Deploying PCF on Azure Government Cloud

This topic describes how to install Pivotal Cloud Foundry (PCF) on Azure Government Cloud.

Note: Azure Government Cloud is only supported in PCF 1.10 and later.

The procedures below involve using the Ops Manager API. For more information about the Ops Manager API, see the documentation at https://OPS-MAN-FQDN/docs.

Step 1: Prepare to Deploy

Perform the procedures in the Preparing to Deploy PCF on Azure topic, but instead of running az cloud set --name AzureCloud, specify the AzureUSGovernment environment:

$ az cloud set --name AzureUSGovernment

Step 2: Launch an Ops Manager Director Instance

Perform the procedures in the Launching an Ops Manager Director Instance on Azure without an ARM Template topic.

Step 3: Configure Authentication

Perform the procedures in the Step 1: Access Ops Manager section of the Configuring Ops Manager Director on Azure topic. Set up your Ops Manager authentication system, but do not continue to the Step 2: Azure Config Page section.

Continue to the Internal Authentication or External Identity Provider section below depending on which authentication system you configured.

Internal Authentication

If you configured your Ops Manager for Internal Authentication, perform the following steps:

  1. SSH into the Ops Manager VM:

    $ ssh -i opsman ubuntu@OPS_MAN_FQDN

    If the private key that you generated in the Launching an Ops Manager Director Instance on Azure without an ARM Template topic is not named opsman, provide the correct filename instead.

  2. From the Ops Manager VM, use the User Account and Authentication Command Line Interface (UAAC) to target your Ops Manager UAA server:

    $ uaac target https://OPS-MAN-FQDN/uaa

    Note: UAA is the Cloud Foundry identity and management service. See the User Account and Authentication (UAA) Server topic for more information.

  3. Retrieve your token to authenticate:

    $ uaac token owner get
    Client ID: opsman
    Client secret: [Leave Blank]
    User name: OPS-MAN-USERNAME
    Password: OPS-MAN-PASSWORD
    

  4. Continue to Step 4: Configure Ops Manager.

External Identity Provider

If you configured your Ops Manager for an external Identity Provider with SAML, perform the following steps:

  1. From your local machine, target your Ops Manager UAA server:

    $ uaac target https://OPS-MAN-FQDN/uaa

  2. Retrieve your token to authenticate. When prompted for a passcode, retrieve it from https://OPS-MAN-FQDN/uaa/passcode.

    $ uaac token sso get
    Client ID: opsman
    Client secret: [Leave Blank]
    Passcode: YOUR-PASSCODE
    
    If authentication is successful, the UAAC displays the following message: Successfully fetched token via owner password grant.

  3. Continue to Step 4: Configure Ops Manager.

Step 4: Configure Ops Manager

Perform the following steps to configure Ops Manager for Azure Government Cloud:

  1. List your tokens:

    $ uaac contexts

    Locate the entry for your Ops Manager FQDN. Under client_id: opsman, record the value for access_token.

  2. Use curl to pass in the environment:AzureUSGovernment key to Ops Manager using the API:

    $ curl "https://OPS-MAN-FQDN/api/v0/staged/director/properties" \
      -X PUT \
      -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "iaas_configuration": {
          "subscription_id": "SUBSCRIPTION-ID",
          "tenant_id": "TENANT-ID",
          "client_id": "APPLICATION-ID",
          "resource_group_name": "$RESOURCE-GROUP",
          "bosh_storage_account_name": "$STORAGE-NAME",
          "deployments_storage_account_name": "MY-DEPLOYMENT-STORAGE-X",
          "default_security_group": "opsmgr-nsg",
          "ssh_public_key": "ssh-rsa OPS-MAN-PUBLIC-KEY",
          "ssh_private_key": "-----BEGIN RSA PRIVATE KEY-----\nOPS-MAN-PRIVATE-KEY",
          "environment": "AzureUSGovernment"
        },
        "director_configuration": {
          "ntp_servers_string": "us.pool.ntp.org",
          "metrics_ip": "1.2.3.4",
          "resurrector_enabled": true,
          "max_threads": 1,
          "database_type": "internal",
          "blobstore_type": "local"
        },
        "security_configuration": {
          "trusted_certificates": "----- BEGIN SSL CERTIFICATE ----- ... ",
          "generate_vm_passwords": true
        }
      }'
    

    Replace the placeholder values under iaas_configuration as follows:

    Leave the values under director_configuration and security_configuration. They are designed to be overridden in a subsequent step when you configure Ops Manager using the web interface.

  3. If the curl command returns a 200 OK response, navigate to the Ops Manager FQDN in a browser and log in.

  4. Configure the Ops Manager Director tile by performing the procedures in the Step 2: Azure Config Page section through the Step 6: Security Page section of the Configuring Ops Manager Director on Azure topic. Stop when you reach the Resource Config page in Ops Manager.

  5. Only certain VM types are compatible with Azure Government Cloud. Create a file called vmtypes with the following contents:

    {"vm_types": [
      { "name": "Standard_D1_v2", "ram": 3584, "cpu": 1, "ephemeral_disk": 51200 },
      { "name": "Standard_D2_v2", "ram": 7168, "cpu": 2, "ephemeral_disk": 102400 },
      { "name": "Standard_D3_v2", "ram": 14336, "cpu": 4, "ephemeral_disk": 204800 },
      { "name": "Standard_D4_v2", "ram": 28672, "cpu": 8, "ephemeral_disk": 409600 },
      { "name": "Standard_D5_v2", "ram": 57344, "cpu": 8, "ephemeral_disk": 819200 },
      { "name": "Standard_D11_v2", "ram": 14336, "cpu": 2, "ephemeral_disk": 102400 },
      { "name": "Standard_D12_v2", "ram": 28672, "cpu": 4, "ephemeral_disk": 204800 },
      { "name": "Standard_D13_v2", "ram": 57344, "cpu": 8, "ephemeral_disk": 409600 },
      { "name": "Standard_D14_v2", "ram": 114688, "cpu": 16, "ephemeral_disk": 819200 },
      { "name": "Standard_F1", "ram": 2048, "cpu": 1, "ephemeral_disk": 16384 },
      { "name": "Standard_F2", "ram": 4096, "cpu": 2, "ephemeral_disk": 32768 },
      { "name": "Standard_F4", "ram": 8192, "cpu": 4, "ephemeral_disk": 65536 },
      { "name": "Standard_F8", "ram": 16384, "cpu": 8, "ephemeral_disk": 131072 }
    ]}

  6. Use curl to pass the file with the correct VM types to Ops Manager using the API:

    $ curl "https://OPS-MAN-FQDN/api/v0/vm_types" \
      -X PUT \
      -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
      -H "Content-Type: application/json" \
      -d @vmtypes
    

  7. If the curl command returns a 200 OK response, retrieve the current list of VM types to ensure they are the ones you specified in the vmtypes file:

    $ curl "https://OPS-MAN-FQDN/api/v0/vm_types" \
      -H "Authorization: Bearer UAA-ACCESS-TOKEN" 
       
      200 OK
      RESPONSE:
      "vm_types": [ { "name": "Standard_D1_v2", "ram":
      3584, "cpu": 1, "ephemeral_disk": 51200 }, { 
      "name": "Standard_D2_v2", "ram": 7168, "cpu": 2, 
      "ephemeral_disk": 102400 }, { "name": 
      "Standard_D3_v2", "ram": 14336, "cpu": 4, 
      "ephemeral_disk": 204800 },{ "name": 
      "Standard_D4_v2", "ram": 28672, "cpu": 8, 
      "ephemeral_disk": 409600 },{ "name": 
      "Standard_D5_v2", "ram": 57344, "cpu": 8, 
      "ephemeral_disk": 819200 },{ "name": 
      "Standard_D11_v2", "ram": 14336, "cpu": 2, 
      "ephemeral_disk": 102400 },{ "name": 
      "Standard_D12_v2", "ram": 28672, "cpu": 4, 
      "ephemeral_disk": 204800 },{ "name": 
      "Standard_D13_v2", "ram": 57344, "cpu": 8, 
      "ephemeral_disk": 409600 },{ "name": 
      "Standard_D14_v2", "ram": 114688, "cpu": 16,
      "ephemeral_disk": 819200 },{ "name": "Standard_F1",
      "ram": 2048, "cpu": 1, "ephemeral_disk": 16384 },
      { "name": "Standard_F2", "ram": 4096, "cpu": 2,
      "ephemeral_disk": 32768 }, {"name": "Standard_F4",
      "ram": 8192, "cpu": 4, "ephemeral_disk": 65536 },
      { "name": "Standard_F8", "ram": 16384, "cpu": 8, 
      "ephemeral_disk": 131072 ]
    

  8. Return to the Ops Manager Installation Dashboard by navigating to the Ops Manager FQDN in a browser.

  9. Click Apply Changes to redeploy Ops Manager.

  10. When Ops Manager finishes deploying, continue to the Deploying Elastic Runtime on Azure topic to deploy Elastic Runtime and complete your PCF installation.
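
The check in steps 5 through 7 (validate the vmtypes file before the PUT, then confirm that the GET response matches it) can be scripted instead of compared by eye. The following is an added example, not part of the original Pivotal documentation; the function names load_vm_types and diff_vm_types are hypothetical, the sample data is constructed, and the response is assumed to be a JSON object with a top-level vm_types list as shown in step 7.

```python
import json

FIELDS = ("name", "ram", "cpu", "ephemeral_disk")  # keys used in the vmtypes file

def load_vm_types(text):
    """Parse {"vm_types": [...]} into {name: (ram, cpu, ephemeral_disk)}.
    Raises ValueError for malformed JSON, missing keys, non-integer sizes or
    duplicate names, so a bad file is caught before it is sent to the API.
    """
    doc = json.loads(text)  # json.JSONDecodeError is a ValueError subclass
    entries = doc.get("vm_types") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError('top-level "vm_types" list is missing')
    table = {}
    for entry in entries:
        if not isinstance(entry, dict) or any(k not in entry for k in FIELDS):
            raise ValueError(f"entry needs the keys {FIELDS}: {entry!r}")
        name, sizes = entry["name"], tuple(entry[k] for k in FIELDS[1:])
        if not isinstance(name, str) or not all(type(v) is int and v > 0 for v in sizes):
            raise ValueError(f"bad name or non-positive-integer size: {entry!r}")
        if name in table:
            raise ValueError(f"duplicate VM type: {name}")
        table[name] = sizes
    return table

def diff_vm_types(uploaded_text, response_text):
    """Compare the uploaded file with the GET response body, ignoring order."""
    want, got = load_vm_types(uploaded_text), load_vm_types(response_text)
    return {
        "missing": sorted(want.keys() - got.keys()),
        "unexpected": sorted(got.keys() - want.keys()),
        "changed": sorted(n for n in want.keys() & got.keys() if want[n] != got[n]),
    }

# Constructed sample data (not real API output): three entries from the page's
# list; the response drops one, alters one, reorders them and adds an extra.
UPLOADED = ('{"vm_types": ['
            '{"name": "Standard_D1_v2", "ram": 3584, "cpu": 1, "ephemeral_disk": 51200},'
            '{"name": "Standard_D2_v2", "ram": 7168, "cpu": 2, "ephemeral_disk": 102400},'
            '{"name": "Standard_F1", "ram": 2048, "cpu": 1, "ephemeral_disk": 16384}]}')
RESPONSE = ('{"vm_types": ['
            '{"name": "Standard_F1", "ram": 2048, "cpu": 1, "ephemeral_disk": 32768},'
            '{"name": "Standard_D1_v2", "ram": 3584, "cpu": 1, "ephemeral_disk": 51200},'
            '{"name": "EXAMPLE_EXTRA", "ram": 1024, "cpu": 1, "ephemeral_disk": 8192}]}')

if __name__ == "__main__":
    print(diff_vm_types(UPLOADED, RESPONSE))
```

An empty list under all three keys means Ops Manager holds exactly the VM types in the file; continue to Apply Changes only in that case.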
