When the Microsoft Azure VNet that is used by your pods is configured for NSX Cloud, you are able to leverage the features of NSX-T Data Center network virtualization with those pods' farms and VDI desktop assignments. You can use the micro-segmentation features of NSX Cloud to restrict access between farm RDSH instances and VDI desktops even when those virtual machines are in the same tenant subnet.
For the specific version of NSX-T Data Center that is supported for this integration with the current pod manifest for the current Horizon Cloud Service version, see the documentation topic Horizon Cloud — Environments, Operating Systems, and Compatibility.
Horizon Cloud integration is supported with NSX Cloud management components — NSX Manager and Cloud Service Manager (CSM) — deployed either on-premises or, starting with NSX-T Data Center version 3.1.1, natively in Microsoft Azure. For an overview of the NSX Cloud architecture and components, see NSX Cloud Architecture and Components in the VMware NSX-T Data Center documentation.
One requirement of using NSX Cloud with your Microsoft Azure environment is that you must establish a connection between your Microsoft Azure VNet and your on-premises NSX-T Data Center appliances. Because Microsoft Azure does not allow you to modify a VNet's CIDR block after a VNet is peered or after attaching a VPN Gateway, ensure you have checked all of the values you want to use before you attach the VNet to the VPN Gateway. For a workflow of the high-level steps for connecting NSX Cloud to your public cloud, see the version 3.1 topic Integrate Horizon Cloud Service with NSX Cloud in the NSX-T Data Center documentation.
The following table is a high-level summary of the end-to-end steps to enable using the NSX Cloud features with your pod's RDSH VMs and VDI desktop VMs. Some of the links in the Details column open the relevant NSX-T Data Center version 3.1 documentation topics.
|High-Level Step|Details|
|---|---|
|Integrate Horizon Cloud with NSX Cloud for use with the Horizon Cloud pod|Refer to the NSX-T Data Center documentation topic Integrate Horizon Cloud Service with NSX Cloud. Important: If you intend to create App Volumes assignments in the pod, you must manually open port 445/TCP for the pod's tenant subnet in your NSX firewall rules after you deploy the NSX PCG and before you create your first App Volumes assignment using that pod. As stated in App Volumes Applications for Horizon Cloud on Microsoft Azure - Overview and Prerequisites, to support the use of the App Volumes features that are supported for use with a Horizon Cloud pod, you must configure port 445 for TCP protocol traffic on the pod's tenant subnet.|
|Create a VM and import it into Horizon Cloud using the Import Virtual Machine from Marketplace wizard.|See Create a Base Virtual Machine Automatically from the Microsoft Azure Marketplace and Pair it with Horizon Cloud on a Per-Pod Basis. To make it easy to install the required NSX agent, a best practice is to select the option for a public IP address. Note: When importing the VM, select the options for optimizing the VM and, for Windows 10, removing Windows Store Apps. Using those options helps prevent sysprep issues when subsequently sealing the image.|
|Connect to the imported VM and install the required NSX Tools.|Install the NSX Tools in the Horizon Cloud Imported Image VM|
|Publish the image.|Convert a Configured Image VM to an Assignable Image in Horizon Cloud on a Per-Pod Basis|
|Create farms and VDI desktop assignments using that image and the setting to enable NSX Cloud management for that farm or assignment. When the RDSH VMs and VDI desktop VMs are created, they appear in your NSX Cloud inventory.||
|Enable the distributed firewall rules in NSX Manager that will allow communication with the RDSH VMs and VDI desktop VMs|Because NSX Cloud will block these communications by default, you must enable some distributed firewall rules in NSX Manager to allow communication with the NSX-managed VMs that are provisioned from the pod. See Firewall Rules Required in NSX Manager for Pod-Provisioned VMs. If you are using NSX-T Data Center 2.4, in addition to enabling the firewall rules, you must also add a forwarding policy to route the traffic pertaining to the NSX-managed VMs over the Microsoft Azure cloud's network (underlay). See Add the Required Forwarding Policy in NSX Manager for the Pod-Provisioned VMs.|
|Use NSX Cloud features with the RDSH VMs and VDI desktop VMs in your NSX Cloud inventory.|See this NSX Cloud topic and its subtopics in the NSX-T Data Center Administration Guide.|
Horizon Cloud Workflows and NSX Cloud
When you create an RDSH farm or a VDI desktop assignment in your Horizon Cloud pod using a golden image VM that you configured with the NSX agent, you can decide whether to enable NSX Cloud management on that farm or VDI desktop assignment. When you enable NSX Cloud management for a farm or VDI desktop assignment, all of the virtual machines (VMs) in that farm or VDI desktop assignment are tagged for use in NSX Cloud. You specify NSX Cloud management when you create the farm or VDI desktop assignment, and you cannot change that state after the farm or assignment is created. The Horizon Cloud workflows to create a farm and a VDI desktop assignment include a toggle for enabling use of NSX Cloud with the farm's RDSH instances or the VDI desktop assignment's virtual desktops. For details of those workflows, see:
- Horizon Cloud Pods - Create a Farm
- Create a Dedicated VDI Desktop Assignment Provisioned by a Single Pod in Microsoft Azure
- Create a Floating VDI Desktop Assignment Provisioned by a Single Pod in Microsoft Azure
Setting the NSX Cloud Managed toggle to Yes when creating a farm or VDI desktop assignment gives the resulting farm's RDSH VMs or VDI desktop VMs a custom tag named nsx.network=default. The NSX Cloud PCG manages all VMs that have that tag. NSX Cloud automatically discovers the VMs in your configured Microsoft Azure VNet that have this tag and includes these VMs in your public cloud inventory. You can then manage and secure those VMs using the CSM component of NSX-T Data Center. For details, see this NSX Cloud topic and its subtopics in the NSX-T Data Center Administration Guide.
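Because the nsx.network=default tag is what places a VM under NSX Cloud management, tag coverage is worth auditing. The following is an added example, not part of the VMware documentation: a Python check over `az vm list -o json` output that reports, per resource group, which VMs carry the tag. The sample JSON, the VM and resource group names, and the grouping of one farm or assignment per resource group are constructed assumptions.

```python
import json
from collections import defaultdict

NSX_TAG_KEY = "nsx.network"   # tag name stated on the page
NSX_TAG_VALUE = "default"     # tag value stated on the page

# Constructed sample, trimmed to the fields of `az vm list -o json`
# that this audit reads. Names and resource groups are hypothetical.
SAMPLE_VM_LIST = json.dumps([
    {"name": "farm-a-0", "resourceGroup": "rg-farm-a", "tags": {"nsx.network": "default"}},
    {"name": "farm-a-1", "resourceGroup": "rg-farm-a", "tags": {"NSX.Network": "default"}},
    {"name": "vdi-b-0", "resourceGroup": "rg-vdi-b", "tags": {"nsx.network": "default"}},
    {"name": "vdi-b-1", "resourceGroup": "rg-vdi-b", "tags": None},
    {"name": "farm-c-0", "resourceGroup": "rg-farm-c", "tags": {"nsx.network": "Default"}},
    {"name": "farm-c-1", "resourceGroup": "rg-farm-c", "tags": {"env": "test"}},
])


def is_nsx_tagged(vm):
    """True if the VM carries nsx.network=default."""
    tags = vm.get("tags") or {}   # untagged VMs report tags as null
    # Azure tag names are case-insensitive; tag values are case-sensitive.
    return any(k.lower() == NSX_TAG_KEY and v == NSX_TAG_VALUE
               for k, v in tags.items())


def audit(vm_list_json):
    """Group VMs by resource group and classify each group's tag coverage."""
    groups = defaultdict(lambda: {"tagged": [], "untagged": []})
    for vm in json.loads(vm_list_json):
        bucket = "tagged" if is_nsx_tagged(vm) else "untagged"
        groups[vm["resourceGroup"]][bucket].append(vm["name"])
    report = {}
    for rg, g in groups.items():
        if g["tagged"] and g["untagged"]:
            state = "mixed"       # some VMs fall outside NSX Cloud management
        elif g["tagged"]:
            state = "tagged"
        else:
            state = "untagged"
        report[rg] = {"state": state, "tagged": sorted(g["tagged"]),
                      "untagged": sorted(g["untagged"])}
    return report


if __name__ == "__main__":
    for rg, info in sorted(audit(SAMPLE_VM_LIST).items()):
        print(f"{rg}: {info['state']} untagged={info['untagged']}")
```

A "mixed" group is the result to investigate first: its untagged VMs share a subnet with managed VMs but do not appear in the NSX Cloud inventory described above.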
Some limitations apply when using the NSX Cloud management feature with your pods in Horizon Cloud:
- You cannot edit the name of a farm or VDI desktop assignment that has NSX Cloud management enabled.
- To use both disk encryption and the NSX Cloud management features for a floating VDI desktop assignment, you must install the latest version of the NSX agent. That combination is not supported with previous NSX agent versions.