After you deploy your Horizon Cloud pod in a Self-managed/Transit VNet, the following entities are auto-created in CSM and NSX Manager.
Horizon Cloud VMs in CSM
- Horizon Cloud VMs can be management VMs or VDIs for end users.
- CSM distinguishes Horizon Cloud management VMs from end-user consumable VDIs as follows:
  - The three types of Horizon Cloud management VMs – UAG, Base, and Node – are labeled as Horizon Management VMs in . The Horizon Cloud administrator has complete control over the security groups assigned to these VMs in Microsoft Azure.
  - All VDIs launched in the Horizon Cloud pod, using any image with NSX Cloud enabled, are NSX-managed if they enable NSX Cloud when launched. NSX Tools are installed on such VDIs and they are managed like other managed VMs in the NSX Enforced mode. In , you can see these VDIs with the label Horizon VDI.
See "Managing VMs in the NSX Enforced Mode" in the NSX-T Data Center Administration Guide for details.
Also see "VMware NSX Cloud and Horizon Cloud Pods in Microsoft Azure" in the Horizon Cloud Service Product Documentation.
Horizon Cloud Entities Created in NSX Manager
| NSX Manager Component | Auto-created Entities | Details |
|---|---|---|
| | HorizonUAGPolicyService | This service allows communication between the Horizon Cloud UAG and VDIs. See this table for details: DFW Policy Auto-created for Horizon Cloud Integration under the Infrastructure category |
| | HorizonNodeVMPolicyService | This service is used to allow communication from the VDIs to Horizon Cloud Management Node VMs. See this table for details: DFW Policy Auto-created for Horizon Cloud Integration under the Infrastructure category |
| | | The group definition for these groups is as follows: You manage the VDIs that are included in the vmw-hcs-<id>-vdi group. The other groups are managed by Horizon Cloud. The Horizon Cloud jumpbox VMs are grouped under vmw-hcs-<id>-node. |
| | Horizon Cloud VDIs with names provided by Horizon Cloud | These are the VDIs in Horizon Cloud that are categorized as Virtual Machines in NSX Manager. All security policies and other configurations in NSX Manager are targeted towards these Virtual Machines. |
| | | These system tags are used to create groups for security policies. |
Security Policy
Under the Infrastructure category, a DFW policy is created with the name vmw-hcs-<pod_id>-security-policy. This policy has the following Allow rules.
DFW Rule Name | Source | Destination | Service/Ports | Protocols |
---|---|---|---|---|
AllowHCSUAGToVDI | Unified Access Gateway | VDI | HorizonUAGPolicyService TCP (Source: Any; Destination: 22443,32111,4172,443,8443,9427) UDP (Source: Any; Destination: 22443,4172) | TCP and UDP |
AllowVDIToHCSNode | VDI | Node VMs | HorizonNodeVMPolicyService (Source: Any; Destination: 3099,4001,4002) | TCP |
See "Group VMs using NSX-T Data Center and Public Cloud Tags" in the NSX-T Data Center Administration Guide for details on discovered tags: these are tags that you apply in Microsoft Azure to your VDIs and they are visible in NSX Manager to enable tag-based grouping.
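The two Allow rules listed above can serve as a baseline for detecting drift in the auto-created policy, such as a widened source or an extra port. The following is an added example, not VMware code: the rule dictionaries use a simplified, hypothetical format (not the NSX Manager API schema), and `BASELINE`, `audit_policy` and `SAMPLE` are names introduced here.

```python
# Baseline copied from the Allow rules table on this page.
# The rule format is a simplified, hypothetical structure for illustration,
# not the NSX Manager API schema.
BASELINE = {
    "AllowHCSUAGToVDI": {
        "source": "Unified Access Gateway", "destination": "VDI",
        "ports": {"TCP": {22443, 32111, 4172, 443, 8443, 9427},
                  "UDP": {22443, 4172}},
    },
    "AllowVDIToHCSNode": {
        "source": "VDI", "destination": "Node VMs",
        "ports": {"TCP": {3099, 4001, 4002}},
    },
}

def audit_policy(rules):
    """Return findings where `rules` differs from the documented baseline."""
    findings, seen = [], set()
    for rule in rules:
        name = rule["name"]
        base = BASELINE.get(name)
        if base is None:
            findings.append(f"{name}: rule not in documented baseline")
            continue
        seen.add(name)
        if rule.get("action", "").upper() != "ALLOW":
            findings.append(f"{name}: action is {rule.get('action')!r}, expected ALLOW")
        for side in ("source", "destination"):
            if rule[side] != base[side]:
                findings.append(f"{name}: {side} is {rule[side]!r}, expected {base[side]!r}")
        # Compare port sets per protocol, including protocols only one side has.
        for proto in sorted(set(base["ports"]) | set(rule["ports"])):
            want = base["ports"].get(proto, set())
            have = set(rule["ports"].get(proto, ()))
            if have - want:
                findings.append(f"{name}: extra {proto} ports {sorted(have - want)}")
            if want - have:
                findings.append(f"{name}: missing {proto} ports {sorted(want - have)}")
    for name in sorted(set(BASELINE) - seen):
        findings.append(f"{name}: documented rule is absent")
    return findings

# Constructed sample: rule 1 has source "Any" and an extra TCP port; rule 2 lost 4002.
SAMPLE = [
    {"name": "AllowHCSUAGToVDI", "action": "ALLOW", "source": "Any", "destination": "VDI",
     "ports": {"TCP": [22443, 32111, 4172, 443, 8443, 9427, 3389], "UDP": [22443, 4172]}},
    {"name": "AllowVDIToHCSNode", "action": "ALLOW", "source": "VDI", "destination": "Node VMs",
     "ports": {"TCP": [3099, 4001]}},
]
```

Calling `audit_policy(SAMPLE)` reports the widened source, the extra TCP port and the missing TCP port; a rule set that matches the table returns an empty list.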