AVS Reference Architecture

Page last updated:

This topic describes a reference architecture for Ops Manager and any runtime products, including VMware Tanzu Application Service for VMs (TAS for VMs), on Azure VMware Solution (AVS). It builds on the common base architectures described in Platform Architecture and Planning.

For additional requirements and installation instructions for Ops Manager on AVS, see Deploying TAS for VMs to AVS.

Overview

The AVS reference architecture for the TAS for VMs runtime tiles is based on software-defined networking (SDN) infrastructure. AVS offers NSX-T to support SDN infrastructure.

Ops Manager supports these configurations for AVS deployments:

TAS for VMs on AVS with NSX-T

These sections describe the reference architecture for Ops Manager with TAS for VMs on AVS with NSX-T deployments. They also provide requirements and recommendations for deploying Ops Manager with TAS for VMs on AVS with NSX-T, such as network, load balancing, and storage capacity requirements and recommendations.

TAS for VMs on AVS with NSX-T supports these following SDN features:

  • Virtualized, encapsulated networks and encapsulated broadcast domains

  • VLAN exhaustion avoidance with the use of virtualized Logical Networks

  • DNAT/SNAT services to create separate, non-routable network spaces for the TAS for VMs installation

  • Load balancing services to pass traffic through Layer 4 to pools of platform routers at Layer 7

  • SSL termination at the load balancer at Layer 7 with the option to forward on at Layer 4 or 7 with unique certificates

  • Virtual, distributed routing and firewall services native to the hypervisor

Architecture

The diagram below illustrates reference architecture for TAS for VMs on AVS with NSX-T deployments:

The diagram shows the architecture for a TAS for VMs on AVS with NSX-T deployment. For more information about the components and networking demonstrated by the diagram, read the description below this diagram.

View a larger version of this diagram.

TAS for VMs deployments with NSX-T are deployed with three clusters and three availability zones (AZs).

An NSX-T Tier-0 router is on the front end of the TAS for VMs deployment. This router is a central logical router into the TAS for VMs platform. You can configure static or dynamic routing using BGP from the routed IP address backbone through the Tier-0 router with the edge gateway.

Several Tier-1 routers, such as the router for the TAS for VMs and infrastructure subnets, connect to the Tier-0 router.

NSX-T Container Plugin Requirement

TAS for VMs deployments require the VMware NSX-T Container Plugin to enable the SDN features available through NSX-T.

The NSX-T Container Plugin enables a container networking stack and integrates with NSX-T.

Note: To use NSX-T with TAS for VMs, the NSX-T Container Plugin must be installed, configured, and deployed at the same time as the TAS for VMs tile. To download the NSX-T Container Plugin, go to the VMware NSX-T Container Plug-in page on VMware Tanzu Network.

Networking

These sections describe networking requirements and recommendations for TAS for VMs on AVS with NSX-T deployments.

Routable IPs

The Tier-0 router must have routable external IP address space to advertise on the BGP network with its peers. Select a network range for the Tier-0 router with enough space so that you can separate the network into these two jobs:

  • Routing incoming and outgoing traffic
  • DNATs and SNATs, load balancer VIPs, and other platform components

Note: Compared to NSX-V, NSX-T consumes much more address space for SNATs.

Firewall

Ops Manager requires that the NSX firewall routes are not blocked. All communication between Ops Manager VMs and vCenter or ESXi hosts route through the NSX firewall and are blocked by default. For more information on which ports to allow, see VMware Ports and Protocols for vSphere.

DNS

TAS for VMs requires a system domain, app domain, and several wildcard domains.

For more information about DNS requirements for TAS for VMs, see Domain Names in Platform Planning and Architecture.

Load Balancing

The load balancing requirements and recommendations for TAS for VMs on AVS with NSX-T deployments are:

  • You must configure NSX-T load balancers for the Gorouters.

    • The domains for the TAS for VMs system and apps must resolve to the load balancer VIP.
    • You must assign either a private or a public IP address assigned to the domains for the TAS for VMs system and apps.
  • VMware recommends that you configure Layer 4 NSX-V load balancers for the Gorouters. With Layer 4 load balancers, traffic passes through the load balancers and SSL is terminated at the Gorouters. This approach reduces overhead processing.

    Note: You can use Layer 7 load balancers and terminate SSL at the load balancers. However, VMware discourages this approach because it adds additional overhead processing.

  • Any TCP Gorouters and SSH Proxies within the platform also require NSX-T load balancers.

  • Layer 4 and Layer 7 NSX-T load balancers are created automatically during app deployment.

Networking, Subnets, and IP Address Spacing

The requirements and recommendations related to networks, subnets, and IP address spacing for TAS for VMs on AVS with NSX-T deployments are:

  • TAS for VMs requires statically-defined networks to host its component VMs.

  • The client side of an NSX-T deployment uses a series of non-routable address blocks when using DNAT/SNAT at the Tier-0 interface.

  • The reference architecture for TAS for VMs on AVS with NSX-T deployments uses a pattern in which all networks are calculated on the /24 8-bit network boundary. The network octet is numerically sequential.

  • NSX-T dynamically assigns TAS for VMs org networks and adds a Tier-1 router. These org networks are automatically instantiated based on a non-overlapping block of address space. You can configure the block of address space in the NCP Configuration section of the NSX-T tile in Ops Manager. The default is /24. This means that every org in TAS for VMs is assigned a new /24 network.

For more information about TAS for VMs subnets, see Required Subnets in Platform Architecture and Planning Overview.

High Availability

AVS deploys a NSX-T with Active/Active HA.

For information about high availability (HA) requirements and recommendations for TAS for VMs on AVS, see High Availability in Platform Architecture and Planning Overview.

Shared Storage

TAS for VMs requires shared storage. By default, AVS deploys with vSAN configured.

For information about storage on AVS, see Hosts in the Microsoft AVS documentation.

SQL Server

An internal MySQL database is sufficient for use in production environments.

However, an external database provides more control over database management for large environments that require multiple data centers.

For information about configuring system databases on TAS for VMs, see Configure System Databases in Configuring TAS for VMs.

Security

For information about security requirements and recommendations for TAS for VMs deployments, see Security in Platform Architecture and Planning Overview.

Blobstore Storage

Use Azure Blob Storage as the external file storage option for Ops Manager. This provides redundancy for high-availability deployments of Ops Manager and unlimited scaling. Azure Blob Storage provides fully-redundant hot, cold, or archival storage in either local, regional, or global offerings.

Ops Manager requires a bucket for the BOSH blobstore.

TAS for VMs requires the following buckets:

  • Buildpacks

  • Droplets

  • Packages

  • Resources

These buckets require an associated role for read/write access.

HCX Migrations

HCX Migration of Ops Manager and any runtime products, including TAS for VMs, on AVS is not supported at this time.