Prepare to Deploy Management Clusters to Microsoft Azure

This topic explains how to prepare Microsoft Azure for running Tanzu Kubernetes Grid.

If you are installing Tanzu Kubernetes Grid on Azure VMware Solution (AVS), you are installing to a vSphere environment. See Preparing Azure VMware Solution on Microsoft Azure in Prepare a vSphere Management as a Service Infrastructure to prepare your environment and Prepare to Deploy Management Clusters to vSphere to deploy management clusters.

Installation Process Overview

The following diagram shows the high-level steps for installing a Tanzu Kubernetes Grid management cluster on Azure, and the interfaces you use to perform them.

These steps include the preparations listed below plus the procedures described in either Deploy Management Clusters with the Installer Interface or Deploy Management Clusters from a Configuration File.

Process Diagram: Start, Install the Tanzu CLI, Register a TKG App on Azure, Accept the Base Image License. If first deploy and no advanced config options, deploy with installer interface. Else deploy with config file.

General Requirements

  • The Tanzu CLI installed locally. See Install the Tanzu CLI and Other Tools.
  • A Microsoft Azure account with:
    • Permissions required to register an app. See Permissions required for registering an app in the Azure documentation.
    • Sufficient VM core (vCPU) quotas for your clusters. A standard Azure account has a quota of 10 vCPU per region.
      Tanzu Kubernetes Grid clusters require 2 vCPU per node, which translates to:
      • Management cluster:
        • dev plan: 4 vCPU (1 main, 1 worker)
        • prod plan: 8 vCPU (3 main , 1 worker)
      • Each workload cluster:
        • dev plan: 4 vCPU (1 main, 1 worker)
        • prod plan: 12 vCPU (3 main , 3 worker)
      • For example, assuming a single management cluster and all clusters with the same plan:
        Plan Workload Clusters vCPU for Workload vCPU for Management Total vCPU
        Dev 1 4 4 8
        5 20 24
        Prod 1 12 8 20
        5 60 68
    • Sufficient public IP address quotas for your clusters, including the quota for Public IP Addresses - Standard, Public IP Addresses - Basic, and Static Public IP Addresses. A standard Azure account has a quota of 10 public IP addresses per region. Every Tanzu Kubernetes Grid cluster requires 2 Public IP addresses regardless of how many control plane nodes and worker nodes it has. For each Kubernetes Service object with type LoadBalancer, 1 Public IP address is required.
  • Traffic is allowed between your local bootstrap machine and the image repositories listed in the management cluster Bill of Materials (BoM) file, over port 443, for TCP.*
    • The BoM file is under ~/.tanzu/tkg/bom/, and its name includes the Tanzu Kubernetes Grid version. For example, tkg-bom-v1.3.1+vmware.1.yaml.
    • Run a DNS lookup on all imageRepository values to find their CNAMEs.
  • (Optional) OpenSSL installed locally, to create a new keypair or validate the download package thumbprint. See OpenSSL.
  • (Optional) A VNET with:

    • A subnet for the management cluster control plane node
    • A Network Security Group on the control plane subnet with the following inbound security rules, to enable SSH and Kubernetes API server connections:
      • Allow TCP over port 22 for any source and destination
      • Allow TCP over port 6443 for any source and destination. Port 6443 is where the Kubernetes API is exposed on VMs in the clusters you create.
    • A subnet and Network Security Group for the management cluster worker nodes.

    If you do not use an existing VNET, the installation process creates a new one.

  • The Azure CLI installed locally. See Install the Azure CLI in the Microsoft Azure documentation.

*Or see Deploying Tanzu Kubernetes Grid in an Internet-Restricted Environment for installing without external network access.

Network Security Groups on Azure

Tanzu Kubernetes Grid management and workload clusters on Azure require the following Network Security Groups (NSGs) to be defined on their VNET:

  • One control plane NSG shared by the control plane nodes of all clusters, including the management cluster and the workload clusters that it manages.
  • One worker NSG for each cluster, for the cluster's worker nodes.

If you do not specify a VNET when deploying a management cluster, the deployment process creates a new VNET along with the NSGs required for the management cluster. If you optionally create a VNET for Tanzu Kubernetes Grid before deploying a management cluster, you must also create these NSGs as described in the General Requirements above.

For each workload cluster that you deploy later, you need to create a worker NSG named CLUSTER-NAME-node-nsg, where CLUSTER-NAME is the name of the workload cluster. This worker NSG must have the same VNET and region as its management cluster.

Register Tanzu Kubernetes Grid as an Azure Client App

Tanzu Kubernetes Grid manages Azure resources as a registered client application that accesses Azure through a service principal. The following steps register your Tanzu Kubernetes Grid application with Azure Active Directory, create a client secret for authenticating communications, and record information needed later to deploy a management cluster.

  1. Log in to the Azure Portal.

  2. Record your Tenant ID by hovering over your account name at upper-right, or else browse to Azure Active Directory > <Your Azure Org> > Properties > Tenant ID. The value is a GUID, for example b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0.

  3. Browse to Active Directory > App registrations and click + New registration.

  4. Enter a display name for the app, such as tkg, and select who else can use it. You can leave the Redirect URI (optional) field blank.

  5. Click Register. This registers the application with an Azure service principal account as described in How to: Use the portal to create an Azure AD application and service principal that can access resources in the Azure documentation.

  6. An overview pane for the app appears. Record its Application (client) ID value, which is a GUID.

  7. From the Azure Portal top level, browse to Subscriptions. At the bottom of the pane, select one of the subscriptions you have access to, and record its Subscription ID. Click the subscription listing to open its overview pane.

  8. Select to Access control (IAM) and click Add a role assignment.

  9. In the Add role assignment pane:

    • Select the Owner role if you plan to register your Tanzu Kubernetes Grid clusters with Tanzu Mission Control. Otherwise, select the Contributor role.
    • Set Assign access to to Azure AD user, group, or service principal.
    • Under Select, enter the name of your app, tkg. It appears under Selected Members.
  10. Click Save.

  11. From the Azure Portal > Azure Active Directory > App Registrations, select your tkg app under Owned applications. The app overview pane opens.

  12. From Certificates & secrets > Client secrets click + New client secret.

  13. In the Add a client secret popup, enter a Description, choose an expiration period, and click Add.

  14. Azure lists the new secret with its generated value under Client Secrets. Record the value.

Accept the Base Image License

To run management cluster VMs on Azure, accept the license for their base Kubernetes version and machine OS.

  1. Sign in to the Azure CLI as your tkg client application.

    az login --service-principal --username AZURE_CLIENT_ID --password AZURE_CLIENT_SECRET --tenant AZURE_TENANT_ID

    Where AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID are your tkg app's client ID and secret and your tenant ID, as recorded in Register Tanzu Kubernetes Grid as an Azure Client App.

  2. Run the az vm image terms accept command, specifying the --plan and your Subscription ID.

    In Tanzu Kubernetes Grid v1.3.1, the default cluster image --plan value is k8s-1dot20dot5-ubuntu-2004, based on Kubernetes version 1.20.5 and the machine OS, Ubuntu 20.04. Run the following command:

    az vm image terms accept --publisher vmware-inc --offer tkg-capi --plan k8s-1dot20dot5-ubuntu-2004 --subscription AZURE_SUBSCRIPTION_ID

    Where AZURE_SUBSCRIPTION_ID is your Azure subscription ID.

You must repeat this to accept the base image license for every version of Kubernetes or OS that you want to use when you deploy clusters, and every time that you upgrade to a new version of Tanzu Kubernetes Grid.

Create an SSH Key Pair (Optional)

You deploy management clusters from a machine referred to as the bootstrap machine, using the Tanzu CLI. To connect to Azure, the bootstrap machine must provide the public key part of an SSH key pair. If your bootstrap machine does not already have an SSH key pair, you can use a tool such as ssh-keygen to generate one.

  1. On your bootstrap machine, run the following ssh-keygen command.

    ssh-keygen -t rsa -b 4096 -C ""
  2. At the prompt Enter file in which to save the key (/root/.ssh/id_rsa): press Enter to accept the default.
  3. Enter and repeat a password for the key pair.
  4. Add the private key to the SSH agent running on your machine, and enter the password you created in the previous step.

    ssh-add ~/.ssh/id_rsa
  5. Open the file .ssh/ in a text editor so that you can easily copy and paste it when you deploy a management cluster.

Preparation Checklist

Use this checklist to make sure you are prepared to deploy a Tanzu Kubernetes Grid management cluster to Azure:

  • Tanzu CLI installed

    • Run tanzu version. The output should list version: v1.3.1.
  • Azure account

    • Log in to the Azure web portal at
  • Azure CLI installed

    • Run az version. The output should list the current version of the Azure CLI as listed in Install the Azure CLI, in the Microsoft Azure documentation.
  • Registered tkg app

  • Base VM image license accepted

    • Run az vm image terms show --publisher vmware-inc --offer tkg-capi --plan k8s-1dot20dot5-ubuntu-2004. The output should contain "accepted": true.

What to Do Next

For production deployments, it is strongly recommended to enable identity management for your clusters. For information about the preparatory steps to perform before you deploy a management cluster, see Enabling Identity Management in Tanzu Kubernetes Grid.

If you are using Tanzu Kubernetes Grid in an environment with an external internet connection, once you have set up identity management, you are ready to deploy management clusters to Azure.

check-circle-line exclamation-circle-line close-line
Scroll to top icon