For every Horizon Cloud pod deployed into your Microsoft Azure subscription, a network security group (NSG) is also created in the pod's resource group to act as a template. You can use this template to ensure you have opened those additional ports that you might need for the remote applications or RDS desktops provided by your farms.
In Microsoft Azure, a network security group (NSG) governs the network traffic to the resources connected to Azure Virtual Networks (VNet). An NSG defines the security rules that allow or deny that network traffic. For more detailed information about how NSGs filter network traffic, see the Microsoft Azure documentation topic Filter network traffic with network security groups.
When a Horizon Cloud pod is deployed into Microsoft Azure, an NSG named vmw-hcs-podID-nsg-template is created in the same resource group as the pod, named vmw-hcs-podID, where podID is the pod's ID. You can obtain the pod's ID from the pod's details page, navigating from the Capacity page in the Horizon Universal Console.
By default:
- Microsoft Azure automatically creates some default inbound and outbound rules, at priority 65000 and higher, in every NSG when it is created. Those Microsoft Azure default rules are not described in this documentation topic, because Microsoft Azure creates them automatically whenever anybody or any system creates an NSG in Microsoft Azure. Those rules are not created by Horizon Cloud. For details on those default rules, see the Microsoft Azure documentation topic Default security rules.
- The Horizon Cloud pod deployer creates the following inbound security rules in the pod's template NSG. These default inbound security rules support end-user clients' access to the RDS session desktops and remote applications over Blast and PCoIP, and USB redirection.
Priority | Name | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|---|
1000 | AllowBlastUdpIn | 22443 | UDP | Internet | Any | Allow |
1100 | AllowBlastTcpIn | 22443 | TCP | Internet | Any | Allow |
1200 | AllowPcoipTcpIn | 4172 | TCP | Internet | Any | Allow |
1300 | AllowPcoipUdpIn | 4172 | UDP | Internet | Any | Allow |
1400 | AllowTcpSideChannelIn | 9427 | TCP | Internet | Any | Allow |
1500 | AllowUsbRedirectionIn | 32111 | TCP | Internet | Any | Allow |
In addition to this template NSG, when a farm is created, the system creates an NSG for that farm by copying the template NSG. Every farm has its own NSG that is a copy of the template NSG. A farm's NSG is assigned to the NICs of that farm's virtual machines (VMs). By default, every farm uses the same default security rules as configured in the pod's template NSG.
You can modify both the template NSG and the per-farm NSGs. For example, if you have an application in a farm that you know needs an additional port opened for that application, you would modify that farm's NSG to allow network traffic on that port. If you are planning to create multiple farms that need the same port opened, a simple way to support that scenario is to edit the template NSG prior to creating those farms.
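Because the template NSG and every per-farm copy can be edited independently, it is useful to check a farm's NSG against the deployer defaults listed in the table above. The following Python sketch is an added example, not VMware or Microsoft code: it assumes rule dictionaries shaped like the JSON printed by `az network nsg rule list`, and the sample rules, including the hypothetical `AllowAppPortIn`, are constructed.

```python
# Pod deployer defaults from the table above: name -> (priority, port, protocol).
BASELINE = {
    "AllowBlastUdpIn": (1000, "22443", "udp"),
    "AllowBlastTcpIn": (1100, "22443", "tcp"),
    "AllowPcoipTcpIn": (1200, "4172", "tcp"),
    "AllowPcoipUdpIn": (1300, "4172", "udp"),
    "AllowTcpSideChannelIn": (1400, "9427", "tcp"),
    "AllowUsbRedirectionIn": (1500, "32111", "tcp"),
}

def rule(name, priority, port, protocol, source="Internet", access="Allow"):
    """Build a rule dict; field names are assumed to match the Azure CLI JSON."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRange": port}

def _shape(r):
    """The fields compared against the template defaults."""
    return (r["priority"], r["destinationPortRange"], r["protocol"].lower(),
            r["sourceAddressPrefix"], r["access"])

def audit_farm_nsg(rules):
    """Return (missing, changed, extra) relative to the template defaults."""
    by_name = {r["name"]: r for r in rules}
    missing = sorted(n for n in BASELINE if n not in by_name)
    changed = sorted(
        n for n, expected in BASELINE.items()
        if n in by_name and _shape(by_name[n]) != expected + ("Internet", "Allow"))
    # Azure's own default rules sit at priority 65000 and higher; skip them.
    extra = sorted(
        (r["name"], r["destinationPortRange"], r["sourceAddressPrefix"])
        for r in rules
        if r["name"] not in BASELINE and r["priority"] < 65000
        and r["direction"] == "Inbound" and r["access"] == "Allow")
    return missing, changed, extra

# Constructed sample: a farm NSG that has drifted from the template.
SAMPLE_FARM_RULES = [
    rule("AllowBlastUdpIn", 1000, "22443", "Udp"),
    rule("AllowBlastTcpIn", 1100, "22443", "Tcp"),
    rule("AllowPcoipTcpIn", 1200, "4172", "Tcp"),
    rule("AllowPcoipUdpIn", 1300, "4172", "Udp"),
    rule("AllowTcpSideChannelIn", 1400, "9427-9500", "Tcp"),  # port range widened
    rule("AllowAppPortIn", 1600, "8443", "Tcp", source="10.0.0.0/8"),  # hypothetical
    rule("AllowVnetInBound", 65000, "*", "*", source="VirtualNetwork"),  # Azure default
]

if __name__ == "__main__":
    for label, found in zip(("missing", "changed", "extra inbound allow"),
                            audit_farm_nsg(SAMPLE_FARM_RULES)):
        print(f"{label}: {found}")
```

Each extra inbound Allow rule is reported with its port and source so that a reviewer can confirm it corresponds to a port an application in that farm actually needs.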