When you are using the Horizon Cloud Connector virtual appliance with your Horizon pod, you must configure your firewalls to allow the appliance to access the Domain Name Service (DNS) addresses it needs. In addition, your proxy settings must be configured with the required ports and protocols, and DNS must resolve the specific names described in this topic. Then, after the Horizon Cloud Connector virtual appliance is deployed and you have completed the steps to successfully connect the pod to Horizon Cloud, specific ports and protocols are required for ongoing operations between Horizon Cloud and the virtual appliance.

As described in "When Onboarding a Horizon Pod to Use Horizon Subscription Licenses or Cloud-Hosted Services with that Pod," the Horizon Cloud Connector virtual appliance is used with VMware Horizon deployments to activate subscription licenses on Horizon and enable use of cloud-hosted services with your Horizon deployments.

Note: (Horizon Cloud Connector 2.0 and later) Unless otherwise specified, the following DNS, port, and protocol requirements apply equally to the primary node and the worker node of the Horizon Cloud Connector appliance.

As described in "Tight Integration Within the VMware Ecosystem," you can use Horizon Cloud with other products available from the broader VMware ecosystem. Those other products might have additional DNS requirements. Such additional DNS requirements are not detailed here. For such DNS requirements, see the documentation set for the specific products that you will be integrating with your cloud-connected Horizon pod.

DNS Requirements for Pod Connectivity and Service Operations that Apply on a Tenant-Wide Basis

This section describes the DNS requirements for pod connectivity and service operations that apply on a tenant-wide basis. For Horizon Infrastructure Monitoring activation and Horizon Edge Virtual Appliance DNS requirements, see the section after this one. Because the Horizon Infrastructure Monitoring feature is activated on a per-pod basis, its DNS requirements warrant their own descriptive table.

The steps for connecting Horizon Cloud with your Horizon pod using the Horizon Cloud Connector include using a browser to navigate to the Horizon Cloud Connector appliance's IP address, where a login screen appears. Displaying that login screen requires Internet connectivity between the Horizon Cloud Connector appliance and the Horizon Cloud cloud control plane. The appliance establishes a connection to the Horizon Cloud cloud control plane initially using HTTPS, and then opens a persistent WebSocket connection, using outbound Internet port 443. For ongoing operations, the connection between the Horizon Cloud Connector appliance and Horizon Cloud requires that outbound Internet connection on port 443 to remain open at all times. You must ensure that the following Domain Name Service (DNS) names are resolvable and reachable using the specific ports and protocols listed in the following tables.

Important:

Keep in mind the following important points:

  • For all tenant accounts, reachability to DNS name cloud.horizon.vmware.com is required. Reachability to cloud.horizon.vmware.com is required in addition to reachability to the regional control plane DNS name for the region specified in your tenant account.

  • Horizon Cloud Connector uses SSL certificates signed by DigiCert, an industry-trusted certificate authority (CA). These certificates use CRL (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) queries that refer to specific DNS names on the DigiCert domain. To ensure Horizon Cloud Connector connectivity, you must configure these DNS names to be resolvable and reachable by the virtual appliance. If these DNS names are not reachable, you will not be able to access the Horizon Cloud Connector configuration portal. The specific names are determined by DigiCert, and therefore are not in VMware's control.

  • If you plan to enable Universal Broker for use with the pod, there are connectivity requirements in addition to the DNS names. For details, see System Requirements for Universal Broker and its related topics.

Your Welcome to Horizon Service email will indicate which regional control plane instance your tenant account was created in. Due to a known issue that existed when the welcome email was sent to you, the email you received might display the system string names used for the regions instead of human-friendly names. If you see a system string name in your welcome email, you can use the following table to relate what is shown in your email with the regional control plane DNS names.

Table 1. Regions in Your Welcome Email Mapped to Regional Control Plane DNS Names
| Your welcome email says | Regional DNS Name |
| --- | --- |
| USA | cloud.horizon.vmware.com |
| EU_CENTRAL_1 or Europe | cloud-eu-central-1.horizon.vmware.com |
| AP_SOUTHEAST_2 or Australia | cloud-ap-southeast-2.horizon.vmware.com |
| PROD1_NORTHCENTRALUS2_CP1 or USA-2 | cloud-us-2.horizon.vmware.com |
| PROD1_NORTHEUROPE_CP1 or Europe-2 | cloud-eu-2.horizon.vmware.com |
| PROD1_AUSTRALIAEAST_CP1 or Australia-2 | cloud-ap-2.horizon.vmware.com |
| Japan | cloud-jp.horizon.vmware.com |
| UK | cloud-uk.horizon.vmware.com |
| Europe-3 | cloud-de.horizon.vmware.com |

Source: Horizon Cloud Connector

Destination (DNS name): cloud.horizon.vmware.com plus one of the following names, depending on which regional control plane instance is specified in your Horizon Cloud tenant account. The regional instance is set when the account is created, as described in "Deployments and Onboarding to Horizon Cloud for Microsoft Azure and Horizon Pods."

  • cloud-us-2.horizon.vmware.com
  • cloud-eu-central-1.horizon.vmware.com
  • cloud-eu-2.horizon.vmware.com
  • cloud-ap-southeast-2.horizon.vmware.com
  • cloud-ap-2.horizon.vmware.com
  • cloud-jp.horizon.vmware.com
  • cloud-uk.horizon.vmware.com
  • cloud-de.horizon.vmware.com

Port: 443

Protocol: TCP

Purpose: Regional control plane instance.

Note: In addition to the regional instance as stated below, reachability to cloud.horizon.vmware.com is required by Horizon Cloud Connector for all tenant accounts.

  • United States: cloud.horizon.vmware.com, cloud-us-2.horizon.vmware.com
  • Europe: cloud-eu-central-1.horizon.vmware.com, cloud-eu-2.horizon.vmware.com
  • Asia Pacific: cloud-ap-southeast-2.horizon.vmware.com, cloud-ap-2.horizon.vmware.com
  • Japan: cloud-jp.horizon.vmware.com
  • United Kingdom: cloud-uk.horizon.vmware.com
  • Germany: cloud-de.horizon.vmware.com

Note: (Horizon Cloud Connector 2.0) This requirement applies to the primary node only.

Source: Horizon Cloud Connector

Destination (DNS name): Depending on which regional control plane is specified in your Horizon Cloud account:

  • North America: kinesis.us-east-1.amazonaws.com
  • Europe, Germany: kinesis.eu-central-1.amazonaws.com
  • Australia: kinesis.ap-southeast-2.amazonaws.com
  • Japan: kinesis.ap-northeast-1.amazonaws.com
  • United Kingdom: kinesis.eu-west-2.amazonaws.com

Port: 443

Protocol: TCP

Purpose: Cloud Monitoring Service (CMS)

Source: Horizon Cloud Connector

Destination (DNS name): *.digicert.com

If your organization discourages the use of wildcards in allowable DNS names, you can allow specific names instead. For example, at the time of this writing, the specific DNS names required for certificate validation are:

  • ocsp.digicert.com
  • crl3.digicert.com
  • crl4.digicert.com
  • www.digicert.com/CPS

These DNS names are determined by DigiCert and subject to change. For instructions on how to obtain the specific names required by your certificates, refer to VMware Knowledge Base (KB) article 79859.

Port: 80, 443

Protocol: HTTP, HTTPS

Purpose: CRL or OCSP queries used to obtain validation from the certificate authority, DigiCert

Source: Horizon Cloud Connector

Destination (DNS name): One of the following names, depending on which regional control plane instance is specified in your Horizon Cloud tenant account. The regional instance is set when the account is created, as described in "Deployments and Onboarding to Horizon Cloud for Microsoft Azure and Horizon Pods."

  • connector-azure-us.vmwarehorizon.com
  • connector-azure-eu.vmwarehorizon.com
  • connector-azure-aus.vmwarehorizon.com
  • connector-azure-jp.vmwarehorizon.com
  • connector-azure-uk.vmwarehorizon.com
  • connector-azure-de.vmwarehorizon.com

Port: 443

Protocol: TCP

Purpose: Regional instance of the Universal Broker service

  • United States: connector-azure-us.vmwarehorizon.com
  • Europe: connector-azure-eu.vmwarehorizon.com
  • Australia: connector-azure-aus.vmwarehorizon.com
  • Japan: connector-azure-jp.vmwarehorizon.com
  • United Kingdom: connector-azure-uk.vmwarehorizon.com
  • Germany: connector-azure-de.vmwarehorizon.com

Source: Horizon Cloud Connector

Destination (DNS name): hydra-softwarelib-cdn.azureedge.net

Port: 443

Protocol: TCP

Purpose: Used to download the necessary OVF and VMDK files from the CDN repository during automatic updates of the Horizon Cloud Connector.
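A preflight check for the tenant-wide requirements above, written as an added example (not VMware code): it builds the destination list for one regional control plane and reports every name that fails to resolve or connect. The pairing of each regional DNS name with a Kinesis region and Universal Broker name is this example's reading of the region labels, the function names are hypothetical, and direct egress without a proxy is assumed.

```python
import socket

# Regional control plane DNS name (Table 1) -> (Kinesis region, Universal Broker suffix).
# Pairing the page's region labels this way is this example's assumption.
REGIONS = {
    "cloud.horizon.vmware.com": ("us-east-1", "us"),
    "cloud-us-2.horizon.vmware.com": ("us-east-1", "us"),
    "cloud-eu-central-1.horizon.vmware.com": ("eu-central-1", "eu"),
    "cloud-eu-2.horizon.vmware.com": ("eu-central-1", "eu"),
    "cloud-ap-southeast-2.horizon.vmware.com": ("ap-southeast-2", "aus"),
    "cloud-ap-2.horizon.vmware.com": ("ap-southeast-2", "aus"),
    "cloud-jp.horizon.vmware.com": ("ap-northeast-1", "jp"),
    "cloud-uk.horizon.vmware.com": ("eu-west-2", "uk"),
    "cloud-de.horizon.vmware.com": ("eu-central-1", "de"),
}
# Hosts behind the specific DigiCert names listed above (subject to change).
DIGICERT = ["ocsp.digicert.com", "crl3.digicert.com", "crl4.digicert.com", "www.digicert.com"]

def required_endpoints(regional_name):
    """Build the tenant-wide (host, port) list for one regional control plane."""
    kinesis, broker = REGIONS[regional_name]
    endpoints = {(h, 443) for h in (
        "cloud.horizon.vmware.com", regional_name,
        f"kinesis.{kinesis}.amazonaws.com",
        f"connector-azure-{broker}.vmwarehorizon.com",
        "hydra-softwarelib-cdn.azureedge.net")}
    endpoints |= {(h, p) for h in DIGICERT for p in (80, 443)}
    return sorted(endpoints)

def tcp_probe(host, port, timeout=5.0):
    """Return None if a TCP connection succeeds, else 'dns: ...' or 'tcp: ...'."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return None
    except socket.gaierror as exc:  # the name did not resolve
        return f"dns: {exc}"
    except OSError as exc:          # resolved, but refused, filtered or timed out
        return f"tcp: {exc}"

def preflight(regional_name, probe=tcp_probe):
    """Map each blocked (host, port) to the reason the probe reported."""
    results = ((ep, probe(*ep)) for ep in required_endpoints(regional_name))
    return {ep: why for ep, why in results if why}

if __name__ == "__main__":
    for (host, port), why in preflight("cloud-eu-2.horizon.vmware.com").items():
        print(f"BLOCKED {host}:{port} -> {why}")
```

Run it from the network segment where the appliance sits. A successful TCP connect shows only that the name resolves and the port is open; it does not exercise the persistent WebSocket connection on port 443.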

DNS Requirements to Support Advanced Features

To support certain advanced features such as Horizon Infrastructure Monitoring, the Horizon Cloud Connector appliance must be able to reach the DNS entries described in the following table. For more information, see "Horizon Infrastructure Monitoring and the Pods in Your Horizon Cloud Environment."

Source: Horizon Cloud Connector

Destination (DNS name): Both of the following:

  • *.blob.core.windows.net
  • horizonedgeprod.azurecr.io

Port: 443

Protocol: TCP

Purpose: Used for programmatic access to the Azure Blob Storage. Used to download the Docker images from those DNS addresses that the appliance's edge module requires.

Source: Horizon Cloud Connector

Destination (DNS name): *.azure-devices.net, or one of the region-specific names below, depending on which regional control plane applies to your tenant account:

  • North America: edgehubprodna.azure-devices.net
  • Europe: edgehubprodeu.azure-devices.net
  • Australia: edgehubprodap.azure-devices.net
  • Japan: edgehubprodjp.azure-devices.net

Port: 443

Protocol: TCP

Purpose: Used to connect the appliance to the Horizon Cloud control plane, to download configurations for the appliance's edge module, and to update the edge module's runtime status.

Source: Horizon Cloud Connector

Destination (DNS name): Depending on which regional control plane applies to your tenant account:

  • North America: kinesis.us-east-1.amazonaws.com
  • Europe, Germany: kinesis.eu-central-1.amazonaws.com
  • Australia: kinesis.ap-southeast-2.amazonaws.com
  • Japan: kinesis.ap-northeast-1.amazonaws.com
  • United Kingdom: kinesis.eu-west-2.amazonaws.com

Port: 443

Protocol: TCP

Purpose: Used to send the pod monitoring data collected by the appliance to the Horizon Cloud control plane.

Ports and Protocols Required by the Horizon Cloud Connector Virtual Appliance

For ongoing operations between Horizon Cloud Connector and Horizon Cloud, the ports and protocols in the following table are required.

Table 2. Horizon Cloud Connector Ports

| Source | Target | Port | Protocol | Description |
| --- | --- | --- | --- | --- |
| Horizon Cloud Connector | Horizon Cloud | 443 | HTTPS | Used to pair the Horizon Cloud Connector with Horizon Cloud and transfer data. |
| Horizon Cloud Connector | Connection Server | 443 | HTTPS | API calls to Connection Server. |
| Horizon Cloud Connector | Connection Server | 4002 | TCP | Java Message Service (JMS) communication between the Cloud Connector and the Connection Server |
| New version of the Horizon Cloud Connector appliance | Existing version of the Horizon Cloud Connector appliance | 22 | SSH | Listen for requests to start the update process. |
| Web browser | Horizon Cloud Connector | 443 | HTTPS | Listen for the initiation of the pairing process. |
| Cloud Monitoring Service agent in the desktop or server VMs that are from the cloud-connected Horizon pod on your network | Horizon Cloud Connector appliance | 11002 | TCP | For the Cloud Monitoring Service agent on a server or desktop VM to send data to the Horizon Cloud Connector |
| Horizon Cloud Connector | SDK endpoint of the vCenter Server, for example: https://<FQDN of vCenter Server>/sdk | 443 | TCP | This optional port configuration is required for use by the automated update feature. The automated update feature is deactivated by default and is only enabled on a per-pod basis by request. See "Configure Automated Updates of the Horizon Cloud Connector Virtual Appliance." |
| Horizon Cloud Connector | SDK endpoint of the vCenter Server, for example: https://<FQDN of vCenter Server>/sdk | 443 | HTTPS | This optional port configuration is required for use by the Horizon Image Management Service. You only need to configure this port and protocol if the Horizon Image Management Service feature is enabled for your tenant account. See "Managing Horizon Images from the Cloud." |