This topic tells you about the OpenStack reference architecture for VMware Tanzu Application Service for VMs (TAS for VMs), which runs on VMware Tanzu Operations Manager. This architecture is valid for most production grade Tanzu Operations Manager deployments in a single project using three availability zones (AZs).

For general requirements for running Tanzu Operations Manager and specific requirements for running Tanzu Operations Manager on OpenStack, see OpenStack on Tanzu Operations Manager requirements.

Tanzu Operations Manager reference architectures

a Tanzu Operations Manager reference architecture describes a proven approach for deploying Tanzu Operations Manager on a specific IaaS, such as OpenStack, that meets these requirements:

  • Secure

  • Publicly-accessible

  • Includes common Tanzu Operations Manager-managed runtimes and services, such as for TAS for VMs, VMware Tanzu SQL, VMware Tanzu RabbitMQ, and Spring Cloud Services for VMware Tanzu

  • Can host at least 100 app instances

VMware provides reference architectures to help you determine the best configuration for your Tanzu Operations Manager deployment.

Base reference architecture components

The following table lists the components of a base reference architecture deployment on OpenStack with three AZs:

Component Reference architecture notes
Domains and DNS Domain zones and routes in use by the reference architecture include:

  • Zones for *.apps and *.sys (required)
  • A route for Tanzu Operations Manager (required)
  • A route for Doppler (required)
  • A route for Loggregator (required)
  • A route for SSH access to app containers (optional)
  • A route for TCP access to TCP routers (optional)
Tanzu Operations Manager VM Deployed on the infrastructure network and accessible by fully-qualified domain name (FQDN) or through an optional jumpbox.
BOSH Director Deployed on the infrastructure network.
Application load balancer Required. Load balancer that handles incoming HTTP, HTTPS, TCP, and SSL traffic and forwards them to the Gorouters. Load balancers are outside the scope of this topic.
SSH Load Balancer Optional. Load balancer that provides SSH access to app containers for developers. Load balancers are outside the scope of this topic.
Gorouters Accessed through the Application Load Balancer. Deployed on the TAS for VMs network, one per AZ.
Diego Brains This component is required. However, the SSH container access functionality is optional and enabled through the SSH load balancers. Deployed on the TAS for VMs network, one per AZ.
TCP Routers Optional feature for TCP routing. Deployed on the TAS for VMs network, one per AZ.
Database Reference architecture uses internal MySQL.
Storage Buckets Reference architecture uses customer-provided blobstore. Buckets are needed for BOSH and TAS for VMs.
Service Tiles Deployed on the services network.
Service Accounts VMware recommends two service accounts: one for OpenStack "paving," and the other for Tanzu Operations Manager and BOSH.

  • Admin account: Concourse uses this account to provision required OpenStack resources as well as a Keystone service account.
  • Keystone service account: This service account is automatically provisioned with access restricted to only resources needed by Tanzu Operations Manager and BOSH.
OpenStack Quota The default compute quota on a new OpenStack subscription is typically not enough to host a multi-AZ deployment. VMware recommends a quota of 100 for instances. Your OpenStack network quotas may also need to be increased.

OpenStack objects

The following table lists the network objects in this reference architecture:

Network Object Notes Estimated Number
Floating IP addresses Two per deployment: one assigned to Tanzu Operations Manager, the other to your jumpbox. 2
Project One per deployment. A deployment exists within a single project and a single OpenStack region, but should distribute TAS for VMs jobs and service instances across three OpenStack AZs to ensure high availability. 1
Networks The reference architecture requires these Tenant Networks:
  • 1 x (/24) Infrastructure (Tanzu Operations Manager, BOSH Director, Jumpbox).
  • 1 x (/20) TAS for VMs (Gorouters, Diego Cells, Cloud Controllers, etc.).
  • 1 x (/20) Services (VMware Tanzu SQL, VMware Tanzu RabbitMQ, and Spring Cloud Services for VMware Tanzu, etc.)
  • 1 x (/24) On-demand services (various)
An internet-facing network is also required:
  • One Public network.

In many cases, the public network is an "under the cloud" network that is shared across projects.

5
Routers One router attached to all networks:
  • VirtualRouter: This router table enables the ingress and egress routes to and from the internet to the project networks and provides SNAT services.
1
Security groups The reference architecture requires one Security Group. The following table describes the Security Group ingress rules:
Security Group Port From CIDR Protocol Description
OpsMgrSG 22 0.0.0.0/0 TCP Tanzu Operations Manager VM SSH access
OpsMgrSG 443 0.0.0.0/0 TCP Tanzu Operations Manager VM HTTP access
VmsSG ALL VPC_CIDR ALL To open connections among BOSH-deployed VMs
Additional security groups might be needed, specific to your chosen load balancing solution.
5
Load Balancers Tanzu Operations Manager on OpenStack requires a load balancer, which can be configured with multiple listeners to forward HTTP, HTTPS, and TCP traffic. VMware recommends two load balancers: one to forward the traffic to the Gorouters, AppsLB; and the other to forward the traffic to the Diego Brain SSH proxy, SSHLB.

The following table describes the required listeners for each load balancer:
Name Instance/Port Load Balancer Port Protocol Description
AppsLB gorouter/80 80 HTTP Forward traffic to Gorouters
AppsLB gorouter/80 443 HTTPS SSL termination and forward traffic to Gorouters
SSHLB diego-brain/2222 2222 TCP Forward traffic to Diego Brain for container SSH connections
Each load balancer needs a check to validate the health of the back end instances:
  • AppsLB checks the health on Gorouter port 80 with TCP.
  • SSHLB checks the health on Diego Brain port 2222 with TCP.

In many cases, the load balancers are provided as an "under the cloud" service that is shared across projects.

2
Jumpbox Optional. Provides a way of accessing different network components. For example, you can configure it with your own permissions, and then set it up to access to Broadcom Support portal to download tiles. Using a jumpbox is particularly useful in IaaSes where the Tanzu Operations Manager VM does not have a public IP address. In these cases, you can SSH into the Tanzu Operations Manager VM or any other component through the jumpbox. 1
check-circle-line exclamation-circle-line close-line
Scroll to top icon