After the first node deployment, you can deploy additional nodes from the Capacity page.

About this task

When you add a new node, you can use the same subscription that you used before for your previous nodes, or you can use a different subscription if required by your organization. If you plan to use different subscription, you must perform the steps described in Getting Started with VMware Horizon Cloud Service on Microsoft Azure to obtain the subscription ID, directory ID, application ID, and application key. You can find the getting started document online here.


The IP addresses mentioned in these steps are examples. You should use the address ranges that meet your organization's needs. For each step that mentions an IP address range, substitute ones that are applicable for your organization.


The first node must be completely deployed and the Active Directory domain-bind and domain-join steps completed before you can deploy additional nodes.

Verify that you have the management subnet, desktop subnet, and DMZ subnet (when choosing Internet-enabled desktops) that you want to use. You enter these subnets in the wizard using CIDR notation (classless inter-domain routing notation). The wizard will display an error if the entered subnets overlap. For the management and DMZ subnets, a CIDR of at least /28 is required. If you want to keep the management and DMZ subnet ranges co-located, you can make the DMZ subnet the same as the management subnet with an IP specified. For example, if the management subnet is, the DMZ subnet would be


The CIDRs you enter must be defined so that each combination of prefix and bit mask results in an IP address range having the prefix as the starting IP address. Microsoft Azure requires that the CIDR prefix be the start of the range. For example, a correct CIDR of would result in an IP range of to, and the prefix is the same as the starting IP address ( However, an incorrect CIDR of would result in an IP range of to, where the starting IP address is not the same as the prefix of Ensure that your CIDRs result in IP address ranges where the starting IP address matches the CIDR prefix.

If you are planning to use the Unified Access Gateway capability to have Internet-enabled desktops, you must have the required fully qualified domain name (FQDN) which your end users will use to access the service and have a signed SSL certificate (in PEM format) based on that FQDN. The certificate must be signed by a trusted CA.


  1. In the Administration Console, navigate to Settings > Capacity.
  2. Click New > Node
  3. Click Select under the Microsoft Azure option.
    The Add Cloud Capacity wizard opens to its first step.

  4. Select the subscription to use for the new node or select Add New to specify a new subscription.
    • If you select an existing subscription, the remaining fields populate with that subscription's information and you can click Next to go to the next step.

    • If you select Add New, provide the required information and then click Next.



      Subscription Name

      When providing new subscription information, enter a friendly name so you can identify this subscription from other previously entered subscriptions.


      Select the cloud environment associated with your subscription.

      Subscription ID

      Enter your cloud capacity subscription ID (in UUID form). This subscription ID must be valid for the environment you selected. For Microsoft Azure, you can obtain this UUID from your Microsoft Azure portal's Subscriptions area.

      Directory ID

      Enter your Microsoft Azure AD Directory ID (in UUID form). For Microsoft Azure, you can obtain this UUID from your Microsoft Azure Active Directory properties in the Microsoft Azure portal.

      Application ID

      Enter the application ID (in UUID form) associated with the service principal you created in the Microsoft Azure portal. Creating an application registration and its associated service principal in your Microsoft Azure Active Directory is a prerequisite.

      Application Key

      Enter the key value for the service principal's authentication key that you created in the Microsoft Azure portal. Creating this key is a prerequisite.

    When you click Next, in the case where you added a new subscription, the system verifies the validity of all of the specified values and whether they are appropriately related to each other, such as:

    • Is the specified subscription ID valid in the selected environment.

    • Are the specified directory ID, application ID, and application key valid in that subscription.

    • Is the Contributor role configured on the application's service principal for the specified application ID.

    If you see an error message about checking values, at least one of the values is invalid either by not existing in your subscription or not having a valid relationship with another of the values. For example, if you specified a Directory ID that is in your subscription but you specified an Application ID value that is in a different directory, the error message will display.

    More than one value might be invalid if that error message appears. If you see that error message, verify the subscription-related information that you collected and the configuration of the service principal.

  5. In this step of the wizard, provide the required networking information.



    Node Name

    Enter a friendly name for this node. This name is used in the Administration Console to identify this node from your other nodes.


    Select an existing location or click Add to specify a new one.

    Locations group your nodes according to names you provide (Business Unit A, Business Unit B, East Coast Stores, and so on).

    Microsoft Azure Region

    Select the physical geographic Microsoft Azure region into which you want this node to be deployed. You can select the same region that was used for other nodes or a different region. The available regions in this list are determined by the Environment setting in the first wizard step.

    Consider choosing the region based on its proximity to the end users you intend to serve with this node. Nearer proximity would provide lower latency.


    Optional: Enter a description for this node.

    Virtual Network

    Select a virtual network (vnet) from the list. You can select the same one that was used for your other nodes or a different one.

    Only vnets that exist in the region selected in the Microsoft Azure Region field are shown here. You must have already created the vnet you want to use in that region in your Microsoft Azure subscription.

    Management Subnet (CIDR)

    Enter a subnet (in CIDR notation) to which the node and Unified Access Gateway instances get connected, such as For the management subnet, a CIDR of at least /28 is required.

    Desktop Subnet (CIDR)

    Enter the subnet (in CIDR notation) to which all of this node's RDSH servers for end-user remote desktops and applications get connected, such as Minimum: /28. Recommended: /22.

    NTP Servers

    Enter the list of NTP servers to use for time synchronization, separated by commas (for example,

    Internet Enabled Desktops?

    When Yes is selected, access to desktops and applications is enabled for users located outside of your corporate network. The node includes a load balancer and Unified Access Gateway instances to enable this access.


    Leaving the default Yes setting is recommended.

    When set to No, clients must connect directly to the node and not through Unified Access Gateway. In this case, some post-deployment steps are required, as described in Suggested Workflow for a Horizon Cloud Node in Microsoft Azure.


    Enter the required fully qualified domain name (FQDN), such as, which your end users will use to access the service. You must own that domain name and have a certificate in PEM format that can validate that FQDN.

    DMZ Subnet (CIDR)

    Enter the subnet (in CIDR notation) for the DMZ (demilitarized zone) network that will be configured to connect the Unified Access Gateway instances to the load balancer.


    Upload the certificate in PEM that Unified Access Gateway will use to allow clients to trust connections to the Unified Access Gateway instances running in Microsoft Azure. The certificate must be based on the FQDN you entered and be signed by a trusted CA.

  6. Click Validate & Proceed.

    When you click Validate & Proceed, the system verifies the validity and appropriateness of your specified values, such as:

    • Are the subnets valid and non-overlapping with other networks in the selected region within your subscription.

    • Are there enough virtual machine (VM) and cores in your subscription's quota to build out the node.

    • Is the certificate in the correct PEM format.

    If everything validates OK, the summary page displays.

  7. Review the summarized information and click Submit

    The system starts deploying the node into your Microsoft Azure environment.


Deploying the node can take up to an hour. Until the node is successfully deployed, a progress icon is displayed for that node. You might need to refresh the screen in your browser to see the updating progress.


When deploying additional nodes in Microsoft Azure China cloud, the process can take longer than an hour to complete. The process is subject to geographic network issues that can cause slow download speeds as the binaries are downloaded from the cloud control plane.