This topic describes what you will see in the Microsoft Azure portal after you use Horizon Cloud to create a pod in your Microsoft Azure subscription and then look at what the pod deployer created there. As part of deploying the pod in Microsoft Azure, the automated deployment process creates a set of network security groups (NSGs) and associates each with a specific network interface (NIC) on the VMware-controlled pod-related virtual machines (VMs). Those pod-related VMs are the pod's manager VMs and, when the pod is configured with Unified Access Gateway, the gateway VMs.
The pod deployer associates the appropriate deployer-created NSG with the appropriate NIC, according to the VMware design and architecture for the pod. These NSGs are applied at the NIC level to ensure that each NIC on a particular VMware-managed appliance can receive the traffic that the appliance is supposed to receive for standard service and pod operations over the NIC's attached subnet, and to block all traffic that the appliance is not supposed to receive. Each NSG contains a set of security rules that define the allowed traffic to and from each NIC.
The NSGs described here are separate from the ones used for the base VMs, farms, and VDI desktops that are provisioned by the pod when you create them using the Horizon Universal Console. Those NSGs serve different purposes. For information about those NSGs, see the following topics:
- The Network Security Groups (NSGs) Created by the Horizon Cloud Import Virtual Machine from Marketplace Wizard
- About Network Security Groups and Farms in a Horizon Cloud Pod
- About Network Security Groups and VDI Desktops in a Horizon Cloud Pod
- Copying or moving these NSGs or NSG rules to any subnet used by Horizon Cloud
- Copying or moving these NSGs or NSG rules between the NICs that are associated with the pod VMs.
The NSGs created by Horizon Cloud and the rules inside of them are specific to the particular NICs and VMs to which they are attached, and are expressly for the purposes of those NICs and VMs. Any change to those NSGs or rules, or any attempt to use them for any other purpose — even on the same subnets to which those NICs are attached — will most likely result in disrupting the required network traffic to and from the NICs to which they are attached. That disruption in turn could result in disrupting all pod operations. The lifecycle of these NSGs is managed by Horizon Cloud, and there are specific reasons for each one. Those reasons include:
- The ability for the cloud control plane to communicate with the pod.
- Management of the pod's infrastructure
- Pod lifecycle operations
However, you can create your own NSGs containing your own organization's rules within resource groups outside of the pod's resource groups that are auto-created and managed by Horizon Cloud for the pod's VMs. The rules in your own NSGs must not conflict with Horizon Cloud's requirements for the management and operations of the pod's VMs. Such NSGs should be attached to the management, tenant, and DMZ subnets used by the pod. Creating your own NSGs within the resource groups managed by Horizon Cloud will cause failure during deletion actions on the Horizon Cloud managed resource groups if your NSGs in those resource groups are associated with a resource that resides in a different resource group.
As described in the Microsoft Azure documentation, the purpose of a network security group (NSG) is to filter network traffic to and from resources in your Microsoft Azure environment using security rules. Each rule has a set of properties such as source, destination, port, protocol, and so on that determine the traffic allowed for the resources to which the NSG is associated. The NSGs that Horizon Cloud automatically creates and associates with the VMware controlled pod VMs' NICs contain particular rules which Horizon Cloud has determined are needed for the service's management of the pod, for proper running of ongoing pod operations, and for managing the pod's lifecycle. Generally speaking, each rule defined in these NSGs is intended to provide for the pod operations' port traffic that is part and parcel of the service's fulfillment of the standard business purposes of a Horizon Cloud subscription, such as the VDI use cases of delivering virtual desktops to end users. See also Ports and Protocols Requirements for a Horizon Cloud Pod.
The sections below list the NSG rules that Horizon Cloud defines in those NSGs.
General Facts About These NSGs
This list applies to all of the deployer-created NSGs that the deployer associates with specific NICs on the pod-related VMs.
- These VMware created NSGs are for the security of the VMware controlled software appliances. When VMware adds new software to your subscription and additional rules are required, those new rules are added to these NSGs.
- In the Microsoft Azure portal, the NSGs have names that contain the pattern vmw-hcs-podUUID, where podUUID is the pod's identifier, except for the NSGs that are for an external gateway configuration that is deployed into its own VNet. In that case, the gateway's relevant NSGs have names that contain the pattern vmw-hcs-ID, where ID is the deployment ID for that external gateway. You can locate these identifiers by navigating to the pod's details from the administrative console's Capacity page.
  Note: For the scenario where the external gateway configuration is deployed into a separate subscription using the option to deploy into an existing resource group that you pre-created in that subscription, the NSG on the gateway connector VM's management NIC is named in a pattern based on the resource group's name instead of the vmw-hcs-podUUID pattern. As an example, if you named that resource group hcsgateways, then in that resource group, Horizon Cloud creates an NSG named hcsgateways-mgmt-nsg, and associates that NSG with the gateway connector VM's management NIC.
  Note: When you choose to have the pod's external Unified Access Gateway use a custom resource group, the name of the gateway connector VM's deployer-created NSG contains the name of that custom resource group instead of the pattern vmw-hcs-ID. As an example, if you specify using a custom resource group named ourhcspodgateway for your pod's external gateway, the NSG that the deployer creates and associates with the gateway VM's NIC will be named ourhcspodgateway-mgmt-nsg.
- The NSGs are located in the same resource group as the VMs and NICs to which they are associated. As an example, the NSGs associated with the NICs on the external Unified Access Gateway VMs are located in the resource group named vmw-hcs-podUUID-uag when the external gateway is deployed in the pod's VNet and using a deployer-created resource group. See also Resource Groups Created For a Pod Deployed In Microsoft Azure.
- Horizon Cloud might add new rules or modify these rules as appropriate for ensuring maintainability of the service.
- During a pod update, the NSGs and rules will be retained. They will not be deleted.
- Except for the Horizon Edge Virtual Appliance NSG rules, the Horizon Cloud rules start at priority 1000, and the priorities typically go up in increments of 100. The Horizon Cloud rules end with a rule at priority 3000. For the Horizon Edge Virtual Appliance NSG rules, the Horizon Cloud rules start at priority 100, and the priorities go up in increments of 1.
- The AllowAzureInBound rules for source IP address 168.63.129.16 provide for the NSGs accepting incoming communication from the Microsoft Azure platform, as described in the Microsoft Azure documentation topic What is IP address 168.63.129.16. All of the pod-related VMs are VMs in Microsoft Azure. As described in that Microsoft Azure documentation topic, the IP address 168.63.129.16 facilitates various VM management tasks that the Microsoft Azure cloud platform performs for all VMs in its cloud. As an example, this IP address enables the VM Agent inside the VM to communicate with the Microsoft Azure platform to signal that the VM is in a Ready state.
- In the NSGs for the Unified Access Gateway instances, the AllowPcoipUdpInBound rules are set for any port because PCoIP traffic uses variable port numbers in the 4173+ range, so that traffic cannot be restricted to a specific set of ports.
- Microsoft Azure creates some default rules automatically in each NSG when it is created. In every NSG that is created, Microsoft Azure creates some inbound and outbound rules at priority 65000 and higher. Those Microsoft Azure default rules are not described in this documentation topic, because they are created by Microsoft Azure automatically. For details on those default rules, see the Microsoft Azure documentation topic Default security rules.
- Each rule defined in these NSGs is intended to provide for the pod operations' port traffic that is part and parcel of the service's fulfillment of the standard business purposes of a Horizon Cloud subscription, such as the VDI use cases of delivering virtual desktops to end users. See also Ports and Protocols Requirements for a Horizon Cloud Pod.
- When you edit your pod to specify additional tenant subnets for use with farms and VDI desktop assignments, the rules in the tenant-subnet-related NSGs on the pod manager VMs' and Unified Access Gateway VMs' NICs are updated to include those additional tenant subnets.
- If you make a support request to VMware and the support team determines the way to service that request is to deploy a temporary jump box VM, this temporary jump box has an NSG in its temporary jump box resource group. This NSG is deleted when the jump box's resource group is deleted when the support team is finished.
Pod Manager VM's Deployer-Created NSGs
The pod manager VM has two NICs, one connected to the management subnet and the other connected to the tenant subnet. The deployer creates a specific NSG for each of those two NICs, and associates each NSG with its appropriate NIC.
- The management NIC has an NSG named in the pattern vmw-hcs-podUUID-mgmt-nsg.
- The tenant NIC has an NSG named in the pattern vmw-hcs-podUUID-tenant-nsg.
In your Microsoft Azure environment, these NSGs reside in the pod's resource group named in the pattern vmw-hcs-podUUID.
Rules in the NSG on the pod manager VM's management NIC:
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowSshInBound | 22 | Any | Management subnet | Any | Allow | If during steady-state operations you make a support request to VMware and the support team determines the way to troubleshoot that request is to deploy a jump box VM for SSH communication to your pod's manager VM, this NSG rule supports that use case. Permission will be requested from you prior to any emergency access. The short-lived jump box VM communicates with a pod manager VM using SSH to the VM's port 22. Day-to-day pod operations do not require availability of port 22 on the pod manager VM. |
Inbound | 1100 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 1200 | AllowHttpsInBound | 443 | Any | Management subnet | Any | Allow | For the cloud control plane to securely communicate with the pod manager's REST API endpoint. |
Inbound | 1300 | AllowApacheGeodeInBound | 10334 - 10336, 41000-41002, 41100-41102, 42000-42002 | Any | Management subnet | Any | Allow | These ports are used to replicate user sessions and fileshare-related information between the pod manager VMs. |
Inbound | 1400 | AllowTelegrafInBound | 9172 | Any | Management subnet | Any | Allow | When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect. |
Inbound | 1500 | AllowAgentJmsInBound | 4001, 4002 | Any | Management subnet | Any | Allow | When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
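Because these NSGs are owned by Horizon Cloud and any manual change can break pod operations, a practical check is to periodically compare what is actually in the subscription with the documented rule set. The following Python script is an added example (it is not VMware's code or part of this topic): it encodes the management-NIC rules from the table above and compares them with the securityRules array of an NSG export in the shape produced by `az network nsg show --name <nsg> --resource-group <rg> -o json`, reporting rules that were widened, removed, or added. The embedded export and the management subnet CIDR 10.0.1.0/27 are constructed sample values; Azure's own default rules at priority 65000 and higher are exported under defaultSecurityRules and are not compared.

```python
"""Drift check for a deployer-created Horizon Cloud NSG (added example, not VMware code).
Compares the documented pod manager management-NIC rules with the securityRules array of
an export in the flattened shape of `az network nsg show -o json` (the REST shape with a
nested "properties" object is accepted too)."""

MGMT_SUBNET = "10.0.1.0/27"  # constructed sample value for the pod's management subnet CIDR

# One tuple per row of the table above:
# (direction, priority, name, destination ports, protocol, source, destination, access).
# "*" is how Azure exports "Any"; subnet aliases are resolved to CIDRs before comparing.
DOCUMENTED_MGMT_RULES = [
    ("Inbound", 1000, "AllowSshInBound", ["22"], "*", "Management subnet", "*", "Allow"),
    ("Inbound", 1100, "AllowAzureInBound", ["*"], "*", "168.63.129.16", "*", "Allow"),
    ("Inbound", 1200, "AllowHttpsInBound", ["443"], "*", "Management subnet", "*", "Allow"),
    ("Inbound", 1300, "AllowApacheGeodeInBound",
     ["10334-10336", "41000-41002", "41100-41102", "42000-42002"], "*", "Management subnet", "*", "Allow"),
    ("Inbound", 1400, "AllowTelegrafInBound", ["9172"], "*", "Management subnet", "*", "Allow"),
    ("Inbound", 1500, "AllowAgentJmsInBound", ["4001", "4002"], "*", "Management subnet", "*", "Allow"),
    ("Inbound", 3000, "DenyAllInBound", ["*"], "*", "*", "*", "Deny"),
]
FIELDS = ("name", "ports", "protocol", "source", "destination", "access")


def _as_list(props, single_key, multi_key):
    """Azure stores either one value or a list for ports and prefixes; normalise to a sorted list."""
    values = list(props.get(multi_key) or [])
    if props.get(single_key) not in (None, ""):
        values = [props[single_key]]
    return sorted(str(v).replace(" ", "") for v in values)


def normalize_exported(rule):
    props = rule.get("properties", rule)
    protocol = props["protocol"]
    return {
        "name": rule["name"],
        "ports": _as_list(props, "destinationPortRange", "destinationPortRanges"),
        "protocol": "*" if protocol == "*" else protocol.upper(),  # "Tcp" -> "TCP"
        "source": _as_list(props, "sourceAddressPrefix", "sourceAddressPrefixes"),
        "destination": _as_list(props, "destinationAddressPrefix", "destinationAddressPrefixes"),
        "access": props["access"],
    }


def normalize_documented(row, aliases):
    direction, priority, name, ports, protocol, source, destination, access = row
    return (direction, priority), {
        "name": name, "ports": sorted(ports), "protocol": protocol, "access": access,
        "source": [aliases.get(source, source)], "destination": [aliases.get(destination, destination)],
    }


def find_drift(export, documented, aliases):
    """Return human-readable findings; an empty list means the NSG matches the documentation."""
    expected = dict(normalize_documented(row, aliases) for row in documented)
    actual = {}
    for rule in export["securityRules"]:
        props = rule.get("properties", rule)
        actual[(props["direction"], int(props["priority"]))] = normalize_exported(rule)
    findings = []
    for direction, priority in sorted(set(expected) | set(actual)):
        key = (direction, priority)
        if key not in actual:
            findings.append(f"missing {direction} rule at priority {priority}: {expected[key]['name']}")
        elif key not in expected:
            findings.append(f"undocumented {direction} rule at priority {priority}: {actual[key]['name']}")
        else:
            for field in FIELDS:
                if expected[key][field] != actual[key][field]:
                    findings.append(f"{expected[key]['name']} (priority {priority}): {field} is "
                                    f"{actual[key][field]!r}, documented {expected[key][field]!r}")
    return findings


def _exported_rule(name, priority, access, protocol, source, ports):
    """Build one rule in the flattened `az` export shape (constructed sample data)."""
    rule = {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourcePortRange": "*", "sourceAddressPrefix": source,
            "destinationAddressPrefix": "*"}
    if len(ports) == 1:
        rule["destinationPortRange"] = ports[0]
    else:
        rule["destinationPortRanges"] = ports
    return rule


def sample_export(tampered=True):
    """Constructed export of vmw-hcs-podUUID-mgmt-nsg. With tampered=True the SSH rule's source
    has been widened to "*" and an undocumented RDP-from-Internet rule has been inserted."""
    rules = [
        _exported_rule("AllowSshInBound", 1000, "Allow", "*", "*" if tampered else MGMT_SUBNET, ["22"]),
        _exported_rule("AllowAzureInBound", 1100, "Allow", "*", "168.63.129.16", ["*"]),
        _exported_rule("AllowHttpsInBound", 1200, "Allow", "*", MGMT_SUBNET, ["443"]),
        _exported_rule("AllowApacheGeodeInBound", 1300, "Allow", "*", MGMT_SUBNET,
                       ["10334-10336", "41000-41002", "41100-41102", "42000-42002"]),
        _exported_rule("AllowTelegrafInBound", 1400, "Allow", "*", MGMT_SUBNET, ["9172"]),
        _exported_rule("AllowAgentJmsInBound", 1500, "Allow", "*", MGMT_SUBNET, ["4001", "4002"]),
        _exported_rule("DenyAllInBound", 3000, "Deny", "*", "*", ["*"]),
    ]
    if tampered:
        rules.insert(1, _exported_rule("AllowRdpInBound", 1050, "Allow", "Tcp", "Internet", ["3389"]))
    return {"name": "vmw-hcs-podUUID-mgmt-nsg", "securityRules": rules}


def check_mgmt_nsg(export):
    return find_drift(export, DOCUMENTED_MGMT_RULES, {"Management subnet": MGMT_SUBNET})


if __name__ == "__main__":
    for line in check_mgmt_nsg(sample_export()) or ["no drift from the documented rules"]:
        print(line)
```

Against a real subscription, replace sample_export() with json.load() of the file written by the az command above and pass your actual management subnet CIDR as the alias. Comparing on (direction, priority) rather than on rule name is deliberate: a rule that was renamed, re-sourced, or had its action flipped still shows up as a field-level difference at its documented priority, and anything inserted between the documented priorities is reported as undocumented.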
Rules in the NSG on the pod manager VM's tenant NIC:
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowHttpsInBound | 80, 443 | TCP | VirtualNetwork | Any | Allow | This rule provides for an atypical scenario in which you might have told your internal end users (on your corporate network, such as over VPN) to make their client connections to an FQDN that you have mapped to the pod's Microsoft Azure load balancer. This scenario is sometimes referred to as direct-pod connection. For the login authentication request to the pod manager, the Horizon Clients and Horizon web client use port 443. To support easy redirection as a convenience for a user who might type HTTP in their client instead of HTTPS, that traffic arrives at port 80 and is automatically redirected to port 443. |
Inbound | 1100 | AllowAgentHttpsInBound | 3443, 8443 | TCP | Tenant subnet | Any | Allow | Port 3443 inbound to this NIC is used by the App Volumes Agent in the base VMs, desktop VMs, and farm RDSH VMs to access the App Volumes Manager service running in the pod manager. Port 8443 inbound to this NIC is used by the Unified Access Gateway instances to check with the pod manager. The gateway instances use this endpoint to confirm sending new client connection requests to the pod manager. |
Inbound | 1110 | AllowGatewayBrokeringHttpsInBound | 8443 | TCP | VirtualNetwork | Any | Allow | For code consistency and ease of maintenance, the pod deployer always writes this rule to this NSG. In a deployment where the pod's external gateway is deployed in its own VNet separate from the pod, this rule supports the inbound traffic from the external gateway's Unified Access Gateway instances to check with the pod manager. The gateway instances use this endpoint to confirm sending new client connection requests to the pod manager. |
Inbound | 1120 | AllowUagHttpsInBound | 8443 | TCP | Management subnet | Any | Allow | This rule is planned for use in a future service release. |
Inbound | 1200 | AllowAgentJmsInBound | 4001, 4002 | TCP | Tenant subnet | Any | Allow | The Horizon Agents in the base VMs, desktop VMs, and farm RDSH VMs use these ports. Port 4001 is for Java Message Service (JMS, non-SSL), used by the agent in the VM to communicate with the pod as part of the certificate thumbprint verification and exchange to secure an SSL connection to the pod. After the keys are negotiated and exchanged between the VM and the pod manager, the agent uses port 4002 to create a secured SSL connection. Note: Both 4001 and 4002 are required for steady-state operations. At times, the agent might need to re-key with the pod. |
Inbound | 1210 | AllowRouterJmsInBound | 4101 | TCP | Tenant subnet | Any | Allow | When a pod is enabled for high availability (HA), this traffic is JMS routing between the pod manager VMs (node-1 and node-2) |
Inbound | 1300 | AllowAgentUdpInBound | 5678 | UDP | Tenant subnet | Any | Allow | Deprecated for pods of manifests 1600 and later. In the service's September 2019 release, the DaaS agent was incorporated into the Horizon Agent as of pod manifest 1600. Previously, this port 5678 and UDP protocol were used to support use of the DaaS agent. |
Inbound | 1400 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
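The table above is easiest to reason about when you trace a flow through it the way Azure does: rules are tried in ascending priority and the first match decides, which is why the deployer's DenyAllInBound at priority 3000 matters even though Azure's own DenyAllInBound exists at 65500. The following Python evaluator is an added example, not VMware's code or part of this topic. It encodes the tenant-NIC inbound rules from the table plus the three inbound default rules Azure adds to every NSG, and resolves sample flows; the VNet CIDR 10.0.0.0/16, the management subnet 10.0.1.0/27 and the tenant subnet 10.0.2.0/24 are constructed sample values, and the service tags are approximated (VirtualNetwork means inside the VNet CIDR, Internet means outside it, AzureLoadBalancer means 168.63.129.16).

```python
"""Flow evaluator for the pod manager VM's tenant-NIC NSG (added example, not VMware code).
Applies NSG semantics (ascending priority, first match wins) to the documented inbound
rules plus Azure's default inbound rules, using constructed sample CIDRs."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")                                       # constructed
SUBNETS = {"Management subnet": "10.0.1.0/27", "Tenant subnet": "10.0.2.0/24"}   # constructed


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    ports: tuple      # destination ports or ranges, ("*",) for Any
    protocol: str     # "TCP", "UDP" or "*" for Any
    source: str       # CIDR/IP, subnet alias, service tag, or "*" for Any
    access: str       # "Allow" or "Deny"


# Inbound rules of vmw-hcs-podUUID-tenant-nsg, from the table above.
TENANT_NIC_INBOUND = [
    Rule(1000, "AllowHttpsInBound", ("80", "443"), "TCP", "VirtualNetwork", "Allow"),
    Rule(1100, "AllowAgentHttpsInBound", ("3443", "8443"), "TCP", "Tenant subnet", "Allow"),
    Rule(1110, "AllowGatewayBrokeringHttpsInBound", ("8443",), "TCP", "VirtualNetwork", "Allow"),
    Rule(1120, "AllowUagHttpsInBound", ("8443",), "TCP", "Management subnet", "Allow"),
    Rule(1200, "AllowAgentJmsInBound", ("4001", "4002"), "TCP", "Tenant subnet", "Allow"),
    Rule(1210, "AllowRouterJmsInBound", ("4101",), "TCP", "Tenant subnet", "Allow"),
    Rule(1300, "AllowAgentUdpInBound", ("5678",), "UDP", "Tenant subnet", "Allow"),
    Rule(1400, "AllowAzureInBound", ("*",), "*", "168.63.129.16", "Allow"),
    Rule(3000, "DenyAllInBound", ("*",), "*", "*", "Deny"),
]
# Default inbound rules that Azure creates in every NSG (see "Default security rules").
AZURE_DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", ("*",), "*", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", ("*",), "*", "AzureLoadBalancer", "Allow"),
    Rule(65500, "DenyAllInBound", ("*",), "*", "*", "Deny"),
]


def source_matches(spec, addr):
    """Service tags are approximated against the constructed VNet CIDR."""
    spec = SUBNETS.get(spec, spec)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == ipaddress.ip_address("168.63.129.16")
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(ports, port):
    for spec in ports:
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, source_ip, protocol, port):
    """Return (access, rule name, priority) of the first matching rule in priority order."""
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol.upper()):
            continue
        if source_matches(rule.source, addr) and port_matches(rule.ports, port):
            return rule.access, rule.name, rule.priority
    return "Deny", "no matching rule", None


def evaluate_tenant_nic(source_ip, protocol, port, with_deployer_deny=True):
    """with_deployer_deny=False shows what would happen if the priority-3000 rule were removed."""
    rules = [r for r in TENANT_NIC_INBOUND if with_deployer_deny or r.priority != 3000]
    return evaluate(rules + AZURE_DEFAULT_INBOUND, source_ip, protocol, port)


if __name__ == "__main__":
    for flow in [("10.0.2.10", "TCP", 443), ("10.0.2.10", "TCP", 22), ("10.0.1.5", "TCP", 8443),
                 ("203.0.113.7", "UDP", 4172), ("168.63.129.16", "TCP", 80)]:
        print(flow, "->", evaluate_tenant_nic(*flow))
    print(("10.0.2.10", "TCP", 22), "without the deployer's DenyAllInBound ->",
          evaluate_tenant_nic("10.0.2.10", "TCP", 22, with_deployer_deny=False))
```

Two of the traces are worth noting. SSH from a tenant-subnet address is denied by the deployer's rule at 3000; remove that rule and the same flow is allowed by Azure's default AllowVnetInBound at 65000, which is the concrete reason the deployer writes an explicit deny at 3000 rather than relying on the defaults. And port 8443 from the management subnet is allowed by AllowGatewayBrokeringHttpsInBound at 1110 before AllowUagHttpsInBound at 1120 is ever consulted, because both match and the lower priority number wins.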
External Unified Access Gateway VMs' Deployer-Created NSGs
Each of the VMs for the external Unified Access Gateway configuration has three (3) NICs, one connected to the management subnet, one connected to the tenant subnet, and one connected to the DMZ subnet. The deployer creates a specific NSG for each of those three NICs, and associates each NSG with its appropriate NIC.
- The management NIC has an NSG named in the pattern vmw-hcs-ID-uag-management-nsg.
- The tenant NIC has an NSG named in the pattern vmw-hcs-ID-uag-tenant-nsg.
- The DMZ NIC has an NSG named in the pattern vmw-hcs-ID-uag-dmz-nsg.
In your Microsoft Azure environment, these NSGs are named in the pattern vmw-hcs-ID-uag, where ID is the pod's ID as displayed on the pod's details page in the console, unless the external gateway is deployed in its own VNet separate from the pod's VNet. In the case of an external gateway deployed in its own VNet, the ID is the Deployment ID value shown on the pod's details page.
Rules in the NSG on the external gateway VM's management NIC:
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowHttpsInBound | 9443 | TCP | Management subnet | Any | Allow | For the service to configure the gateway's administration settings using its management interface. As described in the Unified Access Gateway product documentation, its management interface is at port 9443/TCP. |
Inbound | 1100 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 1200 | AllowSshInBound | 22 | Any | Management subnet | Any | Allow | For VMware to perform emergency access to the VM if needed for troubleshooting. Permission will be requested from you prior to any emergency access. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
Outbound | 3000 | DenyAllOutBound | Any | Any | Any | Any | Deny | Added by the deployer to deny outbound traffic from this NIC. |
Rules in the NSG on the external gateway VM's tenant NIC:
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 1400 | AllowPcoipUdpInBound | Any | UDP | Tenant subnet | Any | Allow | This rule supports the standard configuration used for Unified Access Gateway working with the Horizon Agent. The Horizon Agents in the desktop and farm VMs send PCoIP data back to the Unified Access Gateway instances using UDP. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
Outbound | 1000 | AllowHttpsOutBound | 443, 8443 | TCP | Any | Tenant subnet | Allow | This rule supports the Unified Access Gateway instances communicating with the pod manager VMs for the purpose of new client connection requests to the pod managers. |
Outbound | 1100 | AllowBlastOutBound | 22443 | Any | Any | Tenant subnet | Allow | This rule supports the use case of a Horizon Client Blast Extreme session to the Horizon Agent in a desktop or farm VM. |
Outbound | 1200 | AllowPcoipOutBound | 4172 | Any | Any | Tenant subnet | Allow | This rule supports the use case of a Horizon Client PCoIP session to the Horizon Agent in a desktop VM. |
Outbound | 1300 | AllowUsbOutBound | 32111 | TCP | Any | Tenant subnet | Allow | This rule supports the use case of USB redirection traffic. USB redirection is an agent option in the desktop or farm VMs. That traffic uses port 32111 for an end-user client session to the Horizon Agent in a desktop or farm VM. |
Outbound | 1400 | AllowMmrOutBound | 9427 | TCP | Any | Tenant subnet | Allow | This rule supports the use cases of multimedia redirection (MMR) and client driver redirection (CDR) traffic. These redirections are agent options in the desktop or farm VMs. That traffic uses port 9427, for an end-user client session to the Horizon Agent in a desktop or farm VM. |
Outbound | 1500 | AllowAllOutBound | Any | Any | Any | Tenant subnet | Allow | When running in a VM that supports multiple user sessions, the Horizon Agent chooses different ports to use for the sessions' PCoIP traffic. Because these ports cannot be determined ahead of time, a NSG rule naming specific ports to allow that traffic cannot be defined ahead of time. Therefore, similar to the rule at priority 1200, this rule supports the use case of multiple Horizon Client PCoIP sessions with such VMs. |
Outbound | 3000 | DenyAllOutBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's outbound traffic to the items in the previous rows. |
Rules in the NSG on the external gateway VM's DMZ NIC:
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowHttpsInBound | 80, 443 | TCP | Internet | Any | Allow | This rule provides for the external end users' inbound traffic from the Horizon Clients and the Horizon web client to send the login authentication request to the pod manager. By default, the Horizon Client and Horizon web client use port 443 for this request. To support easy redirection as a convenience for a user who might type HTTP in their client instead of HTTPS, that traffic arrives at port 80 and is automatically redirected to port 443. |
Inbound | 1100 | AllowBlastInBound | 443, 8443 | Any | Internet | Any | Allow | This rule supports the Unified Access Gateway instances receiving the Blast traffic from the external end users' Horizon Clients. |
Inbound | 1200 | AllowPcoipInBound | 4172 | Any | Internet | Any | Allow | This rule supports the Unified Access Gateway instances receiving PCoIP traffic from the external end users' Horizon Clients. |
Inbound | 1300 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
Internal Unified Access Gateway VMs' Deployer-Created NSGs
Each of the VMs for the internal Unified Access Gateway configuration has two (2) NICs, one connected to the management subnet and one connected to the tenant subnet. The deployer creates a specific NSG for each of those two NICs, and associates each NSG with its appropriate NIC.
- The management NIC has an NSG named in the pattern vmw-hcs-podUUID-uag-management-nsg.
- The tenant NIC has an NSG named in the pattern vmw-hcs-podUUID-uag-tenant-nsg.
In your Microsoft Azure environment, these NSGs reside in the pod's resource group named in the pattern vmw-hcs-podUUID-uag-internal.
Rules in the NSG on the internal gateway VM's management NIC:
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowHttpsInBound | 9443 | TCP | Management subnet | Any | Allow | For the service to configure the gateway's administration settings using its management interface. As described in the Unified Access Gateway product documentation, its management interface is at port 9443/TCP. |
Inbound | 1100 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 1200 | AllowSshInBound | 22 | Any | Management subnet | Any | Allow | For VMware to perform emergency access to the VM if needed for troubleshooting. Permission will be requested from you prior to any emergency access. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
Outbound | 3000 | DenyAllOutBound | Any | Any | Any | Any | Deny | Added by the deployer to deny outbound traffic from this NIC. |
Rules in the NSG on the internal gateway VM's tenant NIC:
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 1100 | AllowHttpsInBound | 80, 443 | TCP | VirtualNetwork | Any | Allow | This rule provides for the internal end users' inbound traffic from the Horizon Clients and the Horizon web client to send the login authentication request to the pod manager. By default, the Horizon Client and Horizon web client use port 443 for this request. To support easy redirection as a convenience for a user who might type HTTP in their client instead of HTTPS, that traffic arrives at port 80 and is automatically redirected to port 443. |
Inbound | 1200 | AllowBlastInBound | 443, 8443 | Any | VirtualNetwork | Any | Allow | This rule supports the Unified Access Gateway instances receiving the Blast traffic from the internal end users' Horizon Clients. |
Inbound | 1300 | AllowPcoipInBound | 4172 | Any | VirtualNetwork | Any | Allow | This rule supports the Unified Access Gateway instances receiving PCoIP traffic from the internal end users' Horizon Clients. |
Inbound | 1400 | AllowPcoipUdpInBound | Any | UDP | Tenant subnet | Any | Allow | This rule supports the standard configuration used for Unified Access Gateway working with the Horizon Agent. The Horizon Agents in the desktop and farm VMs send PCoIP data back to the Unified Access Gateway instances using UDP. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
Outbound | 1000 | AllowHttpsOutBound | 443, 8443 | TCP | Any | Tenant subnet | Allow | This rule supports the Unified Access Gateway instances communicating with the pod manager VMs for the purpose of new client connection requests to the pod. |
Outbound | 1100 | AllowBlastOutBound | 22443 | Any | Any | Tenant subnet | Allow | This rule supports the use case of a Horizon Client Blast Extreme session to the Horizon Agent in a desktop or farm VM. |
Outbound | 1200 | AllowPcoipOutBound | 4172 | Any | Any | Tenant subnet | Allow | This rule supports the use case of a Horizon Client PCoIP session to the Horizon Agent in a desktop VM. |
Outbound | 1300 | AllowUsbOutBound | 32111 | TCP | Any | Tenant subnet | Allow | This rule supports the use case of USB redirection traffic. USB redirection is an agent option in the desktop or farm VMs. That traffic uses port 32111 for an end-user client session to the Horizon Agent in a desktop or farm VM. |
Outbound | 1400 | AllowMmrOutBound | 9427 | TCP | Any | Tenant subnet | Allow | This rule supports the use cases of multimedia redirection (MMR) and client driver redirection (CDR) traffic. These redirections are agent options in the desktop or farm VMs. That traffic uses port 9427, for an end-user client session to the Horizon Agent in a desktop or farm VM. |
Outbound | 1500 | AllowAllOutBound | Any | Any | Any | Tenant subnet | Allow | When running in a VM that supports multiple user sessions, the Horizon Agent chooses different ports to use for the sessions' PCoIP traffic. Because these ports cannot be determined ahead of time, an NSG rule naming specific ports to allow that traffic cannot be defined ahead of time. Therefore, similar to the rule at priority 1200, this rule supports the use case of multiple Horizon Client PCoIP sessions with such VMs. |
Outbound | 3000 | DenyAllOutBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's outbound traffic to the items in the previous rows. |
Gateway Connector VM's Deployer-Created NSG When an External Gateway is Deployed in Its Own VNet
The gateway connector VM has a single NIC. This NIC is attached to the external gateway's VNet's management subnet. The deployer creates a single NSG and associates that NSG specifically with that NIC. By default, the deployer-created NSG for the gateway connector's management NIC has the same rules as the deployer-created NSG for the pod manager VM.
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 1000 | AllowSshInBound | 22 | Any | Management subnet | Any | Allow | If during steady-state operations you make a support request to VMware and the support team determines the way to troubleshoot that request is to deploy a jump box VM for SSH communication to this gateway connector VM, this NSG rule supports that use case. Permission will be requested from you prior to any emergency access. The short-lived jump box VM communicates with this gateway connector VM using SSH to the VM's port 22. Day-to-day pod operations do not require availability of port 22 on the gateway connector VM. |
Inbound | 1100 | AllowAzureInBound | Any | Any | 168.63.129.16 | Any | Allow | For the VM to accept incoming communication from the Microsoft Azure platform, as described in the preceding General Facts section and in the Microsoft Azure documentation topic What is IP address 168.63.129.16. |
Inbound | 1200 | AllowHttpsInBound | 443 | Any | Management subnet | Any | Allow | For the cloud control plane to securely communicate with the gateway connector's REST API endpoint. |
Inbound | 1300 | AllowApacheGeodeInBound | 10334 - 10336, 41000-41002, 41100-41102, 42000-42002 | Any | Management subnet | Any | Allow | These ports are used to replicate user sessions and fileshare-related information across the pod manager VMs and the gateway connector VM. |
Inbound | 1400 | AllowTelegrafInBound | 9172 | Any | Management subnet | Any | Allow | When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect. |
Inbound | 1500 | AllowAgentJmsInBound | 4001, 4002 | Any | Management subnet | Any | Allow | When Horizon Infrastructure Monitoring is activated on the pod, for the Horizon Edge Virtual Appliance to collect the monitoring data it is designed to collect. |
Inbound | 3000 | DenyAllInBound | Any | Any | Any | Any | Deny | Added by the deployer to limit this NIC's inbound traffic to the items in the previous rows. |
Temporary Jump Box VM's Deployer-Created NSG
If you make a support request to VMware and the support team determines the way to service that request is to deploy a temporary jump box VM, this temporary jump box has an NSG in its temporary jump box resource group. This NSG is deleted when the jump box's resource group is deleted when the support team has completed such work. Permission will be requested from you prior to any emergency access.
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 100 | AllowSSHInBound | 22 | Any | Management subnet | Management subnet | Allow | For SSH communication to the VMware-managed appliances involved in the VMware support team's investigation for your service request. The short-lived jump box VM communicates using SSH and port 22. Note: In cases where the cloud control plane has lost access to the pod, the support team might deploy an emergency jump box with a public IP to establish access to the pod. That scenario will require this rule to have Source=Any and Destination=Any. |
Outbound | 100 | AllowSSHOutbound | 22 | TCP | Management subnet | Management subnet | Allow | For the jump box VM to perform its designed functions. |
Outbound | 101 | AllowHttpsOutbound | 443 | TCP | Management subnet | Any | Allow | For the jump box VM to download specific externally located software components, such as the Microsoft Azure CLI (Command Line-Interface), to perform its designed functions. |
Outbound | 102 | AllowHttpOutbound | 80 | TCP | Management subnet | Any | Allow | For the jump box VM to download specific externally located software components, such as Ubuntu software updates, to perform its designed functions. |
Outbound | 103 | AllowUagOutbound | 9443 | TCP | Management subnet | Management subnet | Allow | For the jump box VM to perform its designed functions related to gateway administration settings using the gateway's management interface. |
Outbound | 104 | AllowDnsOutbound | 53 | Any | Management subnet | Any | Allow | For the jump box VM to reach DNS services. |
Outbound | 105 | AllowHttpProxyOutbound | Any | TCP | Any | Any | Allow | When the pod deployment is configured to use a proxy with a proxy port other than 80, the temporary jump box deployer creates this rule in this NSG. This rule supports the temporary jump box in such a proxy environment. This rule does not appear in this NSG when the pod deployment's configuration has no proxy specified or has a proxy specified with proxy port 80. |
Outbound | 1000 | DenyAllOutBound | Any | TCP | Any | Any | Deny | Limits this NIC's outbound traffic using TCP to the items in the previous rows. |
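To make the table's priority ordering concrete, the following is an added example (not VMware's code and not part of the deployer) that models how Azure evaluates an NSG: rules are tried in ascending priority order, the first match decides, and when no custom rule matches, Azure's built-in default rules (priorities 65000 and above) decide. The jump box rules are transcribed from the table above, leaving out the conditional AllowHttpProxyOutbound rule (105), so the model assumes no proxy is configured. The address plan (a 10.0.0.0/16 VNet with a 10.0.1.0/24 management subnet), the jump box and pod manager addresses, and the sample flows are constructed for the example.

```python
"""Model of Azure NSG evaluation applied to the temporary jump box NSG.

Added example, not VMware's code. Address plan and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed address plan (assumption): the pod's VNet and management subnet.
VNET = ip_network("10.0.0.0/16")
MGMT_SUBNET = ip_network("10.0.1.0/24")


@dataclass(frozen=True)
class Rule:
    direction: str    # "Inbound" or "Outbound"
    priority: int     # lower number is evaluated first
    name: str
    ports: str        # destination ports in the table's notation
    protocol: str     # "Any", "TCP" or "UDP"
    source: str       # "Any", "Management subnet", "VirtualNetwork", "Internet" or an IP
    destination: str
    action: str       # "Allow" or "Deny"


# Rules transcribed from the temporary jump box NSG table. The conditional
# AllowHttpProxyOutbound rule (105) is omitted: no proxy is assumed.
JUMP_BOX_RULES = [
    Rule("Inbound", 100, "AllowSSHInBound", "22", "Any", "Management subnet", "Management subnet", "Allow"),
    Rule("Outbound", 100, "AllowSSHOutbound", "22", "TCP", "Management subnet", "Management subnet", "Allow"),
    Rule("Outbound", 101, "AllowHttpsOutbound", "443", "TCP", "Management subnet", "Any", "Allow"),
    Rule("Outbound", 102, "AllowHttpOutbound", "80", "TCP", "Management subnet", "Any", "Allow"),
    Rule("Outbound", 103, "AllowUagOutbound", "9443", "TCP", "Management subnet", "Management subnet", "Allow"),
    Rule("Outbound", 104, "AllowDnsOutbound", "53", "Any", "Management subnet", "Any", "Allow"),
    Rule("Outbound", 1000, "DenyAllOutBound", "Any", "TCP", "Any", "Any", "Deny"),
]

# Azure's built-in default rules, which sit behind every NSG's custom rules.
# (The default AllowAzureLoadBalancerInBound rule is left out of this model.)
AZURE_DEFAULT_RULES = [
    Rule("Inbound", 65000, "AllowVnetInBound", "Any", "Any", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("Inbound", 65500, "DenyAllInBound", "Any", "Any", "Any", "Any", "Deny"),
    Rule("Outbound", 65000, "AllowVnetOutBound", "Any", "Any", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("Outbound", 65001, "AllowInternetOutBound", "Any", "Any", "Any", "Internet", "Allow"),
    Rule("Outbound", 65500, "DenyAllOutBound", "Any", "Any", "Any", "Any", "Deny"),
]


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn the table's port notation ("22", "10334 - 10336, 41000-41002",
    "Any") into a list of inclusive (low, high) ranges."""
    if spec.strip() in ("Any", "*"):
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        low_port = int(low)
        ranges.append((low_port, int(high) if high.strip() else low_port))
    return ranges


def address_matches(selector: str, addr: str) -> bool:
    """Resolve the table's source/destination wording against a concrete IP."""
    ip = ip_address(addr)
    if selector in ("Any", "*"):
        return True
    if selector == "Management subnet":
        return ip in MGMT_SUBNET
    if selector == "VirtualNetwork":
        return ip in VNET
    if selector == "Internet":
        return ip not in VNET          # simplification: anything outside the VNet
    return ip == ip_address(selector)  # a literal address such as 168.63.129.16


def evaluate(custom_rules, direction, protocol, dst_port, src_ip, dst_ip) -> Tuple[str, str]:
    """Return (action, matching rule name) for one flow. Custom rules and the
    Azure defaults are merged and tried in ascending priority; first match wins."""
    for rule in sorted(custom_rules + AZURE_DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "Any" and rule.protocol.upper() != protocol.upper():
            continue
        if not any(lo <= dst_port <= hi for lo, hi in parse_ports(rule.ports)):
            continue
        if not (address_matches(rule.source, src_ip) and address_matches(rule.destination, dst_ip)):
            continue
        return rule.action, rule.name
    raise AssertionError("unreachable: Azure's default DenyAll rules match every flow")


if __name__ == "__main__":
    # Constructed flows: jump box at 10.0.1.10, pod manager at 10.0.1.20,
    # an Internet host at 203.0.113.5 (documentation address range).
    flows = [
        ("Outbound", "TCP", 22, "10.0.1.10", "10.0.1.20"),      # SSH to a pod manager
        ("Outbound", "TCP", 3389, "10.0.1.10", "203.0.113.5"),  # other TCP to the Internet
        ("Outbound", "UDP", 123, "10.0.1.10", "203.0.113.5"),   # NTP to the Internet
        ("Inbound", "TCP", 22, "203.0.113.5", "10.0.1.10"),     # SSH from the Internet
        ("Inbound", "TCP", 22, "10.0.1.20", "10.0.1.10"),       # SSH from the management subnet
    ]
    for flow in flows:
        action, name = evaluate(JUMP_BOX_RULES, *flow)
        print(f"{flow[0]:8} {flow[1]:3} {flow[2]:5} {flow[3]:>13} -> {flow[4]:<13} {action:5} by {name}")
```

Two results are worth noticing. Inbound SSH from outside the management subnet is denied by Azure's default DenyAllInBound, because the deployer's AllowSSHInBound rule is scoped to the management subnet as its source. Outbound UDP to the Internet, on the other hand, is allowed by Azure's default AllowInternetOutBound rule: the deployer's DenyAllOutBound rule is specified with protocol TCP, exactly as the table states, so non-TCP outbound flows are outside its scope and fall through to the defaults. When reviewing what this NSG permits, reason about the protocol column as well as the ports.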
Horizon Edge Virtual Appliance Deployer-Created NSGs
The Horizon Edge Virtual Appliance is deployed when you use the Horizon Universal Console to activate Horizon Infrastructure Monitoring on the pod. The Horizon Edge Virtual Appliance has one NIC connected to the same management subnet that is connected to the pod manager VMs. The deployer creates a specific NSG named in the pattern vmw-hcs-podUUID-edge-nsg and associates that NSG with the NIC.
In your Microsoft Azure environment, these NSGs reside in the pod's resource group named in the pattern vmw-hcs-podUUID-edge.
Direction | Priority | Name | Ports | Protocol | Source | Destination | Action | Rule's Purpose |
---|---|---|---|---|---|---|---|---|
Inbound | 100 | AllowSSHInbound | 22 | Any | Management subnet | Any | Allow | If during steady-state operations you make a support request to VMware and the support team determines the way to troubleshoot that request is to deploy a jump box VM for SSH communication to this appliance, this NSG rule supports that use case. Permission will be requested from you prior to any emergency access. The short-lived jump box VM communicates with this appliance using SSH to the VM's port 22. Day-to-day pod operations do not require availability of port 22 on the appliance. |
Outbound | 101 | AllowHttpsOutbound | 443 | TCP | Management subnet | Any | Allow | For the appliance to download specific externally located software components, such as the Microsoft Azure CLI (Command Line-Interface). The appliance uses this software to perform its designed functions of configuring the other service-deployed VMs for the monitoring data collection it is designed to collect. |
Outbound | 102 | AllowHttpOutbound | 80 | TCP | Management subnet | Any | Allow | For the appliance to download specific externally located software components, such as the Ubuntu software updates for its Linux-based operating system. |
Outbound | 103 | AllowUagOutbound | 9443 | TCP | Management subnet | Management subnet | Allow | This rule is planned for use in a future service update of the Horizon Infrastructure Monitoring feature. |
Outbound | 104 | AllowDnsOutbound | 53 | Any | Management subnet | Any | Allow | To reach DNS services. |
Outbound | 105 | AllowHttpProxyOutbound | Any | TCP | Any | Any | Allow | When the associated pod deployment is configured to use a proxy with a proxy port other than 80, the deployer creates this rule in this NSG for the Horizon Edge Virtual Appliance. This rule does not appear in this NSG when the associated pod deployment's configuration has no proxy specified or has a proxy specified with proxy port 80. Attention: Even though the deployer adds this rule by design, use of a proxy with the feature is currently unsupported, as described in Horizon Infrastructure Monitoring. The scenario of using a proxy with Horizon Infrastructure Monitoring and with the Horizon Edge Virtual Appliance has not been officially validated. |
Outbound | 106 | AllowTelegrafOutBound | 9172 | Any | Management subnet | Management subnet | Allow | To collect the monitoring data from the pod manager VMs that the appliance is designed to collect. |
Outbound | 107 | AllowJmsBrokerOutbound | 4002 | Any | Management subnet | Management subnet | Allow | To collect the monitoring data from the pod manager VMs that the appliance is designed to collect. |
Outbound | 1000 | DenyAllOutBound | Any | TCP | Any | Any | Deny | Added by the deployer to limit this NIC's outbound traffic using TCP to the items in the previous rows. |
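Because the page states that any change to these deployer-created NSGs is likely to disrupt pod operations, and because a rule whose source has been widened is also a security concern, a practitioner will want to verify periodically that the appliance's NSG still matches this table. The following is an added example (not VMware's code and not part of the deployer) that audits an exported rule list against the table above: it reports rules that are missing, fields that differ, and rules the deployer never creates, while tolerating the absence of the conditional AllowHttpProxyOutbound rule (105). The expected rules are transcribed from the table. The export shape is an assumption modelled on the field names of Azure's securityRules schema (name, priority, direction, access, protocol, destinationPortRange, sourceAddressPrefix, destinationAddressPrefix); the management subnet prefix 10.0.1.0/24 and the sample export are constructed for the example.

```python
"""Audit an exported NSG against the Horizon Edge Virtual Appliance rule table.

Added example, not VMware's code. The export shape follows the field names of
Azure's securityRules schema (an assumption); the management subnet prefix and
the sample export are constructed.
"""
from typing import Dict, List

MGMT_CIDR = "10.0.1.0/24"  # constructed: the pod's management subnet prefix

# Expected rules, transcribed from the table above as
# (direction, priority, name, ports, protocol, source, destination, access).
# "Any" in the table appears as "*" in an export; "TCP" appears as "Tcp".
EXPECTED_EDGE_RULES = [
    ("Inbound", 100, "AllowSSHInbound", "22", "*", "Management subnet", "*", "Allow"),
    ("Outbound", 101, "AllowHttpsOutbound", "443", "Tcp", "Management subnet", "*", "Allow"),
    ("Outbound", 102, "AllowHttpOutbound", "80", "Tcp", "Management subnet", "*", "Allow"),
    ("Outbound", 103, "AllowUagOutbound", "9443", "Tcp", "Management subnet", "Management subnet", "Allow"),
    ("Outbound", 104, "AllowDnsOutbound", "53", "*", "Management subnet", "*", "Allow"),
    ("Outbound", 105, "AllowHttpProxyOutbound", "*", "Tcp", "*", "*", "Allow"),
    ("Outbound", 106, "AllowTelegrafOutBound", "9172", "*", "Management subnet", "Management subnet", "Allow"),
    ("Outbound", 107, "AllowJmsBrokerOutbound", "4002", "*", "Management subnet", "Management subnet", "Allow"),
    ("Outbound", 1000, "DenyAllOutBound", "*", "Tcp", "*", "*", "Deny"),
]
# Rule 105 exists only when the pod is configured with a proxy on a port other than 80.
CONDITIONAL_RULES = {"AllowHttpProxyOutbound"}


def expand_prefix(value: str) -> str:
    """Map the table's wording onto the address prefix an export would contain."""
    return {"Management subnet": MGMT_CIDR, "Any": "*"}.get(value, value)


def audit_edge_nsg(exported_rules: List[Dict]) -> List[str]:
    """Compare exported rules with the expected table. Returns one finding per
    missing rule, per field that differs, and per rule the deployer did not create."""
    findings: List[str] = []
    remaining = {rule["name"]: rule for rule in exported_rules}
    for direction, priority, name, ports, protocol, src, dst, access in EXPECTED_EDGE_RULES:
        actual = remaining.pop(name, None)
        if actual is None:
            if name not in CONDITIONAL_RULES:
                findings.append(f"missing rule {name}")
            continue
        expected = {
            "direction": direction,
            "priority": priority,
            "access": access,
            "protocol": protocol,
            "destinationPortRange": ports,
            "sourceAddressPrefix": expand_prefix(src),
            "destinationAddressPrefix": expand_prefix(dst),
        }
        for field, want in expected.items():
            got = actual.get(field)
            if str(got).lower() != str(want).lower():
                findings.append(f"{name}: {field} is {got!r}, expected {want!r}")
    for name, rule in remaining.items():
        findings.append(f"unexpected rule {name} (priority {rule['priority']}, {rule['access']})")
    return findings


def _exported(name, priority, direction, access, protocol, ports, src, dst) -> Dict:
    """Build one rule in the assumed shape of an Azure securityRules export."""
    return {
        "name": name, "priority": priority, "direction": direction, "access": access,
        "protocol": protocol, "destinationPortRange": ports,
        "sourceAddressPrefix": src, "destinationAddressPrefix": dst,
    }


# Constructed export of a drifted NSG: the SSH rule's source has been widened
# from the management subnet to "*", a rule the deployer never creates has been
# added, and the conditional proxy rule is absent (no proxy configured).
SAMPLE_EXPORT = [
    _exported("AllowSSHInbound", 100, "Inbound", "Allow", "*", "22", "*", "*"),
    _exported("AllowRdpInbound", 110, "Inbound", "Allow", "Tcp", "3389", "*", "*"),
    _exported("AllowHttpsOutbound", 101, "Outbound", "Allow", "Tcp", "443", MGMT_CIDR, "*"),
    _exported("AllowHttpOutbound", 102, "Outbound", "Allow", "Tcp", "80", MGMT_CIDR, "*"),
    _exported("AllowUagOutbound", 103, "Outbound", "Allow", "Tcp", "9443", MGMT_CIDR, MGMT_CIDR),
    _exported("AllowDnsOutbound", 104, "Outbound", "Allow", "*", "53", MGMT_CIDR, "*"),
    _exported("AllowTelegrafOutBound", 106, "Outbound", "Allow", "*", "9172", MGMT_CIDR, MGMT_CIDR),
    _exported("AllowJmsBrokerOutbound", 107, "Outbound", "Allow", "*", "4002", MGMT_CIDR, MGMT_CIDR),
    _exported("DenyAllOutBound", 1000, "Outbound", "Deny", "Tcp", "*", "*", "*"),
]

if __name__ == "__main__":
    for finding in audit_edge_nsg(SAMPLE_EXPORT):
        print(finding)
```

Run against the constructed export, the audit reports the widened SSH source and the unexpected inbound rule, and stays silent about the absent proxy rule. The comparison deliberately treats any difference as a finding rather than trying to judge which differences are harmless: since the page says these NSGs are managed by Horizon Cloud and not meant to be edited, the correct response to a finding is to investigate how the drift happened, not to patch the rule by hand.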