You must have a subscription for cloud capacity in Microsoft Azure and then bring that subscription information to pair that cloud capacity with Horizon Cloud. You use the Horizon Universal Console to stand up the deployment in that subscription and create golden images. From those images, you provision remote apps and single-session and multi-session desktops to your end users to securely access from any device.

The deployment creates what is called a Horizon Cloud pod. The remote apps and single-session and multi-session desktops are provisioned from that pod using the capacity in your Microsoft Azure subscription. You choose where the desktops and applications reside, based on the location of the deployed pod.

For the overall introduction to Horizon Cloud, see Introduction to the Service. For the suggested workflow of activities for your first Horizon Cloud pod deployment, see Horizon Cloud Pod - First Pod Onboarding - High-Level Workflow.

The Deployed Horizon Cloud Pod

The pod deployed by Horizon Cloud into Microsoft Azure has a physical regional location in a Microsoft Azure cloud. In the pod deployment wizard, you select where to place the pod, according to the regions available for your particular Microsoft Azure subscription. You also select an existing virtual network (VNet) that the pod will use in your selected region. You have the option to deploy an external gateway configuration with the pod, with that external gateway's resources deployed either into the same VNet as the pod or into a separate VNet that is peered with the pod's VNet.
Note: You preconfigure your Microsoft Azure environment with the pod VNet (and with the external gateway VNet if using that configuration option). You can either create in advance those subnets that the pod and external gateway configuration require, or let the pod deployer create the subnets during deployment. If you do not create the subnets in advance, the pod deployer creates the subnets as it deploys the required VMs and resources into your environment. If you choose to have the pod deployer create its required subnets, you have to know what IP address spaces you want to use for the pod's subnets before you start the deployment wizard. If you choose to create the subnets in advance, you must ensure they meet certain requirements before you start the deployment process. For details about requirements when you create the subnets in advance, see First-Gen Tenants - In Advance of Pod Deployment, Create the Horizon Cloud Pod's Required Subnets on your VNet in Microsoft Azure and First-Gen Tenants - When Using Existing Subnets for a Horizon Cloud Pod in Microsoft Azure.
Important: This pod in Microsoft Azure is not a tenant. This pod does not adhere to the exact same set of characteristics that defines a tenant and which you would expect from a tenant. For example, even though a tenant would have a one-to-one mapping to an Active Directory domain and be isolated from other tenants, all of the Horizon Cloud pods in Microsoft Azure that are deployed using the same Horizon Cloud customer account record need to be able to reach the same Active Directory servers and the DNS configuration needs to resolve all of those Active Directory domains.

To do multi-tenancy, you would set up multiple Horizon Cloud customer account records. The Horizon Cloud customer account record, which is created when you registered with VMware to use the Horizon Cloud Service and is associated with your VMware Customer Connect credentials, is more like a tenant. A Horizon Cloud customer account record is isolated from other Horizon Cloud customer account records. A single customer account record maps to multiple pods, and when someone uses any of the account credentials associated with that customer account record to log in to the administrative console, the console reflects all of the pods that are mapped to that customer account record.

The pod deployment process automatically creates a set of resource groups in your Microsoft Azure capacity. Resource groups are used to organize the assets that the environment needs and creates, such as:

  • VMs for the pod manager instances.
  • VMs for the Unified Access Gateway instances and their load balancers
  • VM for the connector VM in the external gateway configuration when you deploy that configuration in a VNet separate from the pod's VNet
  • VMs for the RDSH-capable golden images
  • VMs for the VDI desktop golden images
  • VMs for the assignable (published, sealed) images that are made from the golden images
  • VMs for the RDSH farms that provide the RDSH desktops and remote applications
  • VMs for the VDI desktops
  • Additional assets that the VMs and the environment require for supported operations, such as network interfaces, IP addresses, disks, key vaults, Microsoft Azure Database for PostgreSQL server resource, and various items along those lines. The pod deployment process can create the required virtual subnets also, using the values you specify in the deployment wizard.

All of the resource groups created by Horizon Cloud in your Microsoft Azure environment are named using the prefix vmw-hcs.

Caution: Do not manually modify or delete the pod-related resources using the Microsoft Azure portal except for:
  • Manual creation of golden images.
  • Modifying farm and VDI desktop assignment network security groups as need to configure ports for your business circumstances.

Horizon Cloud automatically configures the pod-related resources to ensure the pod operates as designed. Never manually change settings for the resources that Horizon Cloud automatically creates and deploys during workflows, including assigned IP addresses or names, and so on. Never manually power off VM instances or delete them directly using the Microsoft Azure portal. Never manually delete the manager VM or Unified Access Gateway VMs. Never manually delete NICs from the resource groups, especially from the Unified Access Gateway resource groups. If you change the generated settings or manually power off VMs or manually delete VMs or NICs that were created by the pod deployer, unpredictable results can occur and pod operations, pod updates, and pod deletion operations might encounter failures.

The following diagram illustrates a deployed pod which has both the external and internal types of gateway configurations, and where the external gateway resides in the same VNet as the pod itself. In this diagram, RG means resource group.

The Unified Access Gateway instances in the external gateway configuration have NICs on the demilitarized (DMZ) network. With an external gateway configuration, you can have your end users located in the Internet, outside your corporate network, accessing their pod-provisioned virtual desktops and applications through that configuration. With an internal gateway configuration, you can have your end users located in your intranet, inside your corporate network, making trusted connections to their pod-provisioned virtual desktops and applications through that gateway.

The pod deployer provides the option to deploy the pod with both configurations up front. Alternatively, you can deploy the pod with only one gateway configuration or with none at all, and edit the deployed pod to add the non-chosen gateway configuration later. You can also deploy the pod initially without either type and add on later.

The system deploys the pod with high availability, having two pod manager VMs by default.

Figure 1. Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations

Architecture illustration of the pod's resource groups, VMs, and subnets for a pod that has both types of Unified Access Gateway configurations, with the external gateway residing in the same VNet as the pod.

The following diagram illustrates the resources that are deployed when you choose the option to have the external gateway residing in its own VNet, separate from the pod's VNet. The two VNets must be peered. This diagram also applies when you choose the option to have the external gateway's resources deployed using a Microsoft Azure subscription that is different than the one used for the pod. Because VNets cannot cross subscriptions, choosing to deploy the external gateway into its own subscription is a subset of choosing the external gateway to reside in its own VNet.

Tip: Deploying the external gateway configuration into its own VNet gives you the ability to deploy these Horizon Cloud pods into complex Microsoft Azure environments that use hub-spoke network topology in Microsoft Azure.
Figure 2. Illustration of the External Gateway's Architecture Elements When the External Gateway is Deployed into Its Own VNet, Separate from the Pod's VNet

Architecture illustration of an external gateway's elements when the external gateway is deployed into its own VNet. In this case, there is a Connector VM with a NIC to the VNet's management subnet, along with the standard elements for the external gateway itself.

Subscriptions and Number of Pods

Be mindful about the number of pods you deploy into a single subscription, especially if you plan to have each pod running at a large scale. Even though multiple pods can be deployed into a single Microsoft Azure subscription, whether all into one region or spread across multiple regions, Microsoft Azure imposes certain limits within a single subscription. Because of those Microsoft Azure limits, deployment of a large number of pods into a single subscription increases the likelihood of hitting those limits. Numerous variables, and combinations of those variables, are involved in reaching those limits, such as the number of pods, the number of farms and assignments within each pod, the number of farm RDSH VMs within each pod, the number of desktops within each assignment, and so on.

If you plan to have pods running at a large scale, consider adopting the approach of having multiple subscriptions with those multiple subscriptions under one Microsoft Azure account. Microsoft Azure customers use this approach, and often prefer it, because it provides some benefits for ongoing management of the subscriptions. Using this approach, you would deploy a single pod per subscription, roll up those subscriptions in a single primary account, and avoid the chances of hitting the Microsoft Azure limits that are imposed on a single subscription.

When You Have Existing Pods That Were Deployed Prior to This Current Horizon Cloud Release

As described in Horizon Cloud Pods - Maintenance and Updates, VMware updates the Horizon Cloud software components periodically to include new features and bug fixes. The in-cloud management environment is updated on a weekly basis and the binaries that are the basis of the pod software components are typically updated on a roughly quarterly basis. The Horizon Cloud Service documentation page provides access to the Release Notes page which provides What's New lists for each calendar timepoint at which substantive customer-visible features have debuted.

When you deploy a new pod, that pod is always created at the manifest version that is the latest one for the current in-production service environment. As an example, if you created a new pod in August 2019, that pod was deployed with software components that were current for Horizon Cloud as of that date. Depending on how long you have been using your Horizon Cloud environment, on a given calendar date, your overall Horizon Cloud environment might include some pods that are at the latest released version and some that are at an earlier released version which are not yet updated to the latest manifest.

Important: In general, the content in this Administration Guide describes features, workflows, and behaviors that are available in the current in-production release and which are applicable when your pod is at the latest pod manifest version which was made available in this current release. The cloud-based console in which you perform management and administrative tasks is dynamic. The console's Web-based interface will typically display messages when an area or action in the console requires upgrading the pod to use that feature. For a pod that existed prior to this release, some workflows might require different steps than are described in this Administration Guide. For a list of workflows in this release that are now different for pods at the latest manifest version, if any, see the documentation topic For Current Customers with Existing Cloud-Connected Pods — About Horizon Cloud Releases and the sections it contains.

Microsoft Azure Terminology and References

The VMware Horizon Cloud Service on Microsoft Azure product documentation uses the applicable Microsoft Azure terminology as appropriate in the descriptions and task steps of the VMware Horizon Cloud Service on Microsoft Azure workflows. If the Microsoft Azure terminology is unfamiliar to you, you can use the following applicable references in the Microsoft Azure product documentation to learn more.

Note: All capitalization and spelling in the citations below follow the same capitalization and spelling found in the linked-to articles in the Microsoft Azure documentation itself.
Useful Microsoft Azure References Description
Microsoft Azure glossary: A dictionary of cloud terminology on the Azure platform Use this glossary to learn the meaning of terms as used in the Microsoft Azure cloud context, for terms such as load balancer, region, resource group, subscription, virtual machine, and virtual network (vnet).
Note: The Microsoft Azure glossary does not include the term service principal because the service principal is a resource automatically created in Microsoft Azure when an application registration is created in Microsoft Azure. The reason why you create an application registration in your Microsoft Azure subscription is because that is the way you authorize Horizon Cloud as an application to use your Microsoft Azure capacity. The application registration and its companion service principal enable the Horizon Cloud cloud service acting as an application to access resources in your Microsoft Azure subscription. Use the next reference below to learn about applications and service principals that can access resources in Microsoft Azure.
Use portal to create an Azure Active Directory application and service principal that can access resources

Use this article to learn about the relationship between an application and a service principal in a Microsoft Azure cloud.

Azure Resource Manager overview

Use this article to learn about the relationships between resources, resource groups, and the Resource Manager in Microsoft Azure.

Azure VNet

Use this article to learn about the Azure Virtual Network (VNet) service in Microsoft Azure. See also Azure Virtual Network FAQs.

Azure VNet Peering

Use this article to learn about virtual network peering in Microsoft Azure.

Hub-spoke network topology in Azure

Use this article to learn about hub-spoke network topology in Microsoft Azure.

Microsoft Azure ExpressRoute Overview

Use this article to learn about Microsoft Azure ExpressRoute and how you can use it to establish connections between your on-premises networks, Microsoft Azure, and your Horizon Cloud pods.

About VPN Gateway

Planning and design for VPN Gateway

Create a Site-To-Site connection in the Azure portal

Use these articles to learn about how to configure VPNs in Microsoft Azure.

What is Azure Load Balancer?

Use this article to learn about the Azure load balancers that are deployed for a pod: the load balancer for the pod manager VMs and the load balancers for the gateway configurations.

What is Azure Database for PostgreSQL? Use this article to learn about the Microsoft Azure Database for PostgreSQL service.
What is Azure Virtual Desktop? Use this article to learn about Microsoft Azure Virtual Desktop and how it relates to Microsoft Windows 10 Enterprise multi-session and Microsoft Windows 7 Enterprise with Extended Security Updates. When your Horizon Cloud tenant account has the configuration for Horizon Cloud Service on Microsoft Azure extending Microsoft Azure Virtual Desktop, support is provided for using Microsoft Windows 10 Enterprise multi-session and Microsoft Windows 7 Enterprise with your pods deployed in Microsoft Azure.