Tuesday, September 22, 2020

Deploying Horizon Cloud on Azure without connecting to an on-prem AD domain

Today's post illustrates how I set up a Horizon Cloud environment within Azure.

There are several articles covering the Horizon Cloud on Azure prerequisites and deployment. For example, this great TechZone article walks step by step through deploying Horizon Cloud on Azure: Article

This post, however, focuses on deploying a Horizon Cloud environment completely contained within Azure, with no requirement to connect to an on-premises network over VPN or ExpressRoute links. To achieve this I had to deploy a Windows domain within my Azure subscription. In addition, since there is no on-premises network to connect to, there was no need to deploy internal UAGs; only external UAGs were required.

These were the items required for this integration:

  • A publicly registered Windows domain with DNS services where I could add DNS entries
  • A public CA issued certificate for your Horizon Cloud POD
  • An Azure AD Subscription
  • A Horizon Cloud tenant
  • An AD domain to bind your Horizon Cloud tenant to. In this lab I deployed my AD domain within my Azure subscription
  • A Vnet within your Azure subscription
  • A Resource Group within your Azure subscription
  • 3 subnets required by Horizon Cloud (management, desktop and DMZ networks) and 2 more subnets for the AD domain deployed within Azure
  • External DNS entries for your Horizon Cloud POD
  • An NTP server; a public NTP server works

Now that we know all the pre-reqs let's start with the process.

The first thing I created was my vNet and my 5 subnets in Azure. Make sure you select an address range for the vNet large enough to carve out your subnets without overlap.

You will need a Resource Group for the vNet to be part of. You can either create a new Resource Group during the vNet creation or create a Resource Group ahead of time and select it during the vNet creation.

Once I had my vNet and subnets in place I created a Windows Server VM to act as the domain controller for my Active Directory domain. This domain is bound to the Horizon Cloud Control Plane later on in the process. I placed the domain controller in my Default subnet. Once the VM was created I accessed it remotely in order to promote it to a domain controller.

Once the domain controller was set up I changed my vNet DNS settings to point to the domain controller instead of the Azure default DNS servers. Without this change it would not be possible to bind the Horizon Control Plane to the AD domain.

At this point, just to make sure things were going right, I created a Windows 10 test VM in a subnet different from the one the domain controller uses and joined this new machine to the domain, which confirms that network connectivity exists between the subnets in the vNet. You can reuse this procedure in the future to troubleshoot network communication between your subnets.
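The two Windows-side steps above (promoting the server to a domain controller, then checking from the test VM that DNS and the AD ports are reachable across subnets before joining) as an added PowerShell example; this is not code from the original post, and the domain name lab.example.com and the DC address 10.0.0.4 are constructed placeholders.

```powershell
# Added example, not from the original post. Domain name, NetBIOS name and DC IP are
# constructed placeholders; replace them with your own values.

# --- Part 1: run on the Windows Server VM to promote it to the first DC of a new forest ---
function Install-LabForest {
    param([string]$DomainName = 'lab.example.com', [string]$NetbiosName = 'LAB')
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    # Prompt for the DSRM password instead of embedding it in the script
    $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force   # reboots when finished
}

# --- Part 2: run on the Windows 10 test VM in a different subnet, before joining ---
function Test-DomainReachability {
    param([string]$DomainName = 'lab.example.com', [string]$DcIp = '10.0.0.4')
    $ok = $true
    # 1. The DC locator SRV record is only served by the DC's DNS, so a successful lookup
    #    proves the vNet DNS setting now points at the domain controller.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
        Write-Host "DC locator SRV -> $($srv.NameTarget -join ', ')"
    } catch {
        Write-Warning 'SRV lookup failed: the vNet DNS is probably still the Azure default'
        $ok = $false
    }
    # 2. Ports a domain join and an LDAP/Kerberos bind need; a BLOCKED line usually means an NSG rule
    foreach ($port in 53, 88, 135, 389, 445, 636) {
        $r = Test-NetConnection -ComputerName $DcIp -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Write-Host ('TCP {0,-4} {1}' -f $port, $state)
        if (-not $r.TcpTestSucceeded) { $ok = $false }
    }
    return $ok
}

function Join-LabDomain {
    param([string]$DomainName = 'lab.example.com', [string]$DcIp = '10.0.0.4')
    if (-not (Test-DomainReachability -DomainName $DomainName -DcIp $DcIp)) {
        throw 'Fix DNS / NSG connectivity between the subnets before joining the domain'
    }
    $cred = Get-Credential -Message "Credentials for $DomainName allowed to join computers"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
}
```

Run `Install-LabForest` on the server VM first; once it has rebooted and the vNet DNS has been switched to the DC, run `Join-LabDomain` on the test VM.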

After the DNS settings I registered all the resource providers required by Horizon Cloud. The list of required resource providers can be found here: Article

To do so I selected my subscription and then Resource Providers to see the list and register the ones required by Horizon Cloud.

Next I created the App Registration required by Horizon Cloud. Copy and save the Application ID. You will need it later on in the process.

Once I had registered the App I selected it and gave it a role assignment of Contributor.

After registering the App and giving it the necessary Contributor role I went back to App registrations and selected Certificates & Secrets to create a new client secret, which is required by Horizon Cloud. Make sure you save the secret value somewhere safe: once the secret is created Azure will no longer let you see its value.

At this point my Azure settings were complete and I moved on to my Horizon Control Plane console to deploy Horizon Cloud into my Azure subscription. I needed the following information to add my Azure subscription to Horizon Cloud:
  • Subscription ID
  • Directory ID
  • Application ID
  • Application Key

For the Subscription ID in Azure I selected my Subscription and then went into Overview.

For the Directory ID I selected Azure Active Directory and then Overview. The Directory ID is called Tenant ID in Azure.

I had already saved the Application ID and the Application Key in previous steps.
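The Azure-side preparation described above (vNet DNS pointing at the DC, resource-provider registration, App registration with the Contributor role and a client secret) and the collection of the four values the Horizon Cloud console asks for, as an added Az PowerShell example that is not part of the original post. It assumes Az.Resources 5.0 or later (Microsoft Graph based cmdlets), an existing vNet, and constructed resource names and IPs; the provider list is a placeholder to be filled from the linked VMware article.

```powershell
# Added example, not from the original post. Requires the Az module (Az.Accounts, Az.Network,
# Az.Resources >= 5.0). All names and IPs below are constructed placeholders.
$ResourceGroup = 'rg-horizon-lab'
$VnetName      = 'vnet-horizon-lab'
$DcIp          = '10.0.0.4'            # private IP of the domain controller VM
$AppName       = 'horizon-cloud-pod'
# PLACEHOLDER: fill from the resource-provider list in the VMware article referenced above
$Providers     = @('Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage')

Connect-AzAccount | Out-Null
$ctx = Get-AzContext

# 1. Point the vNet at the domain controller's DNS instead of the Azure default resolver.
#    Without this the Horizon Control Plane cannot locate the domain to bind to it.
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($DcIp)
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Register the resource providers and wait until none is still 'Registering'
foreach ($p in $Providers) {
    Register-AzResourceProvider -ProviderNamespace $p | Out-Null
    do {
        Start-Sleep -Seconds 5
        $states = (Get-AzResourceProvider -ProviderNamespace $p).RegistrationState
    } while ($states -contains 'Registering')
}

# 3. App registration, its service principal, and Contributor on the subscription (as in the post)
$app = New-AzADApplication -DisplayName $AppName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' `
    -Scope "/subscriptions/$($ctx.Subscription.Id)" | Out-Null

# 4. Client secret with an explicit expiry. SecretText is only returned at creation time,
#    exactly like the portal; copy it into a vault rather than leaving it in a transcript.
$secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)

# 5. The four values the Horizon Cloud "Add Microsoft Azure" page asks for
[pscustomobject]@{
    SubscriptionId = $ctx.Subscription.Id
    DirectoryId    = $ctx.Tenant.Id        # Azure calls this the Tenant ID
    ApplicationId  = $app.AppId
    ApplicationKey = $secret.SecretText
}
```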

Now that I had the 4 necessary attributes I moved into the Horizon Cloud console. I received my Horizon Cloud tenant user ID from VMware in an email titled "Welcome to the VMware Horizon Service".

After logging in I selected Settings \ Capacity and then clicked New \ Microsoft Azure to deploy a Horizon Cloud POD into my Azure subscription.

I then entered the 4 attributes I had collected from my Azure subscription on the first page.

In the Pod Setup section I configured my POD name, location and NTP server.

Lastly, in the Gateway Settings page I enabled the external UAGs, provided the FQDN I had previously created in my external DNS for the POD, and uploaded my public CA issued certificate for the POD FQDN.

After 40 minutes or so my first Horizon Cloud POD was deployed in my Azure subscription.

The last step of this integration was to bind my AD domain to my Horizon Cloud tenant. To do so I went into Settings \ Active Directory and clicked Register to start the binding process.

And that was it! I will soon post new articles illustrating how I deployed regular VDI App pools, Windows Multi Session (WVD) VDI pools and RDSH published Apps Pools on Horizon Cloud. I will also post an article on how I connected my Horizon Cloud POD to my Workspace ONE Access tenant.

Happy testing!
