Preparing to Deploy Ops Manager on AWS Manually

This topic describes how to manually configure the Amazon Web Services (AWS) components that you need to deploy Ops Manager on AWS.

Note: To install Ops Manager with the VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) runtime on AWS, you must use Terraform. Manual installation is not currently supported. See Installing and Configuring Ops Manager on AWS in the TKGI documentation.

To deploy Ops Manager on AWS, you must perform the procedures in this topic to create objects in the AWS Management Console that Ops Manager requires.

To view the list of AWS objects created by the procedures in this topic, see Required AWS Objects.

After completing the procedures in this topic, proceed to Deploying Ops Manager on AWS Manually to continue deploying Ops Manager.

Step 1: File a Ticket

Log in to the AWS Management Console, and file a ticket with Amazon to ensure that your account can launch more than the default 20 instances. In the ticket, ask for a limit of 50 t3.micro instances and 20 c5.large instances in the region you are using.

Note: To deploy Ops Manager to AWS GovCloud (US), log in to the AWS GovCloud (US) Console instead of the standard AWS Management Console and select the us-gov-west-1 region.

Note: To deploy Ops Manager to AWS China, set up an AWS China account and contact the Platform Architect assigned for your account.

You can check the limits on your account by visiting the EC2 Dashboard on the AWS Management Console and clicking Limits on the left navigation.

Step 2: Create S3 Buckets

  1. Navigate to the S3 Dashboard.

    Note: S3 bucket names must be globally unique and lowercase. When naming buckets, VMware recommends that you prefix the generic names below with a unique, recognizable string (for example, ID-STRING-pcf-ops-manager-bucket, MY-IDENTIFIER-pcf-buildpacks-bucket, and so on). Use the same prefix when naming other associated resources, such as IAM policies, so that everything belonging to one installation can be identified at a glance.

  2. Perform the following steps to create five S3 buckets:

    • Click Create Bucket.
    • For Bucket name, enter ID-STRING-pcf-ops-manager-bucket.
    • For Region, select your region.
    • Click Next three times.
    • Click Create bucket.
    • Repeat the above steps to create four more S3 buckets:
      1. ID-STRING-pcf-buildpacks-bucket
      2. ID-STRING-pcf-packages-bucket
      3. ID-STRING-pcf-resources-bucket
      4. ID-STRING-pcf-droplets-bucket

Step 3: Create an IAM User for Ops Manager

Perform the following steps to create an Amazon Identity and Access Management (IAM) user with the minimal permissions necessary to run and install Ops Manager:

  1. Click IAM to access the IAM Dashboard.

  2. Click Users and then click Add user.

    Screenshot of IAM configuration page 1. The page is titled 'Add user'. It has two sections: 'Set User details' and 'Select AWS access type'.

  3. Enter a user name, such as pcf-user.

  4. For AWS access type, select Programmatic access.

    Note: If you prefer to create your keys locally and import them into AWS, see the Amazon documentation.

  5. Click Next: Permissions.

  6. Click Next: Review and review your choices.

    Note: On the Review page you may see a warning that the user has no permissions. You can disregard this message. You do not need to set user permissions.

  7. Click Create user.

  8. Click Download .csv to download the user security credentials.

    WARNING: The credentials.csv file contains the access key ID and secret access key for this user. Store it in a secure location and restrict who can read it: AWS does not let you retrieve the secret access key again, so if it is lost you must create a new access key. Treat it as a long-lived credential: rotate it if it is ever exposed and delete it when Ops Manager no longer needs it.

  9. Click Close.

  10. On the Users page, click the user name to access the user details page.

    Note: On the Users page you may see a warning that the user has no permissions. You can disregard this message. You do not need to set user permissions.

  11. Click Add inline policy. You can review your existing inline policies by clicking the down arrow.

    Screenshot of the Create policy page, which has a 'Visual editor' tab and a 'JSON' tab.

  12. On the Create policy page, define a policy:

    1. Copy the policy document included in Ops Manager for AWS Policy Document. You must edit the policy document so the names of the S3 buckets match the ones you created in Step 2: Create S3 Buckets above.
    2. Paste the policy document into the JSON tab on the Create policy page.
  13. Click Review policy.

  14. In the Name field, enter pcf-iam-policy.

  15. Click Create policy. The Summary page displays a list of available policies and actions.
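Step 2 asks you to derive five bucket names from a prefix, and step 12 above asks you to edit the policy document so that its S3 ARNs name those buckets. The following script, added here as an example and not part of the original page or of Ops Manager, does both: it builds and validates the bucket names, rewrites every S3 bucket and object ARN in a policy document, and refuses to emit a policy that still grants S3 actions on Resource "*". The SAMPLE_POLICY inside it is a constructed stand-in; it is not the Ops Manager for AWS policy document, which you must copy from the linked reference page.

```python
import json
import re
from copy import deepcopy

# The five generic bucket names from Step 2; the operator supplies the ID-STRING prefix.
GENERIC_BUCKETS = [
    "pcf-ops-manager-bucket",
    "pcf-buildpacks-bucket",
    "pcf-packages-bucket",
    "pcf-resources-bucket",
    "pcf-droplets-bucket",
]

# S3 bucket naming rules (the subset that matters here): 3 to 63 characters,
# lowercase letters, digits, dots and hyphens, starting and ending with a letter
# or digit, no "..", and not formatted like an IPv4 address.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Matches bucket ARNs (arn:aws:s3:::name) and object ARNs (arn:aws:s3:::name/key)
# in the standard, GovCloud and China partitions.
_S3_ARN_RE = re.compile(r"^(arn:aws(?:-us-gov|-cn)?:s3:::)([^/]+)(/.*)?$")


def bucket_names(prefix):
    """Return the five prefixed bucket names, rejecting any invalid S3 name."""
    names = [f"{prefix}-{generic}" for generic in GENERIC_BUCKETS]
    for name in names:
        if not _BUCKET_RE.match(name) or ".." in name or _IPV4_RE.match(name):
            raise ValueError(f"invalid S3 bucket name: {name}")
    return names


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def rewrite_s3_resources(policy, renames):
    """Return a copy of policy with S3 ARNs renamed according to renames
    (generic bucket name -> prefixed bucket name). Non-S3 ARNs are untouched."""
    new_policy = deepcopy(policy)
    for stmt in new_policy["Statement"]:
        original = stmt.get("Resource", [])
        rewritten = []
        for arn in _as_list(original):
            m = _S3_ARN_RE.match(arn)
            if m and m.group(2) in renames:
                arn = m.group(1) + renames[m.group(2)] + (m.group(3) or "")
            rewritten.append(arn)
        stmt["Resource"] = rewritten[0] if isinstance(original, str) else rewritten
    return new_policy


def unscoped_s3_statements(policy):
    """Return the statements that grant s3: actions on Resource "*"; after the
    rewrite every S3 grant should name one of the five buckets."""
    return [
        stmt for stmt in policy["Statement"]
        if any(a.lower().startswith("s3:") for a in _as_list(stmt.get("Action")))
        and "*" in _as_list(stmt.get("Resource"))
    ]


# Constructed sample policy for illustration only. It is NOT the Ops Manager for
# AWS policy document; copy the real one from the reference page.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::pcf-ops-manager-bucket",
                "arn:aws:s3:::pcf-ops-manager-bucket/*",
            ],
        },
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}


def prepare_policy(prefix, policy=SAMPLE_POLICY):
    """Rename the buckets in policy for prefix and return JSON text ready to
    paste into the JSON tab of the Create policy page."""
    renames = dict(zip(GENERIC_BUCKETS, bucket_names(prefix)))
    rewritten = rewrite_s3_resources(policy, renames)
    if unscoped_s3_statements(rewritten):
        raise ValueError("policy still grants S3 actions on Resource '*'")
    return json.dumps(rewritten, indent=2)


if __name__ == "__main__":
    print(prepare_policy("acme-prod"))
```

Load the real policy document with json.load and pass it as the policy argument; the prefix must be the same lowercase string you used for the buckets in Step 2, otherwise the rewritten ARNs will not match and the BOSH Director's S3 calls will fail with AccessDenied.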

Step 4: Create a VPC

  1. Navigate to the VPC Dashboard.

  2. Click Start VPC Wizard.

    Screenshot of the VPC Dashboard. The dashboard has a 'Start VPC Wizard' button and a 'Launch EC2 Instances' button.

  3. Select VPC with Public and Private Subnets and click Select.

  4. Specify the following details for your VPC:

    • IPv4 CIDR block: Enter 10.0.0.0/16.
    • IPv6 CIDR block: Select No IPv6 CIDR Block.
    • VPC name: pcf-vpc.
    • Public subnet’s IPv4 CIDR: Enter 10.0.0.0/24.
    • Set the Availability Zone fields for both subnets to REGION-#a. For example, us-west-2a.
    • Public subnet name: Enter pcf-public-subnet-az0.
    • Private subnet’s IPv4 CIDR: Enter 10.0.16.0/28.
    • Private subnet name: Enter pcf-management-subnet-az0.
    • Click Use a NAT instance instead and do the following:
      • Under Specify the details of your NAT instance, set the Instance type to t3.medium
      • Create a key pair titled pcf-ops-manager-key. For more information about creating the key pair, see Amazon EC2 Key Pairs in the AWS documentation.
      • Select your newly-created pcf-ops-manager-key for the Key Pair name.
    • Enable DNS hostnames: Click Yes.
    • Hardware tenancy: Select Default.
    • Click Create VPC.
  5. After the VPC is successfully created, click Subnets in the left navigation.

  6. Click Create Subnet.

  7. Add the following subnets to the pcf-vpc VPC:

    Note: You created the first two subnets in the previous step: pcf-public-subnet-az0 and pcf-management-subnet-az0.

    Name                        AZ                                    IPv4 CIDR block
    pcf-public-subnet-az1       REGION-#b (for example, us-west-2b)   10.0.1.0/24
    pcf-public-subnet-az2       REGION-#c (for example, us-west-2c)   10.0.2.0/24
    pcf-management-subnet-az1   REGION-#b (for example, us-west-2b)   10.0.16.16/28
    pcf-management-subnet-az2   REGION-#c (for example, us-west-2c)   10.0.16.32/28
    pcf-tas-subnet-az0          REGION-#a (for example, us-west-2a)   10.0.4.0/24
    pcf-tas-subnet-az1          REGION-#b (for example, us-west-2b)   10.0.5.0/24
    pcf-tas-subnet-az2          REGION-#c (for example, us-west-2c)   10.0.6.0/24
    pcf-services-subnet-az0     REGION-#a (for example, us-west-2a)   10.0.8.0/24
    pcf-services-subnet-az1     REGION-#b (for example, us-west-2b)   10.0.9.0/24
    pcf-services-subnet-az2     REGION-#c (for example, us-west-2c)   10.0.10.0/24
    pcf-rds-subnet-az0          REGION-#a (for example, us-west-2a)   10.0.12.0/24
    pcf-rds-subnet-az1          REGION-#b (for example, us-west-2b)   10.0.13.0/24
    pcf-rds-subnet-az2          REGION-#c (for example, us-west-2c)   10.0.14.0/24

Step 5: Configure a Security Group for Ops Manager

  1. Return to the EC2 Dashboard.

  2. Select Security Groups>Create Security Group.

  3. For Security group name, enter pcf-ops-manager-security-group.

  4. For Description, enter a description to identify this security group.

  5. For VPC, select the VPC where you want to deploy Ops Manager.

  6. Click the Inbound tab and add rules according to the table below.

    Note: VMware recommends limiting access to Ops Manager to IP ranges within your organization, but you may relax the IP restrictions after configuring authentication for Ops Manager.

    Type            Protocol   Port Range   Source
    HTTP            TCP        80           My IP
    HTTPS           TCP        443          My IP
    SSH             TCP        22           My IP
    BOSH Agent      TCP        6868         10.0.0.0/16
    BOSH Director   TCP        25555        10.0.0.0/16
  7. Click Create.

Step 6: Configure a Security Group for BOSH-Deployed VMs

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-vms-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy the BOSH-deployed VMs.

  5. Click the Inbound tab and add a rule that allows all traffic from the VPC CIDR (10.0.0.0/16), which covers both your public and private subnets, as the table shows. This rule does the following:

    • Enables BOSH to deploy VMware Tanzu Application Service for VMs (TAS for VMs) and other services.
    • Enables app VMs to communicate through the router.
    • Allows the load balancer to send traffic to TAS for VMs.

    Type          Protocol   Port Range   Source
    All traffic   All        0 - 65535    Custom IP 10.0.0.0/16
  6. Click Create.

Step 7: Configure a Security Group for the Web ELB

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-web-elb-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy this Elastic Load Balancer (ELB).

  5. Click the Inbound tab and add rules to allow traffic to ports 80, 443, and 4443 from 0.0.0.0/0, as the table and image show.

    Note: Allow traffic to port 4443 only if you are in an AWS region that does not support AWS Application Load Balancers (ALBs), such as the GovCloud region. For more information about AWS regions and availability zones, see AWS Global Infrastructure.

    Note: For finer control over what can reach TAS for VMs, change 0.0.0.0/0 to be more restrictive. This security group governs external access to TAS for VMs from apps such as the cf CLI and app URLs.

    Type              Protocol   Port Range   Source
    Custom TCP rule   TCP        4443         Anywhere 0.0.0.0/0
    HTTP              TCP        80           Anywhere 0.0.0.0/0
    HTTPS             TCP        443          Anywhere 0.0.0.0/0
  6. Click Create.

    Screenshot of the Create Security Group wizard. The wizard includes 'Inbound' and 'Outbound' security group rules.

Step 8: Configure a Security Group for the SSH ELB

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-ssh-elb-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy this ELB.

  5. Click the Inbound tab and add the following rule:

    Type              Protocol   Port Range   Source
    Custom TCP rule   TCP        2222         Anywhere 0.0.0.0/0

  6. Click Create.

Step 9: Configure a Security Group for the TCP ELB

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-tcp-elb-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy this ELB.

  5. Click the Inbound tab and add the following rule:

    Type              Protocol   Port Range   Source
    Custom TCP rule   TCP        1024 - 1123  Anywhere 0.0.0.0/0

  6. Click Create.

Step 10: Configure a Security Group for the Outbound NAT

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-nat-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy the Outbound NAT.

  5. Click the Inbound tab and add a rule to allow all traffic from your VPC CIDR, as the table shows.

    Type          Protocol   Port Range   Source
    All traffic   All        All          Custom IP 10.0.0.0/16
  6. Click Create.

Step 11: Configure a Security Group for MySQL

Note: If you plan to use an internal database, skip this step. If you are using RDS, you must configure a security group that enables the Ops Manager VM and BOSH Director VM to access the database.

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-mysql-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy MySQL.

  5. Click the Inbound tab. Add a rule of type MySQL with your VPC CIDR (10.0.0.0/16) as the Source, as the table shows.

    Type    Protocol   Port Range   Source
    MySQL   TCP        3306         Custom IP 10.0.0.0/16

  6. Click the Outbound tab. Add a rule of type All traffic with your VPC CIDR (10.0.0.0/16) as the Destination, as the table shows.

    Type          Protocol   Port Range   Destination
    All traffic   All        All          Custom IP 10.0.0.0/16

  7. Click Create.
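Steps 5 through 11 create seven security groups, and the only rules that should face the internet are the load balancer listeners on 80, 443, 4443, 2222 and 1024-1123. The following script, added here as an example and not part of the original page, encodes the inbound rules from those steps as data and audits them against two invariants: a rule with source 0.0.0.0/0 must be on an explicit allowlist of internet-facing (group, port range) pairs, and the BOSH Agent (6868), BOSH Director (25555) and MySQL (3306) ports must only be reachable from inside the VPC. The MY_IP value is a constructed placeholder (TEST-NET-3) standing in for the console's "My IP" source.

```python
import ipaddress

VPC = "10.0.0.0/16"
ANYWHERE = "0.0.0.0/0"
# Constructed placeholder for the console's "My IP"; use your organisation's
# real egress ranges here.
MY_IP = "203.0.113.0/24"

# Inbound rules from Steps 5 to 11 as (protocol, from_port, to_port, source).
# "-1" is the AWS protocol value for "All traffic".
SECURITY_GROUPS = {
    "pcf-ops-manager-security-group": [
        ("tcp", 80, 80, MY_IP),
        ("tcp", 443, 443, MY_IP),
        ("tcp", 22, 22, MY_IP),
        ("tcp", 6868, 6868, VPC),
        ("tcp", 25555, 25555, VPC),
    ],
    "pcf-vms-security-group": [("-1", 0, 65535, VPC)],
    "pcf-web-elb-security-group": [
        ("tcp", 4443, 4443, ANYWHERE),
        ("tcp", 80, 80, ANYWHERE),
        ("tcp", 443, 443, ANYWHERE),
    ],
    "pcf-ssh-elb-security-group": [("tcp", 2222, 2222, ANYWHERE)],
    "pcf-tcp-elb-security-group": [("tcp", 1024, 1123, ANYWHERE)],
    "pcf-nat-security-group": [("-1", 0, 65535, VPC)],
    "pcf-mysql-security-group": [("tcp", 3306, 3306, VPC)],
}

# The only internet-facing exposure the procedure intends: (group, from_port, to_port).
INTERNET_ALLOWLIST = {
    ("pcf-web-elb-security-group", 80, 80),
    ("pcf-web-elb-security-group", 443, 443),
    ("pcf-web-elb-security-group", 4443, 4443),
    ("pcf-ssh-elb-security-group", 2222, 2222),
    ("pcf-tcp-elb-security-group", 1024, 1123),
}

# Control-plane ports that must never be reachable from outside the VPC.
VPC_ONLY_PORTS = {6868: "BOSH Agent", 25555: "BOSH Director", 3306: "MySQL"}


def audit_security_groups(groups, allowlist=INTERNET_ALLOWLIST, vpc_cidr=VPC):
    """Return a list of (group, rule, reason) findings; empty means the rules match the plan."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for group, rules in groups.items():
        for rule in rules:
            _proto, lo, hi, source = rule
            src = ipaddress.ip_network(source)
            # Check 1: anything open to the whole internet must be intentionally so.
            if src.prefixlen == 0 and not any(
                g == group and a_lo <= lo and hi <= a_hi for g, a_lo, a_hi in allowlist
            ):
                findings.append((group, rule, "open to the internet but not on the allowlist"))
            # Check 2: BOSH and database ports stay inside the VPC.
            for port, label in VPC_ONLY_PORTS.items():
                if lo <= port <= hi and not src.subnet_of(vpc):
                    findings.append((group, rule, f"{label} port {port} reachable from outside the VPC"))
    return findings


if __name__ == "__main__":
    for group, rule, reason in audit_security_groups(SECURITY_GROUPS) or []:
        print(f"{group}: {rule}: {reason}")
```

Keep the rule table in this script in sync with what you create in the console; re-running it after the note in Step 5 ("you may relax the IP restrictions after configuring authentication") will show exactly which management ports a relaxed rule would expose, since opening the Ops Manager group to 0.0.0.0/0 trips the allowlist check and, for 6868 and 25555, the VPC-only check as well.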

Next Step

Proceed to the next step, Deploying Ops Manager on AWS Manually.