To create a Horizon Edge deployment and install or update appliance modules, you must allow the appropriate URLs on the respective ports.

For the following tables, the listed purposes are in the context of a Horizon Edge deployment.

Allow URLs for the Management Subnet and Check URL Access

Allow the appropriate URLs according to your site location and needs.

Destination (DNS name) Port Protocol Purpose
  • *
443 TCP Used for programmatic access to the Azure Blob Storage.

Used to download the Docker images from those DNS addresses that the appliance's module requires.

*, or one of the region-specific names that follows, depending on which regional control plane applies to your tenant account:

North America:







443 / TCP TCP Used to connect the appliance to the Horizon Cloud control plane, to download configurations for the appliance's module, and to update the appliance's module's runtime status. 443 TCP Used for sending operation metrics to VMware Tanzu® Observability™ by Wavefront. VMware operators receive the data with which to support customers.

Tanzu Observability is a streaming analytics platform. You can send your data to Tanzu Observability and view and interact with the data in custom dashboards. See the documentation for VMware Tanzu Observability by Waveftont.

*, or one of the region-specific names that follow, depending on which regional Workspace ONE Intelligence target applies to your tenant account:
443 TCP Used for sending events or metrics to Workspace ONE Intelligence.

See Workspace ONE Intelligence.

If your firewall or network security group (NSG) supports the use of service tags, apply Azure service tag AzureCloud. If your firewall or NSG does not support the use of service tags, use the host name 1514 and 1515 TCP Used for system monitoring. 443 TCP Used to upload deployment logs to Azure Blob Storage for troubleshooting purposes.
  • *
443 HTTPS Used for patching Microsoft components of the Horizon Edge Gateway. 123 UDP Used for time synchronization.
80 HTTP Used for patching Ubuntu components.
Determine If the Management Subnet URLs Are Reachable

The Horizon Cloud Service next-gen Edge Subnet URL Checker tool is a VMware Fling that you can use to check the preceding list of management subnet URLs. If you are not registered at, sign up now.

After you are registered, visit The tool is a .exe file. To download and use the tool on the Windows 10 or later based virtual machine on the network where your Horizon Edge resides, perform the steps that follow.

  1. Download the Horizon Cloud Service next-gen Edge Subnet URL Checker onto your Windows virtual machine deployed on the Horizon Edge network.
  2. Double click the file to run the executable.

    A dialog box appears.

  3. Click Yes.
  4. Open the output folder at C:/VMwareURLCheckerOutput/.

    The folder contains the output files for each regional control plane.

  5. Open the output file of the region where you are deploying the Horizon Edge to determine if the necessary URLs are accessible.
    The following details apply.
    • The file displays the status of the required URLs for the Management subnet.
    • The expected status for each URL is REACHABLE.
    • When a URL has a status of UNREACHABLE, view the error message and make the necessary changes to unblock the issue.
  6. Rerun the executable as necessary until the status for all domains in your desired region is REACHABLE.

Allow URL for the Tenant Subnet - Global VM Hub DNS Hostname

If using a global VM Hub instance suits the needs of your site, when you deploy a Horizon Edge Gateway, allow the URL listed in the following table.

Destination (DNS Name) Port Protocol Purpose
* 443 TCP For agent related operations, such as certificate signing using VM Hub and renewal.

Allow URLs for the Tenant Subnet - Regional VM Hub DNS Hostnames

If using regional VM Hub instances suits the needs of your site, when you deploy a Horizon Edge Gateway in a given region, use the two corresponding URLs, as indicated.

The port, protocol, and purpose for each regional VM Hub instance matches those for a global VM Hub instance, as such.

Port 443
Protocol TCP
Purpose For agent related operations, such as certificate signing using VM Hub and renewal.
For the Following Azure Regions Allow the Following Destination (DNS Name) URLs
  • westus2
  • westus
  • westus3
  • westcentralus
  • centralus
  • eastus2
  • eastus
  • southcentralus
  • northcentralus
  • canadacentral
  • canadaeast
  • brazilsouth
  • brazilsoutheast
  • usgovvirginia
  • northeurope
  • norwaywest
  • norwayeast
  • uaecentral
  • uaenorth
  • uksouth
  • ukwest
  • westeurope
  • germanywestcentral
  • germanynorth
  • swedencentral
  • swedensouth
  • francecentral
  • francesouth
  • switzerlandnorth
  • switzerlandwest
  • japaneast
  • australiaeast
  • jioindiawest