To create a Horizon Edge deployment and install or update appliance modules in your Horizon Cloud Service - next-gen environment, you must allow the appropriate URLs on the respective ports.

For the following tables, the listed purposes are in the context of a Horizon Edge deployment.

Allow URLs for the Management Subnet and Check URL Access

Allow the appropriate URLs and wildcard subdomains according to your site location and needs. Specifically, perform the following tasks.
  • Allow the URLs and wildcard subdomains in the table that follows, for example by adding them to an allow list for the firewall and network security group.
  • Bypass SSL deep packet inspection as follows.
    • In the firewall, for the URLs and wildcard subdomains in the table that follows.
    • In the proxy server, if applicable. That is, if the Horizon Edge Gateway is connected to the Horizon Cloud control plane through a proxy server, bypass SSL deep packet inspection in the proxy server for the URLs and wildcard subdomains in the table that follows.

Destination (DNS name): *.blob.core.windows.net
Port: 443
Protocol: TCP
Purpose: Used for programmatic access to the Azure Blob Storage and to upload the Horizon Edge logs as and when required. Also used for downloading Docker images to create the required Horizon Edge modules, which are useful for monitoring, SSO, UAG updates, and such.

Destination (DNS name): horizonedgeprod.azurecr.io
Port: 443
Protocol: TCP
Purpose: Used for authentication while downloading Docker images to create the required Horizon Edge modules, which are useful for monitoring, SSO, UAG updates, and such.

Destination (DNS name): *.azure-devices.net, or one of the region-specific names that follow, depending on which regional control plane applies to your tenant account:
  • North America: edgehubprodna.azure-devices.net
  • Europe: edgehubprodeu.azure-devices.net
  • Japan: edgehubprodjp.azure-devices.net
Port: 443
Protocol: TCP
Purpose: Used to connect the appliance to the Horizon Cloud control plane, to download configurations for the appliance's module, and to update the appliance's module's runtime status.

Destination (DNS name): vmwareprod.wavefront.com
Port: 443
Protocol: TCP
Purpose: Used for sending operation metrics to VMware Tanzu® Observability™ by Wavefront. VMware operators receive the data with which to support customers. Tanzu Observability is a streaming analytics platform. You can send your data to Tanzu Observability and view and interact with the data in custom dashboards. See the documentation for VMware Tanzu Observability by Wavefront.

Destination (DNS name): *.data.vmwservices.com, or one of the region-specific names that follow, depending on which regional Workspace ONE Intelligence target applies to your tenant account:
  • eventproxy.na1.data.vmwservices.com
  • eventproxy.eu1.data.vmwservices.com
  • eventproxy.eu2.data.vmwservices.com
  • eventproxy.uk1.data.vmwservices.com
  • eventproxy.ca1.data.vmwservices.com
  • eventproxy.ap1.data.vmwservices.com
  • eventproxy.au1.data.vmwservices.com
  • eventproxy.in1.data.vmwservices.com
Port: 443
Protocol: TCP
Purpose: Used for sending events or metrics to Workspace ONE Intelligence. See Workspace ONE Intelligence.

Destination (DNS name): If your firewall or network security group (NSG) supports the use of service tags, apply Azure service tag AzureCloud. If your firewall or NSG does not support the use of service tags, use the host name monitor.horizon.vmware.com.
Port: 1514 and 1515
Protocol: TCP
Purpose: Used for system monitoring.

Destination (DNS name): azcopyvnext.azureedge.net
Port: 443
Protocol: TCP
Purpose: Used to upload deployment logs to Azure Blob Storage for troubleshooting purposes.

Destination (DNS name):
  • management.azure.com
  • login.microsoftonline.com
  • mcr.microsoft.com
  • *.data.mcr.microsoft.com
  • packages.microsoft.com
  • acs-mirror.azureedge.net
Port: 443
Protocol: HTTPS
Purpose: Used for patching Microsoft components of the Horizon Edge Gateway.

Destination (DNS name): time.google.com
Port: 123
Protocol: UDP
Purpose: Used for time synchronization.

Destination (DNS name):
  • security.ubuntu.com
  • azure.archive.ubuntu.com
  • changelogs.ubuntu.com
  • motd.ubuntu.com
Port: 80
Protocol: HTTP
Purpose: Used for patching Ubuntu components.

Determine If the Management Subnet URLs Are Reachable

The Horizon Cloud Service - next-gen Edge Subnet URL Checker tool is available in TechZone on the Utilities page. Related information is available on the Deploying a Horizon Edge Gateway for Horizon 8 Environments TechZone page.

The tool is provided as an .exe file. To download and use the Horizon Cloud Service - next-gen Edge Subnet URL Checker tool on a Windows 10 or later-based virtual machine on the network where your Horizon Edge resides, perform the following steps.

  1. Download the Horizon Cloud Service - next-gen Edge Subnet URL Checker onto your Windows virtual machine deployed on the Horizon Edge network.
  2. Double-click the file to run the executable.

    A dialog box appears.

  3. Click Yes.
  4. Open the output folder at C:/VMwareURLCheckerOutput/.

    The folder contains the output files for each regional control plane.

  5. Open the output file of the region where you are deploying the Horizon Edge to determine if the necessary URLs are accessible.
    The following details apply.
    • The file displays the status of the required URLs for the Management subnet.
    • The expected status for each URL is REACHABLE.
    • When a URL has a status of UNREACHABLE, view the error message and make the necessary changes to unblock the issue.
  6. Rerun the executable as necessary until the status for all domains in your desired region is REACHABLE.
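The URL Checker above is a Windows executable, so its logic is not visible. The following script is an added example (not VMware's tool, and not from this page) that performs the same two checks an engineer would want when validating the management subnet: a TCP connect test against each concrete host and port from the table above, reporting REACHABLE or UNREACHABLE in the same vocabulary as the tool's output files, and an allow-list matcher that tells you whether a hostname seen in firewall or proxy logs is actually covered by one of the table's wildcard entries (for example, `*.blob.core.windows.net` covers `abc.blob.core.windows.net` but not the bare `blob.core.windows.net`). The host list is copied from the table; the short purpose strings are abbreviations of the table's purpose column; only the North America control-plane and `na1` Intelligence hosts are included as representatives of the regional choices. The `connect` parameter is an assumption of this example so that the check can be exercised offline with a stub.

```python
"""Reachability and allow-list matching for the Horizon Edge management subnet.

Added example; not the VMware Edge Subnet URL Checker. Hosts come from the
page's allow-list table; purpose strings are abbreviated.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowEntry:
    host: str        # exact DNS name or a '*.' wildcard pattern
    port: int
    protocol: str    # transport protocol: "TCP" or "UDP"
    purpose: str


# HTTP/HTTPS rows in the table ride on TCP at the transport level, so they are
# recorded as TCP here. Regional alternatives: NA control plane and na1 Intelligence.
MANAGEMENT_ALLOW_LIST = [
    AllowEntry("*.blob.core.windows.net", 443, "TCP", "Blob storage, log upload, Docker images"),
    AllowEntry("horizonedgeprod.azurecr.io", 443, "TCP", "Docker image registry auth"),
    AllowEntry("edgehubprodna.azure-devices.net", 443, "TCP", "control plane (North America)"),
    AllowEntry("vmwareprod.wavefront.com", 443, "TCP", "operation metrics"),
    AllowEntry("eventproxy.na1.data.vmwservices.com", 443, "TCP", "Workspace ONE Intelligence"),
    AllowEntry("monitor.horizon.vmware.com", 1514, "TCP", "system monitoring"),
    AllowEntry("monitor.horizon.vmware.com", 1515, "TCP", "system monitoring"),
    AllowEntry("azcopyvnext.azureedge.net", 443, "TCP", "deployment log upload"),
    AllowEntry("management.azure.com", 443, "TCP", "Microsoft component patching"),
    AllowEntry("login.microsoftonline.com", 443, "TCP", "Microsoft component patching"),
    AllowEntry("mcr.microsoft.com", 443, "TCP", "Microsoft component patching"),
    AllowEntry("*.data.mcr.microsoft.com", 443, "TCP", "Microsoft component patching"),
    AllowEntry("packages.microsoft.com", 443, "TCP", "Microsoft component patching"),
    AllowEntry("acs-mirror.azureedge.net", 443, "TCP", "Microsoft component patching"),
    AllowEntry("time.google.com", 123, "UDP", "time synchronization"),
    AllowEntry("security.ubuntu.com", 80, "TCP", "Ubuntu patching"),
    AllowEntry("azure.archive.ubuntu.com", 80, "TCP", "Ubuntu patching"),
    AllowEntry("changelogs.ubuntu.com", 80, "TCP", "Ubuntu patching"),
    AllowEntry("motd.ubuntu.com", 80, "TCP", "Ubuntu patching"),
]


def host_matches(pattern: str, host: str) -> bool:
    """True if host is covered by pattern.

    '*.example.com' covers 'a.example.com' and 'a.b.example.com' but not the
    apex 'example.com' and not 'xexample.com'. Exact patterns must match exactly.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern


def is_allowed(host: str, port: int, protocol: str = "TCP", entries=MANAGEMENT_ALLOW_LIST) -> bool:
    """Whether a (host, port, protocol) seen in logs is covered by the allow list."""
    return any(e.port == port and e.protocol == protocol and host_matches(e.host, host)
               for e in entries)


def tcp_connect(host: str, port: int, timeout: float = 5.0):
    """Default connector: resolve and open a TCP connection. Returns None on
    success or the error text on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)


def check_entries(entries=MANAGEMENT_ALLOW_LIST, connect=tcp_connect) -> dict:
    """Map (host, port) -> 'REACHABLE', 'UNREACHABLE: <error>' or 'SKIPPED: <why>'.

    Wildcards cannot be connected to, and a UDP port cannot be confirmed with a
    connect() test, so both are reported as SKIPPED rather than guessed.
    """
    results = {}
    for e in entries:
        key = (e.host, e.port)
        if e.host.startswith("*."):
            results[key] = "SKIPPED: wildcard pattern, test a concrete host instead"
        elif e.protocol != "TCP":
            results[key] = f"SKIPPED: {e.protocol} reachability cannot be confirmed by connect()"
        else:
            err = connect(e.host, e.port)
            results[key] = "REACHABLE" if err is None else f"UNREACHABLE: {err}"
    return results


def all_reachable(results: dict) -> bool:
    """True when no entry is UNREACHABLE (SKIPPED entries do not fail the run)."""
    return not any(v.startswith("UNREACHABLE") for v in results.values())


if __name__ == "__main__":
    for (host, port), status in check_entries().items():
        print(f"{host}:{port}\t{status}")
```

Rerun the script until `all_reachable()` holds, then use `is_allowed()` against denied-connection log lines to distinguish a missing allow-list entry from traffic that is simply not part of this deployment.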

Allow URL for the Tenant (Desktop) Subnet - Global VM Hub DNS Hostname

If using a global VM Hub instance suits the needs of your site, when you deploy a Horizon Edge Gateway, allow the URL listed in the following table.

Destination (DNS Name): *.horizon.vmware.com
Port: 443
Protocol: TCP
Purpose: For agent related operations, such as certificate signing using VM Hub and renewal.

Allow URLs for the Tenant (Desktop) Subnet - Regional VM Hub DNS Hostnames

If using regional VM Hub instances suits the needs of your site, when you deploy a Horizon Edge Gateway in a given region, allow the two URLs that correspond to that region, as indicated in the following table.

The port, protocol, and purpose for each regional VM Hub instance match those for a global VM Hub instance, as follows.

Port: 443
Protocol: TCP
Purpose: For agent related operations, such as certificate signing using VM Hub and renewal.

For the following Azure regions: westus2, westus, westus3, westcentralus, centralus
Allow the following Destination (DNS Name) URLs:
  • cloud-sg-us-r-westus2.horizon.vmware.com
  • cloud-sg-us-r-westus2-mqtt.horizon.vmware.com

For the following Azure regions: eastus2, eastus, southcentralus, northcentralus, canadacentral, canadaeast, brazilsouth, brazilsoutheast, usgovvirginia
Allow the following Destination (DNS Name) URLs:
  • cloud-sg-us-r-eastus2.horizon.vmware.com
  • cloud-sg-us-r-eastus2-mqtt.horizon.vmware.com

For the following Azure regions: northeurope, norwaywest, norwayeast, uaecentral, uaenorth, uksouth, ukwest, westeurope
Allow the following Destination (DNS Name) URLs:
  • cloud-sg-eu-r-northeurope.horizon.vmware.com
  • cloud-sg-eu-r-northeurope-mqtt.horizon.vmware.com

For the following Azure regions: germanywestcentral, germanynorth, swedencentral, swedensouth, francecentral, francesouth, switzerlandnorth, switzerlandwest
Allow the following Destination (DNS Name) URLs:
  • cloud-sg-eu-r-germanywestcentral.horizon.vmware.com
  • cloud-sg-eu-r-germanywestcentral-mqtt.horizon.vmware.com

For the following Azure regions: japanwest, japaneast
Allow the following Destination (DNS Name) URLs:
  • cloud-sg-jp-r-japaneast.horizon.vmware.com
  • cloud-sg-jp-r-japaneast-mqtt.horizon.vmware.com

For the following Azure regions: australiaeast, australiacentral, australiacentral2, australiasoutheast
Allow the following Destination (DNS Name) URLs:
  • cloud-sg-jp-r-australiaeast.horizon.vmware.com
  • cloud-sg-jp-r-australiaeast-mqtt.horizon.vmware.com

For the following Azure regions: centralindia, jioindiawest, jioindiacentral, southindia, westindia
Allow the following Destination (DNS Name) URLs:
  • cloud-sg-jp-r-centralindia.horizon.vmware.com
  • cloud-sg-jp-r-centralindia-mqtt.horizon.vmware.com

Allow URLs for Proxy Enablement

If you plan to use a proxy server to control the traffic flow from your environment, open the required ports to allow the Horizon Edge Gateway to reach the proxy server. When the format of your Microsoft Azure Edge is Edge Gateway (AKS), see Outbound network and FQDN rules for Azure Kubernetes Service (AKS) clusters.