For every Horizon Cloud node deployed into your Microsoft Azure cloud, a network security group (NSG) is also created in the node's resource group. This NSG's purpose is to serve as a template that enables you to open additional ports that might be needed for the remote applications or RDS desktops provided by your farms.

In Microsoft Azure, a network security group (NSG) governs the network traffic to the resources connected to Azure Virtual Networks (VNet). An NSG defines the security rules that allow or deny that network traffic. For more detailed information about how NSGs filter network traffic, see the Microsoft Azure documentation topic Filter network traffic with network security groups.

When a Horizon Cloud node is deployed into Microsoft Azure, an NSG named vmw-hcs-nodeUUID-nsg-template is created in the same resource group as the node, named vmw-hcs-nodeUUID (where nodeUUID is the UUID for that particular node).

By default, the node's template NSG is configured with no outbound security rules and with the following inbound security rules. These default inbound security rules support your end users' access to their RDS session desktops and remote applications using Blast and PCoIP, and USB redirection.

Table 1. Inbound Security Rules in the Node's Template NSG

| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 1000 | AllowBlastUdpIn | 22443 | UDP | Internet | Any | Allow |
| 1100 | AllowBlastTcpIn | 22443 | TCP | Internet | Any | Allow |
| 1200 | AllowPcoipTcpIn | 4172 | TCP | Internet | Any | Allow |
| 1300 | AllowPcoipUdpIn | 4172 | UDP | Internet | Any | Allow |
| 1400 | AllowTcpSideChannelIn | 9427 | TCP | Internet | Any | Allow |
| 1500 | AllowUsbRedirectionIn | 32111 | TCP | Internet | Any | Allow |

In addition to this template NSG, when a farm is created, the system creates an NSG for that farm by copying the template NSG. Every farm has its own NSG that is a copy of the template NSG. A farm's NSG is assigned to the NICs of that farm's server virtual machines (VMs). By default, every farm uses the same default security rules as configured in the node's template NSG.

You can modify both the template NSG and the per-farm NSGs. For example, if you have an application in a farm that you know needs an additional port opened for that application, you would modify that farm's NSG to allow network traffic on that port. If you are planning to create multiple farms that need the same port opened, a simple way to support that scenario is to edit the template NSG prior to creating those farms.

Important:

When planning to modify the base template, make a copy before modifying it. The copy can serve as a backup in case you need to revert to the original default settings.
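Because both the template NSG and each per-farm copy can be edited, it helps to check periodically how far an NSG has drifted from the Table 1 defaults. The following is an added example, not part of the original documentation or the product: it assumes the NSG has been exported as JSON in the shape produced by `az network nsg show` (a `securityRules` list), and the helper `_rule`, the sample farm NSG, its `AllowAppIn` rule and port 8443 are constructed for illustration.

```python
# Added example: report how an NSG differs from the Table 1 default inbound rules.
# Field names follow the securityRules entries in `az network nsg show` JSON output.

# Table 1 baseline: rule name -> (priority, destination port, protocol)
BASELINE = {
    "AllowBlastUdpIn": (1000, "22443", "udp"),
    "AllowBlastTcpIn": (1100, "22443", "tcp"),
    "AllowPcoipTcpIn": (1200, "4172", "tcp"),
    "AllowPcoipUdpIn": (1300, "4172", "udp"),
    "AllowTcpSideChannelIn": (1400, "9427", "tcp"),
    "AllowUsbRedirectionIn": (1500, "32111", "tcp"),
}

def audit_nsg(nsg):
    """Return a sorted list of findings where `nsg` departs from the defaults."""
    findings, seen = [], set()
    for rule in nsg.get("securityRules", []):
        name = rule["name"]
        if rule["direction"].lower() == "outbound":
            # The template ships with no outbound rules, so any one is a change.
            findings.append(f"outbound rule added: {name}")
            continue
        port = str(rule.get("destinationPortRange"))
        proto = rule["protocol"].lower()
        source = rule.get("sourceAddressPrefix")
        if name not in BASELINE:
            findings.append(f"extra inbound rule: {name} port {port}/{proto} from {source}")
            continue
        seen.add(name)
        unchanged = ((rule["priority"], port, proto) == BASELINE[name]
                     and rule["access"] == "Allow" and source == "Internet")
        if not unchanged:
            findings.append(f"default rule modified: {name}")
    findings += [f"default rule missing: {n}" for n in BASELINE if n not in seen]
    return sorted(findings)

def _rule(name, priority, port, protocol, source="Internet"):
    # Hypothetical helper that builds one constructed inbound allow rule.
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": "Allow", "protocol": protocol, "sourceAddressPrefix": source,
            "destinationAddressPrefix": "*", "destinationPortRange": port}

# Constructed sample data: an untouched template and an edited farm copy.
TEMPLATE_NSG = {"name": "vmw-hcs-nodeUUID-nsg-template", "securityRules": [
    _rule(n, prio, port, proto.capitalize()) for n, (prio, port, proto) in BASELINE.items()]}
FARM_NSG = {"name": "sample-farm-nsg", "securityRules": [
    r for r in TEMPLATE_NSG["securityRules"] if r["name"] != "AllowUsbRedirectionIn"
] + [_rule("AllowAppIn", 1600, "8443", "Tcp", source="10.0.0.0/24")]}

if __name__ == "__main__":
    for nsg in (TEMPLATE_NSG, FARM_NSG):
        print(nsg["name"], audit_nsg(nsg) or "matches Table 1 defaults")
```

Running the same check against the backup copy of the template confirms that the backup still holds the original default settings.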