move fast enough when dealing with such a scenario?

Technical questions

Background: Location, Location, Location.

To address the issue of desktops being further and further away from data centers (AKA latency), VDI solutions are most optimally deployed in the same data center as the data attempting to be accessed.

    1. Is the data the users will be accessing in SaaS applications (e.g. WorkDay, Office365, SalesForce) or in cloud-based applications hosted by the same cloud provider as the cloud hosted desktops?
    2. Will the users need to connect back to on-prem databases, file shares and applications to do their job?
    3. Will a desktop in AWS US West work with a database in Los Angeles? Yes… but will it perform well? Probably not. You need to test. Then what happens when you have to build some new desktops in AWS US East? Will they perform as well when data is located in Los Angeles? Or in Azure, because of the acquisition of an organization that has everything hosted in Azure? Hybrid cloud architectures are still the most common architecture because they give the most flexibility for IT and the business. So, it makes sense to understand that even if you plan for a single cloud architecture, a hybrid and multi-cloud architecture will most likely be the end result.
    4. Will you be deploying network optimizations (increased cost for AWS Direct Connect or Azure Express Route) to attempt to address latency and does it have any effect on performance of the cloud hosted desktop to the on-prem data/database?

Background: The security/InfoSec teams may have a policy for addressing what types of data can be in the cloud and how it can be stored. They also may have a policy for access/authentication/authorization to corporate systems that you don’t want to ignore when delivering cloud hosted desktops.

    1. Have you worked with the security/InfoSec team to determine the requirements for if/what data can and cannot be stored in the public cloud? And much like on-prem, are they aware of any impact when users decide where data resides to make it easier for them even if it means going against corporate policy?
    2. Have you reviewed client device capabilities and the level of control you have over them?
    3. How will the access be configured to allow remote access to these systems? Options include public access through gateways in the public cloud or requiring all users go through a corporate data center to access the cloud hosted desktops. This decision has implications on security and end user experience.
    4. How will on-prem applications be accessed? Options like VPNs or network optimization (AWS Direct Connect/Azure ExpressRoute) will incur additional cost and complexity of the deployment.
    5. What kind of data can be stored in the public cloud, and how will data be stored/encrypted/backed up/replicated? Data can be stored in SaaS data sources (e.g. Microsoft OneDrive), Windows File Servers, virtual disk drives (Microsoft’s FSlogix acquisition) or public cloud storage, but each has security implications or complexity in deployment decisions based on the public cloud provider.
    6. DaaS specific: what level of security control do you have today (if you have an existing virtual desktop/virtual application delivery solution) that may not exist in the DaaS offering?
      • Can you disable printing/client drive mapping/USB device mapping?
      • If you can disable them, how granular can you get? Is it on or off? Based on group membership? Based on location? Based on authentication method? Based on the results of a scan of their device (e.g. registry watermark, domain joined device, AV enabled and up to date)?

Background: Not all cloud hosted desktop offerings have the same capabilities as the existing solutions you might be used to, which may require you to buy additional products or modify your expectations/procedures.

    1. Most virtual desktop solutions have been developing or acquiring solutions to address enterprise issues, so what is required by the cloud hosted desktop to have the same admin experience?
      • Domain joined versus non-domain joined? What are the networking requirements for domain-joined desktops, and will Domain Controllers need to be deployed?
      • Image management?
      • Application packaging/delivery options?
      • Profile management?
      • Environment management (GPO replacement for registry key/drive mapping/application configuration settings)?
      • Integrated with single sign on (SSO) solutions (OKTA/MS AD Federated Services/SAML, etc.) for authentication? What about SSO for applications within the DaaS offering?
      • Is there a help desk tool to offload common issues such as profile issues, session connection issues, networking performance issues, shadowing, session resets, etc.?
      • Cost of GPUs in the cloud and impact on user experience not having GPUs?
      • Are 3rd party solutions required to address these concerns, thus increasing costs and complexity such as multiple management consoles or upgrade cycles?
    2. What are you able to customize? (Example: Company logo/color scheme on the landing page, add legal/security agreements before the user logs in, integrate with an existing solution you have for desktop management).
    3. Do you have the same monitoring and troubleshooting capabilities (probably not since the public cloud is trying to take these responsibilities away)?
      Cloud hosted desktops do not allow you to see hypervisor issues, network utilization, server utilization, storage utilization, etc. Your management is used to contacting IT when things are “slow” but who do you or the end user contact when you think a VM is slow? Do you just double VM resources (and costs) to attempt to address the issue? Can you easily move the VM to another region to see if it runs better? What impact does that move have on communication to the backend of the application/user experience?
      Note: Most recently an Azure expert within Microsoft stated “If something runs slowly in one region of Azure, try running it another region because the other region might not be as busy”. There is no way to tell how busy or how much contention is occurring within the public cloud.
    4. What are the SLAs that are expected and does management understand that IT no longer has any involvement in uptime of the service? The business needs to understand that most common SLAs are 99% (3+ days of downtime/year) and 99.5% (almost 2 days of downtime/year).
    5. What are your plans should the service be deprecated? (Since these are services, the public cloud provider may decide to deprecate features or the entire solution due to lack of adoption or profitability.)

Background: At the end of the day, it is all about user experience, and if users don’t like it, it won’t be used. Not all public cloud providers have the same capabilities/services in every region, possibly resulting in different experiences based on the location the user connects to. Not all DaaS offerings will look similar for users, requiring them to learn a new way to perform a task (e.g. print or access a local file).

    1. Have you tested worst case scenarios for latency to understand the impact on the user experience?
      This should include testing from end point to the cloud provider and from the cloud provider to the backend application (the last part assuming a portion of the