This blog post is part of a series of posts I will be creating regarding the Horizon Cloud Next-Gen deployment. In this post, I will explain the prerequisites for Horizon Cloud deployment. Coming posts in the series will have topics like image deployment, Pool creation, App Deployment, Dynamic Environment Manager integration, and maybe more.
If you are new to Horizon Cloud on Azure and want to deploy a greenfield environment you will need to configure several items on Microsoft Azure before you can deploy Horizon Cloud. In this blog post, I will explain how to configure these prerequisites in Microsoft Azure but also some other prerequisites for the Horizon Cloud deployment.
- Microsoft Azure subscription requirements
- Service Pricipal
- Microsoft Azure User Managed Identity
- Resource providers
- Microsoft Azure Capacity Requirements
- Horizon Edge
- Unified Access Gateway
- Network Requirements
- Microsoft Azure Virtual Network
- Address Ranges
- NAT Gateway
- Horizon Edge Gateway CIDR IP Address ranges
- VNet DNS Server
- Outbound internet
- Unified Access Gateway
- Outbound internet access
- Active Directory Requirements
- Active Directory
- Functional Levels and OS support
- Domain Bind Accounts
- Domain Join Account(s)
- Horizon Client and Horizon HTML Access
- Horizon Cloud Deployment
Microsoft Azure subscription requirements
For Horizon Cloud on Azure, we need a valid Microsoft Azure subscription(s).
Azure Administrative permissions
To start the Horizon Cloud deployment we will need valid Microsoft Azure administrative permissions in every Microsoft Azure subscription that will be used during the Horizon Cloud deployment. In this article, I will be using only one subscription.
Create one or more service principals. A service principal is the app’s identity in the Azure AD tenant.
To create a service principal you need to sign in to the Azure portal (https://portal.azure.com)
- Select Azure Active Directory.
- Select App Registration then select New registration (When you create a new App Registration a Service Principal is automatically created).
- Name the application.
- Select a supported account type (In this example I used Accounts in this organizational directory only).
- In the App, Registration select Certificates & Secrets and create a New client secret.
- Add a description and choose when the secret expires (In this example I choose 730 days (24 months)).
- Copy the Client’s secret value and Secret ID and store them in a password manager.
Microsoft Azure User Managed Identity
Horizon Edge is using an AKS Cluster and this requires a managed identity with a Network Contributor role at the management VNET’s resource group. It requires the Manged Identity Operator role at the Microsoft Azure subscription.
- In the Azure portal go to Managed Identities.
- Select Add to Create the User Assigned Managed Identity.
- Go to Subscriptions and select the correct subscription.
- Select Access Control (IAM).
- Select Add role assignment underneath Grant access to this resource.
- Select the Role Managed Identity Operator and click next.
- Under Members, select Managed Identity besides Assign Access to.
- Click Select member and choose the previously created Managed Identity.
- Click Review + Assign to complete.
- Repeat the same for the Network Resource Group where the Managed Identity is added with the Network Contributor Role.
Make sure that the below-mentioned resource providers in the Azure subscription are registered.
- In the Azure portal go to subscriptions.
- Select the correct subscription and select Resource Providers.
- Check if all the items in the above-mentioned list are registered.
- If the item is not registered, select the item and click register.
Microsoft Azure Capacity Requirements
The Horizon Cloud deployment is fully automated from the console and no manual VM creation is needed. However, the following capacities must be available in the subscription.
The Horizon Edge Gateway makes use of an Azure Kubernetes Service (AKS) cluster which requires 4 x Standard_D2s_v3 VMs for capacity.
Unified Access Gateway
The unified access gateways default and the recommended size is 2 x Standard_F8s_v2.
However, the following models are also supported
The following network requirements are necessary for the deployment of Horizon Cloud.
Microsoft Azure Virtual Network
- In the Azure portal go to Virtual Network and select Create.
- Select the appropriate subscription, and created a new Resource Group.
- Fill in a Virtual Network Name and select the correct Region.
- Click Next to configure the IP Address space and subnets.
Horizon Cloud requires at least three non-overlapping subnets.
- Management subnet – /26 minimum.
- This subnet will be used for the AKS Cluster and for the NAT Gateway.
- Desktop subnet – /27 minimum.
- Size the desktop subnet based on the number of VMs. Multiple desktop subnets are supported if needed.
- DMZ subnet – /27 minimum.
- This subnet will be used for the Unified Access Gateway instances.
The AKS Cluster (Horizon Edge) needs outbound connectivity. Therefore we need to configure a NAT Gateway.
- In the Azure portal using the search bar to find the NAT Gateway service.
- Select the NAT Gateway and click on Create.
- Choose the correct Subscription and if needed create a new resource group.
- Provide a NAT Gateway Name and select the correct region.
- Click Next to configure the Outbound IP.
- Create a new Public IP Address.
- Click Next to configure the subnet.
- Select the Virtual Network and select the management subnet that was created earlier.
Horizon Edge Gateway CIDR IP Address ranges
To successfully deploy the AKS cluster we will need to reserve three CIDR IP Address ranges that do not conflict with the existing address ranges in the environment.
- Service CIDR – /27 minimum. Example: 10.0.0.0/27
- Pod CIDR – /27 minimum. Example: 10.244.0.0/21
- Docker Bridge CIDR – /26 minimum. Example: 172.17.0.0/26
Also, make sure that the CIDR IP Address ranges do not conflict with the following IP ranges.
VNet DNS Server
Configure a DNS Server on the VNet that points to a valid DNS server that can resolve both internal and external machine names.
- In the Azure portal go to the Virtual Network.
- Select the correct VNet and select DNS Servers.
- Select Custom and add the IP address of the DNS Server(s).
The VNet used for the Horizon Edge deployment must be able to reach and resolve specific DNS names using specific ports and protocols. See: Make Appropriate Ports and URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment.
Unified Access Gateway
During the Horizon Cloud deployment, a cluster of Unified Access Gateway VMs is created and linked to the Horizon Cloud environment. This gives the end-user a secure HTML connection to the environment’s VMs. The following items must be prepared before the deployment.
Outbound internet access
The UAGs must have access to *.horizon.vmware.com. This can be done by a NAT Gateway or Firewall in the DMZ subnet.
A Fully Qualified Domain Name is required for the UAG config.
The UAGs require certificates in order to make a secure connection. These certificates must be in PEM format and must match the FQDN in the previous step.
Active Directory Requirements
During the Horizon Cloud deployment an Active Directory registration workflow must be followed. The following items need to be in place to complete this AD registration workflow.
One of the following AD configurations is supported.
- On-premises AD Server connected via VPN/Express Route.
- AD Server in Microsoft Azure
- Microsoft Azure AD Domain Services
Functional Levels and OS support
The following functional levels are supported.
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
The following AD DS OS versions are supported.
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R
Domain Bind Accounts
A Domain bind account is a normal user account that will be used by the console to read AD information that will be used in the Horizon Cloud console. Think of adding groups to assignments.
During the deployment, you will be asked to provide a Domain Bind account and an Auxiliary Domain bind account.
The accounts must have the following permissions:
- List Contents
- Read All Properties
- Read Permissions
- Read tokenGroupsGlobalAndUniversal (implied by Read All Properties)
Domain Join Account(s)
A Domain Join account is used to join VMs to the domain and perform sysprep operations. For production environments, I would recommend to also create an Auxiliary Domain Join account. However, this is optional during the deployment and can also be done later.
The account(s) must have the following permissions on the VM OU:
- Read All Properties – this object only
- Create Computer Objects – this object and all descendant objects
- Delete Computer Objects – this object and all descendant objects
- Write All Properties – Descendant Computer objects
- Reset Password – Descendant Computer objects
Double-check if the Prevent Accidental Deletion is not set during the creation of the OU. For more information please check: https://www.geursen.net/domain-join-account-horizon-daas-9-x/
Horizon Client and Horizon HTML Access
End-users will be able to connect to the Horizon Cloud environment with the Horizon Client or via the Horizon HTML client. The following clients are supported.
- Horizon Client for Windows 2111 or later
- Horizon Client for Mac 2111 or later
- Horizon Client for Linux 2206 or later
- HTML Access built-in version
Horizon Cloud Deployment
With all these requirements we will be able to start the deployment of Horizon Cloud (Next-Gen) on Azure. In my next blog post, I will show the step-by-step deployment of Horizon Cloud.
If you have any questions or comments feel free to contact me.