forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azure-er-config.html.md.erb
288 lines (182 loc) · 16.5 KB
/
azure-er-config.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
---
title: Deploying Elastic Runtime on Azure
owner: Ops Manager
---
<strong><%= modified_date %></strong>
<html class="list-style-none"></html>
This topic describes how to install and configure Elastic Runtime on Azure.
Before you perform the procedures in this topic, you must have completed the procedures in the [Preparing to Deploy PCF on Azure](azure-prepare-env.html) topic, either the [Launching an Ops Manager Director Instance with an ARM Template](azure-arm-template.html) topic or the [Launching an Ops Manager Director Instance on Azure without an ARM Template](azure-om-deploy.html) topic, and the [Configuring Ops Manager Director on Azure](azure-om-config.html) topic.
<p class="note"><strong>Note</strong>: If you plan to <a href="http://docs.pivotal.io/addon-ipsec/installing.html">install the PCF IPsec add-on</a>, you must do so before installing any other tiles. Pivotal recommends installing IPsec immediately after Ops Manager, and before installing the Elastic Runtime tile.</p>
<p class="note"><strong>Note</strong>: The Azure portal sometimes displays the names of resources with incorrect capitalization. Always use the Azure CLI to retrieve the correctly capitalized name of a resource.</p>
## <a id='add-er'></a>Step 1: Add Elastic Runtime to Ops Manager ##
1. If you have not already downloaded Elastic Runtime, log in to [Pivotal Network](https://network.pivotal.io/products/pivotal-cf), and click on **Pivotal Cloud Foundry Elastic Runtime**.
1. From the **Releases** drop-down, select the release to install and choose one of the following:
1. Click **PCF Elastic Runtime** to download the Elastic Runtime `.pivotal` file
1. Click **PCF Small Footprint Runtime** to download the Small Footprint Runtime `.pivotal` file. For more information, see [Getting Started with Small Footprint Runtime](./small-footprint.html).
1. Navigate to the Ops Manager Installation Dashboard.
1. Click **Import a Product** and select the downloaded `.pivotal` file. For more information, refer to the [Adding and Deleting Products](./add-delete.html) topic.
1. Click the plus button next to the imported tile to add it to the Installation Dashboard.
<%= image_tag("azure/add-ert.png") %>
1. Click the **Elastic Runtime** tile in the Installation Dashboard.
<%= image_tag("images/er-tile.png") %>
## <a id='assign-networks'></a>Step 2: Assign Networks ##
1. Select **Assign Networks**.
1. From the **Network** dropdown menu, select the network on which you want to run Elastic Runtime.
<%= image_tag("azure/assign-networks.png") %>
1. Click **Save**.
## <a id='domains'></a>Step 3: Configure Domains ##
1. Select **Domains**.
<%= image_tag("domains.png") %>
1. Enter the system and application domains.
* The **System Domain** defines your target when you push apps to Elastic
Runtime. For example, `system.example.com`.
* The **Apps Domain** defines where Elastic Runtime should serve your apps. For example, `apps.example.com`.
<p class="note"><strong>Note</strong>: Pivotal recommends that you use the same domain name but different subdomain names for your system and app domains. Doing so allows you to use a single wildcard certificate for the domain while preventing apps from creating routes that overlap with system routes.</p>
1. Navigate to your DNS provider to create A records that point from your wildcard system and apps domains to the public IP address of your load balancer. For example, if the IP address of your load balancer is <%= vars.example_ip_2 %>, then create an A record that points `*.system.example.com` to that address and another A record that points `*.apps.example.com` to that address.
<p class="note"><strong>Note</strong>: To retrieve the IP address of your load balancer, navigate to the Azure portal, click **All resources**, and click the **Public IP address** resource that ends with `pcf-lb-ip`.</pre>
1. Click **Save**.
## <a id='networking'></a>Step 4: Configure Networking ##
1. Select **Networking**.
1. Leave the **Router IPs**, **SSH Proxy IPs**, **HAProxy IPs**, and **TCP Router IPs** fields blank. You do not need to complete these fields when deploying PCF to Azure.
<p class="note"><strong>Note</strong>: You specify load balancers in the **Resource Config** section of Elastic Runtime later on in the installation process. See the <a href="#resources">Configuring Resources</a> section.</p>
1. <%= partial 'haproxy_router_cert_config' %>
1. <%= partial 'min_tls_version' %>
1. <%= partial 'tls_cipher_suites_router' %>
1. <%= partial 'tls_cipher_suites_haproxy' %>
1. <%= partial 'haproxy_router_tls_forward' %>
1. <%= partial 'ssl_verification' %>
1. <%= partial 'http_disable' %>
1. <%= partial 'insecure_cookies' %>
1. <%= partial 'zipkin_enable' %>
1. By default, the Elastic Runtime routers handle traffic for applications deployed to an isolation segment created by the PCF Isolation Segment tile. To configure the Elastic Runtime routers to reject requests for applications within isolation segments, select the **Routers reject requests for Isolation Segments** checkbox.
<%= image_tag 'isolate-network.png' %>
Do not enable this option without deploying routers for each isolation segment. See the following topics for more information:
* [Installing PCF Isolation Segment](../customizing/installing-pcf-is.html)
* [Sharding Routers for Isolation Segments](../adminguide/routing-is.html#sharding-routers-isolation-segment)
1. <%= partial 'xforwarded_client_cert_xfcc' %>
1. <%= partial 'route_services' %>
1. <%= partial 'max_connections_backend' %>
1. Enter a value for **Router Max Idle Keepalive Connections**. See [Considerations for Configuring max\_idle\_connections](../adminguide/routing-keepalive.html#considerations).
<%= image_tag 'images/keepalive.png' %>
1. (Optional) Increase the number of seconds in the **Router Timeout to Backends** field to accommodate larger uploads over connections with high latency. Set this value to less than or equal to the idle timeout value of the Azure load balancer, which defaults to 4 minutes.
<p class="note"><strong>Note</strong>: If the router timeout value exceeds the Azure LB timeout, you may experience intermittent TCP resets. For more information about configuring Azure load balancer idle timeout, see the <a href="https://azure.microsoft.com/en-us/documentation/articles/load-balancer-tcp-idle-timeout/">Azure documentation</a>.</p>
1. <%= partial 'frontend_idle_timeout' %>
1. <%= partial 'lb_unhealthy_threshold' %>
1. <%= partial 'lb_healthy_threshold' %>
<%= image_tag 'images/router_lb_thresholds.png' %>
1. <%= partial 'http_headers_to_log' %>
![Http Headers to Log](images/headers_to_log.png)
1. <%= partial 'haproxy_request_max_buffer' %>
1. <%= partial 'protected_domains' %>
1. <%= partial 'app_mtu' %>
1. The **Loggregator Port** defaults to `443` if left blank. Leave this field blank.
1. <%= partial 'c2c-overlay' %>
1. <%= partial 'c2c-vxlan' %>
1. <%= partial 'log-app-traffic-enable' %>
<%= image_tag 'images/log-app-traffic-enable.png' %>
1. <%= partial 'tcp_routing_enable' %>
1. For Azure, you also need to specify the name of Azure load balancer in the LOAD BALANCER column of TCP Router job of the <b>Resource Config</b> screen. You configure this later on in Elastic Runtime. See <a href="#resources">Configuring Resources</a>.</p>
1. <%= partial 'tcp_routing_disable' %>
1. Click **Save**.
## <a id='containers'></a>Step 5: Configure Application Containers ##
<%= partial 'application_container_config' %>
## <a id='er-appdevctrl-config'></a>Step 6: Configure Application Developer Controls ##
<%= partial 'application_developer_controls' %>
## <a id='app-security'></a>Step 7: Review Application Security Group ##
<%= partial 'application_security_group' %>
## <a id='uaa'></a>Step 8: Configure UAA ##
<%= partial 'uaa' %>
## <a id='er-auth-config'></a>Step 9: Configure Authentication and Enterprise SSO ##
<%= partial 'authsso_config' %>
## <a id='er-db-config'></a>Step 10: Configure System Databases ##
You can configure Elastic Runtime to use the internal MySQL database provided with PCF, or you can configure an external database provider for the databases required by Elastic Runtime.
<p class="note"><strong>Note</strong>: If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data first before changing the configuration. Contact Pivotal Support for help. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information.</p>
###<a id='internal-db'></a> Internal Database Configuration
<%= partial 'ert_database_internal' %>
Then proceed to [Step 11: (Optional) Configure Internal MySQL](#internal-mysql) to configure high availability and automatic backups for your internal MySQL databases.
###<a id='create-dbs'></a> External Database Configuration
<%= partial 'ert_database_external' %>
## <a id='internal-mysql'></a> Step 11: (Optional) Configure Internal MySQL ##
<%= partial 'mysql_proxy_config' %>
## <a id='filestore-config'></a>Step 12: Configure File Storage ##
<%= partial 'filestore_config' %>
For production-level PCF deployments on Azure, the recommended selection is Azure Storage. For more information about production-level PCF deployments on Azure, see the [Reference Architecture for Pivotal Cloud Foundry on Azure](../refarch/azure/azure_ref_arch.html).
For more factors to consider when selecting file storage, see <a href="../opsguide/storage_considerations.html">Considerations for Selecting File Storage in Pivotal Cloud Foundry</a>.
### <a id='internal_filestore'></a> Internal Filestore
<%= partial 'filestore_internal' %>
### <a id='external_azure'></a> External Azure Storage
<%= partial 'filestore_azure_config' %>
### <a id='other'></a> Other IaaS Storage Options
[Google Cloud Storage](./gcp-er-config.html#external_gcp) and [External S3-Compatible File Storage](./pcf-aws-manual-er-config.html#external_s3) are also available as file storage options but are not recommended for typical PCF on Azure installations.
## <a id='external-endpoints'></a>Step 13: (Optional) Configure System Logging ##
If you are forwarding logging messages to an external Reliable Event Logging Protocol (RELP) server, complete the following steps:
1. Select the **System Logging** section that is located within your Pivotal Elastic Runtime **Settings** tab.
<%= image_tag("updated-system-logging.png") %>
1. Enter the IP address of your syslog server in **Address**.
1. Enter the port of your syslog server in **Port**. The default port for a syslog server is `514`.
<p class="note"><strong>Note</strong>: The host must be reachable from the Elastic Runtime network, accept TCP connections, and use the RELP protocol. Ensure your syslog server listens on external interfaces.</p>
1. Select a **Transport Protocol** to use when forwarding logs.
1. If you plan to use TLS encryption when sending logs to the remote server, select **Yes** when answering the **Encrypt syslog using TLS?** question.
1. In the **Permitted Peer** field, enter either the name or SHA1 fingerprint of the remote peer.
1. In the **TLS CA Certificate** field, enter the TLS CA Certificate for the remote server.
1. For the **Syslog Drain Buffer Size**, enter the number of messages the Doppler server can hold from Metron agents before the server starts to drop them. See the [Loggregator Guide for Cloud Foundry Operators](../loggregator/log-ops-guide.html) topic for more details.
1. If you want to include security events in your log stream, select the **Enable Cloud Controller security event logging** checkbox. This logs all API requests, including the endpoint, user, source IP address, and request result, in the Common Event Format (CEF).
1. Click **Save**.
## <a id='customize-apps-man'></a>Step 14: (Optional) Customize Apps Manager##
<%= partial 'custombranding' %>
## <a id='smtp'></a>Step 15: (Optional) Configure Email Notifications ##
Elastic Runtime uses SMTP to send invitations and confirmations to Apps Manager
users.
You must complete the **Email Notifications** page if you want to enable end-user
self-registration.
1. Select **Email Notifications**.
<%= image_tag("cloudform/smtp.png") %>
1. Enter your reply-to and SMTP email information
1. Verify your authentication requirements with your email administrator and use
the **SMTP Authentication Mechanism** drop-down menu to select `None`, `Plain`,
or `CRAMMD5`.
If you have no SMTP authentication requirements, select `None`.
1. Click **Save**.
<p class="note"><strong>Note</strong>: If you do not configure the SMTP settings using this form, the administrator must create orgs and users using the cf CLI. See <a href="../adminguide/cli-user-management.html">Creating and Managing Users with the cf CLI</a> for more information.</p>
## <a id='config-cc'></a>Step 16: Configure Cloud Controller##
<%= partial 'cloud-controller' %>
## <a id='config-smoke-test'></a>Step 17: Configure Smoke Tests ##
<%= partial '_smoketests' %>
## <a id='er-advanced'></a>Step 18: (Optional) Enable Advanced Features ##
<%= partial 'advanced-features' %>
## <a id='er-errands'></a>Step 19: Configure Errands ##
<%= partial 'errands' %>
## <a id='resources'></a>Step 20: Configure Resources ##
1. Select **Resource Config**.
<%= image_tag("azure/resource-config.png") %>
1. Retrieve the name(s) of your external ALB by navigating to the Azure portal, clicking **All resources**, and locating your **Load balancer** resource. The name of the load balancer should be `pcf-lb`.
<p class="note"><strong>Note</strong>: The Azure portal sometimes displays the names of resources with incorrect capitalization. Always use the Azure CLI to retrieve the correctly capitalized name of a resource.</p>
1. Locate the **HAProxy** job in the **Resource Config** pane and enter the name of your external ALB in the field under **Load Balancers**.
<p class="note"><strong>Note</strong>: Do not enter a load balancer for the **Diego Brain** component.</p>
1. Ensure that the **Internet Connected** checkboxes are deselected for all jobs.
1. Scale the number of instances as appropriate for your deployment.
<p class="note"><strong>Note</strong>: For a high availability deployment of PCF on Azure, Pivotal recommends scaling the number of each Elastic Runtime job to a minimum of three (3) instances. Using three or more instances for each job creates a sufficient number of availability sets and fault domains for your deployment. For more information, see <a href="../refarch/azure/azure_ref_arch.html">Reference Architecture for Pivotal Cloud Foundry on Azure</a>.</p>
## <a id='disable-resources'></a>Step 21: (Optional) Scale Down and Disable Resources ##
<%= partial 'disable_resources_azure' %>
## <a id='stemcell'></a>Step 22: Configure Stemcell ##
Verify whether Ops Manager is providing the stemcell version required by Elastic Runtime. If the correct version is already present, you do not need to download a new stemcell.
1. In the Elastic Runtime tile, select **Stemcell**.
1. Verify that the version indicated in the filename matches the version of stemcell required by Elastic Runtime.
* If Elastic Runtime detects that a stemcell `.tgz` file is present in the Ops Manager Director VM at `/var/tempest/stemcells/`, the Stemcell screen displays filename information.
<%= image_tag("stemcell_18.png") %>
* If Elastic Runtime cannot detect a stemcell `.tgz` file, the following message displays:
<%= image_tag("stemcell_not_found.png") %>
1. If the version of the stemcell file that is loaded does not match the required version listed in the <a href="http://network.pivotal.io">Pivotal Network</a> download page for Elastic Runtime, or cannot be found by Ops Manager, perform the following steps to download and import a new stemcell file:
1. Log in to the [Pivotal Network](https://network.pivotal.io/products/pivotal-cf) and click **Stemcells**.
1. Download the appropriate stemcell version targeted for your IaaS.
1. In the **Stemcell** section of the Elastic Runtime tile, click **Import Stemcell** to import the downloaded stemcell <code>.tgz</code> file.
## <a id='complete'></a>Step 23: Complete the Elastic Runtime Installation ##
1. Click the **Installation Dashboard** link to return to the Installation
Dashboard.
1. Click **Apply Changes**. If the following ICMP error message appears, click
**Ignore errors and start the install**.
<%= image_tag("cloudform/install-error.png") %>
The install process generally requires a minimum of 90 minutes to complete.
The image shows the Changes Applied window that displays when the
installation process successfully completes.
<%= image_tag("cloudform/ops-manager-complete.png") %>