This topic tells you about the OpenStack reference architecture for VMware Tanzu Application Service for VMs (TAS for VMs), which runs on VMware Tanzu Operations Manager. This architecture is valid for most production grade Tanzu Operations Manager deployments in a single project using three availability zones (AZs).
For general requirements for running Tanzu Operations Manager and specific requirements for running Tanzu Operations Manager on OpenStack, see OpenStack on Tanzu Operations Manager requirements.
a Tanzu Operations Manager reference architecture describes a proven approach for deploying Tanzu Operations Manager on a specific IaaS, such as OpenStack, that meets these requirements:
Secure
Publicly-accessible
Includes common Tanzu Operations Manager-managed runtimes and services, such as for TAS for VMs, VMware Tanzu SQL, VMware Tanzu RabbitMQ, and Spring Cloud Services for VMware Tanzu
Can host at least 100 app instances
VMware provides reference architectures to help you determine the best configuration for your Tanzu Operations Manager deployment.
The following table lists the components of a base reference architecture deployment on OpenStack with three AZs:
Component | Reference architecture notes |
---|---|
Domains and DNS | Domain zones and routes in use by the reference architecture include:
|
Tanzu Operations Manager VM | Deployed on the infrastructure network and accessible by fully-qualified domain name (FQDN) or through an optional jumpbox. |
BOSH Director | Deployed on the infrastructure network. |
Application load balancer | Required. Load balancer that handles incoming HTTP, HTTPS, TCP, and SSL traffic and forwards them to the Gorouters. Load balancers are outside the scope of this topic. |
SSH Load Balancer | Optional. Load balancer that provides SSH access to app containers for developers. Load balancers are outside the scope of this topic. |
Gorouters | Accessed through the Application Load Balancer. Deployed on the TAS for VMs network, one per AZ. |
Diego Brains | This component is required. However, the SSH container access functionality is optional and enabled through the SSH load balancers. Deployed on the TAS for VMs network, one per AZ. |
TCP Routers | Optional feature for TCP routing. Deployed on the TAS for VMs network, one per AZ. |
Database | Reference architecture uses internal MySQL. |
Storage Buckets | Reference architecture uses customer-provided blobstore. Buckets are needed for BOSH and TAS for VMs. |
Service Tiles | Deployed on the services network. |
Service Accounts | VMware recommends two service accounts: one for OpenStack "paving," and the other for Tanzu Operations Manager and BOSH.
|
OpenStack Quota | The default compute quota on a new OpenStack subscription is typically not enough to host a multi-AZ deployment. VMware recommends a quota of 100 for instances. Your OpenStack network quotas may also need to be increased. |
The following table lists the network objects in this reference architecture:
Network Object | Notes | Estimated Number | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Floating IP addresses | Two per deployment: one assigned to Tanzu Operations Manager, the other to your jumpbox. | 2 | ||||||||||||||||||||
Project | One per deployment. A deployment exists within a single project and a single OpenStack region, but should distribute TAS for VMs jobs and service instances across three OpenStack AZs to ensure high availability. | 1 | ||||||||||||||||||||
Networks | The reference architecture requires these Tenant Networks:
In many cases, the public network is an "under the cloud" network that is shared across projects. |
5 | ||||||||||||||||||||
Routers | One router attached to all networks:
|
1 | ||||||||||||||||||||
Security groups | The reference architecture requires one Security Group. The following table describes the Security Group ingress rules:
|
5 | ||||||||||||||||||||
Load Balancers | Tanzu Operations Manager on OpenStack requires a load balancer, which can be configured with multiple listeners to forward HTTP, HTTPS, and TCP traffic. VMware recommends two load balancers: one to forward the traffic to the Gorouters, AppsLB ; and the other to forward the traffic to the Diego Brain SSH proxy, SSHLB . The following table describes the required listeners for each load balancer:
In many cases, the load balancers are provided as an "under the cloud" service that is shared across projects. |
2 | ||||||||||||||||||||
Jumpbox | Optional. Provides a way of accessing different network components. For example, you can configure it with your own permissions, and then set it up to access to Broadcom Support portal to download tiles. Using a jumpbox is particularly useful in IaaSes where the Tanzu Operations Manager VM does not have a public IP address. In these cases, you can SSH into the Tanzu Operations Manager VM or any other component through the jumpbox. | 1 |