This documentation page describes the Horizon Universal Console Add Horizon Edge UI flow which you use to deploy a Horizon Edge into your Microsoft Azure subscription.
The Horizon Edge is a thin-edge cloud infrastructure. For Microsoft Azure deployments, the Azure subscription is the provider. A Horizon Edge deployed in Microsoft Azure uses the Azure Kubernetes Service (AKS) to host the Horizon Edge Gateway, which provides high availability.
After your environment is configured with at least one Active Directory domain and an identity provider, the console makes this Add Horizon Edge UI flow available.
Before doing these steps in the console, you must verify that you or your IT team have completed the following listed items.
For example, if the selected NAT gateway in Cluster outbound type is not connected to the selected Management Subnet, when you click Deploy, the UI will display a message and prevent further progress. At that point, you'll have to back out of the wizard, complete that requirement to connect the NAT gateway with the management subnet, and restart the wizard from the beginning.
- Review the Requirements Checklist for Deploying a Microsoft Edge and ensure that those requirements are fulfilled.
- Review the preparatory items described in the hyperlinked pages within the page Microsoft Azure Deployments, Horizon Edge - Preparing to Deploy and ensure that those items are completed.
- Verify you have the Azure subscription information, network information, FQDNs, and such items so that you can specify those in the wizard's fields and lists.
- Verify that the necessary outbound ports are allowed. See Make Appropriate Destination URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment on Horizon Cloud Service - next-gen.
- If you plan to use a proxy server for routing traffic, it must be reachable via the Edge management subnet.
- Decide whether you want this Horizon Edge's primary provider to be dedicated to the Horizon Edge Gateway and Unified Access Gateway instances, or if you want the primary provider to also deliver the end-user desktops and applications.
Note: If you want the primary provider dedicated to this Horizon Edge's gateway appliances, you'll need the Azure subscription information for the wizard's step of specifying a secondary provider for the desktops and applications.
- Start the console's Add Horizon Edge wizard.
The console makes the Add Horizon Edge wizard available from various entry points. Your starting point in the console for this step typically depends on whether your environment is greenfield or it has existing deployments of Horizon Edge for Horizon 8 or for Microsoft Azure.
After using one of those three methods to start the wizard, the console displays Add Horizon Edge, starting at the wizard's step 1.
- No Horizon Edges yet - start from the console's Horizon Edge card
If your environment has zero Horizon Edges, you usually start the wizard by clicking
The following screenshot illustrates this Horizon Edge card.
- No Horizon Edges - alternatively, start from the console's Capacity page
- If there are no Horizon Edges deployed in the environment yet, the Capacity page contains text and a Start menu. In this scenario, you can start the wizard by navigating to and clicking .
- At least one Horizon Edge - start from the console's Capacity page
- If there is at least one Horizon Edge deployed in the environment yet, the Capacity page contains a grid that lists the existing Horizon Edges. In this scenario, you can start the wizard navigating to and clicking .
- In the General Information section, add a unique Horizon Edge Name.
- In the Primary Provider section, select Add New in the Azure Subscription field to add a new subscription and a unique Provider Name.
- Add your Microsoft Azure subscription ID from the Microsoft Azure Portal in the Subscription ID field.
- In the Azure Cloud Type field, select the Microsoft Azure Cloud type associated with your Microsoft Azure subscription from the drop-down menu.
- Select the Azure Region from the available regions in the drop-down menu.
- In the Directory ID field, add the Directory ID from your Microsoft Azure Portal.
- In the Service Principal sub-section, add the Application ID and Application Key created in the Microsoft Azure portal.
- Select the checkbox to dedicate the primary provider to the deployment of Horizon gateway appliances: Horizon Edge Gateway and Unified Access Gateway.
If not selected, the provider will also deliver desktops and applications.
- Optionally, you can add a name and value pair for up to 10 Azure Resource Tags.
- You can also add up to four Additional Service Principals.
- You can also add up to three unique Secondary Providers and five unique service principals per provider, for a maximum total Horizon Edge capacity of 20,000 VMs.
The secondary provider must be in the same Azure region as the primary provider.
- In the Networks section, Select Tenant (desktop) subnets for the Primary Provider and the Secondary Providers.
You can select the subnets at a later stage. However, you can't deploy any resources into a provider until you select at least one subnet.
- In the Site section select Add New from the drop-down menu in the Site field and add the Site Name.
- In the Connectivity section, select the type of network connection from Microsoft Azure Private Link and Internet to establish for your Horizon Edge.
For more information about this requirement, see Microsoft Azure Subscription Requirements .
- In the Horizon Edge Gateway section, select Cluster Outbound Type from NAT gateway and User defined routes.
The default selection is NAT gateway. If you select NAT gateway, then a NAT gateway must be associated to the management subnet. If you select User defined routes, then a route table must be attached to the management subnet with default route pointing to an NVA. For more information, see Network Requirements. Also, the required ports and urls must be reachable, or the AKS Edge deployment might fail. For more information, see Make Appropriate Destination URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment on Horizon Cloud Service - next-gen.AKS adds entries to the route table on the management subnet for internal routing of Kubernetes pods. Do not remove the entries.Cluster Outbound Type cannot be edited after the Horizon edge creation.
- In the Edge Gateway section, select the User assigned managed identity that has the required roles.
For more information on User assigned managed identity, see Requirements Checklist for Deploying a Microsoft Azure Edge.
- In the Virtual Network sub-section, select a virtual network for your site.
The virtual networks available are determined by the previously selected Microsoft Azure region. To create a new virtual network, go to the Microsoft Azure portal.
- Select the Management Subnet to use for Horizon Edge Gateway and Unified Access Gateway instances.
Ensure that the Management subnet selected is configured with a NAT gateway because a Horizon Edge using an AKS cluster needs a NAT Gateway for outbound connectivity.Caution: Ensure that the selected Management subnet is not used by another AKS cluster. See Network Requirements.
- In the Service CIDR text box, enter the IP address range for this CIDR.
Provide a minimum of /27 range. Ensure that this CIDR range is not be used by any network element on or connected to the Management Subnet’s virtual network. Ensure that this CIDR range does not conflict with other important IP addresses, such as the DNS server IP, AD server IP or Unified Access Gateway IP addresses.
- In the Pod CIDR text box, enter the IP address range for this CIDR.
Provide a minimum of /21 range. Ensure that this CIDR range is not used by any network element on or connected to the Management Subnet’s virtual network. Ensure that this CIDR range does not conflict with other important IP addresses, such as the DNS server IP, AD server IP or Unified Access Gateway IP addresses.
- To route outbound requests through a proxy server, enable Use outbound proxy.
- Enter a name and the IP address of the proxy server.
- Enter the port number where the HTTP/TCP proxy listens for HTTP/HTTPS traffic.
- To add a certificate for SSL/TLS secure communication, select Enable SSL.
Horizon Cloud Service only supports SSL authentication. User name and password authentication is not supported.
- Upload a proxy certificate.
Horizon Cloud Service only supports certificates in PEM format. The certificate must support Subject Alternative Names (SANs) instead of the deprecated Common Names.
- Click Deploy to activate the Horizon Edge creation process.
- In the Unified Access Gateway section, select the Access Type.
Three options are available:
Note: For all the three options, outbound Internet access to *.horizon.vmware.com is still required. See Unified Access Gateway Requirements. When Allow Internal Access Over a Corporate Network is the Unified Access Gateway Access Type, either user defined routing or NAT Gateway can be applied to the Management subnet to allow outbound traffic. When the Unified Access Gateway Access Type is configured externally with a DMZ network, external access to *.horizon.vmware.com must be configured on the DMZ network.
- Internal - if you want to reach your VMs via intranet (internal corporate network) only. A layer 4 load balancer will be deployed with a frontend in the Desktop network.
- External - if you want to reach your VMs via the Internet. A layer 4 load balancer will be deployed with a public IP.
- Internal and External - allow both internal and external access.
- You select the toggle to enable Automatic Public IP for UAG, or switch off if you prefer to go with manual public IP.
The toggle is switched on by default. If a manual custom IP is deployed you must take care of the routing from the UAG private IP to the given public IP.
- For the Certificate Type field select between PEM and PFX from the drop-down menu.
- In the Certificate field, upload the certificate that allows clients to trust connections to the Unified Access Gateway in Microsoft Azure.
- Select the VM Model from the available VM models from the menu..
- Add a value in the UAG VMs field.
- Click Save.
- On the Getting Started Completed tile, click Continue to navigate to the Horizon Universal Console Home page.
What to do next
For Unified Access Gateway 2203.1 or later, if a Unified Access Gateway instance goes into maintenance mode or enters an unhealthy state and becomes inaccessible, ongoing sessions for end users using Horizon HTML Access will reconnect to a healthy Unified Access Gateway instance. The reconnection period can take a couple of minutes.