This topic describes the VMware Managed Cloud for AWS (VMC) reference architecture for VMware Tanzu Operations Manager, including VMware Tanzu Application Service for VMs (TAS for VMs). This architecture builds on the common base architectures described in Platform architecture and Planning overview.

For specific installation instructions for running TAS for VMs on VMC, see Deploying TAS for VMs to VMC.

Networking

This section provides guidance about networking resources.

AWS VPCs

When you deploy Tanzu Operations Manager and TAS for VMs to VMC, VMware recommends creating a dedicated Virtual Private Cloud (VPC) on AWS to connect to your VMC SDDC.

Placing AWS services such as RDS in a dedicated connected VPC allows you to connect them to your SDDC while disallowing access from other networks. The AWS VPC is associated with your SDDC when you connect your AWS account.

For more information, see Connected AWS account in Deploying and Managing a Software-Defined Data Center.

RDS

Provision a single RDS instance to use as the external database for TAS for VMs. For compatibility, VMware recommends using MySQL.

New database instances require several databases to be created. For more information, see External system database configuration in Configuring TAS for VMs.

VMware recommends provisioning your RDS instance in the connected VPC. This allows you to connect to the endpoint for your RDS instance without making your database publicly accessible.

Blobstore storage accounts

TAS for VMs requires S3 buckets for each of the following:

  • Buildpacks
  • Droplets
  • Packages
  • Resources

For better security, use a gateway endpoint so that only requests from your SDDC can access your S3 buckets. To achieve this configuration:

  1. Create a gateway endpoint for S3. Follow Step 1 in Access an S3 Bucket using an S3 endpoint.
  2. Create the S3 buckets required by TAS for VMs.
  3. Add a security rule that disallows requests to the S3 bucket unless they come through the VPC endpoint. For more information, see How can I restrict access to my Amazon S3 bucket using specific VPC endpoints or IP addresses? in the AWS documentation. This can look like the following:

    {
      "Id": "VPCe",
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "VPCe",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::BUCKET-NAME",
          "arn:aws:s3:::BUCKET-NAME/*"
        ],
        "Condition": {
          "StringNotEquals": {
            "aws:SourceVpce": "vpce-0123456abcdef0123"
          }
        }
      }]
    }


    Where:

    • BUCKET-NAME is the name of your S3 bucket; it forms the bucket's Amazon Resource Name (ARN) in the Resource value, listed once for the bucket itself and once for the objects in it
    • vpce-0123456abcdef0123 is the ID of your gateway endpoint
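As an added example that is not part of the VMware documentation, the following Python builds the endpoint-only policy for the four TAS for VMs blobstore buckets and checks which requests it denies. The bucket prefix and endpoint ID are constructed placeholders, and the evaluator assumes AWS's rule that a negated string condition such as StringNotEquals holds when the aws:SourceVpce key is absent from the request (for example, a request from the public internet).

```python
"""Build and sanity-check the VPC-endpoint-only bucket policy for TAS for VMs.

Added example; not VMware's or AWS's own code. Values below are constructed.
"""
import json
import re

VPCE_ID = "vpce-0123456abcdef0123"      # constructed placeholder endpoint ID
BUCKET_PREFIX = "example-tas"           # constructed placeholder prefix
BLOBSTORE_KINDS = ("buildpacks", "droplets", "packages", "resources")


def bucket_names(prefix=BUCKET_PREFIX):
    """One S3 bucket per TAS for VMs blobstore type."""
    return [f"{prefix}-{kind}" for kind in BLOBSTORE_KINDS]


def vpce_only_policy(bucket, vpce_id):
    """Deny every S3 action unless the request arrives through the gateway
    endpoint. Both the bucket ARN and the object ARN are listed so that
    bucket-level calls such as ListBucket are covered, not only object keys."""
    return {
        "Id": "VPCe",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VPCe",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_denied(policy, action, resource, source_vpce=None):
    """Evaluate only the explicit Deny statements of the policy. A request with
    no aws:SourceVpce in its context (source_vpce=None) never equals the
    endpoint ID, so StringNotEquals holds and the request is denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if source_vpce != stmt["Condition"]["StringNotEquals"]["aws:SourceVpce"]:
            return True
    return False


if __name__ == "__main__":
    for name in bucket_names():
        print(json.dumps(vpce_only_policy(name, VPCE_ID), indent=2))
```

Because the statement is an explicit Deny for every principal, apply it only once the SDDC can already reach the bucket through the endpoint; an administrator connecting from outside the VPC is locked out as well.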