This topic describes the VMware Managed Cloud for AWS (VMC) reference architecture for VMware Tanzu Operations Manager, including VMware Tanzu Application Service for VMs (TAS for VMs). This architecture builds on the common base architectures described in Platform architecture and Planning overview.

For specific installation instructions for running TAS for VMs on VMC, see Deploying TAS for VMs to VMC.

Networking

This section provides guidance about networking resources.

• VMC SDDCs initially provision an NSX-T segment that provides a single class C subnet for workload VMs. Depending on your IP address requirements, you can use this subnet for your entire TAS for VMs deployment, or add additional segments from the VMC Console.

• If you want the front end of TAS for VMs to be accessible from your corporate network or you need the services running on TAS for VMs to be able to access corporate resources, you must do one of the following:

  • Provision public IP addresses from the SDDC console. For more information, see Request or Release a Public IP Address.
  • Connect your SDDC to your on-premises data center with Direct Connect. For more information, see Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center.
  • Connect your SDDC to your on-premises data center with a VPN. For more information, see Configure a VPN Connection Between Your SDDC and On-Premises Data Center.

AWS VPCs

When you deploy Tanzu Operations Manager and TAS for VMs to VMC, VMware recommends creating a dedicated Virtual Private Cloud (VPC) on AWS to connect to your VMC SDDC.

Placing AWS services such as RDS in a dedicated connected VPC allows you to connect them to your SDDC while disallowing access from other networks. The AWS VPC is associated to your SDDC when you connect your AWS account.

For more information, see Connected AWS account in Deploying and Managing a Software-Defined Data Center.

RDS

Provision a single RDS instance to use as the external database for TAS for VMs. For compatibility, VMware recommends using MySQL.

New database instances require several databases to be created. For more information, see External system database configuration in Configuring TAS for VMs.

VMware recommends provisioning your RDS instance in the connected VPC. This allows you to connect to the endpoint for your RDS instance without making your database publicly accessible.

Blobstore storage accounts

TAS for VMs requires S3 buckets for each of the following:

• Buildpacks
• Droplets
• Packages
• Resources

For better security, use a gateway endpoint so that only requests from your SDDC can access your S3 buckets. To achieve this configuration:

1. Create a gateway endpoint for S3. Follow Step 1 in Access an S3 Bucket using an S3 endpoint.
2. Create the S3 buckets required by TAS for VMs.

3. Add a security rule that disallows requests to the S3 bucket unless they come through the VPC endpoint. For more information, see How can I restrict access to my Amazon S3 bucket using specific VPC endpoints or IP addresses? in the AWS documentation. This can look like the following:

   {
     "Id": "VPCe",
     "Version": "2012-10-17",
     "Statement": [{
       "Sid": "VPCe",
       "Effect": "Deny",
       "Principal": "*",
       "Action": "s3:*",
       "Resource": "arn:aws:s3:::BUCKET-NAME/*",
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpce": "vpce-0123456abcdef0123"
         }
       }
     }]
   }
   

   Where:

   • BUCKET-NAME is your S3 bucket’s Amazon Resource Name (ARN)
   • vpce-0123456abcdef0123 is your gateway endpoint ID