In part 2 of this blog series, I walked through the required setup within Microsoft Azure for networking and service principle creation. In part 3 of the blog series, I will be walking you through the steps to deploy your first Node with Horizon Cloud Service on Microsoft Azure.
The process is really simple:
- Login, Select to Add an Azure Node
- Enter the Azure Service Principle Information
- Enter the required node information
- Once Built, perform domain bind and domain join
Let’s go through each of these in turn;
(Note the values used in the following images are just examples for illustration, and you should substitute these for values suitable to your environment.)
Log in at http://cloud.horizon.vmware.com, using the MyVMware credentials used to register the service. You will have received welcome information to that email address.
You will then need to accept the Terms of Service. Once you are happy to accept, click Accept.
Next, Add Cloud Capacity by clicking ‘Add’:
Now, enter the Service Principle information. See part 2 of this blog for details on how to obtain these values if you don’t have them. The ‘Environment’ is one of Azure (Global), Azure Germany, Azure China, or Azure US Government Cloud. This is specific to your Azure subscription.
When you click Add, the values are verified against your Azure subscription. If anything fails validation, you will need to verify the values and try again. Often, I have seen customers enter the correct values in the UI above, but they forget to give the contributor level permissions to the service principle.
Once successfully validated, you can enter the required node details. This includes a location (a free-form location you can use to logically group nodes; e.g. USA vs Europe, or Sales vs Marketing – totally up to you how you wish to do this.) This is also where you select the required Azure Region you wish to deploy into. In the example below, I selected East US. Once selected, the Virtual Network (VNets) within that region are automatically queried, and you need to select the VNet onto which you want to connect the node.
For the networking CIDR ranges, you need a Management Subnet – this needs to be a /28 network (i.e. 16 addresses).
The Desktop Subnet however should be much larger. This is a key point when adding a node – since today, it’s not possible to extend a subnet address range after the node has been created. Each and every desktop/server you create for your end users, along with any base images will sit on this desktop subnet. If you plan to deploy 1000 desktops to users then you should make sure this is at least a /22 to allow for 1024 hosts. In addition, if you plan to connect your network to an on-premise network (e.g. using Express route) then this network will be an extension of an on-premise network, and so you need to be sure to avoid any address space overlap.
Finally, enter at least one NTP server (this can be a fully qualified domain name (FQDN), or an IP address.) Multiple values can be entered and separated with commas.
Next, select whether you want to add internet facing desktops using the Unified Access Gateway to provide secure edge authentication. Provide your required FQDN (this is the FQDN that your end users will use to access their desktops, so it must be a domain name that you own). Provide a /28 network for the DMZ, and optionally provide DNS and any network Routes. The DNS and Routes are used to allow network access from the Gateway to any on-premise secondary authentication appliances (e.g. Radius servers). Finally, provide a Valid Certificate in PEM format (note that the certificate should not include any passphrase).
2 Factor Authentication can be enabled at this stage too if required. In the example below, I am leaving this as disabled.
Once complete, click Validate & Proceed – at this stage, Horizon Cloud Service will go and check:
- That the subnet ranges you requested are valid and are not in use in your Azure subscription on the chosen VNet.
- That the subscription has sufficient family cores and VMs available to deploy the node
- That the certificate (if Unified Access Gateway was enabled) is in the valid format
If they validate OK, then review the values on the summary screen and then click Submit and the node will start deploying. The screen will look like this:
The node is in ‘pending’ state. This means that Horizon Cloud Service is currently creating the Subnets and is deploying a small temporary JumpBox VM into your environment which will orchestrate the buildout of the node. Note that at any point after this, you can close your browser and come back to it later – the browser does not need to remain open for the node buildout to complete.
It is at this step that we have seen several customers have problems – the Node should remain in Pending state for no more than 15 minutes. If it takes longer than this, then that usually suggests there is an issue with networking within your Azure environment (usually an issue with DNS or outbound network access). Of course, since you’ve read part 2 of this blog of this blog series, then this won’t be a problem for you!
If the networking is configured properly, then the JumpBox will establish a connection with VMware Horizon Cloud Service. You will see this represented as ‘Downloading’ whilst the jump box downloads the binaries needed to build the node. Downloading usually takes around 20 minutes, but this will vary depending on network performance from Horizon Cloud Service to your selected Azure region.
The screen will change to ‘Building’ as the node is built – this takes around 10 minutes
Finally, ‘Connecting’ as the node completes build out and securely pairs with the cloud service – again, this takes around 10-15 minutes.
In total, we typically see a node taking less than 40 minutes from start to finish to complete deployment.
Once the node successfully connects to the cloud service, you will see this change to ‘Complete’ and you can expand the General Setup section. The next step is to perform the Active Directory configuration.
Active Directory Domain Bind / Join
This is in 3 stages, the first being to perform Domain Bind. Provide the Domain Controller NetBIOS name, DNS Domain name, and then the primary Bind username and password. In addition, a secondary bind account is required too.
When you click the Domain Bind button, a bouncing cloud will appear. Typically, this stage takes around 10-30 seconds to complete. If this step fails, then usually that means either:
- The NetBIOS name or DNS name is invalid
- The Azure networking isn’t configured properly, and the Node is unable to resolve/contact the domain controller
- The credentials provided are incorrect
Again, you should breeze through this having gone through part 2 of this blog series!
Once this stage successfully completes, provide the Domain Join credentials. This is used by the system to provide any domain join activities for desktops and servers managed by Horizon Cloud Service. Please ensure that these credentials do not expire. If you are unable to use an account with no expiry – then additional auxiliary domain join accounts can be added – the intent here is that you ensure that these accounts expire at different times, giving you the ability to manually cycle out the credentials without any degradation of service to your end users.
Once you click Save, you will be asked to select the Domain Groups/Users that should have access to the administrative interface (super users). In the example below, I selected Domain Admins, but you could search and select any appropriate group from your environment.
Finally, once you click save, you will then be logged out and asked to re-authenticate. Now that Domain bind/join is completed, you have to authenticate with 2 sets of credentials. First, your MyVMware credentials, and then your AD credentials (note that this AD user must be a member of the Administrator user group you added above.)
Once authenticated successfully, you will be prompted to select whether you wish to partake in the Customer Experience Improvement Program for VMware – read the information, select Yes or No (your choice!), and click Save. Once complete, you will see a screen similar to the following;
Click Monitor->Dashboard. You should see that the node is reporting as being healthy.
If you click Settings->Capacity, and click on the Node, you will see the details of the node you just added;
Next, if you want to better understand why the Capacity of the node is reporting as 40% (as per the example above), click back to the Settings->Capacity screen, but this time, change the view to ‘Type’ and click (show details). This will show the cores/VM counts being used in your Azure subscription, which is being consumed in Azure leading to the reported Capacity;
Congratulations! You have now successfully added your first VMware Horizon Cloud Service Azure Node to Azure, Domain Bound/Joined it, checked it is healthy, confirmed some details about the node, and explored to understand how the capacity is being used within Microsoft Azure!
In the next part of this blog series, I will explain how to create Images which can be used to deliver RDSH Farm capacity (and in future VDI capacity too!).
Do reach out with any comments, suggestions or feedback using our community site available here, as we would love to hear from you.
Source: VMware EUC – https://blogs.vmware.com/euc/digital-workspace