Tanzu Platform for Cloud Foundry 4.0

10.0 6.0 4.0

Configuring load balancing for TAS for VMs

Last Updated March 13, 2025

You can configure load balancing for VMware Tanzu Application Service for VMs (TAS for VMs) by entering the names of your Load Balancers in the Resource Config pane of the TAS for VMs tile. This procedure varies by your IaaS and how you prepared (“paved”) it for installing TAS for VMs. See the following section that corresponds to your use case.

AWS

AWS with Terraform

To set up load balancing for TAS for VMs on AWS using Terraform:

  1. Create a file named vm_extensions_config.yml with the following content, depending on which release you are using:

    • VMware Tanzu Application Service for VMs (TAS for VMs):

      ---
product-name: cf
resource-config:
  diego_brain:
    elb_names:
    - alb:SSH_TARGET_GROUP_1
    - alb:SSH_TARGET_GROUP_2
    additional_vm_extensions:
    - ssh-lb-security-groups
  router:
    elb_names:
    - alb:WEB_TARGET_GROUPS_1
    - alb:WEB_TARGET_GROUPS_2
    additional_vm_extensions:
    - web-lb-security-groups
  tcp_router:
    elb_names:
    - alb:TCP_TARGET_GROUP_1
    - alb:TCP_TARGET_GROUP_2
    additional_vm_extensions:
    - tcp-lb-security-groups

    • Small Footprint TAS for VMs:

      ---
product-name: cf
resource-config:
  control:
    elb_names:
    - alb:SSH_TARGET_GROUP_1
    - alb:SSH_TARGET_GROUP_2
    additional_vm_extensions:
    - ssh-lb-security-groups
  router:
    elb_names:
    - alb:WEB_TARGET_GROUPS_1
    - alb:WEB_TARGET_GROUPS_2
    additional_vm_extensions:
    - web-lb-security-groups
  tcp_router:
    elb_names:
    - alb:TCP_TARGET_GROUP_1
    - alb:TCP_TARGET_GROUP_2
    additional_vm_extensions:
    - tcp-lb-security-groups

  2. Replace values in the file as follows:

    • SSH_TARGET_GROUP_X: Enter your SSH target groups. You can find these values by running:

      terraform output ssh_target_groups

    • WEB_TARGET_GROUPS_X: Enter your web target groups. You can find these values by running:

      terraform output web_target_groups

    • TCP_TARGET_GROUP_X: Enter your TCP target groups. You can find these values by running:

      terraform output tcp_target_groups

  3. Apply the VM extension configuration using the om CLI. For more information about om, see the Om repository on GitHub.

    om -k \
  -t "OPS-MANAGER-FQDN" \
  -u "USERNAME" \
  -p "PASSWORD" \
  configure-product \
  -c vm_extensions_config.yml

    Where:

    • OPS-MANAGER-FQDN is the URL at which you access your Tanzu Operations Manager instance. This corresponds to ops_manager_dns in the Terraform output.
    • USERNAME is the user name you entered when configuring internal authentication.
    • PASSWORD is the password you entered when configuring internal authentication. If you did not configure internal authentication, you must modify this command to use a client ID and secret instead of user name and password. For more information, see Authentication in the Om repository on GitHub.

AWS paved manually

To configure the Gorouter to use AWS Elastic Load Balancers:

  1. Record the names of your ELBs. If you followed the procedures in Preparing to deploy Tanzu Operations Manager on AWS, you created:

  2. -ssh-elb: An SSH load balancer. This is a Classic Load Balancer.

  3. -tcp-elb: A TCP load balancer. This is a Classic Load Balancer.

  4. -web-elb: A web load balancer. This is an Application Load Balancer.

    • -web-elb-target-group: A target group for the web load balancer.

  5. In the TAS for VMs tile, select Resource Config.

  6. Enter the name of your SSH load balancer.

    1. Show the Load Balancers field underneath the job that handles SSH requests. This depends on the TAS for VMs release you are using:
      • TAS for VMs: Click the icon next to the Diego Brain job name to expand the row.
      • Small Footprint TAS for VMs: Click the icon next to the Control job name to expand the row.
    2. In the Load Balancers field, enter the name of your SSH load balancer: -ssh-elb.

  7. Click to expand the Router row, and fill in the Load Balancers field with a value determined by the type of load balancer you are using:

    • Application Load Balancer: Enter a comma-separated list of the names of the target group of your web load balancer, prefixed with alb:: alb:-web-elb-target-group. The prefix indicates to Tanzu Operations Manager that you entered the name of a target group. The prefix is required for AWS Application Load Balancers and Network Load Balancers.
    • Classic Load Balancer: Enter the name of the load balancer: -web-elb.

  8. If you enabled TCP routing, expand the TCP Router row and enter the name of your TCP load balancer: -tcp-elb.

Azure

Azure with Terraform

To configure the Gorouter to use Azure Load Balancers:

  1. Select Resource Config.

  2. Ensure a Standard VM type is selected for the Router VM. The TAS for VMs deployment fails if you select a Basic VM type.

  3. Click the icon next to the Router job name to expand the row, showing a Load Balancers field and INTERNET CONNECTED check box underneath.

  4. Enter the value of web_lb_name from your Terraform output in the Resource Config pane under Load Balancers for the Router job.

  5. Click to expand the row for the job that handles SSH requests. This depends on the TAS for VMs release you are using:

    • TAS for VMs: Click the icon next to Diego Brain.
    • Small Footprint TAS for VMs: Click the icon next to Control.

  6. For the SSH load balancer, enter the value of diego_ssh_lb_name from your Terraform output.

  7. Ensure that the INTERNET CONNECTED check boxes are deselected for all jobs.

  8. Scale the number of instances as appropriate for your deployment.

    Note For a high availability deployment of Tanzu Operations Manager on Azure, VMware recommends scaling the number of each TAS for VMs job to a minimum of three instances. Using three or more instances for each job creates a sufficient number of availability sets and fault domains for your deployment. For more information, see Azure reference architecture

Azure paved manually

To configure the Gorouter to use Azure Load Balancers:

  1. Select Resource Config.

  2. Ensure a Standard VM type is selected for the Router VM. The TAS for VMs deployment fails if you select a Basic VM type.

  3. Retrieve the names of your external Azure Load Balancer (ALB) by navigating to the Azure portal, clicking All resources, and locating your Load balancer resource.

    ImportantThe Azure portal sometimes displays the names of resources with incorrect capitalization. Always use the Azure CLI to retrieve the correctly capitalized name of a resource. To see the list of resources, run az network lb list.

  4. In the Resource Config pane of the TAS for VMs tile, click the icon next to the Router job name to expand the row, showing a Load Balancers field and INTERNET CONNECTED check box underneath.

  5. Enter the name of your external ALB in the field under Load Balancers. If you have multiple external ALBs this field accepts a comma-separated list.

  6. Retrieve the name of your Diego SSH Load Balancer by navigating to the Azure portal, clicking All resources, and locating your Load balancer resource.

  7. In the Resource Config pane of the TAS for VMs tile, expand the row for the job that handles SSH requests. This depends on the TAS for VMs release you are using:

    • TAS for VMs: Click the icon next to Diego Brain.
    • Small Footprint TAS for VMs: Click the icon next to Control.

  8. Enter the name of the Diego SSH Load Balancer in the field under Load Balancers.

  9. Ensure that the INTERNET CONNECTED check boxes are deselected for all jobs.

  10. Scale the number of instances as appropriate for your deployment.

Note For a high availability deployment of Tanzu Operations Manager on Azure, VMware recommends scaling the number of each TAS for VMs job to a minimum of three instances. Using three or more instances for each job creates a sufficient number of availability sets and fault domains for your deployment. For more information, see Azure reference architecture.

GCP with Terraform

To configure the Gorouter to use GCP Load Balancers:

  1. Select Resource Config.

  2. Click the icon next to the Router job name to expand the row, showing a Load Balancers field and INTERNET CONNECTED check box underneath.

  3. In the Load Balancers field, enter a comma-separated list consisting of the values of ws_router_pool and http_lb_backend_name from your Terraform output. For example, tcp:-cf-ws,http:-httpslb. These are the names of the TCP WebSockets and HTTP(S) Load Balancers for your deployment.

    ImportantDo not add a space between key and value pairs in the LOAD BALANCER field, or it fails.

  4. If you activated TCP routing in the Networking pane of the TAS for VMs tile, add the value of tcp_router_pool from your Terraform output, prepended with tcp:, to the Load Balancers column of the TCP Router row. For example, tcp:-cf-tcp.

  5. Expand the row for the job that handles SSH requests. This depends on the TAS for VMs release you are using:

    • TAS for VMs: Click the icon next to Diego Brain.
    • Small Footprint TAS for VMs: Click the icon next to Control.

  6. Under Load Balancers for the SSH job, enter the value of ssh_router_pool from your Terraform output, prepended with tcp:. For example, tcp:PCF-ssh-proxy.

  7. Verify that the Internet Connected check box for every job is enabled. The Terraform templates do not provision a Network Address Translation (NAT) box for Internet connectivity to your VMs, so they are provided with ephemeral public IP addresses to allow the jobs to reach the Internet.

    NoteIf you want to provision a Network Address Translation (NAT) box to provide Internet connectivity to your VMs instead of providing them with public IP addresses, deactivate the Internet Connected check boxes. For more information about using NAT in GCP, see VPC network overview in the GCP documentation.

  8. Click Save.

GCP paved manually

To configure the Gorouter to use GCP Load Balancers:

  1. Navigate to the GCP Console and select Load balancing.

    You can see the SSH load balancer, the HTTP(S) load balancer, the TCP WebSockets load balancer, and the TCP router that you created in Preparing to Deploy Tanzu Operations Manager on GCP.

  2. Record the name of your SSH load balancer and your TCP WebSockets load balancer, PCF-wss-logs and PCF-ssh-proxy.

  3. Click your HTTP(S) load balancer, PCF-global-.

    The Load balancer details are displayed for the pcf-router and load balancer.

  4. Under Backend services, record the name of the back end service of the HTTP(S) load balancer, PCF-http-lb-backend.

  5. In the TAS for VMs tile, select Resource Config.

  6. Click the icon next to the Router job name to expand the row, showing a Load Balancers field and INTERNET CONNECTED check box underneath.

  7. In the LOAD BALANCERS field, enter a comma-separated list consisting of the name of your TCP WebSockets load balancer and the name of your HTTP(S) load balancer back end with the protocol prepended. For example, tcp:PCF-wss-logs,http:PCF-http-lb-backend.

  8. In the Load Balancers field, enter consisting of the name of your TCP WebSockets load balancer and the name of your HTTP(S) load balancer back end with the protocol prepended. For example, tcp:PCF-wss-logs,http:PCF-http-lb-backend.

    ImportantDo not add a space between key and value pairs in the LOAD BALANCER field, or it fails.

  9. If you activated TCP routing in the Networking pane of the TAS for VMs tile and set up the TCP load balancer in GCP, add the name of your TCP load balancer, prepended with tcp:, to the Load Balancers column of the TCP Router row. For example, tcp:-tcp-router.

  10. Expand the row for the job that handles SSH requests. This depends on the TAS for VMs release you are using:

    • TAS for VMs: Click the icon next to Diego Brain.
    • Small Footprint TAS for VMs: Click the icon next to Control.

  11. Under Load Balancers for the SSH job, enter the value of ssh_router_pool from your Terraform output, prepended with tcp:. For example, tcp:PCF-ssh-proxy.

  12. Verify that the Internet Connected check box for every job is disabled. When preparing your GCP environment, you provisioned a Network Address Translation (NAT) box to provide Internet connectivity to your VMs instead of providing them with public IP addresses to allow the jobs to reach the Internet.

    Note If you want to provision a Network Address Translation (NAT) box to provide Internet connectivity to your VMs instead of providing them with public IP addresses, disable the Internet Connected check boxes. For more information about using NAT in GCP, see VPC network overview in the GCP documentation.

  13. Click Save.

vSphere with NSX-T or NSX-V

In the Resource Config pane of the TAS for VMs tile, you configure vSphere NSX-T or NSX-V load balancing and security group membership for TAS for VMs jobs.

To configure load balancing and security group membership for TAS for VMs jobs:

  1. Select Resource Config.

  2. For each TAS for VMs job that you want to load-balance, click the down-arrow to reveal its configuration fields. The external-facing job instance groups in TAS for VMs are:

    • Diego Brain in TAS for VMs, or Control in Small Footprint TAS for VMs, for SSH traffic
    • Router for web traffic
    • TCP Router for TCP traffic

  3. Enter a load balancer configuration for each job:

    • NSX-T:
      1. In the vSphere NSX Manager > Advanced Networks & Security > Groups pane, define an NSGroup to include VMs running each load-balanced job, such as pas-ssh-group, pas-tcp-group, and pas-web-group.
      2. In the NS Groups field in Resource Config, enter a comma-separated list of the NSGroups you defined.
      3. In the Logical Load Balancer: Enter a JSON-formatted structure defining a list of server_pools as pairs of name and port definitions.
    • NSX-V:
      1. Security Groups: Enter a comma-separated list of Security Groups defined in NSX-V to include each load-balanced job, such as pas-ssh-group, pas-tcp-group, and pas-web-group.
      2. Edge Load Balancers: Enter a JSON-formatted structure listing edge load balancers, each defined by edge_name, pool_name, security_group, port, and monitor_port definitions.

  4. Click Save.