This topic explains how to install VMware Tanzu Application Service for VMs (TAS for VMs) on VMware Cloud (VMC) on Amazon Web Services (AWS).
VMC provides Software Defined Data Centers (SDDCs) that run on AWS, with a management console for configuring networking rules. The procedures below configure and install TAS for VMs on VMC using public IP addresses for ingress.
To install and configure TAS for VMs on VMC:
- Install Tanzu Operations Manager
- Configure BOSH Director
- Install and Configure TAS for VMs
Prerequisites
Before you install and configure TAS for VMs on VMC:
(Optional) If you plan to connect to the VMC SDDC using a VPN or Direct Connect Virtual Interfaces (VIFs):
Activate browser access to vCenter
By default, ingress to vCenter is not enabled. If you are not connecting over a VPN or Direct Connect, you must create a Management Gateway firewall rule in the SDDC that allows vCenter access from your workstation's public IP address. Keep the source scoped to that single address: this rule exposes the vCenter management interface of the SDDC, so never widen it to Any.
To enable browser access to vCenter:
- Go to the VMC console.
- Select SDDCs.
- Click View Details on your datacenter tile.
- Select Networking & Security, and then select Security.
- Click Gateway Firewall.
- Click Management Gateway.
- Click + Add Rule.
- Name: Enter vCenter Browser Inbound Rule.
- Sources:
  - Click User Defined Groups.
  - Click Add Group.
  - For Group name, enter public ip address.
  - Click Set Members.
  - Select IP Addresses.
  - Enter your public IP address. For example, 66.170.99.1. You can locate your public IP address by navigating to https://ifconfig.me/.
  - Press Enter.
  - Click Apply.
  - Click Save.
- Destinations: Select vCenter and then click Apply.
- Services: Enter HTTPS, ICMP, SSO.
- Click Publish.
Record vCenter credentials
To gather login credentials for the vCenter instance in your SDDC:
- Go to the VMC console.
- Select SDDCs.
- Click Open vCenter on your datacenter tile.
- A dialog box appears with the text: Before you can log into vCenter, you must open network access to vCenter through the management gateway. Choose an option for opening network access.
- Click Show Credentials.
- Record the credentials.
After enabling browser access and recording your vCenter credentials, you can access and authenticate with your cluster’s vCenter server.
Install Tanzu Operations Manager
To install Tanzu Operations Manager on VMC:
- Find the VMC pre-installed network to use for the BOSH infrastructure network:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security.
  - Select Network, and then select Segments.
  - Record the segment name, sddc-cgw-network-1.
  - Record the subnet, 192.168.1.1/24. SDDC combines the gateway IP address and the CIDR prefix into a single value: the gateway is 192.168.1.1 and the network is 192.168.1.0/24.
- If the segment name and subnet are unchanged from these defaults, create a file named options.json with the following contents (ip0 is the address Tanzu Operations Manager takes on the segment):

```json
{
  "NetworkMapping": [
    {
      "Name": "Network 1",
      "Network": "sddc-cgw-network-1"
    }
  ],
  "PropertyMapping": [
    {
      "Key": "ip0",
      "Value": "192.168.1.10"
    },
    {
      "Key": "netmask0",
      "Value": "255.255.255.0"
    },
    {
      "Key": "gateway",
      "Value": "192.168.1.1"
    },
    {
      "Key": "DNS",
      "Value": "8.8.8.8"
    },
    {
      "Key": "ntp_servers",
      "Value": "time.google.com"
    }
  ]
}
```
- Replace the following placeholders in the commands below, then run them to upload the Tanzu Operations Manager OVA to VMC:
  - EXAMPLE-PASSWORD: the vCenter password you recorded in Record vCenter credentials.
  - www.example.com: your vCenter URL.
  - PATH-TO-OPS-MANAGER: the path to your Tanzu Operations Manager OVA file.

```bash
export GOVC_DATACENTER=SDDC-Datacenter
export GOVC_DATASTORE=WorkloadDatastore
export GOVC_RESOURCE_POOL=Compute-ResourcePool
export GOVC_URL='cloudadmin@vmc.local':'EXAMPLE-PASSWORD'@www.example.com
govc library.create tas
govc library.import tas PATH-TO-OPS-MANAGER
govc library.deploy -options options.json /tas/ops-manager-vsphere-2.##.#-build.### ops-manager
govc pool.create /SDDC-Datacenter/host/Cluster-1/Resources/az{1,2,3}
```

  If the password contains characters such as @, : or /, the URL form above breaks. In that case set GOVC_USERNAME and GOVC_PASSWORD separately and leave only the host in GOVC_URL. Either way the password ends up in your shell history and environment, so unset the variables when you are done.

  Note: VMware recommends using govc library.* commands instead of govc import.ova. The govc import.ova commands depend on access to the ESXi hosts, which is not configured by default in VMC. Using them can cause errors like the following: govc: Post "https://10.2.32.4/nfc/5224a51f-114e-4627-8ca8-547c2e2e9488/disk-0.vmdk": dial tcp 10.2.32.4:443: i/o timeout
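The options.json and govc steps above, as one script. This is an added example and is not part of the VMware page or the govc project: it derives the netmask and gateway from the single 192.168.1.1/24 value that SDDC shows, writes options.json, and runs the same govc commands with the password supplied through GOVC_USERNAME and GOVC_PASSWORD rather than embedded in GOVC_URL. The argument order, the deploy subcommand and the az loop are my choices; the datacenter, datastore, resource pool, segment and address values are the page's.

```sh
#!/bin/sh
# Added example (not from the VMware page): build options.json from the SDDC
# segment value and deploy the Tanzu Operations Manager OVA with govc.
# Assumes govc is installed and GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD are
# set; the names and addresses below are the page's example values.
set -eu

# SDDC presents the gateway and prefix length as one value, e.g. 192.168.1.1/24.
segment_gateway() { printf '%s\n' "${1%/*}"; }
segment_prefix()  { printf '%s\n' "${1#*/}"; }

# Convert a prefix length (0-32) to a dotted netmask, e.g. 24 -> 255.255.255.0.
cidr_to_netmask() {
  prefix=$1 mask="" i=0
  while [ "$i" -lt 4 ]; do
    if [ "$prefix" -ge 8 ]; then
      octet=255; prefix=$((prefix - 8))
    else
      octet=$((256 - (1 << (8 - prefix)))); prefix=0
    fi
    mask="${mask}${mask:+.}${octet}"
    i=$((i + 1))
  done
  printf '%s\n' "$mask"
}

# Render the govc deploy options for the "Network 1" mapping.
# $1 = segment value (gateway/prefix), $2 = VM address, $3 = segment name,
# $4 = DNS server, $5 = NTP server.
write_options_json() {
  seg=$1 ip=$2 net=$3 dns=$4 ntp=$5
  gw=$(segment_gateway "$seg")
  mask=$(cidr_to_netmask "$(segment_prefix "$seg")")
  cat <<EOF
{
  "NetworkMapping": [ { "Name": "Network 1", "Network": "$net" } ],
  "PropertyMapping": [
    { "Key": "ip0",         "Value": "$ip" },
    { "Key": "netmask0",    "Value": "$mask" },
    { "Key": "gateway",     "Value": "$gw" },
    { "Key": "DNS",         "Value": "$dns" },
    { "Key": "ntp_servers", "Value": "$ntp" }
  ]
}
EOF
}

# Upload the OVA into a content library, deploy it with the rendered options,
# create the three AZ resource pools, and power the VM on.
# $1 = path to the OVA, $2 = library item name (the OVA file name without .ova)
deploy_ops_manager() {
  ova=$1 item=$2
  [ -r "$ova" ] || { echo "OVA not readable: $ova" >&2; return 1; }
  : "${GOVC_URL:?set GOVC_URL to the vCenter host only}"
  : "${GOVC_USERNAME:?set GOVC_USERNAME}" "${GOVC_PASSWORD:?set GOVC_PASSWORD}"
  export GOVC_DATACENTER=SDDC-Datacenter
  export GOVC_DATASTORE=WorkloadDatastore
  export GOVC_RESOURCE_POOL=Compute-ResourcePool
  govc about >/dev/null      # fails fast if the vCenter firewall rule is missing
  write_options_json 192.168.1.1/24 192.168.1.10 sddc-cgw-network-1 \
    8.8.8.8 time.google.com > options.json
  govc library.create tas
  govc library.import tas "$ova"
  govc library.deploy -options options.json "/tas/$item" ops-manager
  for az in az1 az2 az3; do
    govc pool.create "/SDDC-Datacenter/host/Cluster-1/Resources/$az"
  done
  govc vm.power -on ops-manager
}

# Usage: sh deploy-opsman.sh deploy PATH-TO-OPS-MANAGER ITEM-NAME
if [ "${1:-}" = deploy ]; then
  deploy_ops_manager "$2" "$3"
fi
```

Because the script powers the VM on, the vCenter login and power-on step that follows is only needed to confirm the VM came up with 192.168.1.10.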
- Log in to vCenter and power on the VM:
  - Go to the VMC console.
  - Select SDDCs.
  - Click Open vCenter on your datacenter tile.
  - Select Show Credentials, and then click Open vCenter.
  - Find the Tanzu Operations Manager VM:
    - Open the Hosts & Clusters view.
    - Open Compute-ResourcePool and select the ops-manager VM.
  - Click ▶ to power on the Tanzu Operations Manager VM.
- Create public IP addresses for Tanzu Operations Manager and HAProxy:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security.
  - Select Public IPs, and then select Request New IP.
  - For Notes, enter ops-manager and click Save.
  - Record the IP address. For example, 54.190.190.190.
  - Click Request New IP.
  - For Notes, enter HAProxy and click Save.
  - Record the IP address. For example, 54.180.180.180.
- Create a second network segment to use as the BOSH deployment network:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security.
  - Select Network, and then select Segments.
  - Click Add Segment:
    - For Segment Name, enter bosh-network.
    - For Type, select Routed.
    - For Subnets, enter a subnet. For example, 192.168.2.1/24.
- Assign public IP addresses to Tanzu Operations Manager and HAProxy:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security.
  - Select NAT, and then click Add NAT Rule.
  - For Rule Name, enter ops-manager.
  - For Public IP, enter the IP address you created for Tanzu Operations Manager in a previous step. For example, 54.190.190.190.
  - For Internal IP, enter 192.168.1.10.
  - Click Save.
  - Select Add NAT Rule.
  - For Rule Name, enter HAProxy.
  - For Public IP, enter the IP address you created for HAProxy in a previous step. For example, 54.180.180.180.
  - For Internal IP, enter 192.168.2.2.
  - Click Save.
- Add firewall rules that allow ingress to Tanzu Operations Manager and HAProxy:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security, and then select Security.
  - Select Gateway Firewall, and then Compute Gateway.
  - Click Add Rule.
  - Select the newly-created rule:
    - For Rule Name, enter opsman-ingress.
    - For Sources, select Any.
    - Configure Destinations:
      - Click Add Group.
      - For Group name, enter OM.
      - Click Set Members.
      - Select IP Addresses.
      - Enter the Tanzu Operations Manager internal IP address, 192.168.1.10.
      - Press Enter.
      - Click Apply.
      - Click Save.
      - Click Apply.
    - Click Publish.
  - Click Add Rule.
  - Select the newly-created rule:
    - For Rule Name, enter HAProxy-ingress.
    - For Sources, select Any.
    - Configure Destinations:
      - Click Add Group.
      - For Group name, enter HAProxy.
      - Click Set Members.
      - Select IP Addresses.
      - Enter the HAProxy internal IP address, 192.168.2.2.
      - Press Enter.
      - Click Apply.
      - Click Save.
      - Click Apply.
    - Click Publish.

  With Sources set to Any, the Tanzu Operations Manager login page is reachable from the whole internet through the ops-manager NAT rule. That is convenient for a first walkthrough only. For the opsman-ingress rule, reuse the public ip address group you created for vCenter browser access as the source and restrict Services to HTTPS. HAProxy is the public edge for platform and application traffic and is expected to accept Any.
- Add a firewall rule that allows egress for the 192.168.1.x and 192.168.2.x subnets:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security, and then select Security.
  - Select Gateway Firewall, and then select Compute Gateway.
  - Click Add Rule.
  - Select the newly-created rule:
    - For Rule Name, enter tas-egress.
    - Edit Sources:
      - Click Add Group.
      - For Group name, enter tas.
      - Click Set Members.
      - Select IP Addresses.
      - Enter the first subnet CIDR, 192.168.1.0/24.
      - Press Enter.
      - Enter the second subnet CIDR, 192.168.2.0/24.
      - Press Enter.
      - Click Apply.
      - Click Save.
      - Click Apply.
    - For Destinations, select Any.
    - Click Publish.
- Add a firewall rule that allows ingress to vCenter from the TAS for VMs control plane. The vCenter FQDN resolves to its public address by default, so Tanzu Operations Manager and BOSH Director reach vCenter through the Compute Gateway NAT and arrive at the Management Gateway with public source addresses: the public IP you NATed to Tanzu Operations Manager, and the SDDC's Workloads Compute NAT IP for VMs without a NAT rule of their own, such as BOSH Director. The rule therefore matches those two public addresses:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security, and then select Security.
  - Click Gateway Firewall, and then select Management Gateway.
  - Click Add Rule.
  - Select the newly-created rule:
    - For Rule Name, enter vCenter Inbound Rule.
    - Edit Sources:
      - Click User Defined Groups.
      - Click Add Group.
      - For Group name, enter Tanzu Operations Manager public IP.
      - Click Set Members.
      - Select IP Addresses.
      - Enter your Tanzu Operations Manager public IP address. For example, 54.190.190.190.
      - Press Enter.
      - Click Apply.
      - Click Save.
      - Click Add Group.
      - For Group name, enter Workloads Compute NAT public IP.
      - Click Set Members.
      - Select IP Addresses.
      - Enter your Workloads Compute NAT public IP address. For example, 44.232.216.160. You can locate your Workloads Compute NAT public IP address in the Networking & Security Overview.
      - Press Enter.
      - Click Apply.
      - Click Save.
    - Edit Destinations: Select vCenter and then click Apply.
    - Edit Services: Enter HTTPS, ICMP, SSO.
    - Click Publish.
- Add a firewall rule that allows ingress to ESXi from the TAS for VMs control plane. BOSH uploads stemcells and attaches disks by talking to the ESXi hosts directly over HTTPS (the same NFC path that the govc import.ova note above runs into). The hosts sit on the management network and are reached by private address, so this rule matches the private IPs of Tanzu Operations Manager and BOSH Director:
  - Go to the VMC console.
  - Select SDDCs.
  - Click View Details on your datacenter tile.
  - Select Networking & Security, and then select Security.
  - Click Gateway Firewall, and then select Management Gateway.
  - Click Add Rule.
  - Select the newly-created rule:
    - For Rule Name, enter ESXi Inbound Rule.
    - Edit Sources:
      - Click User Defined Groups.
      - Click Add Group.
      - For Group name, enter Tanzu Operations Manager private IP.
      - Click Set Members.
      - Select IP Addresses.
      - Enter the Tanzu Operations Manager private IP address, 192.168.1.10.
      - Press Enter.
      - Click Apply.
      - Click Save.
      - Click Add Group.
      - For Group name, enter BOSH Director private IP.
      - Click Set Members.
      - Select IP Addresses.
      - Enter the BOSH Director private IP address, 192.168.1.11.
      - Press Enter.
      - Click Apply.
      - Click Save.
    - Edit Destinations: Select ESXi and then click Apply.
    - Edit Services: Enter HTTPS, ICMP, SSO.
    - Click Publish.
Configure BOSH Director
The procedure in this section contains only the configuration information that is specific to VMC. For more information about configuring BOSH on vSphere, see Configuring BOSH Director on vSphere.
When configuring the BOSH Director, do not configure NSX-T networking; select Standard vCenter Networking. To configure BOSH Director for VMC:
- Log in to Tanzu Operations Manager:
  - Go to the public IP address you configured for Tanzu Operations Manager. For example, https://54.190.190.190/. The browser warns about the self-signed certificate on first contact; confirm you are connecting to the address from your ops-manager NAT rule before accepting it.
  - Enter a Username, Password, and Password confirmation to create an Admin user.
  - Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore and is not recoverable. Store it in a password manager: it is required to unlock Tanzu Operations Manager after a reboot and to restore it from an export.
- Select the BOSH Director for vSphere tile and configure BOSH as follows:
  - Settings, then vCenter Config
    - vCenter Host: your vCenter URL. For example, vcenter.sddc-35-162-72-214.vmwarevmc.com.
    - vCenter Username: cloudadmin@vmc.local
    - vCenter Password: Enter the password you gathered from the SDDC.
    - Datacenter Name: Enter SDDC-Datacenter.
    - Virtual Disk Type: Select Thin.
    - Ephemeral Datastore Names: Enter WorkloadDatastore.
    - Persistent Datastore Names: Enter WorkloadDatastore.
    - Select Standard vCenter Networking.
  - Settings, then Director Config
    - NTP Servers: Enter an NTP server of your choice. For example, time.google.com.
  - Settings, then Create Availability Zones
    - az1: Name az1; Clusters: Cluster Cluster-1, Resource Pool az1
    - az2: Name az2; Clusters: Cluster Cluster-1, Resource Pool az2
    - az3: Name az3; Clusters: Cluster Cluster-1, Resource Pool az3
  - Settings, then Create Networks, then Networks
    - infra:
      - Name: infra
      - Subnets:
        - vSphere Network Name: sddc-cgw-network-1
        - CIDR: 192.168.1.0/24
        - Reserved IP Ranges: 192.168.1.1-192.168.1.10
        - DNS: 8.8.8.8
        - Gateway: 192.168.1.1
        - Availability Zones: az1, az2, az3
    - deployment:
      - Name: deployment
      - Subnets:
        - vSphere Network Name: bosh-network
        - CIDR: 192.168.2.0/24
        - Reserved IP Ranges: 192.168.2.1
        - DNS: 8.8.8.8
        - Gateway: 192.168.2.1
        - Availability Zones: az1, az2, az3
    Reserving 192.168.1.1-192.168.1.10 keeps the gateway and Tanzu Operations Manager (192.168.1.10) out of BOSH's pool, so BOSH Director takes 192.168.1.11, the address used in the ESXi Inbound Rule. On the deployment network only the gateway is reserved, so HAProxy takes 192.168.2.2.
  - Settings, then Assign AZs and Networks
    - Singleton Availability Zone: az1
    - Network: infra
  - Settings, then Security
    - Include Tanzu Operations Manager Root CA in Trusted Certs: Select the check box.
- After you finish configuration, click Apply Changes. A warning about the EditCluster permission appears.
- Click Ignore Warnings & Apply Changes. The EditCluster permission is not required.
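The BOSH Director settings above as an om configure-director file, so the same configuration can be reapplied and reviewed without retyping it into the UI and without the vCenter password stored in the file. This is an added example and not from the VMware page or the om project: the YAML key names follow the om configure-director format as I know it and should be verified against your Ops Manager with om staged-director-config after configuring once through the UI; the OM_VAR_vcenter_password variable name and the cloudadmin@vmc.local user are assumptions; all other values are the page's example values.

```sh
#!/bin/sh
# Added example (not from the VMware page): render the BOSH Director
# configuration above as an om configure-director file and apply it.
# Assumes the om CLI is installed. Key names are assumed from the om
# configure-director format; verify with `om staged-director-config`.
set -eu

# Render director.yml. $1 = vCenter host name. The vCenter password is left
# as an om variable and supplied at apply time, never written to the file.
render_director_config() {
  vcenter_host=$1
  cat <<EOF
az-configuration:
- name: az1
  clusters:
  - cluster: Cluster-1
    resource_pool: az1
- name: az2
  clusters:
  - cluster: Cluster-1
    resource_pool: az2
- name: az3
  clusters:
  - cluster: Cluster-1
    resource_pool: az3
networks-configuration:
  networks:
  - name: infra
    subnets:
    - iaas_identifier: sddc-cgw-network-1
      cidr: 192.168.1.0/24
      reserved_ip_ranges: 192.168.1.1-192.168.1.10
      dns: 8.8.8.8
      gateway: 192.168.1.1
      availability_zone_names: [az1, az2, az3]
  - name: deployment
    subnets:
    - iaas_identifier: bosh-network
      cidr: 192.168.2.0/24
      reserved_ip_ranges: 192.168.2.1
      dns: 8.8.8.8
      gateway: 192.168.2.1
      availability_zone_names: [az1, az2, az3]
network-assignment:
  network:
    name: infra
  singleton_availability_zone:
    name: az1
properties-configuration:
  director_configuration:
    ntp_servers_string: time.google.com
  iaas_configuration:
    vcenter_host: $vcenter_host
    vcenter_username: cloudadmin@vmc.local
    vcenter_password: ((vcenter_password))
    datacenter: SDDC-Datacenter
    disk_type: thin
    ephemeral_datastores_string: WorkloadDatastore
    persistent_datastores_string: WorkloadDatastore
    nsx_networking_enabled: false
  security_configuration:
    opsmanager_root_ca_trusted_certs: true
EOF
}

# Apply the file. OM_TARGET, OM_USERNAME and OM_PASSWORD are om's own
# environment variables; ((vcenter_password)) is filled from
# OM_VAR_vcenter_password through --vars-env, so the secret stays out of
# director.yml and out of the command line.
apply_director_config() {
  : "${OM_TARGET:?e.g. https://54.190.190.190}" "${OM_USERNAME:?}" "${OM_PASSWORD:?}"
  : "${OM_VAR_vcenter_password:?vCenter password from the SDDC console}"
  export OM_SKIP_SSL_VALIDATION=true   # Ops Manager still has its self-signed cert
  render_director_config "$1" > director.yml
  om configure-director --config director.yml --vars-env OM_VAR
}

# Usage: OM_VAR_vcenter_password=... sh director.sh apply vcenter.sddc-35-162-72-214.vmwarevmc.com
if [ "${1:-}" = apply ]; then apply_director_config "$2"; fi
```

After a successful apply, om staged-director-config prints the configuration Ops Manager actually holds; compare it with director.yml to catch any key that your Ops Manager version names differently.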
Install TAS for VMs
To configure TAS for VMs for VMC:
- Configure the TAS for VMs tile as follows:
  - Settings, then Assign AZs and Networks
    - Network: Select deployment.
    - Click Save.
  - Settings, then Domains
    - Set up a wildcard domain and ensure that it maps to the HAProxy public IP address you configured earlier. For example, using nip.io, a public DNS service that resolves any name containing an IP address to that address:
      - System domain: sys.54.180.180.180.nip.io
      - Apps domain: run.54.180.180.180.nip.io
  - Settings, then Networking
    - Set the HAProxy IP address to the one you specified in the NAT rule, 192.168.2.2. This is the first available IP address in the deployment network, because 192.168.2.1 is reserved for the gateway.
    - Generate a certificate for the Gorouter and HAProxy:
      - Certificates and private keys for the Gorouter and HAProxy: Click Add.
      - Name: haproxy cert
      - Click Generate RSA Certificate.
      - Add wildcard entries for your system and apps domains, separated by a comma. For example, *.sys.54.180.180.180.nip.io,*.run.54.180.180.180.nip.io.
      The generated certificate is signed by the Tanzu Operations Manager CA, so browsers and the cf CLI do not trust it unless you import that CA or skip validation. Replace it with a certificate from a CA your clients trust for anything beyond a lab.
    - Set HAProxy as the TLS termination point:
      - TLS Termination: HAProxy
    - Deactivate TLS forwarding for HAProxy:
      - HAProxy forwards all requests to the Gorouter over TLS: Click Disable.
      With this setting, traffic between HAProxy (192.168.2.2) and the Gorouter crosses the deployment network in plaintext after TLS terminates at HAProxy. That is acceptable for this walkthrough; for a production deployment keep forwarding over TLS enabled and give the Gorouter a certificate that HAProxy trusts.
  - Settings, then UAA
    - For UAA configuration, generate a SAML certificate for *.login.SYSTEM-DOMAIN:
      - SAML service provider credentials: Click Generate RSA Certificate.
      - Enter your domain. For example, *.login.sys.54.180.180.180.nip.io
      - Click Generate.
  - Settings, then Resource Config
    - Scale HAProxy up to one instance:
      - HAProxy: Set Instances to 1.
      - Click Save.
- After you finish configuration, click Apply Changes. The same warning about the EditCluster permission appears again.
- Click Ignore Warnings & Apply Changes. The EditCluster permission is not required.
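A check script to run from your workstation after Apply Changes, covering both the NAT and firewall rules from Install Tanzu Operations Manager and the domain and TLS settings above: it confirms that the nip.io domains encode the HAProxy public IP from the NAT rule, that Tanzu Operations Manager answers on its public IP, and that the certificate HAProxy presents carries both wildcard SANs. This is an added example and not from the VMware page; the default addresses are the page's example values, the environment variable names and the api.SYSTEM-DOMAIN/v2/info probe are my choices, and it requires curl, openssl and awk.

```sh
#!/bin/sh
# Added example (not from the VMware page): verify NAT, firewall and TLS
# settings from outside the SDDC. Defaults are the page's example values;
# override them with environment variables of the same name.
set -eu

OPSMAN_PUBLIC_IP="${OPSMAN_PUBLIC_IP:-54.190.190.190}"
HAPROXY_PUBLIC_IP="${HAPROXY_PUBLIC_IP:-54.180.180.180}"
SYSTEM_DOMAIN="${SYSTEM_DOMAIN:-sys.${HAPROXY_PUBLIC_IP}.nip.io}"
APPS_DOMAIN="${APPS_DOMAIN:-run.${HAPROXY_PUBLIC_IP}.nip.io}"

# nip.io resolves <anything>.<a>.<b>.<c>.<d>.nip.io to a.b.c.d, so the address
# a domain points at can be read straight out of the name. Prints nothing for
# names that are not of that form.
nipio_ip() {
  printf '%s\n' "$1" | awk -F. '
    NF >= 6 && $(NF-1) == "nip" && $NF == "io" &&
    $(NF-5) ~ /^[0-9]+$/ && $(NF-4) ~ /^[0-9]+$/ &&
    $(NF-3) ~ /^[0-9]+$/ && $(NF-2) ~ /^[0-9]+$/ {
      print $(NF-5) "." $(NF-4) "." $(NF-3) "." $(NF-2)
    }'
}

# True when the wildcard domain encodes the HAProxy public IP from the NAT rule.
domain_targets_ip() { [ "$(nipio_ip "$1")" = "$2" ]; }

# Fetch the leaf certificate a TLS endpoint presents for a given SNI name.
# $1 = host or IP to connect to, $2 = server name to send
fetch_cert() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -text
}

# True when the certificate text carries the expected DNS SAN (fixed-string
# match, because the SAN contains a literal "*").
cert_has_san() { printf '%s\n' "$1" | grep -qF "DNS:$2"; }

run_checks() {
  for d in "$SYSTEM_DOMAIN" "$APPS_DOMAIN"; do
    domain_targets_ip "$d" "$HAPROXY_PUBLIC_IP" \
      || { echo "FAIL: $d does not encode HAProxy IP $HAPROXY_PUBLIC_IP" >&2; return 1; }
  done
  # Ops Manager: the opsman-ingress rule plus the ops-manager NAT rule should
  # produce an HTTPS answer; curl reports 000 when nothing answers.
  code=$(curl -sk --max-time 10 -o /dev/null -w '%{http_code}' "https://$OPSMAN_PUBLIC_IP/" || true)
  [ "$code" != 000 ] || { echo "FAIL: no HTTPS answer from Ops Manager at $OPSMAN_PUBLIC_IP" >&2; return 1; }
  # HAProxy: the generated certificate must cover *.sys and *.run.
  cert=$(fetch_cert "$HAPROXY_PUBLIC_IP" "api.$SYSTEM_DOMAIN" || true)
  for san in "*.$SYSTEM_DOMAIN" "*.$APPS_DOMAIN"; do
    cert_has_san "$cert" "$san" || { echo "FAIL: HAProxy cert lacks SAN $san" >&2; return 1; }
  done
  # The Cloud Controller API should be reachable behind HAProxy.
  curl -sk --max-time 10 "https://api.$SYSTEM_DOMAIN/v2/info" | grep -q '"api_version"' \
    || { echo "FAIL: api.$SYSTEM_DOMAIN/v2/info did not answer" >&2; return 1; }
  echo "OK: NAT, firewall and TLS checks passed"
}

# Usage: sh check-tas.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

The -k flag is there only because the HAProxy certificate is signed by the Tanzu Operations Manager CA; once you replace it with a trusted certificate, drop -k so the check also fails on a wrong or expired certificate.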