This topic describes the VMware Cloud on AWS (VMC) reference architecture for VMware Tanzu Operations Manager, including VMware Tanzu Application Service for VMs (TAS for VMs). This architecture builds on the common base architectures described in Platform architecture and Planning overview.
For specific installation instructions for running TAS for VMs on VMC, see Deploying TAS for VMs to VMC.
This section provides guidance about networking resources.
VMC SDDCs initially provision an NSX-T segment that provides a single /24 (class C sized) subnet for workload VMs. Depending on your IP address requirements, you can use this subnet for your entire TAS for VMs deployment, or add segments from the VMC Console.
If you want the front end of TAS for VMs to be accessible from your corporate network or you need the services running on TAS for VMs to be able to access corporate resources, you must do one of the following:
When you deploy Tanzu Operations Manager and TAS for VMs to VMC, VMware recommends creating a dedicated Virtual Private Cloud (VPC) on AWS to connect to your VMC SDDC.
Placing AWS services such as RDS in a dedicated connected VPC lets you reach them from your SDDC while disallowing access from other networks. The AWS VPC is associated with your SDDC when you connect your AWS account.
For more information, see Connected AWS account in Deploying and Managing a Software-Defined Data Center.
Provision a single RDS instance to use as the external database for TAS for VMs. For compatibility, VMware recommends using MySQL.
New database instances require several databases to be created. For more information, see External system database configuration in Configuring TAS for VMs.
VMware recommends provisioning your RDS instance in the connected VPC. This allows you to connect to the endpoint for your RDS instance without making your database publicly accessible.
TAS for VMs requires S3 buckets for each of the following:
For better security, create a gateway VPC endpoint for S3 in the connected VPC and restrict your buckets to it, so that only requests that traverse the endpoint from your SDDC can reach the buckets. To achieve this configuration:
Add a bucket policy statement that denies all requests to the S3 bucket unless they arrive through the VPC endpoint. Because the statement denies every principal, including users and roles in your own account, any request that does not pass through the endpoint, such as the AWS console or the CLI run from your workstation, loses access to the bucket; verify the policy on a non-production bucket first, or exempt an administrative role before applying it. For more information, see How can I restrict access to my Amazon S3 bucket using specific VPC endpoints or IP addresses? in the AWS documentation. The policy can look like the following:
    {
      "Id": "VPCe",
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "VPCe",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::BUCKET-NAME/*",
        "Condition": {
          "StringNotEquals": {
            "aws:SourceVpce": "vpce-0123456abcdef0123"
          }
        }
      }]
    }
Where:
BUCKET-NAME
is the name of your S3 bucket. The policy refers to the bucket by its Amazon Resource Name (ARN), arn:aws:s3:::BUCKET-NAME.
vpce-0123456abcdef0123
is the ID of your gateway endpoint. Replace it with the endpoint ID shown for the connected VPC in the AWS console.
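The following Python script is an added example and is not part of the VMware page or AWS documentation. It builds the bucket policy described above and then models how IAM evaluates the Deny statement for a few request contexts, which makes the lock-out behaviour concrete: a request that carries a different aws:SourceVpce is denied, and so is a request that carries no aws:SourceVpce at all (console, CLI from a laptop), because negated operators such as StringNotEquals evaluate to true when the key is absent. The bucket name, endpoint ID and the optional admin-role exemption (an ArnNotLike condition on aws:PrincipalArn, which is common practice but not something the page prescribes) are placeholders, and the evaluator is a deliberately minimal model of two IAM operators, not a general policy engine. It also goes slightly beyond the page's policy by listing both the bucket ARN and BUCKET-NAME/*, so that bucket-level operations such as ListBucket are covered as well as object operations.

```python
"""Build the VPC-endpoint-only S3 bucket policy and check how it behaves.

Added example, not from the VMware page. The bucket name, endpoint ID and
admin role ARNs are placeholders (assumptions). The evaluator models only the
StringNotEquals and ArnNotLike operators for a single Deny statement.
"""
import fnmatch
import json


def build_policy(bucket, vpce_id, admin_role_arns=()):
    """Return a bucket policy denying any request not arriving via vpce_id.

    Both the bucket ARN and bucket/* are listed so that ListBucket as well as
    object operations are restricted. admin_role_arns (an assumption, not on
    the page) exempts named break-glass principals via ArnNotLike so that
    operators are not locked out of the bucket from the console.
    """
    condition = {"StringNotEquals": {"aws:SourceVpce": vpce_id}}
    if admin_role_arns:
        condition["ArnNotLike"] = {"aws:PrincipalArn": list(admin_role_arns)}
    return {
        "Id": "VPCe",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VPCe",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": condition,
        }],
    }


def _values(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(condition, ctx):
    """Model of the two operators used above.

    Every operator block must hold for the condition to match (they are ANDed).
    Negated operators (StringNotEquals, ArnNotLike) are TRUE when the request
    context lacks the key entirely, which is why requests from the console or
    the public internet, which carry no aws:SourceVpce, match the Deny.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                if actual is not None and actual in _values(expected):
                    return False
            elif operator == "ArnNotLike":
                if actual is not None and any(
                    fnmatch.fnmatchcase(actual, p) for p in _values(expected)
                ):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def is_denied(policy, ctx):
    """True if any Deny statement in the policy matches request context ctx.

    Action and Resource matching is skipped: the statement above covers s3:*
    on the whole bucket, so only the Condition decides the outcome.
    """
    return any(
        stmt["Effect"] == "Deny"
        and _condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    # Placeholder values (assumptions); substitute your own bucket and endpoint.
    policy = build_policy("tas-droplets-example", "vpce-0123456abcdef0123")
    print(json.dumps(policy, indent=2))
    for label, ctx in [
        ("via gateway endpoint", {"aws:SourceVpce": "vpce-0123456abcdef0123"}),
        ("via another endpoint", {"aws:SourceVpce": "vpce-ffffffffffffffff"}),
        ("from the console / internet", {}),
    ]:
        print(f"{label}: {'DENIED' if is_denied(policy, ctx) else 'not denied'}")
```

The constructed request contexts show why the caveat above matters: with the policy exactly as on the page, the only requests that are not denied are those whose context carries the configured endpoint ID. If you need an administrative path that does not traverse the endpoint, pass the role ARN patterns in admin_role_arns; because the two conditions sit in one statement they are ANDed, so the Deny applies only to requests that are both off-endpoint and from a non-exempt principal.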