Before you log in to the Horizon Cloud Administration Console and run the node deployment wizard for the first time, you must perform these preparatory tasks.

  1. Fulfill the prerequisites described in the separate prerequisites checklist document, especially:

    • Ensure your Microsoft Azure account and subscription encompasses the node's required number and sizes of virtual machines. See Microsoft Azure Virtual Machine Requirements for a Horizon Cloud Node.

    • Ensure a virtual network (VNet) exists in the region in which you are going to deploy the node and that virtual network meets the requirements for a Horizon Cloud node. If you do not have an existing VNet, create one that meets the requirements. See Configure the Required Virtual Network in Microsoft Azure.


      Not all Microsoft Azure regions support GPU-enabled virtual machines. If you want to use the node for GPU-capable desktops or remote applications, ensure that the Microsoft Azure region you select for the node provides for those NV-series VM types that you want to use and which are supported in this Horizon Cloud release. See the Microsoft documentation at for details.

    • If you want to manually create the subnets for the node on your VNet in advance of deploying the node, ensure that the required number of subnets is created on your VNet, that their address spaces meet the node's requirements, and that they are empty of resources. Optionally Create the Node's Required Subnets on your VNet in Microsoft Azure.


      These subnets you create on your VNet for a node deployment must be empty. You can create the subnets prior to deploying the node, but do not put any resources on those subnets or otherwise use any of the IP addresses. If an IP address is already in use on the subnets, the node might fail to deploy.

      If you do not want to create the subnets in advance, the node deployment process will create them using the CIDR information you enter into the on-screen wizard.

    • Ensure that virtual network is configured to point to a valid Domain Name Services (DNS) server that is resolving external names. See Configure the Virtual Network's DNS Server.


      The node deployment process requires external and internal name resolution. If the VNet points to a DNS server that cannot resolve external names, the deployment process will fail.

    • Ensure you have an Active Directory setup that is supported for use with this release, your virtual network can reach it, and the DNS server can resolve its name. See Active Directory Domain Configurations.

  2. Create a service principal and get your Microsoft Azure subscription ID, application ID, application authentication key, and Microsoft Azure AD Directory ID. These resources are used by Horizon Cloud to perform its operations on your Microsoft Azure environment. For detailed steps, see Create the Required Service Principal by Creating an Application Registration.


    The service principal must have the Contributor role, and not the Owner role. Even though you might think having the Owner role is good enough to use, as a superset of the Contributor role privileges, the node deployment process specifically requires the Contributor role. The wizard will block you from continuing to the next step if the service provider has any role other than Contributor. The reason for requiring the specific Contributor role is so that you do not give the node the fullest level of permissions in your subscription. The idea is to give the node only as much access to your Microsoft Azure environment as needed for Horizon Cloud operations. The Microsoft Azure role-based access control (RBAC) provides the Contributor role for the purpose of creating and managing resources in your subscription, which is the level of permissions that Horizon Cloud needs. For details, see Built-in roles for Azure role-based access control in the Microsoft Azure documentation.

  3. If you are deploying the node with a Unified Access Gateway configuration, obtain the signed TLS/SSL server certificate that can allow your end users' clients to trust connections to the desktops and remote applications. This certificate should match your FQDN that your end users will use in their clients and be signed by a trusted Certificate Authority (CA). Also, all certificates in the certificate chain must have valid time frames, including any intermediate certificates. If any certificate in the chain is expired, unexpected failures can occur later in the node onboarding process.

    Unified Access Gateway presents your CA-signed certificate, so that the end users' clients can trust the connections. To support trusted access from the Internet, you use an external Unified Access Gateway configuration deployed as part of the node deployment process. To support trusted access within your corporate network, you use an internal Unified Access Gateway configuration. Both configuration types can be deployed during the initial node deployment process.


    This FQDN cannot contain underscores. In this release, connections to the Unified Access Gateway instances will fail when the FQDN contains underscores.

  4. If your signed SSL server certificate that you will use with the Unified Access Gateway configuration is not in PEM format or is not a single PEM file containing the full entire certificate chain with the private key, convert the certificate information to the required PEM format. See the steps in Convert a Certificate File to the PEM Format Required for Node Deployment.

  5. Obtain a My VMware account and register for Horizon Cloud, if you are not already registered for it.

After you have completed those preparatory tasks, log in to the Horizon Cloud Administration Console at using your My VMware account. After logging in, you'll see the Add Cloud Capacity area on the screen and can click Add to start the node deployment wizard. Complete the wizard by entering the required information in each screen. For detailed steps, see Deploy a Node for VMware Horizon Cloud Service on Microsoft Azure.


Login authentication into the Horizon Cloud Administration Console relies on My VMware account credentials. If the My VMware account system is experiencing a system outage and cannot take authentication requests, you will not be able to log in to the Administration Console during that time period. If you encounter issues logging in to the Administration Console's first login screen, check the Horizon Cloud System Status page at to see the latest system status. On that page, you can also subscribe to receive updates.