Use these instructions to install the Isolation Segment tile, which allows you to isolate deployment workloads into dedicated resource pools called isolation segments.

Installing the tile installs a single isolation segment. However, you can install multiple isolation segments using the Replicator tool shown in Step 4.

After you install the tile, you must follow the procedure in Register an isolation segment in Managing isolation segments to create the isolation segment in the Cloud Controller database (CCDB). The topic also includes information about managing an isolation segment.

For more information about how isolation segments work, see Isolation segments in TAS for VMs Security.

Step 1: Configure routing (Optional)

By default, the VMware Tanzu Application Service for VMs (TAS for VMs) Gorouter handles traffic for your isolation segment. However, you can deploy a dedicated Gorouter for your isolation segment instead. For information about configuring and managing routing for isolation segments, see Routing for isolation segments.

To deploy a dedicated Gorouter:

  1. Add a load balancer in front of the TAS for VMs Gorouter. The steps to do this depend on your IaaS, but the setup of the load balancer must mirror the setup of the load balancer for the TAS for VMs Gorouter that you configured in the TAS for VMs tile.

  2. Create a wildcard DNS entry for traffic routed to any app in the isolation segment. For example, *.iso.example.com.

  3. Attach the wildcard DNS entry to the load balancer you created.

Step 2: Install the tile

To install the Isolation Segment tile:

  1. Download the product file from the Isolation Segment page of Broadcom Support.

  2. Go to your Tanzu Operations Manager URL in a browser to log in to the Tanzu Operations Manager Installation Dashboard.

  3. Click Import a Product and select the downloaded product file.

  4. Under Isolation Segment in the left column, click the + icon.

Step 3: Configure the tile

Click the orange Isolation Segment tile to start the configuration process.

Assign AZs and networks

In the Assign AZ and Networks pane, you assign jobs to your Availability Zones (AZs) and networks.

To configure the Assign AZ and Networks pane:

  1. Select Assign AZs and Networks.

  2. Select an AZ for your singleton jobs, and one or more AZs to balance other jobs in.

  3. Select a network. This network does not need to be the same network where you deployed TAS for VMs. For most deployments, operators can create unique networks in which to deploy the Isolation Segment tile. These networks can maintain network reach with the Diego components because the Diego Cells can reach the Diego Brain and Diego Database VMs.

  4. Click Save.

Configure networking

In the Networking pane, you configure security and routing services for your IaaS.

To configure the Networking pane:

  1. Select Networking.
  2. (Optional) Under Gorouter IPs, enter one or more static IP addresses for the Gorouters that handle this isolation segment. These IP addresses must be within the subnet CIDR block that you defined in the Tanzu Operations Manager network configuration for your isolation segment. If you have a load balancer, configure it to point to these IP addresses.

    Note Entering the static IP addresses is not necessary for deployments running on a public IaaS such as AWS, GCP, or Azure because users specify the IaaS load balancer in the Resource Config pane of the Isolation Segment tile.

  3. Under Certificates and private keys for the Gorouter, you must provide at least one certificate and private key pair for the Gorouter. The Gorouter is configured to receive TLS communication by default. You can configure multiple certificates for the Gorouter.

    Important When providing custom certificates, enter them in this order: wildcard, Intermediate, CA. For more information, see the DigiCert documentation.

    1. To configure a certificate and private key for the Gorouter:
      1. Click Add. The Gorouter uses the certificate you configure as the default certificate.
      2. For Name, enter a human-readable name that describes the use of this certificate.
      3. For Certificate and private key, choose one of the following options:
        • Enter a certificate signed by a Certificate Authority (CA).
        • Click Generate RSA Certificate. Clicking this link causes the Tanzu Operations Manager CA to automatically generate a certificate.
        For the values to use, see Providing a Certificate for your TLS termination point.

        Note If you configured your Tanzu Operations Manager front end without a certificate, you can use this new certificate to finish configuring Tanzu Operations Manager. To configure your Tanzu Operations Manager front end certificate, see the Tanzu Operations Manager documentation.

    2. (Optional) To configure multiple certificates for the Gorouter:
      1. For each additional certificate and key pair, click Add.
      2. Configure the fields you configured for the first certificate and key pair in the previous step. For more information about generating certificates in Tanzu Operations Manager for your wildcard system domains, see Providing a Certificate for Your TLS Termination Point.

        3. Important Ensure that you add any certificates that you generate in this pane to your infrastructure load balancer.

  4. (Optional) When validating requests using mutual TLS to back ends and route services, the Gorouter trusts multiple CAs by default. To configure which CA certificates Gorouter trusts, choose one of the following options:
    • For backwards compatibility with older versions of Isolation Segment:
      1. Under Trusted CAs for client requests, select Trust the same CAs used for back ends and route services.
    • If you want the Gorouter to trust a particular set of CAs only:
      1. Under Trusted CAs for client requests, select Only trust the following CAs.
      2. For Trusted client CAs, enter the CAs you want the Gorouter to trust. The CAs you provide in this field are the only CAs that the Gorouter trusts for client requests. The Gorouter does not trust any well-known CAs that are provided with the stemcell.
  5. Under TLS versions, select the range of TLS versions to use in Gorouter communications. The Gorouter supports TLS v1.2 to TLS v1.3 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the Gorouter, see TLS cipher suite support in Securing traffic into TAS for VMs.
  6. (Optional) Under Load balancing algorithm, select either Round-robin or Least-connection as your load balancing algorithm for the Gorouter. Round-robin is selected by default, and VMware recommends this option for most use cases. Some use cases, such as those where apps have long-lived connections, might benefit from the least-connection algorithm. For more information, see Router balancing algorithm in HTTP Routing.
  7. Under Client IP logging, Log client IPs is selected by default. To comply with the General Data Protection Regulation (GDPR), select one of the following options:
    • If your load balancer exposes its own source IP address, select Do not log X-Forwarded-For header.
    • If your load balancer exposes the source IP address of the originating client, select Do not log source IP or X-Forwarded-For header.
  8. Under TLS termination point, configure how TAS for VMs handles x-forwarded-client-cert (XFCC) HTTP headers based on where TLS is terminated for the first time in your deployment. The table below indicates which option to choose based on your deployment configuration:
    Deployment Configuration TLS Option Additional Notes
    • The load balancer is terminating TLS, and
    • The load balancer is configured to put the client certificate from a mutual authentication TLS handshake into the X-Forwarded-Client-Cert HTTP header
    		 Infrastructure load balancer The Gorouter forwards the XFCC header when included in the request.
    • The load balancer is configured to pass through the TLS handshake through TCP to instances of the Gorouter
    		 Gorouter The Gorouter strips the XFCC header if it is included in the request and forwards the client certificate received in the TLS handshake in a new XFCC header.

    Caution If you select the The Gorouter does not request client certificates option in the Gorouter behavior for client certificate validation field, the XFCC header cannot be delivered to apps.

    For a description of the behavior of each configuration option, see Forward Client Certificate to Apps in HTTP Routing.
  9. To configure Gorouter behavior for handling client certificates, select one of the following options under Gorouter behavior for client certificate validation:
    • The Gorouter does not request client certificates: The Gorouter does not request client certificates, so the client does not provide them, and the Gorouter does not validate them. This option is incompatible with configuring the Gorouter as your TLS termination point, which requires mutual authentication.
    • The Gorouter requests but does not require client certificates: The Gorouter requests client certificates in TLS handshakes and validates them when they are presented, but does not require them. This option is configured by default.
    • The Gorouter requires client certificates: The Gorouter validates that the client certificate is signed by a Certificate Authority (CA) that the Gorouter trusts. If the Gorouter cannot validate the client certificate, the TLS handshake fails.

    Requests to the platform fail upon upgrade if your load balancer is configured with client certificates and the Gorouter is not configured with the appropriate CA. To mitigate this issue, select The Gorouter does not request client certificates.

  10. In the TLS cipher suites for the Gorouter field, review the TLS cipher suites for TLS handshakes between the Gorouter and front end clients such as load balancers. The default value for this field is ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

    To modify the default configuration, use an ordered, colon-separated list of Golang-supported TLS cipher suites in the OpenSSL format. This field does not apply to TLS v1.3. For TLS v1.3, the Gorouter only uses a set of default ciphers, and this is not configurable.

    Verify that the ciphers are supported by any clients or front end components that initiate TLS handshakes with the Gorouter. For a list of TLS ciphers supported by the Gorouter, see TLS Cipher Suite Support in Securing Traffic into TAS for VMs.

    Verify that every client participating in TLS handshakes with the Gorouter has at least one cipher suite in common with the Gorouter.

    Important Specify cipher suites that are supported by the versions configured under Select the range of TLS versions supported by the Gorouter. For example, TLS v1.3 does not support configuring cipher suites. If you select TLSv1.3 only, you cannot configure cipher suites for the Gorouter.

    AWS Classic Load Balancers do not support the TAS for VMs default cipher suites. For more information about configuring your AWS load balancers and Gorouter, see TLS Cipher suite support by AWS load balancers in Securing traffic into TAS for VMs.
  11. (Optional) If you want the Gorouter to reject any unencrypted traffic, select the Reject HTTP requests check box. When this check box is selected, the Gorouter does not listen on port 80.
  12. (Optional) To configure the Gorouter to only generate secure cookies, select the Do not use insecure cookies check box.
  13. (Optional) To deactivate the addition of Zipkin tracing headers on the Gorouter, deselect the Enable Zipkin tracing headers on the Gorouter check box. Zipkin tracing headers are enabled by default. For more information about using Zipkin trace logging headers, see HTTP headers for zipkin tracing in HTTP routing.
  14. (Optional) To activate the addition of W3C tracing headers on the Gorouter, select the Add W3C tracing headers check box. W3C tracing headers are disabled by default. Specify W3C tracing tenant ID name in W3C tenant ID field. If specified, the tracestate identifier will be "tenant-id@gorouter" where "tenant-id" is the value specified. If not specified, the tracestate identifier will be "gorouter." For more information about using W3C trace logging headers, see HTTP headers for W3C tracing in HTTP routing.
  15. (Optional) The Allow the Gorouter to write access logs locally check box is selected by default. VMware recommends deselecting this check box for high-traffic deployments, since logs might not be rotated fast enough and can fill up the disk.
  16. (Optional) By default, the Gorouter does not accept PROXY requests. To configure the Gorouter to accept PROXY requests, select the Accept PROXY requests check box. When you select this check box, client-side load balancers that stop TLS but do not support HTTP can pass along information from the originating client using the PROXY protocol. Configuring this option might impact Gorouter performance. For more information about configuring the Gorouter to accept PROXY requests, see the About HTTP header forwarding sections in Securing Traffic into TAS for VMs.
  17. Selecting the Bypass security checks for route service lookup check box might create security concerns. However, you might need to select this check box for backwards compatibility. For more information, see Route Services.
  18. (Optional) To limit the number of app connections to the back end, enter a value in Maximum connections per back end. Configuring this field allows you to prevent a poorly-behaving app from impacting other apps. To allow an unlimited number of app connections to the back end, enter either 0 or no value. The default value is 500.

    To determine a value to configure in this field, review the highest number of concurrent connections that instances of the most popular apps in your deployment have received. You can determine the number of concurrent connections for an app by reviewing the httpStartStop event metrics emitted for each app request. If your deployment uses App Metrics, you can also find this information in your App Metrics deployment. For more information, see the App Metrics documentation.
  19. Under Keep-alive connections, select one of the following options:
    • Allow: The Gorouter maintains TCP connections after receiving an HTTP response. This option is selected by default.
    • Do not allow: The Gorouter closes TCP connections after receiving an HTTP response.
    For more information, see Keep-alive connections in HTTP Routing.
  20. (Optional) For Back end request timeout and idle timeout, enter in seconds the amount of time that requests between the Gorouter and apps are allowed to remain idle before being closed. The default value is 900. To accommodate larger uploads over connections with high latency, increase the value.
  21. (Optional) To configure whether the Gorouter shows or hides GET request query parameters in access logs, select one of the following options under Query parameter logging in Gorouter access logs:
    • Log query parameters: The Gorouter logs all query paramaters without altering them.

      • CautionIf you select this option, GET request query parameters in Gorouter access logs might contain sensitive information.

    • Log a hash of query parameters: The Gorouter hashes all query paramaters.
    • Do not log query parameters: The Gorouter hides all query paramaters.
  22. (Optional) Increase the value of Load balancer unhealthy threshold to specify the amount of time, in seconds, that the Gorouter continues to accept connections before shutting down. During this period, health checks might report the Gorouter as unhealthy, which causes load balancers to failover to other Gorouters. Configure a value that is greater than or equal to the maximum time it takes your load balancer to consider a Gorouter instance unhealthy, given repeated failed health checks.
  23. (Optional) Modify the value of Load balancer healthy threshold. This field specifies the amount of time, in seconds, to wait until declaring the Gorouter instance started. This allows an external load balancer enough time to register the Gorouter instance as healthy.
  24. (Optional) If app developers in your organization want certain HTTP request headers to appear in their app logs with information from the Gorouter, enter them as a comma-separated list under HTTP headers to log. For example, to support app developers that deploy Spring apps to TAS for VMs, you can enter Spring-specific HTTP request headers.

    The Gorouter always logs the following HTTP request headers:
    • Referer
    • User-Agent
    • X-Forwarded-For
    • X-Forwarded-Proto
    • X-Vcap-Request-ID
  25. For **Maximum request header size**, enter the maximum total size (in KB) that all headers in a request to the Gorouter can have combined, including header keys, header values, and all values in the request line. Configuring this field allows TAS for VMs to prevent denial-of-service attacks from requests with large headers. Requests with headers that exceed this limit cause a `431` status code. Enter a value between `1` and `1024`. VMware recommends configuring a limit of `48`. To account for backwards compatibility, you can configure a higher limit, if required. Configuring this field does not limit the size of the request body.
  26. For DNS search domains, enter the domains for your app containers to use as DNS search domains as a comma-separated list. Your containers append these search domains to host names to resolve them into full domain names.
  27. The Enforce Silk network policy check box is selected by default. To deactivate Silk network policy enforcement between apps, deselect this check box. Deactivating network policy enforcement allows all apps to send network traffic to all other apps in the foundation, despite no policy specifically allowing it.
  28. (Optional) For additional security, under HTTP response headers to remove, enter headers that you want the Gorouter to remove from app responses in the Header name field.
  29. (Optional) Under Sticky session cookies, enter one or more sticky session cookie names in the Cookie name field. The default cookie name is JSESSIONID. Some apps require a different cookie name. For example, Spring WebFlux requires SESSION for the cookie name. Gorouter uses these cookies to support session affinity, or sticky sessions. For more information, see Session Affinity in HTTP Routing.
  30. Click Save.

Configure app containers

In the App Containers pane, you enable microservice frameworks, private Docker registries, and other services that support your apps at the container level.

To configure the App Containers pane:

  1. Select App Containers.

  2. (Optional) To give apps that generally stay within their CPU entitlements priority access to extra CPU during CPU bursts, activate the Allow CPU burst optimization check box. This check box is activated by default. When this check box is activated, apps that generally stay within their CPU entitlements have higher-priority access to extra CPU than apps that generally exceed their CPU entitlements. When this check box is deactivated, all apps have equal access to extra CPU during CPU bursts. Whether you activate or deactivate this check box, all apps are always guaranteed the amount of CPU that is within their CPU entitlements.

  3. Choose how the Gorouter verifies app identity to activate encryption and prevent misrouting under Gorouter app identity verification:

    • The Gorouter uses TLS to verify app identity: Activates the Gorouter to verify app identity using TLS. This is the default option.
    • The Gorouter and apps use mutual TLS to verify each other’s identity: Activates your apps and the Gorouter to verify each other’s identity using mutual TLS (mTLS). This option deactivates TCP routing because app containers accept incoming communication only from the Gorouter.

    For more information, see Preventing Misrouting in HTTP Routing.

  4. (Optional) You can configure TAS for VMs to run app instances in Docker containers by provided a comma-separated list of their IP address ranges in the Docker registry allow list field. For more information, see Using Docker Registries.

  5. Select your preference for disk cleanup scheduling. If you choose Clean up disk space once usage fills disk, enter a value in MB for Reserved disk space for other jobs. This is the amount of space the garbage collection algorithm must keep free for other jobs. For more information about the configuration options and how to configure a reserved amount, see Configuring Diego Cell Disk Cleanup Scheduling.

  6. The Allow containerd delegation check box governs whether or not Garden delegates containers create and destroy operations to the containerd tool. By default, this option is activated and Garden uses containerd. Deactivate this option by deselecting the check box. For more information about the containerd tool, see containerd.

  7. Under NFSv3 volume services, select Allow or Do not allow. NFS volume services allow app developers to bind existing NFS volumes to their apps for shared file access. For more information, see Enabling Volume Services.

    Important In a fresh installation, NFSv3 volume services are activated by default. In an upgrade, NFSv3 volume services is set to the same setting as it was in the previous deployment.

  8. (Optional) To configure LDAP for NFSv3 volume services:

    • For LDAP service account user, enter the user name of the service account in LDAP that manages volume services.
    • For LDAP service account password, enter the password for the service account.
    • For LDAP server host, enter the hostname or IP address of the LDAP server.
    • For LDAP server port, enter the LDAP server port number. The default port is 389.
    • For LDAP user search base, enter the location in the LDAP directory tree from which any LDAP user search begins. The typical LDAP search base matches your domain name.
      For example, a domain named cloud.example.com typically uses the following LDAP user search base: ou=Users,dc=example,dc=com.
    • (Optional) For LDAP server CA certificate, you can enter a certificate if your LDAP server supports TLS and you want to enable TLS connections from the NFS driver to your LDAP server. This is the CA certificate that your LDAP server uses to verify the TLS certificates for NFS. Paste in the root certificate from your CA certificate or your self-signed certificate.

    ImportantUAA can only parse one certificate entered into this field. If you enter multiple certificates, UAA only uses the first one you entered and ignores the rest. You only need to include one root certificate or self-signed certificate.

  9. (Optional) To limit the number of log lines each app instance in your isolation segment can generate per second, select Enable under App log rate limit (deprecated) and enter an integer for Maximum app log lines per second. At minimum, VMware recommends using the default limit of 100. This feature is deactivated by default.

    Note This method of limiting log output from applications is deprecated. VMware recommends using the log rate limiting quota feature which provides more granular control over application log output.

  10. Click Save.

Configure system logging

In the System Logging pane, you can configure system logging in TAS for VMs to forward log messages from TAS for VMs component VMs to an external service. VMware recommends forwarding logs to an external service for use in troubleshooting. If you do not fill these fields, platform logs are not forwarded but remain available on the component VMs and for download through Tanzu Operations Manager.

To configure the System Logging pane:

  1. Select System Logging.

  2. Select an option under Configure syslog for system components?. Do not use** is selected by default. This setting only affects Diego Cell and Gorouter components within the isolation segment. This setting does not affect shared TAS for VMs system components.

  3. To use syslog, select Use.

  4. Enter the address of your external syslog aggregation service in the Syslog server address field. The address can be a hostname or IP address.

  5. Enter a port number in the Syslog server port field.

  6. Select a protocol from the Transport protocol menu. This is the protocol the system uses to transmit logs to syslog.

  7. (Optional) To transmit logs over TLS, select the Enable TLS check box.

  8. Enter a Permitted peer. This is the SHA1 fingerprint of the remote peer.

  9. Paste the certificate for your TLS certificate authority (CA) in the TLS CA certificate field.

  10. (Optional) Activate the Use TCP for file forwarding local transport check box to transmit logs over TCP. This prevents log truncation, but might cause performance issues.

  11. (Optional) The Do not forward debug logs check box is activated by default. To forward DEBUG syslog messages to an external service, deactivate the check box.

    Some Isolation Segment components generate a high volume of DEBUG syslog messages. Activating the Do not forward debug logs check box prevents TAS for VMs components from forwarding the DEBUG syslog messages to external services. However, Isolation Segment still writes the messages to the local disk.

  12. (Optional) To specify a custom syslog rule, enter it in the Custom rsyslog configuration field in RainerScript syntax. For more information about customizing syslog rules, see Customizing Syslog Rules. For more information about RainerScript, see the RainerScript documentation.

  13. (Optional) For OpenTelemetry Collector Metric Exporters (beta), the default value is empty, which deactivates the beta OpenTelemetry Aggregate Metric Egress support. To configure the Isolation Segment tile to send metrics over the OpenTelemetry protocol, enter valid OpenTelemetry Collector Exporter YAML configuration in this field. See Configuring the OpenTelemetry Collector for examples of how to configure exporters. Currently the Isolation Segment tile provides support for a limited number of OpenTelemetry Collector Exporters, including the OTLP exporter. This feature is in beta and may still change in significant ways.

CautionIf you configure a metric exporter that listens on a port, ensure that the port is not claimed by a Isolation Segment component on any of the VMs in your deployment.

  1. Click Save.

Configure advanced features

The Advanced Features pane includes new capabilities that might have certain constraints. Although these features are fully supported, VMware recommends caution when using them in production environments.

Do not deploy Diego Cells

If you intend to deploy Diego Cells only through one or more isolation segment deployments, use this option to remove all Diego Cells from the TAS for VMs deployment. You might wish to do this to completely separate updates to Diego Cells from updates to the rest of the TAS for VMs deployment.

Important At least one isolation segment must deploy non-isolated Diego cell VMs so that the TAS for VMs installation has the shared Diego cells that are necessary to host system components that run as apps. Do not deploy app-based system components or run smoke-test errands until the non-isolated Diego cells in these isolation segment deployments are present.

Diego Cell memory and disk overcommit

If your apps do not use the full allocation of disk space and memory set in the Resource Config tab, you might want use this feature. These fields control the amount to overcommit disk and memory resources to each Diego Cell VM.

For example, you might want to use the overcommit if your apps use a small amount of disk and memory capacity compared to the amounts set in the Resource Config settings for Diego Cell.

Note Due to the risk of app failure and the deployment-specific nature of disk and memory use, VMware has no recommendation for how much, if any, memory or disk space to overcommit.

To use overcommit:

  1. Select Advanced Features.

  2. In the Diego Cell memory capacity field, enter in MB the total desired amount of Diego Cell memory. See the Diego Cell row in the Resource Config tab for the current Diego Cell memory capacity settings that this field overrides.

  3. In the Diego Cell disk capacity field, enter in MB the total desired amount of Diego Cell disk capacity. See the Diego Cell row in the Resource Config tab for the current Diego Cell disk capacity settings that this field overrides.

  4. Click Save.

Important Entries made to each of these two fields set the total amount of resources allocated, not the overage.

App graceful shutdown period

If your apps require a longer period of time to finish in-flight jobs and gracefully shut down, you can increase the graceful shutdown period. By default, this graceful shutdown period is set to 10 seconds.

When TAS for VMs requests a shutdown of an app, the processes in the container have a period of time to gracefully shut down before the processes are forcefully terminated. For more information, see Shutdown in App Container Lifecycle.

If you significantly increase the value of the graceful shutdown period, platform upgrades and updates might become slower. This is because each Diego Cell uses the graceful shutdown period when it is cleaning up evacuated app instances and waits for each app to gracefully shut down.

VMware recommends using isolation segments to separate apps that have different shutdown requirements to ensure Diego Cell update times are reliable.

Caution To avoid unexpected behavior, you must ensure that App graceful shutdown period has the same value in all environments that have deployed apps.

To increase the app graceful shutdown period:

  1. Select Advanced Features.

  2. In the App graceful shutdown period field, enter the number of seconds that you want the platform to wait for an app instance to exit after it is signaled to gracefully shut down. The default and minimum value is 10.

  3. Click Save.

SMB volume services

Configuring TAS for VMs to deploy SMB volume services allows developers to bind existing SMB shares to their apps for shared file access.

To configure TAS for VMs to deploy SMB volume services:

  1. Select Advanced Features.

  2. Select the Enable SMB volume services check box.

  3. Click Save.

  4. Select Errands.

  5. Set the SMB Broker Errand to On.

  6. Click Save.

For more information about SMB volume services, see Enabling volume services.

Configure compute and networking Isolation

In the Compute and Networking Isolation pane, you can activate or deactivate compute isolation and configure Gorouter sharding for isolation segments.

Compute isolation is when an app runs on compute resources, such as clusters, resource pools, and servers, that are isolated from other resources by a network partition or firewall.

Networking isolation, or Gorouter sharding, is when traffic to an app instance uses a dedicated route that is isolated from routes used by other app instances by a network partition or firewall rule.

In the Isolation Segment tile, you cannot deactivate compute isolation and activate networking isolation at the same time. This is because networking isolation configures the route by which traffic goes to the Isolation Segment tile. Both compute and networking isolation are activated by default.

Options for configuring compute and networking isolation

The following table describes the ways VMware recommends configuring the Compute and Networking Isolation pane and the Requests to isolation segments property in the Networking pane of the TAS for VMs tile:

Use case Compute isolation Gorouter sharding mode Requests to isolation segments Other requirements Scaling recommendations
Use compute isolation and network isolation Enabled Isolation segment only Reject requests for all isolation segments Isolation Segment has its own load balancer and uses a different domain from TAS for VMs Apps in the isolation segment can have their own Diego Cells and Gorouters.
Use compute isolation and extra Isolation Segment Gorouters Enabled Isolation segment only Accept requests for all isolation segments Isolation Segment has its own load balancer and uses the same domain as TAS for VMs Apps in the isolation segment can have their own Diego Cells and Gorouters.
Use compute isolation only Enabled No isolation segment Accept requests for all isolation segments Isolation Segment uses TAS for VMs load balancer and domain Scale Isolation Segment Gorouters to 0.
Use network isolation in some cases See other rows for guidance See other rows for guidance Accept requests for some isolation segments See other rows for guidance See other rows for guidance

The use cases from the previous table are described here:

  • Use compute isolation and network isolation for all isolation segments: This is the most common case. For this use case, select Reject requests for all isolation segments for the Requests to isolation segments radio button in the Networking pane of the TAS for VMs tile. This configuration routes traffic between an isolation segment and a block of compute resources that is dedicated solely to that isolation segment. It also ensures that no traffic is routed through the TAS for VMs Gorouters.

  • Use compute isolation and extra Isolation Segment Gorouters: To configure traffic for your isolated apps to pass through the Gorouters for both Isolation Segment and TAS for VMs, activate compute isolation and networking isolation, and select Accept requests for all isolation segments for the Requests to isolation segments radio button in the Networking pane of the TAS for VMs tile. You can also use either the same apps domain you configured in the Domains pane of the TAS for VMs tile, or a different domain that you configure with the DNS for the load balancer for the Isolation Segment Gorouters. This configuration is useful if you want to configure isolated compute resources for your apps but do not have additional networking restrictions.

  • Use compute isolation only: To configure the TAS for VMs load balancer and apps domain route requests from your isolated apps, you can activate compute isolation, deactivate networking isolation, and select Accept requests for all isolation segments for Requests to isolation segments in the Networking pane of the TAS for VMs tile. This configuration allows you to move Diego Cells out of TAS for VMs and into isolation segments, so you can upgrade TAS for VMs first and your Isolation Segment tiles as time permits. This allows you to upgrade a large foundation in pieces, making it easier to upgrade within scheduled maintenance windows. This configuration is useful if your foundation has additional compute resource blocks, but no additional Gorouters for Isolation Segment configured in the Resource Config pane.

  • Use network isolation in some cases: For this use case, in Requests to isolation segments (Networking pane), select Accept requests for some isolation segments TAS for VMs tile. Then provide a comma-separated list of Isolation Segment names that Gorouters accept traffic to. See other cases for guidance on how to configure each Isolation Segment. Compute and Networking Isolation pane and Requests to isolation segments setting in the TAS for VMs tile in a manner other than the use cases described here, the smoke tests fail. To deploy the tile anyway, you must deactivate the Smoke Test errand in the Errands pane of the TAS for VMs tile. VMware does not recommend deactivating smoke tests. To configure the Smoke Test errand, see Configure Errands.

Configure compute and networking isolation pane

To configure the Compute and Networking Isolation pane:

  1. Select Compute and Networking Isolation.

  2. Under Compute isolation, activate or deactivate compute isolation:

  3. To deactivate compute isolation, select Do not allow. Select this option if you do not require compute isolation and you are deploying the Isolation Segment tile for the purpose of making upgrades more manageable. For example, if you have a TAS for VMs tile with a large volume of Diego Cells. This approach helps separate the upgrade of the TAS for VMs control plane from the upgrade of the Diego Cells. Further, it splits the upgrade of the Diego Cells into smaller groups.

  4. To activate compute isolation, select Allow and enter a placement tag for your Diego Cells in the Segment name field. This placement tag identifies the Diego Cells that run in your isolation segment and does not have to be unique across your Operations Manager deployment. You use this placement tag when following the steps in Register an isolation segment in Managing isolation segments to create the isolation segment in the CCDB.

    If you deactivate compute isolation, you must set Gorouter sharding mode to No isolation segment. Otherwise, the Isolation Segment tile fails to schedule the apps in your isolation segment.

  5. Under Networking isolation, activate or deactivate networking isolation by selecting a sharding mode. For more information, see Sharding Gorouters for isolation segments in Routing for isolation segments.

  6. Isolation segment only: The Gorouters for the TAS for VMs tile acknowledge requests only for apps deployed within the Diego Cells of the tile. All other requests fail.

  7. No isolation segment: The Gorouters for the TAS for VMs tile reject requests for any isolation segment. Choose this option to add a group of Gorouters for the TAS for VMs tile, such as when you want a private point of entry for the system domain or to configure a group of Gorouters to receive requests from your corporate intranet.

Configure smoke tests

In the Smoke Tests pane, you specify the org and space where smoke tests are run. In the org and space that you specify, the Smoke Test errand pushes the app to a Operations Manager org. The app runs basic functionality tests against both the TAS for VMs and Isolation Segment tiles after an installation or update.

The Smoke Test errand verifies that your deployment can:

  • Push, scale, and delete apps

  • Create and delete orgs and spaces

The Smoke Test errand is on by default. You can turn off the Smoke Test errand in the Errands pane. For more information, see Configure Errands.

To configure the Smoke Tests pane:

  1. Select Smoke Tests.

  2. (Optional) In Domain, enter the name of the apps domain that Isolation Segment uses when pushing an app to run smoke tests.

  3. To configure routing from the isolation segment to either the TAS for VMs or Isolation Segment Gorouters, enter the apps domain you configured in the Domains pane of the TAS for VMs tile.

  4. To configure separate routing for the isolation segment, enter a different apps domain.

  5. If you have a shared apps domain, select A temporary space within the system org, which creates a temporary space within the system org for running smoke tests and deletes the space afterwards. Otherwise, select A specified org and space and complete these fields to configure where Isolation Segment pushes an app to run smoke tests:

  6. For Org, enter the org Isolation Segment uses when pushing an app to run smoke tests.

  7. For Space, enter the space Isolation Segment uses when pushing an app to run smoke tests.

  8. Click Save.

Important If you configure the Compute and Networking Isolation pane and the Requests to isolation segments property in the TAS for VMs tile in a manner other than the use cases described in Options for Configuring Compute and Networking Isolation, the smoke tests fail.

Configure errands

Errands are scripts that Tanzu Operations Manager runs automatically when it installs or uninstalls a product, such as a new version of TAS for VMs. There are two types of errands: post-deploy errands run after the product is installed, and pre-delete errands run before the product in uninstalled.

By default, Tanzu Operations Manager always runs all errands.

In the Errands pane, you can select On to always run an errand or Off to never run it.

For more information about how Tanzu Operations Manager manages errands, see Managing Errands in Tanzu Operations Manager.

You must deactivate the Smoke Test errand if:
  • You configure the Compute and Networking Isolation pane and the Requests to isolation segments check box in the TAS for VMs tile in a manner other than the use cases described in Options for Configuring Compute and Networking Isolation. Otherwise, apps fail to schedule in Isolation Segment.
  • Both the V2 and V1 Firehoses are deactivated in TAS for VMs. Otherwise, the deploy fails.

Configure resources

In the Resource Config pane, you must associate load balancers with the VMs in your deployment to activate traffic.

To configure the Resource Config pane:

  1. Select Resource Config.

  2. If you use a dedicated Gorouter for your isolation segment:

    The configuration settings available in Resource Config vary depending on your IaaS.

    If you have the Load Balancers column in your Resource Config pane:

Enter the wildcard DNS entry attached to your load balancer into the Router row under Load Balancers.

If you do not have the Load Balancers column in your Resource Config pane:

  1. Go to the Networking pane.
  2. Specify Gorouter IPs.
  3. Manually attach the IP addresses to your load balancer.

After tile configuration

After you configure the Isolation Segment tile:

  1. Register the isolation segment in the CCDB by following the procedure in Register an isolation segment in Managing isolation segments.

    If you run smoke tests as a post-deploy errand in the Isolation Segment tile, the smoke tests check if your isolation segment in registered in the Cloud Controller database (CCDB). If not, the smoke tests register it in the CCDB. This eliminates the need to manually register the isolation segment with the cf create-isolation-segment command. For more information about running smoke tests, see Configure Smoke Tests.

  2. Return to the Tanzu Operations Manager Installation Dashboard.

  3. Click Review Pending Changes, then Apply Changes to deploy the tile.

After the tile finishes deploying, see Managing isolation segments for more information about managing an isolation segment.

Step 4: Copy the tile (optional)

To create multiple isolation segments, you can copy the Isolation Segment tile with the Replicator tool.

To create multiple isolation segments:

  1. Download the Replicator tool from the Isolation Segment page of Broadcom Support.

  2. Go to the directory where you downloaded the Replicator tool.

  3. Replicate the tile by running:

    ./replicator \
      --name "TILE-NAME" \
      --path /PATH/TO/ORIGINAL.pivotal \
      --output /PATH/TO/COPY.pivotal

    Where:

    • TILE-NAME is a unique name you provide for the new Isolation Segment tile. The name must be ten characters or less and only contain alphanumeric characters, dashes, underscores, and spaces.
    • /PATH/TO/ORIGINAL.pivotal is the absolute path to the original Isolation Segment tile you downloaded from Broadcom Support.
    • /PATH/TO/COPY.pivotal is the absolute path for the copy that the Replicator tool produces.

  4. Follow the procedures in this topic using the new .pivotal file, starting with Step 1.

Upgrading replicated tiles

For information about upgrading replicated Isolation Segment tiles, see Upgrading Replicated Tiles in Upgrading TAS for VMs and Other Operations Manager Products.

check-circle-line exclamation-circle-line close-line
Scroll to top icon