You can install VMware Tanzu Application Service for VMs (TAS for VMs) on Azure VMware Solution (AVS) with NSX-T internal networking, using the VMware NSX-T Container Plug-in.

AVS provides you with private clouds that contain vSphere clusters built from dedicated bare-metal Azure infrastructure.

AVS is a VMware-validated solution with ongoing validation and testing of enhancements and upgrades. Microsoft Corporation manages and maintains private cloud infrastructure and software.

For more information about AVS, see the Azure VMware Solution documentation.

All provisioned private clouds have vCenter Server, vSAN, vSphere, and NSX-T.

Deploying TAS for VMs to AVS is similar to traditional TAS for VMs deployments on vSphere, but there are a few minor differences due to the way that AVS deploys vSphere components.

To install NSX-T to run with TAS for VMs:

  1. Configure NSX-T to Integrate with TAS for VMs

  2. Activate NSX-T Mode in the BOSH Director

  3. Configure TAS for VMs for External Container Networking

  4. Install and Configure the NSX-T Container Plug-in

Prerequisites

Before deploying TAS for VMs with NSX-T networking, you must have:

Configure NSX-T to integrate with TAS for VMs

To set up NSX-T to integrate with TAS for VMs, complete these procedures:

Regenerate NSX-T management TLS certificate with a valid SAN

The AVS-deployed NSX-T Manager includes a self-signed TLS certificate with an invalid Subject Alternative Name (SAN). This causes issues when connecting from VMware Tanzu Operations Manager and the BOSH Director, so you must create a new certificate using the NSX-T Manager’s fully qualified domain name (FQDN) or IP address as the new SAN.

For instructions, see Generate and Register the NSX-T Management TLS Certificate and Private Key in the VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) documentation.
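The following shell script is an added example and is not from the original page or from VMware. It generates a replacement self-signed certificate and private key for the NSX-T Manager whose SAN carries the Manager's FQDN and IP address, and it provides a check that a given certificate's SAN really contains the name that Tanzu Operations Manager and the BOSH Director will connect to (a certificate that matches only by Common Name fails that check, which is the failure mode behind the AVS default certificate). The hostname nsxmanager.avs.example.internal and the address 10.10.0.3 are constructed placeholders; substitute your NSX-T Manager's FQDN and IP. It needs OpenSSL 1.1.1 or later for the `-addext` and `-ext` options.

```shell
#!/bin/sh
# Added example: build an NSX-T Manager TLS certificate with a valid SAN and
# verify the SAN before registering the certificate. Placeholder values below
# are constructed for the example; override them from the environment.
NSX_FQDN="${NSX_FQDN:-nsxmanager.avs.example.internal}"   # assumed FQDN
NSX_IP="${NSX_IP:-10.10.0.3}"                               # assumed IP
DAYS="${DAYS:-825}"

# make_nsx_cert OUTDIR: writes OUTDIR/nsx-mgr.key and OUTDIR/nsx-mgr.crt.
# The SAN lists both the FQDN and the IP so that either form of the
# NSX Manager address configured in Ops Manager validates.
make_nsx_cert() {
  outdir="$1"
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$outdir/nsx-mgr.key" -out "$outdir/nsx-mgr.crt" \
    -days "$DAYS" -subj "/CN=$NSX_FQDN" \
    -addext "subjectAltName=DNS:$NSX_FQDN,IP:$NSX_IP" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
  chmod 600 "$outdir/nsx-mgr.key"
}

# san_entries CERT: prints the SAN entries of a PEM certificate as a
# comma-separated list without spaces, or nothing if the cert has no SAN.
san_entries() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | sed -n '2p' | tr -d ' '
}

# check_san CERT NAME: returns 0 only if NAME is present as a DNS or IP SAN
# entry. Matching on CN alone is deliberately not accepted.
check_san() {
  sans=$(san_entries "$1")
  case ",$sans," in
    *",DNS:$2,"*|*",IPAddress:$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run check_san first against the certificate the Manager currently presents (for example, saved from `openssl s_client -connect NSX-FQDN:443 -showcerts`) to confirm that the SAN is the problem, and again against the regenerated certificate before registering it as described in the TKGI instructions above. Where your PKI allows it, a CA-signed certificate is preferable to a self-signed one; the SAN requirement is the same in both cases.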

Configure segments

To configure segments:

  1. Plan one segment (logical switch) for each network that your foundation uses.
  2. Log in to the NSX-T Manager Dashboard.
  3. Go to Advanced Networking & Security.
  4. Go to the Segment page.
  5. For each of these networks:

    • Infrastructure (BOSH and Tanzu Operations Manager, defined in the Assign AZs and Networks pane of the BOSH Director tile)
    • Deployment (TAS for VMs, defined in the Assign AZs and Networks pane of the TAS for VMs tile)
    • Services and Dynamic Services (marketplace services and on-demand services, also defined in the TAS for VMs tile)
    • Isolation Segment (optional, defined in the Assign AZs and Networks pane of the Isolation Segment tile)

    Do the following:

    1. Click +Add.
    2. Enter a name for the segment (such as TAS for VMs-Infrastructure, TAS for VMs-Deployment).
    3. Click Add.

Add a new segment.

Configure gateways

Create T1 gateways for TAS for VMs that connect to the T0 gateway. For each TAS for VMs network (Infrastructure, Deployment, and so on), create a T1 gateway as follows:

  1. In the NSX-T Manager UI, navigate to Advanced Networking & Security > Routing > Gateways.
  2. Click +Add > Tier-1 Gateways.
  3. Configure the gateway to include the Edge Cluster, which is required to enable the Load Balancer.

    The Infrastructure network gateway configuration might look like the following image:

Add a Tier 1 Gateway and configure it.

Create T1 gateway downlink ports for TAS for VMs.

For each T1 gateway you created, add a new router port to allow traffic in and out:

  1. In the NSX-T Manager UI, select the T1 gateway.
  2. Click the hamburger icon and select Edit.
  3. Go to Service Interfaces.
  4. Click Set.
  5. For Segments, select the segment you defined for the network in Configure segments.
  6. For IP Address, use the first IP of the appropriate subnet. In this example, 192.168.1.0/24 is set aside for Infrastructure (Tanzu Operations Manager and BOSH Director) and 192.168.2.0/24 for Deployment, so 192.168.1.1 and 192.168.2.1 are used respectively.

Advertise the routes of the T1 gateways to the T0 gateway, so that the T0 gateway can route incoming requests correctly based on their destination IP address. For each T1 gateway:

  1. Click the gateway in the list.
  2. Click the More Options menu and select Edit.
  3. Expand Route Advertisement.
  4. Turn on All Connected Segments & Service Ports by using the green switch.
  5. Turn on All IPSec Local Endpoints.
  6. Turn on All LB VIP Routes by using the green switch (necessary if the Load Balancing service is configured).

Allocate an IP block for TAS for VMs orgs:

  1. In the NSX-T Manager UI, navigate to IP Address Pools.
  2. Click IP Address Blocks.
  3. Click Add IP Address Block.
  4. Enter a name (for example, TAS for VMs-container-ip-block). This IP block name is also used in the VMware NSX-T tile, in the NCP section under IP Blocks of Container Networks.
  5. Enter a description, such as Subnets are allocated from this pool to each newly-created org.
  6. Enter a CIDR that allocates an address block large enough to accommodate all TAS for VMs apps. With the default /24 subnet per org, a /14 CIDR holds 1,024 orgs with about 250 apps each. If you are planning such a large foundation, see VMware NSX-T TAS for VMs limits in the VMware documentation.

Add a new IP block.

Configure load balancer

To configure a load balancer:

Create Active Health Monitors (health checks) for use by the virtual server later on.

In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Monitors > Active Health Monitors.

Create the health monitor for web load balancing:

  1. Click +Add.
  2. Enter Monitor Properties:
    • Name: pas-web-monitor
    • Health Check Protocol: LbHttpMonitor
    • Monitoring Port: 8080
  3. Click Next.
  4. Enter Health Check Parameters:
    • HTTP Method: GET
    • HTTP Request URL: /health
    • HTTP Response Code: 200
  5. Click Finish.

Create the health monitor for TCP load balancing:

  1. Click +Add.
  2. Enter Monitor Properties:
    • Name: pas-tcp-monitor
    • Health Check Protocol: LbHttpMonitor
    • Monitoring Port: 80
  3. Click Next.
  4. Enter Health Check Parameters:
    • HTTP Method: GET
    • HTTP Request URL: /health
    • HTTP Response Code: 200
  5. Click Finish.

Create the health monitor for SSH load balancing:

  1. Click +Add.
  2. Enter Monitor Properties:
    • Name: pas-ssh-monitor
    • Health Check Protocol: LbTcpMonitor
    • Monitoring Port: 2222
  3. Click Next, then click Finish.

Create server pools (collections of VMs which handle traffic) for use by the virtual server:

  1. In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Server Pools.

  2. Create the server pool for web load balancing:

    1. Click +Add to add a new pool.
    2. Enter General Properties:
      • Name: pas-web-pool
    3. Click Next.
    4. Enter SNAT Translation:
      • Translation Mode: IP List
      • Enter a range of available IPs for SNAT translation. By default, ports 4000 to 64000 are used on each configured SNAT IP address, so allocate enough IPs to handle your traffic load; with too few IPs, the SNAT ports are exhausted and new connections fail.
    5. Click Next.
    6. Enter Pool Members:
      • Membership Type: Static
    7. Click Next.
    8. Enter Health Monitors:
      • Active Health Monitor: pas-web-monitor
    9. Click Finish.

Create the server pool for TCP load balancing:

  1. Click +Add to add a new pool.
  2. Enter General Properties:
    • Name: pas-tcp-pool
  3. Click Next.
  4. Enter SNAT Translation:
    • Translation Mode: Transparent
  5. Click Next.
  6. Enter Pool Members:
    • Membership Type: Static
  7. Click Next.
  8. Enter Health Monitors:
    • Active Health Monitor: pas-tcp-monitor
  9. Click Finish.

Create the server pool for SSH load balancing:

  1. Click +Add to add a new pool.
  2. Enter General Properties:
    • Name: pas-ssh-pool
  3. Click Next.
  4. Enter SNAT Translation:
    • Translation Mode: Transparent
  5. Click Next.
  6. Enter Pool Members:
    • Membership Type: Static
  7. Click Next.
  8. Enter Health Monitors:
    • Active Health Monitor: pas-ssh-monitor
  9. Click Finish.

Create virtual servers.

  1. In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Virtual Servers.
  2. Create the virtual server which forwards unencrypted web (HTTP) traffic to the foundation:

Important: Foundations that require end-to-end encryption must not activate the virtual server on port 80, or, if it is activated, must redirect port 80 traffic to the encrypted port (443). Because pas-web-vs uses the Layer 4 fast TCP profile, it forwards the TCP stream unchanged and cannot itself issue an HTTP redirect; the redirect has to come from a component that terminates HTTP.

  1. Click +Add.
  2. Enter General Properties:
    • Name: pas-web-vs
    • Application Type: Layer 4 (TCP)
    • Application Profile: nsx-default-lb-fast-tcp-profile
  3. Click Next.
  4. Enter Virtual Server Identifiers:
    • IP Address: use the address of the DNS record of *.system.YOUR-SYSTEM-DOMAIN.com
    • Port: 80,443
  5. Enter Server Pool and Rules:
    • Default Server Pool: pas-web-pool
  6. Click Next several times, then click Finish.

Create the virtual server which forwards traffic to apps with custom ports to the foundation:

  1. Click +Add to add a new virtual server.
  2. Enter General Properties:
    • Name: pas-tcp-vs
    • Application Type: Layer 4 (TCP)
    • Application Profile: nsx-default-lb-fast-tcp-profile
  3. Click Next.
  4. Enter Virtual Server Identifiers:
    • IP Address: use the address of the DNS record of tcp.apps.YOUR-SYSTEM-DOMAIN.com
    • Port: use the same ports as configured in the TAS for VMs Tile > Networking > TCP Routing Ports, e.g. 1024-1123,5900
  5. Click Next.
  6. Enter Server Pool and Rules:
    • Default Server Pool: pas-tcp-pool
  7. Click Next, then click Finish.

Create the virtual server which forwards SSH traffic to the foundation:

  1. Click +Add to add a new virtual server.
  2. Enter General Properties:
    • Name: pas-ssh-vs
    • Application Type: Layer 4 (TCP)
    • Application Profile: nsx-default-lb-fast-tcp-profile
  3. Click Next.
  4. Enter Virtual Server Identifiers:
    • IP Address: use the address of the DNS record of ssh.system.YOUR-SYSTEM-DOMAIN.com
    • Port: 2222
  5. Click Next.
  6. Enter Server Pool and Rules:
    • Default Server Pool: pas-ssh-pool
  7. Click Next, then click Finish.

Create the load balancer:

  1. In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Load Balancers.
    1. Click +Add.
    2. Enter the fields:
      • Name: pas-lb
      • Load Balancer Size: Choose Small unless you have a larger Foundation
    3. Click OK.
  2. Select pas-lb.
  3. Click Actions > Attach to a Virtual Server, and then select pas-web-vs. Repeat this step for the virtual servers pas-tcp-vs and pas-ssh-vs.
  4. Click Actions > Attach to a Logical Router, and then select the T1 gateway for the Deployment network (T1-Router-TAS for VMs-Deployment in this example).

Enable NSX-T mode in the BOSH Director

To activate NSX-T mode in the BOSH Director:

  1. From the Tanzu Operations Manager Installation Dashboard, click the BOSH Director tile.

  2. In the vCenter Configs pane, click the pencil icon for the vCenter Config that you want to edit.

  3. Select NSX Networking.

  4. Configure BOSH Director authentication to the NSX Manager by following the NSX Networking instructions in the Step 2: Configure vCenter section of Configuring BOSH Director on vSphere.

Configure TAS for VMs for external container networking

To configure TAS for VMs for external container networking:

  1. If you have not already done so, download the TAS for VMs tile from Broadcom Support and import it to the Installation Dashboard. For instructions, see Adding and Importing Products.

  2. Configure TAS for VMs, following the directions in TAS for VMs Overview. When you configure Networking, select External under Container networking interface plugin.
    Container Network Interface Plugin radio buttons: External is selected.

  3. Update the server pool membership for the NSX-T load balancers:

    1. Open the BOSH Director for vSphere tile > Resource Config pane.
    2. Click the arrow next to each job to reveal the NSX-T CONFIGURATION column. See Step 10: Resource Config Pane in Configuring BOSH Director on vSphere.
    3. Under Logical Load Balancer, enter a JSON-formatted structure defining a list of server_pools. This acts as a VM extension that adds the job's VMs to the named pool, so configure it on the jobs that receive the load-balanced traffic: the Router for pas-web-pool, the TCP Router for pas-tcp-pool, and the Diego Brain (which runs the SSH proxy) for pas-ssh-pool. The pool names must exactly match the names you created in NSX-T Manager.

Install and configure the NSX-T container plug-in

To install and configure the NSX-T Container Plug-In tile:

  1. If you have not already done so, download the VMware NSX-T Container Plug-in tile from Broadcom Support and import it to the Installation Dashboard. For instructions, see Adding and Importing Products.

    Tanzu Operations Manager Installation Dashboard with NSX-T tile.

  2. Click the VMware NSX-T tile to open its Settings tab, and configure the NSX Manager pane as follows:

    • NSX Manager Address: The NSX-T Manager host address or IP address.
    • Use Client Certificates or Username/Password: Configure this setting as follows:
      1. If you are using VMware Workspace ONE Access, formerly called VMware Identity Manager (vIDM), then select Client Certificate Authentication.
      2. Otherwise, select Basic Authentication with Username and Password and enter NSX Manager Admin Username and Admin Password credentials in the fields underneath.
    • NSX Manager CA Cert: Obtain this certificate from NSX-T Manager as follows:
      1. SSH into NSX-T Manager using the admin account that you created when you deployed NSX-T Manager.
      2. From the NSX-T Manager command line, run get certificate api to retrieve the certificate. If you regenerated the NSX-T Manager certificate earlier in this procedure, confirm that the certificate returned is the new one (for example, by comparing its SAN or fingerprint) before pasting it into the tile, because NCP validates its connection to the Manager against this certificate.

    Obtain the NSX Manager CA Cert

  3. Open and configure the NCP (NSX-T Container Plugin) pane as follows:

    • TAS for VMs Foundation Name: If unsure, use TAS for VMs. If multiple foundations co-exist on the same NSX-T Manager, choose a unique string, such as TAS for VMs-beta. NCP creates artifacts, such as T1 routers, and prefixes their names with this string for easy identification.
    • Overlay Transport Zone: A uniquely identifying string for the Transport Zone that you chose when you created segments for each network. This can be the name of the transport zone if no other zones in NSX-T share the same name, or else the UUID of the transport zone.
    • Tier-0 Router: A uniquely identifying string for the T0 router. This can be the tag string that you gave the router in NSX-T Manager if no other T0 routers in NSX-T share the same name, or else the UUID of the router.
    • Subnet Prefix of Container Networks: Prefix length that sets the address range size for the apps in a single org. Defaults to 24. This number must be higher (a longer prefix, so a smaller subnet) than the prefix length of the IP block you created for all TAS for VMs orgs in the NSX-T Manager New IP Block pane, so that each org receives a fraction of the total TAS for VMs address space.
    • Enable SNAT for Container Network: Select this check box.

    NSX-T tile config: NCP

  4. In the NSX Node Agent pane, select the Enable Debug Level of Logging for NSX Node Agent check box.

  5. Click Save and return to the Installation Dashboard.

  6. After you have configured both the TAS for VMs tile and the VMware NSX-T tile, click Review Pending Changes.

  7. Click Apply Changes to deploy TAS for VMs with NSX-T networking.