While I was working with one of the largest companies in the world during the past year, I learned a lot about VMware Tanzu and NSX Advanced Load Balancer (formerly known as Avi). Application modernization and the containerization of applications are very complex topics.
Customers are looking for ways to “free” their apps from infrastructure and want to go cloud-native by using/building microservices, containers and Kubernetes. VMware has a large portfolio to support you on your application modernization journey, which is the Tanzu portfolio. A lot of people still believe that Tanzu is a product – it’s not a product. Tanzu is more than just a Kubernetes runtime, and as soon as people like me from VMware explain the capabilities and possibilities of Tanzu to you, one tends to become overwhelmed at first.
Why? VMware’s mission is always to abstract things and make things easier for you, but this doesn’t mean you can skip a lot of the questions and topics that should be discussed:
- Where should your containers and microservices run?
- Do you have a multi-cloud strategy?
- How do you want to manage your Kubernetes clusters?
- How do you build your container images?
- How do you secure the whole application supply chain?
- Have you thought about vulnerability scanning for the components you use to build the containers?
- What kind of policies would you like to set on application, network and storage level?
- Do you need persistent storage for your containers?
- Should it be a vSphere platform only or are you also looking at AKS, EKS, GKE etc.?
- How are you planning to automate and configure “things”?
- Which kind of databases or data services do you use?
- Have you already got a tool for observability?
With these kinds of questions, you and I would figure out together which Tanzu edition makes the most sense for you. Looking at the VMware Tanzu website, you’ll find four different Tanzu editions:
If you click on one of the editions, you get the possibility to compare them:
Based on the capabilities listed above, customers would like to know the differences between Tanzu Standard and Advanced. Believe me, there is a lot of information I can share with you to make your life easier and to understand the Tanzu portfolio better. 🙂
1) VMware Tanzu Standard and Advanced Features and Components
Let’s start looking at the different capabilities and components that come with Tanzu Standard and Advanced:
Tanzu Standard focuses very much on Kubernetes multi-cloud and multi-cluster management (Tanzu Kubernetes Grid with Tanzu Mission Control aka TMC), while Tanzu Advanced adds a lot of capabilities to build your applications (Tanzu Application Catalog, Tanzu Build Service).
2) Tanzu Mission Control Standard and Advanced
Maybe you missed it in the screenshot before: Tanzu Standard comes with Tanzu Mission Control Standard, while Tanzu Advanced is equipped with Tanzu Mission Control Advanced.
Note: Announced at VMworld 2021, there is now even a third edition called Tanzu Mission Control Essentials, which was specifically made for VMware Cloud offerings such as VMC on AWS.
I must mention here that you could leverage the “free tier” of Tanzu Mission Control called TMC Starter. It can be combined, for example, with the Tanzu Community Edition (also free) or with existing clusters from other providers (AKS, GKE, EKS).
What’s the difference between TMC Standard and Advanced? Let’s check the TMC feature comparison chart:
- TMC Adv provides “custom roles”
- TMC Adv lets you configure more policies (security policies – custom, image policies, networking policies, quota policies, custom policies, policy insights)
- With Tanzu Mission Control Advanced you also get “CIS Benchmark inspections”
What if I want Tanzu Standard (Kubernetes runtime with Tanzu Mission Control and some open-source software) but not the complete feature set of Tanzu Mission Control Advanced? Let me answer that question a little bit later. 🙂
3) NSX Advanced Load Balancer Essentials vs. Enterprise (aka Avi Essentials vs. Enterprise)
Yes, there are also different NSX ALB editions included in Tanzu Standard and Advanced. The NSX ALB Essentials edition is not something that you can buy separately, and it’s only included in the Tanzu Standard edition.
The enterprise edition of NSX ALB is part of Tanzu Advanced but it can also be bought as a standalone product.
Here are the capabilities and differences between NSX ALB Essentials and Enterprise:
So, the Avi Enterprise edition provides a fully-featured version of NSX Advanced Load Balancer while Avi Essentials only provides L4 LB services for Tanzu.
Note: Customers can create as many NSX ALB / Avi Service Engines (SEs) as required with the Essentials edition and you still have the possibility to set up a 3-node NSX ALB controller cluster.
Important: It is not possible to mix the NSX ALB controllers from the Essentials and Enterprise editions. This means that a customer who has NSX ALB Essentials included in Tanzu Standard, and who has another department using NSX ALB Enterprise for another use case, needs to run separate controller clusters. While the controllers don’t cost you anything, there is obviously some additional compute footprint coming with this constraint.
FYI, there is also a cloud-managed option for the Avi Controllers with Avi SaaS.
What if I want the complete feature set of NSX ALB Enterprise? Let’s put this question also aside for a moment.
4) Container Ingress with Contour vs. NSX ALB Enterprise
Ingress is a very important component of Kubernetes and lets you configure how an application can or should be accessed. It is a set of routing rules that describe how traffic is routed to an application inside of a Kubernetes cluster. So, getting an application up and running is only half of the story. The application still needs a way for users to access it. If you would like to know more about “ingress”, I can recommend this short introduction video.
While Contour is a great open-source project, Avi provides much more enterprise-grade features like L4 LB, L7 ingress, security/WAF, GSLB and analytics. If stability, enterprise support, resiliency, automation, elasticity and analytics are important to you, then Avi Enterprise is definitely the better fit.
To keep it simple: If you are already thinking about NSX ALB Enterprise, then you could use it for K8s Ingress/LB and so many other use cases and services! 🙂
5) Observability with Grafana/Prometheus vs. Tanzu Observability
I recently wrote a blog about “modern application monitoring with VMware Tanzu and vRealize“. This article could give you a better understanding if you want to get started with open-source software or something like Tanzu Observability, which provides much more enterprise-grade features. Tanzu Observability is considered to be a fast-moving leader according to the GigaOm Cloud Observability Report.
What if I still want Tanzu Standard only but would like to have Tanzu Observability as well? Let’s park this question as well for another minute.
6) Open-Source Projects Support by VMware Tanzu
The Tanzu Standard edition comes with a lot of leading open-source technologies from the Kubernetes ecosystem. There is Harbor for container registry, Contour for ingress, Grafana and Prometheus for monitoring, Velero for backup and recovery, Fluentbit for logging, Antrea and Calico for container networking, Sonobuoy for conformance testing and Cluster API for cluster lifecycle management.
VMware is actively contributing to these open-source projects and still wants to give customers the flexibility and choice to use and integrate them wherever and whenever they see fit. But how are these open-source projects supported by VMware? To answer this, we can have a look at the Tanzu Toolkit (included in Tanzu Standard and Advanced):
- Tanzu Toolkit includes enterprise-level support for Harbor, Velero, Contour, and Sonobuoy
- Tanzu Toolkit provides advisory—or best effort—guidance on Prometheus, Grafana, and Alertmanager for use with Tanzu Kubernetes Grid. Installation, upgrade, initial tooling configuration, and bug fixes are beyond the current scope of VMware’s advisory support.
7) Tanzu Editions Licensing
There are two options for licensing your Tanzu deployments:
- Per CPU Licensing – Mostly used for on-prem deployments or where standalone installations are planned (dedicated workload domain with VCF). Tanzu Standard is included in all the regular VMware Cloud Foundation editions.
- Per Core Licensing – For non-standalone on-prem and public cloud deployments, you should license Tanzu Standard and Advanced based on the number of cores used by the worker and management nodes delivering K8s clusters. Constructs such as “vCPUs”, “virtual CPUs” and “virtual cores” are proxies (other names) for CPU cores.
Tanzu Advanced is sold as a “pack” of software and VMware Cloud service offerings. Each purchased pack of Tanzu Advanced equals 20 cores. Example of 1 pack:
- Spring Runtime: 20 cores
- Tanzu Application Catalog: 20 cores
- Tanzu SQL: 1 core (part of Tanzu Data Services)
- Tanzu Build Service: 20 cores
- Tanzu Observability: 160 PPS (sufficient to collect metrics for the infrastructure)
- Tanzu Mission Control Advanced: 20 cores
- Tanzu Service Mesh Advanced: 20 cores
- NSX ALB Enterprise: 1 CPU = 1/4 Avi Service Core
- Tanzu Standard Runtime: 20 cores
If you need more details about these subscription licenses, please consult the VMware Product Guide (starting from page 37).
As you can see, a lot of components (I didn’t even list all) form the Tanzu Advanced edition. The calculation, planning and sizing for the different components require multiple discussions with your Tanzu specialist from VMware.
8) Tanzu Standard Sizing
Disclaimer – This sizing is based on my current understanding, and it is always recommended to do a proper sizing with your Tanzu specialists / consultants.
So, we have learnt before that Tanzu Standard licensing is based on cores, which are “used by the worker and management nodes delivering K8s clusters”.
As you may already know, the so-called “Supervisor Cluster” is currently formed by three control plane VMs. Looking at the validated design for Tanzu for VMware Cloud Foundation workload domains, one can also get a better understanding of the Tanzu Standard runtime sizing for vSphere-only environments.
The three Supervisor Cluster control plane VMs each have 4 vCPUs, which means 12 vCPUs (cores) in total.
The three Tanzu Kubernetes Cluster worker nodes (small size) each have 2 vCPUs, which means 6 vCPUs (cores) in total.
My conclusion here is that you need to license at least 18 cores to get started with Tanzu Standard.
Caution: William Lam wrote about the possibility to deploy single or dual node Supervisor Cluster control plane VMs. It is technically possible to reduce the number of control plane VMs, but it is not officially supported by VMware. We need to wait until this feature becomes available in the future.
It would be very beneficial for customers with a lot of edge locations or smaller locations in general. If you can reduce the Supervisor Cluster down to two control plane VMs only, the initial deployment size would only need 14 vCPUs (cores).
9) NSX Advanced Load Balancer Sizing and Licensing
General licensing instructions for Avi aka NSX ALB (Enterprise) can be found here.
NSX ALB is licensed based on cores consumed by the Avi Service Engines. As already said before, you won’t be charged for the Avi Controllers, and it is possible to add new licenses to the ALB Controller at any time. Avi Enterprise licensing is based on so-called Service Cores. This means that one vCPU or core equals one Service Core.
Avi as a standalone product has only one edition, the fully-featured Enterprise edition. Depending on your needs and the features (LB, GSLB, WAF, analytics, K8s ingress, throughput, SSL TPS etc.) you use, you’ll calculate the necessary amount of Service Cores.
It is possible to calculate and assign more or less than 1 Service Core per Avi Service Engine:
- 25 Mbps throughput (bandwidth) = 0.4 Service Cores
- 200 Mbps throughput = 0.7 Service Cores
Example: A customer wants to deploy 10 Service Engines with 25MB and 4 Service Engines with 200MB. These numbers would map to 10*0.4 Service Cores + 4*0.7 Service Cores, which gives us a total of 6.8 Service Cores. In this case you would buy 7 Service Cores.
10) Tanzu for Kubernetes Operations (TKO)
Now it’s time to answer the questions we parked before:
- What if I want Tanzu Standard (Kubernetes runtime with Tanzu Mission Control and some open-source software) but not the complete feature set of Tanzu Mission Control Advanced?
- What if I want the complete feature set of NSX ALB Enterprise?
- What if I still want Tanzu Standard only but would like to have Tanzu Observability as well?
Before we do that, let me quickly show you one slide from the VMworld 2021 session Make Your Move to Multi-Cloud Kubernetes with VMware Tanzu [APP3117]:
Megan Bruce presented this slide and said that you need a consistent Kubernetes runtime to start your multi-cloud Kubernetes journey with VMware Tanzu, so that you can lifecycle (deploy, manage and upgrade) clusters consistently. This capability starts with Tanzu Kubernetes Grid.
The next component you need is a way to manage your platform: a centralized management plane that provides centralized visibility and control over your platform, which is used and consumed by distributed teams. That is provided by Tanzu Mission Control.
How do you effectively monitor and troubleshoot issues faster, and how do you stitch services together and protect your data both at rest and in transit across cloud? That would be Tanzu Observability and Tanzu Service Mesh.
Finally, VMware can also help you to implement global load balancing and provides advanced traffic routing with NSX Advanced Load Balancer.
The different Tanzu products I just highlighted are all SaaS-based offerings and form the global Tanzu control plane you would get with Tanzu Advanced. But how can you get these components if you want to build this standardized control plane and have a mix of Tanzu Standard and Advanced? What if I want something in between Tanzu Std and Adv before I move later to the complete Tanzu Adv edition?
Well, the answer to this and the questions above is “Tanzu for Kubernetes Ops” (TKO)!
I believe it hasn’t been officially announced at VMworld, but TKO is a new soft-bundle. It does NOT come as one standalone SKU for customers yet, but for sure this is where VMware is heading. Let me summarize the components of this bundle (it’s not a new edition) for you:
- Tanzu Standard Runtime (includes Tanzu Kubernetes Grid + open-source software), licensed per core
- Tanzu Mission Control Advanced, licensed per core
- Tanzu Observability, licensed based on PPS (minimum of 1000 PPS required)
- Tanzu Service Mesh Advanced, licensed based on core
- Antrea Advanced, licensed based on core
- NSX ALB (Avi) Enterprise, licensed based on service cores
Does this BOM answer all our questions? YES! 🙂
The cool thing about it? You don’t need to choose all the components. Just pick what makes sense for you. Example: You can start with the Tanzu Standard Runtime, TMC Advanced, Tanzu Observability and NSX ALB Enterprise, and go for Tanzu Service Mesh whenever the time is right.
Maybe you already started with the public cloud offerings like AKS, EKS and GKE and need a consistent control plane? Then Tanzu and TKO are still good choices for you. There’s also a pretty new “VMware Tanzu for Kubernetes Operations on vSphere Reference Design” available!
Wherever you are on your application modernization journey, VMware and its Tanzu portfolio have got your back. No matter whether you want to start small, take your first steps and gain experience with open-source projects, or want the complete set with the Tanzu Advanced edition, VMware offers the right options and flexibility.
I hope my learnings from this customer engagement help you to better understand the Tanzu portfolio and its capabilities.