Horizon Cloud on Azure next-gen Deployment – Part 02

Continuing from the Part 01 post on prerequisites …

In this article, let us discuss the Azure capacity and networking requirements.

Azure Capacity Requirements

Horizon Edge Gateway capacity requirements:

As of writing this post, 2 types of Edge deployments are supported:

  • Edge Gateway (AKS)
  • Edge Gateway (VM based)

Edge Gateway (AKS)

There are 2 modes supported in the AKS-based Edge Gateway deployment:

– HA
– Non-HA

In the HA-based Edge AKS deployment, 4 nodes are deployed by default.
In the non-HA Edge AKS deployment, a single-node AKS cluster is created.

Supported model sizes are listed in the Horizon Cloud next-gen checklist page

Horizon Cloud frequently updates the AKS Edge with the latest supported versions of AKS on Azure. Hence make sure a 10 vCPU quota is available (8 vCPU for the Edge + 2 vCPU for upgrades).

Edge Gateway (VM Based)

The VM-based Edge deployment is a straightforward approach and requires a 4 vCPU quota to be available before deployment.

Supported model sizes are listed in the Horizon Cloud next-gen checklist page

Unified Access Gateway (UAG) capacity requirements:

With the deployment, a minimum of 2 UAGs will be deployed. In next-gen, the UAGs have a light-weight management overhead and are predominantly used only for protocol traffic.

Supported model sizes are listed in the Horizon Cloud next-gen checklist page

Network Requirements

Edge Gateway

vNET
  Edge Gateway (AKS): The vNET is to be created by the customer from the Azure portal with a valid address space for the subnets.
  Note: due to Azure AKS limitations, make sure the vNET address space does not fall within the IP ranges below:
    169.254.0.0/16
    172.30.0.0/16
    172.31.0.0/16
    192.0.2.0/24
  Edge Gateway (VM): The vNET is to be created by the customer from the Azure portal with a valid address space for the subnets. There are no specific limitations on IP ranges.

Subnets
  Edge Gateway (AKS): 3 subnets are required:
    DMZ – /27 minimum
    Management – /26 minimum
    Desktop – /27 minimum
  For the Edge deployment only the Management subnet is needed; for the UAG deployment the DMZ and Desktop subnets are required.
  Edge Gateway (VM): 3 subnets are required:
    DMZ – /27 minimum
    Management – /26 minimum
    Desktop – /27 minimum
  For the Edge deployment only the Management subnet is needed; for the UAG the DMZ and Desktop subnets are required.

Virtual IP address
  Edge Gateway (AKS): Since this deployment is AKS based, it requires the CIDR details below:
    Service CIDR – /27 minimum
    Pod CIDR – /21 minimum
  Please make sure the above CIDR ranges do not conflict with any other IP ranges in your network environment, specifically the AD, DNS, DHCP etc. IP ranges.
  Edge Gateway (VM): Not applicable.

vNET DNS
  Edge Gateway (AKS): A valid internal DNS server must be provided.
  Note: for a successful Edge deployment, the deployment will try to access external DNS names; hence make sure that the external URLs are resolvable with the DNS server provided.
  Edge Gateway (VM): A valid internal DNS server must be provided.
  Note: for a successful Edge deployment, the deployment will try to access external DNS names; hence make sure that the external URLs are resolvable with the DNS server provided.

Outbound type
  Edge Gateway (AKS): NAT Gateway / user-defined routes.
  The AKS-based deployment requires outbound connectivity from the Edge Gateway; hence, to provide that, the customer requires either a NAT Gateway or a firewall.
  The customer has to create a NAT Gateway in Azure if they would like to go with that option.
  Edge Gateway (VM): Not applicable.

Route table
  Edge Gateway (AKS): If the customer is using user-defined routes for the outbound type, then the customer has to attach the route table used by the firewall to the Management subnet.
  Also the customer has to allow the required ports / DNS URLs as per the lists provided below:
    1 – DNS URLs
    2 – Port and Protocol
  For a NAT Gateway we don't need to create a route table or allow any URLs and ports.
  If the customer is using both a firewall and a NAT Gateway, then the firewall takes precedence.
  Edge Gateway (VM): Not applicable, but if the customer would like to route the traffic through a firewall then they have to make sure all the required ports / DNS URLs are allowed in the firewall:
    1 – DNS URLs
    2 – Port and Protocol

Proxy
  Edge Gateway (AKS): Supported and optional.
  Edge Gateway (VM): Supported and optional.
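The vNET, subnet and AKS CIDR rules in the table above are easy to get wrong on paper, so here is a pre-deployment check written for this post (it is not Horizon Cloud or Azure code). It encodes the reserved AKS ranges, the minimum subnet sizes and the Service/Pod CIDR minimums from the table, and flags overlaps between the subnets, the vNET and any existing ranges you pass in (AD, DNS, DHCP); the sample plan at the bottom is constructed.

```python
import ipaddress

# Ranges the post says an AKS-based Edge vNET must not fall within.
AKS_RESERVED = [ipaddress.ip_network(n) for n in
                ("169.254.0.0/16", "172.30.0.0/16", "172.31.0.0/16", "192.0.2.0/24")]
# Minimum sizes from the post as prefix lengths (a larger number is a smaller block).
MIN_PREFIX = {"DMZ": 27, "Management": 26, "Desktop": 27,
              "Service CIDR": 27, "Pod CIDR": 21}


def validate_plan(vnet, subnets, aks_cidrs=None, other_ranges=()):
    """Return a list of problems with the plan; an empty list means it passes.

    subnets:      {"DMZ": cidr, "Management": cidr, "Desktop": cidr}
    aks_cidrs:    {"Service CIDR": cidr, "Pod CIDR": cidr} for the AKS Edge,
                  or None for the VM-based Edge (no reserved-range rule applies)
    other_ranges: existing ranges (AD, DNS, DHCP ...) the AKS CIDRs must avoid
    """
    problems = []
    vnet = ipaddress.ip_network(vnet)
    if aks_cidrs is not None:                      # AKS-only restriction
        for r in AKS_RESERVED:
            if vnet.overlaps(r):
                problems.append(f"vNET {vnet} overlaps AKS-reserved range {r}")

    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is not inside vNET {vnet}")
        if net.prefixlen > MIN_PREFIX[name]:
            problems.append(f"{name} {net} is smaller than the /{MIN_PREFIX[name]} minimum")
    names = list(nets)
    for i, a in enumerate(names):                  # subnets must not overlap each other
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    if aks_cidrs:
        avoid = [vnet] + [ipaddress.ip_network(r) for r in other_ranges]
        for name, cidr in aks_cidrs.items():
            net = ipaddress.ip_network(cidr)
            if net.prefixlen > MIN_PREFIX[name]:
                problems.append(f"{name} {net} is smaller than the /{MIN_PREFIX[name]} minimum")
            for r in avoid:                        # Service/Pod CIDRs must be distinct from everything
                if net.overlaps(r):
                    problems.append(f"{name} {net} conflicts with {r}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan for an AKS Edge; an empty list means it passes.
    print(validate_plan("10.50.0.0/22",
                        {"DMZ": "10.50.0.0/27", "Management": "10.50.1.0/26", "Desktop": "10.50.2.0/27"},
                        {"Service CIDR": "10.60.0.0/27", "Pod CIDR": "10.64.0.0/21"},
                        other_ranges=["10.0.0.0/16"]))
```

Pass `aks_cidrs=None` for the VM-based Edge, where the reserved-range rule from the table does not apply.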
Unified Access Gateway (UAG)

vNET
  UAGs can be deployed in the same vNET as the Edge or in a different vNET. If you would like to deploy in a different vNET, make sure the Edge vNET has a peering with the new vNET.

Deployment types
  There are 3 types of deployments possible with UAG at the time of writing this post:
    1 – External only
    2 – Internal & External
    3 – Internal only

Subnets
  External only deployment: requires 3 subnets – DMZ, Management & Desktop
  Internal & External deployment: requires 3 subnets – DMZ, Management & Desktop
  Internal only deployment: requires 2 subnets – Management & Desktop

Route table
  Make sure not to attach a route table (if you are using one) to the DMZ subnet, because it causes session launches to fail due to asymmetric routing.

Outbound internet
  With External only and Internal & External deployments, make sure *.horizon.vmware.com is allowed on the DMZ subnet and also that URLs ending with .horizon.vmware.com are resolvable, else the session launch will fail.
  With Internal only (allow internal access over a corporate network), add a NAT Gateway / firewall to the Management subnet for outbound traffic and allow the required URLs.

Certificate
  PEM / PFX are supported.
  The FQDN provided for the UAG should match the certificate FQDN, or you need to use a wildcard certificate.

Certificate with CRL / OCSP
  Supported, but the CRL / OCSP DNS names must be reachable from the DMZ (for External only and Internal & External deployments) and from Management (for Internal only – corporate network).
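For the certificate rule above (the UAG FQDN must match the certificate name, or a wildcard certificate is needed), here is a check written for this post, not part of the original or of UAG itself. It applies the usual TLS name-matching rules to a list of DNS names taken from a certificate's CN / SAN, so you can see exactly which wildcards cover which FQDNs before uploading the PEM/PFX; the names used are constructed.

```python
def cert_covers_fqdn(uag_fqdn, cert_names):
    """Return True if one of the certificate's DNS names covers the UAG FQDN.

    cert_names is the list of DNS names from the certificate (CN and SAN).
    Rules: case-insensitive, trailing dot ignored, exact match, or a wildcard
    that is the entire leftmost label and stands in for exactly one label.
    So *.example.com covers uag.example.com but not vdi.uag.example.com,
    not example.com itself, and uag*.example.com is not a valid wildcard.
    """
    host = uag_fqdn.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:                         # exact CN / SAN match
            return True
        if (labels[0] == "*"                       # whole leftmost label only
                and len(labels) >= 3               # reject bare "*.com"
                and len(labels) == len(host)       # one label, not several
                and labels[1:] == host[1:]):
            return True
    return False


if __name__ == "__main__":
    # Constructed SAN list, as a wildcard certificate might carry.
    san = ["*.example.com", "example.com"]
    for fqdn in ("uag.example.com", "vdi.uag.example.com", "example.com"):
        print(fqdn, "->", cert_covers_fqdn(fqdn, san))
```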