To deploy Tanzu Operations Manager on AWS, you must follow the procedures in this topic to create the objects in the AWS Management Console that Tanzu Operations Manager requires. You can manually configure the Amazon Web Services (AWS) components that you need to deploy VMware Tanzu Operations Manager on AWS.

To view the list of AWS objects created by the procedures in this topic, see Required AWS Objects.

File an AWS ticket/request

Log in to the AWS Management Console, and file a ticket with Amazon to ensure that your account can launch more than the default 20 instances. In the ticket, ask for these limits:

  • 50 t3.micro instances
  • 20 c5.large instances

You can verify the limits on your account by visiting the EC2 Dashboard on the AWS Management Console and clicking Limits on the left navigation menu.

For specialized deployments:

To deploy to… Instructions
AWS for US Gov Log in to the AWS GovCloud (US) Console instead of the standard AWS Management Console.
AWS China Set up an AWS China account and contact the Platform Architect assigned for your account.

Create S3 buckets

S3 bucket names must be globally unique. When naming buckets, VMware recommends that you prefix the generic names below with an unique and easily identifiable string (For example, ID-STRING-pcf-ops-manager-bucket, MY-IDENTIFIER-pcf-buildpacks-bucket, and so on). Then you should use the same prefix when naming other associated resources, such as IAM policies.

Follow these steps to create five S3 buckets:

  1. On the S3 Dashboard, click Create Bucket.

  2. In Bucket name, enter ID-STRING-pcf-ops-manager-bucket.

  3. In AWS Region, select your region.

  4. Click Create bucket.

  5. Repeat these steps to create 4 more S3 buckets:

    • ID-STRING-pcf-buildpacks-bucket
    • ID-STRING-pcf-packages-bucket
    • ID-STRING-pcf-resources-bucket
    • ID-STRING-pcf-droplets-bucket

Create a policy for Tanzu Operations Manager

Follow these steps to create a Amazon Identity and Access Management (IAM) policy with the minimal permissions necessary to run and install Tanzu Operations Manager:

  1. Click IAM to access the IAM Dashboard.

  2. Click Policies and then click Create Policy.

  3. Copy the policy document included in Tanzu Operations Manager for AWS Policy Document. You must edit the policy document so the names of the S3 buckets match the ones you created in Create S3 Buckets above.

  4. Paste the policy document into the JSON tab on the Create policy page.

  5. Click Next: Tags and click Next: Review.

  6. In the Name text box, enter pcf-iam-policy.

  7. Click Create policy.

Create an IAM role or user for Tanzu Operations Manager

Follow these steps to create an Amazon Identity and Access Management (IAM) user or role with the minimal permissions necessary to run and install Tanzu Operations Manager:

VMware recommends that you use IAM roles instead of users for better security.

Click IAM to access the IAM Dashboard.

  • If you are configuring AWS access using an AWS instance profile, create an IAM role:

    1. Click Roles and then click Create role.
    2. On the Create role page, set:
      • Role type: AWS service
      • Use case: EC2
    3. Click Next.
    4. On the Add permissions page, enter the name of the policy you created in the Permission policies search box. Select the check box next to the policy in the search results.
    5. Click Next.
    6. On the Name, review, and create page, enter a role name. For example, enter pcf-role.
    7. Click Create role.

  • If you are configuring AWS access using AWS keys, create an IAM user:

    1. Click Users and then click Add users.
    2. Enter a user name. For example, enter pcf-user.

    3. In AWS access type, check the Access key - Programmatic access check box.

      If you prefer to create your keys locally and import them into AWS, see the Amazon documentation.

    4. Click Next: Permissions.

    5. Click the Attach existing policies directly tab.
    6. In the Filter policies search box, enter the name of the policy you created. Then, select the check box next to the policy in the search results.
    7. Click Next: Tags, and then click Next: Review.
    8. Click Create user.

    9. Click Download .csv to download the user security credentials.

      The credentials.csv contains the IDs for your user security access key and secret access key. Keep the credentials.csv file for your currently active key pairs in a secure directory. You cannot recover a lost key pair.

    10. Click Close.

Create a VPC

  1. Follow the AWS tutorial to create an elastic IP address, a VPC, and additional subnets. To access the tutorial, see the AWS documentation. Refer to the following table when configuring the VPC wizard fields and subnets.

    VPC wizard field Instructions
    Resources to create Select VPC and more
    Name tag Enter pcf-vpc
    IPv4 CIDR block Select IPv4 CIDR manual input
    IPv4 CIDR Enter 10.0.0.0/16
    IPv6 CIDR block Select No IPv6 CIDR block
    Number of public subnets Select 0
    Number of private subnets Select 0

    For all other fields, accept the defaults.

  2. Click Create VPC.

  3. On the VPC dashboard, click Subnets, and then Create subnet.

  4. In VPC ID, click the VPC that includes (pcf-vpc).

  5. Add the following subnets. For each subnet, enter the Subnet name, Availability Zone, and IPv4 CIDR block. Then click Add new subnet to add the next subnet in the table:

    Subnet name Availability zone IPv4 CIDR block
    pcf-public-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.0.0/24
    pcf-public-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.1.0/24
    pcf-public-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.2.0/24
    pcf-management-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.16.0/28
    pcf-management-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.16.16/28
    pcf-management-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.16.32/28
    pcf-tas-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.4.0/24
    pcf-tas-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.5.0/24
    pcf-tas-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.6.0/24
    pcf-services-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.8.0/24
    pcf-services-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.9.0/24
    pcf-services-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.10.0/24
    pcf-rds-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.12.0/24
    pcf-rds-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.13.0/24
    pcf-rds-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.14.0/24

  6. Click Add new subnet.

Create an internet gateway

  1. On the VPC dashboard, click Internet gateways.

  2. Click Create internet gateway.

  3. In Name, enter pcf-internet-gateway.

  4. Click Create internet gateway.

  5. In Actions, click Attach to VPC.

  6. In Available VPCs, click the VPC that includes pcf-vpc.

  7. Click Attach internet gateway.

Create a NAT gateway

  1. On the VPC dashboard, click NAT gateways.

  2. Click Create NAT gateway.

  3. In Name, enter pcf-nat-gateway.

  4. In Subnet, select the subnet that includes (pcf-public-subnet-az0).

  5. Click Allocate Elastic IP.

  6. Click Create NAT gateway.

Create route table for public subnets

  1. On the VPC dashboard, click Route tables.

  2. Click Create route table.

  3. In Name, enter pcf-public-route-table.

  4. In VPC, click the VPC that includes (pcf-vpc).

  5. Click Create route table.

    1. In the Routes section, click Edit routes.
    2. Click Add route.
    3. In Destination, enter 0.0.0.0/0.
    4. In Target, click Internet Gateway, then click the internet gateway that includes (pcf-internet-gateway).
    5. Click Save changes.

  6. Click the Subnet associations tab.

    1. In the Explicit subnet associations section, click Edit subnet associations.
    2. Select pcf-public-subnet-az0, pcf-public-subnet-az1, and pcf-public-subnet-az2.
    3. Click Save associations.

Create route table for remaining subnets

  1. On the VPC dashboard, click Route tables.

  2. Click Create route table.

  3. In Name, enter pcf-management-route-table.

    1. In VPC, click the VPC that includes (pcf-vpc).
    2. Click Create route table.

  4. In the Routes section, click Edit routes.

    1. Click Add route.n Destination, enter 0.0.0.0/0.
    2. In Target, click NAT Gateway, then click the NAT gateway that includes (pcf-nat-gateway).
    3. Click Save changes.

  5. Click the Subnet associations tab.

    1. In the Explicit subnet associations section, click Edit subnet associations.
    2. Click pcf-management-subnet-az0, pcf-management-subnet-az1, pcf-management-subnet-az2, pcf-tas-subnet-az0, pcf-tas-subnet-az1, pcf-tas-subnet-az2, pcf-services-subnet-az0, pcf-services-subnet-az1, and pcf-services-subnet-az2.
    3. Click Save associations.

Configure a security group for Tanzu Operations Manager

  1. Return to the EC2 Dashboard.

  2. Click Security Groups, then Create Security Group.

  3. In Security group name, enter pcf-ops-manager-security-group.

  4. In Description, enter a description to identify this security group.

  5. In VPC, click the VPC in which you want to deploy Tanzu Operations Manager.

  6. In the Inbound rules section, add rules using the information in the following table.

    VMware recommends limiting access to Tanzu Operations Manager to IP ranges within your organization, but you might reduce the IP restrictions after configuring authentication for Tanzu Operations Manager.

    Type Protocol Port range Source
    HTTP TCP 80 My IP
    HTTPS TCP 443 My IP
    SSH TCP 22 My IP
    Custom TCP (BOSH Agent) TCP 6868 Custom 10.0.0.0/16
    Custom TCP (BOSH Director) TCP 25555 Custom 10.0.0.0/16

  7. Click Create security group.

Configure a security group for BOSH-deployed VMs

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-vms-security-group.

  3. In Description, enter a description to identify this security group.

  4. In VPC, click the VPC where you want to deploy the BOSH-deployed VMs.

  5. In the Inbound rules section, add rules for all traffic from your public and private subnets to your private subnet, as shown in the table. This rule configuration does the following:

    • Enables BOSH to deploy VMware Tanzu Application Service for VMs (TAS for VMs) and other services
    • Enables app VMs to communicate through the router
    • Allows the load balancer to send traffic to TAS for VMs
    Type Protocol Port range Source
    All traffic All All Custom 10.0.0.0/16
    Custom TCP rule TCP 2222 Anywhere-IPv4 0.0.0.0/0

  6. Click Create security group.

Configure a security group for the Web ELB

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-web-elb-security-group.

  3. In the Description text box, enter a description to identify this security group.

  4. In VPC, click the VPC where you want to deploy this Elastic Load Balancer (ELB).

  5. In the Inbound rules section, add rules to allow traffic to ports 80, 443, and 4443 from 0.0.0.0/0, as shown in the table.

    Allow traffic to port 4443 only if you are in an AWS cloud region that does not support AWS ALBs. For example, the GovCloud region. For more information about AWS regions and availability zones, see AWS Global Infrastructure.

    For finer control over what can reach TAS for VMs, change 0.0.0.0/0 to be more restrictive. This security group governs external access to TAS for VMs from apps such as the cf CLI and app URLs.

    Type Protocol Port range Source
    Custom TCP TCP 4443 Anywhere-IPv4 0.0.0.0/0
    HTTP TCP 80 Anywhere-IPv4 0.0.0.0/0
    HTTPS TCP 443 Anywhere-IPv4 0.0.0.0/0

  6. Click Create security group.

Configure a security group for the TCP ELB

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-tcp-elb-security-group.

  3. In Description text box, enter a description to identify this security group.

  4. In VPC, click the VPC in which you want to deploy this ELB.

  5. In the Inbound rules section, add the following rule:

    Type Protocol Port range Source
    Custom TCP rule TCP 1024 - 1123 Anywhere-IPv4 0.0.0.0/0

  6. Click Create security group.

Configure a security group for MySQL

If you plan to use an internal database, skip this step. If you are using RDS, you must configure a security group that enables the Tanzu Operations Manager VM and BOSH Director VM to access the database.

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-mysql-security-group.

  3. In Description text box, enter a description to identify this security group.

  4. In VPC, click the VPC where you want to deploy MySQL.

  5. In the Inbound rules section, add a rule of type MySQL and specify the subnet of your VPC in Source, as shown in the table.

    Type Protocol Port range Source
    MYSQL/Aurora TCP 3306 Custom 10.0.0.0/16

  6. In the Outbound rules section, add a rule of type All traffic and specify the subnet of your VPC in Destination, as shown in the table.

    Type Protocol Port range Source
    All traffic All All Custom 10.0.0.0/16

  7. Click Create security group.

Next step

Proceed to the next step, Deploying Tanzu Operations Manager on AWS.

check-circle-line exclamation-circle-line close-line
Scroll to top icon