This topic explains what you will see after you use Horizon Cloud to create a pod in your Microsoft Azure subscription and then log in to the Microsoft Azure portal to look at what the pod deployer created there. As part of deploying the pod in Microsoft Azure, the automated deployment process creates a set of network security groups (NSGs) and associates each with a specific network interface (NIC) on each of the VMware-controlled pod-related virtual machines (VMs). Such pod-related VMs are the pod's manager VMs and the VMs that are deployed when the pod is configured with Unified Access Gateway. Also, during deployment-related workflows, such as deploying a pod or adding a gateway configuration to a pod, the temporary jump box has an NSG in its temporary jump box resource group. The pod deployer associates each deployer-created NSG with the appropriate NIC, according to the VMware design and architecture for the pod. These NSGs are applied at the NIC level to ensure that each NIC on a VMware-managed appliance can receive the traffic that the appliance is supposed to receive for standard service and pod operations over the NIC's attached subnet, and to block all traffic that the appliance is not supposed to receive. Each NSG contains a set of security rules that define the allowed traffic to and from each NIC.

The NSGs described here are separate from the ones used for the base VMs, farms, and VDI desktops that are provisioned by the pod when you create them using the Horizon Universal Console. Those NSGs have different usage information. For information about those NSGs, see the following topics:

Warning: The deployer-created NSG rules described here are configuration requirements of the service. You should never delete or edit any of the Horizon Cloud NSGs that are automatically created and associated with the pod VMs' NICs. This instruction includes actions such as:
  • Copying or moving these NSGs or NSG rules to any subnet used by Horizon Cloud
  • Copying or moving these NSGs or NSG rules between the NICs that are associated with the pod VMs.

The NSGs created by Horizon Cloud and the rules inside of them are specific to the particular NICs and VMs to which they are attached, and are expressly for the purposes of those NICs and VMs. Any change to those NSGs or rules, or any attempt to use them for any other purpose — even on the same subnets to which those NICs are attached — will most likely result in disrupting the required network traffic to and from the NICs to which they are attached. That disruption in turn could result in disrupting all pod operations. The lifecycle of these NSGs is managed by Horizon Cloud, and there are specific reasons for each one. Those reasons include:

  • The ability for the cloud control plane to communicate with the pod.
  • Management of the pod's infrastructure
  • Pod lifecycle operations
Because these deployer-created NSGs are configuration requirements of the service, attempts to change them or move them are considered an unsupported use of Horizon Cloud and a misuse of the service offerings, as described in the Service Level Agreement for VMware Horizon Service.

However, you can create your own NSGs containing your own organization's rules within resource groups outside of the pod's resource groups that are auto-created and managed by Horizon Cloud for the pod's VMs. The rules in your own NSGs must not conflict with Horizon Cloud's requirements for the management and operations of the pod's VMs. Such NSGs should be attached to the management, tenant, and DMZ subnets used by the pod. Creating your own NSGs within the resource groups managed by Horizon Cloud will cause failure during deletion actions on the Horizon Cloud managed resource groups if your NSGs in those resource groups are associated with a resource that resides in a different resource group.

As described in the Microsoft Azure documentation, the purpose of a network security group (NSG) is to filter network traffic to and from resources in your Microsoft Azure environment using security rules. Each rule has a set of properties such as source, destination, port, protocol, and so on that determine the traffic allowed for the resources to which the NSG is associated. The NSGs that Horizon Cloud automatically creates and associates with the VMware controlled pod VMs' NICs contain particular rules which Horizon Cloud has determined are needed for the service's management of the pod, for proper running of ongoing pod operations, and for managing the pod's lifecycle. Generally speaking, each rule defined in these NSGs is intended to provide for the pod operations' port traffic that is part and parcel of the service's fulfillment of the standard business purposes of a Horizon Cloud subscription, such as the VDI use cases of delivering virtual desktops to end users. See also Ports and Protocols Requirements for a Horizon Cloud Pod.

The sections below list the NSG rules that Horizon Cloud defines in those NSGs.

General Facts About These NSGs

This list applies to all of the deployer-created NSGs that the deployer associates with specific NICs on the pod-related VMs.

  • These VMware created NSGs are for the security of the VMware controlled software appliances. When VMware adds new software to your subscription and additional rules are required, those new rules are added to these NSGs.
  • In the Microsoft Azure portal, the NSGs have names that contain the pattern vmw-hcs-podUUID, where podUUID is the pod's identifier, except for the NSGs that are for an external gateway configuration that is deployed into its own VNet. In that case, the gateway's relevant NSGs have names that contain the pattern vmw-hcs-ID, where ID is the deployment ID for that external gateway.
    Note: For the scenario where the external gateway configuration is deployed into a separate subscription using the option to deploy into an existing resource group that you pre-created in that subscription, the NSG on the gateway connector's VM's management NIC is named in a pattern based on the resource group's name instead of the vmw-hcs-podUUID pattern. As an example, if you named that resource group hcsgateways, then in that resource group, Horizon Cloud creates an NSG named hcsgateways-mgmt-nsg, and associates that NSG with the gateway connector VM's management NIC.

    You can locate these identifiers by navigating to the pod's details from the administrative console's Capacity page.

    Note: When you choose to have the pod's external Unified Access Gateway use a custom resource group, the name of the gateway connector VM's deployer-created NSG contains the name of that custom resource group instead of the pattern vmw-hcs-ID. As an example, if you specify using a custom resource group named ourhcspodgateway for your pod's external gateway, the NSG that the deployer creates and associates with the gateway VM's NIC will be named ourhcspodgateway-mgmt-nsg.
  • The NSGs are located in the same resource group as the VMs and NICs to which they are associated. As an example, the NSGs associated with the NICs on the external Unified Access Gateway VMs are located in the resource group named vmw-hcs-podUUID-uag when the external gateway is deployed in the pod's VNet and using a deployer-created resource group. See also Resource Groups Created For a Pod Deployed In Microsoft Azure.
  • Horizon Cloud might add new rules or modify these rules as appropriate for ensuring maintainability of the service.
  • During a pod update, the NSGs and rules will be retained. They will not be deleted.
  • Except for the temporary jump box's NSG rules and the Horizon Edge Virtual Appliance NSG rules, the Horizon Cloud rules start at priority 1000 and the priorities typically go up in increments of 100, ending with a rule at priority 3000. For the jump box's NSG rules and the Horizon Edge Virtual Appliance NSG rules, the Horizon Cloud rules start at priority 100 and the priorities go up in increments of 1.
  • The AllowAzureInBound rules for source IP address 168.63.129.16 provide for the NSGs accepting incoming communication from the Microsoft Azure platform, as described in the Microsoft Azure documentation topic What is IP address 168.63.129.16. All of the pod-related VMs are VMs in Microsoft Azure. As described in that Microsoft Azure documentation topic, the IP address 168.63.129.16 facilitates various VM management tasks that the Microsoft Azure cloud platform performs for all VMs in its cloud. As an example, this IP address lets the VM Agent within the VM communicate with the Microsoft Azure platform to signal that the VM is in a Ready state.
  • In the NSGs for the Unified Access Gateway instances, the AllowPcoipUdpInBound rules are set for any port because PCoIP traffic is using variable port numbers in the 4173+ range, so that traffic cannot be restricted to a specific set of ports.
  • Microsoft Azure creates some default rules automatically in each NSG when it is created. In every NSG that is created, Microsoft Azure creates some inbound and outbound rules at priority 65000 and higher. Such Microsoft Azure default rules are not described in this documentation topic, because they are created by Microsoft Azure automatically. For details on those default rules, see the Microsoft Azure documentation topic Default security rules.
  • During deployment-related workflows, such as deploying a pod or adding a gateway configuration to a pod, the temporary jump box also has an NSG in its temporary jump box resource group. This NSG is deleted when the jump box's resource group is deleted at the completion of the workflow.
  • Each rule defined in these NSGs is intended to provide for the pod operations' port traffic that is part and parcel of the service's fulfillment of the standard business purposes of a Horizon Cloud subscription, such as the VDI use cases of delivering virtual desktops to end users. See also Ports and Protocols Requirements for a Horizon Cloud Pod.
  • When you edit your pod to specify additional tenant subnets for use with farms and VDI desktop assignments, the rules in the tenant-subnet-related NSGs on the pod manager VMs' and Unified Access Gateway VMs' NICs are updated to include those additional tenant subnets.
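As an added illustration of the rule semantics that the bullets above and the warning earlier in this topic rely on (example code, not from this documentation or from VMware), the following Python script simulates how Azure evaluates an NSG: rules are tried in ascending priority order and the first match decides, so the deployer's DenyAllInBound at priority 3000 is reached before any Azure default rule at priority 65000 and higher; and an inbound flow to a NIC must be allowed first by the NSG on the subnet (if one is attached) and then by the NSG on the NIC. The rule set is Table 1 below (the pod manager VM's management NIC); the subnet prefixes, the sample source addresses, and the conflicting customer subnet NSG are constructed assumptions.

```python
"""Simulate Azure NSG rule evaluation for the NICs described on this page.

Added example; not code from the Horizon Cloud documentation or from VMware.
Rules are tried in ascending priority order and the first match decides; the
deployer's DenyAllInBound at 3000 therefore shadows the Azure default rules at
65000 and above.  For inbound traffic to a NIC, a subnet-level NSG is evaluated
before the NIC-level NSG, so both must allow the flow.  Subnet prefixes and
sample addresses are assumptions; the NIC rule set is Table 1.
"""
from dataclasses import dataclass
import ipaddress

# Assumed address plan for the simulation.
MGMT_SUBNET = ipaddress.ip_network("10.0.0.0/27")
TENANT_SUBNET = ipaddress.ip_network("10.0.1.0/24")
VNET = ipaddress.ip_network("10.0.0.0/16")

# Sources as written in the page's tables, resolved to address ranges.
SOURCES = {
    "Management subnet": MGMT_SUBNET,
    "Tenant subnet": TENANT_SUBNET,
    "VirtualNetwork": VNET,
    "168.63.129.16": ipaddress.ip_network("168.63.129.16/32"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    ports: str      # "Any", "22", "80, 443", "10334 - 10336, 41000-41002"
    protocol: str   # "Any", "TCP" or "UDP"
    source: str     # a key of SOURCES
    action: str     # "Allow" or "Deny"


@dataclass(frozen=True)
class Verdict:
    action: str
    priority: int
    name: str
    stage: str      # "subnet" or "nic"


# Azure's own default inbound rules (from the Azure documentation the page points
# to).  The destination column is omitted throughout because every simulated
# flow targets a NIC inside the VNet.
AZURE_DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Any", "Any", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Any", "Any", "168.63.129.16", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "Any", "Any", "Deny"),
]

# Table 1: deployer-created inbound rules on the pod manager VM's management NIC.
POD_MANAGER_MGMT_NSG = [
    Rule(1000, "AllowSshInBound", "22", "Any", "Management subnet", "Allow"),
    Rule(1100, "AllowAzureInBound", "Any", "Any", "168.63.129.16", "Allow"),
    Rule(1200, "AllowHttpsInBound", "443", "Any", "Management subnet", "Allow"),
    Rule(1300, "AllowApacheGeodeInBound",
         "10334 - 10336, 41000-41002, 41100-41102, 42000-42002",
         "Any", "Management subnet", "Allow"),
    Rule(1400, "AllowTelegrafInBound", "9172", "Any", "Management subnet", "Allow"),
    Rule(1500, "AllowAgentJmsInBound", "4001, 4002", "Any", "Management subnet", "Allow"),
    Rule(3000, "DenyAllInBound", "Any", "Any", "Any", "Deny"),
]

# Constructed customer NSG that a tenant might attach to the management subnet
# and that conflicts with the service's needs: it blocks HTTPS within the VNet.
CONFLICTING_SUBNET_NSG = [
    Rule(100, "DenyHttpsFromVnet", "443", "TCP", "VirtualNetwork", "Deny"),
]


def port_matches(spec, port):
    """True if `port` is covered by a spec such as "Any", "22" or "10334 - 10336, 4001"."""
    if spec == "Any":
        return True
    for part in spec.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            if low <= port <= high:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, src_ip, dst_port, protocol, stage="nic"):
    """First matching rule in ascending priority order, Azure defaults included."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(list(rules) + AZURE_DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "Any" and rule.protocol != protocol:
            continue
        if not port_matches(rule.ports, dst_port) or src not in SOURCES[rule.source]:
            continue
        return Verdict(rule.action, rule.priority, rule.name, stage)
    raise AssertionError("unreachable: the 65500 default rule matches everything")


def evaluate_inbound_to_nic(subnet_nsg, nic_nsg, src_ip, dst_port, protocol):
    """Inbound to a NIC: the subnet NSG (if any) is applied first, then the NIC NSG."""
    if subnet_nsg is not None:
        verdict = evaluate(subnet_nsg, src_ip, dst_port, protocol, stage="subnet")
        if verdict.action == "Deny":
            return verdict
    return evaluate(nic_nsg, src_ip, dst_port, protocol, stage="nic")


if __name__ == "__main__":
    for src, port, proto in [("10.0.0.5", 22, "TCP"), ("10.0.1.7", 22, "TCP"),
                             ("168.63.129.16", 8080, "TCP"), ("10.0.0.5", 443, "TCP")]:
        print(src, port, proto, evaluate_inbound_to_nic(None, POD_MANAGER_MGMT_NSG, src, port, proto))
    print("with conflicting subnet NSG:",
          evaluate_inbound_to_nic(CONFLICTING_SUBNET_NSG, POD_MANAGER_MGMT_NSG, "10.0.0.5", 443, "TCP"))
```

Running the script shows SSH from the management subnet allowed by the rule at priority 1000, the same SSH from the tenant subnet denied by the rule at priority 3000 even though Azure's AllowVnetInBound at 65000 would otherwise have permitted it, and the control plane's HTTPS to the pod manager denied as soon as a customer NSG on the management subnet blocks port 443 within the VNet, which is the kind of conflict that the guidance about creating your own NSGs warns against.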

Pod Manager VM's Deployer-Created NSGs

The pod manager VM has two NICs, one connected to the management subnet and the other connected to the tenant subnet. The deployer creates a specific NSG for each of those two NICs, and associates each NSG with its appropriate NIC.

  • The management NIC has an NSG named in the pattern vmw-hcs-podUUID-mgmt-nsg.
  • The tenant NIC has an NSG named in the pattern vmw-hcs-podUUID-tenant-nsg.

In your Microsoft Azure environment, these NSGs reside in the pod's resource group named in the pattern vmw-hcs-podUUID.

Important: When the pod is using the feature to have its external gateway in a separate VNet (which includes the case where that gateway is using a separate subscription from the pod's subscription), the NSG for the pod manager VM's tenant NIC has an additional inbound rule named AllowGatewayBrokeringHttpsInBound for port 8443 TCP with VirtualNetwork as the source. The deployer-created NSG rules on the pod manager VM's tenant NIC when the external gateway is in a separate VNet are listed in the third table below.
Table 1. Deployer-Created NSG Rules on the Pod Manager VM's Management NIC
Direction Priority Name Ports Protocol Source Destination Action Rule's Purpose
Inbound 1000 AllowSshInBound 22 Any Management subnet Any Allow As described in the topic DNS Requirements for a Horizon Cloud Pod in Microsoft and Related Service Features, the short-lived jump box VM communicates with a pod manager VM using SSH to the VM's port 22 in the initial creation of a pod and during subsequent software updates on the pod. Also as described in that topic, day-to-day pod operations do not require availability of port 22 on the pod manager VM. However, if during steady-state operations you make a support request to VMware and the support team determines the way to troubleshoot that request is to deploy a jump box VM for SSH communication to your pod's manager VM, this NSG rule supports that use case. Permission will be requested from you prior to any emergency access.
Inbound 1100 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 1200 AllowHttpsInBound 443 Any Management subnet Any Allow For the cloud control plane to securely communicate with the pod manager's REST API endpoint.
Inbound 1300 AllowApacheGeodeInBound 10334 - 10336, 41000-41002, 41100-41102, 42000-42002 Any Management subnet Any Allow These ports are used to replicate user sessions and fileshare-related information between the pod manager VMs.
Inbound 1400 AllowTelegrafInBound 9172 Any Management subnet Any Allow When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect.
Inbound 1500 AllowAgentJmsInBound 4001, 4002 Any Management subnet Any Allow When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
Table 2. Deployer-Created NSG Rules on the Pod Manager VM's Tenant NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowHttpsInBound 80, 443 TCP VirtualNetwork Any Allow This rule provides for an atypical scenario in which you might have told your internal end users (on your corporate network, such as over VPN) to make their client connections to an FQDN that you have mapped to the pod's Microsoft Azure load balancer. This scenario is sometimes referred to as direct-pod connection. For the login authentication request to the pod manager, the Horizon Clients and Horizon web client use port 443. To support easy redirection as a convenience for a user who might type HTTP in their client instead of HTTPS, that traffic arrives at port 80 and is automatically redirected to port 443.
Inbound 1100 AllowAgentHttpsInBound 3443, 8443 TCP Tenant subnet Any Allow Port 3443 inbound to this NIC is used by the App Volumes Agent in the base VMs, desktop VMs, and farm RDSH VMs to access the App Volumes Manager service that runs in the pod manager VM. Port 8443 inbound to this NIC is used by the Unified Access Gateway instances to check with the pod manager. The gateway instances use this endpoint to confirm sending new client connection requests to the pod manager.

Inbound 1120 AllowUagHttpsInBound 8443 TCP Management subnet Any Allow This rule is planned for use in a future service release.
Inbound 1200 AllowAgentJmsInBound 4001, 4002 TCP Tenant subnet Any Allow The Horizon Agents in the base VMs, desktop VMs, and farm RDSH VMs use these ports. Port 4001 is for Java Message Service (JMS, non-SSL), used by the agent in the VM to communicate with the pod as part of the certificate thumbprint verification and exchange to secure an SSL connection to the pod. After the keys are negotiated and exchanged between the VM and the pod manager, the agent uses port 4002 to create a secured SSL connection. Note: Both 4001 and 4002 are required for steady-state operations. At times, the agent might need to re-key with the pod.
Inbound 1210 AllowRouterJmsInBound 4101 TCP Tenant subnet Any Allow When a pod is enabled for high availability (HA), this traffic is JMS routing between the pod manager VMs (node-1 and node-2).
Inbound 1300 AllowAgentUdpInBound 5678 UDP Tenant subnet Any Allow Deprecated for pods of manifests 1600 and later. In the service's September 2019 release, the DaaS agent was incorporated into the Horizon Agent as of pod manifest 1600. Previously, this port 5678 and UDP protocol were used to support use of the DaaS agent.
Inbound 1400 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
Table 3. When the External Gateway resides in a Separate VNet, Deployer-Created NSG Rules on the Pod Manager VM's Tenant NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowHttpsInBound 80, 443 TCP VirtualNetwork Any Allow This rule provides for an atypical scenario in which you might have told your internal end users (on your corporate network, such as over VPN) to make their client connections to an FQDN that you have mapped to the pod's Microsoft Azure load balancer. This scenario is sometimes referred to as direct-pod connection. For the login authentication request to the pod manager, the Horizon Clients and Horizon web client use port 443. To support easy redirection as a convenience for a user who might type HTTP in their client instead of HTTPS, that traffic arrives at port 80 and is automatically redirected to port 443.
Inbound 1100 AllowAgentHttpsInBound 3443, 8443 TCP Tenant subnet Any Allow Port 3443 inbound to this NIC is used by the App Volumes Agent in the base VMs, desktop VMs, and farm RDSH VMs to access the App Volumes Manager service running in the pod manager. Port 8443 inbound to this NIC is used by the Unified Access Gateway instances to check with the pod manager. The gateway instances use this endpoint to confirm sending new client connection requests to the pod manager.

Inbound 1110 AllowGatewayBrokeringHttpsInBound 8443 TCP VirtualNetwork Any Allow When the pod's external gateway is deployed in its own VNet separate from the pod, this rule supports the inbound traffic from the external gateway's Unified Access Gateway instances to check with the pod manager. The gateway instances use this endpoint to confirm sending new client connection requests to the pod manager.
Inbound 1120 AllowUagHttpsInBound 8443 TCP Management subnet Any Allow This rule is planned for use in a future service release.
Inbound 1200 AllowAgentJmsInBound 4001, 4002 TCP Tenant subnet Any Allow The Horizon Agents in the base VMs, desktop VMs, and farm RDSH VMs use these ports. Port 4001 is for Java Message Service (JMS, non-SSL), used by the agent in the VM to communicate with the pod as part of the certificate thumbprint verification and exchange to secure an SSL connection to the pod. After the keys are negotiated and exchanged between the VM and the pod manager, the agent uses port 4002 to create a secured SSL connection. Note: Both 4001 and 4002 are required for steady-state operations. At times, the agent might need to re-key with the pod.
Inbound 1210 AllowRouterJmsInBound 4101 TCP Tenant subnet Any Allow When a pod is enabled for high availability (HA), this traffic is JMS routing between the pod manager VMs (node-1 and node-2).
Inbound 1300 AllowAgentUdpInBound 5678 UDP Tenant subnet Any Allow Deprecated for pods of manifests 1600 and later. In the service's September 2019 release, the DaaS agent was incorporated into the Horizon Agent as of pod manifest 1600. Previously, this port 5678 and UDP protocol were used to support use of the DaaS agent.
Inbound 1400 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
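As an added example (not part of this documentation or of VMware's tooling), the following Python script audits an exported list of NSG rules against the expected rule sets in Tables 2 and 3, so that a deleted, edited, or added rule on the pod manager VM's tenant NIC is reported before it surfaces as a pod outage. The rule objects are constructed sample data shaped like the security-rule representation Azure exports for an NSG (name, priority, direction, access, protocol, sourceAddressPrefix, and destinationPortRange or destinationPortRanges); the tenant and management subnet prefixes are assumptions, and the flag for an external gateway in its own VNet selects whether the AllowGatewayBrokeringHttpsInBound rule from Table 3 is expected.

```python
"""Audit exported NSG rules for the pod manager VM's tenant NIC against the
expected rule set (Tables 2 and 3 on this page).

Added example, not code from the Horizon Cloud documentation or from VMware.
The rule objects below are constructed sample data in the shape Azure exports
for an NSG's security rules; the subnet prefixes are assumptions.
"""

# Expected rules from Table 2: name -> (priority, access, protocol, source, ports).
# Protocol and wildcard values use Azure's spelling ("Tcp", "Udp", "*").
EXPECTED_BASE = {
    "AllowHttpsInBound":      (1000, "Allow", "Tcp", "VirtualNetwork", {"80", "443"}),
    "AllowAgentHttpsInBound": (1100, "Allow", "Tcp", "Tenant subnet", {"3443", "8443"}),
    "AllowUagHttpsInBound":   (1120, "Allow", "Tcp", "Management subnet", {"8443"}),
    "AllowAgentJmsInBound":   (1200, "Allow", "Tcp", "Tenant subnet", {"4001", "4002"}),
    "AllowRouterJmsInBound":  (1210, "Allow", "Tcp", "Tenant subnet", {"4101"}),
    "AllowAgentUdpInBound":   (1300, "Allow", "Udp", "Tenant subnet", {"5678"}),
    "AllowAzureInBound":      (1400, "Allow", "*", "168.63.129.16", {"*"}),
    "DenyAllInBound":         (3000, "Deny", "*", "*", {"*"}),
}
# Table 3 adds this rule when the external gateway is deployed in its own VNet.
GATEWAY_SEPARATE_VNET_RULE = {
    "AllowGatewayBrokeringHttpsInBound": (1110, "Allow", "Tcp", "VirtualNetwork", {"8443"}),
}
# Assumed prefixes of the pod's subnets, used to resolve "Tenant subnet" etc.
SUBNETS = {"Tenant subnet": "10.0.1.0/24", "Management subnet": "10.0.0.0/27"}


def expected_rules(gateway_in_separate_vnet, subnets):
    """Expected rule set with subnet names resolved to the deployment's prefixes."""
    rules = dict(EXPECTED_BASE)
    if gateway_in_separate_vnet:
        rules.update(GATEWAY_SEPARATE_VNET_RULE)
    return {name: (prio, access, proto, subnets.get(src, src), ports)
            for name, (prio, access, proto, src, ports) in rules.items()}


def azure_rule(name, priority, access, protocol, source, ports):
    """Build one rule object in the shape Azure exports (constructed sample data)."""
    rule = {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source,
            "destinationAddressPrefix": "*"}
    if len(ports) == 1:
        rule["destinationPortRange"] = next(iter(ports))
    else:
        rule["destinationPortRanges"] = sorted(ports)
    return rule


def ports_of(rule):
    """Azure stores one port range in destinationPortRange, several in destinationPortRanges."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return set(ranges)


def audit(exported_rules, gateway_in_separate_vnet, subnets):
    """Compare exported inbound rules with the expected set.

    Returns a sorted list of (kind, rule_name, detail) findings, where kind is
    "missing", "changed" or "unexpected"; an empty list means no drift.
    """
    expected = expected_rules(gateway_in_separate_vnet, subnets)
    seen = {r["name"]: r for r in exported_rules if r.get("direction") == "Inbound"}
    findings = []
    for name, want in expected.items():
        rule = seen.get(name)
        if rule is None:
            findings.append(("missing", name, f"expected at priority {want[0]}"))
            continue
        got = (rule["priority"], rule["access"], rule["protocol"],
               rule["sourceAddressPrefix"], ports_of(rule))
        if got != want:
            findings.append(("changed", name, f"expected {want}, found {got}"))
    for name, rule in seen.items():
        if name not in expected:
            findings.append(("unexpected", name, f"priority {rule['priority']}"))
    return sorted(findings)


# Constructed exports: one healthy, one with three kinds of drift.
HEALTHY_EXPORT = [azure_rule(name, *spec)
                  for name, spec in expected_rules(False, SUBNETS).items()]
DRIFTED_EXPORT = [dict(r) for r in HEALTHY_EXPORT if r["name"] != "AllowRouterJmsInBound"]
for _rule in DRIFTED_EXPORT:
    if _rule["name"] == "AllowAgentJmsInBound":
        _rule["sourceAddressPrefix"] = "*"   # widened from the tenant subnet to anywhere
DRIFTED_EXPORT.append(azure_rule("TempAllowInBound", 900, "Allow", "Tcp", "*", {"3389"}))

if __name__ == "__main__":
    for label, export in (("healthy", HEALTHY_EXPORT), ("drifted", DRIFTED_EXPORT)):
        print(label, audit(export, gateway_in_separate_vnet=False, subnets=SUBNETS))
```

The healthy export produces no findings; the drifted export reports the edited AllowAgentJmsInBound source, the missing AllowRouterJmsInBound rule, and the unexpected rule at priority 900. Running the same audit with the separate-VNet flag set against a pod whose gateway is in the pod's VNet reports AllowGatewayBrokeringHttpsInBound as missing, which is why the flag must reflect the actual deployment.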

External Unified Access Gateway VMs' Deployer-Created NSGs

Each of the VMs for the external Unified Access Gateway configuration has three (3) NICs, one connected to the management subnet, one connected to the tenant subnet, and one connected to the DMZ subnet. The deployer creates a specific NSG for each of those three NICs, and associates each NSG with its appropriate NIC.

  • The management NIC has an NSG named in the pattern vmw-hcs-ID-uag-management-nsg.
  • The tenant NIC has an NSG named in the pattern vmw-hcs-ID-uag-tenant-nsg.
  • The DMZ NIC has an NSG named in the pattern vmw-hcs-ID-uag-dmz-nsg.

In your Microsoft Azure environment, these NSGs reside in the resource group named in the pattern vmw-hcs-ID-uag, where ID is the pod's ID as displayed on the pod's details page in the console, unless the external gateway is deployed in its own VNet separate from the pod's VNet. In the case of an external gateway deployed in its own VNet, the ID is the Deployment ID value shown on the pod's details page.

Table 4. Deployer-Created NSG Rules on the External Unified Access Gateway VMs' Management NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowHttpsInBound 9443 TCP Management subnet Any Allow For the service to configure the gateway's administration settings using its management interface. As described in the Unified Access Gateway product documentation, its management interface is at port 9443/TCP.
Inbound 1100 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 1200 AllowSshInBound 22 Any Management subnet Any Allow For VMware to perform emergency access to the VM if needed for troubleshooting. Permission will be requested from you prior to any emergency access.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
Outbound 3000 DenyAllOutBound Any Any Any Any Deny Added by the deployer to deny outbound traffic from this NIC.
Table 5. Deployer-Created NSG Rules on the External Unified Access Gateway VMs' Tenant NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 1400 AllowPcoipUdpInBound Any UDP Tenant subnet Any Allow This rule supports the standard configuration used for Unified Access Gateway working with the Horizon Agent. The Horizon Agents in the desktop and farm VMs send PCoIP data back to the Unified Access Gateway instances using UDP.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
Outbound 1000 AllowHttpsOutBound 443, 8443 TCP Any Tenant subnet Allow This rule supports the Unified Access Gateway instances communicating with the pod manager VMs for the purpose of new client connection requests to the pod managers.

Outbound 1100 AllowBlastOutBound 22443 Any Any Tenant subnet Allow This rule supports the use case of a Horizon Client Blast Extreme session to the Horizon Agent in a desktop or farm VM.
Outbound 1200 AllowPcoipOutBound 4172 Any Any Tenant subnet Allow This rule supports the use case of a Horizon Client PCoIP session to the Horizon Agent in a desktop VM.
Outbound 1300 AllowUsbOutBound 32111 TCP Any Tenant subnet Allow This rule supports the use case of USB redirection traffic. USB redirection is an agent option in the desktop or farm VMs. That traffic uses port 32111 for an end-user client session to the Horizon Agent in a desktop or farm VM.
Outbound 1400 AllowMmrOutBound 9427 TCP Any Tenant subnet Allow This rule supports the use cases of multimedia redirection (MMR) and client driver redirection (CDR) traffic. These redirections are agent options in the desktop or farm VMs. That traffic uses port 9427, for an end-user client session to the Horizon Agent in a desktop or farm VM.
Outbound 1500 AllowAllOutBound Any Any Any Tenant subnet Allow When running in a VM that supports multiple user sessions, the Horizon Agent chooses different ports to use for the sessions' PCoIP traffic. Because these ports cannot be determined ahead of time, an NSG rule naming specific ports to allow that traffic cannot be defined ahead of time. Therefore, similar to the rule at priority 1200, this rule supports the use case of multiple Horizon Client PCoIP sessions with such VMs.
Outbound 3000 DenyAllOutBound Any Any Any Any Deny Added by the deployer to limit this NIC's outbound traffic to the items in the previous rows.
Table 6. Deployer-Created NSG Rules on the External Unified Access Gateway VMs' DMZ NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowHttpsInBound 80, 443 TCP Internet Any Allow This rule provides for the external end users' inbound traffic from the Horizon Clients and the Horizon web client to request the login authentication request to the pod manager. By default, the Horizon Client and Horizon web client use port 443 for this request. To support easy redirection as a convenience for a user who might type HTTP in their client instead of HTTPS, that traffic arrives at port 80 and is automatically redirected to port 443.
Inbound 1100 AllowBlastInBound 443, 8443 Any Internet Any Allow This rule supports the Unified Access Gateway instances receiving the Blast traffic from the external end users' Horizon Clients.
Inbound 1200 AllowPcoipInBound 4172 Any Internet Any Allow This rule supports the Unified Access Gateway instances receiving PCoIP traffic from the external end users' Horizon Clients.
Inbound 1300 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.

Internal Unified Access Gateway VMs' Deployer-Created NSGs

Each of the VMs for the internal Unified Access Gateway configuration has two (2) NICs, one connected to the management subnet and one connected to the tenant subnet. The deployer creates a specific NSG for each of those two NICs, and associates each NSG with its appropriate NIC.

  • The management NIC has an NSG named in the pattern vmw-hcs-podUUID-uag-management-nsg.
  • The tenant NIC has an NSG named in the pattern vmw-hcs-podUUID-uag-tenant-nsg.

In your Microsoft Azure environment, these NSGs reside in the pod's resource group named in the pattern vmw-hcs-podUUID-uag-internal.

Table 7. Deployer-Created NSG Rules on the Internal Unified Access Gateway VMs' Management NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowHttpsInBound 9443 TCP Management subnet Any Allow For the service to configure the gateway's administration settings using its management interface. As described in the Unified Access Gateway product documentation, its management interface is at port 9443/TCP.
Inbound 1100 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 1200 AllowSshInBound 22 Any Management subnet Any Allow For VMware to perform emergency access to the VM if needed for troubleshooting. Permission will be requested from you prior to any emergency access.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
Outbound 3000 DenyAllOutBound Any Any Any Any Deny Added by the deployer to deny outbound traffic from this NIC.
Table 8. Deployer-Created NSG Rules on the Internal Unified Access Gateway VMs' Tenant NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 1100 AllowHttpsInBound 80, 443 TCP VirtualNetwork Any Allow This rule provides for the internal end users' inbound traffic from the Horizon Clients and the Horizon web client to request the login authentication request to the pod manager. By default, the Horizon Client and Horizon web client use port 443 for this request. To support easy redirection as a convenience for a user who might type HTTP in their client instead of HTTPS, that traffic arrives at port 80 and is automatically redirected to port 443.
Inbound 1200 AllowBlastInBound 443, 8443 Any VirtualNetwork Any Allow This rule supports the Unified Access Gateway instances receiving the Blast traffic from the internal end users' Horizon Clients.
Inbound 1300 AllowPcoipInBound 4172 Any VirtualNetwork Any Allow This rule supports the Unified Access Gateway instances receiving PCoIP traffic from the internal end users' Horizon Clients.
Inbound 1400 AllowPcoipUdpInBound Any UDP Tenant subnet Any Allow This rule supports the standard configuration used for Unified Access Gateway working with the Horizon Agent. The Horizon Agents in the desktop and farm VMs send PCoIP data back to the Unified Access Gateway instances using UDP.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
Outbound 1000 AllowHttpsOutBound 443, 8443 TCP Any Tenant subnet Allow This rule supports the Unified Access Gateway instances communicating with the pod manager VMs for the purpose of new client connection requests to the pod.

Outbound 1100 AllowBlastOutBound 22443 Any Any Tenant subnet Allow This rule supports the use case of a Horizon Client Blast Extreme session to the Horizon Agent in a desktop or farm VM.
Outbound 1200 AllowPcoipOutBound 4172 Any Any Tenant subnet Allow This rule supports the use case of a Horizon Client PCoIP session to the Horizon Agent in a desktop VM.
Outbound 1300 AllowUsbOutBound 32111 TCP Any Tenant subnet Allow This rule supports the use case of USB redirection traffic. USB redirection is an agent option in the desktop or farm VMs. That traffic uses port 32111 for an end-user client session to the Horizon Agent in a desktop or farm VM.
Outbound 1400 AllowMmrOutBound 9427 TCP Any Tenant subnet Allow This rule supports the use cases of multimedia redirection (MMR) and client driver redirection (CDR) traffic. These redirections are agent options in the desktop or farm VMs. That traffic uses port 9427, for an end-user client session to the Horizon Agent in a desktop or farm VM.
Outbound 1500 AllowAllOutBound Any Any Any Tenant subnet Allow When running in a VM that supports multiple user sessions, the Horizon Agent chooses different ports to use for the sessions' PCoIP traffic. Because these ports cannot be determined ahead of time, an NSG rule naming specific ports to allow that traffic cannot be defined ahead of time. Therefore, similar to the rule at priority 1200, this rule supports the use case of multiple Horizon Client PCoIP sessions with such VMs.
Outbound 3000 DenyAllOutBound Any Any Any Any Deny Added by the deployer to limit this NIC's outbound traffic to the items in the previous rows.

Gateway Connector VM's Deployer-Created NSG When an External Gateway is Deployed in Its Own VNet

The gateway connector VM has a single NIC. This NIC is attached to the external gateway's VNet's management subnet. The deployer creates a single NSG and associates that NSG specifically with that NIC. By default, the deployer-created NSG for the gateway connector's management NIC has the same rules as the deployer-created NSG for the pod manager VM.

Table 9. Deployer-Created NSG Rules on the External Gateway's Connector VM's Management NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 1000 AllowSshInBound 22 Any Management subnet Any Allow As described in the topic DNS Requirements for a Horizon Cloud Pod in Microsoft and Related Service Features, the short-lived jump box VM communicates with this gateway connector VM using SSH to the VM's port 22 during its initial creation and during subsequent software updates on the pod. Also as described in that topic, day-to-day pod operations do not require availability of port 22 on the gateway connector VM. However, if during steady-state operations you make a support request to VMware and the support team determines the way to troubleshoot that request is to deploy a jump box VM for SSH communication to the gateway connector VM, this NSG rule supports that use case. Permission will be requested from you prior to any emergency access.
Inbound 1100 AllowAzureInBound Any Any 168.63.129.16 Any Allow For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16.
Inbound 1200 AllowHttpsInBound 443 Any Management subnet Any Allow For the cloud control plane to securely communicate with the gateway connector's REST API endpoint.
Inbound 1300 AllowApacheGeodeInBound 10334-10336, 41000-41002, 41100-41102, 42000-42002 Any Management subnet Any Allow These ports are used to replicate user sessions and fileshare-related information across the pod manager VMs and the gateway connector VM.
Inbound 1400 AllowTelegrafInBound 9172 Any Management subnet Any Allow When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect.
Inbound 1500 AllowAgentJmsInBound 4001, 4002 Any Management subnet Any Allow When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect.
Inbound 3000 DenyAllInBound Any Any Any Any Deny Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows.
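As an added check that is not part of this documentation or of the Horizon Cloud product, the following Python script compares an Azure CLI export of the gateway connector NIC's NSG against the rule set in Table 9 and reports missing, unexpected and modified rules, which is the drift the Warning at the top of this topic tells you never to introduce. It assumes the camelCase field names that `az network nsg rule list --nsg-name <name> -g <rg> -o json` emits, a placeholder management-subnet CIDR of 10.0.1.0/27, and a constructed export in which one rule has been opened to any source, one rule has been added and the catch-all deny has been removed.

```python
"""Drift check for a deployer-created NSG against its documented rule set.

Added example; not VMware documentation or product code. The JSON shape is
assumed to match `az network nsg rule list -o json` (camelCase keys); the
management-subnet CIDR and the export below are constructed.
"""
import json

MGMT = "10.0.1.0/27"             # assumed management-subnet CIDR (placeholder)
AZURE_PLATFORM = "168.63.129.16"

# Expected rules transcribed from Table 9: priority -> (name, direction, access,
# protocol, destination ports, source prefix, destination prefix). "Any" is "*".
EXPECTED_TABLE9 = {
    1000: ("AllowSshInBound", "Inbound", "Allow", "*", ("22",), MGMT, "*"),
    1100: ("AllowAzureInBound", "Inbound", "Allow", "*", ("*",), AZURE_PLATFORM, "*"),
    1200: ("AllowHttpsInBound", "Inbound", "Allow", "*", ("443",), MGMT, "*"),
    1300: ("AllowApacheGeodeInBound", "Inbound", "Allow", "*",
           ("10334-10336", "41000-41002", "41100-41102", "42000-42002"), MGMT, "*"),
    1400: ("AllowTelegrafInBound", "Inbound", "Allow", "*", ("9172",), MGMT, "*"),
    1500: ("AllowAgentJmsInBound", "Inbound", "Allow", "*", ("4001", "4002"), MGMT, "*"),
    3000: ("DenyAllInBound", "Inbound", "Deny", "*", ("*",), "*", "*"),
}


def az_rule(name, prio, access, proto, ports, src, dst, direction="Inbound"):
    """Build one rule in the shape az CLI emits (constructed, not a real export)."""
    return {
        "name": name, "priority": prio, "direction": direction, "access": access,
        "protocol": proto, "sourcePortRange": "*", "sourcePortRanges": [],
        "destinationPortRange": ports[0] if len(ports) == 1 else None,
        "destinationPortRanges": list(ports) if len(ports) > 1 else [],
        "sourceAddressPrefix": src, "sourceAddressPrefixes": [],
        "destinationAddressPrefix": dst, "destinationAddressPrefixes": [],
    }


# Constructed export with three kinds of drift: AllowSshInBound opened to any
# source, an AllowRdpInBound rule added, and DenyAllInBound (3000) removed.
SAMPLE_EXPORT = json.dumps([
    az_rule("AllowSshInBound", 1000, "Allow", "*", ("22",), "*", "*"),
    az_rule("AllowAzureInBound", 1100, "Allow", "*", ("*",), AZURE_PLATFORM, "*"),
    az_rule("AllowHttpsInBound", 1200, "Allow", "*", ("443",), MGMT, "*"),
    az_rule("AllowApacheGeodeInBound", 1300, "Allow", "*",
            ("10334-10336", "41000-41002", "41100-41102", "42000-42002"), MGMT, "*"),
    az_rule("AllowTelegrafInBound", 1400, "Allow", "*", ("9172",), MGMT, "*"),
    az_rule("AllowAgentJmsInBound", 1500, "Allow", "*", ("4001", "4002"), MGMT, "*"),
    az_rule("AllowRdpInBound", 1600, "Allow", "Tcp", ("3389",), "*", "*"),
])


def normalize(rule):
    """Collapse the singular/plural az fields into one comparable tuple."""
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    src = rule.get("sourceAddressPrefix") or ",".join(sorted(rule.get("sourceAddressPrefixes", [])))
    dst = rule.get("destinationAddressPrefix") or ",".join(sorted(rule.get("destinationAddressPrefixes", [])))
    proto = rule["protocol"]
    return (rule["name"], rule["direction"], rule["access"],
            "*" if proto == "*" else proto.upper(), tuple(sorted(ports)), src, dst)


def check_drift(export_json, expected):
    """Return priorities that are missing, unexpected, or changed versus the table."""
    actual = {r["priority"]: normalize(r) for r in json.loads(export_json)}
    exp = {p: (e[0], e[1], e[2], e[3], tuple(sorted(e[4])), e[5], e[6])
           for p, e in expected.items()}
    return {
        "missing": sorted(p for p in exp if p not in actual),
        "unexpected": sorted(p for p in actual if p not in exp),
        "modified": sorted(p for p in exp if p in actual and actual[p] != exp[p]),
    }


if __name__ == "__main__":
    print(check_drift(SAMPLE_EXPORT, EXPECTED_TABLE9))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file written by the az command in the lead-in and MGMT with your pod's management-subnet CIDR; any non-empty list in the result is a rule set that no longer matches Table 9 and is a support case, not something to fix by hand.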

Temporary Jump Box VM's Deployer-Created NSG

During deployment-related workflows, such as deploying a pod or adding a gateway configuration to a pod, the temporary jump box also has an NSG in its temporary jump box resource group. This NSG is deleted when the jump box's resource group is deleted at the completion of the workflow.

Table 10. Deployer-Created NSG Rules on the Jump Box VM's Management NIC
Direction Priority Name Ports Protocol Source Destination Action Purpose
Inbound 100 AllowSSHInBound 22 Any Management subnet Management subnet Allow As described in the topic DNS Requirements for a Horizon Cloud Pod in Microsoft and Related Service Features, ongoing pod operations do not require inbound traffic to the short-lived jump box VM's port 22. However, if during steady-state operations you make a support request to VMware and the support team determines the way to troubleshoot that request is to deploy a jump box VM for SSH communication to your pod's manager VM, this NSG rule supports that use case. Permission will be requested from you prior to any emergency access.
Note: In cases where the cloud control plane has lost access to the pod, the support team might deploy an emergency jump box with a public IP to establish access to the pod. That scenario requires this rule to have Source=Any and Destination=Any.
Outbound 100 AllowSSHOutbound 22 TCP Management subnet Management subnet Allow For the jump box VM to perform its designed functions of configuring the other service-deployed VMs as required by the service.
Outbound 101 AllowHttpsOutbound 443 TCP Management subnet Any Allow For the jump box VM to download specific externally located software components, such as the Microsoft Azure CLI (Command Line-Interface). The jump box uses this software to perform its designed functions of configuring the other service-deployed VMs.
Outbound 102 AllowHttpOutbound 80 TCP Management subnet Any Allow For the jump box VM to download specific externally located software components, such as the Ubuntu software updates for the pod's Linux-based VMs. The jump box uses this software to perform its designed functions of configuring the other service-deployed VMs.
Outbound 103 AllowUagOutbound 9443 TCP Management subnet Management subnet Allow For the service to configure the gateway's administration settings using its management interface. As described in the Unified Access Gateway product documentation, its management interface is at port 9443/TCP.
Outbound 104 AllowDnsOutbound 53 Any Management subnet Any Allow For the jump box VM to reach DNS services.
Outbound 1000 DenyAllOutBound Any TCP Any Any Deny Added by the deployer to limit this NIC's outbound TCP traffic to the items in the previous rows. Because this rule matches only TCP, it does not cover UDP or ICMP: outbound traffic using those protocols that is not matched by the AllowDnsOutbound rule falls through to the Microsoft Azure default outbound rules (AllowVnetOutBound and AllowInternetOutBound), which allow it.

Horizon Edge Virtual Appliance Deployer-Created NSGs

The Horizon Edge Virtual Appliance is deployed when you use the Horizon Universal Console to activate Horizon Infrastructure Monitoring on the pod. The Horizon Edge Virtual Appliance has one NIC connected to the same management subnet that is connected to the pod manager VMs. The deployer creates a specific NSG named in the pattern vmw-hcs-podUUID-edge-nsg and associates that NSG with the NIC.

In your Microsoft Azure environment, this NSG resides in the pod's resource group named in the pattern vmw-hcs-podUUID-edge.

Table 11. Deployer-Created NSG Rules on the Horizon Edge Virtual Appliance Management NIC
Direction Priority Name Ports Protocol Source Destination Action Rule's Purpose
Inbound 100 AllowSSHInbound 22 Any Management subnet Any Allow Day-to-day operations of the appliance do not require availability of port 22. However, if during steady-state operations you make a support request to VMware and the support team determines the way to troubleshoot that request is to deploy a jump box VM for SSH communication to the appliance, this NSG rule supports that use case. Permission will be requested from you prior to any emergency access.
Outbound 101 AllowHttpsOutbound 443 TCP Management subnet Any Allow For the appliance to download specific externally located software components, such as the Microsoft Azure CLI (Command-Line Interface). The appliance uses this software to perform its designed functions of configuring the other service-deployed VMs for the monitoring data collection it is designed to perform.
Outbound 102 AllowHttpOutbound 80 TCP Management subnet Any Allow For the appliance to download specific externally located software components, such as the Ubuntu software updates for its Linux-based operating system.
Outbound 103 AllowUagOutbound 9443 TCP Management subnet Management subnet Allow This rule is planned for use in a future service update of the Horizon Infrastructure Monitoring feature.
Outbound 104 AllowDnsOutbound 53 Any Management subnet Any Allow To reach DNS services.
Outbound 106 AllowTelegrafOutBound 9172 Any Management subnet Management subnet Allow To collect the monitoring data from the pod manager VMs that the appliance is designed to collect.
Outbound 107 AllowJmsBrokerOutbound 4002 Any Management subnet Management subnet Allow To collect the monitoring data from the pod manager VMs that the appliance is designed to collect.
Outbound 1000 DenyAllOutBound Any TCP Any Any Deny Added by the deployer to limit this NIC's outbound TCP traffic to the items in the previous rows. Because this rule matches only TCP, it does not cover UDP or ICMP: outbound traffic using those protocols that is not matched by the AllowDnsOutbound, AllowTelegrafOutBound or AllowJmsBrokerOutbound rules falls through to the Microsoft Azure default outbound rules (AllowVnetOutBound and AllowInternetOutBound), which allow it.
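The DenyAllOutBound rules in Table 10 and Table 11 are protocol-specific, so the practical question is which rule a given flow actually hits. The following Python evaluator, added here and not part of this documentation or of the product, walks the outbound rules of Table 10 in Azure NSG order (lowest priority number first, first match wins, platform default rules at 65000 and above evaluated last) and reports the winning rule for a set of constructed flows. It assumes a VNet address space of 10.0.0.0/16, a management subnet of 10.0.1.0/27, and a simplified model of the VirtualNetwork and Internet service tags (inside and outside that VNet, respectively).

```python
"""Which NSG rule wins for an outbound flow from the jump box NIC?

Added example; not VMware documentation or product code. Rule order follows
Azure NSG processing; VNET, MGMT and the service-tag model are assumptions.
"""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")   # assumed pod VNet address space
MGMT = "10.0.1.0/27"                          # assumed management-subnet CIDR

# (priority, name, direction, protocol, destination ports, source, destination, access)
# Custom outbound rules transcribed from Table 10.
JUMPBOX_OUTBOUND = [
    (100,  "AllowSSHOutbound",   "Outbound", "Tcp", "22",   MGMT, MGMT, "Allow"),
    (101,  "AllowHttpsOutbound", "Outbound", "Tcp", "443",  MGMT, "*",  "Allow"),
    (102,  "AllowHttpOutbound",  "Outbound", "Tcp", "80",   MGMT, "*",  "Allow"),
    (103,  "AllowUagOutbound",   "Outbound", "Tcp", "9443", MGMT, MGMT, "Allow"),
    (104,  "AllowDnsOutbound",   "Outbound", "*",   "53",   MGMT, "*",  "Allow"),
    (1000, "DenyAllOutBound",    "Outbound", "Tcp", "*",    "*",  "*",  "Deny"),
]

# Default outbound rules that Azure appends to every NSG (not shown in the tables).
AZURE_DEFAULT_OUTBOUND = [
    (65000, "AllowVnetOutBound",     "Outbound", "*", "*", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowInternetOutBound", "Outbound", "*", "*", "*",              "Internet",       "Allow"),
    (65500, "DenyAllOutBound",       "Outbound", "*", "*", "*",              "*",              "Deny"),
]


def port_matches(spec, port):
    """spec is '*', a single port, or 'low-high'; port is an int."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def prefix_matches(spec, ip):
    """Service tags simplified: VirtualNetwork = inside VNET, Internet = outside it."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET
    return addr in ipaddress.ip_network(spec)


def evaluate(custom_rules, direction, protocol, dst_port, src_ip, dst_ip):
    """Return (priority, name, access) of the first matching rule, defaults last."""
    for prio, name, d, proto, ports, src, dst, access in sorted(custom_rules + AZURE_DEFAULT_OUTBOUND):
        if d != direction:
            continue
        if proto != "*" and proto.lower() != protocol.lower():
            continue
        if not (port_matches(ports, dst_port) and prefix_matches(src, src_ip)
                and prefix_matches(dst, dst_ip)):
            continue
        return prio, name, access
    raise RuntimeError("no rule matched; Azure always ends with a default deny")


if __name__ == "__main__":
    # Constructed flows from a jump box at 10.0.1.5 (management subnet).
    for proto, port, dst in [("Tcp", 8080, "203.0.113.10"),   # denied by custom rule 1000
                             ("Udp", 123, "203.0.113.10"),    # slips past 1000, allowed by 65001
                             ("Tcp", 443, "203.0.113.10"),    # allowed by 101
                             ("Udp", 5000, "10.0.2.9")]:      # allowed by default 65000
        print(proto, port, dst, "->", evaluate(JUMPBOX_OUTBOUND, "Outbound", proto, port, "10.0.1.5", dst))
```

The UDP flows are the ones to notice: nothing in Table 10 denies them, so they are decided by the Azure defaults rather than by the deployer's rules. The same evaluator applies to Table 11 by transcribing its outbound rows into the list.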