Tanzu Kubernetes Grid is a managed service offered by VMware Cloud on AWS. Activate Tanzu Kubernetes Grid in one or more SDDC clusters to configure Tanzu support in the SDDC vCenter Server.
Tanzu Services in the Cloud
Like vSphere, Tanzu services in your VMware Cloud on AWS SDDC work very much like they do in an on-premises data center. Because some vSphere and Tanzu components are managed by VMware, a few of the on-premises administrative workflows that you're familiar with aren't needed when you use Tanzu Kubernetes Grid with VMware Cloud on AWS.
- VMware Cloud on AWS users have no physical access to ESXi host hardware and cannot log in to the ESXi host operating system. Procedures that require this kind of access are performed by VMware staff.
- Global Permissions are not replicated between your on-premises vCenter Server and the vCenter Server in your SDDC. Global permissions do not apply to objects that VMware manages for you, such as SDDC hosts and datastores.
- In VMware Cloud on AWS, the Tanzu workload control plane can be activated only through the VMware Cloud Console.
| Topic | Content Highlights |
|---|---|
| | Tanzu Kubernetes Grid for VMware Cloud on AWS is pre-provisioned with a VMware Cloud on AWS custom content library that you cannot modify. |
| vSphere with Tanzu User Roles and Workflows | The vCenter Server in your SDDC includes a predefined CloudAdmin role that is not present in your on-premises vCenter. This role has the privileges required to create and manage workloads on your SDDC, but does not allow access to SDDC management components that are supported and managed by VMware, such as hosts, clusters, and management virtual machines. |
| Deploying Workloads to vSphere Pods | Tanzu Kubernetes Grid for VMware Cloud on AWS does not support vSphere Pods. |
| Using vSphere Namespaces with TKG 2.0 Clusters on Supervisor | vSphere namespaces for Kubernetes releases are configured automatically during Tanzu Kubernetes Grid activation. |
The Workload Control Plane, Namespace Segments, and Tier-1 Gateways
Each vSphere namespace requires an SDDC network segment. To preserve network isolation between namespaces, the workload control plane creates a Tier-1 router in your SDDC network for each namespace you create. These routers, which are listed on the Tier-1 Gateways page of the SDDC NSX Manager and Networking & Security tab, handle east-west traffic between containers connected to the namespace segment, and route north-south traffic through namespace egress and ingress points. They function much like the Compute Gateway (CGW) in your SDDC, but unlike the CGW, which is created as part of the SDDC and persists for the life of the SDDC, these per-namespace Tier-1 gateways are created and destroyed along with the Tanzu namespaces they support.
For more about SDDC network architecture, see NSX Networking Concepts in the VMware Cloud on AWS Networking and Security guide, and read the VMware Tech Zone article TKG Managed Service Networking.
How Tanzu Activation Affects an SDDC Network
When you activate Tanzu Kubernetes Grid in a VMware Cloud on AWS SDDC, the system creates several additional Tier-1 routers for use by the Workload Control Plane. After activation, vSphere creates an additional Tier-1 router for each namespace you create. Read-only details about these routers are listed on the Tier-1 Gateways page of the SDDC NSX Manager.
In an SDDC that uses AWS Direct Connect, the Tanzu ingress and egress CIDRs are advertised over the Direct Connect connection. In an SDDC that is a member of an SDDC group, these CIDRs are advertised to the VTGW. Because these prefixes are advertised beyond the SDDC, they must not overlap with prefixes already routed there, such as on-premises networks learned over Direct Connect or the connected VPC.
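Because each namespace needs its own SDDC segment and the ingress and egress CIDRs are advertised over Direct Connect or to the VTGW, the CIDRs chosen at activation time must not collide with prefixes already routed in or out of the SDDC. The following is an added example, not VMware's code: an offline pre-activation check, written in Python, that tests a set of planned Tanzu CIDRs against the routes already present and against each other. The route table and the planned values are constructed sample data, and the parameter labels (Service, Namespace Network, Ingress, Egress CIDR) are assumed names for the activation inputs, not an API.

```python
"""Pre-activation CIDR overlap check for Tanzu on VMware Cloud on AWS.

Added example (not VMware's code). The Ingress and Egress CIDRs entered
at activation are advertised over Direct Connect or to the VTGW, so any
overlap with prefixes already routed there (on-prem networks, the
connected VPC, existing SDDC segments) produces a routing conflict.
Run this against your own route list before activating.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: prefixes already reachable from the SDDC. In practice,
# take these from the SDDC's Advertised/Learned Routes view and your segment list.
EXISTING_ROUTES: Dict[str, str] = {
    "10.2.0.0/16": "SDDC management network",
    "192.168.1.0/24": "sddc-cgw-network-1 (compute segment)",
    "172.16.0.0/12": "on-premises (learned over Direct Connect)",
    "10.100.0.0/16": "connected VPC",
}

# Constructed sample: values planned for the activation wizard. The labels
# are assumed names for the wizard's inputs, not a VMware API.
PLANNED_TANZU_CIDRS: Dict[str, str] = {
    "Service CIDR": "10.96.0.0/23",
    "Namespace Network CIDR": "10.244.0.0/20",
    "Ingress CIDR": "172.20.10.0/24",   # deliberately inside 172.16.0.0/12
    "Egress CIDR": "10.200.0.0/24",
}

Conflict = Tuple[str, str, str, str]  # (planned name, planned cidr, route, owner)


def find_overlaps(planned: Dict[str, str], existing: Dict[str, str]) -> List[Conflict]:
    """Return every (planned CIDR, existing route) pair that overlaps."""
    conflicts: List[Conflict] = []
    for name, cidr in planned.items():
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        for route, owner in existing.items():
            if net.overlaps(ipaddress.ip_network(route, strict=True)):
                conflicts.append((name, cidr, route, owner))
    return conflicts


def find_internal_overlaps(planned: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return pairs of planned CIDRs that overlap each other."""
    names = list(planned)
    pairs: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        net_a = ipaddress.ip_network(planned[a], strict=True)
        for b in names[i + 1:]:
            if net_a.overlaps(ipaddress.ip_network(planned[b], strict=True)):
                pairs.append((a, b))
    return pairs


def report(planned: Dict[str, str], existing: Dict[str, str]) -> List[str]:
    """Human-readable findings; an empty list means the plan is clear."""
    lines = [
        f"{name} {cidr} overlaps {route} ({owner})"
        for name, cidr, route, owner in find_overlaps(planned, existing)
    ]
    lines += [f"{a} overlaps {b}" for a, b in find_internal_overlaps(planned)]
    return lines


if __name__ == "__main__":
    findings = report(PLANNED_TANZU_CIDRS, EXISTING_ROUTES)
    if findings:
        print("Do not activate; fix these first:")
        for line in findings:
            print("  -", line)
    else:
        print("No overlaps found; CIDRs are safe to advertise.")
```

With the sample data the check flags the Ingress CIDR, which sits inside the on-premises prefix learned over Direct Connect; advertising it would have drawn traffic for that /24 away from the on-premises route. Swap in your own learned routes, connected-VPC CIDR and segment list before relying on the result.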