Preparing to Deploy Ops Manager on Azure Manually
Warning: Pivotal Operations Manager v2.2 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes how to prepare Azure to deploy Ops Manager. You must deploy Ops Manager to deploy Pivotal Application Service (PAS) or Pivotal Container Service (PKS).
After you complete this procedure, follow the instructions in one of the following topics:
- Deploying Ops Manager to Azure Using Terraform
- Launching a BOSH Director Instance with an ARM Template
- Deploying Ops Manager on Azure Manually
Step 1: Install and Configure the Azure CLI
Install the Azure CLI 2.0 by following the instructions for your operating system in the Azure documentation.
Set your cloud with the --name value corresponding to the Azure environment on which you are installing Ops Manager:
- Azure: AzureCloud.
- Azure China: AzureChinaCloud. If logging in to AzureChinaCloud fails with a CERT_UNTRUSTED error, use the latest version of node, 4.x or later.
- Azure Government Cloud: AzureUSGovernment. Azure Government Cloud is only supported in Ops Manager v1.10 and later.
- Azure Germany: AzureGermanCloud.
$ az cloud set --name AzureCloud
Note: For more information about installing Ops Manager in the China Region, see Install in the China Region in Installing PCF in Airgapped Environments in the Pivotal documentation.
Log in:
$ az login
Authenticate by navigating to the URL in the output, entering the provided code, and clicking your account.
Step 2: Set Your Default Subscription
To list your Azure subscriptions, run the following command:
$ az account list
[
  {
    "id": "12345678-1234-5678-1234-567891234567",
    "name": "Sample Subscription",
    "user": {
      "name": "Sample Account",
      "type": "user"
    },
    "tenantId": "11111111-1234-5678-1234-678912345678",
    "state": "Enabled",
    "isDefault": true,
    "registeredProviders": [],
    "environmentName": "AzureCloud"
  },
  {
    "id": "87654321-1234-5678-1234-678912345678",
    "name": "Sample Subscription1",
    "user": {
      "name": "Sample Account1",
      "type": "user"
    },
    "tenantId": "22222222-1234-5678-1234-678912345678",
    "state": "Enabled",
    "isDefault": false,
    "registeredProviders": [],
    "environmentName": "AzureCloud"
  }
]
Identify your default subscription in the output of this command by locating the subscription listed that has isDefault set to true. To deploy Ops Manager to a different subscription, you must set the other subscription as the default. To set a new default subscription, run the following command:
$ az account set --subscription SUBSCRIPTION_ID
Record the value of the id set as the default. You use this value in future configuration steps.
Record the value of tenantId for your default subscription. This is your TENANT_ID for creating a service principal. If your tenantId value is not defined, you may be using a personal account to log in to your Azure subscription.
Step 3: Create an Azure Active Directory (AAD) Application
Run the following command to create an AAD application, replacing PASSWORD with a password of your choice. This is your CLIENT_SECRET for creating a service principal.
$ az ad app create --display-name "Service Principal for BOSH" \
    --password "PASSWORD" --homepage "http://BOSHAzureCPI" \
    --identifier-uris "http://BOSHAzureCPI"
Note: You can provide any string for the homepage and identifier-uris flags, but the value of identifier-uris must be unique within the organization associated with your Azure subscription. For the homepage, Pivotal recommends using http://BOSHAzureCPI as shown in the example above.
Record the value of appId from the output. This is your APPLICATION_ID for creating a service principal.
{
  "appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
  "appPermissions": null,
  "availableToOtherTenants": false,
  "displayName": "Service Principal for BOSH",
  "homepage": "http://BOSHAzureCPI",
  "identifierUris": [
    "http://BOSHAzureCPI"
  ],
  "objectId": "f3884df4-7d1d-4894-a78c-c1fe75750436",
  "objectType": "Application",
  "replyUrls": []
}
Step 4: Create and Configure a Service Principal
To create a service principal, run az ad sp create --id YOUR-APPLICATION-ID, replacing YOUR-APPLICATION-ID with the APPLICATION_ID you recorded in the previous step:
$ az ad sp create --id YOUR-APPLICATION-ID
{
  "appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
  "displayName": "Service Principal for BOSH",
  "objectId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
  "objectType": "ServicePrincipal",
  "servicePrincipalNames": [
    "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
    "http://BOSHAzureCPI"
  ]
}
You must have the Contributor role on your service principal to deploy Ops Manager to Azure. To assign the Contributor role on your service principal, run the following command:
$ az role assignment create --assignee "SERVICE-PRINCIPAL-NAME" \
    --role "Contributor" --scope /subscriptions/SUBSCRIPTION-ID
- For SERVICE-PRINCIPAL-NAME, use any value of Service Principal Names from the output above, such as YOUR-APPLICATION-ID.
- For SUBSCRIPTION-ID, use the ID of the default subscription that you recorded in Step 2.
Note: If you need to use multiple resource groups for your deployment on Azure, you can define custom roles for your Service Principal. These roles allow BOSH to deploy to pre-existing network resources outside of the resource group. For more information, see Multiple Resource Group Deployment in Reference Architecture for Pivotal Cloud Foundry on Azure in the Pivotal documentation.
For more information about Azure Role-Based Access Control, refer to the RBAC: Built-in roles topic in the Azure documentation.
Verify the assignment by running the following command:
$ az role assignment list --assignee "SERVICE-PRINCIPAL-NAME"
[
  {
    "id": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleAssignments/32e644cf-ba1a-4f43-bf7c-68bf4583e463",
    "name": "32e644cf-ba1a-4f43-bf7c-68bf4583e463",
    "properties": {
      "principalId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
      "principalName": "http://BOSHAzureCPI",
      "roleDefinitionId": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "roleDefinitionName": "Contributor",
      "scope": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243"
    },
    "type": "Microsoft.Authorization/roleAssignments"
  }
]
Step 5: Verify Your Service Principal
To verify your service principal, log in to your service principal with your APPLICATION_ID, CLIENT_SECRET, and TENANT_ID.
$ az login --username APPLICATION_ID --password CLIENT_SECRET \
    --service-principal --tenant TENANT_ID
[
  {
    "cloudName": "AzureCloud",
    "id": "995b7eed-77ef-45ff-a5c9-1a405ffb8243",
    "isDefault": true,
    "name": "CF-Docs",
    "state": "Enabled",
    "tenantId": "29248f74-371f-4db2-9a50-c62a6877a0c1",
    "user": {
      "name": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
      "type": "servicePrincipal"
    }
  }
]
If you cannot log in, the service principal is invalid. Create a new service principal and try again.
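The verification in Steps 4 and 5 can be scripted instead of read by eye. The following is an added example, not part of the original procedure or of any Pivotal tooling: it cross-checks the saved JSON outputs of az ad sp create, az role assignment list, and the service principal az login, and reports any role or scope that differs from Contributor on the target subscription. The function name audit_service_principal and its finding messages are hypothetical, and the sample JSON is trimmed from the outputs shown above.

```python
import json

# Sample outputs copied (trimmed) from Steps 4 and 5 of this page.
SP = '{"appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d", "objectId": "cc13c685-4c3b-461e-ae96-7a0563960b83"}'
ASSIGNMENTS = '''[{"properties": {"principalId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243"}}]'''
LOGIN = '''[{"id": "995b7eed-77ef-45ff-a5c9-1a405ffb8243",
  "user": {"name": "5c552e8f-b977-45f5-a50b-981cfe17cb9d", "type": "servicePrincipal"}}]'''


def audit_service_principal(sp_json, assignments_json, login_json, subscription_id):
    """Hypothetical helper: return findings; an empty list means the outputs agree."""
    sp = json.loads(sp_json)
    want_scope = "/subscriptions/" + subscription_id.lower()
    findings, has_contributor = [], False

    for entry in json.loads(assignments_json):
        # Fall back to top-level fields when there is no "properties" wrapper (assumption).
        props = entry.get("properties", entry)
        role = props.get("roleDefinitionName")
        scope = (props.get("scope") or "").lower().rstrip("/")
        if props.get("principalId") != sp["objectId"]:
            findings.append("assignment belongs to a different principal")
        if scope != want_scope and not scope.startswith(want_scope + "/"):
            findings.append(f"{role} granted outside the target subscription: {scope or '/'}")
        elif scope == want_scope and role == "Contributor":
            has_contributor = True
        elif scope == want_scope:
            findings.append(f"unexpected subscription-wide role: {role}")
    if not has_contributor:
        findings.append("Contributor is not assigned at " + want_scope)

    # Step 5: the login must be the service principal itself, on the same subscription.
    account = next((a for a in json.loads(login_json)
                    if a.get("id", "").lower() == subscription_id.lower()), None)
    if account is None:
        findings.append("service principal login does not list the target subscription")
    else:
        user = account.get("user", {})
        if user.get("type") != "servicePrincipal" or user.get("name") != sp["appId"]:
            findings.append("login identity is not the service principal created in Step 4")
    return findings


if __name__ == "__main__":
    for line in audit_service_principal(SP, ASSIGNMENTS, LOGIN,
                                        "995b7eed-77ef-45ff-a5c9-1a405ffb8243") or ["OK"]:
        print(line)
```

Assignments scoped below the subscription, such as a single resource group, are not reported, which matches the multiple resource group case described in the Note in Step 4.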
Step 6: Perform Registrations
Register your subscription with Microsoft.Storage:
$ az provider register --namespace Microsoft.Storage
Register your subscription with Microsoft.Network:
$ az provider register --namespace Microsoft.Network
Register your subscription with Microsoft.Compute:
$ az provider register --namespace Microsoft.Compute
Next Steps
After you complete this topic, continue to one of the following topics:
- Launching a BOSH Director Instance on Azure using Terraform: Perform the procedures in this topic to deploy BOSH Director using Terraform. Pivotal recommends using Terraform.
- Launching a BOSH Director Instance with an ARM Template: Perform the procedures in this topic to deploy BOSH Director with an Azure Resource Manager (ARM) template.
- Deploying Ops Manager on Azure Manually: Perform the procedures in this topic to deploy Ops Manager manually.