You run the node deployment wizard to deploy the component called a Horizon Cloud node, or node for short. This component pairs with Horizon Cloud so that you can use your Microsoft Azure capacity with Horizon Cloud.

About this task


The IP addresses mentioned in these steps are examples. You should use the address ranges that meet your organization's needs. For each step that mentions an IP address range, substitute ones that are applicable for your organization.


Verify that all of the preparatory tasks are completed, as described in Preparing to Deploy a Horizon Cloud Node Into Microsoft Azure.

Verify that you have an existing virtual network in your Microsoft Azure subscription, and in the region in which you are deploying the node, as described in Configure the Required Virtual Network in Microsoft Azure.

Verify that the virtual network is configured to point to a DNS server that can resolve external addresses.

Verify that the management subnet, desktop subnet, and DMZ subnet (when choosing Internet-enabled desktops) that you want to use do not overlap. You enter these subnets using CIDR notation (classless inter-domain routing notation). The wizard will display an error if the entered subnets overlap. For the management and DMZ subnets, a CIDR of at least /28 is required. If you want to keep the management and DMZ subnet ranges co-located, you can make the DMZ subnet the same as the management subnet with an IP specified. For example, if the management subnet is, the DMZ subnet would be


The CIDRs you enter must be defined so that each combination of prefix and bit mask results in an IP address range having the prefix as the starting IP address. Microsoft Azure requires that the CIDR prefix be the start of the range. For example, a correct CIDR of would result in an IP range of to, and the prefix is the same as the starting IP address ( However, an incorrect CIDR of would result in an IP range of to, where the starting IP address is not the same as the prefix of Ensure that your CIDRs result in IP address ranges where the starting IP address matches the CIDR prefix.
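As an added example (not part of the original documentation or of the product), the following Python function pre-checks the subnet rules described above before the values are entered in the wizard: each CIDR prefix must be the first address of its range, each subnet must be /28 or larger, and the subnets must not overlap. The addresses are constructed sample values, `check_subnets` is a hypothetical helper name, and the co-located DMZ option is not modeled.

```python
import ipaddress

MIN_PREFIXLEN = 28  # assumption: "at least /28" means 16 or more addresses

# Constructed sample values, not taken from the product documentation.
GOOD = {"management": "192.168.8.0/27", "desktop": "192.168.12.0/22",
        "dmz": "192.168.8.32/27"}
BAD = {"management": "192.168.8.8/27",   # prefix is not the start of the range
       "desktop": "192.168.8.0/22",      # contains the management range
       "dmz": "192.168.20.0/29"}         # smaller than /28


def check_subnets(subnets):
    """Return a list of problems for a {name: cidr} mapping (empty means OK)."""
    problems, parsed = [], {}
    for name, cidr in subnets.items():
        try:
            # strip(): values pasted from a portal may carry spaces or tabs
            iface = ipaddress.ip_interface(cidr.strip())
        except ValueError as exc:
            problems.append(f"{name}: not a valid CIDR ({exc})")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            problems.append(f"{name}: {iface.ip} is not the start of its range, use {net}")
        if net.prefixlen > MIN_PREFIXLEN:
            problems.append(f"{name}: /{net.prefixlen} is smaller than /{MIN_PREFIXLEN}")
        parsed[name] = net
    names = sorted(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if parsed[first].overlaps(parsed[second]):
                problems.append(f"{first} overlaps {second}: "
                                f"{parsed[first]} and {parsed[second]}")
    return problems


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_subnets(sample) or "no problems found")
```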

If you are planning to use the Unified Access Gateway capability to have Internet-enabled desktops, you must have the required fully qualified domain name (FQDN) that your end users will use to access the service, and a signed SSL certificate (in PEM format) based on that FQDN. The certificate must be signed by a trusted CA.


  1. Log in to the Horizon Cloud Administration Console at using your My VMware account ID and password.
    A My VMware account ID has the form of

    The My VMware account login screen for Horizon Cloud

    After signing in, the Horizon Cloud Administration Console opens. When you have no existing nodes, the Getting Started wizard is displayed by default with the Capacity section expanded.

    Getting Started screen's Capacity area with no nodes

  2. In the Add Cloud Capacity area, click Add.
    The Add Cloud Capacity wizard opens to its first step.

  3. Provide the required information.

    If you use your mouse, keyboard, or touchpad to copy and paste a value from the Microsoft Azure portal user interface directly into one of these fields, ensure the copy action does not include any extra spaces or tabs at the beginning or end of the value before pasting it into the field.



    Apply Subscription

    Select the name of a previously entered subscription or select Add New to enter new subscription information.

    Subscription Name

    When providing new subscription information, enter a friendly name so you can identify this subscription from other previously entered subscriptions.


    Select the cloud environment associated with your subscription.

    Subscription ID

    Enter your cloud capacity subscription ID (in UUID form). This subscription ID must be valid for the environment you selected. For Microsoft Azure, you can obtain this UUID from your Microsoft Azure portal's Subscriptions area.

    Directory ID

    Enter your Microsoft Azure AD Directory ID (in UUID form). For Microsoft Azure, you can obtain this UUID from your Microsoft Azure Active Directory properties in the Microsoft Azure portal.

    Application ID

    Enter the application ID (in UUID form) associated with the service principal you created in the Microsoft Azure portal. Creating an application registration and its associated service principal in your Microsoft Azure Active Directory is a prerequisite.

    Application Key

    Enter the key value for the service principal's authentication key that you created in the Microsoft Azure portal. Creating this key is a prerequisite.

  4. Click Next.

    When you click Next, the system verifies the validity of all of the specified values and whether they are appropriately related to each other, such as:

    • Is the specified subscription ID valid in the selected environment?

    • Are the specified directory ID, application ID, and application key valid in that subscription?

    • Is the Contributor role configured on the application's service principal for the specified application ID?

    If you see an error message about checking values, at least one of the values is invalid either by not existing in your subscription or not having a valid relationship with another of the values. For example, if you specified a Directory ID that is in your subscription but you specified an Application ID value that is in a different directory, the error message will display.

    More than one value might be invalid if that error message appears. If you see that error message, verify the subscription-related information that you collected and the configuration of the service principal.

  5. In this step of the wizard, provide the required networking information.



    Node Name

    Enter a friendly name for this node. This name is used in the Administration Console to identify this node from your other nodes.


    Select an existing location or click Add to specify a new one.

    Locations group your nodes according to names you provide (Business Unit A, Business Unit B, East Coast Stores, and so on).

    Microsoft Azure Region

    Select the physical geographic Microsoft Azure region into which you want the node to be deployed. The available regions are determined by the previously selected Microsoft Azure environment.

    Consider choosing the region based on its proximity to the end users you intend to serve with this node. Nearer proximity would provide lower latency.


    Optional: Enter a description for this node.

    Virtual Network

    Select a virtual network from the list.

    Only virtual networks (vnets) that exist in the region selected in the Microsoft Azure Region field are shown here. You must have already created the vnet you want to use in that region in your Microsoft Azure subscription.

    Management Subnet (CIDR)

    Enter a subnet (in CIDR notation) to which the node and Unified Access Gateway instances get connected, such as For the management subnet, a CIDR of at least /28 is required.

    Desktop Subnet (CIDR)

    Enter the subnet (in CIDR notation) to which all of this node's RDSH servers for end-user remote desktops and applications get connected, such as Minimum: /28. Recommended: /22.

    NTP Servers

    Enter the list of NTP servers to use for time synchronization, separated by commas (for example,

    Internet Enabled Desktops?

    When Yes is selected, access to desktops and applications is enabled for users located outside of your corporate network. The node includes a load balancer and Unified Access Gateway instances to enable this access.


    Leaving the default Yes setting is recommended.

    When set to No, clients must connect directly to the node and not through Unified Access Gateway. In this case, some post-deployment steps are required. See the information in VMware Horizon Cloud Service on Microsoft Azure Administration Guide.


    Enter the required fully qualified domain name (FQDN), such as, which your end users will use to access the service. You must own that domain name and have a certificate in PEM format that can validate that FQDN.

    DMZ Subnet (CIDR)

    Enter the subnet (in CIDR notation) for the DMZ (demilitarized zone) network that will be configured to connect the Unified Access Gateway instances to the load balancer.


    Upload the certificate in PEM format that Unified Access Gateway will use to allow clients to trust connections to the Unified Access Gateway instances running in Microsoft Azure. The certificate must be based on the FQDN you entered and be signed by a trusted CA.

  6. Click Validate & Proceed.

    When you click Validate & Proceed, the system verifies the validity and appropriateness of your specified values, such as:

    • Are the subnets valid and non-overlapping with other networks in the selected region within your subscription?

    • Are there enough virtual machines (VMs) and cores in your subscription's quota to build out the node?

    • Is the certificate in the correct PEM format?

    If everything validates OK, the summary page displays.

  7. Review the summarized information and click Submit.

    The system starts deploying the node into your Microsoft Azure environment.


Deploying your first node can take up to an hour. Until the node is successfully deployed, a progress icon is displayed in the Administration Console's Getting Started screen. You might need to refresh the screen in your browser to see the progress.


When deploying a node in Microsoft Azure China cloud, the process can take up to seven (7) hours to complete. The process is subject to geographic network issues that can cause slow download speeds as the binaries are downloaded from the cloud control plane.

When the node is successfully deployed, a green checkmark is displayed in the Getting Started screen along with a message about completing the domain join process.


If the deployment process fails for some reason or if you dislike the values you used and want to start over before registering your Active Directory domain, a Delete button is displayed. Click the Delete button to delete the artifacts that were deployed. When the screen indicates the node is successfully deleted, you can start the process over by clicking Add again.

What to do next

Expand the General Setup section of the Horizon Cloud Getting Started wizard and complete the required task of registering an Active Directory domain. Registering Active Directory is the next required step. After registering the domain, you continue management of this node in the Administration Console. See the Getting Started chapter of VMware Horizon Cloud Service on Microsoft Azure Administration Guide.

After registering the Active Directory domain, follow the Getting Started wizard to see which task to complete next.

If you deployed the node with the Internet-Enabled Desktops option set to Yes (the default), before your end users can access their RDS desktops and remote applications, you must configure a CNAME record in your DNS server to map the auto-generated public FQDN of the node's deployed load balancer to the FQDN that you entered in the deployment wizard. The public load balancer IP address has an auto-generated public FQDN in the form, where nodeID is the node's UUID and region is the Microsoft Azure region where the node is located. Your DNS server record maps that auto-generated public FQDN of the load balancer with the FQDN that your end users will use, and which is used in the uploaded certificate.

For the steps to obtain the load balancer's public FQDN in the Microsoft Azure portal, see the VMware Horizon Cloud Service on Microsoft Azure Administration Guide.