Deploying TAS for VMs with NSX-T Networking
This topic describes how to install VMware Tanzu Application Service for VMs (TAS for VMs) on vSphere with NSX-T internal networking, using the VMware NSX-T Container Plug-in for Ops Manager.
Overview
TAS for VMs uses a Container Network Interface (CNI) plugin to support secure and direct internal communication between containers. This plugin can be:
- The internal Silk plugin that comes packaged with TAS for VMs, or
- On vSphere, NSX-T Container Plug-in (NCP), which installs as the VMware NSX-T Container Plug-in for Ops Manager tile in Ops Manager.
Prerequisites
Before deploying TAS for VMs with NSX-T networking, you must have the following:
An NSX-T environment with NSX-T components installed and configured. The NSX-T version must support the versions of NCP and TAS for VMs you intend to use. Verify the compatibility between NSX-T, NCP and TAS for VMs with the following documentation:
- Product Interoperability Matrix: TAS for VMs, VMware NSX-T, and VMware NSX-T Container Plug-in for Ops Manager for supported version combinations.
- VMware NSX-T Data Center Documentation. In particular, review the NSX Container Plug-in (NCP) Release Notes and NSX-T Data Center Installation Guide for the versions of NCP and NSX-T that you want to install.
BOSH and Ops Manager installed and configured on vSphere. For more information, see Deploying Ops Manager on vSphere and Configuring BOSH Director on vSphere.
The VMware NSX-T Container Plug-in for Ops Manager tile downloaded from VMware Tanzu Network and imported to the Ops Manager Installation Dashboard. For information about downloading and importing VMware Tanzu products to the Installation Dashboard, see Adding and Importing Products.
The TAS for VMs tile downloaded from VMware Tanzu Network and imported to the Ops Manager Installation Dashboard. The TAS for VMs tile must be in one of the following two states:
- Configured but not deployed yet; you have not yet clicked Review Pending Changes, then Apply Changes on this version of TAS for VMs.
- Deployed previously, with the Container network interface plugin field set to External in the Networking pane of the TAS for VMs tile.
Note: Deploying TAS for VMs with its container network interface (CNI) set to Silk configures Diego Cells to use an internally-managed container network. Subsequently switching the CNI interface to External NSX-T leads to errors.
Architecture
The following diagram shows an NSX-T deployment running TAS for VMs across multiple vSphere hardware clusters. NSX-T runs a Tier-0 (T0) router and multiple Tier-1 (T1) routers, each connecting to a network within Ops Manager. Each column in the diagram is a vSphere hardware cluster, and each corresponds to an Availability Zone in Ops Manager:
When a developer pushes an app to a new org for the first time, the NSX-T plugin triggers NSX-T to create a new T1 router and allocate an address range for the org, on demand.
Install and Configure TAS for VMs and NSX-T
Installing NSX-T to run with TAS for VMs requires the following procedures:
- Set Up NSX-T to Integrate with TAS for VMs
- Enable NSX-T Mode in the BOSH Director
- Configure TAS for VMs for External Container Networking
- Install and Configure the NSX-T Container Plug-In
Set Up NSX-T to Integrate with TAS for VMs
To set up NSX-T to integrate with TAS for VMs, complete these procedures:
- Configure Logical Switches
- Configure Routers
- Configure Load Balancer
Configure Logical Switches
To configure logical switches:
- In vSphere, create logical network switches to correspond to the networks that Ops Manager uses.
- Log in to the NSX-T Manager Dashboard.
- Go to Advanced Networking & Security.
- Go to the Switching pane.
- For each of the following networks, click +ADD, enter a name for the logical switch (such as TAS for VMs-Infrastructure or TAS for VMs-Deployment), and click ADD:
  - Infrastructure (BOSH and Ops Manager, defined in the Assign AZs and Networks pane of the BOSH Director tile)
  - Deployment (TAS for VMs, defined in the Assign AZs and Networks pane of the TAS for VMs tile)
  - Services and Dynamic Services (marketplace services and on-demand services, also defined in the TAS for VMs tile)
  - Isolation Segment (optional, defined in the Assign AZs and Networks pane of the Isolation Segment tile)
Configure Routers
To configure routers:
Create T0 network address translation (NAT) rules to communicate with Ops Manager:
- Go to Advanced Networking & Security.
- Go to the Routers pane.
- Select your T0 router.
- From the Services dropdown, choose NAT.
- Add a rule for destination NAT (DNAT) with:
  - The externally-specified destination IP address of incoming requests. If your Ops Manager has a DNS entry (for example, opsmgr.example.com), this is its IP address.
  - The Ops Manager internal network address.
- Add the corresponding source NAT (SNAT) rule with:
  - The externally-specified destination IP address.
  - The Ops Manager internal network address.
- Add a rule for source NAT (SNAT) for the infrastructure and deployment networks with:
  - The externally-specified destination IP address.
  - The internal network address in CIDR notation.
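The NAT rule set above pairs a DNAT for Ops Manager with a matching SNAT, then adds network-wide SNATs for the Infrastructure and Deployment networks. The following is an added example, not part of the page or of the NSX-T product, that models those rules and applies them to sample flows so the pairing and the rule order can be checked before the rules are entered in NSX-T Manager. All addresses are constructed; the 192.168.1.0/24 and 192.168.2.0/24 subnets follow the subnet plan used later on this page.

```python
"""Added example: evaluator for the T0 NAT rules on this page (constructed addresses)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    action: str       # "DNAT" matches the destination, "SNAT" matches the source
    match: str        # host address or CIDR the rule applies to
    translated: str   # address the matched field is rewritten to


OPSMGR_EXTERNAL = "203.0.113.10"  # constructed: address behind opsmgr.example.com
OPSMGR_INTERNAL = "192.168.1.10"  # constructed: Ops Manager VM on the Infrastructure network
SNAT_EXTERNAL = "203.0.113.11"    # constructed: external address for both networks

# Same order as the page: Ops Manager DNAT, its matching SNAT, then the network SNATs.
T0_RULES = [
    NatRule("DNAT", OPSMGR_EXTERNAL, OPSMGR_INTERNAL),
    NatRule("SNAT", OPSMGR_INTERNAL, OPSMGR_EXTERNAL),
    NatRule("SNAT", "192.168.1.0/24", SNAT_EXTERNAL),   # Infrastructure network
    NatRule("SNAT", "192.168.2.0/24", SNAT_EXTERNAL),   # Deployment network
]


def apply_nat(rules, src: str, dst: str, inbound: bool):
    """Return (src, dst, match_of_applied_rule) after the first applicable rule.

    Inbound flows consult only DNAT rules (destination is rewritten); outbound
    flows consult only SNAT rules (source is rewritten). No match leaves the
    flow untouched and reports None: an internal source that gets None would
    leave the T0 router with a private address and never receive a reply.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    wanted = "DNAT" if inbound else "SNAT"
    for rule in rules:
        if rule.action != wanted:
            continue
        field = d if inbound else s
        if field in ipaddress.ip_network(rule.match, strict=False):
            if inbound:
                return (str(s), rule.translated, rule.match)
            return (rule.translated, str(d), rule.match)
    return (str(s), str(d), None)


def networks_without_snat(rules, networks):
    """Internal networks for which no SNAT rule matches; each one is a gap."""
    missing = []
    for net in networks:
        probe = str(ipaddress.ip_network(net, strict=True)[1])  # first host
        if apply_nat(rules, probe, "198.51.100.1", inbound=False)[2] is None:
            missing.append(net)
    return missing


if __name__ == "__main__":
    # Inbound request to the public Ops Manager address is DNATed to the VM
    print(apply_nat(T0_RULES, "198.51.100.7", OPSMGR_EXTERNAL, inbound=True))
    # Ops Manager's own outbound traffic keeps its public identity (rule 2 wins over rule 3)
    print(apply_nat(T0_RULES, OPSMGR_INTERNAL, "198.51.100.7", inbound=False))
    # A Deployment network VM egresses through the shared SNAT address
    print(apply_nat(T0_RULES, "192.168.2.50", "198.51.100.7", inbound=False))
    print(networks_without_snat(T0_RULES, ["192.168.1.0/24", "192.168.3.0/24"]))
```

Because the rules are evaluated first match wins, the host-specific SNAT for Ops Manager must precede the Infrastructure /24 SNAT; swapping them makes Ops Manager egress from the shared address instead of the one its DNS record points at. `networks_without_snat` is a quick way to confirm every internal network you add later (for example an isolation segment) has a corresponding SNAT rule.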
Create T1 routers for TAS for VMs, to connect from the T0 router. For each Ops Manager network (Infrastructure, Deployment, and so on), create a T1 router as follows:
- In the NSX-T Manager UI, navigate to Advanced Networking & Security > Routing > Routers.
- Click +ADD > Tier-1 Router.
- Configure the router. Include the Edge Cluster and Edge Cluster Members; they are required to enable the Load Balancer. The Infrastructure network router configuration might look like the following diagram:
Create T1 router downlink ports for TAS for VMs. For each T1 router you created, add a New Router Port as follows, to allow traffic in and out:
- In the NSX-T Manager UI, select the T1 router.
- In Configuration > Router Ports, click +ADD to add a new router port.
- For Logical Switch, enter the name of the logical switch you defined for the network in Configure Logical Switches, above.
- For IP Address, use the first IP of the appropriate subnet. In this example, 192.168.1.0/24 is set aside for Infrastructure (Ops Manager and BOSH Director), and 192.168.2.0/24 for the Deployment, so 192.168.1.1 and 192.168.2.1 are used respectively.
Advertise the routes of the T1 routers to the T0 router, so the T0 router can correctly route incoming requests based on their destination IP address:
- Select your T1 Router and navigate to Routing > Route Advertisement.
- Under Edit Route Advertisement Configuration, enable route advertisement by setting Status to Enabled.
- Set Advertise All Connected Routes to Yes.
- Set Advertise All LB VIP Routes to Yes (necessary if Load Balancing service is configured).
Allocate an IP block for TAS for VMs orgs:
- From the NSX-T Manager, navigate to Advanced Networking & Security > Networking > IPAM and click +ADD.
- Enter a name (for example, TAS for VMs-container-ip-block). This IP block name is also used in the VMware NSX-T tile in the NCP section under IP Blocks of Container Networks.
- Enter a description, such as "Subnets are allocated from this pool to each newly-created org".
- Enter a CIDR to allocate an address block large enough to accommodate all TAS for VMs apps. A /14 CIDR is large enough for ~1,000 Orgs with ~250 apps each. If you are planning such a large foundation, see VMware NSX-T TAS for VMs limits in the VMware documentation.
Create an external SNAT IP pool:
- Navigate to Advanced Networking & Security > Inventory > Groups > IP Pools and click +ADD.
- Enter a name (such as external-ip-pool) and a description (such as "IP pool that provides 1 public IP for each TAS for VMs Org"). Later, you will enter this pool name on the VMware NSX-T tile in the NCP section under IP Pools used to provide External (NAT) IP Addresses to Org Networks.
Configure Load Balancer
To configure a load balancer:
Create Active Health Monitors (health checks) for use by the virtual server later on:
- In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Monitors > Active Health Monitors.
- Create the health monitor for web load balancing:
  - Click +ADD.
  - Enter Monitor Properties:
    - Name: pas-web-monitor
    - Health Check Protocol: LbHttpMonitor
    - Monitoring Port: 8080
  - Click Next.
  - Enter Health Check Parameters:
    - HTTP Method: GET
    - HTTP Request URL: /health
    - HTTP Response Code: 200
  - Click Finish.
- Create the health monitor for TCP load balancing:
  - Click +ADD.
  - Enter Monitor Properties:
    - Name: pas-tcp-monitor
    - Health Check Protocol: LbHttpMonitor
    - Monitoring Port: 80
  - Click Next.
  - Enter Health Check Parameters:
    - HTTP Method: GET
    - HTTP Request URL: /health
    - HTTP Response Code: 200
  - Click Finish.
- Create the health monitor for SSH load balancing:
  - Click +ADD.
  - Enter Monitor Properties:
    - Name: pas-ssh-monitor
    - Health Check Protocol: LbTcpMonitor
    - Monitoring Port: 2222
  - Click Next, then click Finish.
Create server pools (collections of VMs which handle traffic) for use by the virtual server:
- In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Server Pools.
- Create the server pool for web load balancing:
  - Click +ADD to add a new pool.
  - Enter General Properties:
    - Name: pas-web-pool
  - Click Next.
  - Enter SNAT Translation:
    - Translation Mode: IP List
    - Enter a range of available IPs for SNAT translation. By default, ports from 4000 to 64000 are used for all configured SNAT IP addresses. Allocate enough IPs to handle your traffic load; without enough IPs, the SNAT ports are exhausted.
  - Click Next.
  - Enter Pool Members:
    - Membership Type: Static
  - Click Next.
  - Enter Health Monitors:
    - Active Health Monitor: pas-web-monitor
  - Click Finish.
- Create the server pool for TCP load balancing:
  - Click +ADD to add a new pool.
  - Enter General Properties:
    - Name: pas-tcp-pool
  - Click Next.
  - Enter SNAT Translation:
    - Translation Mode: Transparent
  - Click Next.
  - Enter Pool Members:
    - Membership Type: Static
  - Click Next.
  - Enter Health Monitors:
    - Active Health Monitor: pas-tcp-monitor
  - Click Finish.
- Create the server pool for SSH load balancing:
  - Click +ADD to add a new pool.
  - Enter General Properties:
    - Name: pas-ssh-pool
  - Click Next.
  - Enter SNAT Translation:
    - Translation Mode: Transparent
  - Click Next.
  - Enter Pool Members:
    - Membership Type: Static
  - Click Next.
  - Enter Health Monitors:
    - Active Health Monitor: pas-ssh-monitor
  - Click Finish.
Create virtual servers:
- In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Virtual Servers.
- Create the virtual server which forwards unencrypted web (HTTP) traffic to the foundation:
  Note: Foundations requiring end-to-end encryption should not enable the virtual server on port 80, or, if enabled, should configure it to redirect traffic to the encrypted port (443).
  - Click +ADD.
  - Enter General Properties:
    - Name: pas-web-vs
    - Application Type: Layer 4 (TCP)
    - Application Profile: nsx-default-lb-fast-tcp-profile
  - Click Next.
  - Enter Virtual Server Identifiers:
    - IP Address: use the address of the DNS record of *.system.YOUR-SYSTEM-DOMAIN.com
    - Port: 80,443
  - Enter Server Pool and Rules:
    - Default Server Pool: pas-web-pool
  - Click Next several times, then click Finish.
- Create the virtual server which forwards traffic to apps with custom ports to the foundation:
  - Click +ADD to add a new virtual server.
  - Enter General Properties:
    - Name: pas-tcp-vs
    - Application Type: Layer 4 (TCP)
    - Application Profile: nsx-default-lb-fast-tcp-profile
  - Click Next.
  - Enter Virtual Server Identifiers:
    - IP Address: use the address of the DNS record of tcp.apps.YOUR-SYSTEM-DOMAIN.com
    - Port: use the same ports as configured in the TAS for VMs Tile > Networking > TCP Routing Ports, for example 1024-1123,5900
  - Click Next.
  - Enter Server Pool and Rules:
    - Default Server Pool: pas-tcp-pool
  - Click Next, then click Finish.
- Create the virtual server which forwards SSH traffic to the foundation:
  - Click +ADD to add a new virtual server.
  - Enter General Properties:
    - Name: pas-ssh-vs
    - Application Type: Layer 4 (TCP)
    - Application Profile: nsx-default-lb-fast-tcp-profile
  - Click Next.
  - Enter Virtual Server Identifiers:
    - IP Address: use the address of the DNS record of ssh.system.YOUR-SYSTEM-DOMAIN.com
    - Port: 2222
  - Click Next.
  - Enter Server Pool and Rules:
    - Default Server Pool: pas-ssh-pool
  - Click Next, then click Finish.
Create the load balancer:
- In the NSX-T Manager UI, navigate to Advanced Networking & Security > Networking > Load Balancing > Load Balancers.
- Click +ADD.
- Enter the fields:
  - Name: pas-lb
  - Load Balancer Size: Choose Small unless you have a larger Foundation.
- Click OK.
- Select pas-lb.
- Click Actions > Attach to a Virtual Server, and then select pas-web-vs. Repeat this procedure for the virtual servers pas-tcp-vs and pas-ssh-vs.
- Click Actions > Attach to a Logical Router, and then select T1-Router-TAS for VMs-Deployment.
Enable NSX-T Mode in the BOSH Director
To enable NSX-T mode in the BOSH Director:
From the Ops Manager Installation Dashboard, open the BOSH Director tile.
In the vCenter Configs pane, click the pencil icon for the vCenter Config you want to edit.
Select NSX Networking below.
Configure BOSH Director authentication to the NSX Manager by following the NSX Networking instructions in the Step 2: Configure vCenter section of Configuring BOSH Director on vSphere.
Configure TAS for VMs for External Container Networking
To configure TAS for VMs for external container networking:
If you have not already done so, download the TAS for VMs tile from VMware Tanzu Network and import it to the Installation Dashboard. For instructions, see Adding and Importing Products.
Configure TAS for VMs, following the directions in Configuring TAS for VMs. When you configure Networking, select External under Container networking interface plugin.
Update the server pool membership for the NSX-T load balancers:
- Open the BOSH Director for vSphere tile > Resource Config pane.
- Click the arrow next to each job to reveal the NSX-T CONFIGURATION column. See Step 10: Resource Config Pane in Configuring BOSH Director on vSphere.
- Under Logical Load Balancer, enter a JSON-formatted structure defining a list of server_pools. This creates a VM extension for each of the three server pools: pas-web-pool, pas-tcp-pool, and pas-ssh-pool.
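The load balancer procedure above creates three monitors, three server pools, three virtual servers and one load balancer that must reference each other by name, and the Resource Config step then refers to the same pool names from Ops Manager. The following is an added example, not code from the page or from VMware: it records that object graph as data taken from the page, checks it for dangling references, malformed port lists and the port-80 caveat from the virtual server note, and builds the Logical Load Balancer JSON for one job. The JSON shape `{"server_pools": [{"name": ..., "port": ...}]}` is an assumption, as is whether a given pool needs a member port; which TAS for VMs job joins which pool is not stated on this page, so the function takes the pool names as input.

```python
"""Added example: consistency check of the NSX-T load balancer plan on this page and
generation of the Ops Manager Resource Config 'Logical Load Balancer' JSON.
Names and ports come from the page; the JSON shape is an assumption."""
import json

MONITORS = {
    "pas-web-monitor": {"protocol": "LbHttpMonitor", "port": 8080, "url": "/health", "code": 200},
    "pas-tcp-monitor": {"protocol": "LbHttpMonitor", "port": 80, "url": "/health", "code": 200},
    "pas-ssh-monitor": {"protocol": "LbTcpMonitor", "port": 2222},
}
POOLS = {
    "pas-web-pool": {"snat": "IP List", "monitor": "pas-web-monitor"},
    "pas-tcp-pool": {"snat": "Transparent", "monitor": "pas-tcp-monitor"},
    "pas-ssh-pool": {"snat": "Transparent", "monitor": "pas-ssh-monitor"},
}
VIRTUAL_SERVERS = {
    "pas-web-vs": {"ports": "80,443", "pool": "pas-web-pool"},
    "pas-tcp-vs": {"ports": "1024-1123,5900", "pool": "pas-tcp-pool"},
    "pas-ssh-vs": {"ports": "2222", "pool": "pas-ssh-pool"},
}
LOAD_BALANCER = {
    "name": "pas-lb", "size": "Small",
    "virtual_servers": ["pas-web-vs", "pas-tcp-vs", "pas-ssh-vs"],
    "router": "T1-Router-TAS for VMs-Deployment",
}


def expand_ports(spec: str) -> set:
    """'1024-1123,5900' -> {1024, ..., 1123, 5900}; rejects malformed or out-of-range entries."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port entry {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def validate(monitors, pools, virtual_servers, lb, require_end_to_end_tls=False):
    """Return a list of problems; an empty list means the plan is internally consistent."""
    problems = []
    for name, m in monitors.items():
        if m["protocol"] == "LbHttpMonitor" and not ("url" in m and "code" in m):
            problems.append(f"{name}: HTTP monitor needs a request URL and response code")
    for name, p in pools.items():
        if p["monitor"] not in monitors:
            problems.append(f"{name}: unknown monitor {p['monitor']}")
    for name, vs in virtual_servers.items():
        if vs["pool"] not in pools:
            problems.append(f"{name}: unknown pool {vs['pool']}")
        try:
            ports = expand_ports(vs["ports"])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        # Caveat from the page: with end-to-end encryption, plain HTTP on 80 should be
        # disabled or redirected to 443.
        if require_end_to_end_tls and 80 in ports:
            problems.append(f"{name}: port 80 enabled; disable it or redirect to 443")
    for vs in lb["virtual_servers"]:
        if vs not in virtual_servers:
            problems.append(f"{lb['name']}: unknown virtual server {vs}")
    return problems


def resource_config(pool_names, member_ports=None) -> dict:
    """Structure for one job's Logical Load Balancer field (assumed shape).

    member_ports is an optional {pool: port} map for pools whose members listen
    on a fixed port; pools without an entry get only a name.
    """
    entries = []
    for name in pool_names:
        if name not in POOLS:
            raise KeyError(f"unknown server pool {name}")
        entry = {"name": name}
        if member_ports and name in member_ports:
            entry["port"] = member_ports[name]
        entries.append(entry)
    return {"server_pools": entries}


def resource_config_json(pool_names, member_ports=None) -> str:
    """The same structure serialized as it would be pasted into Ops Manager."""
    return json.dumps(resource_config(pool_names, member_ports))


if __name__ == "__main__":
    print(validate(MONITORS, POOLS, VIRTUAL_SERVERS, LOAD_BALANCER))
    print(validate(MONITORS, POOLS, VIRTUAL_SERVERS, LOAD_BALANCER, require_end_to_end_tls=True))
    print(resource_config_json(["pas-web-pool"], {"pas-web-pool": 8080}))
```

Running the check with `require_end_to_end_tls=True` reports `pas-web-vs` because its port list includes 80; that is the same decision the note on the web virtual server asks you to make, surfaced before anything is clicked in the UI.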
Install and Configure the NSX-T Container Plug-In
To install and configure the tile:
If you have not already done so, download the VMware NSX-T Container Plug-in for Ops Manager tile from VMware Tanzu Network and import it to the Installation Dashboard. For instructions, see Adding and Importing Products.
Click the VMware NSX-T tile to open its Settings tab, and configure the NSX Manager pane as follows:
- NSX Manager Address: The NSX-T Manager host address or IP address.
- Use Client Certificates or Username/Password: Configure this setting as follows:
- If you are using VMware Workspace ONE Access, formerly called VMware Identity Manager (vIDM), then select Client Certificate Authentication.
- Otherwise, select Basic Authentication with Username and Password and enter NSX Manager Admin Username and Admin Password credentials in the fields underneath.
- NSX Manager CA Cert: Obtain this certificate from NSX-T Manager as follows:
  - ssh into NSX-T Manager using the admin account that you created when you deployed NSX-T Manager.
  - From the NSX-T Manager command line, run get certificate api to retrieve the certificate.
Open and configure the NCP (NSX-T Container Plugin) pane as follows:
- TAS for VMs Foundation Name: If unsure, use TAS for VMs. If multiple foundations co-exist on the same NSX-T Manager, choose a unique string, such as TAS for VMs-beta. NCP creates artifacts, such as T1 routers, and prefixes their names with this string for easy identification.
- Overlay Transport Zone: A uniquely identifying string for the Transport Zone that you chose when you created logical switches for each network. This can be the name of the transport zone if no other zones in NSX-T share the same name, or else the UUID for the transport zone.
- Tier-0 Router: A uniquely identifying string for the T0 router. This can be the tag string that you gave the router in NSX-T Manager if no other T0 routers in NSX-T share the same name, or else the UUID for the router.
- Subnet Prefix of Container Networks: Subnet mask to set the address range size for apps in a single org. Defaults to 24. This number must be higher than the mask of the IP block for all TAS for VMs orgs in the NSX-T Manager New IP Block pane, to define each org's fraction of the total TAS for VMs address space.
- Enable SNAT for Container Network: Enable this checkbox.
In the NSX Node Agent pane, enable the Enable Debug Level of Logging for NSX Node Agent checkbox.
Click Save and return to the Installation Dashboard.
After you have configured both the TAS for VMs tile and the VMware NSX-T tile, click Review Pending Changes, then Apply Changes to deploy TAS for VMs with NSX-T networking.
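Two settings on this page have to agree with each other: the CIDR of the container IP block created under IPAM (the page's /14 example) and the Subnet Prefix of Container Networks in the NCP pane (default 24), plus the external SNAT pool that must supply one public IP per org. The following is an added example, not code from the page or from VMware, that uses only the standard library to compute what a block and prefix pair yields, enforces the "prefix must be higher than the block mask" rule from the NCP pane, shows which subnet the n-th org would receive, and reports whether an SNAT pool is large enough. Addresses are constructed; the function names are my own.

```python
"""Added example: sizing check for the NCP container IP block, the
'Subnet Prefix of Container Networks' setting and the external SNAT IP pool."""
import ipaddress


def org_subnet_capacity(container_block: str, subnet_prefix: int) -> dict:
    """How many orgs an IPv4 block can hold and how many addresses each org gets.

    NCP carves one /<subnet_prefix> out of the block per org, so the prefix must
    be numerically higher than the block's own prefix (the rule in the NCP pane).
    The per-org count excludes the network and broadcast addresses.
    """
    block = ipaddress.ip_network(container_block, strict=True)
    if block.version != 4:
        raise ValueError("this check covers IPv4 blocks only")
    if not block.prefixlen < subnet_prefix <= block.max_prefixlen:
        raise ValueError(
            f"subnet prefix /{subnet_prefix} must be higher than the block prefix "
            f"/{block.prefixlen} and at most /{block.max_prefixlen}")
    orgs = 2 ** (subnet_prefix - block.prefixlen)
    addresses_per_org = 2 ** (block.max_prefixlen - subnet_prefix) - 2
    return {"orgs": orgs, "addresses_per_org": addresses_per_org}


def org_subnet(container_block: str, subnet_prefix: int, index: int) -> str:
    """The index-th (0-based) org subnet carved from the block, in allocation order."""
    block = ipaddress.ip_network(container_block, strict=True)
    capacity = org_subnet_capacity(container_block, subnet_prefix)["orgs"]
    if not 0 <= index < capacity:
        raise IndexError(f"block holds only {capacity} org subnets")
    size = 2 ** (block.max_prefixlen - subnet_prefix)
    start = int(block.network_address) + index * size
    return str(ipaddress.ip_network((start, subnet_prefix)))


def snat_pool_shortfall(ranges, expected_orgs: int) -> int:
    """Addresses missing from the external SNAT pool for expected_orgs orgs (0 if enough).

    The pool description on this page is 'IP pool that provides 1 public IP for
    each TAS for VMs Org', so the pool needs at least one address per org.
    ranges: list of (first_ip, last_ip) pairs as entered in the NSX-T IP pool.
    """
    total = 0
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if hi < lo:
            raise ValueError(f"range {first}-{last} is reversed")
        total += int(hi) - int(lo) + 1
    return max(0, expected_orgs - total)


if __name__ == "__main__":
    # The page's example: a /14 block with the default /24 per org
    print(org_subnet_capacity("10.0.0.0/14", 24))   # {'orgs': 1024, 'addresses_per_org': 254}
    print(org_subnet("10.0.0.0/14", 24, 1023))       # 10.3.255.0/24
    # A 200-address pool (constructed) falls short for 1024 orgs
    print(snat_pool_shortfall([("203.0.113.1", "203.0.113.200")], 1024))  # 824
```

The /14 and /24 pair reproduces the page's figures (1024 orgs, 254 addresses each). Leaving the NCP prefix at or below the block prefix is rejected outright rather than silently yielding a single org, and the SNAT pool check is worth running whenever the expected org count grows, because an exhausted pool means new orgs get no external address.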
Upgrade TAS for VMs with NSX-T Networking
After you have deployed TAS for VMs with NSX-T, you may need to upgrade either Ops Manager, TAS for VMs, the NSX-T Container Plug-in or NSX-T Data Center. If you upgrade one of these components, you may need to upgrade the other components as well.
For example, if you want to upgrade NSX-T Data Center, you may need to upgrade the NSX-T Container Plug-in first.
To upgrade TAS for VMs with NSX-T Networking:
Plan the upgrade: determine the compatibility of NCP, NSX-T, and TAS for VMs by checking the following documentation:
- See Product Interoperability Matrix: TAS for VMs, VMware NSX-T, and VMware NSX-T Container Plug-in for Ops Manager for supported version combinations.
- See VMware NSX-T Data Center Documentation. In particular, review the NSX Container Plug-in (NCP) Release Notes and NSX-T Data Center Installation Guide for the versions of NCP and NSX-T that you want to install.
Download the desired version of VMware NSX-T Container Plug-in for Ops Manager tile from VMware Tanzu Network.
In Ops Manager, import the new version of the tile to the Installation Dashboard. For instructions, see Adding and Importing Products.
Click Review Pending Changes and review your changes.
Click Apply Changes.
Continue with the upgrade of Ops Manager, TAS for VMs, or NSX-T Data Center. For more information, see Upgrade NCP in an Ops Manager Environment in the VMware NSX-T Data Center documentation.