VMware Horizon Cloud Service on Microsoft Azure Network Ports Diagrams
Introduction
This document provides port and protocol requirements for connectivity between the various components and servers in a VMware Horizon® Cloud Service with Microsoft Azure™ deployment. This document is intended to be a companion to the Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level, which provides ports and protocols in tabular format. The tables tell you which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications, as well as how to choose how your end users will connect.
In Figure 1, the All Network Ports diagram shows all the possible client connection types for Horizon Cloud Service on Microsoft Azure, and includes all display protocols. Following Figure 1, subsequent sections of this document provide subsets of the All Network Ports diagram, each focusing on a specific connection type and protocol use.
The first set of diagrams following the All Network Ports diagram covers Horizon Cloud Service on Microsoft Azure with external connectivity. The second set covers Horizon Cloud Service on Microsoft Azure with internal connectivity.
This document leverages the Horizon Cloud Service on Microsoft Azure product documentation for a tabular listing of all possible ports from a source component to destination components within a typical Horizon Cloud Service on Microsoft Azure deployment. This does not mean that all these ports necessarily need to be open. If a component or protocol is not in use, then the ports associated with it can be ignored. For example:
- If Blast Extreme is the only display protocol used, the PCoIP ports need not be opened.
- If VMware Dynamic Environment Manager™ is not deployed, ports to and from it can be ignored.
Furthermore, this document does not list all possible ports for all possible integrations with third-party services. The document lists ports to third-party services that are critical to a functioning deployment.
The ports shown are destination ports. In the diagrams, arrows depict the direction of communication from source to destination and assume a stateful connection.
The Horizon Cloud tables and diagrams include connections to the following products, product families, and components:
Audience
This guide is intended for security architects, engineers, and administrators who are implementing a Horizon Cloud Service on Microsoft Azure infrastructure.
It is assumed that you have familiarity with Windows data center technologies such as Microsoft Azure and Active Directory, as well as VMware Horizon Cloud Services. You should also be familiar with virtualization technology, cloud computing, network routing, and firewall security architecture. Knowledge of compatibility is also useful when using VMware Horizon Cloud Service on Microsoft Azure (see VMware Product Interoperability Matrices).
Client Connections for Horizon Cloud Service on Microsoft Azure
Deploying Horizon Cloud Service on Microsoft Azure on your Azure infrastructure is somewhat similar to deploying Horizon 7 on vSphere. Microsoft Azure infrastructure must be available and configured for functionality. This includes the ability to communicate with core infrastructure platform components such as DNS, Active Directory, and file shares (if you are using Dynamic Environment Manager).
For details on the network ports required for a Horizon Cloud Service on Microsoft Azure implementation, see Ports and Protocols for a Horizon Cloud Pod at the September 2019 Release's Manifest Level in the VMware Horizon Cloud Deployment Guide.
Note: If you have a deployment of Horizon Cloud with Microsoft Azure based on a release prior to that, see Ports and Protocols Requirements for a Horizon Cloud Pod Deployed Prior to the September 2019 Release.
Horizon Cloud Service on Microsoft Azure leverages the Horizon Cloud Service for many features, including configuration, administrative interfaces, management, and monitoring. The Horizon Cloud Service on Microsoft Azure pod is downloaded and implemented on your behalf from a cloud-based CDN. To facilitate the functionality of these and other features, the Horizon Cloud Service on Microsoft Azure deployment requires connectivity or visibility to various cloud-based resources, in addition to the network ports requirements. These resources are documented in the DNS Requirements for a Horizon Cloud Pod in Microsoft Azure in the VMware Horizon Cloud Deployment Guide.
The All Network Ports diagram is a combination of all options in a single diagram.
Figure 1: All Network Ports, All Connection Types, All Display Protocols
The All Network Ports diagram describes all supported connection and protocol types.
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
Internal-Tunneled / External Connections
There are two basic connectivity configurations for Horizon Cloud Service on Microsoft Azure: Internal-Tunneled and External connection. Typically, we recommend that you deploy a Horizon Cloud pod with Unified Access Gateway (one or two depending on HA configuration). This configuration is valid for clients using Internal-Tunneled and External connections to the Horizon Cloud Service on Microsoft Azure deployment.
The following diagrams depict an Internal-Tunneled or External connection for Horizon Cloud Service on Microsoft Azure.
External/Internal Tunneled Connections, All Display Protocols
This diagram describes the connections when a user is connecting with both Horizon Client and a Web browser.
Figure 2: External/Internal Tunneled Connections, All Display Protocols
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
External/Internal Tunneled Connection, Blast Extreme
This diagram describes the connections when a user is connecting with a full Horizon Client and Blast Extreme.
Figure 3: External/Internal Tunneled Connections, Blast Extreme
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
External/Internal Tunneled Connection, HTML
This diagram describes the connections when a user is connecting with a Web browser instead of a full Horizon Client.
Figure 4: External/Internal Tunneled Connections, HTML
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
External/Internal Tunneled Connection, PCoIP
This diagram describes the connections when a user is connecting with a full Horizon Client based on the PCoIP protocol.
Figure 5: External/Internal Tunneled Connections, PCoIP
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
Internal-Trusted Connections
The second basic connectivity configuration for Horizon Cloud Service on Microsoft Azure is meant for internal-trusted environments where all client (user) connections go through a VPN or other trusted connection to access Horizon Cloud Service on Microsoft Azure. In this configuration, there is no Unified Access Gateway managing connections into the Horizon Cloud pod.
Note: As mentioned earlier, we recommend that you deploy a Horizon Cloud pod with Unified Access Gateway (one or two depending on HA configuration) as described in the diagrams above.
The following diagrams depict an Internal-Trusted connection for Horizon Cloud Service on Microsoft Azure.
Internal-Direct Connection, All Display Protocols
This diagram describes the connections using all display protocols for an Internal-Direct connection.
Figure 6: Internal-Direct Connection, All Display Protocols
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
Internal-Direct Connection, Blast Extreme
This diagram describes the connections when a user is connecting with a full Horizon Client based on Blast Extreme.
Figure 7: Internal-Direct Connection, Blast Extreme
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
Internal-Direct Connection, HTML
This diagram describes the connections when a user is connecting with a Web browser instead of a full Horizon Client.
Figure 8: Internal-Direct Connection, HTML
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
Internal-Direct Connection, PCoIP
This diagram describes the connections when a user is connecting with the PCoIP protocol.
Figure 9: Internal-Direct Connection, PCoIP
For more information, see the Pod Operations Ports and Protocols table in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level.
Summary and Additional Resources
Summary
This document provides the port and protocol requirements that you need to connect the components and servers in your VMware Horizon Cloud Service with Microsoft Azure deployment. The images in this document, combined with the same information in tabular format in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest Level, will help you meet connectivity requirements. If you have a deployment of Horizon Cloud with Microsoft Azure based on a release prior to that, see Ports and Protocols Requirements for a Horizon Cloud Pod Deployed Prior to the September 2019 Release.
Additional Resources
For more information, you can explore the following resources:
- Quick-Start Tutorial for VMware Horizon Cloud Service on Microsoft Azure
- VMware Workspace ONE and VMware Horizon Reference Architecture
- When You Choose Microsoft Azure Cloud Capacity for Your Very First Pod Deployment
Changelog
The following updates were made to this guide:
DATE | CHANGES
2022-07-05 | Made the following updates to images:
2021-11-11 |
2020-12-09 |
2020-04-20 |
2019-10-25 |
About the Author and Contributors
Rick Terlep, End-User-Computing Architect, EUC Technical Marketing, VMware, wrote this document and created the diagrams.
The following people contributed considerable knowledge and assistance with reviewing:
- Daniel Berkowitz, Senior Solution Architect, EUC Cloud Services, VMware
- Jerrid Cunniff, Product Line Manager, EUC Cloud Services, VMware
- Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware
- Frank Taylor, Principal Engineer, EUC, VMware
- Griff James, Staff Engineer, EUC, VMware
- Lee Anne Kowalski, Senior Staff Technical Writer, Information Experience, VMware
- Cindy Heyer Carroll, Senior Technical Marketing Manager, EUC Technical Marketing, VMware
The following people contributed their knowledge to past versions of this document:
- Mark Benson, Senior Staff Engineer, EUC CTO Office, VMware
- Paul Green, Staff Engineer, Enterprise Desktop, VMware
- Andrew Jewitt, Staff Engineer, Enterprise Desktop, VMware
- Jim Yanik, Senior Manager, EUC Technical Marketing, VMware
- Frank Anderson, Alumni
- Ramu Panayappan, Alumni
Feedback
To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.