For every Horizon Cloud pod deployed into your Microsoft Azure cloud, a network security group (NSG) is also created in the pod's resource group to act as a template. You can use this template to ensure you have opened those additional ports that you might need for the VDI desktops provided by your VDI desktop assignments.

In Microsoft Azure, a network security group (NSG) governs the network traffic to the resources connected to Azure Virtual Networks (VNet). An NSG defines the security rules that allow or deny that network traffic. For more detailed information about how NSGs filter network traffic, see the Microsoft Azure documentation topic Filter network traffic with network security groups.

When a Horizon Cloud pod is deployed into Microsoft Azure, an NSG named vmw-hcs-podID-nsg-template is created in the pod's resource group, which is named vmw-hcs-podID, where podID is the pod's ID. You can obtain the pod's ID from the pod's details page, which you reach from the Capacity page in the Horizon Universal Console.

By default:

  • Microsoft Azure automatically creates some default inbound and outbound rules, at priority 65000 and higher, in every NSG when it is created. Those rules are created by Microsoft Azure whenever anybody or any system creates an NSG, not by Horizon Cloud, so they are not described in this documentation topic. For details on those default rules, see the Microsoft Azure documentation topic Default security rules.
  • The Horizon Cloud pod deployer creates the following inbound security rules in the pod's template NSG. These default inbound security rules support your end-user clients' access to their VDI desktops using Blast, PCoIP, and USB redirection.

Table 1. Inbound Security Rules Created by the Horizon Cloud Pod Deployer in the Pod's Template NSG

Priority  Name                   Port   Protocol  Source    Destination  Action
1000      AllowBlastUdpIn        22443  UDP       Internet  Any          Allow
1100      AllowBlastTcpIn        22443  TCP       Internet  Any          Allow
1200      AllowPcoipTcpIn        4172   TCP       Internet  Any          Allow
1300      AllowPcoipUdpIn        4172   UDP       Internet  Any          Allow
1400      AllowTcpSideChannelIn  9427   TCP       Internet  Any          Allow
1500      AllowUsbRedirectionIn  32111  TCP       Internet  Any          Allow

In addition to this template NSG, when a VDI desktop assignment is created, the system creates an NSG for that assignment's pool of desktops by copying the template NSG, so every VDI desktop assignment's pool has its own NSG. A pool's NSG is assigned to the NICs of that pool's VDI desktop virtual machines (VMs). By default, every VDI desktop pool uses the same default security rules as configured in the pod's template NSG.

You can modify both the template NSG and the per-VDI-desktop-assignment NSGs. For example, if you have an application in a VDI desktop that you know needs an additional port opened for that application, you would modify the corresponding VDI desktop assignment pool's NSG to allow network traffic on that port. If you are planning to create multiple VDI desktop assignments that need the same port opened, a simple way to support that scenario is to edit the template NSG prior to creating the VDI desktop assignments.

Important: When planning to modify the base template, make a copy before modifying it. The copy can serve as a backup in case you need to revert to the original default settings.
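Because both the template NSG and each pool's copy can be edited, it helps to review periodically how a pool's NSG differs from the default inbound rules in Table 1. The following is an added example, not code from Horizon Cloud or from this documentation: it assumes the NSG's rules have been exported in the JSON shape returned by `az network nsg rule list`, and the sample rules, including the custom rule AllowAppPort8443In, are constructed for illustration.

```python
# Table 1 baseline: (port, protocol) -> rule name. All are Internet -> Any, Allow.
BASELINE = {
    ("22443", "UDP"): "AllowBlastUdpIn",
    ("22443", "TCP"): "AllowBlastTcpIn",
    ("4172", "TCP"): "AllowPcoipTcpIn",
    ("4172", "UDP"): "AllowPcoipUdpIn",
    ("9427", "TCP"): "AllowTcpSideChannelIn",
    ("32111", "TCP"): "AllowUsbRedirectionIn",
}

def audit_nsg(rules):
    """Return (missing, extra): baseline rules absent from the NSG, and
    inbound Allow rules that are not part of the Table 1 baseline."""
    seen, extra = set(), []
    for r in rules:
        # Only custom inbound Allow rules matter here; Azure's own default
        # rules sit at priority 65000 and higher and are skipped.
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        if r["priority"] >= 65000:
            continue
        key = (r["destinationPortRange"], r["protocol"].upper())
        if key in BASELINE and r["sourceAddressPrefix"] == "Internet":
            seen.add(key)
        else:
            extra.append(r["name"])  # a port opened beyond the defaults
    missing = sorted(n for k, n in BASELINE.items() if k not in seen)
    return missing, sorted(extra)

def _rule(name, prio, port, proto, src="Internet"):
    # Helper for building constructed sample rules (hypothetical data).
    return {"name": name, "priority": prio, "direction": "Inbound",
            "access": "Allow", "protocol": proto, "sourceAddressPrefix": src,
            "destinationAddressPrefix": "*", "destinationPortRange": port}

# Constructed pool NSG: USB redirection rule removed, one custom port added.
SAMPLE_POOL_NSG = [
    _rule("AllowBlastUdpIn", 1000, "22443", "Udp"),
    _rule("AllowBlastTcpIn", 1100, "22443", "Tcp"),
    _rule("AllowPcoipTcpIn", 1200, "4172", "Tcp"),
    _rule("AllowPcoipUdpIn", 1300, "4172", "Udp"),
    _rule("AllowTcpSideChannelIn", 1400, "9427", "Tcp"),
    _rule("AllowAppPort8443In", 1600, "8443", "Tcp"),
    _rule("AllowVnetInBound", 65000, "*", "*", src="VirtualNetwork"),
]

if __name__ == "__main__":
    missing, extra = audit_nsg(SAMPLE_POOL_NSG)
    print("Missing baseline rules:", missing)
    print("Rules beyond baseline:", extra)
```

Each rule reported as beyond the baseline should correspond to an application port you opened deliberately; running the same check against the template NSG shows what every new VDI desktop assignment will inherit.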