Here are instructions for installing VMware Tanzu Application Service for VMs (TAS for VMs) on vSphere with NSX-T internal networking, using the VMware NSX-T Container plug-in for Ops Manager.
These instructions use the NSX-T Policy API, the next-generation interface for integrating with the NSX-T networking and security framework.
TAS for VMs uses a Container Network Interface (CNI) plug-in to support secure and direct internal communication between containers.
The internal Silk plugin that comes packaged with TAS for VMs, or
On vSphere, the NSX-T Container Plug-in (NCP), which is installed as the VMware NSX-T Container Plug-in for Ops Manager tile in Ops Manager.
Before deploying TAS for VMs with NSX-T networking, you must have the following:
An NSX-T environment with NSX-T components installed and configured. The NSX-T version must support the versions of NCP and TAS for VMs you intend to use. Verify the compatibility between NSX-T, NCP and TAS for VMs with the following documentation:
BOSH and Ops Manager installed and configured on vSphere. For more information, see Deploying Ops Manager on vSphere and Configuring BOSH Director on vSphere.
The VMware NSX-T Container Plug-in for Ops Manager tile is downloaded from VMware Tanzu Network and imported to the Ops Manager Installation Dashboard. For information about downloading and importing VMware Tanzu products to the Installation Dashboard, see Add and Import Products in Adding and Deleting Products.
The TAS for VMs tile is downloaded from VMware Tanzu Network and imported to the Ops Manager Installation Dashboard. The TAS for VMs tile must be in one of these states:
class=“note important”> Important Deploying TAS for VMs with its container network interface (CNI) set to Silk configures Diego Cells to use an internally-managed container network. Subsequently switching the CNI interface to External NSX-T leads to errors.
The following graphic shows how to deploy an NSX-T machine to run TAS for VMs across multiple vSphere hardware clusters. NSX-T runs a Tier-0 (T0) gateway and multiple Tier-1 (T1) gateways, each connecting to a network within Ops Manager. Each vSphere hardware column cluster corresponds to an Availability Zone (AZ) in Ops Manager: The NXT T0 Router is connected between the IP Backbone and the T1 Routers. The T1 Routers each terminate on a network. Three network types are shown: On-demand Orgs, Isolation Segments, and On-demand Services.
Installing NSX-T to run with TAS for VMs requires:
To set up NSX-T to integrate with TAS for VMs, complete these procedures:
To configure logical switches:
In vSphere, create logical network switches to correspond to the networks that Ops Manager uses.
For each of these networks:
Isolation Segment (optional, defined in the Assign AZs and Networks pane of the Isolation Segment tile) do the following:
TAS for VMs-Infrastructure
, TAS for VMs-Deployment
).Click ADD.
Create T0 network address translation (NAT) rules to communicate with Ops Manager:
Create network address translation (NAT) rules to communicate with Ops Manager:
Create T1 routers for TAS for VMs, to connect from the T0 router. For each Ops Manager network, Infrastructure, Deployment, and so on, create a T1 router as follows:
In the NSX-T Manager UI, navigate to Advanced Networking & Security > Routing > Routers.
Configure the router. Include the Edge Cluster and Edge Cluster Members; they are required to enable the Load Balancer. The Infrastructure network router configuration might look like the following diagram:
Create T1 router downlink ports for TAS for VMs. For each T1 router you created, add a New Router Port as follows, to allow traffic in and out:
For IP Address, use the first IP of the appropriate subnet. In this example, 192.168.1.0/24 is set aside for Infrastructure (Ops Manager and BOSH Director), and 192.168.2.0/24 for the Deployment, so 192.168.1.1 and 192.168.2.1 are used respectively.
Advertise the routes of the T1 routers to the T0 router, so the T0 router can correctly route incoming requests based on their destination IP address:
Create T1 gateways for TAS for VMs, to connect from the T0 gateway. For each Ops Manager network, Infrastructure, Deployment, and so on, create a T1 gateway as follows:
Advertise the routes of the T1 gateways to the T0 gateway, so the T0 gateway can correctly route incoming requests based on their destination IP addresses:
Allocate an IP block for TAS for VMs orgs.
TAS for VMs-container-ip-block
). This IP block name is also used in the VMware NSX-T tile in the NCP section under IP Blocks of Container Networks.Subnets are allocated from this pool to each newly-created org
./14
CIDR is large enough for ~1,000 Orgs with ~250 apps each. If you are planning such a large foundation, see VMware NSX-T TAS for VMs limits in the VMware documentation.Allocate an IP block for TAS for VMs orgs.
TAS for VMs-container-ip-block
). This IP block name is also used in the VMware NSX-T tile in the NCP section under IP Blocks of Container Networks.Subnets are allocated from this pool to each newly-created org
./14
CIDR is large enough for approximately 1,000 Orgs with about 250 apps each. If you are planning a large foundation, see VMware NSX-T TAS for VMs limits in the VMware documentation.Create an external SNAT IP pool:
external-ip-pool
).Set a subnet of externally-routable IP addresses for future NAT IP addresses.
In vSphere, create segments that correspond to the networks that Ops Manager uses.
In vSphere, create segments that correspond to the networks that Ops Manager uses.
tas-web-monitor
/health
tas-tcp-monitor
/health
Create the health monitor for SSH load balancing:
tas-ssh-monitor
Create Server Pools (collections of VMs that handle traffic) for use by the virtual servers.
tas-web-pool
Automap
Static
tas-web-monitor
Create the server pool for TCP load balancing:
tas-tcp-pool
Disabled
Static
tas-tcp-monitor
Create the server pool for SSH load balancing:
tas-ssh-pool
Disabled
Static
tas-ssh-monitor
Create the load balancer. In the NSX-T Manager UI, go to Networking, then Load Balancing, and click the Load Balancers tab.
tas-lb
Small
unless you have a larger Foundation.t1-deployment
Attach your load balancer to the Tier 1 gateway fronting your deployment instances.Click Add Active Monitor.
tas-web-monitor
/health
To create the health monitor for TCP load balancing:
tas-tcp-monitor
/health
To create the health monitor for SSH load balancing:
tas-ssh-monitor
To create Server Pools (collections of VMs which handle traffic) for use by the virtual servers:
To create the server pool for web load balancing:
tas-web-pool
Automap
Static
tas-web-monitor
To create the server pool for TCP load balancing:
Click Add Server Pool to add a new pool.
tas-tcp-pool
Disabled
Static
tas-tcp-monitor
Create the server pool for SSH load balancing:
tas-ssh-pool
Disabled
Static
tas-ssh-monitor
To create the load balancer:
tas-lb
Small
unless you have a larger Foundation.t1-deployment
Attach your load balancer to the Tier 1 gateway fronting your deployment instances.To create the virtual server that forwards unencrypted web (HTTP) traffic to the foundation:
Important For foundations requiring end-to-end encryption, do not enable the virtual server on port 80. If it must be enabled, configure it to redirect traffic to the encrypted port (443).
tas-web-vs
default-tcp-lb-app-profile
*.system.YOUR-SYSTEM-DOMAIN.com
80,443
tas-web-pool
To create the virtual server that forwards traffic to apps with custom tcp ports to the foundation:
tas-tcp-vs
default-tcp-lb-app-profile
tcp.apps.YOUR-SYSTEM-DOMAIN.com
1024-1123,5900
tas-tcp-pool
To create the virtual server that forwards SSH traffic to the foundation:
tas-ssh-vs
default-tcp-lb-app-profile
ssh.system.YOUR-SYSTEM-DOMAIN.com
.2222
tas-ssh-pool
To enable NSX-T mode in the BOSH Director:
From the Ops Manager Installation Dashboard, open the BOSH Director tile.
In the vCenter Configs pane, click the pencil icon for the vCenter Config you want to edit.
Select NSX Networking below.
Configure BOSH Director authentication to the NSX Manager by following the NSX Networking instructions in the Step 2: Configure vCenter section of Configuring BOSH Director on vSphere.
Verify that the Use NSX-T Policy API option is selected.
To configure TAS for VMs for external container networking:
If you have not already done so, download the TAS for VMs tile from VMware Tanzu Network and import it to the Installation Dashboard.
For instructions, see Add and Import Products.
Configure TAS for VMs, following the directions in Configuring TAS for VMs. When you configure Networking, select External under Container networking interface plugin.
server_pools
list with the NSX-T Server Pool these instance must be added to upon deployment.
To install and configure the tile:
If you have not already done so, download the VMware NSX-T Container Plug-in for Ops Manager tile from VMware Tanzu Network and import it to the Installation Dashboard. For instructions, see Add and Import Products.
1. If you are using VMware Workspace ONE Access, formerly called VMware Identity Manager
(vIDM), then select **Client Certificate Authentication**.
1. Otherwise, select **Basic Authentication with Username and Password** and enter **NSX Manager Admin Username** and **Admin Password** credentials in the fields underneath.
NSX Manager CA Cert: Obtain this certificate from NSX-T Manager as follows:
ssh
into NSX-T Manager using the admin account that you created when you deployed NSX-T Manager.From the NSX-T Manager command line, run get certificate api
to retrieve the certificate.
Open and configure the NCP (NSX-T Container Plugin) pane as follows:
TAS for VMs
. If multiple foundations co-exist on the same NSX-T Manager, choose a unique string, such as TAS for VMs-beta
. NCP creates artifacts, such as T1 gateways and prefixes their names with this string for easy identification.24
. This number must be higher than the mask for all TAS for VMs orgs in the NSX-T Manager New IP Block pane, to define each org’s fraction of the total TAS for VMs address space.In the NSX Node Agent pane, enable the Enable Debug Level of Logging for NSX Node Agent check box.
Click Save and return to the Installation Dashboard.
After you have configured both the TAS for VMs tile and the VMware NSX-T tile, click Review Pending Changes, then Apply Changes to deploy TAS for VMs with NSX-T networking.
After you have deployed TAS for VMs with NSX-T, you may need to upgrade either Ops Manager, TAS for VMs, the NSX-T Container Plug-in or NSX-T Data Center. If you upgrade one of these components, you may need to upgrade the other components as well.
For example, if you want to upgrade NSX-T Data Center, you may need to upgrade the NSX-T Container Plug-in first.
To upgrade TAS for VMs with NSX-T Networking:
Plan the upgrade by determining the compatibility of NCP, NSX-T and TAS for VMs by checking the following documentation:
Download the desired version of VMware NSX-T Container Plug-in for Ops Manager tile from VMware Tanzu Network.
In Ops Manager, import the new version of the tile to the Installation Dashboard. For instructions, see Adding and Importing Products.
Click Review Pending Changes and review your changes.
Click Apply Changes.
Continue with the upgrade of Ops Manager, TAS for VMs, or NSX-T Data Center. For more information, see Upgrade NCP in a Ops Manager Environment in the VMware NSX-T Data Center documentation.