You can install VMware Tanzu Application Service for VMs (TAS for VMs) on vSphere with NSX-T internal networking, using the VMware NSX-T Container plug-in for Operations Manager.

Important These instructions were updated to use the NSX-T Policy API, the next-generation interface for integrating with the NSX-T networking and security framework.

TAS for VMs uses a Container Network Interface (CNI) plug-in to support secure and direct internal communication between containers.

This plug-in is either:

Prerequisites

Before you deploy TAS for VMs with NSX-T networking, you must have the following:

  • An NSX-T environment with NSX-T components that are installed and configured, including a Tier-0 gateway (configured in Active/Passive HA mode) attached to a North-South Transport Zone and NSX-T edge cluster. The NSX-T version must support the versions of NCP and TAS for VMs you intend to use. Verify the compatibility between NSX-T, NCP, and TAS for VMs with the following documentation:

  • BOSH and Tanzu Operations Manager installed and configured on vSphere. For more information, see Deploying Tanzu Operations Manager on vSphere and Configuring BOSH Director on vSphere.

  • The VMware NSX-T Container Plug-in for Operations Manager tile is downloaded from VMware Tanzu Network and imported to the Tanzu Operations Manager Installation Dashboard. For information about downloading and importing VMware Tanzu products to the Installation Dashboard, see Add and Import Products in Adding and Deleting Products.

  • The TAS for VMs tile is downloaded from VMware Tanzu Network and imported to the Tanzu Operations Manager Installation Dashboard. The TAS for VMs tile must be in one of these states:

    • Configured but not currently deployed. You did not click Review Pending Changes, then Apply Changes on this version of TAS for VMs.
    • Deployed previously, with the Container network interface plug-in field set to External in the Networking pane of the TAS for VMs tile.

Important If you deploy TAS for VMs with its container network interface (CNI) set to Silk, Diego Cells are configured to use an internally managed container network. If you subsequently switch the CNI interface to External NSX-T, this leads to errors.

Architecture

The following graphic shows how to deploy an NSX-T machine to run TAS for VMs across multiple vSphere hardware clusters. NSX-T runs a Tier-0 (T0) gateway and multiple Tier-1 (T1) gateways, each connecting to a network within Operations Manager. Each vSphere hardware column cluster corresponds to an Availability Zone (AZ) in Operations Manager: The NXT T0 Router is connected between the IP Backbone and the T1 Routers. The T1 Routers each end on a network.

Three network types are shown: On-demand Orgs, Isolation Segments, and On-demand Services.

When you push an app to a new org for the first time, the NSX-T plug-in starts NSX-T to create a new T1 gateway and allocate an address range for the org, on demand.

Install and configure TAS for VMs and NSX-T

To install NSX-T to run with TAS for VMs, follow these procedures:

  1. Configure NSX-T to Integrate with TAS for VMs.

  2. Activate NSX-T Mode in the BOSH Director.

  3. Configure TAS for VMs for External Container Networking.

  4. Install and Configure the NSX-T Tile.

Set up NSX-T to integrate with TAS for VMs

To set up NSX-T to integrate with TAS for VMs, follow these procedures:

Configure NAT rules

To configure Network Address Translation (NAT) rules:

  1. Create network address translation (NAT) rules to communicate with Tanzu Operations Manager:

    1. Go to Networking.
    2. Go to the NAT pane.
    3. Select your T0 gateway.
    4. Click ADD NAT RULE.

    5. Add a rule for destination NAT (DNAT) with:

      • The externally-specified destination IP address of incoming requests. If your Tanzu Operations Manager has a DNS entry (for example, opsmgr.example.com), this is its IP address.
      • The Tanzu Operations Manager internal network address.

      • Firewall setting bypass: the packet bypasses firewall rules.

        NAT page

    6. Add a rule for source NAT (SNAT) for the infrastructure and deployment networks:

      • The externally-specified destination IP address.
      • The internal network address in CIDR notation.

      • Firewall Setting bypass: the packet bypasses firewall rules.

        NAT page

Configure gateways

To configure Tier-1 (T1) gateways:

  1. Create T1 gateways for TAS for VMs, to connect from the T0 gateway. For each Operations Manager network, Infrastructure, Deployment, and so on, create a T1 gateway as follows:

    1. In the NSX-T Manager UI, go to Networking, then Tier-1 Gateways.
    2. Click ADD TIER-1 GATEWAY.
    3. Configure the gateway. Include the Edge Cluster, as it is required to activate the Load Balancer. The Infrastructure network gateway configuration looks similar to the following image:

    Configure Infrastructure network gateway.

  2. Advertise the routes of the T1 gateways to the T0 gateway, so the T0 gateway can correctly route incoming requests based on their destination IP addresses:

    1. Edit your T1 Gateway and go to Route Advertisement.
    2. Activate All Connected Segments & Service Ports.

    3. Activate All LB VIP Routes. (necessary if Load Balancing service is configured).

      Tier-1 Gateways page

  3. Allocate an IP block for TAS for VMs orgs.

    1. From the NSX-T Manager, go to Networking, then IP Address Pools, click the IP Address Blocks tab, and click Add IP Address Block.
    2. Enter a name (for example, TAS for VMs-container-ip-block). This IP block name is also used in the VMware NSX-T tile in the NCP section under IP Blocks of Container Networks.
    3. Enter a description, such as Subnets are allocated from this pool to each newly-created org.

    4. Enter a CIDR to allocate an address block large enough to accommodate all TAS for VMs apps. A /14 CIDR is large enough for approximately 1,000 Orgs with about 250 apps each. If you are planning a large foundation, see VMware NSX-T TAS for VMs limits in the VMware documentation.

      IP Address Pools page

  4. Create an external SNAT IP pool:

    1. Go to Networking, then IP Address Pools.
    2. Click the IP Address Pools tab and then click Add IP Address Pool.
    3. Enter a name (for example, external-ip-pool).
    4. Enter a description (for example, “IP pool that provides 1 public IP for each TAS for VMs Org”). Later, you enter this pool name, on the VMware NSX-T tile, in the NCP section, under IP Pools used to provide External (NAT) IP Addresses to Org Networks.

    5. Set a subnet of externally-routable IP addresses for future NAT IP addresses.

      IP Address Pools page

      Set Subnets page

  5. In vSphere, create segments that correspond to the networks that Operations Manager uses.

    1. Log in to the NSX-T Manager Dashboard.
    2. Go to Networking.
    3. Go to the Segments pane.
    4. For each of these networks…
      • Infrastructure (BOSH and Tanzu Operations Manager, defined in the Assign AZs and Networks pane of the BOSH Director tile)
      • Deployment (TAS for VMs, defined in the Assign AZs and Networks pane of the TAS for VMs tile)
      • Services and Dynamic Services (marketplace services and on-demand services, also defined in the TAS for VMs tile)
      • Isolation Segment (optional, defined in the Assign AZs and Networks pane of the Isolation Segment tile) …do the following:
        1. Click ADD SEGMENT.
        2. Enter a name for the segment.
        3. Enter a Gateway to connect to.
        4. Click SAVE.

Segments page

Configure segments

  1. Create Active Monitors (health checks) for use by the virtual servers later.

    1. In the NSX-T Manager UI, go to Networking, then Load Balancing, and click the Monitors tab.
    2. Create the health monitor for web load balancing:
    3. Click Add Active Monitor.
    4. Select HTTP.
      • Name: tas-web-monitor
      • Monitoring Port: 8080
      • Monitoring Port: 8080
    5. Configure Additional Properties:
      • HTTP Request URL: /health
      • HTTP Response Code: 200
    6. Click Save.

  2. Create the health monitor for TCP load balancing:

    1. Click Add Active Monitor.
    2. Select HTTP.
      • Name: tas-tcp-monitor
      • Monitoring Port: 80
    3. Configure Additional Properties:
      • HTTP Request URL: /health
      • HTTP Response Code: 200
    4. Click Save.

  3. Create the health monitor for SSH load balancing:

    1. Click Add Active Monitor.
    2. Select TCP:
      • Name: tas-ssh-monitor
      • Monitoring Port: 2222
    3. Click Save.

  4. Create Server Pools (collections of VMs that handle traffic) for use by the virtual servers.

    1. In the NSX-T Manager UI, go to Networking, then Load Balancing, and click the Server Pools tab.

    2. Create the server pool for web load balancing:

      1. Click Add Server Pool to add a new pool.
        • Name: tas-web-pool
      2. Enter SNAT Translation: Automap
      3. Click Select Members:
        • Membership Type: Static
      4. Click Active Monitor Set:
        • Select tas-web-monitor
        • Click Apply
      5. Click Save.

    3. Create the server pool for TCP load balancing:

      1. Click Add Server Pool to add a new pool.
        • Name: tas-tcp-pool
      2. Enter SNAT Translation: Deactivated
      3. Click Select Members:
        • Membership Type: Static
      4. Click Active Monitor Set:
        • Select tas-tcp-monitor
        • Click Apply
      5. Click Save.

    4. Create the server pool for SSH load balancing:

      1. Click ADD SERVER POOL to add a new pool.
        • Name: tas-ssh-pool
      2. Enter SNAT Translation: Deactivated
      3. Click Select Members:
        • Membership Type: Static
      4. Click Active Monitor Set:
        • Select tas-ssh-monitor
        • Click Apply
      5. Click Save.

  5. Create the load balancer. In the NSX-T Manager UI, go to Networking, then Load Balancing, and click the Load Balancers tab.

    1. Click Add Load Balancer.
      1. Enter the fields:
        • Name: tas-lb
        • Load Balancer Size: Select Small unless you have a larger Foundation.
        • Attachment: t1-deployment Attach your load balancer to the Tier 1 gateway fronting your deployment instances.
      2. Click Save
      3. When you see Want to continue configuring this Load Balancer?, click Yes.
      4. Click Virtual Servers Set.

  6. Click Add Active Monitor.

  7. Select HTTP:
    • Name: tas-web-monitor
    • Monitoring Port: 8080.
  8. Configure Additional Properties:
    • HTTP Request URL: /health
    • HTTP Response Code: 200.
  9. Click Save.

For foundations requiring end-to-end encryption, do not enable the virtual server on port 80. If it must be enabled, configure it to redirect traffic to the encrypted port (443).

To create the virtual server that forwards unencrypted web (HTTP) traffic to the foundation:

  1. Click Virtual Servers Set.
  2. Click Add Virtual Server.
  3. Select L4 TCP.
    • Name: tas-web-vs
    • Application Profile: default-tcp-lb-app-profile
    • IP Address: use the address of the DNS record of *.system.YOUR-SYSTEM-DOMAIN.com
    • Port: 80,443
    • Server Pool: tas-web-pool
  4. Click Save.

To create the virtual server that forwards traffic to apps with custom tcp ports to the foundation:

  1. Click Add Virtual Server.
  2. Click L4 TCP.
    • Name: tas-tcp-vs
    • Application Profile: default-tcp-lb-app-profile
    • IP Address: use the address of the DNS record of tcp.apps.YOUR-SYSTEM-DOMAIN.com
    • Port: use the same ports as configured in the TAS for VMs Tile, then Networking, and TCP Routing Ports. For example: 1024-1123,5900
    • Server Pool: tas-tcp-pool
  3. Click Save.

To create the virtual server that forwards SSH traffic to the foundation:

  1. Click Add Virtual Server.
  2. Click L4 TCP.
    • Name: tas-ssh-vs
    • Application Profile: default-tcp-lb-app-profile
    • IP Address: Use the address of the DNS record of ssh.system.YOUR-SYSTEM-DOMAIN.com.
    • Port: 2222
    • Server Pool: tas-ssh-pool
  3. Click Save.

Activate NSX-T Mode in the BOSH Director

To activate NSX-T mode in the BOSH Director:

  1. From the Tanzu Operations Manager Installation Dashboard, open the BOSH Director for vSphere tile.

  2. In the vCenter Config pane, click the pencil icon for the vCenter Config you want to edit.

  3. Select NSX Networking.

  4. Configure BOSH Director authentication to the NSX Manager by following the NSX Networking instructions in the Step 2: Configure vCenter section of Configuring BOSH Director on vSphere.

  5. Verify that the Use NSX-T Policy API option is selected.

Use NSX-T Policy API check box

Configure TAS for VMs for external container networking

To configure TAS for VMs for external container networking:

  1. If you have not already done so, download the TAS for VMs tile from VMware Tanzu Network and import it to the Installation Dashboard.

    For instructions, see Add and Import Products.

    Tanzu Operations Manager Installation Dashboard with NSX-T tile

  2. Configure TAS for VMs, starting with Prerequisites. When you configure Networking, select External under Container networking interface plugin.

    Container networking interface plug-in radio buttons. External is selected.

Install and configure the NSX-T container plug-in

  1. Configure TAS for VMs to add router, diego_brain, and tcp_router instances to the corresponding NSX-T server pools upon deployment.

    1. Open the TAS for VMs tile, then click the Resource Config pane.
    2. Click the arrow next to each job to reveal the NSX-T Configuration column.
    3. Under Logical Load Balancer, complete the JSON server_pools list with the NSX-T Server Pool these instance must be added to upon deployment.
      • router: tas-web-pool
      • diego_brain: tas-ssh-pool
      • tcp_router: tas-tcp-pool

    4. Click Save.

      NSX-T configuration

  2. If you have not already done so, download the VMware NSX-T Container Plug-in for Operations Manager tile from VMware Tanzu Network and import it to the Installation Dashboard. For instructions, see Add and Import Products.

    Installation Dashboard with NSX-T tile.

  3. Click the VMware NSX-T tile to open the Settings tab, and configure NSX Manager:

    • NSX Manager Address: The NSX-T Manager host address or IP address.
    • Use Client Certificates or Username/Password:
      1. If you are using VMware Workspace ONE Access, formerly called VMware Identity Manager (vIDM), click Client Certificate Authentication.
      2. Otherwise, select Basic Authentication with Username and Password, and enter NSX Manager Admin Username and Admin Password credentials in the fields underneath.
    • NSX Manager CA Cert: Obtain this certificate from NSX-T Manager as follows:
      1. ssh into NSX-T Manager using the admin account that you created when you deployed NSX-T Manager.
      2. From the NSX-T Manager command line, run get certificate api to retrieve the certificate.

  4. Open and configure the NCP (NSX-T Container Plug-in) pane as follows:

    • TAS for VMs Foundation Name: If unsure, use TAS for VMs. If multiple foundations co-exist on the same NSX-T Manager, choose a unique string, such as TAS for VMs-beta. NCP creates artifacts such as T1 gateways and prefixes their names with this string for easy identification.
    • Overlay Transport Zone: A uniquely identifying string for the Transport Zone that you chose when you created segments for each network. This can be the name of the transport zone if no other zones in NSX-T share the same name, or else the UUID for the transport zone.
    • Tier-0 Router: A uniquely identifying string for the T0 gateway. This can be the tag string that you gave the gateway in NSX-T Manager if no other T0 gateways in NSX-T share the same name, or else the UUID for the gateway.
    • IP Blocks of Container Networks: Use the same IP block created in Configure Gateways.
    • Subnet Prefix of Container Networks: Subnet mask to set the address range size for apps in a single org. Defaults to 24. This number must be higher than the mask for all TAS for VMs orgs in the NSX-T Manager New IP Block pane, to define the fraction of the total TAS for VMs address space for each org.
    • IP Pools used to provide External (NAT) IP Addresses to Org Networks: Use the same IP Pool created in Configure Gateways.

    • Enable NSX-T Policy API: Activate this check box to use the new Policy API.

      NSX-T tile config: NCP

  5. In the NSX Node Agent pane, activate the Enable Debug Level of Logging for NSX Node Agent check box.

    NSX-T tile config: NSX-T Node Agent

  6. Click Save and return to the Installation Dashboard.

  7. After you configure both the TAS for VMs tile and the VMware NSX-T tile, click Review Pending Changes.
  8. Click Apply Changes to deploy TAS for VMs with NSX-T networking.

Upgrade TAS for VMs with NSX-T networking

After you deploy TAS for VMs with NSX-T, you might need to upgrade Tanzu Operations Manager, TAS for VMs, the NSX-T Container Plug-in or NSX-T Data Center. If you upgrade one of these components, you might need to upgrade the other components as well.

For example, if you want to only upgrade NSX-T Data Center, you might need to upgrade the NSX-T Container Plug-in first.

To upgrade TAS for VMs with NSX-T Networking:

  1. Plan the upgrade by determining the compatibility of NCP, NSX-T and TAS for VMs by checking the following documentation:

  2. Download the VMware NSX-T Container Plug-in for Operations Manager tile from VMware Tanzu Network.

  3. In Tanzu Operations Manager, import the new version of the tile to the Installation Dashboard. For instructions, see Adding and Importing Products.

  4. Click Review Pending Changes and review your changes.

  5. Click Apply Changes.

    Continue with the upgrade of Tanzu Operations Manager, TAS for VMs, or NSX-T Data Center. For more information, see Upgrade NCP in a Operations Manager Environment in the VMware NSX-T Data Center documentation.

check-circle-line exclamation-circle-line close-line
Scroll to top icon