Tanzu Community Edition


Reference for Azure account

If you encounter issues deploying a cluster to Azure, review the following troubleshooting and reference content.

Network Security Groups on Azure

If you do not specify a VNET when deploying a management cluster, the deployment process creates a new VNET along with the Network Security Groups (NSGs) required for the management cluster.

The following NSGs are required:

  • One control plane NSG shared by the control plane nodes of all clusters, including the management cluster and the workload clusters that it manages.
  • One worker NSG for each cluster, for the cluster’s worker nodes.

If you create a VNET before deploying a management or workload cluster, Azure requires the following subnets and NSGs to be defined on that VNET:

  • A subnet for the management cluster control plane node
  • A Network Security Group on the control plane subnet with the following inbound security rules, to enable SSH and Kubernetes API server connections:
    • Allow TCP over port 22 for any source and destination
    • Allow TCP over port 6443 for any source and destination. Port 6443 is where the Kubernetes API is exposed on VMs in the clusters you create.
  • A subnet and Network Security Group for the management cluster worker nodes.

For each workload cluster that you deploy later, you need to create a worker NSG named <CLUSTER-NAME>-node-nsg, where <CLUSTER-NAME> is the name of the workload cluster. This worker NSG must have the same VNET and region as its management cluster.
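
A pre-flight check for the NSG requirements above, as an added example (not Tanzu Community Edition code). It assumes NSG JSON in the shape emitted by `az network nsg show`. The function names and the sample NSG are hypothetical, only any-source/any-destination rules are evaluated, and VNET membership is not checked.

```python
import json

REQUIRED_TCP_PORTS = (22, 6443)  # from the page: SSH and the Kubernetes API server
ANY = "*"                        # how Azure stores "Any" for ports and address prefixes

def covers(spec, port):
    """True if an Azure port spec ('*', '22' or '6000-7000') includes port."""
    if spec == ANY:
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def port_specs(rule):
    # A rule carries either destinationPortRange or the destinationPortRanges list.
    single = rule.get("destinationPortRange")
    return list(rule.get("destinationPortRanges") or []) + ([single] if single else [])

def deciding_rule(nsg, port):
    """First any/any inbound TCP rule matching port; lowest priority number wins."""
    for rule in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
        if (rule["direction"] == "Inbound" and rule["protocol"].lower() in ("tcp", ANY)
                and rule.get("sourceAddressPrefix") == ANY
                and rule.get("destinationAddressPrefix") == ANY
                and any(covers(s, port) for s in port_specs(rule))):
            return rule
    return None  # no custom rule matched; Azure's default rules decide

def missing_control_plane_ports(nsg):
    """Required ports whose deciding rule is absent or is not an Allow."""
    decided = {p: deciding_rule(nsg, p) for p in REQUIRED_TCP_PORTS}
    return [p for p, r in decided.items() if r is None or r["access"] != "Allow"]

def worker_nsg_problems(nsg, cluster_name, management_region):
    """Check the <CLUSTER-NAME>-node-nsg name and the same-region requirement."""
    checks = {"name": nsg["name"] == f"{cluster_name}-node-nsg",
              "region": nsg["location"] == management_region}
    return [field for field, ok in checks.items() if not ok]

# Constructed sample: port 22 is allowed, but a deny at priority 100 shadows the 6443 allow.
SAMPLE_NSG = json.loads("""{"name": "mgmt-controlplane-nsg", "location": "eastus", "securityRules": [
 {"name": "deny-api", "priority": 100, "direction": "Inbound", "access": "Deny", "protocol": "*",
  "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "6000-7000"},
 {"name": "allow-ssh", "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "allow-api", "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRanges": ["6443"]}]}""")
```

On the sample, `missing_control_plane_ports(SAMPLE_NSG)` reports 6443: the allow rule exists, but the broader deny rule has a lower priority number and is evaluated first.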

Microsoft Azure account

Your Microsoft Azure account should meet the following permission and quota requirements:

  • Permissions required to register an app. See Permissions required for registering an app in the Azure documentation.
  • Sufficient public IP address quotas for your clusters, including the quota for Public IP Addresses - Standard, Public IP Addresses - Basic, and Static Public IP Addresses. A standard Azure account has a quota of 10 public IP addresses per region. Every Tanzu Community Edition cluster requires 2 Public IP addresses regardless of how many control plane nodes and worker nodes it has. For each Kubernetes Service object with type LoadBalancer, 1 Public IP address is required.
  • Run a DNS lookup on all imageRepository values to find their CNAMEs.
  • Sufficient VM core (vCPU) quotas for your clusters. A standard Azure account has a quota of 10 vCPU per region. Tanzu Community Edition clusters require 2 vCPU per node, which translates to:
    • Management cluster:

      • dev plan: 4 vCPU (1 main, 1 worker)
      • prod plan: 8 vCPU (3 main, 1 worker)
    • Each workload cluster:

      • dev plan: 4 vCPU (1 main, 1 worker)
      • prod plan: 12 vCPU (3 main, 3 worker)
    • For example, assuming a single management cluster and all clusters with the same plan:

      Plan | Workload Clusters | vCPU for Workload | vCPU for Management | Total vCPU
