This topic describes how you can prepare Azure to deploy VMware Tanzu Operations Manager. You must deploy Tanzu Operations Manager before you can deploy VMware Tanzu Application Service for VMs (TAS for VMs) or VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
Install the Azure CLI by following the instructions for your operating system in Install the Azure CLI in the Microsoft Azure documentation.
On the command line, set your cloud with a name
value by running the following command:
az cloud set --name CLOUD-NAME
Where CLOUD-NAME
is one of the following values. Use the value that corresponds to the Azure environment on which you are installing Tanzu Operations Manager:
AzureCloud
AzureChinaCloud
. If log in to AzureChinaCloud
fails with CERT_UNTRUSTED
, use the latest version of node, 4.x or later. For more information about this error, see Failed to login AzureChinaCloud in the Azure/azure-xplat-cli GitHub repository.AzureUSGovernment
For example:
$ az cloud set --name AzureCloud
To log in, run the following command:
az login
Authenticate by going to the URL in the output of the command, entering the provided code, and clicking your account.
To list your Azure subscriptions, run the following command:
az account list
For example:
$ az account list [ { "id": "12345678-1234-5678-1234-567891234567", "name": "Sample Subscription", "user": { "name": "Sample Account", "type": "user" }, "tenantId": "11111111-1234-5678-1234-678912345678", "state": "Enabled", "isDefault": true, "registeredProviders": [], "environmentName": "AzureCloud" }, { "id": "87654321-1234-5678-1234-678912345678", "name": "Sample Subscription1", "user": { "name": "Sample Account1", "type": "user" }, "tenantId": "22222222-1234-5678-1234-678912345678", "state": "Enabled", "isDefault": false, "registeredProviders": [], "environmentName": "AzureCloud" } ]
Identify your default subscription in the output of this command by locating the subscription that has isDefault
set to true
. To deploy Tanzu Operations Manager to a different subscription, you must set the other subscription as the default. To set a new default subscription, run the following command:
az account set --subscription SUBSCRIPTION-ID
Where SUBSCRIPTION-ID
is the value of the id
field of the subscription that you want to set as the default.
Example: The following command sets the default to a subscription that has an id
with the value of "87654321-1234-5678-1234-567891234567"
.
$ az account set --subscription "87654321-1234-5678-1234-567891234567"
Record the value of the id
of the default subscription. You need this value in future configuration steps.
Record the value of tenantID
of the default subscription. This is your TENANT_ID
for creating a service principal. If your tenantID
value is not defined, you might be using a personal account to log in to your Azure subscription.
To create an Azure Active Directory (AAD) application, run the following command:
az ad app create --display-name "Service Principal for BOSH" \
--web-home-page-url "http://BOSHAzureCPI" \
--identifier-uris "http://BOSHAzureCPI"
For example:
$ az ad app create --display-name "Service Principal for BOSH" \ --web-home-page-url "http://BOSHAzureCPI" \ --identifier-uris "http://BOSHAzureCPI"
You can provide any string for the web-home-page-url
and identifier-uris
flags, but the value of identifer-uris
must be unique within the organization associated with your Azure subscription. For the web-home-page-url
, VMware recommends using http://BOSHAzureCPI
, as shown in the preceding example.
From the output of the az ad app create
command that you ran in the previous step, locate and record the value of appId
. This is your APPLICATION_ID
for creating a service principal.
The following example output shows an appId
value of "5c552e8f-b977-45f5-a50b-981cfe17cb9d"
.
{ "appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d", "appPermissions": null, "availableToOtherTenants": false, "displayName": "Service Principal for BOSH", "web": { "homePageUrl": "http://BOSHAzureCIP", }, "identifierUris": [ "http://BOSHAzureCPI" ], "objectId": "f3884df4-7d1d-4894-a78c-c1fe75750436", "objectType": "Application", "replyUrls": [] }
To create a service principal, run the following command:
az ad sp create-for-rbac --display-name "Service Principal for BOSH" \
-n YOUR-APPLICATION-ID \
--role Owner \
--scopes /subscriptions/SUBSCRIPTION-ID
Where YOUR-APPLICATION-ID
is the APPLICATION_ID
that you recorded in Create an AAD Application.
For example:
$ az ad sp create-for-rbac --display-name "Service Principal for BOSH" \ -n 5c552e8f-b977-45f5-a50b-981cfe17cb9d \ --role Owner \ --scopes /subscriptions/1e9249d9-c682-410b-8d50-31fda4736c8b { "appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d", "displayName": "Service Principal for BOSH", "password": "9Hf8Q~4kYUPJ7wDqWoBVM5DctJZ~8xAxg8842axC", "tenant": "b39165ca-3cee-4b8a-a4d6-cd1239dd62f0" }
From the output of az ad sp create-for-rbac
command in the previous step, locate and record the value of password
. This is your CLIENT_SECRET
for creating a service principal.
You must have the Owner
role on your service principal to deploy Tanzu Operations Manager to Azure. If you need to use multiple resource groups for your deployment on Azure, you can define custom roles for your service principal. These roles enable BOSH to deploy to pre-existing network resources outside of the resource group.
For more information about Azure Role-Based Access Control, see Built-in roles for Azure resource the Microsoft Azure documentation.
To verify the role assignment, run the following command:
az role assignment list --assignee "SERVICE-PRINCIPAL-NAME"
Where "SERVICE-PRINCIPAL-NAME"
is any value of servicePrincipalNames
from the preceding output, such as YOUR-APPLICATION-ID
.
For example:
$ az role assignment list --assignee "5c552e8f-b977-45f5-a50b-981cfe17cb9d" [ { "id": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleAssignments/32e644cf-ba1a-4f43-bf7c-68bf4583e463", "name": "32e644cf-ba1a-4f43-bf7c-68bf4583e463", "properties": { "principalId": "cc13c685-4c3b-461e-ae96-7a0563960b83", "principalName": "http://BOSHAzureCPI", "roleDefinitionId": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "roleDefinitionName": "Owner", "scope": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243" }, "type": "Microsoft.Authorization/roleAssignments" } ]
To verify your service principal, run the following command to log in:
az login --username APPLICATION_ID --password CLIENT_SECRET \
--service-principal --tenant TENANT_ID
Where:
APPLICATION_ID
is the APPLICATION_ID
that you recorded in Create an AAD Application.CLIENT_SECRET
is the password that you recorded in Create a service principal.TENANT_ID
is the value of tenantID
of the default subscription that you recorded in Set your Default Subscription.For example:
$ az login --username 5c552e8f-b977-45f5-a50b-981cfe17cb9d \ --password "Swordfish" \ --service-principal --tenant 22222222-1234-5678-1234-678912345678 [ { "cloudName": "AzureCloud", "id": "995b7eed-77ef-45ff-a5c9-1a405ffb8243", "isDefault": true, "name": "my-user-name", "state": "Enabled", "tenantId": "22222222-1234-5678-1234-678912345678", "user": { "name": "5c552e8f-b977-45f5-a50b-981cfe17cb9d", "type": "servicePrincipal" } } ]
If you cannot log in, the service principal is invalid. Create a new service principal and log in again.
To register your subscription with Microsoft.Storage, run:
az provider register --namespace Microsoft.Storage
To register your subscription with Microsoft.Network, run:
az provider register --namespace Microsoft.Network
To register your subscription with Microsoft.Compute, run:
az provider register --namespace Microsoft.Compute
After you complete this procedure, follow the instructions in Deploying Tanzu Operations Manager on Azure.