OpenStack Reference Architecture
Page last updated:
This topic describes a reference architecture for VMware Tanzu Application Service for VMs (TAS for VMs) on OpenStack. TAS for VMs runs on VMware Tanzu Operations Manager (Ops Manager), and this architecture is valid for most production-grade Ops Manager deployments in a single project using three availability zones (AZs).
For general requirements for running Ops Manager and specific requirements for running Ops Manager on OpenStack, see OpenStack on Ops Manager Requirements.
An Ops Manager reference architecture describes a proven approach for deploying Ops Manager on a specific IaaS, such as OpenStack, that meets these requirements:
Includes common Ops Manager-managed runtimes and services, such as for TAS for VMs, VMware Tanzu SQL, VMware Tanzu RabbitMQ, and Spring Cloud Services for VMware Tanzu
Can host at least 100 app instances
VMware provides reference architectures to help you determine the best configuration for your Ops Manager deployment.
The table below lists the components that are part of a base reference architecture deployment on OpenStack with three AZs.
|Component||Reference Architecture Notes|
|Domains and DNS||Domain zones and routes in use by the reference architecture include:
|Ops Manager VM||Deployed on the infrastructure network and accessible by fully-qualified domain name (FQDN) or through an optional jumpbox.|
|BOSH Director||Deployed on the infrastructure network.|
|Application Load Balancer||Required. Load balancer that handles incoming HTTP, HTTPS, TCP, and SSL traffic and forwards them to the Gorouters. Load balancers are outside the scope of this topic.|
|SSH Load Balancer||Optional. Load balancer that provides SSH access to app containers for developers. Load balancers are outside the scope of this topic.|
|Gorouters||Accessed through the Application Load Balancer. Deployed on the TAS for VMs network, one per AZ.|
|Diego Brains||This component is required. However, the SSH container access functionality is optional and enabled through the SSH load balancers. Deployed on the TAS for VMs network, one per AZ.|
|TCP Routers||Optional feature for TCP routing. Deployed on the TAS for VMs network, one per AZ.|
|Database||Reference architecture uses internal MySQL.|
|Storage Buckets||Reference architecture uses customer-provided blobstore. Buckets are needed for BOSH and TAS for VMs.|
|Service Tiles||Deployed on the services network.|
|Service Accounts||VMware recommends two service accounts: one for OpenStack “paving,” and the other for Ops Manager and BOSH.
|OpenStack Quota||The default compute quota on a new OpenStack subscription is typically not enough to host a multi-AZ deployment. VMware recommends a quota of 100 for instances. Your OpenStack network quotas may also need to be increased.|
The table below lists the network objects in this reference architecture.
|Network Object||Notes||Estimated Number|
|Floating IP addresses||Two per deployment: one assigned to Ops Manager, the other to your jumpbox.||2|
|Project||One per deployment. A deployment exists within a single project and a single OpenStack region, but should distribute TAS for VMs jobs and service instances across three OpenStack AZs to ensure high availability.||1|
|Networks||The reference architecture requires these Tenant Networks:
Note: In many cases, the public network is an “under the cloud” network that is shared across projects.
|Routers||This reference architecture requires one router attached to all networks:
|Security Groups||The reference architecture requires one Security Groups. The table below describes the Security Group ingress rules:
|Load Balancers||Ops Manager on OpenStack requires a load balancer, which can be configured with multiple listeners to forward HTTP, HTTPS, and TCP traffic. VMware recommends two load balancers: one to forward the traffic to the Gorouters,
The table below describes the required listeners for each load balancer:
Note: In many cases, the load balancers are provided as an “under the cloud” service that is shared across projects.
|Jumpbox||Optional. Provides a way of accessing different network components. For example, you can configure it with your own permissions and then set it up to access to VMware Tanzu network to download tiles. Using a jumpbox is particularly useful in IaaSes where the Ops Manager VM does not have a public IP address. In these cases, you can SSH into the Ops Manager VM or any other component through the jumpbox.||1|