This documentation page describes the Horizon Universal Console Add Horizon Edge UI flow which you use to deploy a Horizon Edge into your Microsoft Azure subscription.

Introduction

The Horizon Edge is a thin-edge cloud infrastructure. For Microsoft Azure deployments, an Azure subscription is the provider.

After your environment is configured with at least one Active Directory domain and an identity provider, the console makes this Add Horizon Edge UI flow available.

Deployment Types

A Horizon Edge deployed in Microsoft Azure uses either the Edge Gateway (VM) format or the Edge Gateway (AKS) format.

You decide which type to use, based on the qualities you need.

Deployment Type: AKS

  Key Qualities:
  • Supports more than 5K (5000) sessions
  • Azure Kubernetes Service has Microsoft-related requirements that must be met
  • The SSO login experience and monitoring data collection are handled through replicated services, so those functions fail over fully if a service instance fails.

  Details:
  AKS is a Microsoft Azure standard for enterprise cloud-native apps in Microsoft Azure data centers.

  The AKS type provides an Edge Gateway with a clustered architecture that provides replicated services supporting the SSO login experience and monitoring data collection.

Deployment Type: VM

  Key Qualities:
  • Supports up to 5K (5000) sessions
  • Fewer prerequisites in the Microsoft Azure subscription than for the AKS type
  • If at some future time the deployed VM is unavailable, the resulting behavior is:
    • End users will have to log in without single sign-on (SSO)
    • Monitoring data for the desktops will not be recorded during the period the VM is unavailable.

  Details:
  Even though the VM type is simpler to deploy because it has fewer prerequisites than the AKS type, if the deployed VM becomes unavailable:

  • The end users will see the login flow without the SSO login experience. For example, they'll have to sign in using their Active Directory credentials.
  • The desktops' monitoring data that is sent to the Edge Gateway VM is not recorded during the period the VM is unavailable.

Prerequisites

Before doing these steps in the console, you must verify that you or your IT team have completed the following listed items.

Important: As you select items in the console UI, the system will attempt to confirm that specific items are in place, and if those requirements are unfulfilled, you will be blocked from completing the UI steps.

For example, when deploying the AKS deployment type, if the selected NAT gateway in Cluster outbound type is not connected to the selected Management Subnet, when you click Deploy, the UI will display a message and prevent further progress. At that point, you'll have to back out of the wizard, complete that requirement to connect the NAT gateway with the management subnet, and restart the wizard from the beginning.

  • Review the Requirements Checklist for Deploying a Microsoft Edge and ensure that those requirements are fulfilled.
  • Review the preparatory items described in the hyperlinked pages within the page Microsoft Azure Deployments, Horizon Edge - Preparing to Deploy and ensure that those items are completed.
  • Verify you have the Azure subscription information, network information, FQDNs, and such items so that you can specify those in the wizard's fields and lists.
  • Verify that the necessary outbound ports are allowed. See Make Appropriate Destination URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment.
  • If you plan to use a proxy server for routing traffic, it must be reachable via the Edge management subnet.
  • Decide whether you want this Horizon Edge's primary provider to be dedicated to the Horizon Edge Gateway and Unified Access Gateway instances, or if you want the primary provider to also deliver the end-user desktops and applications.
    Note: If you want the primary provider dedicated to this Horizon Edge's gateway appliances, you'll need the Azure subscription information for the wizard's step of specifying a secondary provider for the desktops and applications.

Starting the Deployment Wizard

The console makes the Add Horizon Edge wizard available from various entry points. Your starting point in the console for this step typically depends on whether your environment is greenfield or it has existing deployments of Horizon Edge for Horizon 8 or for Microsoft Azure.

No Horizon Edges yet - start from the console's Horizon Edge card

If your environment has zero Horizon Edges, you usually start the wizard by clicking START DEPLOYMENT on that card.

The following screenshot illustrates this Horizon Edge card.

Screenshot: Add Horizon Edge page where you can create a Horizon Edge definition.

No Horizon Edges - alternatively, start from the console's Capacity page

If there are no Horizon Edges deployed in the environment yet, the Capacity page contains explanatory text and a Start menu. In this scenario, you can start the wizard by navigating to Resources > Capacity and clicking Start > Microsoft Azure.

At least one Horizon Edge - start from the console's Capacity page

If there is at least one Horizon Edge deployed in the environment, the Capacity page contains a grid that lists the existing Horizon Edges. In this scenario, you can start the wizard by navigating to Resources > Capacity and clicking Add > Microsoft Azure.

After using one of those three methods to start the wizard, the console displays Add Horizon Edge, starting at the wizard's step 1.

Screenshot: Horizon Edge page where you enter a unique name for the Horizon Edge definition.

General Information

Add a unique Horizon Edge Name that will distinguish this Horizon Edge from others you'll see in the console. You can add an optional description.

Primary Provider

Complete this section. When you have completed this step, continue to the next step.

  1. For Azure Subscription, either select one of your environment's existing providers or use Add New to provide new provider subscription information.

    When adding new provider subscription information, provide:

    • A unique name for this provider that will distinguish it from others you'll see in the console.
    • Your Microsoft Azure subscription ID from the Microsoft Azure Portal.
    • The Azure Cloud type, Azure region, and directory ID applicable for that Microsoft Azure subscription ID.
    • The service principal's information (the Application ID and Application Key) that you created in the Microsoft Azure portal for this purpose.
  2. If you want to dedicate this provider to the Horizon Edge Gateway and Unified Access Gateway instances and use a separate provider for delivering end-user entitled resources, then select the displayed checkbox.

    If unselected, this provider will also deliver the end-user entitled resources.

  3. Optionally, you can specify Azure resource tags to use for this Horizon Edge deployment by expanding the UI to see this section.
  4. Optionally, in this UI step, you can add up to four additional service principals (Application ID and Application Key pairs).

Secondary Providers

Adding secondary providers to a Horizon Edge is optional.

The secondary provider must be in the same Azure region as the primary provider.

For each secondary provider, you can add up to five unique service principals, for a maximum total Horizon Edge capacity of 20,000 VMs.

Networks

In the Networks section, select the tenant (desktop) subnets you want to use for the primary and secondary providers.

You can select the subnets at a later stage. However, the system prevents deploying any resources into a provider until the Horizon Edge has at least one associated tenant subnet.

Site

In the Site section, select from an existing site in your environment or select Add New to add new site information. For a new site, provide a unique name and an optional description.

Connectivity

Complete the Connectivity section. When you have completed this step, continue to the next step.

  1. Select the type of network connection to use for this Horizon Edge, either Azure Private Link or Internet.

    For more information about this requirement, see Microsoft Azure Subscription Requirements.

  2. In the App Volumes Application Storage section, select the subnet for the Azure private endpoint.
    Note: It is recommended that after configuring the private endpoint, end users log out from their virtual machines and log in again.

    Option: Use Edge Gateway management subnet
    Description: The Edge Gateway management subnet is where the private endpoint resource is created. It is recommended to use this default option.

    Option: Configure custom subnet
    Description: Ensure that you have set up the prerequisites. For information about these prerequisites, see Azure Private Endpoint for an App Volumes Application Storage Account.
    1. Select the confirmation check boxes.
    2. Select a virtual network from the Private Endpoint vNet drop-down.
    3. Select the corresponding subnet from the Subnet drop-down.

    After the Horizon Edge is deployed and the private endpoint is successfully created, status of the private endpoint is Configured. If the status is Not Configured, the private endpoint can be configured again using the Configure Private Endpoint option in the App Volumes Application Storage section of the Horizon Edge. For more information about using this option, see the Configure Private Endpoint for an App Volumes Application Storage Account section in Horizon Edge Details.

    If there are connectivity issues between any of the existing desktop pools and file shares affecting application delivery and you want to revert to the public network access for the storage account until you troubleshoot these issues, then you can use the Remove Private Endpoint option. This option removes the configured private endpoint and automatically enables public network access for the storage account in the Azure portal. After fixing the issues, you can configure the private endpoint using the Configure Private Endpoint option.

Horizon Edge Gateway

In the Horizon Edge Gateway section, select a deployment type (Azure Kubernetes Service or Single Virtual Machine).

After selecting a deployment type, configure the Horizon Edge Gateway settings using the instructions for that specific deployment type, as follows.

When you have completed the UI fields as displayed for your chosen deployment type, follow the on-screen prompts.

  • Azure Kubernetes Service - This option is for Edge Gateway (AKS). The following screenshot shows the type of information displayed and prompted for when you select the Azure Kubernetes Service deployment type.

    Screenshot: the Horizon Edge Gateway step of the wizard for adding the Edge Gateway (AKS) deployment type.

  • Single Virtual Machine - This option is for Edge Gateway (VM). The following screenshot shows the type of information displayed and prompted for when you select the Single Virtual Machine deployment type.

    Screenshot: the Horizon Edge Gateway step of the wizard for adding the Edge Gateway (VM) deployment type.

Note: The UI displays a High Availability label based on the selected deployment type. It cannot be edited later. For the Single Virtual Machine deployment type, the displayed string means that if the VM is unavailable, the end users will see the login flow without the SSO login experience and the desktops' monitoring data will not be recorded during the period the VM is unavailable. For the Azure Kubernetes Service deployment type, the displayed string means the SSO login experience and monitoring data collection are handled through replicated services that enable a full failover of those functions.

Deployment Type Steps

Azure Kubernetes Service (AKS)

For the Azure Kubernetes Service option,

  1. Select Cluster Outbound Type from NAT gateway and User defined routes.

    The default selection is NAT gateway. If you select NAT gateway, then a NAT gateway must be associated to the management subnet. If you select User defined routes, then a route table must be attached to the management subnet with the default route configured with a next hop type of virtual appliance. For more information, see Network Requirements. Also, the required ports and URLs must be reachable, or the AKS Edge deployment might fail. For more information, see Make Appropriate Destination URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment.

    AKS adds entries to the route table on the management subnet for internal routing of Kubernetes pods. Do not remove the entries.

    Cluster Outbound Type cannot be edited after the Horizon Edge is created.

  2. Select the User assigned managed identity that has the required roles.

    For more information on User assigned managed identity, see Requirements Checklist for Deploying a Microsoft Azure Edge.

  3. In the Virtual Network sub-section, select a virtual network for your site.

    The virtual networks available are determined by the previously selected Microsoft Azure region. To create a new virtual network, go to the Microsoft Azure portal.

  4. Select the Management Subnet to use for Horizon Edge Gateway and Unified Access Gateway instances.

    Ensure that the Management subnet selected is configured with a NAT gateway because a Horizon Edge using an AKS cluster needs a NAT Gateway for outbound connectivity.

    Caution: Ensure that the selected Management subnet is not used by another AKS cluster. See Network Requirements.
  5. In the Service CIDR text box, enter the IP address range for this CIDR.

    Provide a minimum of /27 range. Ensure that this CIDR range is not used by any network element on or connected to the Management Subnet’s virtual network. Ensure that this CIDR range does not conflict with other important IP addresses, such as the DNS server IP, AD server IP or Unified Access Gateway IP addresses.

  6. In the Pod CIDR text box, enter the IP address range for this CIDR.

    Provide a minimum of /21 range. Ensure that this CIDR range is not used by any network element on or connected to the Management Subnet’s virtual network. Ensure that this CIDR range does not conflict with other important IP addresses, such as the DNS server IP, AD server IP or Unified Access Gateway IP addresses.

  7. Optionally adjust the default AKS Cluster DNS Prefix.
  8. To enable Single Sign-On for resources that are part of this Horizon Edge, toggle Use SSO and select the appropriate configuration from the SSO Configurations drop-down menu.
  9. To route outbound requests through a proxy server, enable Use outbound proxy.
    1. Enter a name and the IP address of the proxy server.
    2. Enter the port number where the HTTP/TCP proxy listens for HTTP/HTTPS traffic.
    3. To add a certificate for SSL/TLS secure communication, select Enable SSL.

      Horizon Cloud Service only supports SSL authentication. User name and password authentication is not supported.

    4. Upload a proxy certificate.

      Horizon Cloud Service only supports certificates in PEM format. The certificate must support Subject Alternative Names (SANs) instead of the deprecated Common Names.

  10. Click Deploy to activate the Horizon Edge creation process.
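The wizard only reports an unmet AKS requirement when you click Deploy, and then you have to back out and restart from step 1. The following pre-flight script is an added example, not part of the Horizon documentation or product: it checks the same inputs before you open the wizard. It goes beyond the single NAT gateway case from the Prerequisites section by covering both Cluster Outbound Type options and the Service CIDR and Pod CIDR rules from steps 5 and 6. It assumes the subnet and route-table documents have the JSON shape returned by `az network vnet subnet show` and `az network route-table show` (the `natGateway`, `routeTable`, `routes`, `addressPrefix` and `nextHopType` keys); the subscription ID, resource names and IP addresses below are constructed sample values.

```python
"""Pre-flight check for the Edge Gateway (AKS) wizard inputs (added example).

Rules checked, as described in the AKS deployment type steps:
  * Cluster Outbound Type "NAT gateway": a NAT gateway must be associated with
    the management subnet.
  * Cluster Outbound Type "User defined routes": a route table must be attached
    to the management subnet and its 0.0.0.0/0 default route must use the next
    hop type VirtualAppliance.
  * Service CIDR at least a /27, Pod CIDR at least a /21, and neither may overlap
    the virtual network or addresses such as the DNS, AD or UAG IPs.
"""
import ipaddress
import json

# Constructed sample: management subnet with a route table but no NAT gateway,
# in the shape that `az network vnet subnet show` returns.
SAMPLE_SUBNET_JSON = """{
  "name": "mgmt-subnet",
  "addressPrefix": "10.10.0.0/26",
  "natGateway": null,
  "routeTable": {"id": "/subscriptions/<subscription-id>/resourceGroups/rg-edge/providers/Microsoft.Network/routeTables/rt-mgmt"}
}"""

# Constructed sample: the attached route table, default route via a network
# virtual appliance, in the shape that `az network route-table show` returns.
SAMPLE_ROUTE_TABLE_JSON = """{
  "name": "rt-mgmt",
  "routes": [
    {"name": "default", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.10.1.4"}
  ]
}"""


def check_outbound_type(outbound_type, subnet, route_table=None):
    """Return the problems found for the chosen Cluster Outbound Type ([] if OK)."""
    problems = []
    if outbound_type == "NAT gateway":
        if not subnet.get("natGateway"):
            problems.append("NAT gateway: no NAT gateway is associated with the management subnet")
    elif outbound_type == "User defined routes":
        if not subnet.get("routeTable"):
            problems.append("User defined routes: no route table is attached to the management subnet")
        else:
            routes = (route_table or {}).get("routes", [])
            default = [r for r in routes if r.get("addressPrefix") == "0.0.0.0/0"]
            if not default:
                problems.append("User defined routes: the route table has no 0.0.0.0/0 default route")
            elif default[0].get("nextHopType") != "VirtualAppliance":
                problems.append("User defined routes: default route next hop type is %s, expected VirtualAppliance"
                                % default[0].get("nextHopType"))
    else:
        problems.append("unknown Cluster Outbound Type: %r" % (outbound_type,))
    return problems


def check_cidrs(service_cidr, pod_cidr, vnet_prefixes, reserved_ips):
    """Return the problems found with the Service CIDR and Pod CIDR ([] if OK)."""
    problems = []
    networks = {}
    for label, cidr, min_prefix in (("Service CIDR", service_cidr, 27), ("Pod CIDR", pod_cidr, 21)):
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append("%s %r is not a valid network: %s" % (label, cidr, exc))
            continue
        if net.prefixlen > min_prefix:  # a larger prefix length is a smaller range
            problems.append("%s %s is smaller than the /%d minimum" % (label, net, min_prefix))
        networks[label] = net
    if len(networks) == 2 and networks["Service CIDR"].overlaps(networks["Pod CIDR"]):
        problems.append("Service CIDR and Pod CIDR overlap")
    for label, net in networks.items():
        for prefix in vnet_prefixes:
            if net.overlaps(ipaddress.ip_network(prefix)):
                problems.append("%s %s overlaps the virtual network address space %s" % (label, net, prefix))
        for name, ip in reserved_ips.items():
            if ipaddress.ip_address(ip) in net:
                problems.append("%s %s contains the %s address %s" % (label, net, name, ip))
    return problems


def preflight(outbound_type, subnet_json, route_table_json, service_cidr, pod_cidr, vnet_prefixes, reserved_ips):
    """Run both checks over az CLI JSON output and return every problem found."""
    subnet = json.loads(subnet_json)
    route_table = json.loads(route_table_json) if route_table_json else None
    return (check_outbound_type(outbound_type, subnet, route_table)
            + check_cidrs(service_cidr, pod_cidr, vnet_prefixes, reserved_ips))


if __name__ == "__main__":
    # Constructed addresses that live on the sample virtual network 10.10.0.0/16.
    reserved = {"DNS server": "10.10.0.10", "AD server": "10.10.0.11", "UAG": "10.10.2.4"}
    for problem in preflight("User defined routes", SAMPLE_SUBNET_JSON, SAMPLE_ROUTE_TABLE_JSON,
                             "10.240.0.0/27", "10.244.0.0/21", ["10.10.0.0/16"], reserved):
        print("BLOCKER:", problem)
```

Feed it the real `az` output for your management subnet and route table; an empty result means the wizard's NAT gateway or user-defined-route check and the CIDR sizing rules should pass, and each reported line is a requirement to fix before starting the wizard rather than after clicking Deploy.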

Single Virtual Machine

For the Single Virtual Machine option,

  1. In the Virtual Network sub-section, select a virtual network for your site.

    The virtual networks available are determined by the previously selected Microsoft Azure region. To create a new virtual network, go to the Microsoft Azure portal.

  2. Select the Management Subnet to use for Horizon Edge Gateway and Unified Access Gateway instances.
  3. To enable Single Sign-On for resources that are part of this Horizon Edge, toggle Use SSO and select the appropriate configuration from the SSO Configurations drop-down menu.
  4. To route outbound requests through a proxy server, enable Use outbound proxy.
    1. Optionally, select Proxy settings from another Horizon Edge.
    2. Enter a name and the IP address of the proxy server.
    3. Enter the port number where the HTTP/TCP proxy listens for HTTP/HTTPS traffic.
    4. Optionally, if the proxy server requires credentials, enter the Username and Password.
    5. To add a certificate for SSL/TLS secure communication, select Enable SSL.
  5. Click Deploy to activate the Horizon Edge creation process.

Unified Access Gateway

In the Unified Access Gateway section, complete the fields required for your deployment.

When you have completed the UI fields, continue to the next step.

  1. Select the Access Type.

    Three options are available:

    • Internal access over a corporate network - if you want to reach your VMs via intranet (internal corporate network) only. A layer 4 load balancer will be deployed with a frontend in the Desktop network.
    • External access over the internet - if you want to reach your VMs via the Internet. A layer 4 load balancer will be deployed with a public IP.
    • Internal and external access - allow both internal and external access.
    Note: For all three options, outbound Internet access to *.horizon.vmware.com is still required. See Unified Access Gateway Requirements. When using Internal access over a corporate network, either user-defined routing or a NAT Gateway can be applied to the Management subnet to allow outbound traffic. When external access is configured with a DMZ network, external access to *.horizon.vmware.com must be configured on the DMZ network.
  2. Keep the Automatic Public IP for UAG toggle switched on, or switch it off if you prefer to provide a public IP manually.

    The toggle is switched on by default. If a manual custom IP is selected an external UAG will be deployed with a private front-end IP address on the DMZ network. You must then take care of the routing from this private IP address to the customer provided public one.

    Provide the FQDN for the Unified Access Gateway deployment.

  3. For the Certificate Type field select between PEM and PFX from the drop-down menu.
  4. In the Certificate field, upload the certificate that allows clients to trust connections to the Unified Access Gateway in Microsoft Azure.
  5. Select the VM Model from the available VM models in the menu.
  6. Add a value in the UAG VMs field.
  7. Click Save.

What to do next

After you complete this procedure, you must create DNS records that match the FQDN you entered for the Unified Access Gateway instances. See Configure Required DNS Records After Deploying Horizon Edge Gateway and Unified Access Gateway.

Note: After you complete the Horizon Cloud deployment and entitle desktops or applications to end users, be aware of how the following Unified Access Gateway behavior affects and benefits end users using Horizon HTML Access (the web client).

For Unified Access Gateway 2203.1 or later, if a Unified Access Gateway instance goes into maintenance mode or enters an unhealthy state and becomes inaccessible, ongoing sessions for end users using Horizon HTML Access will reconnect to a healthy Unified Access Gateway instance. The reconnection period can take a couple of minutes.

Be aware that refreshing the SSL certificate for the Unified Access Gateway terminates end user sessions.