You can install and configure the VMware Tanzu Platform for Cloud Foundry [Windows] tile.
The Tanzu Platform for Cloud Foundry [Windows] tile installs Windows Diego Cells in your Operations Manager deployment.
The Tanzu Platform for Cloud Foundry [Windows] tile inherits settings from the VMware Tanzu Platform for Cloud Foundry (Tanzu Platform for Cloud Foundry) tile and also includes additional configuration settings.
To install, configure, and deploy Tanzu Platform for Cloud Foundry [Windows]:
- In an environment with Internet access:
  - Complete the prerequisites. See Prerequisites.
  - Download and install the Tanzu Platform for Cloud Foundry [Windows] tile. See Install the tile.
  - Configure required settings for the tile. See Configure the tile.
  - Configure resources for the tile. See Configure tile resources.
  - Upload the Windows stemcell to the tile. See Upload the stemcell.
  - Deploy the tile. See Deploy the tile.
- In an air-gapped environment, follow the steps in Install and configure Tanzu Platform for Cloud Foundry [Windows] in an air-gapped environment.
Prerequisites
Before you install and configure the Tanzu Platform for Cloud Foundry [Windows] tile, you must meet the requirements for using the Windows FS Injector tool. For more information, see Windows FS Injector prerequisites.
Windows FS Injector prerequisites
Use the Windows FS Injector tool to install the Tanzu Platform for Cloud Foundry [Windows] tile. The Windows FS Injector tool requires:
- The git and tar executable files must be in your %PATH%. If git and tar are not in your %PATH%, either add your git and tar to the locations in your existing %PATH% configuration, or copy the git.exe and tar.exe executable files to a directory in your %PATH%.
- Your installation environment must allow the Windows FS Injector tool access to all of the following URLs:
  - https://support.broadcom.com/group/ecx/productdownloads?subfamily=Tanzu%20Platform%20for%20Cloud%20Foundry%20Windows to download the Windows FS Injector
  - https://github.com/pivotal-cf/winfs-injector
  - https://s3.amazonaws.com/
  - https://registry.hub.docker.com/
  - https://production.cloudflare.docker.com
  - https://go.microsoft.com/
  - https://winlayers.cdn.mscr.io
  - https://mcr.microsoft.com
  - https://msecnd.net, or any domain within the Microsoft Windows Azure Content Delivery Network. For more information about the Windows Azure Content Delivery Network, see the Microsoft documentation.
To ensure the authenticity of Microsoft container images, Microsoft does not permit the distribution of its base images. This includes Microsoft container images consumed through Docker Hub, which are delivered by a Microsoft CDN endpoint.
Installing the Tanzu Platform for Cloud Foundry [Windows] tile
To install the Tanzu Platform for Cloud Foundry [Windows] tile:
- Go to VMware Tanzu Platform for Cloud Foundry [Windows] on Broadcom Support.
- Download the VMware Tanzu Platform for Cloud Foundry [Windows] product file.
- Download the Windows FS Injector tool for your workstation OS. The Injector tool, winfs-injector, is an executable binary that adds the Windows Server container base image into the product file. This step requires Internet access and can take up to 20 minutes.
  Caution You need the git and tar executable files in your %PATH% to run winfs-injector.exe. For example, copy git.exe and tar.exe to a directory in your %PATH%.
- Add the Windows Server container base image to the product file:
  winfs-injector ^
  --input-tile TANZU-CF-WIN-DOWNLOAD-PATH ^
  --output-tile TANZU-CF-WIN-IMPORTABLE-PATH
  Where:
  - TANZU-CF-WIN-DOWNLOAD-PATH is the path and filename to the Tanzu Platform for Cloud Foundry [Windows] product file you downloaded.
  - TANZU-CF-WIN-IMPORTABLE-PATH is the output path for the importable product file.
  For example:
  C:\Users\admin> winfs-injector ^
  --input-tile c:\temp\pas-windows-2.9.0-build.1.pivotal ^
  --output-tile c:\temp\pas-windows-2.9.0-build.1-INJECTED.pivotal
  This step takes up to 20 minutes to complete.
  If you have the BOSH_ALL_PROXY environment variable set, this can cause the winfs-injector to fail, with an error similar to this:
  -- Failed downloading 'golang-1-windows/789a42163ee8b705cfcd8a62e590d5cbf01322c773497d6c53247cf6a4e39965' (sha1=sha256:55db4fe9804edfff5f01c5cee0d2541333a71f40c905135912c9c22783e038c1)
  If this happens, reset the BOSH_ALL_PROXY environment variable, and then try again.
- Go to the VMware Tanzu Operations Manager Installation Dashboard and click Import a Product.
- To add the Tanzu Platform for Cloud Foundry [Windows] tile to the Import a Product product list, select the importable TANZU-CF-WIN-IMPORTABLE-PATH file on your computer.
- To add the Tanzu Platform for Cloud Foundry [Windows] tile to your staging area, click + under the VMware Tanzu Platform for Cloud Foundry [Windows] product listing.
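The conditions that the prerequisites and the BOSH_ALL_PROXY note above describe can be checked before starting the injection step. The following Python script is an added example, not part of the product documentation or the winfs-injector project; its function names are hypothetical, and its host list is taken from the URLs in Windows FS Injector prerequisites (msecnd.net is left out because the page lists it as a domain family rather than a single host).

```python
"""Preflight checks to run before winfs-injector (added example)."""
import os
import shutil
import socket

REQUIRED_TOOLS = ("git", "tar")

# Hosts from the URL list in the prerequisites on this page.
REQUIRED_HOSTS = (
    "support.broadcom.com",
    "github.com",
    "s3.amazonaws.com",
    "registry.hub.docker.com",
    "production.cloudflare.docker.com",
    "go.microsoft.com",
    "winlayers.cdn.mscr.io",
    "mcr.microsoft.com",
)


def missing_tools(search_path=None):
    """Return the required tools that cannot be resolved on the search path.

    search_path=None means the current PATH. On Windows, shutil.which also
    applies PATHEXT, so git.exe and tar.exe are matched.
    """
    return [t for t in REQUIRED_TOOLS if shutil.which(t, path=search_path) is None]


def proxy_conflict(env=None):
    """Return the BOSH_ALL_PROXY value if it is set and non-empty, else None."""
    env = os.environ if env is None else env
    value = env.get("BOSH_ALL_PROXY", "").strip()
    return value or None


def unreachable_hosts(hosts=REQUIRED_HOSTS, port=443, timeout=5.0):
    """Return hosts that cannot be reached by a direct TCP connection.

    This tests direct egress only; it does not exercise an HTTP proxy.
    """
    failed = []
    for host in hosts:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            failed.append(host)
    return failed


def preflight(check_network=True):
    """Collect findings; an empty list means the workstation is ready."""
    findings = [f"{t} not found in PATH" for t in missing_tools()]
    if proxy_conflict():
        findings.append("BOSH_ALL_PROXY is set; reset it before running winfs-injector")
    if check_network:
        findings += [f"cannot reach {h}:443" for h in unreachable_hosts()]
    return findings


if __name__ == "__main__":
    problems = preflight()
    for p in problems:
        print("FAIL:", p)
    raise SystemExit(1 if problems else 0)
```

Run it in the same shell session that will run winfs-injector, so that it sees the same PATH and environment variables.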
Configuring the Tanzu Platform for Cloud Foundry [Windows] tile
The following sections describe how to configure the settings for the Tanzu Platform for Cloud Foundry [Windows] tile.
Assigning availability zones and networks
In Assign AZ and Networks, you assign jobs to your Availability Zones (AZs) and networks.
To configure AZs and networks:
- Click the Tanzu Platform for Cloud Foundry [Windows] tile.
- Click Assign AZs and Networks or Assign Networks. The name of the pane varies depending on your IaaS.
- Select the first AZ under Place singleton jobs. Tanzu Operations Manager runs any job with a single instance in this AZ.
- Select all AZs under Balance other jobs. Tanzu Operations Manager balances instances of jobs with more than one instance across the AZs that you specify.
  Important For production deployments, VMware recommends at least three AZs for a highly available installation.
- From the Network drop-down menu, choose the runtime network that you created when you configured the BOSH Director tile.
- Click Save.
Configuring VMs
In VM Options, you configure settings for accessing your VMs.
To configure VM access:
- Click VM Options.
- In Administrator passwords, select one of the following:
  - To randomize the admin password, select Use randomized password. If you select this option, the admin password is not retrievable by an operator. This is the default selection.
  - To set the same admin password for every Windows Diego Cell, select Configure a password and enter a password in the Password check box. If you select this option, this is the password for all VMs that are used to access any Windows Diego Cell.
- (Optional) To start the Microsoft beta port of the OpenSSH daemon on port 22 for all VMs, select the Access VMs with BOSH SSH (beta) check box. If you select this option, it allows users to SSH into Windows VMs with the bosh ssh command and enter a CMD terminal as an admin user.
- (Optional) To configure a Key Management Service (KMS) that your volume-licensed Windows Diego Cell can register with:
  - Under KMS, select Use.
  - In Hostname, enter the host name for your KMS server.
  - In Port, enter the port number of your KMS server. The default port number is 1688.
- Click Save.
Configuring smoke tests
In Smoke Tests, you specify the org and space where smoke tests are run.
In the org and space that you specify, the Smoke Test errand pushes an app to the org. The app runs basic function tests against your Tanzu Platform for Cloud Foundry [Windows] deployment after an installation or update.
The Smoke Test errand is turned on by default. You can turn off the Smoke Test errand in the Errands pane. For more information about settings for errands, see Configure errands.
For help configuring the smoke tests, see Configure smoke tests in Installing and configuring Tanzu Platform for Cloud Foundry Windows in the VMware documentation.
To configure smoke tests:
- Click Smoke Tests.
- If you have a shared apps domain, select A temporary space within the system org. This creates a temporary space in the system org for running smoke tests and deletes the space afterwards. Otherwise, select Smoke test location and specify the domain, org, and space. To configure where Tanzu Platform for Cloud Foundry [Windows] pushes an app to run smoke tests:
  - In Org, enter the org that Tanzu Platform for Cloud Foundry [Windows] can use when pushing an app to run smoke tests.
  - In Space, enter the space that Tanzu Platform for Cloud Foundry [Windows] can use when pushing an app to run smoke tests.
  - In Apps Domain, enter the domain that Tanzu Platform for Cloud Foundry [Windows] can use when pushing an app to run smoke tests.
Configuring Advanced Features
The Advanced Features screen includes new capability that might have certain constraints. Although these features are fully supported, VMware recommends caution when using them in production environments.
For help filling in these text boxes, see Advanced Features.
The following sections describe how to configure the Advanced Features.
Diego Cell memory and disk overcommit
Use the overcommit settings if your apps do not use the full allocation of disk space and memory set in Resource Config. These settings control the amount to overcommit disk and memory resources to each host VM.
For example, you can use the overcommit if your apps use a small amount of disk and memory capacity compared to the amounts set in the Resource Config settings for Windows Diego Cell.
Because of the risk of app failure and the deployment specific nature of disk and memory use, VMware has no recommendation for how much, if any, memory or disk space to overcommit.
To enable overcommit:
- Click Advanced Features.
- In the Diego Cell memory capacity text box, enter the value in MB for the total amount of memory to allocate to each Diego Cell. See the Diego Cell row in Resource Config for the current Diego Cell memory capacity settings that this setting overrides.
- In the Diego Cell disk capacity text box, enter the value in MB for the total amount of disk to allocate to each Diego Cell. See the Diego Cell row in Resource Config for the current Diego Cell disk capacity settings that this setting overrides.
- Click Save. Entries made to each of these text boxes set the total amount of resources allocated, not the overage.
Gorouter app identity verification (beta)
You can choose the method the Gorouter uses to verify app identity. Verifying app identity using TLS or mutual TLS (mTLS) activates encryption between the Gorouter and application containers, and guards against misrouting during control plane failures. This feature is deactivated by default.
For more information about Gorouter route consistency modes, see Preventing misrouting in HTTP Routing.
To configure app identity verification:
- Select Advanced Features.
- Under Gorouter and TCP Router app identity verification, select one of the following options:
  - Gorouter + TCP Router use TLS to verify app identity: Activates the Gorouter and TCP Router to verify app identity using TLS. This is the default option.
  - Gorouter and TCP Router use mutual TLS with apps to verify each other’s identity: Activates the Gorouter/TCP Router and your apps to verify each other’s identity using TLS. Before you turn on this option, consider:
    - If you activate mTLS in the Tanzu Platform for Cloud Foundry [Windows] tile, you must also activate Enable TLS for TCP Routes in the Networking pane of the Tanzu Platform for Cloud Foundry tile.
    - If you activate mTLS in the Tanzu Platform for Cloud Foundry [Windows] tile, you must also activate mTLS in the App Containers pane of the Tanzu Platform for Cloud Foundry tile.
    - You need v2.3 or later of both Tanzu Platform for Cloud Foundry and Isolation Segment. The Gorouter and Diego Cell components in Pivotal Cloud Foundry v2.2 and earlier do not support mTLS handshakes.
  - Disallow app identity verification and mutual TLS: Deactivates app identity verification and mutual TLS.
- Click Save.
Custom Windows Diego Cell overlay subnet
The IP range for the overlay network of your Windows Diego Cell. The default range is 172.30.0.0/22.
IP address space for container networking. If this conflicts with any internal IP addresses that your organization uses, you can customize this subnet. Unlike in Tanzu Platform for Cloud Foundry [Windows] deployments using Linux Diego Cells, you configure this subnet per Diego Cell. When you configure a custom subnet for a Windows Diego Cell, ensure that:
- The CIDR range of your custom subnet does not conflict with any resources that your apps might need to use.
- The subnet is large enough to accommodate the number of apps you expect to have running on each Diego Cell.
To configure a custom Windows Diego Cell overlay subnet:
- In the Tanzu Platform for Cloud Foundry [Windows] tile, click Advanced Features.
- For Diego Cell overlay subnet, enter the subnet you want to configure for your Diego Cell.
  Caution Setting the subnet too small limits the number of containers that can run on each Windows Diego Cell.
- Click Save.
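One way to check a candidate overlay subnet against both conditions above before entering it, as an added Python example that is not part of the product or its documentation. The reserved ranges are constructed sample values, the function names are hypothetical, and treating three addresses per subnet (network, broadcast, and one gateway) as unavailable to containers is an assumption.

```python
"""Check a candidate Windows Diego Cell overlay subnet (added example)."""
import ipaddress

DEFAULT_OVERLAY = "172.30.0.0/22"  # default range stated on this page

# Constructed sample data: address ranges already in use in the organization.
SAMPLE_RESERVED = {
    "corp-lan": "10.0.0.0/8",
    "runtime-network": "172.30.2.0/24",
    "services": "192.168.16.0/20",
}

# Assumption: network, broadcast and one gateway address are not usable
# by containers. Adjust if your environment reserves more.
RESERVED_ADDRS = 3


def check_overlay(candidate, reserved_ranges, containers_per_cell):
    """Return (conflicts, capacity, ok) for a per-cell overlay subnet.

    conflicts: names of reserved ranges that overlap the candidate.
    capacity:  addresses left for containers on one Diego Cell.
    ok:        True only if there is no conflict and capacity suffices.
    Raises ValueError if the candidate has host bits set (172.30.0.1/22).
    """
    net = ipaddress.ip_network(candidate, strict=True)
    conflicts = []
    for name, cidr in reserved_ranges.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if net.version == other.version and net.overlaps(other):
            conflicts.append(name)
    capacity = max(net.num_addresses - RESERVED_ADDRS, 0)
    ok = not conflicts and capacity >= containers_per_cell
    return sorted(conflicts), capacity, ok


def smallest_prefix(containers_per_cell):
    """Return the longest IPv4 prefix length that still fits the containers."""
    needed = containers_per_cell + RESERVED_ADDRS
    host_bits = (needed - 1).bit_length()
    return 32 - host_bits


if __name__ == "__main__":
    for subnet in (DEFAULT_OVERLAY, "172.31.8.0/24", "172.31.8.0/23"):
        conflicts, capacity, ok = check_overlay(subnet, SAMPLE_RESERVED, 300)
        status = "OK" if ok else "REJECT"
        print(f"{subnet}: {status} capacity={capacity} conflicts={conflicts}")
    print("smallest prefix for 300 containers: /%d" % smallest_prefix(300))
```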
Configuring errands
Errands are scripts that Tanzu Operations Manager runs when it installs or uninstalls a product, for example, a new version of Tanzu Platform for Cloud Foundry [Windows]. There are two types of errands: post-deploy errands run after the product is installed, and pre-delete errands run before the product is uninstalled.
By default, Tanzu Operations Manager runs all errands.
In Errands, you can change these run rules. For each errand, click On to run it each time Tanzu Operations Manager installs or uninstalls a product, or Off to never run it.
For more information about how Tanzu Operations Manager manages errands, see Managing errands in Tanzu Operations Manager.
To configure errands:
- Click Errands.
- To receive the most up-to-date HWC buildpack, set the Install HWC Buildpack Errand to On.
- To ensure that a smoke test is run against your Tanzu Platform for Cloud Foundry [Windows] installation, set the Smoke Test Errand to On.
- Click Save.
This beta feature verifies only that the client certificate is signed by the expected CA using mTLS. It does not include SAN (Subject Alternative Name) verification of the presented client certificates.
Configuring isolation segments (optional)
To deploy your Tanzu Platform for Cloud Foundry [Windows] app workloads to an isolation segment, click App Containers and follow the procedure in Assign a tile to an isolation segment in Windows Diego Cells in isolation segments.
Configure Windows authentication (optional)
To configure Windows Diego Cells to allow application containers to perform Windows authentication, click Windows Authentication and follow the procedure in Configuring the tile for Windows authentication in Windows authentication for .Net apps.
Use an isolation segment for Windows Authentication, so that all apps in the Tanzu Platform for Cloud Foundry [Windows] installation have access to the GMSA credentials.
Configuring system logging (optional)
Click System Logging:
- (Optional) To configure Windows Diego Cells to send VM logs to an external syslog server, follow the procedure in Forwarding logs to a syslog server in Troubleshooting Windows Diego Cells.
- (Optional) For OpenTelemetry Collector Configuration, the default value is empty, which deactivates the OpenTelemetry Collector. To configure Tanzu Platform for Cloud Foundry to send metrics over the OpenTelemetry protocol, enter valid OpenTelemetry Collector YAML configuration in this text box. See Configuring the OpenTelemetry Collector for examples of how to configure OpenTelemetry Collector. Currently Tanzu Platform for Cloud Foundry supports a limited number of OpenTelemetry Collector Exporters and Processors. To use non-GA exporters and processors from the available options, you must enable experimental features by selecting the experimental OpenTelemetry Collector features checkbox.
Note Windows stemcells in the v2019.x line support ephemeral disks.
Configuring DNS search domains (optional)
To configure DNS search domains for your application containers:
- Click the VMware Tanzu Platform for Cloud Foundry tile in the Installation dashboard.
- Click Networking to open the Networking pane.
- In the DNS search domains text box, enter DNS search domains as a comma-separated list.
- Click Save.
Configuring tile resources
In Resource Config, you must associate load balancers with the VMs in your deployment to enable traffic.
To configure your tile resources:
- Click Resource Config.
- Use the drop-down menus to configure the Windows Diego Cell. The table shows the recommended Windows Diego Cell disk size for your IaaS:
  IaaS      Recommended Windows Diego Cell Disk Size
  AWS       100 GB
  Azure     150 GB
  GCP       150 GB
  vSphere   100 GB
  Note Windows stemcells in the v2019.x line support ephemeral disks.
- Provision your Master Compilation Job with at least 100 GB of disk space.
- Click Save.
Uploading the stemcell
After you configure resources for the Tanzu Platform for Cloud Foundry [Windows] tile, you must upload the Windows stemcell to the tile.
To upload the stemcell:
- In the Tanzu Platform for Cloud Foundry [Windows] tile, click Stemcell Library.
- Retrieve the stemcell that you downloaded or created in Downloading or creating a Windows stemcell.
- Follow the procedure in Importing and managing stemcells to upload the Windows stemcell to Tanzu Platform for Cloud Foundry [Windows].
Important
If you use vSphere, you must create your own stemcell.
The default root disk size of Windows stemcells v2019.x line is 30 GB.
VMware recommends setting the root disk size of your Windows stemcell for vSphere to 30 GB.
For more information, see Creating a Windows stemcell for vSphere using stembuild.
Deploying the tile
After uploading the Windows stemcell to the Tanzu Platform for Cloud Foundry [Windows] tile, you are ready to deploy the tile.
To deploy the Tanzu Platform for Cloud Foundry [Windows] tile:
- Go to the Tanzu Operations Manager Installation Dashboard.
- Click Review Pending Changes.
- Click the Tanzu Platform for Cloud Foundry [Windows] tile and review the changes. For more information, see Reviewing pending product changes.
- Click Apply Changes.
Creating more tiles (optional)
To run Windows Diego Cells in multiple isolation segments, you must create and configure additional Tanzu Platform for Cloud Foundry [Windows] tiles. For more information, see Windows Diego Cells in isolation segments.
Install and configure Tanzu Platform for Cloud Foundry [Windows] in an air-gapped environment
To install, configure, and deploy Tanzu Platform for Cloud Foundry [Windows] in an air-gapped environment:
- Follow the steps in Prepare a Windows rootfs image in a private registry.
- Follow the steps in Install the tile with the following exceptions:
  - To add the Windows Server container base image to the product file, replace the Internet-enabled winfs-injector command line earlier in this procedure with the winfs-injector procedure in Add the Windows Server container base image to the product file.
- Configure required settings for the tile. See Configure the tile.
- Configure resources for the tile. See Configure tile resources.
- Upload the Windows stemcell to the tile. See Upload the stemcell.
- Deploy the tile. See Deploy the tile.
Preparing a Windows rootfs image in a private registry
To create a Tanzu Platform for Cloud Foundry [Windows] tile, a Windows file system container image is typically fetched from a Docker registry. An administrator can fetch the Windows file system image from either cloudfoundry/windows2016fs, the publicly hosted Docker Hub repository, or a privately hosted container image registry.
To prepare a windows file system container image in a private registry:
- Create an accessible Windows Server 2019 machine in your environment.
- Install Docker on this Windows Server 2019 machine.
- Configure this Windows machine’s Docker daemon to allow non-redistributable artifacts to be pushed to your private registry. For information about configuring your Docker daemon, see the Docker documentation.
- Open a command line on the Windows machine.
- To download the windows file system container image, run:
  docker pull cloudfoundry/windows2016fs:2019
- To tag the Windows container image, run:
  docker tag cloudfoundry/windows2016fs:2019 REGISTRY-ROOT/cloudfoundry/windows2016fs:2019
  Where REGISTRY-ROOT is your private registry’s URI.
- To upload the Windows Container image to your accessible private registry, run:
  docker push IMAGE-URI
  Where IMAGE-URI is the URI to the Windows rootfs image in your private registry. Your image URI follows the pattern: my.private.registry/cloudfoundry/windows2016fs:2019.
Add the Windows Server container base image to the product file
To add the Windows Server container base image to the product file in an air-gapped environment, run:
winfs-injector ^
--input-tile TANZU-CF-WIN-DOWNLOAD-PATH ^
--output-tile TANZU-CF-WIN-IMPORTABLE-PATH ^
--registry TANZU-CF-WIN-REGISTRY-URI
Where:
- TANZU-CF-WIN-DOWNLOAD-PATH is the path and filename to the TANZU-CF-WIN product file you downloaded.
- TANZU-CF-WIN-IMPORTABLE-PATH is the output path for the importable product file.
- TANZU-CF-WIN-REGISTRY-URI is the URI to the container image registry hosting your cloudfoundry/windows2016fs image.
For example:
C:\Users\admin> winfs-injector ^
--input-tile c:\temp\pas-windows-2.6.0-build.1.pivotal ^
--output-tile c:\temp\pas-windows-2.6.0-build.1-INJECTED.pivotal ^
--registry https://my.registry.com
For information about troubleshooting winfs-injector, see Missing local certificates for Windows FS Injector in Troubleshooting Windows Diego Cells.