You can use these instructions to deploy BOSH and VMware Tanzu Operations Manager on Azure by using individual commands to create resources. VMware recommends this manual procedure for deploying to Azure China and Azure Government Cloud.
Before you follow the procedures in this topic, you must complete the procedures in Preparing to Deploy Tanzu Operations Manager on Azure.
Sometimes the Azure portal displays the names of resources with incorrect capitalization. Always use the Azure CLI to retrieve the correctly capitalized name of a resource.
To create network resources for your deployment:
Go to the Azure portal, click Resource groups, then click Add to create a new resource group for your deployment.
Enter a Resource group name.
Click your Subscription, click a Resource group location, then click Create.
Export the name of your resource group as the environment variable $RESOURCE_GROUP.
export RESOURCE_GROUP="YOUR-RESOURCE-GROUP-NAME"
If you are on a Microsoft Windows machine, use set instead of export. In the Windows command prompt, do not quote the value: set stores the quotation marks as part of the variable.
set RESOURCE_GROUP=YOUR-RESOURCE-GROUP-NAME
Export your location. For example, westus.
export LOCATION=westus
For a list of available locations, run az account list-locations.
Create a network security group named pcf-nsg.
az network nsg create --name pcf-nsg \
--resource-group $RESOURCE_GROUP \
--location $LOCATION
Add network security group rules to the pcf-nsg group to enable traffic to known ports from the public Internet.
az network nsg rule create --name ssh \
--nsg-name pcf-nsg --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 100 \
--destination-port-range '22'
az network nsg rule create --name http \
--nsg-name pcf-nsg --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 200 \
--destination-port-range '80'
az network nsg rule create --name https \
--nsg-name pcf-nsg --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 300 \
--destination-port-range '443'
az network nsg rule create --name diego-ssh \
--nsg-name pcf-nsg --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 400 \
--destination-port-range '2222'
To restrict where this traffic can come from, add --source-address-prefixes AzureLoadBalancer to enable traffic from only the Azure load balancer, or --source-address-prefixes VirtualNetwork to only enable traffic from the virtual network. To allow both sources, create two rules: one specifying --source-address-prefixes AzureLoadBalancer and one specifying --source-address-prefixes VirtualNetwork.
Create a network security group named opsmgr-nsg.
az network nsg create --name opsmgr-nsg \
--resource-group $RESOURCE_GROUP \
--location $LOCATION
Add a network security group rule to the opsmgr-nsg group to enable HTTP traffic to the Tanzu Operations Manager VM.
az network nsg rule create --name http \
--nsg-name opsmgr-nsg --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 100 \
--destination-port-range 80
Add a network security group rule to the opsmgr-nsg group to enable HTTPS traffic to the Tanzu Operations Manager VM.
az network nsg rule create --name https \
--nsg-name opsmgr-nsg --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 200 \
--destination-port-range 443
Add a network security group rule to the opsmgr-nsg group to enable SSH traffic to the Tanzu Operations Manager VM.
az network nsg rule create --name ssh \
--nsg-name opsmgr-nsg --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 300 \
--destination-port-range 22
To restrict where this traffic can come from, add --source-address-prefixes AzureLoadBalancer to enable traffic from only the Azure load balancer, or --source-address-prefixes VirtualNetwork to only enable traffic from the virtual network. To allow both sources, create two rules: one specifying --source-address-prefixes AzureLoadBalancer and one specifying --source-address-prefixes VirtualNetwork.
Optionally, if you use private IP ranges with Tanzu Operations Manager and want to allow all internal traffic, create a network security group named internal-traffic and add rules that allow all traffic from the virtual network and from the Azure load balancer. The rule commands reference that group, so create it first (the nsg create command is added here; the original page shows only the rule commands). The port range * is quoted so that the shell does not expand it as a glob.
az network nsg create --name internal-traffic \
--resource-group $RESOURCE_GROUP \
--location $LOCATION
az network nsg rule create --name internal-virtual-network \
--nsg-name internal-traffic --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 100 \
--destination-port-range '*' \
--source-address-prefixes VirtualNetwork
az network nsg rule create --name internal-from-lb \
--nsg-name internal-traffic --resource-group $RESOURCE_GROUP \
--protocol Tcp --priority 110 \
--destination-port-range '*' \
--source-address-prefixes AzureLoadBalancer
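The rules above, together with the --source-address-prefixes note, decide which ports are reachable from the public Internet. The following shell function is an added example and is not part of the VMware page: it reviews the rules of an NSG and flags Allow rules that expose the SSH ports (22 and 2222, or all ports) to any source. It expects the tab-separated output of az network nsg rule list --nsg-name pcf-nsg --resource-group $RESOURCE_GROUP --query '[].[name,priority,access,sourceAddressPrefix,destinationPortRange]' -o tsv for rules that use a single source prefix (that --query projection is an assumption about the output shape, not something the page shows). The SAMPLE_RULES lines are constructed to mimic that output for the pcf-nsg rules above, and flag_open_ssh_rules is a hypothetical name.

```shell
# Added example, not from the VMware page. Reviews NSG rules (as TSV, one rule
# per line: name, priority, access, sourceAddressPrefix, destinationPortRange)
# and reports Allow rules that open SSH ports to the whole Internet.
# Nothing here calls Azure; feed it the output of the az command from the
# lead-in when running for real.

# Constructed sample shaped like the TSV projection of the pcf-nsg rules above.
SAMPLE_RULES=$(printf 'ssh\t100\tAllow\t*\t22\nhttp\t200\tAllow\t*\t80\nhttps\t300\tAllow\t*\t443\ndiego-ssh\t400\tAllow\tAzureLoadBalancer\t2222\ninternal-from-lb\t110\tAllow\tAzureLoadBalancer\t*\n')

# Reads rules on stdin. Prints one line per rule that allows port 22, 2222 or
# every port from an unrestricted source ('*' or the Internet service tag).
# Exit status 1 when at least one such rule exists, 0 when there is none, so
# the function can gate a deployment script.
flag_open_ssh_rules() {
  awk -F'\t' '
    $3 == "Allow" && ($4 == "*" || $4 == "Internet") &&
    ($5 == "22" || $5 == "2222" || $5 == "*") {
      printf "OPEN: rule %s (priority %s) allows port %s from %s\n", $1, $2, $5, $4
      found = 1
    }
    END { exit found ? 1 : 0 }
  '
}

# Typical use against a live resource group (assumed command shape, see lead-in):
#   az network nsg rule list --nsg-name pcf-nsg --resource-group "$RESOURCE_GROUP" \
#     --query '[].[name,priority,access,sourceAddressPrefix,destinationPortRange]' -o tsv \
#     | flag_open_ssh_rules
# Run on the sample, this reports the ssh rule (port 22 from *), while the
# diego-ssh rule passes because its source is the AzureLoadBalancer tag:
printf '%s\n' "$SAMPLE_RULES" | flag_open_ssh_rules
```

The constructed sample reproduces the effect of the page's own commands: the pcf-nsg ssh rule has no --source-address-prefixes and therefore defaults to any source, which is exactly the case the note above lets you narrow to AzureLoadBalancer or VirtualNetwork.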
Create a virtual network named pcf-virtual-network.
az network vnet create --name pcf-virtual-network \
--resource-group $RESOURCE_GROUP --location $LOCATION \
--address-prefixes 10.0.0.0/16
Add subnets to the network for Tanzu Operations Manager, BOSH director, and the VMs for your runtime, and attach the Network Security Group.
az network vnet subnet create --name pcf-infrastructure-subnet \
--vnet-name pcf-virtual-network \
--resource-group $RESOURCE_GROUP \
--address-prefix 10.0.4.0/26 \
--network-security-group pcf-nsg
az network vnet subnet create --name pcf-pas-subnet \
--vnet-name pcf-virtual-network \
--resource-group $RESOURCE_GROUP \
--address-prefix 10.0.12.0/22 \
--network-security-group pcf-nsg
az network vnet subnet create --name pcf-services-subnet \
--vnet-name pcf-virtual-network \
--resource-group $RESOURCE_GROUP \
--address-prefix 10.0.8.0/22 \
--network-security-group pcf-nsg
Tanzu Operations Manager on Azure uses multiple general-purpose Azure storage accounts. The BOSH and Tanzu Operations Manager VMs use one main BOSH account, and the other components share five or more deployment storage accounts.
To create storage accounts for BOSH and your deployment:
Choose a name for your BOSH storage account, and export it as the environment variable $STORAGE_NAME. Storage account names must be globally unique across Azure, between 3 and 24 characters in length, and contain only lowercase letters and numbers.
export STORAGE_NAME="YOUR-BOSH-STORAGE-ACCOUNT-NAME"
Create a standard storage account for BOSH with the following command. This account is used for BOSH bookkeeping and for running the Tanzu Operations Manager VM, but does not have to be used for running any other VMs.
az storage account create --name $STORAGE_NAME \
--resource-group $RESOURCE_GROUP \
--sku Standard_LRS \
--location $LOCATION
If the command fails, verify that you followed the rules for naming your storage account. Export another new storage account name if necessary.
Standard_LRS refers to a Standard Azure Storage account. The BOSH Director requires table storage to store stemcell information. Azure Premium Storage does not support table storage and cannot be used for the BOSH storage account.
Configure the Azure CLI to use the BOSH storage account as the default setting.
Retrieve the connection string for the account.
az storage account show-connection-string \
--name $STORAGE_NAME --resource-group $RESOURCE_GROUP
The command returns output similar to the following:
{ "connectionString": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=cfdocsboshstorage;AccountKey=EXAMPLEaaaaabbbrnc5igFxYWsgq016Tu9uGwseOl8bqNBEL/2tp7wX92QMUM19Pz9BYTXt8aq4A==" }
Record the full value of connectionString from the preceding output, starting with and including DefaultEndpointsProtocol=.
Export the value of connectionString as the environment variable $CONNECTION_STRING.
export CONNECTION_STRING="YOUR-ACCOUNT-KEY-STRING"
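The connection string carries the storage account key, which grants full access to the account, so it is worth extracting it from the CLI output in a script rather than copying it by hand, and keeping it out of anything you log. The following shell functions are an added example and are not part of the VMware page: they pull connectionString out of the JSON that az storage account show-connection-string prints, check that it has the expected fields before it is exported, and produce a redacted copy for logs. SAMPLE_JSON is constructed from the page's example output (the AccountKey in it is not a real key); the function names are hypothetical.

```shell
# Added example, not from the VMware page. Handles the output of
# 'az storage account show-connection-string' without echoing the key.

# Constructed sample shaped like the page's example output; not a real key.
SAMPLE_JSON='{ "connectionString": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=cfdocsboshstorage;AccountKey=EXAMPLEaaaaabbbrnc5igFxYWsgq016Tu9uGwseOl8bqNBEL/2tp7wX92QMUM19Pz9BYTXt8aq4A==" }'

# Prints the connectionString value from the JSON on stdin.
extract_connection_string() {
  sed -n 's/.*"connectionString": *"\([^"]*\)".*/\1/p'
}

# Prints the value of one ;-separated field of a connection string,
# e.g. connection_string_field "$cs" AccountName
connection_string_field() {
  printf '%s' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Returns 0 when the string starts with DefaultEndpointsProtocol= (the point
# the page says to copy from) and carries both an AccountName and an AccountKey.
validate_connection_string() {
  case "$1" in
    DefaultEndpointsProtocol=*) ;;
    *) return 1 ;;
  esac
  [ -n "$(connection_string_field "$1" AccountName)" ] || return 1
  [ -n "$(connection_string_field "$1" AccountKey)" ] || return 1
}

# Prints the string with the key removed, safe to put in a log or a ticket.
redact_connection_string() {
  printf '%s' "$1" | sed 's/AccountKey=[^;]*/AccountKey=<redacted>/'
}

# Typical use (assumed wiring; replaces copying the value from the terminal):
#   CONNECTION_STRING=$(az storage account show-connection-string \
#       --name "$STORAGE_NAME" --resource-group "$RESOURCE_GROUP" \
#       | extract_connection_string)
#   validate_connection_string "$CONNECTION_STRING" || exit 1
#   export CONNECTION_STRING
#   echo "using $(redact_connection_string "$CONNECTION_STRING")"
cs=$(printf '%s\n' "$SAMPLE_JSON" | extract_connection_string)
validate_connection_string "$cs" && redact_connection_string "$cs" && echo
```

Assigning the value from command substitution, as above, keeps the key out of your shell history, which a literal export CONNECTION_STRING="..." does not. Note that the --connection-string flag used by the commands that follow places the key on the az process command line, where other users on the same machine can read it from the process list; on a shared host, prefer exporting it as AZURE_STORAGE_CONNECTION_STRING, which the az storage commands read instead of the flag.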
Create three blob containers in the BOSH storage account, named opsmanager, bosh, and stemcell.
az storage container create --name opsmanager \
--connection-string $CONNECTION_STRING
az storage container create --name bosh \
--connection-string $CONNECTION_STRING
az storage container create --name stemcell \
--connection-string $CONNECTION_STRING
Create a table named stemcells.
az storage table create --name stemcells \
--connection-string $CONNECTION_STRING
Choose a set of unique names for 5 or more deployment storage accounts. As with the preceding BOSH storage account, the names must be unique, alphanumeric, lowercase, and 3-24 characters long. The account names must also be sequential or otherwise identical except for the last character. For example: xyzdeploystorage1, xyzdeploystorage2, xyzdeploystorage3, xyzdeploystorage4, and xyzdeploystorage5.
Decide which type of storage to use and run the following corresponding command.
VMware recommends five Premium storage accounts, which provide a reasonable amount of initial storage capacity. You can use either Premium or Standard storage accounts, but they have very different scalability metrics. VMware recommends creating 1 Standard storage account for every 30 VMs, or 1 Premium storage account for every 150 VMs. You can increase the number of storage accounts later by provisioning more and following the naming sequence.
To use Premium storage (recommended):
export STORAGE_TYPE="Premium_LRS"
To use Standard storage:
export STORAGE_TYPE="Standard_LRS"
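The naming rules for the BOSH and deployment storage accounts, and the per-VM sizing guidance above, are easy to check before any az storage account create call is made. The following shell functions are an added example and are not part of the VMware page: they validate a storage account name against the stated rules, generate the sequential deployment account names from a base name, and compute how many deployment accounts the 30-VM (Standard) or 150-VM (Premium) rule calls for, never fewer than the five the page starts with. The function names are hypothetical; nothing here calls Azure.

```shell
# Added example, not from the VMware page. Pre-flight checks for the storage
# account names and count described above.

# Returns 0 if NAME is 3-24 characters of lowercase letters and digits only
# (the rule the page states); Azure-wide uniqueness can only be checked by
# the create call itself.
validate_storage_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# Prints COUNT (default 5) deployment account names built from BASE by
# appending 1, 2, ..., COUNT, which keeps them identical except for the last
# character as required. Fails with status 1 if any generated name breaks the
# rules, for instance when BASE is already 24 characters long.
deployment_storage_names() {
  base=$1
  count=${2:-5}
  i=1
  while [ "$i" -le "$count" ]; do
    name="${base}${i}"
    validate_storage_name "$name" || return 1
    printf '%s\n' "$name"
    i=$((i + 1))
  done
}

# Prints the number of deployment accounts for VMS virtual machines with the
# given SKU: one Standard_LRS account per 30 VMs or one Premium_LRS account
# per 150 VMs, rounded up, and at least the five the page recommends.
deployment_account_count() {
  vms=$1
  sku=$2
  case "$sku" in
    Premium_LRS) per_account=150 ;;
    Standard_LRS) per_account=30 ;;
    *) return 1 ;;
  esac
  needed=$(( (vms + per_account - 1) / per_account ))
  if [ "$needed" -lt 5 ]; then
    needed=5
  fi
  printf '%s\n' "$needed"
}

# Example run: five names for a 600-VM Standard deployment would be too few
# (600 / 30 = 20), so the count comes out at 20 while a Premium deployment of
# the same size needs only five.
deployment_storage_names xyzdeploystorage "$(deployment_account_count 600 Premium_LRS)"
deployment_account_count 600 Standard_LRS
```

Because the names must stay identical except for the last character, a base name of more than 23 characters leaves no room for the suffix; deployment_storage_names refuses such a base instead of producing names the create call would reject.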
For each deployment storage account you create:
Create the storage account with the following command, replacing MY_DEPLOYMENT_STORAGE_X with one of your deployment storage account names.
az storage account create --name MY_DEPLOYMENT_STORAGE_X \
--resource-group $RESOURCE_GROUP --sku $STORAGE_TYPE \
--kind Storage --location $LOCATION
If the command fails, try a different set of account names.
Retrieve the connection string for the account.
az storage account show-connection-string \
--name MY_DEPLOYMENT_STORAGE_X --resource-group $RESOURCE_GROUP
The command returns output similar to the following:
{ "connectionString": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=cfdocsdeploystorage1;AccountKey=EXAMPLEaaaaaaaQiSAmqj1OocsGhKBwnMf8wEwdeJMvvonrbmNk27bfkSL8ZFzAhs3Kb78si5CTPHhjHHiK4qPcYzn/8OmFg==" }
Record the full value of connectionString from the preceding output, starting with and including DefaultEndpointsProtocol=, and export it as the environment variable $CONNECTION_STRING, replacing the BOSH account's value, so that the following commands act on this deployment account.
Create two blob containers named bosh and stemcell in the account.
az storage container create --name bosh \
--connection-string $CONNECTION_STRING
az storage container create --name stemcell \
--connection-string $CONNECTION_STRING
Your load balancer configuration depends on whether you want apps to be available from public IP addresses, private IP addresses, or both.
To create load balancers:
Required: TAS for VMs Load Balancer
Create a load balancer named pcf-lb. A static IP address is automatically created for Standard SKU load balancers unless specified otherwise with --public-ip-address-allocation Dynamic.
az network lb create --name pcf-lb \
--resource-group $RESOURCE_GROUP --location $LOCATION \
--backend-pool-name pcf-lb-be-pool --frontend-ip-name pcf-lb-fe-ip \
--public-ip-address pcf-lb-ip --public-ip-address-allocation Static \
--sku Standard
If the Standard SKU is not available in Azure China, you can use the Basic SKU.
This back end pool is empty when you create it.
Add a probe to the load balancer.
az network lb probe create --lb-name pcf-lb \
--name http8080 --resource-group $RESOURCE_GROUP \
--protocol Http --port 8080 --path health
Add a load balancing rule for HTTP.
az network lb rule create --lb-name pcf-lb \
--name http --resource-group $RESOURCE_GROUP \
--protocol Tcp --frontend-port 80 \
--backend-port 80 --frontend-ip-name pcf-lb-fe-ip \
--backend-pool-name pcf-lb-be-pool \
--probe-name http8080
Add a load balancing rule for HTTPS.
az network lb rule create --lb-name pcf-lb \
--name https --resource-group $RESOURCE_GROUP \
--protocol Tcp --frontend-port 443 \
--backend-port 443 --frontend-ip-name pcf-lb-fe-ip \
--backend-pool-name pcf-lb-be-pool \
--probe-name http8080
(Optional) For private IPs:
Create a load balancer named pcf-lb.
az network lb create --name pcf-lb \
--resource-group $RESOURCE_GROUP --location $LOCATION \
--backend-pool-name pcf-lb-be-pool --frontend-ip-name pcf-lb-fe-ip \
--private-ip-address 10.0.12.6 --sku Standard \
--vnet-name pcf-virtual-network \
--subnet pcf-pas-subnet
Add a probe to the load balancer.
az network lb probe create --lb-name pcf-lb \
--name http8080 --resource-group $RESOURCE_GROUP \
--protocol Http --port 8080 --path health
Add a load balancing rule for HTTP.
az network lb rule create --lb-name pcf-lb \
--name http --resource-group $RESOURCE_GROUP \
--protocol Tcp --frontend-port 80 \
--backend-port 80 --frontend-ip-name pcf-lb-fe-ip \
--backend-pool-name pcf-lb-be-pool \
--probe-name http8080
Add a load balancing rule for HTTPS.
az network lb rule create --lb-name pcf-lb \
--name https --resource-group $RESOURCE_GROUP \
--protocol Tcp --frontend-port 443 \
--backend-port 443 --frontend-ip-name pcf-lb-fe-ip \
--backend-pool-name pcf-lb-be-pool \
--probe-name http8080
If the Standard SKU is not available in Azure China, use the Basic SKU.
This back end pool is empty when you create it.
Go to your DNS provider and create an entry that points *.YOUR-SUBDOMAIN to the public IP address of your load balancer. For example, create an entry that points azure.example.com to 198.51.100.1. You can retrieve the public IP address by running:
az network public-ip show --name pcf-lb-ip --resource-group $RESOURCE_GROUP
Optional: Diego SSH Load Balancer
Create a load balancer named pcf-ssh-lb. If the Standard SKU is not available in Azure China, you can use the Basic SKU. This back end pool is empty when you create it.
az network lb create --name pcf-ssh-lb \
--resource-group $RESOURCE_GROUP --location $LOCATION \
--backend-pool-name pcf-ssh-lb-be-pool --frontend-ip-name pcf-ssh-lb-fe-ip \
--public-ip-address pcf-ssh-lb-ip --public-ip-address-allocation Static \
--sku Standard
(Optional) For private IPs, create a load balancer named pcf-ssh-lb. If the Standard SKU is not available in Azure China, you can use the Basic SKU. This back end pool is empty when you create it.
az network lb create --name pcf-ssh-lb \
--resource-group $RESOURCE_GROUP --location $LOCATION \
--backend-pool-name pcf-ssh-lb-be-pool --frontend-ip-name pcf-ssh-lb-fe-ip \
--private-ip-address 10.0.12.7 \
--sku Standard \
--vnet-name pcf-virtual-network \
--subnet pcf-pas-subnet
Add a probe to the load balancer.
az network lb probe create --lb-name pcf-ssh-lb \
--name tcp2222 --resource-group $RESOURCE_GROUP \
--protocol Tcp --port 2222
Add a load balancing rule for SSH.
az network lb rule create --lb-name pcf-ssh-lb \
--name diego-ssh --resource-group $RESOURCE_GROUP \
--protocol Tcp --frontend-port 2222 \
--backend-port 2222 --frontend-ip-name pcf-ssh-lb-fe-ip \
--backend-pool-name pcf-ssh-lb-be-pool \
--probe-name tcp2222
Go to your DNS provider, and create an entry that points ssh.sys.YOUR-SUBDOMAIN to the public IP address of your load balancer. For example, create an entry that points azure.example.com to 198.51.100.1. You can retrieve the public IP address by running:
az network public-ip show --name pcf-ssh-lb-ip --resource-group $RESOURCE_GROUP
To boot Tanzu Operations Manager:
Go to the Broadcom Support portal and download the latest release of Tanzu Operations Manager for Azure.
View the downloaded PDF and locate the Tanzu Operations Manager image URL appropriate for your region.
Export the Tanzu Operations Manager image URL as an environment variable.
export OPS_MAN_IMAGE_URL="YOUR-OPS-MAN-IMAGE-URL"
Download the Tanzu Operations Manager image. For compatibility when upgrading to future versions of Tanzu Operations Manager, choose a unique name for the image that includes the Tanzu Operations Manager version number. For example, replace opsman-image-2.6.x in the following examples with a string that contains the release you downloaded, such as opsman-image-3.0.0.
If you use unmanaged disks, perform the following steps:
Download the Tanzu Operations Manager image to your local machine. The image size is 10 GB.
wget $OPS_MAN_IMAGE_URL -O opsman-image-2.6.x.vhd
Upload the image to your storage account using the Azure CLI:
az storage blob upload --name opsman-image-2.6.x.vhd \
--connection-string $CONNECTION_STRING \
--container-name opsmanager \
--type page \
--file opsman-image-2.6.x.vhd
If you use managed disks:
Copy the Tanzu Operations Manager image into your storage account using the Azure CLI:
az storage blob copy start --source-uri $OPS_MAN_IMAGE_URL \
--connection-string $CONNECTION_STRING \
--destination-container opsmanager \
--destination-blob opsman-image-2.6.x.vhd
Copying the image might take several minutes. Run the following command and examine the output under "copy":
az storage blob show --name opsman-image-2.6.x.vhd \
--container-name opsmanager \
--connection-string $CONNECTION_STRING
...
"copy": {
"completionTime": "2017-06-26T22:24:11+00:00",
"id": "b9c8b272-a562-4574-baa6-f1a04afcefdf",
"progress": "53687091712/53687091712",
"source": "https://opsmanagerwestus.blob.core.windows.net/images/opsman-image-2.6.x.vhd",
"status": "success",
"statusDescription": null
},
Wait a few moments and run the preceding command again if status is pending. When status reads success, continue to the next step.
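Re-running az storage blob show by hand works, but a script that polls the copy status is less error-prone, and the status field has to be read from the "copy" object specifically, because the same output also carries a lease object with its own "status". The following shell functions are an added example and are not part of the VMware page: copy_status and copy_percent parse the copy status and progress out of the JSON, and wait_for_copy polls a command until the copy is no longer pending. SAMPLE_COPY_JSON is constructed from the page's example output, with a lease block added to show why the parser is scoped to "copy"; the function names, and the assumption that the copy object sits under "properties", are mine, not the page's.

```shell
# Added example, not from the VMware page. Parses 'az storage blob show'
# output for the image copy and polls until the copy finishes.

# Constructed sample shaped like the page's output; the lease block is added
# to show that a naive search for "status" would find the wrong value.
SAMPLE_COPY_JSON='{
  "name": "opsman-image-2.6.x.vhd",
  "properties": {
    "copy": {
      "completionTime": "2017-06-26T22:24:11+00:00",
      "id": "b9c8b272-a562-4574-baa6-f1a04afcefdf",
      "progress": "53687091712/53687091712",
      "source": "https://opsmanagerwestus.blob.core.windows.net/images/opsman-image-2.6.x.vhd",
      "status": "success",
      "statusDescription": null
    },
    "lease": {
      "state": "available",
      "status": "unlocked"
    }
  }
}'

# Prints the copy status ("pending", "success", "failed", ...) from JSON on
# stdin, looking only inside the "copy": { ... } object.
copy_status() {
  awk '
    /"copy": *\{/ { in_copy = 1 }
    in_copy && /"status": *"/ { sub(/.*"status": *"/, ""); sub(/".*/, ""); print; exit }
    in_copy && /^ *\}/ { in_copy = 0 }
  '
}

# Prints the copied fraction as a whole-number percentage, from the
# "progress": "copied/total" field of the copy object.
copy_percent() {
  awk '
    /"copy": *\{/ { in_copy = 1 }
    in_copy && /"progress": *"/ {
      sub(/.*"progress": *"/, ""); sub(/".*/, "")
      split($0, p, "/")
      printf "%d\n", (p[2] == 0) ? 0 : (p[1] * 100) / p[2]
      exit
    }
    in_copy && /^ *\}/ { in_copy = 0 }
  '
}

# Runs CMD (a shell command string that prints the blob JSON) until the copy
# is no longer pending, sleeping DELAY seconds (default 30) between attempts,
# at most TRIES times (default 60). Exit 0 on success, 1 when the copy ended in
# any other state (or the status could not be read), 2 when TRIES ran out.
wait_for_copy() {
  cmd=$1; delay=${2:-30}; tries=${3:-60}
  while [ "$tries" -gt 0 ]; do
    status=$(eval "$cmd" | copy_status)
    case "$status" in
      success) return 0 ;;
      pending) ;;
      *) printf 'copy ended with status "%s"\n' "$status" >&2; return 1 ;;
    esac
    tries=$((tries - 1))
    sleep "$delay"
  done
  return 2
}

# Typical use with the page's command (assumed wiring):
#   wait_for_copy 'az storage blob show --name opsman-image-2.6.x.vhd \
#       --container-name opsmanager --connection-string "$CONNECTION_STRING"'
# Against the constructed sample the copy is already complete:
printf '%s\n' "$SAMPLE_COPY_JSON" | copy_status
printf '%s\n' "$SAMPLE_COPY_JSON" | copy_percent
```

A non-success terminal state such as failed or aborted makes wait_for_copy return 1 immediately rather than waiting out all its tries, so a deployment script can stop before it tries to create a VM from an incomplete image.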
Create a public IP address named ops-manager-ip. If you do not want to use a public IP for Tanzu Operations Manager, skip this step.
az network public-ip create --name ops-manager-ip \
--resource-group $RESOURCE_GROUP --location $LOCATION \
--allocation-method Static
The command returns output similar to the following:
{
  "publicIp": {
    "dnsSettings": null,
    "etag": "W/\"4450ebe2-9e97-4b17-9cf2-44838339c661\"",
    "id": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/resourceGroups/cf-docs/providers/Microsoft.Network/publicIPAddresses/ops-manager-ip",
    "idleTimeoutInMinutes": 4,
    "ipAddress": "40.83.148.183",
    "ipConfiguration": null,
    "location": "westus",
    "name": "ops-manager-ip",
    "provisioningState": "Succeeded",
    "publicIpAddressVersion": "IPv4",
    "publicIpAllocationMethod": "Static",
    "resourceGroup": "cf-docs",
    "resourceGuid": "950d4831-1bec-42da-8a79-959bcddea9dd",
    "tags": null,
    "type": "Microsoft.Network/publicIPAddresses"
  }
}
Record the ipAddress from the preceding output. This is the public IP address of Tanzu Operations Manager.
Create a network interface for Tanzu Operations Manager. If you do not want to use a public IP address for Tanzu Operations Manager, remove the --public-ip-address ops-manager-ip flag and value.
az network nic create --vnet-name pcf-virtual-network \
--subnet pcf-infrastructure-subnet --network-security-group opsmgr-nsg \
--private-ip-address 10.0.4.4 \
--public-ip-address ops-manager-ip \
--resource-group $RESOURCE_GROUP \
--name opsman-nic --location $LOCATION
Create a keypair on your local machine with the user name ubuntu. For example, enter the following command:
ssh-keygen -t rsa -f opsman -C ubuntu
When you are prompted for a passphrase, press the enter key to provide an empty passphrase.
Create the Tanzu Operations Manager VM.
If you are using unmanaged disks, run the following command to create your Tanzu Operations Manager VM, replacing PATH-TO-PUBLIC-KEY with the path to your public key .pub file:
az vm create --name opsman-2.6.x --resource-group $RESOURCE_GROUP \
--location $LOCATION \
--nics opsman-nic \
--image https://$STORAGE_NAME.my-azure-instance.com/opsmanager/opsman-image-2.6.x.vhd \
--os-disk-name opsman-2.6.x-osdisk \
--os-disk-size-gb 128 \
--os-type Linux \
--use-unmanaged-disk \
--storage-account $STORAGE_NAME \
--storage-container-name opsmanager \
--admin-username ubuntu \
--ssh-key-value PATH-TO-PUBLIC-KEY
Replace my-azure-instance.com
with the URL of your Azure instance. Find the complete source URL in the Azure UI by viewing the Blob properties of the Tanzu Operations Manager image you created earlier in this procedure.
If you are using Azure managed disks:
Create a managed image from the Tanzu Operations Manager VHD file:
az image create --resource-group $RESOURCE_GROUP \
--name opsman-image-2.6.x \
--source https://$STORAGE_NAME.blob.core.windows.net/opsmanager/opsman-image-2.6.x.vhd \
--location $LOCATION \
--os-type Linux
The --source URL names the blob you copied into the opsmanager container earlier (opsman-image-2.6.x.vhd in these examples). If you are using Azure China or Azure Government Cloud, replace blob.core.windows.net in the --source URL with the endpoint for your cloud:
Azure China: blob.core.chinacloudapi.cn
Azure Government Cloud: blob.core.usgovcloudapi.net
For more information, see the Azure documentation.
Create your Tanzu Operations Manager VM, replacing PATH-TO-PUBLIC-KEY with the path to your public key .pub file.
az vm create --name opsman-2.6.x --resource-group $RESOURCE_GROUP \
--location $LOCATION \
--nics opsman-nic \
--image opsman-image-2.6.x \
--os-disk-size-gb 128 \
--os-disk-name opsman-2.6.x-osdisk \
--admin-username ubuntu \
--size Standard_DS2_v2 \
--storage-sku Standard_LRS \
--ssh-key-value PATH-TO-PUBLIC-KEY
If you plan to install more than one tile in this Tanzu Operations Manager installation, you can increase the size of the Tanzu Operations Manager VM disk. You can repeat this process and increase the disk again at a later time if necessary.
To stop the VM and detach the disk, run:
az vm deallocate --name opsman-2.6.x \
--resource-group $RESOURCE_GROUP
To resize the disk to 128 GB, run:
az disk update --size-gb 128 --name opsman-2.6.x-osdisk \
--resource-group $RESOURCE_GROUP
To start the VM, run:
az vm start --name opsman-2.6.x --resource-group $RESOURCE_GROUP
To finish configuring BOSH Director:
Go to your DNS provider, and create an entry that points a fully qualified domain name (FQDN) to the public IP address of Tanzu Operations Manager. As a best practice, always use the FQDN to access Tanzu Operations Manager.
Continue to Configuring BOSH Director on Azure.