Preparing to Deploy Ops Manager on AWS

Page last updated:

This topic describes how to manually configure the Amazon Web Services (AWS) components that you need to deploy VMware Tanzu Operations Manager (Ops Manager) on AWS.

Overview of Deploying on AWS

To deploy Ops Manager on AWS, you must perform the procedures in this topic to create the objects in the AWS Management Console that Ops Manager requires.

To view the list of AWS objects created by the procedures in this topic, see Required AWS Objects.

To prepare Ops Manager for deployment with AWS:

  1. File a Ticket

  2. Create S3 Buckets

  3. Create a Policy

  4. Create an IAM Role or User

  5. Create a VPC

  6. Create an Internet Gateway

  7. Create a NAT Gateway

  8. Configure a Security Group for Ops Manager

  9. Configure a Security Group for BOSH-Deployed VMs

  10. Configure a Security Group for the Web ELB

  11. Configure a Security Group for the TCP ELB

  12. Configure a Security Group for MySQL

After completing the procedures in this topic, proceed to Deploying Ops Manager on AWS to continue deploying Ops Manager.

File a Ticket

Log in to the AWS Management Console, and file a ticket with Amazon to ensure that your account can launch more than the default 20 instances. In the ticket, ask for a limit of 50 t3.micro instances and 20 c5.large instances in the region you are using.

Note: To deploy Ops Manager to AWS GovCloud (US), log in to the AWS GovCloud (US) Console instead of the standard AWS Management Console.

Note: To deploy Ops Manager to AWS China, set up an AWS China account and contact the Platform Architect assigned for your account.

You can check the limits on your account by visiting the EC2 Dashboard on the AWS Management Console and clicking Limits on the left navigation menu.

Create S3 Buckets

Note:S3 bucket names must be globally unique. When naming buckets, VMware recommends that you prefix the generic names below with an unique and helpfully identifiable string (i.e. ID-STRING-pcf-ops-manager-bucket, MY-IDENTIFIER-pcf-buildpacks-bucket, and so on). Then you should use the same prefix when naming other associated resources, such as IAM policies.

Perform the following steps to create five S3 buckets:

  1. On the S3 Dashboard, click Create Bucket.

  2. In Bucket name, enter ID-STRING-pcf-ops-manager-bucket.

  3. In AWS Region, select your region.

  4. Click Create bucket.

  5. Repeat these steps to create four more S3 buckets:

    • ID-STRING-pcf-buildpacks-bucket
    • ID-STRING-pcf-packages-bucket
    • ID-STRING-pcf-resources-bucket
    • ID-STRING-pcf-droplets-bucket

Create a Policy for Ops Manager

Perform the following steps to create a Amazon Identity and Access Management (IAM) policy with the minimal permissions necessary to run and install Ops Manager:

  1. Click IAM to access the IAM Dashboard.

  2. Click Policies and then click Create Policy.

  3. Copy the policy document included in Ops Manager for AWS Policy Document. You must edit the policy document so the names of the S3 buckets match the ones you created in Create S3 Buckets above.

  4. Paste the policy document into the JSON tab on the Create policy page.

  5. Click Next:Tags and click Next:Review.

  6. In the Name field, enter pcf-iam-policy.

  7. Click Create policy.

Create an IAM Role or User for Ops Manager

Perform the following steps to create an Amazon Identity and Access Management (IAM) user or role with the minimal permissions necessary to run and install Ops Manager:

Note: VMware recommends that you use IAM roles instead of users to improve security.

  1. Click IAM to access the IAM Dashboard.

  2. If you are configuring AWS access using an AWS instance profile, create an IAM role:

    1. Click Roles and then click Create role.
    2. On the Create role page, set:
      • Role type: AWS service
      • Use case: EC2
    3. Click Next.
    4. On the Add permissions page, enter the name of the policy you created in the Permission policies search box. Select the check box next to the policy in the search results.
    5. Click Next.
    6. On the Name, review, and create page, enter a role name. For example, enter pcf-role.
    7. Click Create role.

  3. If you are configuring AWS access using AWS keys, create an IAM user:

    1. Click Users and then click Add users.
    2. Enter a username. For example, enter pcf-user.

    3. In AWS access type, check the Access key - Programmatic access check box.

      Note: If you prefer to create your keys locally and import them into AWS, see the [Amazon documentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

    4. Click Next: Permissions.

    5. Click the Attach existing policies directly tab.

    6. In the Filter policies search box, enter the name of the policy you created. Then check the check box next to the policy in the search results.

    7. Click Next: Tags, and then click Next: Review.

    8. Click Create user.

    9. Click Download .csv to download the user security credentials.

      Warning: The credentials.csv contains the IDs for your user security access key and secret access key. Keep the credentials.csv file for your currently active key pairs in a secure directory. You cannot recover a lost key pair.

    10. Click Close.

Create a VPC

  1. Follow the AWS tutorial to create an elastic IP address, a VPC, and additional subnets. To access the tutorial, see the AWS documentation. Refer to the following table when configuring the VPC wizard fields and subnets.

    VPC Wizard Field Instructions
    Resources to create Select VPC and more
    Name tag Enter pcf-vpc
    IPv4 CIDR block Select IPv4 CIDR manual input
    IPv4 CIDR Enter 10.0.0.0/16
    IPv6 CIDR block Select No IPv6 CIDR block
    Number of public subnets Select 0
    Number of private subnets Select 0


    For all other fields, accept the defaults.

  2. Click Create VPC.

  3. On the VPC dashboard, click Subnets, and then Create subnet.

  4. In VPC ID, select the VPC that includes (pcf-vpc).

  5. Add the following subnets. For each subnet, enter the Subnet name, Availability Zone, and IPv4 CIDR block. Then click Add new subnet to add the next subnet in the table:

    Subnet name Availability Zone IPv4 CIDR block
    pcf-public-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.0.0/24
    pcf-public-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.1.0/24
    pcf-public-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.2.0/24
    pcf-management-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.16.0/28
    pcf-management-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.16.16/28
    pcf-management-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.16.32/28
    pcf-tas-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.4.0/24
    pcf-tas-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.5.0/24
    pcf-tas-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.6.0/24
    pcf-services-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.8.0/24
    pcf-services-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.9.0/24
    pcf-services-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.10.0/24
    pcf-rds-subnet-az0 REGION-#a (for example, us-west-2a) 10.0.12.0/24
    pcf-rds-subnet-az1 REGION-#b (for example, us-west-2b) 10.0.13.0/24
    pcf-rds-subnet-az2 REGION-#c (for example, us-west-2c) 10.0.14.0/24

  6. Click Add new subnet.

Create an Internet Gateway

  1. On the VPC dashboard, click Internet gateways.

  2. Click Create internet gateway.

  3. In Name tag, enter pcf-internet-gateway.

  4. Click Create internet gateway.

  5. In Actions, click Attach to VPC.

  6. In Available VPCs, select the VPC that includes pcf-vpc.

  7. Click Attach internet gateway.

Create a NAT Gateway

  1. On the VPC dashboard, click NAT gateways.

  2. Click Create NAT gateway.

  3. In Name, enter pcf-nat-gateway.

  4. In Subnet, select the subnet that includes (pcf-public-subnet-az0).

  5. Click Allocate Elastic IP.

  6. Click Create NAT gateway.

Create Route Table for Public Subnets

  1. On the VPC dashboard, click Route tables.

  2. Click Create route table.

  3. In Name, enter pcf-public-route-table.

  4. In VPC, select the VPC that includes (pcf-vpc).

  5. Click Create route table.

    1. In the Routes section, click Edit routes.
    2. Click Add route.
    3. In Destination, enter 0.0.0.0/0.
    4. In Target, select Internet Gateway, then select the internet gateway that includes (pcf-internet-gateway).\
    5. Click Save changes.

  6. Click the Subnet associations tab.

    1. In the Explicit subnet associations section, click Edit subnet associations.
    2. Select pcf-public-subnet-az0, pcf-public-subnet-az1, and pcf-public-subnet-az2.
    3. Click Save associations.

Create Route Table for Remaining Subnets

  1. On the VPC dashboard, click Route tables.

  2. Click Create route table.

  3. In Name, enter pcf-management-route-table.

    1. In VPC, select the VPC that includes (pcf-vpc).
    2. Click Create route table.

  4. In the Routes section, click Edit routes.

    1. Click Add route.n Destination, enter 0.0.0.0/0.
    2. In Target, select NAT Gateway, then select the NAT gateway that includes (pcf-nat-gateway).
    3. Click Save changes.

  5. Click the Subnet associations tab.

    1. In the Explicit subnet associations section, click Edit subnet associations.
    2. Select pcf-management-subnet-az0, pcf-management-subnet-az1, pcf-management-subnet-az2, pcf-tas-subnet-az0, pcf-tas-subnet-az1, pcf-tas-subnet-az2, pcf-services-subnet-az0, pcf-services-subnet-az1, and pcf-services-subnet-az2.
    3. Click Save associations.

Configure a Security Group for Ops Manager

  1. Return to the EC2 Dashboard.

  2. Select Security Groups>Create Security Group.

  3. In Security group name, enter pcf-ops-manager-security-group.

  4. In Description, enter a description to identify this security group.

  5. In VPC, select the VPC in which you want to deploy Ops Manager.

  6. In the Inbound rules section, add rules using the information in the table below.

    Note: VMware recommends limiting access to Ops Manager to IP ranges within your organization, but you may relax the IP restrictions after configuring authentication for Ops Manager.

    Type Protocol Port Range Source
    HTTP TCP 80 My IP
    HTTPS TCP 443 My IP
    SSH TCP 22 My IP
    Custom TCP (BOSH Agent) TCP 6868 Custom 10.0.0.0/16
    Custom TCP (BOSH Director) TCP 25555 Custom 10.0.0.0/16

  7. Click Create security group.

Configure a Security Group for BOSH-Deployed VMs

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-vms-security-group.

  3. In Description, enter a description to identify this security group.

  4. In VPC, select the VPC where you want to deploy the BOSH-deployed VMs.

  5. In the Inbound rules section, add rules for all traffic from your public and private subnets to your private subnet, as shown in the table. This rule configuration does the following:

    • Enables BOSH to deploy VMware Tanzu Application Service for VMs (TAS for VMs) and other services.
    • Enables app VMs to communicate through the router.
    • Allows the load balancer to send traffic to TAS for VMs.
    Type Protocol Port Range Source
    All traffic All All Custom 10.0.0.0/16
    Custom TCP rule TCP 2222 Anywhere-IPv4 0.0.0.0/0

  6. Click Create security group.

Configure a Security Group for the Web ELB

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-web-elb-security-group.

  3. In Description, enter a description to identify this security group.

  4. In VPC, select the VPC where you want to deploy this Elastic Load Balancer (ELB).

  5. In the Inbound rules section, add rules to allow traffic to ports 80, 443, and 4443 from 0.0.0.0/0, as shown in the table.

    Note: Allow traffic to port `4443` only if you are in an AWS cloud region that does not support AWS ALBs. For example, the GovCloud region. For more information about AWS regoins and availability zones, see AWS Global Infrastructure.

    Note: For finer control over what can reach TAS for VMs, change 0.0.0.0/0 to be more restrictive. This security group governs external access to TAS for VMs from apps such as the cf CLI and app URLs.

    Type Protocol Port Range Source
    Custom TCP TCP 4443 Anywhere-IPv4 0.0.0.0/0
    HTTP TCP 80 Anywhere-IPv4 0.0.0.0/0
    HTTPS TCP 443 Anywhere-IPv4 0.0.0.0/0

  6. Click Create security group.

Configure a Security Group for the TCP ELB

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-tcp-elb-security-group.

  3. In Description, enter a description to identify this security group.

  4. In VPC, select the VPC in which you want to deploy this ELB.

  5. In the Inbound rules section, add the following rule:

    Type Protocol Port Range Source
    Custom TCP rule TCP 1024 - 1123 Anywhere-IPv4 0.0.0.0/0

  6. Click Create security group.

Configure a Security Group for MySQL

Note: If you plan to use an internal database, skip this step. If you are using RDS, you must configure a security group that enables the Ops Manager VM and BOSH Director VM to access the database.

  1. On the Security Groups page, click Create Security Group to create another security group.

  2. In Security group name, enter pcf-mysql-security-group.

  3. In Description, enter a description to identify this security group.

  4. In VPC, select the VPC where you want to deploy MySQL.

  5. In the Inbound rules section, add a rule of type MySQL and specify the subnet of your VPC in Source, as shown in the table.

    Type Protocol Port Range Source
    MYSQL/Aurora TCP 3306 Custom 10.0.0.0/16

  6. In the Outbound rules section, add a rule of type All traffic and specify the subnet of your VPC in Destination, as shown in the table.

    Type Protocol Port Range Destination
    All traffic All All Custom 10.0.0.0/16

  7. Click Create security group.

Next Step

Proceed to the next step, Deploying Ops Manager on AWS.