After you deploy your Horizon Cloud pod in a Self-managed/Transit VNet, the following entities are auto-created in CSM and NSX Manager.

Note: Auto-creation of entities is a feature of NSX-T Data Center version 3.1.1 and later only.

Horizon Cloud VMs in CSM

  • Horizon Cloud VMs can be management VMs or VDIs for end users.
  • CSM distinguishes Horizon Cloud management VMs from end-user consumable VDIs as follows:
    • The three types of Horizon Cloud management VMs – UAG, Base, and Node are labeled as Horizon Management VMs in CSM > Clouds > Azure > Instances. The Horizon Cloud administrator has complete control over the security groups assigned to these VMs in Microsoft Azure.
    • All VDIs launched in the Horizon Cloud pod, using any image with NSX Cloud enabled, are NSX-managed if they enable NSX Cloud when launched. NSX Tools are installed on such VDIs and they are managed like other managed VMs in the NSX Enforced mode. In CSM > Clouds > Azure > Instances, you can see these VDIs with the label Horizon VDI.

      See "Managing VMs in the NSX Enforced Mode" in the NSX-T Data Center Administration Guide for details.

      Also see "VMware NSX Cloud and Horizon Cloud Pods in Microsoft Azure" in the Horizon Cloud Service Product Documentation.

Horizon Cloud Entities Created in NSX Manager

NSX Manager Component Auto-created Entities Details
Inventory > Services HorizonUAGPolicyService This service allows communication between the Horizon Cloud UAG and VDIs. See this table for details: DFW Policy Auto-created for Horizon Cloud Integration under the Infrastructure category
Inventory > Services HorizonNodeVMPolicyService This service is used to allow communication from the VDIs to Horizon Cloud Management Node VMs. See this table for details: DFW Policy Auto-created for Horizon Cloud Integration under the Infrastructure category
Inventory > Groups
  • vmw-hcs-<pod-id>-base
  • vmw-hcs-<pod-id>-node
  • vmw-hcs-<pod-id>-uag
  • vmw-hcs-<pod-id>-vdi
The group definition for these groups is as follows:
  • instance-type label that Horizon Cloud applies to these VMs in Microsoft Azure.
  • Microsoft Azure ID of the Self-managed/Transit VNet that also hosts the Horizon Cloud pod.

You manage the VDIs that are included in the vmw-hcs-<id>-vdi group. The other groups are managed by Horizon Cloud.

The Horizon Cloud jumpbox VMs are grouped under vmw-hcs-<id>-node

Inventory > Virtual Machines Horizon Cloud VDIs with names provided by Horizon Cloud These are the VDIs in Horizon Cloud that are categorized as Virtual Machines in NSX Manager. All security policies and other configurations in NSX Manager are targeted towards these Virtual Machines.
Inventory > Tags
  • Tag Scope: azure:instance_type
  • Tag Values:
    • HORIZON_MGMT
    • HORIZON_BASE
    • HORIZON_UAG
    • HORIZON_VDI
These system tags are used to create groups for security policies.

Security Policy

Under Security > Distributed Firewall > Infrastructure a DFW policy is created with the name: vmw-hcs-<pod_id>-security-policy. This policy has the following Allow rules.

.
Table 1. DFW Policy Auto-created for Horizon Cloud Integration under the Infrastructure category
DFW Rule Name Source Destination Service/Ports Protocols
AllowHCSUAGToVDI Unified Access Gateway VDI HorizonUAGPolicyService

TCP (Source: Any; Destination: 22443,32111,4172,443,8443,9427)

UDP (Source: Any | Destination: 22443,4172)

TCP and UDP
AllowVDIToHCSNode VDI Node VMs HorizonNodeVMPolicyService (Source: Any; Destination: 3099,4001,4002) TCP
Note: All networking for NSX-managed VDIs within the VNet is through Microsoft Azure. NSX-T Data Center only manages traffic going out of the VNet.

See "Group VMs using NSX-T Data Center and Public Cloud Tags" in the NSX-T Data Center Administration Guide for details on discovered tags: these are tags that you apply in Microsoft Azure to your VDIs and they are visible in NSX Manager to enable tag-based grouping.