The purpose of this checklist is to inform you of the required elements for a Horizon Cloud on Microsoft Azure deployment.

Important: A Horizon Cloud on Microsoft Azure deployment refers to a native Microsoft Azure infrastructure.

Checklist Audience

This checklist is for Horizon Cloud customer accounts that have never had a Horizon Cloud on Microsoft Azure deployment in their tenant environment. You might hear such tenants referred to as clean-slate environments or greenfield environments.

You must perform some items that follow before you deploy Horizon Cloud. You can defer some items until after the deployment is finished and running.

Microsoft Azure Subscription Requirements

Valid Microsoft Azure subscriptions in a supported Microsoft Azure environment (Azure Commercial). If you want to deploy Horizon Edge appliances, which includes Horizon Edge Gateway and Unified Access Gateway instances, in their own dedicated provider (Microsoft Azure subscription), obtain another valid Microsoft Azure subscription to deploy pool templates.
Note:

Horizon Cloud supports most Microsoft Azure regions.

Valid Microsoft Azure administrative privileges in each Microsoft Azure subscription, for you to use the Microsoft Azure portal and perform the Horizon Cloud deployment preparation steps.
Create one or more service principals in each Microsoft Azure subscriptions, noting the Subscription ID, directory ID, and application ID, and assign the appropriate role to each service principal in your subscriptions.
Note: When you create multiple service principals, they share the Subscription ID and directory ID, but each service principal has its own application ID.
Create a Microsoft Azure User Managed Identity.

Horizon Edge using an AKS cluster requires a user managed identity with the Network Contributor role at the management VNet’s resource group scope and the Managed Identity Operator role at the Microsoft Azure subscription scope. See Microsoft documentation about managing user-assigned managed identities.

Register the required resource providers for your Microsoft Azure subscription, See Confirm That the Required Resource Providers Are Registered in Your Microsoft Azure Subscription.
Create a custom role that provides READ permissions to the Azure Compute Galleries in you subscriptions and assign that custom role to all service principals configured for a given Horizon Edge.
The subscription must allow the creation of resource groups that do not have tags on them.

Microsoft Azure Capacity Requirements

Where the following table refers to Microsoft Azure capacity, no manual installation is necessary. As long as the stated capacities are available in the subscription, the deployer automatically instantiates the described VMs.

Microsoft Azure capacity for the core Horizon Edge resources to deploy into that subscription.
  • Horizon Edge Gateway – 4 x Standard_D2s_v3 VMs
    • Going forward, Horizon Cloud deployments make use of an Azure Kubernetes Service (AKS) cluster, which requires 4 x Standard_D2s_v3 VMs for capacity.

      During the normal operation of the AKS cluster, four Standard_D2s_v3 nodes are required. One additional node is required and used during the upgrade process.

    • Previous deployments made use of a 1 x Standard D4s v3 VMs
  • Unified Access Gateway instances – Minimum of 2 x of the supported sizes that follow. The default and recommended size is Standard_F8s_v2.
    • Standard_A4_v2
    • Standard_D8s_v4
    • Standard_D16s_v4
    • Standard_D8s_v5
    • Standard_D16s_v5
    • Standard_F8s_v2
    • Standard_F16s_v2
    Note: The A4_v2 VM model is only sufficient for proofs-of-concept (PoCs), pilots, or smaller environments where you know that you will not exceed 1,000 active sessions on the Horizon Edge.
When your Horizon Edge instance is ready to use, your capacity in Microsoft Azure cloud also must accommodate the imported VMs, images, pool template VMs, and App Volumes app-capture VMs that you create in that Horizon Edge instance. See the Image Management System Requirements section.

Network Requirements

The following network requirements include the details necessary to provide high availability to your Horizon Cloud deployment. These requirements include support for the configuration of Horizon Edge Gateway using an AKS cluster. Configuring Horizon Edge Gateway using an AKS cluster provides you with a more easily scalable solution.

Microsoft Azure Virtual Network (VNet) created in your target Microsoft Azure region with applicable address space to cover required subnets. See Configure the Network Requirements.
Three non-overlapping address ranges in CIDR format in your site's VNet, reserved for subnets.

The following subnet requirements are minimum. For larger environments, larger subnets might be required.

  • Management subnet — /26 minimum

    Configure a NAT gateway for the Management subnet because a Horizon Edge using an AKS cluster needs a NAT Gateway for outbound connectivity.

  • Desktop subnet - Primary (tenant) — /27 minimum, but sized appropriately based on the number of desktops and RDS servers. You can add more subnets as required.
    Note:

    If you are using an internal load balancer, ensure that all Desktop subnets for your desktop VMs fall in the IP ranges described in RFC1918.

  • DMZ subnet — /27 minimum for the cluster of Unified Access Gateway instances
You must create subnets manually on the VNet as a prerequisite. See Configure the Network Requirements As a best practice, do not attach other resources to the subnets.

When you choose to use a dedicated provider to deploy Horizon Gateway appliances (Horizon Edge Gateway and Unified Access Gateway) you must create backend subnets in the provider from which desktops will be deployed.

Configure a NAT gateway on the Management subnet to enable outbound connectivity for the Horizon Edge Gateway.
Gather the following CIDR IP address ranges, which you need to configure the Horizon Edge Gateway during deployment.
Note: Ensure that these ranges do not conflict with other ranges in use in your environment.
  • Service CIDR — /27 minimum
  • Pod CIDR — /21 minimum
  • Docker Bridge CIDR — /26 minimum

To successfully deploy an AKS cluster, you must comply with the following Microsoft Azure requirement. At the time that you deploy Horizon Edge using the Horizon Universal Console, ensure that the Service CIDR, Pod CIDR, and address space of the Management subnet's VNet do not conflict with the following IP ranges:

  • 169.254.0.0/16
  • 172.30.0.0/16
  • 172.31.0.0/16
  • 192.0.2.0/24
Configure the VNet (Virtual Network) DNS server, pointing to a valid DNS server that can resolve both internal machine names and external names. See Configure Required DNS Records After Deploying Horizon Edge Gateway and Unified Access Gateway.

For internal endpoints, AD server is an example.

For external endpoints, outbound Internet access on the VNets you are using for the gateway deployment must resolve and reach specific DNS names using specific ports and protocols. This is required for deployment and ongoing operations.

Outbound Internet access on the VNets you are using for the Horizon Edge deployment must resolve and reach specific DNS names using specific ports and protocols. This is required for deployment and ongoing operations. For the list of DNS names and ports, see Make Appropriate Ports and URLs Reachable to Deploy a Horizon Edge Gateway in Microsoft Azure.
Optional. Microsoft Azure VPN/Express Route configured, when you want networking between the VNet and your on-premises corporate network.
Regarding Horizon Edge using an AKS cluster, if the VNet you are using for the Horizon Edge deployment has a custom DNS server, you must add the Microsoft Azure DNS IP address 168.63.129.16 as an upstream DNS server.

Ports and Protocols Requirements

Specific ports and protocols are required for deployment and ongoing operations of your Horizon Cloud environment. See Horizon Cloud Port and Protocol Requirements for Your Horizon Cloud Deployment in Microsoft Azure.

Unified Access Gateway Requirements

A cluster of Unified Access Gateway VMs is associated to a pool template, which enables clients to have trusted HTML Access connections to the VMs in that pool template.

You use the Horizon Universal Console to configure Horizon Cloud with the Unified Access Gateway. The items below are required for that type of configuration.

Outbound Internet access to *.horizon.vmware.com is still required when Allow internal access over a corporate network is the Unified Access Gateway Access type. Either a Firewall or NAT Gateway can be applied to the DMZ subnet to allow outbound traffic.

FQDN is required for the Unified Access Gateway configuration.
Certificate or certificates for the Unified Access Gateway in PEM format matching the FQDN.
Note: If the certificate or certificates that you supply for this purpose use CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol) settings that refer to specific DNS names, then you must ensure outbound Internet access on the VNet to those DNS names is resolvable and reachable. During configuration of your supplied certificate in the Unified Access Gateway configuration, the Unified Access Gateway software reaches out to those DNS names to check the certificate's revocation status. If those DNS names are not reachable, deployment fails. These names are highly dependent on the CA that you used to obtain the certificates, which is outside VMware's control.

Identity Provider Requirements

When Microsoft Azure Active Directory is your identity provider, a user with Global Administrator privileges must do the following.
  • Approve the requested permissions.
  • Provide consent for the entire organization.
When Workspace ONE Access is your identity provider, a user with admin privileges must do the following.
  • Approve the requested permissions.
  • Provide consent for the entire organization.

Active Directory Requirements

The console's Active Directory registration workflow mandates the following items.

One of the following supported Active Directory configurations:
  • On-premises Active Directory Server connected via VPN/Express Route
  • Active Directory Server located in Microsoft Azure
  • Microsoft Azure Active Directory Domain Services
Supported Microsoft Windows Active Directory Domain Services (AD DS) domain functional levels.
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Supported Microsoft Windows Active Directory Domain Services (AD DS) OS Versions.

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R
Domain Bind Account
Active Directory domain bind account (a standard user with read access) that has the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >

The account must have the following permissions:

  • List Contents
  • Read All Properties
  • Read Permissions
  • Read tokenGroupsGlobalAndUniversal (implied by Read All Properties)

You should also set the account password to Never Expire to ensure continued access to log in to your Horizon Cloud environment.

  • If you are familiar with the VMware Horizon on-premises offering, the above permissions are the same set that are required for the Horizon on-premises offering's secondary credential accounts.
  • Generally speaking, the domain bind accounts should be granted the default out-of-the-box read-access-related permissions typically granted to Authenticated Users in a Microsoft Active Directory deployment. However, if your organization's AD administrators have chosen to lock down read-access-related permissions for regular users, you must request those AD administrators preserve the Authenticated Users standard defaults for the domain bind accounts you will use for Horizon Cloud.

Reference: Creating Active Directory Domain Bind and Domain Join Accounts

Auxiliary Domain Bind Account
Must be separate from the main domain bind account. The UI will prevent re-using the same account in both fields.

Active Directory domain bind account (a standard user with read access) that has the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >

The account must have the following permissions:

  • List Contents
  • Read All Properties
  • Read Permissions
  • Read tokenGroupsGlobalAndUniversal (implied by Read All Properties)

You should also set the account password to Never Expire to ensure continued access to log in to your Horizon Cloud environment.

  • If you are familiar with the VMware Horizon on-premises offering, the above permissions are the same set that are required for the Horizon on-premises offering's secondary credential accounts.
  • Generally speaking, the domain bind accounts should be granted the default out-of-the-box read-access-related permissions typically granted to Authenticated Users in a Microsoft Active Directory deployment. However, if your organization's AD administrators have chosen to lock down read-access-related permissions for regular users, you must request those AD administrators preserve the Authenticated Users standard defaults for the domain bind accounts you will use for Horizon Cloud.
Domain Join Account
Active Directory domain join account which can be used by the system to perform Sysprep operations and join the virtual computers to the domain. Typically a new account that you create for this express purpose. (A domain join user account)

The account must have the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >

The use of white spaces in the account's user name is currently unsupported.

You should also set the account password to Never Expire to ensure continued ability for Horizon Cloud to perform the Sysprep operations and join the virtual computers to the domain.

This account requires the following Active Directory permissions, applied to the Computers OU, or to the OU that you will enter into the console's Domain Join UI.

  • Read All Properties - this object only
  • Create Computer Objects - this object and all descendant objects
  • Delete Computer Objects - this object and all descendant objects
  • Write All Properties - Descendant Computer objects
  • Reset Password - Descendant Computer objects

Regarding the target Organizational Unit (OU) that you plan to use for pool templates, this account also requires the Active Directory permission named Write All Properties on all descendant objects of that target Organizational Unit (OU).

For more details, see Creating Active Directory Domain Bind and Domain Join Accounts.

In Microsoft Active Directory, when you create a new OU, the system might automatically set the Prevent Accidental Deletion attribute which applies a Deny to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the Deny that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the Deny permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.

Optional Auxiliary Domain Join Account
Active Directory domain join account which can be used by the system to perform Sysprep operations and join the virtual computers to the domain. Typically a new account that you create for this express purpose. (A domain join user account)

The account must have the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >

The use of white spaces in the account's user name is currently unsupported.

You should also set the account password to Never Expire to ensure continued ability for Horizon Cloud to perform the Sysprep operations and join the virtual computers to the domain.

This account requires the following Active Directory permissions, applied to the Computers OU, or to the OU that you will enter into the console's Domain Join UI.

  • Read All Properties - this object only
  • Create Computer Objects - this object and all descendant objects
  • Delete Computer Objects - this object and all descendant objects
  • Write All Properties - Descendant Computer objects
  • Reset Password - Descendant Computer objects

Regarding the target Organizational Unit (OU) that you plan to use for pool templates, this account also requires the Active Directory permission named Write All Properties on all descendant objects of that target Organizational Unit (OU).

In Microsoft Active Directory, when you create a new OU, the system might automatically set the Prevent Accidental Deletion attribute which applies a Deny to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the Deny that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the Deny permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.

Active Directory organizational unit (OU) or units (OUs) for virtual desktops and RDS session-based desktops or published applications or both.

In Microsoft Active Directory, when you create a new OU, the system might automatically set the Prevent Accidental Deletion attribute which applies a Deny to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the Deny that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the Deny permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.

Image Management System Requirements

Your Microsoft Azure subscription must accommodate the following requirements depending on the types of images you want to provision from the deployed Horizon Edge.

Base for the image. One or more of the supported Microsoft Azure VM configurations.
  • Gen-1 VM models only are supported.

Ensure you have enough quota for the model you want to use for the base VM. The following model types are recommended.

Non-GPU:
  • Standard_DS2_v2

GPU-Enabled:

  • Standard_NV12s_v3

Model types besides the Non-GPU and GPU-Enabled types listed are supported, though not necessarily verified. Ensure you have enough quota in your subscription if you select one of these models.

Pool Template VM Requirements

Your Microsoft Azure subscription must accommodate the following requirements depending on the types of pool template VMs you want to provision from the deployed Horizon Edge.

Model selection for the VMs in pool templates — any of the Microsoft Azure VM configurations available in the Microsoft Azure region, except for those not compatible with Horizon Cloud desktop operations.

Consider the following details when selecting a VM model.

  • Gen-1 VM models alone are supported for VMs in pool templates.
  • The decision to select between a GPU-enabled model type and Non-GPU model type depends on the VM selected during image creation.
  • To create a multi-session pool template, select an image created using a multi-session operating system.
  • For production environments, VMware scale testing recommends using models that have a minimum of 2 CPUs or larger.
  • See Microsoft Azure VM Types and Sizes for Horizon Cloud Service - next-gen (89090) to learn about the compatibility of different Microsoft Azure VM types and sizes with VMware Horizon Cloud Service - next-gen.

Horizon Client and Horizon HTML Access (the web client) Requirements

To enable end-user access to entitled resources in your Horizon Cloud environment, ensure that they use one of the following supported clients.
Horizon Client
End users can use the following Horizon Client versions:
  • Horizon Client for Windows 2111 or later
  • Horizon Client for Mac 2111 or later
  • Horizon Client for Linux 2206 or later
Horizon HTML Access
End users can connect to the version of HTML Access built into the Horizon Cloud environment.