Requirements Checklist for Deploying a Microsoft Azure Edge

Checklist Audience

This checklist is for Horizon Cloud customer accounts that have never had a Horizon Cloud on Microsoft Azure deployment in their tenant environment. You might hear such tenants referred to as clean-slate environments or greenfield environments.

You must perform some items that follow before you deploy Horizon Cloud. You can defer some items until after the deployment is finished and running.

Microsoft Azure Subscription Requirements


☐	Valid Microsoft Azure subscriptions in a supported Microsoft Azure environment (Azure Commercial, Azure Government). If you want to deploy Horizon Edge appliances, which includes Horizon Edge Gateway and Unified Access Gateway instances, in their own dedicated provider (Microsoft Azure subscription), obtain another valid Microsoft Azure subscription to deploy pools. Note: Horizon Cloud supports most Microsoft Azure regions.
☐	Valid Microsoft Azure administrative privileges in each Microsoft Azure subscription, for you to use the Microsoft Azure portal and perform the Horizon Cloud deployment preparation steps.
☐	Create one or more service principals in each Microsoft Azure subscriptions, noting the Subscription ID, directory ID, and application ID, and assign the appropriate role to each service principal in your subscriptions. See Create a Service Principal for the Microsoft Azure Subscription. To use a custom role for your service principal, see To Use a Custom Role for Horizon Cloud App Registration. Note: When you create multiple service principals, they share the Subscription ID and directory ID, but each service principal has its own application ID.
☐	Create a Microsoft Azure User Managed Identity. Horizon Edge using an AKS cluster requires a user managed identity with the Network Contributor role at the management VNet’s resource group scope and the Managed Identity Operator role at the Microsoft Azure subscription scope. See Microsoft documentation about managing user-assigned managed identities. If your Management subnet has a route table and the resource group of that route table is different than the VNet’s resource group, then the Network Contributor role must also be assigned to the resource group of the route table.
☐	Register the required resource providers for your Microsoft Azure subscription. See Confirm That the Required Resource Providers Are Registered in Your Microsoft Azure Subscription.
☐	Create a custom role that provides READ permissions to the Azure Compute Galleries in your subscriptions and assign that custom role to all service principals configured for a given Horizon Edge.
☐	The subscription must allow the creation of resource groups that do not have tags on them.

Microsoft Azure Capacity Requirements

Where the following table refers to Microsoft Azure capacity, no manual installation is necessary. As long as the stated capacities are available in the subscription, the deployer automatically instantiates the described VMs.


☐	Microsoft Azure capacity for the core Horizon Edge resources to deploy into that subscription. Horizon Edge Gateway – enough quota for a 4 node AKS cluster and an additional node during upgrades. Horizon Cloud deployments make use of an Azure Kubernetes Service (AKS) cluster, which requires four nodes of one of the supported VM sizes for capacity. Below is the list of supported VM SKU sizes for a Microsoft Azure Edge deployment in descending order of priority. If your Microsoft Azure subscription has capacity for at least one of the following VM SKU sizes, the Edge deployment is accepted. Otherwise, the Edge deployment is rejected. Standard_D2s_v3 - 2 vCPU, 8GB memory Standard_D2ds_v5 - 2 vCPU, 8GB memory Standard_D2a_v4 - 2 vCPU, 8GB memory During the normal operation of the AKS cluster, four VM nodes are required. One additional node is required and used during the upgrade process. Run commands to check for the availability of the Microsoft Azure VM model and to check the regional CPU output. See Check the Availability of the Microsoft Azure VM Model. Unified Access Gateway instances – Minimum of 2 x of the supported sizes that follow. The default and recommended size is Standard_F8s_v2. Standard_A4_v2 Standard_D8s_v4 Standard_D16s_v4 Standard_D8s_v5 Standard_D16s_v5 Standard_F8s_v2 Standard_F16s_v2 Note: The `A4_v2` VM model is only sufficient for proofs-of-concept (PoCs), pilots, or smaller environments where you know that you will not exceed 1,000 active sessions on the Horizon Edge. When your Horizon Edge instance is ready to use, your capacity in Microsoft Azure cloud also must accommodate the imported VMs, images, pool VMs, and App Volumes app-capture VMs that you create in that Horizon Edge instance. See the Image Management System Requirements section.

Network Requirements

The following network requirements include the details necessary to provide high availability to your Horizon Cloud deployment. These requirements include support for the configuration of Horizon Edge Gateway using an AKS cluster. Configuring Horizon Edge Gateway using an AKS cluster provides you with a more easily scalable solution.


☐	Microsoft Azure Virtual Network (VNet) created in your target Microsoft Azure region with applicable address space to cover required subnets. See Configure the Network Requirements.
☐	The following subnet requirements are minimum. For larger environments, larger subnets might be required. Management subnet — /26 minimum Configure a NAT gateway for the Management subnet because a Horizon Edge using an AKS cluster needs a NAT Gateway for outbound connectivity. Desktop (tenant) subnet - Primary — /27 minimum, but sized appropriately based on the number of desktops and RDS servers. You can add more subnets as required. DMZ subnet — /27 minimum for the cluster of Unified Access Gateway instances (not required for Internal Unified Access Gateway Access Type). You must create subnets manually on the VNet as a prerequisite. See Configure the Network Requirements As a best practice, do not attach other resources to the subnets. When you choose to use a dedicated provider to deploy Horizon Gateway appliances (Horizon Edge Gateway and Unified Access Gateway) you must create backend subnets in the provider from which desktops will be deployed.
☐	If you select the cluster outbound type value as NAT gateway at the time of Edge creation, configure a NAT gateway on the Management subnet to enable outbound connectivity for the Horizon Edge Gateway. If you select the cluster outbound type value as User defined routes at the time of Edge creation, configure a route table on the management subnet having the default route 0.0.0.0/0 pointing to a next hop of type VirtualAppliance or VirtualNetworkGateway.
☐	Gather the following CIDR IP address ranges, which you need to configure the Horizon Edge Gateway during deployment. Note: Ensure that these ranges do not conflict with other ranges in use in your environment. Service CIDR — /27 minimum Pod CIDR — /21 minimum To successfully deploy an AKS cluster, you must comply with the following Microsoft Azure requirement. At the time that you deploy Horizon Edge using the Horizon Universal Console, ensure that the Service CIDR, Pod CIDR, and address space of the Management subnet's VNet do not conflict with the following IP ranges: 169.254.0.0/16 172.30.0.0/16 172.31.0.0/16 192.0.2.0/24
☐	Configure the VNet (Virtual Network) DNS server, pointing to a valid DNS server that can resolve both internal machine names and external names. See Configure Required DNS Records After Deploying Horizon Edge Gateway and Unified Access Gateway. For internal endpoints, AD server is an example. For external endpoints, outbound Internet access on the VNets you are using for the gateway deployment must resolve and reach specific DNS names using specific ports and protocols. This is required for deployment and ongoing operations.
☐	Outbound Internet access on the VNets you are using for the Horizon Edge deployment must resolve and reach specific DNS names using specific ports and protocols. This is required for deployment and ongoing operations. For the list of DNS names and ports, see Make Appropriate Destination URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment on Horizon Cloud Service - next-gen.
☐	Optional. Microsoft Azure VPN/Express Route configured, when you want networking between the VNet and your on-premises corporate network.
☐	Regarding Horizon Edge using an AKS cluster, if the VNet you are using for the Horizon Edge deployment has a custom DNS server, you must add the Microsoft Azure DNS IP address 168.63.129.16 as an upstream DNS server.

Ports and Protocols Requirements


☐	Specific ports and protocols are required for deployment and ongoing operations of your Horizon Cloud environment. See Port and Protocol Requirements for Your Horizon Cloud Deployment in Microsoft Azure.

Unified Access Gateway Requirements

A cluster of Unified Access Gateway VMs is associated to a pool, which enables clients to have trusted HTML Access connections to the VMs in that pool.

You use the Horizon Universal Console to configure Horizon Cloud with the Unified Access Gateway. The items below are required for that type of configuration.


☐	Outbound Internet access to .horizon.vmware.com is required in all configuration types. When Allow Internal Access Over a Corporate Network is the Unified Access Gateway Access Type, either user defined routing or NAT Gateway can be applied to the Management subnet to allow outbound traffic. When the Unified Access Gateway Access Type is configured externally with a DMZ network, external access to .horizon.vmware.com must be configured on the DMZ network.
☐	FQDN is required for the Unified Access Gateway configuration.
☐	Certificate or certificates for the Unified Access Gateway in PEM format matching the FQDN. Note: If the certificate or certificates that you supply for this purpose use CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol) settings that refer to specific DNS names, then you must ensure outbound Internet access on the VNet to those DNS names is resolvable and reachable. During configuration of your supplied certificate in the Unified Access Gateway configuration, the Unified Access Gateway software reaches out to those DNS names to check the certificate's revocation status. If those DNS names are not reachable, deployment fails. These names are highly dependent on the CA that you used to obtain the certificates, which is outside VMware's control.

Identity Provider Requirements


☐	When Microsoft Entra ID is your identity provider, a user with Global Administrator privileges must do the following. Approve the requested permissions. Provide consent for the entire organization.
☐	When Workspace ONE Access is your identity provider, a user with admin privileges must do the following. Approve the requested permissions. Provide consent for the entire organization.

Active Directory Requirements

The console's Active Directory registration workflow mandates the following items.


☐	If you plan to connect your Active Directory using LDAPS, gather PEM-encoded root and intermediate CA certificates for your Active Directory domain. When you use the Horizon Universal Console to set up your Active Directory Domain, you are prompted at that time to upload the PEM-encoded root and intermediate CA certificates.
☐	One of the following supported Active Directory configurations: On-premises Active Directory Server connected via VPN/Express Route Active Directory Server located in Microsoft Azure Microsoft Entra ID Domain Services
☐	Supported Microsoft Windows Active Directory Domain Services (AD DS) domain functional levels. Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Supported Microsoft Windows Active Directory Domain Services (AD DS) OS Versions. Windows Server 2019 Windows Server 2016 Windows Server 2012 R
☐	Domain Bind Account Active Directory domain bind account (a standard user with read access) that has the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: `"/ \ [ ] : ; \| = , + * ? < >` The account must have the following permissions: List Contents Read All Properties Read Permissions Read tokenGroupsGlobalAndUniversal (implied by Read All Properties) Set the account password to Never Expire to ensure continued access to log in to your Horizon Cloud environment. If you are familiar with the VMware Horizon on-premises offering, the above permissions are the same set that are required for the Horizon on-premises offering's secondary credential accounts. Domain bind accounts are granted the default out-of-the-box read-access-related permissions typically granted to Authenticated Users in a Microsoft Active Directory deployment. However, if your organization's AD administrators have chosen to lock down read-access-related permissions for regular users, you must request those AD administrators preserve the Authenticated Users standard defaults for the domain bind accounts you will use for Horizon Cloud. Reference: Creating Active Directory Domain Bind and Domain Join Accounts
☐	Auxiliary Domain Bind Account Must be separate from the main domain bind account. The UI will prevent re-using the same account in both fields. Active Directory domain bind account (a standard user with read access) that has the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: `"/ \ [ ] : ; \| = , + * ? < >` The account must have the following permissions: List Contents Read All Properties Read Permissions Read tokenGroupsGlobalAndUniversal (implied by Read All Properties) Set the account password to Never Expire to ensure continued access to log in to your Horizon Cloud environment. If you are familiar with the VMware Horizon on-premises offering, the above permissions are the same set that are required for the Horizon on-premises offering's secondary credential accounts. Domain bind accounts are granted the default out-of-the-box read-access-related permissions typically granted to Authenticated Users in a Microsoft Active Directory deployment. However, if your organization's AD administrators have chosen to lock down read-access-related permissions for regular users, you must request those AD administrators preserve the Authenticated Users standard defaults for the domain bind accounts you will use for Horizon Cloud.
☐	Domain Join Account Active Directory domain join account which can be used by the system to perform Sysprep operations and join the virtual computers to the domain. Typically a new account that you create for this express purpose. (A domain join user account) The account must have the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: `"/ \ [ ] : ; \| = , + * ? < >` The use of white spaces in the account's user name is currently unsupported. Set the account password to Never Expire to ensure continued ability for Horizon Cloud to perform the Sysprep operations and join the virtual computers to the domain. This account requires the following Active Directory permissions, applied to the Computers OU, or to the OU that you will enter into the console's Domain Join UI. Read All Properties - this object only Create Computer Objects - this object and all descendant objects Delete Computer Objects - this object and all descendant objects Write All Properties - Descendant Computer objects Reset Password - Descendant Computer objects Regarding the target Organizational Unit (OU) that you plan to use for pools, this account also requires the Active Directory permission named Write All Properties on all descendant objects of that target Organizational Unit (OU). For more details on creating and reusing domain join accounts, see Creating Active Directory Domain Bind and Domain Join Accounts. In Microsoft Active Directory, when you create a new OU, the system might automatically set the `Prevent Accidental Deletion` attribute which applies a `Deny` to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the `Deny` that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the `Deny` permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.
☐	Optional Auxiliary Domain Join Account Active Directory domain join account which can be used by the system to perform Sysprep operations and join the virtual computers to the domain. Typically a new account that you create for this express purpose. (A domain join user account) The account must have the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: `"/ \ [ ] : ; \| = , + * ? < >` The use of white spaces in the account's user name is currently unsupported. Set the account password to Never Expire to ensure continued ability for Horizon Cloud to perform the Sysprep operations and join the virtual computers to the domain. This account requires the following Active Directory permissions, applied to the Computers OU, or to the OU that you will enter into the console's Domain Join UI. Read All Properties - this object only Create Computer Objects - this object and all descendant objects Delete Computer Objects - this object and all descendant objects Write All Properties - Descendant Computer objects Reset Password - Descendant Computer objects Regarding the target Organizational Unit (OU) that you plan to use for pools, this account also requires the Active Directory permission named Write All Properties on all descendant objects of that target Organizational Unit (OU). In Microsoft Active Directory, when you create a new OU, the system might automatically set the `Prevent Accidental Deletion` attribute which applies a `Deny` to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the `Deny` that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the `Deny` permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.
☐	Active Directory organizational unit (OU) or units (OUs) for virtual desktops and RDS session-based desktops or published applications or both. In Microsoft Active Directory, when you create a new OU, the system might automatically set the `Prevent Accidental Deletion` attribute which applies a `Deny` to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the `Deny` that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the `Deny` permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.

Image Management System Requirements

Your Microsoft Azure subscription must accommodate the following requirements depending on the types of images you want to provision from the deployed Horizon Edge.


☐	Base for the image. One or more of the supported Microsoft Azure VM configurations. Microsoft Azure generation 1 and 2 VMs are supported. Ensure you have enough quota for the model you want to use for the base VM. The following model types are the default and recommended. Non-GPU: Standard_DS2_v2 GPU-Enabled: Standard_NV12s_v3 Model types besides the Non-GPU and GPU-Enabled types listed are supported, though not necessarily verified. Ensure you have enough quota in your subscription if you select one of these models.

Pool VM Requirements

Your Microsoft Azure subscription must accommodate the following requirements depending on the types of pool VMs you want to provision from the deployed Horizon Edge.


☐	Model selection for the VMs in pools — any of the Microsoft Azure VM configurations available in the Microsoft Azure region, except for those not compatible with Horizon Cloud desktop operations. Consider the following details when selecting a VM model. The decision to select between a GPU-enabled model type and Non-GPU model type depends on the VM selected during image creation. To create a multi-session pool, select an image created using a multi-session operating system. For production environments, VMware scale testing recommends using models that have a minimum of 2 CPUs or larger. See Microsoft Azure VM Types and Sizes for Horizon Cloud Service - next-gen (89090) to learn about the compatibility of different Microsoft Azure VM types and sizes with VMware Horizon Cloud Service - next-gen. Microsoft Azure generation 1 and 2 VMs are supported in pools.

Horizon Client and Horizon HTML Access (the web client) Requirements


☐	To enable end-user access to entitled resources in your Horizon Cloud environment, ensure that they use one of the following supported clients. Horizon Client End users can use the following Horizon Client versions: Horizon Client for Windows 2111 or later Horizon Client for Mac 2111 or later Horizon Client for Linux 2206 or later Horizon Client for Android 2303 or later Horizon Client for iOS 2303 or later Horizon Client for Chrome 2306 or later Horizon HTML Access End users can connect to the version of HTML Access built into the Horizon Cloud environment.