Before you log in to the Horizon Cloud Administration Console and run the node deployment wizard for the first time, you must perform these preparatory tasks.

  1. Fulfill the prerequisites described in the separate prerequisites checklist document, especially:

    • Ensure your Microsoft Azure account and subscription encompasses the node's required number and sizes of virtual machines. See Microsoft Azure Virtual Machine Requirements for a Horizon Cloud Node.

    • Ensure a virtual network exists in the region in which you are going to deploy the node and that virtual network meets the requirements for a Horizon Cloud node. If you do not have an existing virtual network, create one that meets the requirements. See Configure the Required Virtual Network in Microsoft Azure.


      Do not create the management and tenant subnets in advance on the VNet you create. The node deployment process creates those subnets using the CIDR information you enter into the on-screen wizard. If you create the subnets in advance, the node deployment wizard will flag an error and block further advancement in the wizard.


      Not all Microsoft Azure regions support GPU-enabled virtual machines. If you want to use the node for GPU-capable desktops or remote applications, ensure that the Microsoft Azure region you select for the node provides for those NV-series VM types that you want to use and which are supported in this Horizon Cloud release. See the Microsoft documentation at for details.

    • Ensure that virtual network is configured to point to a valid Domain Name Services (DNS) server that is resolving external names. See Configure the Virtual Network's DNS Server.


      The node deployment process requires external and internal name resolution. If the VNet points to a DNS server that cannot resolve external names, the deployment process will fail.

    • Ensure you have an Active Directory setup that is supported for use with this release, your virtual network can reach it, and the DNS server can resolve its name. See Active Directory Domain Configurations.

  2. Create a service principal and get your Microsoft Azure subscription ID, application ID, application authentication key, and Microsoft Azure AD Directory ID. These resources are used by Horizon Cloud to perform its operations on your Microsoft Azure environment. For detailed steps, see Create the Required Service Principal by Creating an Application Registration.


    The service principal must have the Contributor role, and not the Owner role. Even though you might think having the Owner role is good enough to use, as a superset of the Contributor role privileges, the node deployment process specifically requires the Contributor role. The wizard will block you from continuing to the next step if the service provider has any role other than Contributor. The reason for requiring the specific Contributor role is so that you do not give the node the fullest level of permissions in your subscription. The idea is to give the node only as much access to your Microsoft Azure environment as needed for Horizon Cloud operations. The Microsoft Azure role-based access control (RBAC) provides the Contributor role for the purpose of creating and managing resources in your subscription, which is the level of permissions . For details, see Built-in roles for Azure role-based access control in the Microsoft Azure documentation.

  3. If you want to have Internet-enabled desktops, so that users outside of your corporate network can access them, obtain the signed TLS/SSL server certificate that can allow your end users' clients to trust connections to the desktops. This certificate should match your FQDN that your end users will use in their clients and be signed by a trusted Certificate Authority (CA).

    To support desktops and applications that users can access from the Internet, Unified Access Gateway is deployed as part of the node deployment process. Unified Access Gateway presents your CA-signed certificate, so that the clients can trust the connections.


    This FQDN cannot contain underscores. In this release, connections to the Unified Access Gateway instances will fail when the FQDN contains underscores.

  4. If your signed SSL server certificate that you will use with the node's Unified Access Gateway is not in PEM format or is not a single PEM file containing the full entire certificate chain with the private key, convert the certificate information to the required PEM format. See the steps in Convert a Certificate File to the PEM Format Required for Node Deployment.

  5. Obtain a My VMware account and register for Horizon Cloud, if you are not already registered for it.

After you have completed those preparatory tasks, log in to the Horizon Cloud Administration Console at using your My VMware account. After logging in, you'll see the Add Cloud Capacity area on the screen and can click Add to start the node deployment wizard. Complete the wizard by entering the required information in each screen. For detailed steps, see Deploy a Node for VMware Horizon Cloud Service on Microsoft Azure.


Login authentication into the Horizon Cloud Administration Console relies on My VMware account credentials. If the My VMware account system is experiencing a system outage and cannot take authentication requests, you will not be able to log in to the Administration Console during that time period. If you encounter issues logging in to the Administration Console's first login screen, check the Horizon Cloud System Status page at to see the latest system status. On that page, you can also subscribe to receive updates.