Deploying TAS for VMs to VMC

Page last updated:

This topic describes how to install VMware Tanzu Application Service for VMs (TAS for VMs) to VMware Cloud (VMC) on Amazon Web Services (AWS).

Overview

VMC provides Software Defined Data Centers (SDDCs) that run on AWS with a high-level management console to configure networking rules. This topic describes the procedures for configuring and installing TAS for VMs on VMC using public IP addresses for ingress.

To install and configure TAS for VMs on VMC:

  1. Install Ops Manager

  2. Configure BOSH Director

  3. Install and Configure TAS for VMs

Prerequisites

Before you install and configure TAS for VMs on VMC:

(Optional) If you plan to connect to the VMC SDDC using a VPN or Direct Connect Virtual Interfaces (VIFs):

Enable Browser Access to vCenter

By default, ingress to vCenter is not enabled. If you are not using a VPN or other network, you must create a firewall rule in SDDC to allow vCenter access from your workstation’s public IP address.

To enable browser access to vCenter:

  1. Navigate to the VMC console.
  2. Select SDDCs.
  3. Click View Details on your datacenter tile.
  4. Select Networking & Security, and then select Security.
  5. Click Gateway Firewall.
  6. Click Management Gateway.
  7. Click + Add Rule.
    • Name: Enter vCenter Browser Inbound Rule.
    • Sources:
      1. Click User Defined Groups.
      2. Click Add Group.
        • For Group name, enter public ip address.
        • Click Set Members.
        • Select IP Addresses.
        • Enter your public IP address. For example, 66.170.99.1.

          Note: You can locate your public IP address by navigating to https://ifconfig.me/.

        • Press Enter.
        • Click Apply.
      3. Click Save.
    • Destinations: Select vCenter and then click Apply.
    • Services: Enter HTTPS, ICMP, SSO.
  8. Click Publish.

Record vCenter Credentials

To gather login credentials for the vCenter instance in your SDDC:

  1. Navigate to the VMC console.
  2. Select SDDCs.
  3. Click Open vCenter on your datacenter tile.
  4. A dialog box appears with the text: Before you can log into vCenter, you must open network access to vCenter through the management gateway. Choose an option for opening network access.
  5. Click Show Credentials.
  6. Record the credentials.

After enabling browser access and recording your vCenter credentials, you can access and authenticate with your cluster’s vCenter server.

Install Ops Manager

To install Ops Manager on VMC:

  1. Find the VMC pre-installed network to use for the BOSH infrastructure network:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security.
    5. Select Network, and then select Segments.
    6. Record the segment name for sddc-cgw-nework-1.
    7. Record the subnet 192.168.1.1/24. SDDC combines the gateway IP address and CIDR into a single value.
  2. If nothing has changed, create a file named options.json with the following contents:

    {
      "NetworkMapping": [
        {
          "Name": "Network 1",
          "Network": "sddc-cgw-network-1"
        }
      ],
      "PropertyMapping": [
        {
          "Key": "ip0",
          "Value": "192.168.1.10"
        },
        {
          "Key": "netmask0",
          "Value": "255.255.255.0"
        },
        {
          "Key": "gateway",
          "Value": "192.168.1.1"
        },
        {
          "Key": "DNS",
          "Value": "8.8.8.8"
        },
        {
          "Key": "ntp_servers",
          "Value": "time.google.com"
        }
      ]
    }
    
  3. Replace the following example text in the code below, then run the commands to upload the Ops Manager file to VMC:

    • EXAMPLE-PASSWORD: the vCenter password you recorded in Record vCenter Credentials.
    • www.example.com: your vCenter URL.
    • PATH-TO-OPS-MANAGER: the path to your Ops Manager OVA file.
    export GOVC_DATACENTER=SDDC-Datacenter
    export GOVC_DATASTORE=WorkloadDatastore
    export GOVC_RESOURCE_POOL=Compute-ResourcePool
    
    export GOVC_URL='cloudadmin@vmc.local':'EXAMPLE-PASSWORD©'@www.example.com
    
    govc library.create tas
    govc library.import tas PATH-TO-OPS-MANAGER
    govc library.deploy -options options.json /tas/ops-manager-vsphere-2.##.#-build.### ops-manager
    govc pool.create /SDDC-Datacenter/host/Cluster-1/Resources/az{1,2,3}
    

    Note: VMware recommends using govc library.* commands instead of govc import.ova.

    The govc import.ova commands depend on access to the ESXi hosts, which is not configured by default in VMC. Using these commands can cause errors like the following: govc: Post "https://10.2.32.4/nfc/5224a51f-114e-4627-8ca8-547c2e2e9488/disk-0.vmdk": dial tcp 10.2.32.4:443: i/o timeout

  4. Log in to vCenter:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click Open vCenter on your datacenter tile.
    4. Select Show Credentials, and then click Open vCenter.
    5. Find the Ops Manager VM.
    6. Open the Hosts & Clusters view.
    7. Open the Compute-ResourcePool and select the ops-manager VM.
    8. Click ▶ to power on the Ops Manager VM.
  5. Create public IP addresses for Ops Manager and HAProxy:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security.
    5. Select Public IPs, and then select Request New IP.
      1. For Notes, enter ops-manager and click Save.
      2. Record the IP address. For example, 54.190.190.190.
    6. Click Request New IP.
      1. For Notes, enter HAProxy and click Save.
      2. Record the IP address. For example, 54.180.180.180.
  6. Create a second network segment to use as the BOSH deployment network:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security.
    5. Select Network, and then select Segments.
    6. Click Add Segment:
      1. For Segment Name, enter bosh-network.
      2. For Type, enter routed.
      3. For Subnets, enter a subnet. For example, 192.168.2.1/24.
  7. Assign public IP addresses to Ops Manager and HAProxy:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security.
    5. Select NAT, and then click Add NAT Rule.
      1. For Rule Name, enter ops-manager.
      2. For Public IP, enter the IP address you created for Ops Manager in a previous step. For example, 54.190.190.190.
      3. For Internal IP, enter 192.168.1.10.
      4. Click Save.
    6. Select Add NAT Rule.
      1. For Rule Name, enter HAProxy.
      2. For Public IP, enter the IP address you created for HAProxy in a previous step. For example, 54.180.180.180.
      3. For Internal IP, enter 192.168.2.2.
      4. Click Save.
  8. Add firewall rules that allow ingress to Ops Manager and HAProxy:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security, and then select Security.
    5. Select Gateway Firewall, and then Compute Gateway.
    6. Click Add Rule.
    7. Select the newly-created rule:
      1. For Rule Name, enter opsman-ingress.
      2. For Sources, select Any.
      3. Configure Destinations:
        • Click Add Group.
          • For Group name, enter OM.
          • Click Set Members.
          • Select IP Addresses.
          • Enter the Ops Manager internal IP address, 192.168.1.10.
          • Press Enter.
          • Click Apply.
        • Click Save.
        • Click Apply.
        • Click Publish.
    8. Click Add Rule.
    9. Select the newly-created rule:
      1. For Rule Name, enter HAProxy-ingress.
      2. For Sources, select Any.
      3. Configure Destinations:
        • Click Add Group.
          • For Group name, enter HAProxy.
          • Click Set Members.
          • Select IP Addresses.
          • Enter the HAProxy internal IP address, 192.168.2.2.
          • Press Enter.
          • Click Apply.
        • Click Save.
        • Click Apply.
        • Click Publish.
  9. Add a firewall rule that allows egress for the 192.168.1.x and 192.168.2.x subnets:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security, and then select Security.
    5. Select Gateway Firewall, and then select Compute Gateway.
    6. Click Add Rule.
    7. Select the newly-created rule:
      1. For Rule Name, enter tas-egress.
      2. Edit Sources.
        • Click Add Group.
          • For Group name, enter tas.
          • Click Set Members.
          • Select IP Addresses.
          • Enter the first subnet CIDR, 192.168.1.0/24.
          • Press Enter.
          • Enter the second subnet CIDR, 192.168.2.0/24.
          • Press Enter.
          • Click Apply.
        • Click Save.
      3. Click Apply.
      4. For Destinations, select Any.
    8. Click Publish.
  10. Add a firewall rule that allows ingress to vCenter from the TAS for VMs control plane:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security, and then select Security.
    5. Click Gateway Firewall, and then select Management Gateway.
    6. Click Add Rule.
    7. Select the newly-created rule:
      1. For Rule Name, enter vCenter Inbound Rule.
      2. Edit Sources:
        • Click User Defined Groups.
        • Click Add Group.
          • For Group name, enter Ops Manager public IP.
          • Click Set Members.
          • Select IP Addresses.
          • Enter your Ops Manager public IP address. For example, 54.190.190.190.
          • Press Enter.
          • Click Apply.
        • Click Save.
        • Click Add Group.
          • For Group name, enter Workloads Compute NAT public IP.
          • Click Set Members.
          • Select IP Addresses.
          • Enter your Workloads Compute NAT public IP address. For example, 44.232.216.160.

            Note: You can locate your Workloads Compute NAT public IP address in the Networking & Security Overview.

          • Press Enter.
          • Click Apply.
        • Click Save.
      3. Edit Destinations: Select vCenter and then click Apply.
      4. Edit Services: Enter HTTPS, ICMP, SSO.
    8. Click Publish.
  11. Add a firewall rule that allows ingress to ESXi from the TAS for VMs control plane:

    1. Navigate to the VMC console.
    2. Select SDDCs.
    3. Click View Details on your datacenter tile.
    4. Select Networking & Security, and then select Security.
    5. Click Gateway Firewall, and then select Management Gateway.
    6. Click Add Rule.
    7. Select the newly-created rule:
      1. For Rule Name, enter ESXi Inbound Rule.
      2. Edit Sources:
        • Click User Defined Groups.
        • Click Add Group.
          • For Group name, enter Ops Manager private IP.
          • Click Set Members.
          • Select IP Addresses.
          • Enter the Ops Manager private IP address, 192.168.1.10.
          • Press Enter.
          • Click Apply.
        • Click Save.
        • Click Add Group.
          • For Group name, enter BOSH Director private IP.
          • Click Set Members.
          • Select IP Addresses.
          • Enter the BOSH Director private IP address, 192.168.1.11.
          • Press Enter.
          • Click Apply.
        • Click Save.
      3. Edit Destinations: Select vCenter and then click Apply.
      4. Edit Services: Enter HTTPS, ICMP, SSO.
    8. Click Publish.

Configure BOSH Director

Note: The procedure in this section contains only the configuration information that is specific to VMC. For more information about configuring BOSH on vSphere, see Configuring BOSH Director on vSphere.

To configure BOSH Director for VMC:

  1. Log in to Ops Manager:

    • Navigate to the IP address you configured for Ops Manager above. For example, https://54.190.190.190/.
    • Enter a Username, Password, and Password confirmation to create an Admin user.
    • Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Ops Manager datastore and is not recoverable.
  2. Select the BOSH Director for vSphere tile and configure BOSH as follows:

    • Settings → vCenter Config
      • vCenter Host: your vCenter URL. For example, vcenter.sddc-35-162-72-214.vmwarevmc.com.
      • vCenter Username: cloudadmin@vmc.local
      • vCenter Password: Enter the password you gathered from the SDDC.
      • Datacenter Name: Enter SDDC-Datacenter.
      • Virtual Disk Type: Select Thin.
      • Ephemeral Datastore Names: Enter WorkloadDatastore.
      • Persistent Datastore Names: Enter WorkloadDatastore.
      • Select Standard vCenter Networking.
    • Settings → Director Config
      • NTP Servers: Enter an NTP server of your choice. For example, time.google.com.
    • Settings → Create Availability Zones
      • az1:
        • Name: az1
        • Clusters:
          • Cluster: Cluster-1
          • Resource Pool: az1
      • az2:
        • Name: az2
        • Clusters:
          • Cluster: Cluster-1
          • Resource Pool: az2
      • az3:
        • Name: az3
        • Clusters:
          • Cluster: Cluster-1
          • Resource Pool: az3
    • Settings → Create Networks → Networks
      • infra:
        • Name: infra
        • Subnets:
          • vSphere Network Name: sddc-cgw-network-1
          • CIDR: 192.168.1.0/24
          • Reserved IP Ranges: 192.168.1.1-192.168.1.10
          • DNS: 8.8.8.8
          • Gateway: 192.168.1.1
          • Availability Zones: az1, az2, az3
      • deployment:
        • Name: deployment
        • Subnets:
          • vSphere Network Name: bosh-network
          • CIDR: 192.168.2.0/24
          • Reserved IP Ranges: 192.168.2.1
          • DNS: 8.8.8.8
          • Gateway: 192.168.2.1
          • Availability Zones: az1, az2, az3
    • Settings → Assign AZs and Networks
      • Singleton Availability Zone: az1
      • Network: infra
    • Settings → Security
      • Include Tanzu Ops Manager Root CA in Trusted Certs: Select the checkbox.
  3. After you finish configuration, click Apply Changes. The following warning appears: 'Review Pending Changes' in Ops Manager. A warning at the top of the image reads, 'Please review the warnings below. IaaS default: Could not log in. Required Datacenter privileges not available.'

    Click Ignore Warnings & Apply Changes. EditCluster permission is not required.

Install TAS for VMs

To configure TAS for VMs for VMC:

  1. Configure the TAS for VMs tile as follows:

    • Settings → Assign AZs and Networks
      • Network: Select deployment.
      • Click Save.
    • Settings → Domains
      • Set up a wildcard domain and ensure that it maps to the HAProxy public IP address you configured earlier. For example:
        • System domain: sys.54.180.180.180.nip.io
        • Apps domain: run.54.180.180.180.nip.io
    • Settings → Networking
      • Set the HAProxy IP address to the one you specified in the NAT rule above. This is the first available IP address in the deployment network.
        • HAProxy IPs: 192.168.2.2
      • Generate a certificate for the Gorouter and HAProxy:
        • Certificates and private keys for the Gorouter and HAProxy: Click Add.
          • Name: haproxy cert
          • Click Generate RSA Certificate.
          • Add *. domains for your system and apps domain above, separated by a comma. For example, *.**sys.54.180.180.180.nip.io,*.run.54.180.180.180.nip.io.
      • Set HAProxy as the TLS termination point:
        • TLS Termination: HA Proxy
      • Disable TLS forwarding for HAProxy:
        • HAProxy forwards all requests to the Gorouter over TLS: Click Disable.
    • Settings → UAA
      • For UAA configuration, generate a SAML certificate for *.login.SYSTEM-DOMAIN:
        • → SAML service provider credentials
          • Click Generate RSA Certificate.
          • Enter your domain. For example, *.login.sys.54.180.180.180.nip.io
          • Click Generate.
    • Settings → Resource Config:
      • Scale the HAProxy instances up to 1.
      • → HAProxy
        • Set Instances to 1.
        • Click Save.
  2. After you finish configuration, click Apply Changes. The following warning appears: 'Review Pending Changes' in Ops Manager. A warning at the top of the image reads, 'Please review the warnings below. IaaS default: Could not log in. Required Datacenter privileges not available.'

    Click Ignore Warnings & Apply Changes. EditCluster permission is not required.