How CloudHealth Optimises and Secures Your Cloud Assets


Over the past 12 months we have seen further growth within the cloud, as many organisations scale or create new digital services in response to the coronavirus pandemic. Improved speed and agility has allowed businesses to pivot where traditional siloed infrastructure may have caused them to stall.

As the usage of cloud services expands, standardising and consolidating cloud tooling becomes important for financial management, operational governance, and security and compliance. Visibility into distributed system architectures across many accounts or subscriptions, or even multi-cloud, is another key challenge. For some customers cloud workloads are not optimised or configured to best standards, many will spend more than their anticipated budget, and others may accidentally expose data or services.

Those with an established cloud strategy may decide to implement a Cloud Centre of Excellence (CCoE); responsible for cloud operations, security, and financial management. The CCoE will navigate the security and configuration landscape of cloud assets, automating response and remediation to configuration drift or threats. As the team grows in maturity optimisations are made continuously and automatically, inline with the key drivers of the business. This is where CloudHealth comes in.

CloudHealth by VMware is a multi-cloud SaaS solution managing more than $11B of public cloud spend for over 10,000 customers. CloudHealth accelerates business transformation in the cloud by providing a single platform solution for visibility into AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure, VMware Cloud on AWS, and on-premises VMware based environments. The key functionality is broken down into the 2 products we’ll look at below.

CloudHealth Multicloud Platform

CloudHealth takes data from cloud platforms, data centres, and third party tools for application, security, and configuration management. Data is ingested and aggregated using CloudHealth’s integrated data layer, which performs analysis on usage, performance, cost, and security posture. CloudHealth becomes a single source for multi-cloud management across environments, strengthening security and compliance, consolidating management, and improving collaboration between previously siloed teams of people and tools.

Data and assets can be categorised by tags or other metadata, and viewed in logical business groups known as perspectives . Perspectives provide a breakdown for cost allocation using dynamic groups such as line of business, department, cost centre, or project. The output can be used to identify trends and build dashboards and reports. This approach simplifies financial management, saves time, aids with budgeting and forecasting, and encourages accountability through accurate chargeback or showback.

CloudHealth Cost Dashboard

Whilst visibility is great, to really have a positive impact on operations we need to know what to do with the data collected. CloudHealth presents back cost optimisation recommendations and security risks, but can also carry out remediation actions automatically.

Cost optimisation is where you can save money, using AWS as an example, based on things like; EC2 instances that are oversized or on an inefficient purchase plan, elastic IP addresses or EBS volumes that are not attached to any resources, snapshots that have not been deleted. In the physical on-premises world all of these issues were common as part of VM sprawl, they impacted capacity planning and resource consumption but were mostly hidden or swallowed as part of the wider infrastructure cost. As organisations shift from large capital investments to ongoing revenue and consumption based pricing, oversized or unused resources literally convert to money going out of the door every single month.

CloudHealth Health Check

Recommendations and actions are where CloudHealth carries out remediation for incorrectly configured or under-utilised resources. Policies can also be used to define desired states and ensure operational compliance. For example, an organisation may want to report on untagged resources, connected accounts, or open ports. The number of available actions currently appears to only cover AWS and Azure, but with support recently added for Oracle Cloud Infrastructure, and Google Cloud Platform before that, hopefully this functionality will continue to be built out.

CloudHealth Remediation Actions

At the time of writing CloudHealth is priced based on cloud spend, and can be purchased as a 1, 2, or 3 year prepaid commitment, or variable pricing based on the previous months cloud spend. A free trial is available to uncover ROI in your own environment from CloudHealth here.

Where VMware environments are in use with vRealize Operations, the CloudHealth management pack for vRealize Operations can be installed. Bringing CloudHealth dashboards and prospects into vROps allows IT ops teams to track on-premises infrastructure and public cloud costs from a single interface. The CloudHealth management pack for vROps can be downloaded from the VMware Marketplace, instructions are here.

CloudHealth Secure State

By default CloudHealth provides real-time information on security risk exposure, but for deep-dive visibility and remediation those who are serious about security will want to look at Secure State. CloudHealth Secure State is available with CloudHealth or standalone, and currently supports AWS, Azure, and GCP.

Dashboards within CloudHealth Secure State enable at-a-glance checks on security posture and compliance. There are over 700 built-in security rules and compliance frameworks that can be used as security guardrails, with the ability to add custom rules and frameworks on top.

As systems become distributed over multiple accounts, subscriptions, or even clouds, the dynamics of securing an organisations assets shift significantly. Previously all services were contained within a data centre, firstly using perimeter firewalls and then with micro-segmentation. IT teams were generally in control and had visibility throughout the corporate network. Nowadays a developer or user responsible for a service can potentially open applications or data to the public, either on purpose or by accident. Cloud security guardrails form an important baseline for security posture and cloud strategy. Security guardrails are made up of critical must-have configurations in policies with auto-remediation actions attached, they help avoid mistakes or configuration drift to ultimately reduce security risk.

CloudHealth Secure State gives further visibility into resource relationships and context, using the Explore UI. Explore enables a powerful model of multi-cloud or account architectures, with visual topology diagrams of complex environments. Cyber security analysts or operations centres can drill down into individual resources with all interoperable components and dependencies already mapped out.

CloudHealth Secure State Dashboard
CloudHealth Secure State Compliance

Featured image by Scott Webb on Unsplash

How to Deploy VMware Horizon Cloud on Microsoft Azure


VMware Horizon Cloud is a cloud-native virtual desktop platform that transforms an organisation’s digital workspace experience. Virtual desktops and applications can be accessed by end-users securely from any device, anywhere, with a cost-effective subscription-based model. Infrastructure administrators can deploy highly available and distributed environments consuming capacity from Microsoft Azure, VMware Cloud on AWS, or on-premises infrastructure. VMware Horizon Cloud can also be deployed to IBM Cloud. You can read more about the Horizon Cloud service offerings in the VMware Horizon Cloud Service Documentation.

Horizon on Azure allows customers to deploy Horizon Cloud as a VMware managed service using Infrastructure-as-a-Service (IaaS) from their own Microsoft Azure subscription. Horizon Cloud on Azure delivers virtual applications and dedicated or floating Windows 10 desktops, leveraging Azure cloud resources for multiple scalable deployment options. The Horizon Cloud admin console provides a single interface to manage virtual desktops and users with built-in service monitoring, logs, and analytics. You can see a full list of features in the VMware Horizon Cloud on Azure FAQs.

Example Design

AD Req

During pod deployment Horizon Cloud deploys a pair of Unified Access Gateways in an Azure Virtual Machine Scale Set behind an Azure Load Balancer assigned a public IP address. The Unified Access Gateways provide secure external access from a demilitarised zone (DMZ) subnet and directs authenticated requests accordingly. The public load balancer IP address is visible from the Horizon Cloud management portal and will need adding with the FQDN to a public DNS zone. A certificate matching the FQDN is uploaded in PEM format during the UAG deployment wizard.

A further Azure Load Balancer with a private IP address is automatically deployed with an Azure Virtual Machine Scale Set for the pod’s manager instances into a management subnet. The manager IP address is also visible from the Horizon Cloud portal and will need adding with the FQDN to a private DNS zone. A certificate chain matching the internal load balancer FQDN and DNS resolution is necessary if integrating Horizon with Workspace ONE, you can read more in the Overview of Configuring SSL Certificates on the Horizon Cloud Pod’s Manager VMs documentation.

The gold image(s) and virtual desktop pools are deployed and managed from the Horizon Cloud portal and use a dedicated private tenant subnet. Each of the components mentioned is provisioned to the customer’s Azure subscription organised in Azure Resource Groups with the supporting resources such as databases, Key Vaults, disks, Storage Accounts, network interfaces, and Network Security Groups.

Workspace ONE and True SSO

Each pod deployment in the example design can serve up to 2000 virtual desktops and can scale out to multiple pods across additional regions to provide extra capacity and resilience. Using Workspace ONE with Horizon Cloud enables a single URL for all users to access regardless of where their virtual desktop is located. Workspace ONE Access, formerly VMware Identity Manager, adds a further layer of security with Multi-Factor Authentication (MFA).

To allow for Single-Sign-On (SSO), VMware’s True SSO needs to be used. True SSO removes the need to enter the username and password more than once while accessing virtual desktops and published applications. True SSO comes with an additional set of requirements which you should review in full before starting along with the Integrate a Horizon Cloud Pod in Microsoft Azure with Workspace ONE Access documentation. At a high-level Active Directory (AD) with DNS and an enterprise Certificate Authority (CA) are needed. If you are deploying a greenfield environment, without an existing federated Azure Active Directory (AAD), then you may need to manually install Active Directory Domain Services on Virtual Machines in the Azure subscription as portrayed in the example design above. Azure Active Directory Domain Services (AAD DS) cannot be used with an enterprise CA at the time of writing which is a requirement for True SSO. Configuration of Workspace ONE and True SSO is beyond the scope of this document, but it is recognised as a component in the overall design.


Azure Pre-Requisites

Review the VMware Horizon Cloud Service on Microsoft Azure Requirements Checklist. Before Horizon pod deployment, you will need to configure the following Azure resources:

  • Azure subscription with available capacity
  • The following resource providers registered in each Azure subscription:
    • microsoft.authorization, microsoft.keyvault,, microsoft.sql, microsoft.dbforpostgresql, microsoft.insights (registers automatically when a service using insights is deployed)
  • Azure Active Directory (AAD) App registration (service principal) with an authentication key for each subscription
    • You will need the Subscription ID, Directory ID, Application ID and key to hand
  • Contributor role assigned to the subscription access control (IAM) for the above service principal
  • A VNet created with the Microsoft.Sql service endpoint enabled, DNS configured, internet access, and 3 non-overlapping address ranges (subnets can be added in advance or at pod deployment)
    • Management subnet, minimum /27
    • Tenant subnet, minimum /27 up to /21 based on the number of virtual desktops
    • DMZ subnet, minimum /28
  • Any required VNet peering should be in place for line of sight Active Directory access, and optional Express Route or VPN for on-premises connectivity

    Horizon Pod Deployment

    Access to Horizon Cloud is provided through email invite via your VMware representative. After logging in the first step is to add pod capacity, the Getting Started page defaults to the Capacity section. Next to Microsoft Azure click Add.

    The Add Microsoft Azure Capacity wizard opens. Follow the instructions to associate the Horizon Cloud control plane with the Azure subscription, using the Subscription ID, and the Azure AD (AAD) App Registration, using the Directory ID with the Application ID and Key for the service principal created during the pre-requisite configuration.


    In the Pod Setup page, configure the pod details. Enter the network settings, including the VNet and subnets to use as discussed in the design section above.


    Configure the external Unified Access Gateways (UAGs) with the public FQDN and the DMZ subnet. Upload the certificate to be applied to both UAGs in PEM format, the certificate must use the FQN specified in this page and must be signed by a trusted Certificate Authority.


    If the pod and gateway configurations validate successfully, then review the summary details and click submit to begin the pod deployment.


    The screenshot below shows the completed post-setup dashboard. In this instance, 3 pods for Azure capacity have been configured.


    After adding capacity to Horizon Cloud, the next step is to configure Active Directory. Review in full the Horizon Cloud service accounts requirements before starting. If you are using a third-party identity source, validate the permissions outlined are acceptable, along with the enterprise CA requirement mentioned above. Cross-check with the Active Directory Requirements section of the VMware Horizon Cloud Service on Microsoft Azure Requirements Checklist.

    Click Configure next to Active Directory to register your domain, add the domain bind and domain join accounts, and define the AD group for Horizon Cloud administrators. After applying the Active Directory configuration, you will need to log back into the portal with a domain account with Horizon Cloud administrative permissions, as well as your My VMware account. You can configure additional My VMware accounts under Settings and then General Settings.

    Publish a Horizon Desktop Image

    With Active Directory configured, we can go ahead and add the first gold image. As an optional configuration item, you can specify the allowed Virtual Machine types for deployments under Settings and then VM Types & Sizes.

    Images can be uploaded or imported from the Azure Marketplace under Inventory and Imported VMs. When you select an image from the Marketplace choose an OS and configure settings like domain join, and Horizon Agent features such as Smart Card / USB redirection, etc. You can enable a public IP address to access the image over RDP, or you can use the Azure Portal (Bastion) to apply software and configuration to the base build. During the import process, Horizon Cloud enables the RDS role, automates the agent installation, and performs a bootstrap process to securely pair the agent and the Horizon Cloud pod.


    Click Import, after a few minutes the image Status changes to green and the Agent Status Active. With the image imported, you can carry out any customisations required to the base build. When complete, select the image and from the More drop-down menu click Convert to image. The build is now converted to an image, Horizon runs sysprep for you, seals the OS, and publishes to the Images section.

    This example is using a single gold image, but you can use multiple images and farms to publish many desktops and applications to end-users. The final step is to configure a new Desktop Assignment enabling users to deploy the image from Horizon Cloud. Click Assignments and New then select Desktops. Choose floating or dedicated desktop types and fill in the fixed attributes, fixed attributes on the assignment cannot be changed after publishing. Complete the flexible attributes, such as minimum and a maximum number of desktops, and machine prefix. Flexible attributes can be updated later.


    Virtual desktops are powered off and deallocated when they are not being used to balance infrastructure costs. You can configure power off protect timings or add power management schedules. On the Users page add the Active Directory users or user groups that will have access to the desktop pool. After the Assignment is created and online it is available for use.


    Users given access to the Assignment can now log in direct to the public FQDN for the pod.


    Entitled images and applications are shown in the Horizon client.


    Back in the Horizon Cloud admin portal the dashboard and reports functionality can be used for general monitoring of the service. At the time of writing, there is no syslog forwarding feature available from the Horizon Cloud portal. Automation of report downloads in CSV format can be scripted, or an agent used on the image build itself, such as a Splunk forwarder.


    Here are some additional gotchas found at the time of deployment. These are expected to be fixed in future releases.

    • Communicating with the internal IP address of a basic Azure Load Balancer across regions with VNet peering is not supported, a standard Azure Load Balancer is needed. At the time of writing the Horizon Cloud pod deployment uses basic load balancers for the internal manager VMs.
    • When applying a certificate to the internal load balancer for the manager VMs to facilitate Workspace ONE integration at the time of writing a common name in the certificate will be ignored if Subject Alternative Names (SANs) are present. All pods should be added as SANs.

    Useful Documentation