10 Things You Didn’t Know About VMware Tanzu

While I was working with one of the largest companies in the world during the past year, I learned a lot about VMware Tanzu and NSX Advanced Load Balancer (formerly known as Avi). Application modernization and the containerization of applications are very complex topics.

Customers are looking for ways to “free” their apps from infrastructure and want to go cloud-native by using/building microservices, containers and Kubernetes. VMware has a large portfolio to support you on your application modernization journey, which is the Tanzu portfolio. A lot of people still believe that Tanzu is a product – it’s not a product. Tanzu is more than just a Kubernetes runtime, and as soon as people like me from VMware explain the capabilities and possibilities of Tanzu to you, one tends to become overwhelmed at first.

Why? VMware’s mission is always to abstract things and make things easier for you but this doesn’t mean you can skip a lot of the questions and topics that should be discussed:

  • Where should your containers and microservices run?
  • Do you have a multi-cloud strategy?
  • How do you want to manage your Kubernetes clusters?
  • How do you build your container images?
  • How do you secure the whole application supply chain?
  • Have you thought about vulnerability scanning for the components you use to build the containers?
  • What kind of policies would you like to set on application, network and storage level?
  • Do you need persistent storage for your containers?
  • Should it be a vSphere platform only or are you also looking at AKS, EKS, GKE etc.?
  • How are you planning to automate and configure “things”?
  • Which kind of databases or data services do you use?
  • Have you already got a tool for observability?

With these kinds of questions, you and I would figure out together which Tanzu edition makes the most sense for you. Looking at the VMware Tanzu website, you’ll find four different Tanzu editions:

VMware Tanzu Editions

If you click on one of the editions, you get the possibility to compare them:

Tanzu Editions Comparison

Based on the capabilities listed above, customers would like to know the differences between Tanzu Standard and Advanced. Believe me, there is a lot of information I can share with you to make your life easier and to understand the Tanzu portfolio better. 🙂

1) VMware Tanzu Standard and Advanced Features and Components

Let’s start looking at the different capabilities and components that come with Tanzu Standard and Advanced:

Tanzu Std vs Adv

Tanzu Standard focuses very much on Kubernetes multi-cloud and multi-cluster management (Tanzu Kubernetes Grid with Tanzu Mission Control aka TMC), while Tanzu Advanced adds a lot of capabilities to build your applications (Tanzu Application Catalog, Tanzu Build Service).

2) Tanzu Mission Control Standard and Advanced

Maybe you missed it in the screenshot before. Tanzu Standard comes with Tanzu Mission Control Standard, while Tanzu Advanced is equipped with Tanzu Mission Control Advanced.

Note: Announced at VMworld 2021, there is now even a third edition called Tanzu Mission Control Essentials, which was specifically made for VMware Cloud offerings such as VMC on AWS.

I must mention here that you could leverage the “free tier” of Tanzu Mission Control called TMC Starter. It can be combined with the Tanzu Community Edition (also free), for example, or with existing clusters from other providers (AKS, GKE, EKS).

What’s the difference between TMC Standard and Advanced? Let’s check the TMC feature comparison chart:

  • TMC Adv provides “custom roles”
  • TMC Adv lets you configure more policies (security policies – custom, images policies, networking policies, quota policies, custom policies, policy insights)
  • With Tanzu Mission Control Advanced you also get “CIS Benchmark inspections”

What if I want Tanzu Standard (Kubernetes runtime with Tanzu Mission Control and some open-source software) but not the complete feature set of Tanzu Mission Control Advanced? Let me answer that question a little bit later. 🙂

3) NSX Advanced Load Balancer Essentials vs. Enterprise (aka Avi Essentials vs. Enterprise)

Yes, there are also different NSX ALB editions included in Tanzu Standard and Advanced. The NSX ALB Essentials edition is not something that you can buy separately, and it’s only included in the Tanzu Standard edition.

The enterprise edition of NSX ALB is part of Tanzu Advanced but it can also be bought as a standalone product.

Here are the capabilities and differences between NSX ALB Essentials and Enterprise:

NSX ALB Essentials vs. Enterprise

So, the Avi Enterprise edition provides a fully-featured version of NSX Advanced Load Balancer while Avi Essentials only provides L4 LB services for Tanzu.

Note: Customers can create as many NSX ALB / Avi Service Engines (SEs) as required with the Essentials edition and you still have the possibility to set up a 3-node NSX ALB controller cluster.

Important: It is not possible to mix the NSX ALB controllers from the Essentials and Enterprise edition. This means that a customer who has NSX ALB Essentials included in Tanzu Standard, and has another department using NSX ALB Enterprise for another use case, needs to run separate controller clusters. While the controllers don’t cost you anything, there is obviously some additional compute footprint coming with this constraint.

FYI, there is also a cloud-managed option for the Avi Controllers with Avi SaaS.

What if I want the complete feature set of NSX ALB Enterprise? Let’s put this question also aside for a moment.

4) Container Ingress with Contour vs. NSX ALB Enterprise

Ingress is a very important component of Kubernetes and lets you configure how an application can or should be accessed. It is a set of routing rules that describe how traffic is routed to an application inside of a Kubernetes cluster. So, getting an application up and running is only half of the story. The application still needs a way for users to access it. If you would like to know more about “ingress”, I can recommend this short introduction video.

While Contour is a great open-source project, Avi provides much more enterprise-grade features like L4 LB, L7 ingress, security/WAF, GSLB and analytics. If stability, enterprise support, resiliency, automation, elasticity and analytics are important to you, then Avi Enterprise is definitely the better fit.

To keep it simple: If you are already thinking about NSX ALB Enterprise, then you could use it for K8s Ingress/LB and so many other use cases and services! 🙂

5) Observability with Grafana/Prometheus vs. Tanzu Observability

I recently wrote a blog about “modern application monitoring with VMware Tanzu and vRealize”. This article could give you a better understanding if you want to get started with open-source software or something like Tanzu Observability, which provides much more enterprise-grade features. Tanzu Observability is considered to be a fast-moving leader according to the GigaOm Cloud Observability Report.

What if I still want Tanzu Standard only but would like to have Tanzu Observability as well? Let’s park this question as well for another minute.

6) Open-Source Projects Support by VMware Tanzu

The Tanzu Standard edition comes with a lot of leading open-source technologies from the Kubernetes ecosystem. There is Harbor for container registry, Contour for ingress, Grafana and Prometheus for monitoring, Velero for backup and recovery, Fluentbit for logging, Antrea and Calico for container networking, Sonobuoy for conformance testing and Cluster API for cluster lifecycle management.

VMware Open-Source Projects

VMware is actively contributing to these open-source projects and still wants to give customers the flexibility and choice to use and integrate them wherever and whenever they see fit. But how are these open-source projects supported by VMware? To answer this, we can have a look at the Tanzu Toolkit (included in Tanzu Standard and Advanced):

  • Tanzu Toolkit includes enterprise-level support for Harbor, Velero, Contour, and Sonobuoy
  • Tanzu Toolkit provides advisory—or best effort—guidance on Prometheus, Grafana, and Alertmanager for use with Tanzu Kubernetes Grid. Installation, upgrade, initial tooling configuration, and bug fixes are beyond the current scope of VMware’s advisory support.

7) Tanzu Editions Licensing

There are two options for licensing your Tanzu deployments:

  • Per CPU Licensing – Mostly used for on-prem deployments or where standalone installations are planned (dedicated workload domain with VCF). Tanzu Standard is included in all the regular VMware Cloud Foundation editions.
  • Per Core Licensing – For non-standalone on-prem and public cloud deployments, you should license Tanzu Standard and Advanced based on number of cores used by the worker and management nodes delivering K8s clusters. Constructs such as “vCPUs”, “virtual CPUs” and “virtual cores” are proxies (other names) for CPU cores.

Tanzu Advanced is sold as a “pack” of software and VMware Cloud service offerings. Each purchased pack of Tanzu Advanced equals 20 cores. Example of 1 pack:

  • Spring Runtime: 20 cores
  • Tanzu Application Catalog: 20 cores
  • Tanzu SQL: 1 core (part of Tanzu Data Services)
  • Tanzu Build Service: 20 cores
  • Tanzu Observability: 160 PPS (sufficient to collect metrics for the infrastructure)
  • Tanzu Mission Control Advanced: 20 cores
  • Tanzu Service Mesh Advanced: 20 cores
  • NSX ALB Enterprise: 1 CPU = 1/4 Avi Service Core
  • Tanzu Standard Runtime: 20 cores

If you need more details about these subscription licenses, please consult the VMware Product Guide (starting from page 37).

As you can see, a lot of components (I didn’t even list all) form the Tanzu Advanced edition. The calculation, planning and sizing for the different components require multiple discussions with your Tanzu specialist from VMware.

8) Tanzu Standard Sizing

Disclaimer – This sizing is based on my current understanding, and it is always recommended to do a proper sizing with your Tanzu specialists / consultants.

So, we have learnt before that Tanzu Standard licensing is based on cores, which are “used by the worker and management nodes delivering K8s clusters”.

As you may already know, the so-called “Supervisor Cluster” is currently formed by three control plane VMs. Looking at the validated design for Tanzu for VMware Cloud Foundation workload domains, one can also get a better understanding of the Tanzu Standard runtime sizing for vSphere-only environments.

The three Supervisor Cluster control plane VMs each have 4 vCPUs – this means 12 vCPUs (cores) in total.

The three Tanzu Kubernetes Cluster worker nodes (small size) each have 2 vCPUs – this means 6 vCPUs (cores) in total.

My conclusion here is that you need to license at least 18 cores to get started with Tanzu Standard.

Caution: William Lam wrote about the possibility to deploy single or dual node Supervisor Cluster control plane VMs. It is technically possible to reduce the number of control plane VMs, but it is not officially supported by VMware. We need to wait until this feature becomes available in the future.

It would be very beneficial for customers with a lot of edge locations or smaller locations in general. If you can reduce the Supervisor Cluster down to two control plane VMs only, the initial deployment size would only need 14 vCPUs (cores).

9) NSX Advanced Load Balancer Sizing and Licensing

General licensing instructions for Avi aka NSX ALB (Enterprise) can be found here

NSX ALB is licensed based on cores consumed by the Avi Service Engines. As already said before, you won’t be charged for the Avi Controllers, and it is possible to add new licenses to the ALB Controller at any time. Avi Enterprise licensing is based on so-called Service Cores. This means one vCPU or core equals one Service Core.

Avi as a standalone product has only one edition, the fully-featured Enterprise edition. Depending on your needs and the features (LB, GSLB, WAF, analytics, K8s ingress, throughput, SSL TPS etc.) you use, you’ll calculate the necessary amount of Service Cores.

It is possible to calculate and assign more or less than 1 Service Core per Avi Service Engine:

  • 25 Mbps throughput (bandwidth) = 0.4 Service Cores
  • 200 Mbps throughput = 0.7 Service Cores

Example: A customer wants to deploy 10 Service Engines with 25MB and 4 Service Engines with 200MB. These numbers would map to 10*0.4 Service Cores + 4*0.7 Service Cores, which gives us a total of 6.8 Service Cores. In this case you would buy 7 Service Cores.

10) Tanzu for Kubernetes Operations (TKO)

Now it’s time to answer the questions we parked before:

  • What if I want Tanzu Standard (Kubernetes runtime with Tanzu Mission Control and some open-source software) but not the complete feature set of Tanzu Mission Control Advanced?
  • What if I want the complete feature set of NSX ALB Enterprise?
  • What if I still want Tanzu Standard only but would like to have Tanzu Observability as well?

Before we do that, let me quickly show you one slide from the VMworld 2021 session Make Your Move to Multi-Cloud Kubernetes with VMware Tanzu [APP3117]:

VMworld 2021 Tanzu for Kubernetes Operations

Megan Bruce presented this slide and said that you need a consistent Kubernetes runtime to start your multi-cloud Kubernetes journey with VMware Tanzu, so that you can lifecycle (deploy, manage and upgrade) clusters consistently. This capability starts with Tanzu Kubernetes Grid.

The next component you need is a centralized management plane that provides centralized visibility and control over your platform, which is used and consumed by distributed teams. That is provided by Tanzu Mission Control.

How do you effectively monitor and troubleshoot issues faster, and how do you stitch services together and protect your data both at rest and in transit across cloud? That would be Tanzu Observability and Tanzu Service Mesh.

Finally, VMware can also help you to implement global load balancing and provides advanced traffic routing with NSX Advanced Load Balancer.

The different Tanzu products I just highlighted are all SaaS-based offerings and form the global Tanzu control plane you would get with Tanzu Advanced. But how can you get these components if you want to build this standardized control plane and have a mix of Tanzu Standard and Advanced? What if I want something in between Tanzu Std and Adv before I move later to the complete Tanzu Adv edition?

Well, the answer to this and the questions above is “Tanzu for Kubernetes Ops” (TKO)!

I believe it hasn’t been officially announced at VMworld, but TKO is a new soft-bundle. It does NOT come as one standalone SKU for customers yet, but for sure this is where VMware is heading to. Let me summarize the components of this bundle (it’s not a new edition) for you:

  • Tanzu Standard Runtime (includes Tanzu Kubernetes Grid + open-source software), licensed per core
  • Tanzu Mission Control Advanced, licensed per core
  • Tanzu Observability, licensed based on PPS (minimum of 1000 PPS required)
  • Tanzu Service Mesh Advanced, licensed based on core
  • Antrea Advanced, licensed based on core
  • NSX ALB (Avi) Enterprise, licensed based on service cores

Does this BOM answer all our questions? YES! 🙂

The cool thing about it? You don’t need to choose all the components. Just pick what makes sense for you. Example: You can start with the Tanzu Standard Runtime, TMC Advanced, Tanzu Observability and NSX ALB Enterprise, and go for Tanzu Service Mesh whenever the time is right.

Maybe you already started with the public cloud offerings like AKS, EKS and GKE and need a consistent control plane? Then Tanzu and TKO are still good choices for you. There’s also a pretty new “VMware Tanzu for Kubernetes Operations on vSphere Reference Design” available!


Wherever you are on your application modernization journey, VMware and its Tanzu portfolio have your back. No matter if you want to start small, take your first steps and gain experience with open-source projects, or if you want to have a complete set with the Tanzu Advanced edition, VMware offers the right options and flexibility.

I hope my learnings from this customer engagement help you to better understand the Tanzu portfolio and its capabilities.

Please leave your comments and thoughts below. 🙂

Modern Application Monitoring with VMware Tanzu and vRealize

The complexity of applications has increased because of new cloud technologies and new application architectures. Since organizations adopt and embrace the DevOps mindset, developers and IT operations are closer than ever. Developers are now part of the team operating the distributed systems.

Businesses must figure out how they learn about system failures and need to understand “what” is broken (symptom) and “why” (possible cause) something is broken.

Let’s talk about application performance management (APM) and enterprise observability. 🙂


It was around the year 2012 or 2013 when I had to introduce a new monitoring solution for a former employer who was a cloud service provider. I think Nagios was the state-of-the-art technology back then and I replaced it with PRTG Network Monitor from Paessler.

When we onboarded a new customer infrastructure or application, the process was always the same. I had to define the metrics to collect and then put those metrics on a dashboard. It was very important to set alerts based on thresholds or conditions. Everyone knew back then that this approach wasn’t the best, but we didn’t have any other choice.

PRTG Sensor View

If an IP was not pingable or a specific port of a server or application was down for 60 seconds, an alert popped up and an e-mail was sent to the IT helpdesk. And in the dashboard you could see sensors switching from a green to a red state.

To simplify the troubleshooting process and to have a logical application view, I had to create some dependencies between sensors. This was probably the only way to create something like an application (dependency) mapping.

When users worked on a virtual desktop or on a Windows Terminal Server, we “measured” the user experience and application performance based on network latency, and server resource usage based mostly on CPU and RAM.


Observability enables you to drill down into the distributed services and systems (hardware components, containers, microservices) that make up an application.

Monitoring and observability are not the same thing. As described before, monitoring is the process of collecting metrics and alerts so that one can monitor the health and performance of components like network devices, databases, servers or VMs.

Observability helps you to understand complex architectures and interactions between elements in this architecture. It also allows you to troubleshoot performance issues, identify root causes for failures faster and helps you to optimize your cloud native infrastructure and applications.

In other words, observability can help you to speed up mean time to detection (MTTD) and mean time to resolution (MTTR) for infrastructure and application failures.

There are three golden telemetry signals to achieve observability (source):

  • Logs: Logs are the abiding records of discrete events that can identify unpredictable behavior in a system and provide insight into what changed in the system’s behavior when things went wrong. It’s highly recommended to ingest logs in a structured way, such as in JSON format so that log visualization systems can auto-index and make logs easily queryable.
  • Metrics: Metrics are considered as the foundations of monitoring. They are the measurements or simply the counts that are aggregated over a period of time. Metrics will tell you how much of the total amount of memory is used by a method, or how many requests a service handles per second.
  • Traces: A single trace displays the operation as it moves from one node to another in a distributed system for an individual transaction or request. Traces enable you to dig into the details of particular requests to understand which components cause system errors, monitor flow through the modules, and discover the bottlenecks in the performance of the system.

Tanzu Observability Tracing

When using observability during app development, it can also improve the developer experience and productivity.

Tanzu Observability Services

The VMware Tanzu portfolio currently has four different editions:

Different Tanzu Observability services are available for different components and Tanzu editions.

Tanzu Standard Observability

Tanzu Standard includes the leading open-source projects Prometheus and Grafana for platform monitoring (and Fluent Bit for log forwarding).

Tanzu Kubernetes Grid provides monitoring with the open-source Prometheus and Grafana services. You deploy these services on your cluster and can then take advantage of Grafana visualizations and dashboards. As part of the integration, you can set up Alertmanager to send alerts to Slack or use custom Webhooks alert notifications.

Tanzu Kubernetes Grid architecture

Tanzu Standard Observability is comprised of:

  • Fluent Bit is an open-source log processor and forwarder which allows you to collect any data like metrics and logs from different sources, enrich them with filters and send them to multiple destinations. It’s the preferred choice for containerized environments like Kubernetes.
  • Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
  • Prometheus is a free software application used for event monitoring and alerting. It records real-time metrics in a time series database built using a HTTP pull model, with flexible queries and real-time alerting.

Note: VMware only provides advisory (best effort) guidance on Prometheus and Grafana for use with Tanzu Kubernetes Grid. The installation, configuration and upgrades are beyond the current scope of VMware’s advisory support.

Tanzu Advanced Observability

In May 2017 VMware acquired Wavefront which is now part of the Tanzu portfolio and called “Tanzu Observability” (TO).

TO is a SaaS-based metrics monitoring and analytics platform that handles the enterprise-scale requirements of modern cloud native applications.

Compared to Grafana/Prometheus, one would say that Tanzu Observability is a true enterprise-grade observability platform. According to the GigaOm Cloud Observability Report, VMware Tanzu Observability is one of the strong leaders alongside Dynatrace and Splunk, to name just a few.

Tanzu Observability is best suited for large organizations and provides consumption-based pricing that is based on the rate at which you send metric data to Tanzu Observability during the course of each month. This gives you the flexibility to start with any size you want and scale up/down as needed. It’s not dependent on the number of hosts or the number of users.

Tanzu Observability CIO Dashboard

Tanzu Observability allows you to collect data from different sources and provides integrations to over 250 technologies including different public clouds, web application and services, big data frameworks, data stores, other monitoring tools, operating systems / hosts, and many more.

Tanzu Observability Integrations

While data retention with Prometheus is limited to a maximum of 14 days, VMware allows you to send Prometheus data to Tanzu Observability for long-term data retention (up to 18 months at full granularity).

Just announced at VMworld 2021, VMware has added artificial intelligence and machine learning (AI/ML) root cause capabilities…

Tanzu Observability AI Powered Root Cause Analysis

…and created an integration between Tanzu Observability and vRealize Operations Cloud.

Through this integration, developers and SREs can now view vRealize Operations Cloud metrics alongside all the metrics, histograms, and traces collected by Tanzu Observability from other sources for a more holistic view of business-critical applications and infrastructure.

If you are attending VMworld, check out the sessions below to learn more about Tanzu Observability.

  • APP1308: Observability for Modern Application and Kubernetes Environments
  • APP2648: Implement Observability for Kubernetes Clusters and Workloads in Minutes
  • VI2630: Best Practices and Reference Framework for Implementing Observability
  • UX2551: Move from Traditional Monitoring to Observability and SRE – Design Studio
  • VMTN2810: Lost in Containers? Enhance Observability with Actionable Visualization
  • 2965: Kubernetes Cluster Operations, Monitoring and Observability
  • 2957: Build a Data Analytics Platform in Minutes Using Deployment Blueprints
  • APP2677: Meet the Experts: VMware Tanzu Observability by Wavefront
  • VMTN3230: Observe Application internals Holistically
  • VI1448: Take a Modern Approach to Achieve Application Resiliency
  • APP1319: Transforming Customer Experiences with VMware’s App Modernization Platform

Integration with other Tanzu Products

Tanzu Observability is fully integrated within the Tanzu family with OOTB integrations with:

Kubernetes Monitoring in vRealize Operations

Tanzu Observability provides “Kubernetes Observability” and OOTB integrations with RedHat OpenShift, Azure Kubernetes Service (AKS), Amazon EKS and Google GKE for example.

Tanzu Observability Kubernetes Monitoring

vRealize Operations (vROps) is also able to monitor multiple Kubernetes environments like VMware Tanzu Kubernetes Grid, RedHat OpenShift, Amazon EKS, Azure AKS or Google GKE. That is made possible with the vROps Management Pack for Kubernetes.

Using the vRealize Operations Management Pack for Kubernetes (needs vROps 8.1 or later), you can monitor, troubleshoot, and optimize the capacity management for Kubernetes clusters. Below are some of the additional capabilities that this management pack delivers:

  • Auto-discovery of Tanzu Kubernetes Grid (TKG) or Tanzu Mission Control (TMC) Kubernetes clusters.
  • Complete visualization of Kubernetes cluster topology, including namespaces, clusters, replica sets, nodes, pods, and containers.
  • Performance monitoring for Kubernetes clusters.
  • Out-of-the-box dashboards for Kubernetes constructs, which include inventory and configuration.
  • Multiple alerts to monitor the Kubernetes clusters.
  • Mapping Kubernetes nodes with virtual machine objects.
  • Report generation for capacity, configuration, and inventory metrics for clusters or pods.

vRealize Operations K8s Monitoring

Note: Kubernetes monitoring is available in vRealize Operations Advanced.

There is also a Prometheus integration that enables vRealize Operations Manager to retrieve metrics directly from Prometheus:

Note: vRealize Operations can also integrate with your existing application performance management systems. vROps offers integrations with App Dynamics, DataDog, Dynatrace and New Relic.


There are different options available within VMware Tanzu and vRealize when it comes to Kubernetes operations, monitoring and observability.

Depending on your current needs and toolset, you’ll have different options and integration possibilities.

VMware’s portfolio gives you the choice to use open-source software like Grafana/Prometheus, leverage an existing vRealize Operations deployment or to get an enterprise-grade observability and analytics platform like Tanzu Observability.

If you are looking for an end-to-end monitoring stack aka 360-degree visibility for your K8s environments and clouds, VMware Tanzu and the vRealize Suite give you the following products:

  1. Applications – Tanzu Observability
  2. Kubernetes Cluster – Tanzu Observability, vRealize Operations, vRealize Network Insight, vRealize Log Insight
  3. Network Layer – vRealize Operations, vRealize Network Insight, vRealize Log Insight
  4. Virtualization Layer – vRealize Operations, vRealize Network Insight, vRealize Log Insight