You can install VMware Tanzu Application Service for VMs (TAS for VMs) on Azure VMware Solution (AVS) with NSX-T internal networking, using the VMware NSX-T Container Plug-in.
AVS provides you with private clouds that contain vSphere clusters built from dedicated bare-metal Azure infrastructure.
AVS is a VMware-validated solution with ongoing validation and testing of enhancements and upgrades. Microsoft Corporation manages and maintains private cloud infrastructure and software.
For more information about AVS, see the Azure VMware Solution documentation.
All provisioned private clouds have vCenter Server, vSAN, vSphere, and NSX-T.
Deploying TAS for VMs to AVS is similar to traditional TAS for VMs deployments on vSphere, but there are a few minor differences due to the way that AVS deploys vSphere components.
To install NSX-T to run with TAS for VMs:
Before deploying TAS for VMs with NSX-T networking, you must have:
BOSH and Tanzu Operations Manager installed and configured on vSphere. For more information, see Deploying Tanzu Operations Manager on vSphere and Configuring BOSH Director on vSphere.
The VMware NSX-T Container Plug-in tile downloaded from Broadcom Support and imported to the Tanzu Operations Manager Installation Dashboard. For information about downloading and importing VMware Tanzu products to the Installation Dashboard, see Adding and Importing Products.
The TAS for VMs tile downloaded from Broadcom Support and imported to the Tanzu Operations Manager Installation Dashboard. The TAS for VMs tile must be configured but not deployed yet. Configure the tile for the first time, but do not click Review Pending Changes or Apply Changes.
The URLs and user credentials for your AVS private cloud vCenter and NSX-T Manager. See Connect to the local vCenter of your private cloud in the AVS documentation.
To set up NSX-T to integrate with TAS for VMs, complete these procedures:
The AVS-deployed NSX-T Manager includes a self-signed TLS certificate with an invalid Subject Alternative Name (SAN). This causes issues when connecting from VMware Tanzu Operations Manager and the BOSH Director, so you must create a new certificate using the NSX-T Manager’s fully qualified domain name (FQDN) or IP address as the new SAN.
For instructions, see Generate and Register the NSX-T Management TLS Certificate and Private Key in the VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) documentation.
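As an added example (not code from the original page or from the TKGI documentation it points to), the shell functions below generate a replacement self-signed certificate whose Subject Alternative Name carries the NSX-T Manager FQDN and IP address, and then check the SAN before the certificate is registered, so that Tanzu Operations Manager and the BOSH Director will accept it. The FQDN nsxt-manager.example.invalid and the address 192.0.2.10 are constructed placeholders, and the functions assume OpenSSL 1.1.1 or later (for the -addext option).

```shell
#!/bin/sh
# Added example, not part of the original page. Mints a replacement TLS
# certificate for NSX-T Manager whose SAN matches the FQDN/IP that Tanzu
# Operations Manager and the BOSH Director connect to, then verifies the SAN.
# Assumptions: OpenSSL 1.1.1+ (-addext); FQDN and IP are placeholders.

# gen_nsxt_cert FQDN IP OUTDIR
# Writes OUTDIR/nsxt.key and OUTDIR/nsxt.crt (self-signed, two-year validity).
gen_nsxt_cert() {
  fqdn=$1; ip=$2; out=$3
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -keyout "$out/nsxt.key" -out "$out/nsxt.crt" \
    -subj "/CN=$fqdn/O=NSX" \
    -addext "subjectAltName=DNS:$fqdn,IP:$ip" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  chmod 600 "$out/nsxt.key"   # the private key must not be readable by others
}

# cert_has_san CERTFILE NAME
# Returns 0 if NAME (in "DNS:host" or "IP Address:addr" form) is listed in
# the certificate's Subject Alternative Name extension, 1 otherwise.
cert_has_san() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    grep -q -F "$2"
}

# Example run (placeholders): generate into ./nsxt-cert and verify both names.
# gen_nsxt_cert nsxt-manager.example.invalid 192.0.2.10 ./nsxt-cert
# cert_has_san ./nsxt-cert/nsxt.crt "DNS:nsxt-manager.example.invalid"
# cert_has_san ./nsxt-cert/nsxt.crt "IP Address:192.0.2.10"
```

Check the SAN with the exact name that the vCenter Config and the NSX-T tile will use for the manager (FQDN or IP); a certificate that lists only the other form still fails hostname verification from the BOSH Director.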
To configure segments:
For each of these networks, create a segment (for example, TAS for VMs-Infrastructure and TAS for VMs-Deployment).
Create T1 routers for TAS for VMs, to connect from the T0 router. For each TAS for VMs network (Infrastructure, Deployment, and so on), create a T1 router as follows:
Configure the router to include the Edge Cluster and Edge Cluster Members. They are required to enable the Load Balancer.
The Infrastructure network router configuration might look like the following image:
Create T1 router downlink ports for TAS for VMs.
For each T1 router you created, add a New Router Port as follows, to allow traffic in and out:
For IP Address, use the first IP of the appropriate subnet. In this example, 192.168.1.0/24 is set aside for Infrastructure (Tanzu Operations Manager and BOSH Director), and 192.168.2.0/24 for the Deployment, so 192.168.1.1 and 192.168.2.1 are used respectively.
Advertise the routes of the T1 routers to the T0 router, so the T0 router can correctly route incoming requests based on their destination IP address:
Expand Route Advertisement.
Navigate to IP Address Pools and create a new IP block for container networking (for example, TAS for VMs-container-ip-block). This IP block name is also used in the VMware NSX-T tile in the NCP section under IP Blocks of Container Networks. Subnets are allocated from this pool to each newly-created org. A /14 CIDR is large enough for ~1,000 Orgs with ~250 apps each. If you are planning such a large foundation, see VMware NSX-T TAS for VMs limits in the VMware documentation.
To configure a load balancer:
Create Active Health Monitors (health checks) for use by the virtual server later on.
In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Monitors > Active Health Monitors.
Create the health monitor for web load balancing:
- Name: pas-web-monitor
- Health Check Protocol: LbHttpMonitor
- HTTP Request Method: GET
- HTTP Request URL: /health
Create the health monitor for TCP load balancing:
- Name: pas-tcp-monitor
- Health Check Protocol: LbHttpMonitor
- Monitoring Port: 80
- HTTP Request Method: GET
- HTTP Request URL: /health
- HTTP Response Code: 200
Create the health monitor for SSH load balancing:
- Name: pas-ssh-monitor
- Health Check Protocol: LbTcpMonitor
- Monitoring Port: 2222
Create server pools (collections of VMs which handle traffic) for use by the virtual server:
In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Server Pools.
Create the server pool for web load balancing:
- Name: pas-web-pool
- SNAT Translation: IP List. The port range 4000 to 64000 applies to all configured SNAT IP addresses, so allocate enough IPs to handle your traffic load. Without enough IPs, the SNAT port range is exhausted.
- Membership: Static
- Active Health Monitor: pas-web-monitor
Create the server pool for TCP load balancing:
- Name: pas-tcp-pool
- SNAT Translation: Transparent
- Membership: Static
- Active Health Monitor: pas-tcp-monitor
Create the server pool for SSH load balancing:
- Name: pas-ssh-pool
- SNAT Translation: Transparent
- Membership: Static
- Active Health Monitor: pas-ssh-monitor
Create virtual servers.
Create the virtual server which forwards unencrypted web (HTTP) traffic to the foundation:
Important: For foundations requiring end-to-end encryption, do not enable the virtual server on port 80 or, if it is enabled, configure it to redirect traffic to the encrypted port (443).
- Name: pas-web-vs
- Application Type: Layer 4 (TCP)
- Application Profile: nsx-default-lb-fast-tcp-profile
- Virtual Server Identifier: the IP address to which *.system.YOUR-SYSTEM-DOMAIN.com resolves
- Ports: 80,443
- Server Pool: pas-web-pool
Create the virtual server which forwards traffic to apps with custom ports to the foundation:
- Name: pas-tcp-vs
- Application Type: Layer 4 (TCP)
- Application Profile: nsx-default-lb-fast-tcp-profile
- Virtual Server Identifier: the IP address to which tcp.apps.YOUR-SYSTEM-DOMAIN.com resolves
- Ports: 1024-1123,5900
- Server Pool: pas-tcp-pool
Create the virtual server which forwards SSH traffic to the foundation:
- Name: pas-ssh-vs
- Application Type: Layer 4 (TCP)
- Application Profile: nsx-default-lb-fast-tcp-profile
- Virtual Server Identifier: the IP address to which ssh.system.YOUR-SYSTEM-DOMAIN.com resolves
- Ports: 2222
- Server Pool: pas-ssh-pool
Create the load balancer.
- Name: pas-lb
- Size: Small, unless you have a larger Foundation
Attach the virtual servers to the load balancer: select the load balancer pas-lb and attach the virtual server pas-web-vs. Repeat this procedure for the Virtual Servers pas-tcp-vs and pas-ssh-vs.
Attach the load balancer to the T1 router T1-Router-TAS for VMs-Deployment.
To enable NSX-T mode in the BOSH Director:
From the Tanzu Operations Manager Installation Dashboard, click the BOSH Director tile.
In the vCenter Configs pane, click the pencil icon for the vCenter Config that you want to edit.
Select NSX Networking.
Configure BOSH Director authentication to the NSX Manager by following the NSX Networking instructions in the Step 2: Configure vCenter section of Configuring BOSH Director on vSphere.
To configure TAS for VMs for external container networking:
If you have not already done so, download the TAS for VMs tile from Broadcom Support and import it to the Installation Dashboard. For instructions, see Adding and Importing Products.
Configure TAS for VMs, following the directions in Configuring TAS for VMs. When you configure Networking, select External under Container networking interface plugin.
Update the server pool membership for the NSX-T load balancers:
Using the server_pools cloud property, create a VM extension for each of the three server pools: pas-web-pool, pas-tcp-pool, and pas-ssh-pool.
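The following shell functions are an added example, not code from the original page or from VMware: they build the cloud_properties payload that enrolls a job's VMs in one of the NSX-T server pools named above and register it as an Ops Manager VM extension. The example assumes the BOSH vSphere CPI cloud property nsxt.lb.server_pools (one name/port entry per pool port) and the om CLI's create-vm-extension command with its --name and --cloud-properties flags; the member ports passed in the usage note are illustrative and must match the ports your pool members actually listen on.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds the cloud_properties
# JSON for an NSX-T server pool membership and registers it as a VM extension.
# Assumptions: vSphere CPI property nsxt.lb.server_pools with {name, port}
# entries, and `om create-vm-extension --name ... --cloud-properties ...`.

# server_pool_cloud_properties POOL-NAME PORT [PORT ...]
# Prints the cloud_properties JSON for one pool, one entry per member port.
# Ports are validated as plain integers so a typo never reaches the API.
server_pool_cloud_properties() {
  pool=$1; shift
  [ $# -gt 0 ] || { echo "at least one port is required" >&2; return 1; }
  entries=""
  for port in "$@"; do
    case $port in
      ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    entries="${entries:+$entries,}{\"name\":\"$pool\",\"port\":$port}"
  done
  printf '{"nsxt":{"lb":{"server_pools":[%s]}}}\n' "$entries"
}

# create_pool_extension POOL-NAME PORT [PORT ...]
# Creates (or replaces) a VM extension with the same name as the pool.
# om reads OM_TARGET, OM_USERNAME and OM_PASSWORD from the environment, so
# credentials never appear on the command line or in shell history.
create_pool_extension() {
  pool=$1
  props=$(server_pool_cloud_properties "$@") || return 1
  om create-vm-extension --name "$pool" --cloud-properties "$props"
}
```

Typical calls are `create_pool_extension pas-ssh-pool 2222` and `create_pool_extension pas-web-pool 80 443`; the TCP pool is created the same way with the ports its members expose. A VM extension only takes effect once it is attached to the relevant job in the tile's Resource Config and the changes are applied.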
To install and configure the NSX-T Container Plug-In tile:
If you have not already done so, download the VMware NSX-T Container Plug-in tile from Broadcom Support and import it to the Installation Dashboard. For instructions, see Adding and Importing Products.
Click the VMware NSX-T tile to open its Settings tab, and configure the NSX Manager pane as follows:
NSX Manager CA Cert: Obtain this certificate from NSX-T Manager as follows: ssh into NSX-T Manager using the admin account that you created when you deployed NSX-T Manager.
Open and configure the NCP (NSX-T Container Plugin) pane as follows:
- Foundation Name: TAS for VMs. If multiple foundations co-exist on the same NSX-T Manager, choose a unique string, such as TAS for VMs-beta. NCP creates artifacts, such as T1 routers, and prefixes their names with this string for easy identification.
- Subnet Prefix of Container Networks: 24. This number must be higher than the mask for all TAS for VMs orgs in the NSX-T Manager New IP Block pane, to define each org's fraction of the total TAS for VMs address space.
In the NSX Node Agent pane, select the Enable Debug Level of Logging for NSX Node Agent check box.
Click Save and return to the Installation Dashboard.
After you have configured both the TAS for VMs tile and the VMware NSX-T tile, click Review Pending Changes, then Apply Changes to deploy TAS for VMs with NSX-T networking.