For every Horizon Cloud pod deployed into your Microsoft Azure subscription, a network security group (NSG) is also created in the pod's resource group to act as a template. You can use this template to make sure that any additional ports needed by the remote applications or RDS desktops that your farms provide are open.

In Microsoft Azure, a network security group (NSG) governs the network traffic to the resources connected to Azure Virtual Networks (VNet). An NSG defines the security rules that allow or deny that network traffic. For more detailed information about how NSGs filter network traffic, see the Microsoft Azure documentation topic Filter network traffic with network security groups.

When a Horizon Cloud pod is deployed into Microsoft Azure, an NSG named vmw-hcs-podID-nsg-template is created in the pod's own resource group, which is named vmw-hcs-podID, where podID is the pod's ID. You can obtain the pod's ID from the pod's details page, which you reach from the Capacity page in the Horizon Universal Console.

By default:

  • Microsoft Azure automatically creates some default inbound and outbound rules at priority 65000 and higher in every NSG when the NSG is created. This documentation topic does not describe those rules, because Microsoft Azure, not Horizon Cloud, creates them whenever any person or system creates an NSG in Microsoft Azure. For details on those default rules, see the Microsoft Azure documentation topic Default security rules.
  • The Horizon Cloud pod deployer creates the following inbound security rules in the pod's template NSG. These default inbound security rules support end-user clients' access to the RDS session desktops and remote applications over Blast and PCoIP, and support USB redirection.
Table 1. Inbound Security Rules Created by the Horizon Cloud Pod Deployer in the Pod's Template NSG

Priority  Name                   Port   Protocol  Source    Destination  Action
1000      AllowBlastUdpIn        22443  UDP       Internet  Any          Allow
1100      AllowBlastTcpIn        22443  TCP       Internet  Any          Allow
1200      AllowPcoipTcpIn        4172   TCP       Internet  Any          Allow
1300      AllowPcoipUdpIn        4172   UDP       Internet  Any          Allow
1400      AllowTcpSideChannelIn  9427   TCP       Internet  Any          Allow
1500      AllowUsbRedirectionIn  32111  TCP       Internet  Any          Allow

In addition to this template NSG, when a farm is created, the system creates an NSG for that farm by copying the template NSG, so every farm has its own NSG. A farm's NSG is assigned to the NICs of that farm's virtual machines (VMs). By default, every farm uses the same default security rules as configured in the pod's template NSG.

You can modify both the template NSG and the per-farm NSGs. For example, if an application in a farm needs an additional port opened, you would modify that farm's NSG to allow network traffic on that port. If you are planning to create multiple farms that need the same port opened, a simple way to support that scenario is to edit the template NSG before creating those farms.

Important: When planning to modify the base template, make a copy before modifying it. The copy can serve as a backup in case you need to revert to the original default settings.
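
Because the template and each farm's NSG can be edited independently, it helps to check how a given NSG has drifted from the deployer's defaults in Table 1. The following Python sketch is an added example, not part of the Horizon Cloud product or its documentation. It assumes the NSG is available as a dictionary using the flattened field names of az CLI JSON output (securityRules, destinationPortRange, sourceAddressPrefix); the sample farm NSG and the rule name AllowCustomApp8443In are constructed for illustration.

```python
# Baseline inbound rules from Table 1: name -> (priority, port, protocol).
BASELINE = {
    "AllowBlastUdpIn": (1000, "22443", "UDP"),
    "AllowBlastTcpIn": (1100, "22443", "TCP"),
    "AllowPcoipTcpIn": (1200, "4172", "TCP"),
    "AllowPcoipUdpIn": (1300, "4172", "UDP"),
    "AllowTcpSideChannelIn": (1400, "9427", "TCP"),
    "AllowUsbRedirectionIn": (1500, "32111", "TCP"),
}

def make_rule(name, priority, port, protocol, source="Internet"):
    """Build one inbound allow rule in the assumed az CLI JSON shape."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": "Allow", "protocol": protocol.capitalize(),
            "sourceAddressPrefix": source, "destinationPortRange": port,
            "destinationAddressPrefix": "*"}

def audit_nsg(nsg):
    """Compare an NSG's inbound rules with Table 1.

    Returns (missing, changed, extra) as sorted lists of rule names.
    """
    inbound = {r["name"]: r for r in nsg.get("securityRules", [])
               if r.get("direction") == "Inbound"}
    missing = sorted(set(BASELINE) - set(inbound))
    changed = []
    for name, (priority, port, protocol) in BASELINE.items():
        rule = inbound.get(name)
        if rule is None:
            continue
        actual = (rule.get("priority"), rule.get("destinationPortRange"),
                  str(rule.get("protocol")).upper(),
                  rule.get("sourceAddressPrefix"), rule.get("access"))
        if actual != (priority, port, protocol, "Internet", "Allow"):
            changed.append(name)
    extra = sorted(set(inbound) - set(BASELINE))
    return missing, sorted(changed), extra

# Constructed sample: a farm NSG copied from the template, then edited.
SAMPLE_FARM_NSG = {"name": "constructed-farm-nsg", "securityRules": [
    make_rule(n, *v) for n, v in BASELINE.items()
    if n != "AllowUsbRedirectionIn"]}  # one default rule deleted
SAMPLE_FARM_NSG["securityRules"][3]["protocol"] = "Tcp"  # AllowPcoipUdpIn edited
SAMPLE_FARM_NSG["securityRules"].append(  # hypothetical extra rule, any source
    make_rule("AllowCustomApp8443In", 1600, "8443", "TCP", source="*"))

if __name__ == "__main__":
    print(audit_nsg(SAMPLE_FARM_NSG))
```

To audit a real NSG, save the JSON that az network nsg show writes for it, parse it with json.load, and pass the resulting dictionary to audit_nsg. Rules reported as extra are the ones to review, because they are the ports opened beyond the deployer's defaults.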