This topic describes how to deploy VMware Tanzu Operations Manager (Ops Manager) on Amazon Web Services (AWS).

Before you deploy Ops Manager, see the preparation steps in Preparing to Deploy Ops Manager on AWS.

After you complete this procedure, follow the instructions in Configuring BOSH Director on AWS.

Step 1: Launch an Ops Manager AMI

To launch an Amazon Machine Image (AMI) for Ops Manager:

1. Navigate to the Ops Manager section of VMware Tanzu Network.

2. Select the version of Ops Manager you want to install from the Releases drop-down menu.

3. In the Release Download Files, click the file named Ops Manager for AWS to download a PDF.

4. Open the PDF and identify the AMI ID for your region.

5. Return to the EC2 Dashboard.

6. Click AMIs from the Images menu.

7. Using the Owned by me drop-down filter, select Public images .

8. Paste the AMI ID for your region into the search bar and press enter.

   Note: There is a different AMI for each region. If you cannot locate the AMI for your region, verify that you have set your AWS Management Console to your desired region. If you still cannot locate the AMI, log in to the VMware Tanzu Network and file a Support ticket.

9. (Optional) If you want to encrypt the VM that runs Ops Manager with AWS Key Management Service (KMS), perform the following additional steps:

   1. Right click the row that lists your AMI and click Copy AMI.
   2. Select your Destination region.
   3. Select Encryption. For more information about AMI encryption, see Encryption and AMI Copy from the Copying an AMI topic in the AWS documentation.
   4. Select your Master Key. To create a new custom key, see Creating Keys in the AWS documentation.
   5. Click Copy AMI. You can use the new AMI you copied for the following steps.

10. Select the row that lists your Ops Manager AMI and click Launch instance from AMI.

11. On the Launch an instance page, for Name, enter a name for the Ops Manager VM. For example, enter pcf-ops-manager.

12. Select m5.large for your instance type.

13. Select the pcf-ops-manager-key key pair, and confirm that you have access to the private key file. You use this key pair to access the Ops Manager VM.

14. In the Network settings section, click Edit and configure the following for your instance:

    • Network: Select the VPC that you created.
    • Subnet: Select pcf-public-subnet-az0 to allow traffic from public IP addresses, or pcf-management-subnet-az0 to allow traffic only from private IP addresses.
    • Auto-assign for Public IP: Select Enable to allow traffic from public IP addresses, or Disable to allow traffic only from private IP addresses.
    • Firewall (security groups): Click Select an existing security group and select the pcf-ops-manager-security-group that you created in Configure a Security Group for Ops Manager in Preparing to Deploy Ops Manager on AWS.
    • For all other fields, accept the default values.

15. In the Configure storage section, adjust the Size (GiB) value. The default persistent disk value is 8 GB. VMware recommends increasing this value to a minimum of 100 GB.

16. (Optional) If you are using IAM roles, perform the following additional steps:

    1. Click Advanced details to expand the section.
    2. Select the IAM role associated with the role created in Create an IAM Role or User for Ops Manager in Preparing to Deploy Ops Manager.
    3. For all other fields, accept the default values.

17. In the Summary section, ensure that the number of instances is 1.

18. Click Launch instance.

19. Click View all instances to access the Instances page on the EC2 Dashboard.

Step 2: Create Web Load Balancer

1. On the EC2 Dashboard, click Load Balancers.

2. Click Create Load Balancer.

3. Under Application Load Balancer, click Create.

4. For Step 1: Configure Load Balancer, do the following:

   1. Under Basic Configuration, do the following:

      • For Name, enter pcf-web-elb.
      • For Scheme, select internet-facing to allow traffic from public IP addresses, or internal to allow traffic only from private IP addresses.
      • For IP address type, select the type of IP addresses that you want to allow.
   2. Under Listeners, click Add listener. For Load Balancer Protocol, select HTTPS.
   3. Under Availability Zones, select your VPC.
   4. Check all availability zones. For each availability zone, select pcf-public-subnet-az0 to allow traffic from public IP addresses, or pcf-management-subnet-az0 to allow traffic only from private IP addresses.
   5. Click Next: Configure Security Settings.

5. For Step 2: Configure Security Settings, do the following:

   1. Under Select default certificate, do one of the following:

      • If you already have a certificate from AWS Certificate Manager (ACM), select Choose a certificate from ACM.
      • If you do not have a certificate from ACM, select Upload a certificate to ACM. For more information, see Importing Certificates into AWS Certificate Manager in the AWS documentation.

      Note: For a production or production-like environment, use a certificate from a Certificate Authority (CA). This can be an internal certificate or a purchased certificate. For a sandbox environment, you can use a self-signed certificate, leaving the Certificate chain entry blank.

   2. Click Next: Configure Security Groups.

6. For Step 3: Configure Security Groups, do the following:

   1. Under Assign a security group, select Select an existing security group.
   2. From the list of security groups, select the pcf-web-elb-security-group security group that you configured in Configure a Security Group for the Web ELB in Preparing to Deploy Ops Manager on AWS.
   3. Click Next: Configure Routing.

7. For Step 4: Configure Routing, do the following:

   1. Under Target Group, enter the following values:

      • Name: Enter pcf-web-elb-target-group.
      • Target type: Select Instance.
      • Protocol: Select HTTP.
      • Port: Enter 80.

   2. Under Health checks, enter the following values:

      • Protocol: Select HTTP.
      • Path: Enter /health.

   3. Under Advanced health check settings, enter the following values:

      • Port: Select override and enter 8080.
      • Healthy threshold: Enter 6.
      • Unhealthy threshold: Enter 3.
      • Timeout: Enter 3.
      • Interval: Enter 5.
      • Success codes: Enter 200.

   4. Click Next: Register Targets.

8. For Step 5: Register Targets, accept the default values and click Next: Review.

9. For Step 6: Review, review the load balancer details and then click Create. A message appears to confirm that AWS has successfully created the load balancer.

Step 3: Create SSH Load Balancer

1. From the Load Balancers page, click Create Load Balancer.

2. Select Network Load Balancer.

3. For Step 1: Configure Load Balancer, do the following:

   1. Under Basic Configuration, do the following:

      • For Name, enter pcf-ssh-elb.
      • For Scheme, select internet-facing to allow traffic from public IP addresses, or internal to allow traffic only from private IP addresses.
      • For IP address type, select the type of IP addresses that you want to allow.

   2. Under Listeners, edit the existing listener. For Load Balancer Protocol, select TCP, for Load Balancer Port, enter 2222.

   3. Under Availability Zones, select your VPC.
   4. Check all availability zones. For each availability zone, select pcf-public-subnet-az0 to allow traffic from public IP addresses, or pcf-management-subnet-az0 to allow traffic only from private IP addresses.
   5. Click Next: Configure Security Settings.

4. On the Configure Security Settings page, ignore the Improve your load balancer’s security error message and click Next: Configure Routing.

5. For Step 3: Configure Routing, do the following:

   1. Under Target Group, enter the following values:

      • Name: Enter pcf-ssh-elb-target-group.
      • Target type: Select Instance.
      • Protocol: Select TCP.
      • Port: Enter 2222.

   2. Under Health checks, enter the following values:

      • Protocol: Select TCP.

   3. Under Advanced health check settings, enter the following values:

      • Port: Select traffic port.
      • Healthy threshold: Enter 6.
      • Interval: Select 10 seconds.

   4. Click Next: Register Targets.

6. For Step 4: Register Targets, accept the default values and click Next: Review.

7. For Step 5: Review, review the load balancer details and then click Create. A message appears to confirm that AWS has successfully created the load balancer.

Step 4: Create TCP Load Balancer

1. On the Load Balancers page, click Create Load Balancer.

2. Select Classic Load Balancer.

3. Configure the load balancer with the following information:

   • Load Balancer name: Enter pcf-tcp-elb.
   • Create LB Inside: Select the pcf-vpc VPC that you created in Create a VPC in Preparing to Deploy Ops Manager on AWS.
   • If you want to allow traffic from public IP addresses, ensure that the Create an internal load balancer check box is not selected. If you want to allow traffic only from private IP addresses, select this check box.

4. Under Listener Configuration, add the following rules:

   Load Balancer Protocol	Load Balancer Port	Instance Protocol	Instance Port
   TCP	1024	TCP	1024
   TCP	1025	TCP	1025
   TCP	1026	TCP	1026
   ...	...	...	...
   TCP	1123	TCP	1123

   The ... entry above indicates that you must add listening rules for each port between 1026 and 1123.

5. Under Select Subnets, select either the public or private subnets you configured in Create a VPC in Preparing to Deploy Ops Manager on AWS, and click Next: Assign Security Groups.

6. On the Assign Security Groups page, select the security group pcf-tcp-elb-security-group you configured in Configure a Security Group for the TCP ELB in Preparing to Deploy Ops Manager on AWS, and click Next: Configure Security Settings.

7. On the Configure Security Settings page, ignore the Improve your load balancer’s security error message and click Next: Configure Health Check.

8. On the Configure Health Check page, enter the following values:

   • Ping Protocol: Select TCP.
   • Ping Port: Set to 80.
   • Response Timeout: Set to 3 seconds.
   • Interval: Set to 5 seconds.
   • Unhealthy threshold: Set to 3.
   • Health threshold: Set to 6.

9. Click Next: Add EC2 Instances.

10. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

11. Accept the defaults on the Add Tags page and click Review and Create.

12. Review and confirm the load balancer details, and click Create.

Step 5: Configure DNS Records

1. Perform the following steps for all three of the load balancers you created in previous steps, named pcf-web-elb, pcf-ssh-elb, and pcf-tcp-elb:

   1. From the Load Balancers page, select the load balancer.
   2. On the Description tab, locate the Basic Configuration section and record the DNS name of the load balancer.

2. Click Instances on the left navigation menu to view your EC2 instances.

3. Select the pcf-ops-manager instance created in Step 1: Launch an Ops Manager AMI.

4. On the Description tab, record the value for IPv4 Public IP.

5. Navigate to your DNS provider and create the following CNAME and A records:

   • CNAME: *.apps.DOMAIN.com and *.system.DOMAIN.com points to the DNS name of the pcf-web-elb load balancer.
   • CNAME: ssh.system.DOMAIN.com points to the DNS name of the pcf-ssh-elb load balancer.
   • CNAME: tcp.system.DOMAIN.com points to the DNS name of the pcf-tcp-elb load balancer.
   • A: pcf.DOMAIN.com points to the public IP address of the pcf-ops-manager EC2 instance.

   Where DOMAIN is a domain name. VMware recommends that you use the same domain name for each record.

6. Click Assign Security Groups.

Step 6: Create RDS Subnet Group

1. Navigate to the RDS Dashboard.

2. Perform the following steps to create a RDS Subnet Group for the two RDS subnets:

   1. Click Subnet Groups>Create DB Subnet Group.

   2. Enter the following values:

      • Name: Enter pcf-rds-subnet-group.
      • Description: Enter a description to identify this subnet group.
      • VPC ID: Select pcf-vpc.
      • Availability Zone and Subnet ID: Choose the AZ and subnet for pcf-rds-subnet-az0 and click Add.

   3. Repeat the steps above to add pcf-rds-subnet-az1 and pcf-rds-subnet-az2 to the group.

   4. Click Create.

   Note: On the Subnet Group page, you may need to refresh the page to view the new group.

   Note: On the Subnet Group page, you may need to refresh the page to view the new group.

Step 7: Create a MySQL Database Using AWS RDS

Note: You must have an empty MySQL database when you install or reinstall Ops Manager on AWS.

1. Navigate to the RDS Dashboard.

2. Click Create database to launch the wizard.

3. Under Engine type, select MySQL.

4. Under Templates, select Production to create a database for production environments.

5. Specify the following database details:

   • DB Instance Identifier: Enter pcf-ops-manager-director.

   • Enter a secure Master Username and Master Password.

     Note: Record the username and password. You need these credentials later when configuring the Director Config page in the BOSH Director tile.

   • DB Instance Class: Select db.m5.large - 2 vCPU, 7.5 GiB RAM.

   • Storage Type: Select Provisioned IOPS SSD.
   • Allocated Storage: Enter 100 GB.
   • Multi-AZ Deployment: Select Create a standby instance.

6. In the Connectivity section, enter the following values:

   • VPC: Select pcf-vpc.
   • Subnet Group: Select the pcf-rds-subnet-group you created in Step 6: Create RDS Subnet Group.
   • Publicly Accessible: Select No.
   • VPC Security Groups: Select the pcf-mysql-security-group that you created in Configure a Security Group for MySQL in Preparing to Deploy Ops Manager on AWS.
   • Accept the default values for the remaining fields.

7. In the Additional configuration section, enter the following values:

   • Initial Database Name: Enter bosh.
   • Accept the default values for the remaining fields.

8. Click Launch DB Instance. Launching the instance may take several minutes.

Next Steps

When the instance has launched, you the following:

• Review Required AWS Objects to verify that you created the correct resources in AWS.
• Proceed to Configuring BOSH Director on AWS to continue deploying Ops Manager.