You must have a subscription for cloud capacity in Microsoft Azure and then bring that subscription information to pair that cloud capacity with Horizon Cloud. You use the Horizon Universal Console to stand up the deployment in that subscription and create golden images. From those images, you provision remote apps and single-session and multi-session desktops to your end users to securely access from any device.
The deployment creates what is called a Horizon Cloud pod. The remote apps and single-session and multi-session desktops are provisioned from that pod using the capacity in your Microsoft Azure subscription. You choose where the desktops and applications reside, based on the location of the deployed pod.
For the overall introduction to Horizon Cloud, see Introduction to the Service. For the suggested workflow of activities for your first Horizon Cloud pod deployment, see Horizon Cloud Pod - First Pod Onboarding - High-Level Workflow.
The Deployed Horizon Cloud Pod
To do multi-tenancy, you would set up multiple Horizon Cloud customer account records. The Horizon Cloud customer account record, which is created when you registered with VMware to use the Horizon Cloud Service and is associated with your VMware Customer Connect credentials, is more like a tenant. A Horizon Cloud customer account record is isolated from other Horizon Cloud customer account records. A single customer account record maps to multiple pods, and when someone uses any of the account credentials associated with that customer account record to log in to the administrative console, the console reflects all of the pods that are mapped to that customer account record.
The pod deployment process automatically creates a set of resource groups in your Microsoft Azure capacity. Resource groups are used to organize the assets that the environment needs and creates, such as:
- VMs for the pod manager instances.
- VMs for the Unified Access Gateway instances and their load balancers
- VM for the connector VM in the external gateway configuration when you deploy that configuration in a VNet separate from the pod's VNet
- VMs for the RDSH-capable golden images
- VMs for the VDI desktop golden images
- VMs for the assignable (published, sealed) images that are made from the golden images
- VMs for the RDSH farms that provide the RDSH desktops and remote applications
- VMs for the VDI desktops
- Additional assets that the VMs and the environment require for supported operations, such as network interfaces, IP addresses, disks, key vaults, Microsoft Azure Database for PostgreSQL server resource, and various items along those lines. The pod deployment process can create the required virtual subnets also, using the values you specify in the deployment wizard.
All of the resource groups created by Horizon Cloud in your Microsoft Azure environment are named using the prefix
- Manual creation of golden images.
- Modifying farm and VDI desktop assignment network security groups as need to configure ports for your business circumstances.
Horizon Cloud automatically configures the pod-related resources to ensure the pod operates as designed. Never manually change settings for the resources that Horizon Cloud automatically creates and deploys during workflows, including assigned IP addresses or names, and so on. Never manually power off VM instances or delete them directly using the Microsoft Azure portal. Never manually delete the manager VM or Unified Access Gateway VMs. Never manually delete NICs from the resource groups, especially from the Unified Access Gateway resource groups. If you change the generated settings or manually power off VMs or manually delete VMs or NICs that were created by the pod deployer, unpredictable results can occur and pod operations, pod updates, and pod deletion operations might encounter failures.
The following diagram illustrates a deployed pod which has both the external and internal types of gateway configurations, and where the external gateway resides in the same VNet as the pod itself. In this diagram,
RG means resource group.
The Unified Access Gateway instances in the external gateway configuration have NICs on the demilitarized (DMZ) network. With an external gateway configuration, you can have your end users located in the Internet, outside your corporate network, accessing their pod-provisioned virtual desktops and applications through that configuration. With an internal gateway configuration, you can have your end users located in your intranet, inside your corporate network, making trusted connections to their pod-provisioned virtual desktops and applications through that gateway.
The pod deployer provides the option to deploy the pod with both configurations up front. Alternatively, you can deploy the pod with only one gateway configuration or with none at all, and edit the deployed pod to add the non-chosen gateway configuration later. You can also deploy the pod initially without either type and add on later.
The system deploys the pod with high availability, having two pod manager VMs by default.
The following diagram illustrates the resources that are deployed when you choose the option to have the external gateway residing in its own VNet, separate from the pod's VNet. The two VNets must be peered. This diagram also applies when you choose the option to have the external gateway's resources deployed using a Microsoft Azure subscription that is different than the one used for the pod. Because VNets cannot cross subscriptions, choosing to deploy the external gateway into its own subscription is a subset of choosing the external gateway to reside in its own VNet.
Subscriptions and Number of Pods
Be mindful about the number of pods you deploy into a single subscription, especially if you plan to have each pod running at a large scale. Even though multiple pods can be deployed into a single Microsoft Azure subscription, whether all into one region or spread across multiple regions, Microsoft Azure imposes certain limits within a single subscription. Because of those Microsoft Azure limits, deployment of a large number of pods into a single subscription increases the likelihood of hitting those limits. Numerous variables, and combinations of those variables, are involved in reaching those limits, such as the number of pods, the number of farms and assignments within each pod, the number of farm RDSH VMs within each pod, the number of desktops within each assignment, and so on.
If you plan to have pods running at a large scale, consider adopting the approach of having multiple subscriptions with those multiple subscriptions under one Microsoft Azure account. Microsoft Azure customers use this approach, and often prefer it, because it provides some benefits for ongoing management of the subscriptions. Using this approach, you would deploy a single pod per subscription, roll up those subscriptions in a single primary account, and avoid the chances of hitting the Microsoft Azure limits that are imposed on a single subscription.
When You Have Existing Pods That Were Deployed Prior to This Current Horizon Cloud Release
As described in Horizon Cloud Pods - Maintenance and Updates, VMware updates the Horizon Cloud software components periodically to include new features and bug fixes. The in-cloud management environment is updated on a weekly basis and the binaries that are the basis of the pod software components are typically updated on a roughly quarterly basis. The Horizon Cloud Service documentation page provides access to the Release Notes page which provides What's New lists for each calendar timepoint at which substantive customer-visible features have debuted.
When you deploy a new pod, that pod is always created at the manifest version that is the latest one for the current in-production service environment. As an example, if you created a new pod in August 2019, that pod was deployed with software components that were current for Horizon Cloud as of that date. Depending on how long you have been using your Horizon Cloud environment, on a given calendar date, your overall Horizon Cloud environment might include some pods that are at the latest released version and some that are at an earlier released version which are not yet updated to the latest manifest.
Microsoft Azure Terminology and References
The VMware Horizon Cloud Service on Microsoft Azure product documentation uses the applicable Microsoft Azure terminology as appropriate in the descriptions and task steps of the VMware Horizon Cloud Service on Microsoft Azure workflows. If the Microsoft Azure terminology is unfamiliar to you, you can use the following applicable references in the Microsoft Azure product documentation to learn more.
|Useful Microsoft Azure References||Description|
|Microsoft Azure glossary: A dictionary of cloud terminology on the Azure platform||Use this glossary to learn the meaning of terms as used in the Microsoft Azure cloud context, for terms such as load balancer, region, resource group, subscription, virtual machine, and virtual network (vnet).
Note: The Microsoft Azure glossary does not include the term service principal because the service principal is a resource automatically created in Microsoft Azure when an application registration is created in Microsoft Azure. The reason why you create an application registration in your Microsoft Azure subscription is because that is the way you authorize Horizon Cloud as an application to use your Microsoft Azure capacity. The application registration and its companion service principal enable the Horizon Cloud cloud service acting as an application to access resources in your Microsoft Azure subscription. Use the next reference below to learn about applications and service principals that can access resources in Microsoft Azure.
|Use portal to create an Azure Active Directory application and service principal that can access resources||
Use this article to learn about the relationship between an application and a service principal in a Microsoft Azure cloud.
|Azure Resource Manager overview||
Use this article to learn about the relationships between resources, resource groups, and the Resource Manager in Microsoft Azure.
Use this article to learn about the Azure Virtual Network (VNet) service in Microsoft Azure. See also Azure Virtual Network FAQs.
|Azure VNet Peering||
Use this article to learn about virtual network peering in Microsoft Azure.
|Hub-spoke network topology in Azure||
Use this article to learn about hub-spoke network topology in Microsoft Azure.
|Microsoft Azure ExpressRoute Overview||
Use this article to learn about Microsoft Azure ExpressRoute and how you can use it to establish connections between your on-premises networks, Microsoft Azure, and your Horizon Cloud pods.
Use these articles to learn about how to configure VPNs in Microsoft Azure.
|What is Azure Load Balancer?||
Use this article to learn about the Azure load balancers that are deployed for a pod: the load balancer for the pod manager VMs and the load balancers for the gateway configurations.
|What is Azure Database for PostgreSQL?||Use this article to learn about the Microsoft Azure Database for PostgreSQL service.|
|What is Azure Virtual Desktop?||Use this article to learn about Microsoft Azure Virtual Desktop and how it relates to Microsoft Windows 10 Enterprise multi-session and Microsoft Windows 7 Enterprise with Extended Security Updates. When your Horizon Cloud tenant account has the configuration for Horizon Cloud Service on Microsoft Azure extending Microsoft Azure Virtual Desktop, support is provided for using Microsoft Windows 10 Enterprise multi-session and Microsoft Windows 7 Enterprise with your pods deployed in Microsoft Azure.|