Prepare to Deploy Management Clusters to Microsoft Azure

This topic explains how to prepare Microsoft Azure for running Tanzu Kubernetes Grid.

If you are installing Tanzu Kubernetes Grid on Azure VMware Solution (AVS), you are installing to a vSphere environment. See Preparing Azure VMware Solution on Microsoft Azure in Prepare a vSphere Management as a Service Infrastructure to prepare your environment and Prepare to Deploy Management Clusters to vSphere to deploy management clusters.

Installation Process Overview

The following diagram shows the high-level steps for installing a Tanzu Kubernetes Grid management cluster on Azure, and the interfaces you use to perform them.

These steps include the preparations listed below plus the procedures described in either Deploy Management Clusters with the Installer Interface or Deploy Management Clusters from a Configuration File.

Process Diagram: Start, Install the Tanzu CLI, Register a TKG App on Azure, Accept the Base Image License. If first deploy and no advanced config options, deploy with installer interface. Else deploy with config file.

For your convenience, a Preparation Checklist is available at the end of this page to ensure you are prepared to deploy a Tanzu Kubernetes Grid management cluster to Azure.

General Requirements

The Tanzu CLI installed locally. See Install the Tanzu CLI and Other Tools.

A Microsoft Azure account with the following:

Permissions required to create a service principal and assign the Virtual Machine Contributor and Network Contributor or Owner roles to it.
For more information about the roles, see Azure built-in roles.

Sufficient VM core (vCPU) quotas for your clusters. A standard Azure account has a quota of 10 vCPU per region. The vCPU requirements will depend on whether you will use prod or dev plan. To learn more about the plans, see Tanzu Kubernetes Cluster Plans.
Tanzu Kubernetes Grid clusters require 2 vCPU per node, which translates to:

Management cluster:
- dev plan: 4 vCPU (1 main, 1 worker)
- prod plan: 8 vCPU (3 main , 1 worker)
Each workload cluster:
- dev plan: 4 vCPU (1 main, 1 worker)
- prod plan: 12 vCPU (3 main , 3 worker)

For example, assuming a single management cluster and all clusters with the same plan:

Plan	Workload Clusters	vCPU for Workload	vCPU for Management	Total vCPU
Dev	1	4	4	8
Dev	5	20	4	24
Prod	1	12	8	20
Prod	5	60	8	68

Sufficient public IP address quotas for your clusters, including the quota for Public IP Addresses - Standard, Public IP Addresses - Basic, and Static Public IP Addresses. A standard Azure account has a quota of 10 public IP addresses per region. Every Tanzu Kubernetes Grid cluster requires 2 Public IP addresses regardless of how many control plane nodes and worker nodes it has. For each Kubernetes Service object with type LoadBalancer, 1 Public IP address is required.

Traffic is allowed between your local bootstrap machine and the image repositories listed in the management cluster Bill of Materials (BoM) file, over port 443, for TCP.*
- The BoM file is under ~/.config/tanzu/tkg/bom/, and its name includes the Tanzu Kubernetes Grid version. For example, tkg-bom-v1.5.4+vmware.1 .yaml.
- Run a DNS lookup on all imageRepository values to find their CNAMEs.
(Optional) OpenSSL installed locally, to create a new key-pair or validate the download package thumbprint. See OpenSSL.
(Optional) A Virtual Network (VNet) with:
- A subnet for the management cluster control plane node
- A Network Security Group (NSG) in the cluster’s VNet resource group that is on the control plane subnet and has the following inbound security rules, to enable SSH and Kubernetes API server connections:
  - Allow TCP over port 22 for any source and destination
  - Allow TCP over port 6443 for any source and destination Port 6443 is where the Kubernetes API is exposed on VMs in the clusters you create. To change this port for a management or a workload cluster, set the CLUSTER_API_SERVER_PORT variable when deploying the cluster.
- A subnet for the management cluster worker nodes
- An NSG for the management cluster worker nodes that is in the cluster’s VNet resource group and on the cluster’s worker node subnet
If you do not use an existing VNet, the installation process creates a new one.
The Azure CLI installed locally. See Install the Azure CLI in the Microsoft Azure documentation.

*Or see Prepare an Internet-Restricted Environment for installing without external network access.

Management Cluster Sizing Examples

The table below describes sizing examples for management clusters on Azure. Use this data as guidance to ensure your management cluster is scaled to handle the number of workload clusters that you plan to deploy. The Workload cluster VM size column lists the VM sizes that were used for the examples in the Can manage… column.

Management cluster plan	Management cluster VM size	Can manage …	Workload cluster VM size
3 control plane nodes and 3 worker nodes	Control plane nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB) Worker nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB)	Examples: 5 workload clusters, each cluster deployed with 3 control plane and 200 worker nodes; or 10 workload clusters, each cluster deployed with 3 control plane and 50 worker nodes	Control plane nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB) Worker nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB)
3 control plane nodes and 3 worker nodes	Control plane nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB) Worker nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB)	Example: One workload cluster, deployed with 3 control plane and 250 worker nodes	Control plane nodes: `Standard_D4s_v3` (CPU: 4; memory: 16 GB; SSD: 32 GB) Worker nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB)
3 control plane nodes and 3 worker nodes	Control plane nodes: `Standard_D4s_v3` (CPU: 4; memory: 16 GB; SSD: 32 GB) Worker nodes: `Standard_D4s_v3` (CPU: 4; memory: 16 GB; SSD: 32 GB)	Example: 199 workload clusters, each deployed with 3 control plane and 3 worker nodes	Control plane nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB) Worker nodes: `Standard_D2s_v3` (CPU: 2; memory: 8 GB; SSD: 16 GB)

Create Azure NSGs for Existing VNet

Tanzu Kubernetes Grid management and workload clusters on Azure require two Network Security Groups (NSGs) to be defined on their VNet and in their VNet resource group:

An NSG named CLUSTER-NAME-controlplane-nsg and associated with the cluster’s control plane subnet
An NSG named CLUSTER-NAME-node-nsg An NSG named CLUSTER-NAME-node-nsg and associated with the cluster’s worker node subnet

Where CLUSTER-NAME is the name of the cluster.

If you specify an existing VNet for the management cluster, you must create these NSGs as described in the General Requirements above. An existing VNet for a management cluster is specified with Select an existing VNET in the installer interface or AZURE_VNET_NAME in its configuration file.

If you do not specify an existing VNet for the cluster, the deployment process creates a new VNet and the required NSGs.

See the Microsoft Azure table in the Tanzu CLI Configuration File Variable Reference for how to configure the cluster’s VNet, resource groups, and subnets.

Register Tanzu Kubernetes Grid as an Azure Client App

Tanzu Kubernetes Grid manages Azure resources as a registered client application that accesses Azure through a service principal. To create the service principal and configure its access to Azure resources, you can use the az ad sp create-for-rbac command.

Create the service principal and assign the the Owner role to it if you plan to register your Tanzu Kubernetes Grid clusters with Tanzu Mission Control, or the Virtual Machine Contributor and Network Contributor roles otherwise. The example below creates a service principal named tkg with the Virtual Machine Contributor and Network Contributor roles.

az ad sp create-for-rbac --role "Network Contributor" --name "<ServicePrincipalName>"
az role assignment create --assignee <APP_ID> --role "Virtual Machine Contributor"

The following example creates a service principal named tkg and assigns the Network Contributor and Virtual Machine Contributor roles to tkg.

az ad sp create-for-rbac --role "Network Contributor" --name "tkg"
Creating 'Network Contributor' role assignment under scope '/subscriptions/c789uce3-aaaa-bbbb-cccc-a51b6b0gb405'
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
'name' property in the output is deprecated and will be removed in the future. Use 'appId' instead.
{
"appId": "c407cfd4-aaaa-bbbb-cccc-80af703eb0ed",
"displayName": "tkg",
"name": "c407cfd4-aaaa-bbbb-cccc-80af703eb0ed",
"password": "R6yM_.aaaabbbbccccdddd111122223333",
"tenant": "9c117323-aaaa-bbbb-cccc-9ee430723ba3"
}
az role assignment create --assignee c407cfd4-aaaa-bbbb-cccc-80af703eb0ed --role "Virtual Machine Contributor"

Record the output. You will use this information in following Accept the Base Image License steps and later when deploying a management cluster. For the full list of options that are supported by az ad sp create-for-rbac, see az ad sp create-for-rbac in the Azure documentation.

Accept the Base Image License

To run management cluster VMs on Azure, accept the license for their base Kubernetes version and machine OS.

Run the az vm image terms accept command, specifying the --plan and your subscription ID.

In Tanzu Kubernetes Grid v1.5.4, the default cluster image --plan value is k8s-1dot22dot9-ubuntu-2004, based on Kubernetes version 1.22.9 and the machine OS, Ubuntu 20.04. Run the following command:

az vm image terms accept --publisher vmware-inc --offer tkg-capi --plan k8s-1dot22dot9-ubuntu-2004 --subscription AZURE_SUBSCRIPTION_ID

Where AZURE_SUBSCRIPTION_ID is your Azure subscription ID.

You must repeat this to accept the base image license for every version of Kubernetes or OS that you want to use when you deploy clusters, and every time that you upgrade to a new version of Tanzu Kubernetes Grid.

Create an SSH Key Pair (Optional)

You deploy management clusters from a machine referred to as the bootstrap machine, using the Tanzu CLI. To connect to Azure, the bootstrap machine must provide the public key part of an SSH key pair. If your bootstrap machine does not already have an SSH key pair, you can use a tool such as ssh-keygen to generate one.

On your bootstrap machine, run the following ssh-keygen command.
```
ssh-keygen -t rsa -b 4096 -C "email@example.com"
```
At the prompt Enter file in which to save the key (/root/.ssh/id_rsa): press Enter to accept the default.
Enter and repeat a password for the key pair.
Add the private key to the SSH agent running on your machine, and enter the password you created in the previous step.
```
ssh-add ~/.ssh/id_rsa
```
Open the file .ssh/id_rsa.pub in a text editor so that you can easily copy and paste it when you deploy a management cluster.

Preparation Checklist

Use this checklist to make sure you are prepared to deploy a Tanzu Kubernetes Grid management cluster to Azure:

Tanzu CLI installed
- Run tanzu version. The output should list version: v0.11.6, which is the Tanzu Framework version in Tanzu Kubernetes Grid v1.5.4.
Azure account
- Log in to the Azure web portal at https://portal.azure.com.
Azure CLI installed
- Run az version. The output should list the current version of the Azure CLI as listed in Install the Azure CLI, in the Microsoft Azure documentation.
Registered tkg app
- In the Azure portal, select Active Directory > App Registrations > Owned applications and confirm that your tkg app is listed as configured in Register Tanzu Kubernetes Grid as an Azure Client App above, and with a current secret.
- Alternatively, in the Azure CLI, run az ad sp show --id.
Base VM image license accepted
- Run az vm image terms show --publisher vmware-inc --offer tkg-capi --plan k8s-1dot22dot9-ubuntu-2004. The output should contain "accepted": true.

What to Do Next

For production deployments, it is strongly recommended to enable identity management for your clusters: * For information about the preparatory steps to perform before you deploy a management cluster, see Obtain Your Identity Provider Details in Configure Identity Management. * For conceptual information about identity management and access control in Tanzu Kubernetes Grid, see About Identity and Access Management.

If you are using Tanzu Kubernetes Grid in an environment with an external internet connection, once you have set up identity management, you are ready to deploy management clusters to Azure.

Deploy Management Clusters with the Installer Interface. This is the preferred option for first deployments.
Deploy Management Clusters from a Configuration File. This is the more complicated method, that allows greater flexibility of configuration.
If you want to deploy clusters to vSphere and Amazon EC2 as well as to Azure, see Prepare to Deploy Management Clusters to vSphere and Prepare to Deploy Management Clusters to Amazon EC2 for the required setup for those platforms.