Deploying Ops Manager on AWS Manually

This topic describes how to deploy Pivotal Operations Manager for Pivotal Platform on Amazon Web Services (AWS).

Note: To install Pivotal Platform with the Enterprise Pivotal Container Service (Enterprise PKS) runtime, you must use Terraform. Manual installation is not currently supported. See Installing and Configuring Ops Manager on AWS in the PKS documentation.

Before you deploy Ops Manager, see the preparation steps in Preparing to Deploy Ops Manager on AWS Manually.

After you complete this procedure, follow the instructions in Configuring BOSH Director on AWS Manually.

Step 1: Launch an Ops Manager AMI

To launch an Amazon Machine Image (AMI) for Ops Manager, do the following:

  1. Navigate to the Pivotal Operations Manager section of Pivotal Network.

  2. Select the version of Ops Manager you want to install from the Releases dropdown.

  3. In the Release Download Files, click the file named Pivotal Ops Manager for AWS to download a PDF.

  4. Open the PDF and identify the AMI ID for your region.

  5. Return to the EC2 Dashboard.

  6. Click AMIs from the Images menu.

  7. Select Public images from the drop-down filter that says Owned by me.

  8. Paste the AMI ID for your region into the search bar and press enter.

    Note: There is a different AMI for each region. If you cannot locate the AMI for your region, verify that you have set your AWS Management Console to your desired region. If you still cannot locate the AMI, log in to the Pivotal Network and file a support ticket.

  9. (Optional) If you want to encrypt the VM that runs Ops Manager with AWS Key Management Service (KMS), perform the following additional steps:

    1. Right click the row that lists your AMI and click Copy AMI.
    2. Select your Destination region.
    3. Enable Encryption. For more information about AMI encryption, see Encryption and AMI Copy from the Copying an AMI topic in the AWS documentation.
    4. Select your Master Key. To create a new custom key, see Creating Keys in the AWS documentation.
    5. Click Copy AMI. You can use the new AMI you copied for the following steps.
  10. Select the row that lists your Ops Manager AMI and click Launch.

  11. Choose m3.large for your instance type and click Next: Configure Instance Details.

  12. Configure the following for your instance:

    • Network: Select the VPC that you created.
    • Subnet: Select pcf-public-subnet-az0 to allow traffic from public IP addresses, or pcf-management-subnet-az0 to allow traffic only from private IP addresses.
    • Auto-assign for Public IP: Select Enable to allow traffic from public IP addresses, or Disable to allow traffic only from private IP addresses.
    • IAM role: Select the IAM role associated with your pcf-user profile. If you have not created one, click Create new IAM role and follow the Guidelines for Creating User Roles on AWS.
    • For all other fields, accept the default values.

  13. Click Next: Add Storage and adjust the Size (GiB) value. The default persistent disk value is 50 GB. Pivotal recommends increasing this value to a minimum of 100 GB.

  14. Click Next: Tag Instance.

  15. On the Add Tags page, add a tag with the key Name and value pcf-ops-manager.

  16. Click Next: Configure Security Group.

  17. Select the pcf-ops-manager-security-group that you created in Step 5: Configure a Security Group for Ops Manager in Preparing to Deploy Ops Manager on AWS Manually.

  18. Click Review and Launch and confirm the instance launch details.

  19. Click Launch.

  20. Select the pcf-ops-manager-key key pair, confirm that you have access to the private key file, and click Launch Instances. You use this key pair to access the Ops Manager VM.

  21. Click View Instances to access the Instances page on the EC2 Dashboard.

Step 2: Create Web Load Balancer

  1. On the EC2 Dashboard, click Load Balancers.

  2. Click Create Load Balancer.

  3. Under Application Load Balancer, click Create.

  4. For Step 1: Configure Load Balancer, do the following:

    1. Under Basic Configuration, do the following:
      • For Name, enter pcf-web-elb.
      • For Scheme, select internet-facing to allow traffic from public IP addresses, or internal to allow traffic only from private IP addresses.
      • For IP address type, select the type of IP addresses you want to allow.
    2. Under Listeners, click Add listener. For Load Balancer Protocol, select HTTPS.
    3. Under Availability Zones, select all availability zones.
    4. Click Next: Configure Security Settings.
  5. For Step 2: Configure Security Settings, do the following:

    1. Under Select default certificate, do one of the following:
      • If you already have a certificate from AWS Certificate Manager (ACM), select Choose a certificate from ACM.
      • If you do not have a certificate from ACM, select Upload a certificate to ACM. For more information, see Importing Certificates into AWS Certificate Manager in the AWS documentation.

        Note: For a production or production-like environment, use a certificate from a Certificate Authority (CA). This can be an internal certificate or a purchased certificate. For a sandbox environment, you can use a self-signed certificate.

    2. For Certificate Name, select the desired certificate.
    3. For Security Policy, select the policy you created in Step 3: Create an IAM User for Pivotal Platform in Preparing to Deploy Ops Manager on AWS Manually.
    4. Click Next: Configure Security Groups.
  6. For Step 3: Configure Security Groups, do the following:

    1. Under Assign a security group, select Select an existing security group.
    2. From the list of security groups, select the pcf-web-elb-security-group security group that you configured in Step 7: Configure a Security Group for the Web ELB in Preparing to Deploy Ops Manager on AWS Manually.
    3. Click Next: Configure Routing.
  7. For Step 4: Configure Routing, do the following:

    1. Under Target Group, enter the following values:
      • Name: Enter pcf-web-elb-target-group.
      • Protocol: Select HTTP.
    2. Under Health checks, set Path to /health.
    3. Under Advanced health check settings, enter the following values:
      • Port: Set to 8080.
      • Interval: Set to 5 seconds.
      • Timeout: Set to 3 seconds.
      • Unhealthy threshold: Set to 3.
      • Healthy threshold: Set to 6.
    4. Click Next: Register Targets.
  8. For Step 5: Register Targets, accept the default values and click Next: Review.

  9. For Step 6: Review, review the load balancer details and then click Create. A message appears to confirm AWS successfully created the load balancer.

Step 3: Create SSH Load Balancer

  1. From the Load Balancers page, click Create Load Balancer.

  2. Select Classic Load Balancer.

  3. Configure the load balancer with the following information:

    • Load Balancer name: Enter pcf-ssh-elb.
    • Create LB Inside: Select the pcf-vpc VPC that you created in Step 4: Create a VPC in Preparing to Deploy Ops Manager on AWS Manually.
    • If you want to allow traffic from public IP addresses, ensure that the Create an internal load balancer checkbox is not selected. If you want to allow traffic only from private IP addresses, select this checkbox.
  4. Under Listener Configuration, add the following rules:

    Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port
    TCP                    | 2222               | TCP               | 2222
  5. Under Select Subnets, select either the public or private subnets you configured in Step 4: Create a VPC in Preparing to Deploy Ops Manager on AWS Manually, and click Next: Assign Security Groups.

  6. On the Assign Security Groups page, select the security group pcf-ssh-elb-security-group you configured in Step 8: Configure a Security Group for the SSH ELB in Preparing to Deploy Ops Manager on AWS Manually, and click Next: Configure Security Settings.

  7. On the Configure Security Settings page, ignore the Improve your load balancer’s security error message and click Next: Configure Health Check.

  8. On the Configure Health Check page, enter the following values:

    • Ping Protocol: Select TCP.
    • Ping Port: Set to 2222.
    • Interval: Set to 5 seconds.
    • Response Timeout: Set to 3 seconds.
    • Unhealthy threshold: Set to 3.
    • Healthy threshold: Set to 6.
  9. Click Next: Add EC2 Instances.

  10. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

  11. Accept the defaults on the Add Tags page and click Review and Create.

  12. Review and confirm the load balancer details, and click Create.

Step 4: Create TCP Load Balancer

  1. From the Load Balancers page, click Create Load Balancer.

  2. Select Classic Load Balancer.

  3. Configure the load balancer with the following information:

    • Load Balancer name: Enter pcf-tcp-elb.
    • Create LB Inside: Select the pcf-vpc VPC that you created in Step 4: Create a VPC in Preparing to Deploy Ops Manager on AWS Manually.
    • If you want to allow traffic from public IP addresses, ensure that the Create an internal load balancer checkbox is not selected. If you want to allow traffic only from private IP addresses, select this checkbox.

  4. Under Listener Configuration, add the following rules:

    Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port
    TCP                    | 1024               | TCP               | 1024
    TCP                    | 1025               | TCP               | 1025
    TCP                    | 1026               | TCP               | 1026
    ...                    | ...                | ...               | ...
    TCP                    | 1123               | TCP               | 1123

    The ... entry above indicates that you must add listening rules for each port between 1026 and 1123.

  5. Under Select Subnets, select either the public or private subnets you configured in Step 4: Create a VPC in Preparing to Deploy Ops Manager on AWS Manually, and click Next: Assign Security Groups.

  6. On the Assign Security Groups page, select the security group pcf-tcp-elb-security-group you configured in Step 9: Configure a Security Group for the TCP ELB in Preparing to Deploy Ops Manager on AWS Manually, and click Next: Configure Security Settings.

  7. On the Configure Security Settings page, ignore the Improve your load balancer’s security error message and click Next: Configure Health Check.

  8. On the Configure Health Check page, enter the following values:

    • Ping Protocol: Select TCP.
    • Ping Port: Set to 80.
    • Interval: Set to 5 seconds.
    • Response Timeout: Set to 3 seconds.
    • Unhealthy threshold: Set to 3.
    • Healthy threshold: Set to 6.
  9. Click Next: Add EC2 Instances.

  10. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

  11. Accept the defaults on the Add Tags page and click Review and Create.

  12. Review and confirm the load balancer details, and click Create.
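
The following Python script is an added example and is not part of the Pivotal documentation. It writes the listener and health-check settings from Step 3 and Step 4 down as data, expands the 1024 through 1123 port range that the table abbreviates, and compares that expectation with the listeners and health check a deployed load balancer reports, so drift such as a skipped port, a listener nobody intended to expose, or a loosened health-check interval shows up as a finding. The dict keys mirror the classic ELB API's Listeners and HealthCheck fields; the "observed" listener list and health check are constructed sample data, and nothing here calls AWS.

```python
"""Declarative copy of the SSH and TCP load balancer settings from Steps 3-4,
with an audit that compares them against what a deployed load balancer reports.

Added example, not part of the Pivotal documentation. Dict keys mirror the
classic ELB API's Listeners and HealthCheck fields. The "observed" data below
is constructed sample input; nothing in this file calls AWS.
"""

TCP_PORT_RANGE = range(1024, 1124)  # Step 4: ports 1024 through 1123 inclusive


def tcp_listener(port):
    """A classic-ELB listener that passes one TCP port straight through to the instances."""
    return {"Protocol": "TCP", "LoadBalancerPort": port,
            "InstanceProtocol": "TCP", "InstancePort": port}


def health_check(target, interval=5, timeout=3, unhealthy=3, healthy=6):
    """Health-check block with the thresholds the page uses for both classic ELBs."""
    return {"Target": target, "Interval": interval, "Timeout": timeout,
            "UnhealthyThreshold": unhealthy, "HealthyThreshold": healthy}


def expected_load_balancers():
    """Steps 3 and 4 as data: load balancer name -> listeners and health check."""
    return {
        "pcf-ssh-elb": {
            "Listeners": [tcp_listener(2222)],
            "HealthCheck": health_check("TCP:2222"),
        },
        "pcf-tcp-elb": {
            # The page's table shows 1024, 1025, 1026 ... 1123; expand the full range.
            "Listeners": [tcp_listener(p) for p in TCP_PORT_RANGE],
            "HealthCheck": health_check("TCP:80"),
        },
    }


def audit_listeners(expected, observed):
    """Return (missing_ports, unexpected_ports) for one load balancer.

    `observed` has the same shape as the Listener entries the ELB API reports.
    An unexpected port is the more serious finding: it is a path into the
    instances that the design never called for.
    """
    def key(listener):
        return (listener["Protocol"], listener["LoadBalancerPort"],
                listener["InstanceProtocol"], listener["InstancePort"])

    want = {key(l) for l in expected}
    have = {key(l) for l in observed}
    missing = sorted(k[1] for k in want - have)
    unexpected = sorted(k[1] for k in have - want)
    return missing, unexpected


def audit_health_check(expected, observed):
    """Return the health-check fields whose observed value differs from the expected one."""
    return sorted(k for k, v in expected.items() if observed.get(k) != v)


# Constructed sample of what a drifted pcf-tcp-elb might report: port 1100 was
# never added, a TCP 22 listener was added by mistake, and the health-check
# interval was left at a slower value than the page specifies.
SAMPLE_OBSERVED_TCP_LISTENERS = (
    [tcp_listener(p) for p in TCP_PORT_RANGE if p != 1100] + [tcp_listener(22)]
)
SAMPLE_OBSERVED_TCP_HEALTH_CHECK = health_check("TCP:80", interval=30)


def audit_tcp_elb(observed_listeners, observed_health_check):
    """Run both audits for pcf-tcp-elb and return the findings in one dict."""
    spec = expected_load_balancers()["pcf-tcp-elb"]
    missing, unexpected = audit_listeners(spec["Listeners"], observed_listeners)
    return {
        "missing_ports": missing,
        "unexpected_ports": unexpected,
        "health_check_mismatches": audit_health_check(spec["HealthCheck"], observed_health_check),
    }


if __name__ == "__main__":
    # Expected output for the constructed sample:
    # {'missing_ports': [1100], 'unexpected_ports': [22], 'health_check_mismatches': ['Interval']}
    print(audit_tcp_elb(SAMPLE_OBSERVED_TCP_LISTENERS, SAMPLE_OBSERVED_TCP_HEALTH_CHECK))
```

To use this against a real account, replace the constructed sample with the ListenerDescriptions and HealthCheck fields from the ELB DescribeLoadBalancers response for each of the two load balancers; the audit functions take those fields unchanged. Keeping the expected settings as data also gives you something to diff against when the console wizard has been repeated by hand in several regions.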

Step 5: Configure DNS Records

  1. Perform the following steps for all three of the load balancers you created in previous steps, named pcf-web-elb, pcf-ssh-elb, and pcf-tcp-elb:

    1. From the Load Balancers page, select the load balancer.
    2. On the Description tab, locate the Basic Configuration section and record the DNS name of the load balancer.
  2. Click Instances on the left navigation to view your EC2 instances.

  3. Select the PcfOpsManInstance instance created by Cloudformation.

  4. On the Description tab, record the value for IPv4 Public IP.

  5. Navigate to your DNS provider and create the following CNAME and A records:

    • CNAME: *.apps.YOUR-SYSTEM-DOMAIN.com and *.system.YOUR-SYSTEM-DOMAIN.com points to the DNS name of the pcf-web-elb load balancer.
    • CNAME: ssh.YOUR-SYSTEM-DOMAIN.com points to the DNS name of the pcf-ssh-elb load balancer.
    • CNAME: tcp.YOUR-SYSTEM-DOMAIN.com points to the DNS name of the pcf-tcp-elb load balancer.
    • A: pcf.YOUR-SYSTEM-DOMAIN.com points to the public IP address of the pcf-ops-manager EC2 instance.

Step 6: Secure the NAT Instance

  1. On the EC2 Dashboard, click Instances.

  2. Select the NAT instance, which has an instance type of t3.medium.

  3. From the Actions menu, select Networking>Change Security Groups.

  4. Change the NAT security group from the default group to the pcf-nat-security-group NAT security group that you created in Step 10: Configure a Security Group for the Outbound NAT in Preparing to Deploy Ops Manager on AWS Manually.

  5. Click Assign Security Groups.

Step 7: Create RDS Subnet Group

  1. Navigate to the RDS Dashboard.

  2. Perform the following steps to create a RDS Subnet Group for the two RDS subnets:

    1. Click Subnet Groups>Create DB Subnet Group.
    2. Enter the following values:
      • Name: Enter pcf-rds-subnet-group.
      • Description: Enter a description to identify this subnet group.
      • VPC ID: Select pcf-vpc.
      • Availability Zone and Subnet ID: Choose the AZ and subnet for pcf-rds-subnet-az0 and click Add.
    3. Repeat the steps above to add pcf-rds-subnet-az1 and pcf-rds-subnet-az2 to the group.
    4. Click Create.

    The following screenshot shows a completed subnet group.

    Note: On the Subnet Group page, you may need to refresh the page to view the new group.

Step 8: Create a MySQL Database Using AWS RDS

Note: You must have an empty MySQL database when you install or reinstall Pivotal Platform on AWS.

  1. Navigate to the RDS Dashboard.

  2. Click Instances>Launch DB Instance to launch the wizard.

  3. Select MySQL.

  4. Select the MySQL radio button under Production to create a database for production environments.

  5. Click Next Step.

  6. Specify the following database details:

    • DB Instance Class: Select db.m3.large - 2 vCPU, 7.5 GiB RAM.
    • Multi-AZ Deployment: Select Yes.
    • Storage Type: Select Provisioned IOPS (SSD).
    • Allocated Storage: Enter 100 GB.
    • DB Instance Identifier: Enter pcf-ops-manager-director.
    • Enter a secure Master Username and Master Password.

      Note: Record the username and password. You need these credentials later when configuring the Director Config page in the BOSH Director tile.

  7. Click Next Step.

  8. On the Configure Advanced Settings page, enter the following values:

    • VPC: Select pcf-vpc.
    • Subnet Group: Select the pcf-rds-subnet-group you created in Step 7: Create RDS Subnet Group.
    • Publicly Accessible: Select No.
    • VPC Security Groups: Select the pcf-rds-security-group that you created in Step 11: Configure a Security Group for MySQL in Preparing to Deploy Ops Manager on AWS Manually.
    • Database Name: Enter bosh.
    • Accept the default values for the remaining fields.

  9. Click Launch DB Instance. Launching the instance may take several minutes.
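
The following Python script is an added example and is not part of the Pivotal documentation. It turns the settings in this procedure that decide what is reachable from where into checks you can run after the console work is done: the Ops Manager VM from Step 1 (IAM role attached, pcf-ops-manager-security-group, Name tag, disk of at least 100 GiB), the NAT instance from Step 6 (no longer on the VPC default security group) and the RDS database from Step 8 (not publicly accessible, Multi-AZ, in pcf-rds-subnet-group, attached to the RDS security group, database named bosh). The records are constructed to resemble what EC2 DescribeInstances and RDS DescribeDBInstances return, with placeholder IDs; the root volume size is passed in separately because DescribeInstances does not report it.

```python
"""Post-deployment checks for the Ops Manager VM, the NAT instance and the
RDS database from Steps 1, 6 and 8.

Added example, not part of the Pivotal documentation. The sample records are
constructed to resemble EC2 DescribeInstances and RDS DescribeDBInstances
output; only the fields used here are included and the IDs are placeholders.
"""

OPS_MANAGER_SG = "pcf-ops-manager-security-group"
NAT_SG = "pcf-nat-security-group"
RDS_SUBNET_GROUP = "pcf-rds-subnet-group"
MIN_OPS_MANAGER_DISK_GIB = 100  # Step 13 of Step 1 recommends at least 100 GB


def audit_ops_manager_instance(inst, root_volume_size_gib):
    """Step 1: IAM role attached, correct security group, Name tag, disk >= 100 GiB.

    Returns a list of findings; an empty list means the instance is compliant.
    """
    findings = []
    if "IamInstanceProfile" not in inst:
        findings.append("no IAM instance profile attached")
    groups = {g["GroupName"] for g in inst.get("SecurityGroups", [])}
    if OPS_MANAGER_SG not in groups:
        findings.append(f"security group {OPS_MANAGER_SG} not attached")
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    if tags.get("Name") != "pcf-ops-manager":
        findings.append("Name tag is not pcf-ops-manager")
    if root_volume_size_gib < MIN_OPS_MANAGER_DISK_GIB:
        findings.append(f"root disk {root_volume_size_gib} GiB is below the recommended "
                        f"{MIN_OPS_MANAGER_DISK_GIB} GiB")
    return findings


def audit_nat_instance(inst):
    """Step 6: the NAT instance must use pcf-nat-security-group, not the VPC default group."""
    findings = []
    groups = {g["GroupName"] for g in inst.get("SecurityGroups", [])}
    if "default" in groups:
        findings.append("NAT instance still uses the VPC default security group")
    if NAT_SG not in groups:
        findings.append(f"security group {NAT_SG} not attached")
    return findings


def audit_rds_instance(db, rds_sg_id):
    """Step 8: not publicly reachable, Multi-AZ, in the RDS subnet group,
    attached to the RDS security group (RDS reports group IDs, so the expected
    ID is passed in), and the database is named bosh."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("database is publicly accessible")
    if not db.get("MultiAZ"):
        findings.append("Multi-AZ is not enabled")
    if db.get("DBSubnetGroup", {}).get("DBSubnetGroupName") != RDS_SUBNET_GROUP:
        findings.append(f"not in subnet group {RDS_SUBNET_GROUP}")
    sg_ids = {g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])}
    if rds_sg_id not in sg_ids:
        findings.append("pcf-rds-security-group is not attached")
    if db.get("DBName") != "bosh":
        findings.append("database name is not bosh")
    return findings


# Constructed sample records; IDs and the account number are placeholders.
SAMPLE_OPS_MANAGER = {
    "InstanceId": "i-OPSMAN-PLACEHOLDER",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::000000000000:instance-profile/pcf-user"},
    "SecurityGroups": [{"GroupName": OPS_MANAGER_SG, "GroupId": "sg-PLACEHOLDER-1"}],
    "Tags": [{"Key": "Name", "Value": "pcf-ops-manager"}],
}
SAMPLE_NAT_BEFORE_STEP_6 = {  # how the NAT instance looks before Step 6 is done
    "InstanceId": "i-NAT-PLACEHOLDER",
    "InstanceType": "t3.medium",
    "SecurityGroups": [{"GroupName": "default", "GroupId": "sg-PLACEHOLDER-2"}],
}
SAMPLE_RDS = {
    "DBInstanceIdentifier": "pcf-ops-manager-director",
    "DBName": "bosh",
    "MultiAZ": True,
    "PubliclyAccessible": True,  # deliberately wrong so the sample yields a finding
    "DBSubnetGroup": {"DBSubnetGroupName": RDS_SUBNET_GROUP},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-PLACEHOLDER-3", "Status": "active"}],
}


if __name__ == "__main__":
    print("ops manager:", audit_ops_manager_instance(SAMPLE_OPS_MANAGER, 50))
    print("nat:", audit_nat_instance(SAMPLE_NAT_BEFORE_STEP_6))
    print("rds:", audit_rds_instance(SAMPLE_RDS, "sg-PLACEHOLDER-3"))
```

Each function returns its findings rather than failing on the first one, so a single run reports everything that still differs from the procedure. Of the checks, the two to treat as blocking are a NAT instance left on the default group and an RDS instance that is publicly accessible, since both widen what can reach the deployment beyond what the security groups from the preparation topic were designed for.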

Next Steps

When the instance has launched, you can do either of the following: