This topic describes a reference architecture for VMware Tanzu Operations Manager (Ops Manager), including VMware Tanzu Application Service for VMs (TAS for VMs), on VMware Managed Cloud for AWS (VMC). It builds on the common base architectures described in Platform Architecture and Planning Overview.

For specific installation instructions for running TAS for VMs on VMC, see Deploying TAS for VMs to VMC.


These sections provide guidance about networking resources.

Networks, Subnets, and IP Address Spacing Planning

When planning networks, subnets, and IP address spacing, consider the following:


When deploying Ops Manager and TAS for VMs to VMC, VMware recommends creating a dedicated Virtual Private Cloud (VPC) on AWS to connect to your VMC SDDC.

Placing AWS services such as RDS in a dedicated connected VPC allows you to connect them to your SDDC while disallowing access from other networks. The AWS VPC is associated to your SDDC when you connect your AWS account.

For more information, see Connected AWS Account in Deploying and Managing a Software-Defined Data Center.


Provision a single RDS instance to use as the external database for TAS for VMs. For compatibility, VMware recommends using MySQL.

New database instances require several databases to be created. For more information, see External System Database Configuration in Configuring TAS for VMs.

VMware recommends provisioning your RDS instance in the connected VPC. This allows you to connect to the endpoint for your RDS instance without making your database publicly accessible.

Blobstore Storage Accounts

TAS for VMs requires S3 buckets for each of the following:

  • Buildpacks
  • Droplets
  • Packages
  • Resources

For better security, use a gateway endpoint so that only requests from your SDDC can access your S3 buckets. To achieve this configuration:

  1. Create a gateway endpoint for S3. Follow Step 1 in Access an S3 Bucket Using an S3 Endpoint.
  2. Create the S3 buckets required by TAS for VMs.
  3. Add a security rule that disallows requests to the S3 bucket unless they come through the VPC endpoint. For more information, see How can I restrict access to my Amazon S3 bucket using specific VPC endpoints or IP addresses? in the AWS documentation. This should look like the following:

      "Id": "VPCe",
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "VPCe",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::BUCKET-NAME/*",
        "Condition": {
          "StringNotEquals": {
            "aws:SourceVpce": "vpce-0123456abcdef0123"

    Where and BUCKET-NAME is your S3 bucket’s Amazon Resource Name (ARN) and vpce-0123456abcdef0123 is your gateway endpoint ID.

check-circle-line exclamation-circle-line close-line
Scroll to top icon