When the Microsoft Azure VNet that is used by your pods is configured for NSX Cloud, you are able to leverage the features of NSX-T Data Center network virtualization with those pods' farms and VDI desktop assignments. You can use the micro-segmentation features of NSX Cloud to restrict access between farm RDSH instances and VDI desktops even when those virtual machines are in the same tenant subnet.
For the specific version of NSX-T Data Center that is supported for this integration, see the documentation topic Horizon Cloud — Environments, Operating Systems, and Compatibility.
NSX Cloud integrates the NSX-T Data Center core components, NSX Manager and NSX Controllers, with your Microsoft Azure cloud environment. For an overview of the NSX Cloud architecture and components, see NSX Cloud Architecture and Components in the VMware NSX-T Data Center documentation. The core NSX Cloud components are:
- NSX Manager
- NSX Controller
- Cloud Service Manager (CSM)
- NSX Public Cloud Gateway (PCG)
- NSX Agent
One requirement of using NSX Cloud with your Microsoft Azure environment is that you must establish a connection between your Microsoft Azure VNet and your on-premises NSX-T Data Center appliances. Because Microsoft Azure does not allow you to modify a VNet's CIDR block after a VNet is peered or after attaching a VPN Gateway, ensure you have checked all of the values you want to use before you attach the VNet to the VPN Gateway. For a workflow of the high-level steps for connecting NSX Cloud to your public cloud, see Day-0 Workflow for Connecting NSX Cloud with Your Public Cloud.
The following table is a high-level summary of the end-to-end steps to enable using the NSX Cloud features with your pod's RDSH VMs and VDI desktop VMs. Some of the links in the Details column open the relevant NSX-T Data Center version 2.4 documentation topics. If you are using NSX-T Data Center 2.3 instead, when you take one of the links below to the 2.4 version topic, you can use the upper blue menu to switch to the 2.3 version of the same documentation topic. The following screenshot illustrates the position of that blue menu for the Deploy or Link NSX Public Cloud Gateways topic.
| High-Level Step | Details |
|---|---|
| Install CSM in your on-premises NSX-T environment and connect it with NSX Manager. | Refer to the NSX-T Data Center documentation topic here. |
| Enable the ports and protocols that are required for hybrid connectivity. | Refer to the NSX-T Data Center documentation topic here. |
| Peer your Microsoft Azure VNet with your on-premises NSX-T Data Center environment. | Refer to the NSX-T Data Center documentation topic here. |
| Enable CSM to access your Microsoft Azure inventory. | Refer to the NSX-T Data Center documentation topic here. |
| Deploy the NSX Cloud PCG on the configured Microsoft Azure VNet. | Refer to the NSX-T Data Center documentation topics: |
| Create a VM and import it into Horizon Cloud using the Import Virtual Machine from Marketplace wizard. | See Create a Base Virtual Machine Automatically from the Microsoft Azure Marketplace and Pair it with Horizon Cloud. To make it easy to install the required NSX agent, a best practice is to select the option for a public IP address. Note: When importing the VM, select the options for optimizing the VM and, for Windows 10, removing Windows Store Apps. Using those options helps prevent sysprep issues when subsequently sealing the image. |
| Connect to the imported VM and install the required NSX agent. | Install the NSX Agent in the Horizon Cloud Imported Image VM |
| Publish the image. | Convert a Configured Image VM to an Assignable Image in Horizon Cloud |
| Create farms and VDI desktop assignments using that image and the setting to enable NSX Cloud management for that farm or assignment. When the RDSH VMs and VDI desktop VMs are created, they appear in your NSX Cloud inventory. | |
| Enable the distributed firewall rules in NSX Manager that will allow communication with the RDSH VMs and VDI desktop VMs. | Because NSX Cloud will block these communications by default, you must enable some distributed firewall rules in NSX Manager to allow communication with the NSX-managed VMs that are provisioned from the pod. See Firewall Rules Required in NSX Manager for Pod-Provisioned VMs. If you are using NSX-T Data Center 2.4, in addition to enabling the firewall rules, you must also add a forwarding policy to route the traffic pertaining to the NSX-managed VMs over the Microsoft Azure cloud's network (underlay). See Add the Required Forwarding Policy in NSX Manager for the Pod-Provisioned VMs. |
| Use NSX Cloud features with the RDSH VMs and VDI desktop VMs in your NSX Cloud inventory. | See this NSX Cloud topic and its subtopics in the NSX-T Data Center Administration Guide. |
Horizon Cloud Workflows and NSX Cloud
When you create an RDSH farm or a VDI desktop assignment in your Horizon Cloud pod using a golden image VM that you configured with the NSX agent, you can decide whether to enable NSX Cloud management on that farm or VDI desktop assignment. When you enable NSX Cloud management for a farm or VDI desktop assignment, all of the virtual machines (VMs) in that farm or VDI desktop assignment are tagged for use in NSX Cloud. You specify NSX Cloud management when you create the farm or VDI desktop assignment, and you cannot change that state after the farm or assignment is created. The Horizon Cloud workflows to create a farm and a VDI desktop assignment include a toggle for enabling use of NSX Cloud with the farm's RDSH instances or the VDI desktop assignment's virtual desktops. For details of those workflows, see:
- Create a Farm
- Create a Dedicated VDI Desktop Assignment Provisioned by a Single Pod in Microsoft Azure
- Create a Floating VDI Desktop Assignment Provisioned by a Single Pod in Microsoft Azure
Setting the NSX Cloud Managed toggle to Yes when creating a farm or VDI desktop assignment gives the resulting farm's RDSH VMs or VDI desktop VMs a custom tag named nsx.network=default. The NSX Cloud PCG manages all VMs that have that tag. NSX Cloud automatically discovers the VMs in your configured Microsoft Azure VNet that have this tag and includes these VMs in your public cloud inventory. You can then manage and secure those VMs using the CSM component of NSX-T Data Center. For details, see this NSX Cloud topic and its subtopics in the NSX-T Data Center Administration Guide.
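To confirm which VMs actually carry the tag, and so fall under NSX Cloud management, the following added example (not part of the VMware documentation) audits a VM inventory exported as JSON. The sample records are constructed in the shape of `az vm list -o json` output, and grouping by resource group is an assumption of this example.

```python
import json

NSX_TAG = ("nsx.network", "default")  # tag name and value as stated on this page

# Constructed sample, shaped like `az vm list -o json` output (only fields used here).
SAMPLE_VMS = json.loads("""[
 {"name": "rdsh-0", "resourceGroup": "farm-rg", "tags": {"nsx.network": "default"}},
 {"name": "rdsh-1", "resourceGroup": "FARM-RG", "tags": null},
 {"name": "vdi-0",  "resourceGroup": "vdi-rg",  "tags": {"nsx.network": "default"}},
 {"name": "vdi-1",  "resourceGroup": "vdi-rg",  "tags": {"NSX.Network": "Default"}},
 {"name": "jump-0", "resourceGroup": "util-rg", "tags": {"env": "mgmt"}}
]""")


def classify_vm(vm):
    """Return 'managed', 'near_miss' or 'untagged' for one VM record."""
    tags = vm.get("tags") or {}  # the CLI emits null when a VM has no tags
    if tags.get(NSX_TAG[0]) == NSX_TAG[1]:
        return "managed"
    # Azure tag names are case-insensitive and values case-sensitive, so a
    # differently-cased name or another value is reported for review rather
    # than assumed to be NSX-managed.
    if any(k.lower() == NSX_TAG[0] for k in tags):
        return "near_miss"
    return "untagged"


def audit(vms):
    """Map resource group -> status -> VM names, in input order."""
    report = {}
    for vm in vms:
        rg = vm["resourceGroup"].lower()  # resource group names are case-insensitive
        statuses = report.setdefault(
            rg, {"managed": [], "near_miss": [], "untagged": []})
        statuses[classify_vm(vm)].append(vm["name"])
    return report


def mixed_groups(report):
    """Groups where only some VMs carry the exact tag (assumes one farm or
    assignment per resource group, which this page does not state)."""
    return sorted(rg for rg, s in report.items()
                  if s["managed"] and (s["near_miss"] or s["untagged"]))


if __name__ == "__main__":
    result = audit(SAMPLE_VMS)
    print(json.dumps(result, indent=2))
    print("mixed coverage:", mixed_groups(result))
```

Because the toggle applies to every VM in a farm or assignment and cannot be changed after creation, a group with mixed coverage is worth investigating as a tag that was altered or removed after provisioning.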
Some limitations apply when using the NSX Cloud management feature with your pods in Horizon Cloud:
- You cannot edit the name of a farm or VDI desktop assignment that has NSX Cloud management enabled.
- To use both disk encryption and the NSX Cloud management features for a floating VDI desktop assignment, you must install the latest version of the NSX agent. That combination is not supported with previous NSX agent versions.