If VPN and VDI were once obscure acronyms, they’re not anymore. When the pandemic pushed companies to switch to a remote-first workforce quite literally overnight, there wasn’t exactly time to figure out the best option for access. Companies doubled down on whatever system was either in place or quickest to stand up, eager to meet the urgent need.
Now, people have formed opinions. Months of relying on VDI, virtual desktop infrastructure, or VPN, virtual private network, or some Frankensteined combination of both has given everyone the experience to know what they do not want, if not the expertise to know what might work better.
Learn more about network connectivity
Both VDI and VPN have their advantages, and neither will work perfectly in every situation. By understanding the needs of your workforce and the realities of your tools and technology, however, you can set up a system that will make remote work possible, and perhaps even preferable, without the in-office network.
What is the difference between VPN and VDI?
While VPN and VDI both solve the same problem — giving remote workers access to needed systems — they go about it in two fundamentally different ways. A VPN connects your computer to the corporate network, giving you access to the files and information you might need. VDI connects you to a virtual computer within the corporate network, giving you access to the files and information, as well as the software and processing, available on the virtual machine itself.
The difference is where the work happens. Some companies will need that work to happen within a closed corporate network, others are happy to have work take place where it needs to and connect as it can.
AWS Workspaces and other VDI products simplify connection down to an application and a set of credentials. From any device, employees can log into a virtual computer with everything they need. VPN, on the other hand, requires credentials, plus a client and all the necessary software on the local machine. In turn, it allows work to take place locally. It’s not as dependent on the quality of the internet connection, but it does require the right configuration across every device that needs access.
When the pandemic hit, we had clients who were fiercely loyal to one or the other, and a lot more who had no opinion whatsoever. Organizations with mobile workforces — where most folks are assigned a laptop and personalization, apps and data are stored locally on that machine — tended to already have a VPN infrastructure established, and just needed the licenses and equipment to handle additional load. Organizations with a more stationary workforce — where desktops are the norm, personalization is stored in user profiles, data is stored on shared servers and applications are controlled centrally — tended to have more standards to enforce and favored a VDI infrastructure. Now, after a year of near-mandatory remote work, it’s worth reexamining the benefits and setbacks with clear eyes.
VPN vs VDI: Speed
There are two major factors on which VPN and VDI are judged: speed and security. When we talk about speed here, however, we’re talking about two different things:
- How quick is it to set up?
- How responsive is it?
For a lot of our clients, there was an obvious answer to which technology was best: Whichever one they were already using. There wasn’t time to step back and assess the merits, just an urgent need to expand access. Many clients had a VPN of some kind enabled so staff could access documents outside of the office. Others were switching to a VDI-enabled workforce to allow for hot-desking, where people could access their “computer” from any workstation. By and large, they continued down the path they were already on, just with increased urgency.
For those that didn’t have a solution in the works, the decision was less clear. Establishing a VPN may take more upfront work — it requires setting up a client on the local machine to access the network, as well as a tightly controlled, usually two-factor-authenticated login. Once the VPN is set up, however, work is generally more seamless, because it takes place on your local machine.
VDIs on the other hand, can be provisioned quickly, duplicating an environment for anyone who needs it and providing the right credentials. The work itself is often what lags: Employees are beholden to a strong internet connection. If they go offline for any reason, they also get disconnected from their virtual machine, causing frustration.
VPN vs VDI: Security
While any combination of the words “access” and “private network” is likely to raise alarm bells, both VDI and VPN are relatively secure technologies made more secure through proper configuration.
Still, any machine that accesses your VPN becomes a node on your network. You need to know both the machines and the people using them are safe. This can be done if you provide employees with company-issued hardware configured to your specifications, but gets much more challenging if people are using personal devices.
VDI is more secure out of the box, because you’re working virtually on a machine over which the company retains physical control. Importantly, data isn’t being moved in or out. If your company is subject to compliance requirements about where data is located, this may be the only option.
VPN does allow you to disable the thumb drive, for example, so data can’t be as easily moved off the machine, but you’re still able to save files locally. With VDI, files stay within the company network, though again there are workarounds to get files out. Unlike with VPN, however, the second your connection turns off — or is remotely disconnected, as it may be during a termination — you can no longer access that data.
Cloud repatriation is just a reconsideration
Evaluating which remote access has the best performance for your needs
This is one area where cost can’t contribute much to the decision-making process. VDI may be cheaper on the face, but by the time you’ve factored in the cost of infrastructure for virtual machines, there’s no clear winner. More importantly, they just do different things. An apples-to-apples comparison isn’t realistic.
Instead, think of the traits of your team and the technology they use. By answering the questions below, you should start to see a trend around, if nothing else, which will be the most frustrating to use. And in a remote-first world, that may be the cost that matters most.
Questions to ask when choosing between VPN and VDI:
Will my team need to work offline at any point?
VDI works by connecting you remotely to another machine. If your internet cuts out, so does your work. For teams who need to do work offline — say on trains or airplanes, or just via a less-reliable internet connection — a VPN is the better option. Just download what you need to work locally, then send it in when you can connect.
Will my team always have access to the hardware they need?
A VDI’s ability to patch in any device is especially useful for companies that may have people in the field. Employees can work off of Chromebooks or iPads and still access the full functionality of their virtual machine. They can also replace their hardware more easily, since a VDI connection doesn’t necessitate the same local client and setup that a VPN does.
If printing across locations is a necessary part of your team’s work, however, then VPN may be the way to go. It is possible to print to a local printer with some VDI implementations, but this setup can be problematic and difficult to support. VPNs typically allow you to print to local printers, as well as ones on the corporate network if needed. VPNs, on the other hand, let you print to any machine connected to the network, so you can send documents anywhere they need to be.
Does my team need access from personal devices?
A VPN will connect a device directly to the network, so you need to know that it’s trusted. When companies can provide and configure the devices that need access, it’s a great solution. If not, VDI offers a more reliable experience that doesn’t require much in the way of software, and that doesn’t open up your network.
Is my team using software or programs they might not have locally?
In some ways, this is an extension of the question above. If your team uses apps with restricted licenses or software that needs a specific configuration, VDI is an excellent workaround. Instead of needing to duplicate environments across multiple devices, VDI allows everything to live in one place, and be accessed from any device.
Does my team need functionality specific to a local machine, such as a webcam or microphone?
Teleconferencing doesn’t work over VDI — a virtual machine can’t facilitate a physical presence. If your team needs a webcam or microphone to do their job, they’ll have to use a VPN to get the access they need.
How adept is your team at troubleshooting?
VDI can be harder to deploy, but once it’s up, it’s much easier to manage because you can access the machine. VPNs are more of a black box — you can’t necessarily see what’s gone wrong, and need to rely on your people to communicate and test. A VDI connection gives your IT team more control over troubleshooting and takes responsibility off of a less-technical workforce.
So which is better: a VPN or a virtual desktop?
There is, unfortunately, no single solution. There may not even be a single solution within your company — plenty of our clients use a combination of VPN and VDI access, switching based on tasks and roles. It would be nice to have blanket advice to offer everyone. Like everything else when it comes to infrastructure, however, the best choice depends entirely on your specific situation.
Colocation and cloud work together
Still, it’s a debate we’re pleased to be having. Go back 5-10 years, and no solution would be functional enough to even consider as a replacement for in-person connectivity. Today, both VPNs and VDIs are effective enough to keep a large part of the economy going through a pandemic. It’s a question of what advantages you want, not whether it’s possible at all.