Install Tanzu Application Platform on EKS using Tanzu Mission Control


On following this blog post you will by the end have successfully created an AWS EKS cluster and installed Tanzu Application Platform (commonly known as TAP) on it all via the Tanzu Mission Control UI (commonly known as TMC).

AWS and Tanzu Application Platform are both highly configurable solutions but for this blog post, it will use the following configuration so can have a working environment stood up as quickly as possible to test drive Tanzu Application Platform with as few input parameters and steps as possible using the Tanzu Mission Control UI. For a production install, please see the following document


  • EKS
    • Kubernetes v1.28
    • 5x t3.xlarge (4x vCPU & 16GB mem) compute nodes
    • 120GB disk for each compute node
    • Public & private endpoint access (external Doc)
    • EBS CSI driver
  • ECR for registry
  • Route 53 for DNS


Tanzu Application Platform

  • Version 1.7
  • Single cluster install using the “full” profile
    • Full profile is the only profile available for single cluster installs. You can learn more about profiles here
  • Self-signed certificates
  • Guest access enabled
    • Guest access can be disabled and authentication providers can be configured following additional steps
  • Testing and Scanning supply chain
    • Learn more about the available out-of-the-box supply chains here
  • Controller mode for namespace provisioning
    • Learn more about GitOps mode here


Please complete all the prerequisites below before proceeding to the next section.

  • TMC
    • TMC access. Learn more here
    • TMC access level. Learn more here
      • cluster.admin
      • organization.credential.admin (to add AWS account, otherwise have .view access)
    • AWS account credential created, so can LCM EKS clusters. Learn more here
    • A cluster group created. Learn more here
  • AWS
    • AWS management console access
    • VPC created for the EKS cluster. Learn more here
    • ECR repositories for platform and workloads created. Learn more here
    • Route 53 hosted zone created/available (or alternative DNS service). Learn more here
  • CLIs
    • Tanzu CLI and Tanzu Mission Control plugins for Tanzu CLI installed. Learn more here
    • AWS CLI installed. Learn more here
    • Kubectl CLI installed. Learn more here
  • Other
    • An ingress domain/sub-domain
    • Optional: ClusterIssuer for public/private CA (otherwise install will use self-signed). Learn more here

Create an EKS Cluster

Using Tanzu Mission Control we will create a single EKS cluster that will meet the requirements for installing Tanzu Application Platform.

  1. In the Tanzu Mission Control console, click “Clusters” in the left navigation pane.
  2. Click “Add cluster”, and then choose “Create EKS cluster” from the dropdown.
  3. Create EKS cluster flow
    1. Name, location, and metadata
      • Enter a name for the cluster
      • Specify an existing cluster group from the drop-down
      • Optional: Add a description and labels
      • Click “Next”
    2. Configure control plane.
      • Select the AWS EKS account credential for the account in which you want to create the cluster.
      • Select the version of Kubernetes to use for the cluster eg 1.28
        • We will be installing Tanzu Application Platform 1.7 later which requires Kubernetes 1.26 to 1.28
      • Optional: Add EKS tags
      • Select the region where your pre-created VPC is configured
      • Select your pre-created VPC
      • Expand “Advanced settings”
        • Select “Public and private” for Cluster endpoint access
        • Optional: Add a CIDR block for access. Otherwise, the endpoint will be open to all traffic (
      • Click “Next”
    3. Add node pools
      • Optional: Add a description, tags, and labels
      • Delete the “t3.medium” instance type
      • Select instance type “t3.xlarge” from the drop-down and then click “Add instance type”
      • Increase the desired number of nodes from 2 to 5
      • Expand “Advanced compute settings”
        • Increase “Root disk size” from 20 GiB to 120 GiB
      • Click “Next”
    4. Proxy configuration
      • Optional: Select a proxy
    5. Click “Create”
  4. Cluster creation takes approximately 15 minutes.
    1. During this process, it creates the cluster and the compute nodes, installs the aws-ebs-csi-driver, and installs the Tanzu Mission Control agents and extensions.
      • Note: During creation, you may see a warning that the aws-ebs-csi-driver is degraded/unhealthy. This state is temporary while the compute nodes are created.

Create IAM Roles

By default, the EKS cluster is provisioned with an EC2 instance profile that provides read-only access for the entire EKS cluster to the ECR registry within your AWS account. However, some of the services within Tanzu Application Platform require write access or batch read access to the container repositories. To provide that access, we need to create IAM roles and add the ARN to the Kubernetes service accounts that those services use. This ensures that only the required services have access to write container images to ECR and the ability for batch read access, rather than a blanket policy that applies to the entire cluster.

  • Set the following environment variables of AWS_ACCOUNT_ID, AWS_REGION, and EKS_CLUSTER_NAME for your specific environment, for example
    • export AWS_ACCOUNT_ID=012345678901	
      export AWS_REGION=us-east-2
      export EKS_CLUSTER_NAME=tap-on-aws
  • Follow only the “Create IAM roles” section in this document
    • Note: To perform the steps in this document you need to have AWS CLI installed and configured as per the prerequisites at the top of this blog post. 

Install Tanzu Application Platform

  1. In the Tanzu Mission Control console, click “Catalog” in the left navigation pane
  2. Click the “Solutions” tab
  3. Select “Single Cluster” if not already selected
  4. Click “Install Tanzu Application Platform”
  5. Install Tanzu Application Platform flow
    • Name and Describe
      • Enter a name for the TAP installation
      • Optional: Add a description
      • Click “Next”
    • Configure Profile
      • Select the latest release of 1.7 from the version drop-down
      • Click “Select Cluster” to select the EKS cluster we just previously created. Once have selected the EKS cluster, click “Select Cluster”
        • Note: On selecting the cluster, TMC will verify if it satisfies the resource requirements for the installation of TAP, on which it should as long as followed the EKS cluster creation steps above.
      • Specify the Ingress domain
        • To access the Tanzu Developer Portal (a GUI for TAP) and deployed workloads using a public URL, you must specify an ingress domain. We will create the DNS record after completing the TAP installation.
        • For example, if specify “”, then the Tanzu Developer Portal will be available at
      • Select “testing_scanning” from the Supply Chain drop-down 
        • Note: You can learn more about the out-of-the-box supply chains here
      • Select “ECR” for the Image Registry Provider and then enter the following four parameters
        • Build service configuration
          • Enter the “Repository path” in the form of “”
            • Example:
            • This repository for the build service was created while fulfilling the prerequisites at the start of this blog post.
          • Enter the “Repository iam role arn” in the form of “arn:aws:iam::AWS_ACCOUNT_ID:role/tap-build-service”
            • Example: arn:aws:iam::012345678901:role/tap-build-service
            • This IAM Role ARN for the build service was created in the section above titled “Create IAM roles”
        • Supply chain configuration
          • Enter the “Registry server URL” in the form of “”
            • Example:
          • Leave “Repository path” as “tanzu-application-platform” unless you changed it when creating the repositories while fulfilling the prerequisites at the start of this blog post.
      • Select the “Developer Namespace provisioner mode” of “Controller”
      • Enter the IAM role ARN for workloads in the form of “arn:aws:iam::AWS_ACCOUNT_ID:role/tap-workload”
        • Example: arn:aws:iam::012345678901:role/tap-workload
        • This IAM Role ARN for the workloads was created in the section above titled “Create IAM roles”
      • Optional: Enter your customer entitlement account number (EAN).
      • Leave “Enable guest login” enabled.
        • By default, unauthenticated guest user access is enabled to the Tanzu Developer Portal. You can optionally disable guest access and configure an alternative authentication provider at the time of installation or post-installation in the Advanced configuration section. For more information, see Set up authentication for Tanzu Developer Portal in the VMware Tanzu Application Platform Documentation.
      • Optional: You can expand the “Advanced Configuration” section of the page to configure additional parameters in the configuration form or YAML format. One example would be to configure the TAP installation to use a pre-configured clusterIssuer for your public/private CA.
      • Click “Done”
      • Click “Next”
    • Accept General Terms
      • Click “View License Agreement” to read the agreement, then click “Close and Accept” to agree to the license terms.
        • You must accept the VMware license agreement to continue with the installation.
      • The option for inclusion in the Customer Experience Improvement Program (CEIP) must also be enabled for the TAP installation to proceed. You can opt out of CEIP telemetry post-installation following this document.
    • Click “Install TAP”
  6. Installation of TAP takes approximately 5 to 10 minutes to complete. Once the installation is complete, the status will change from reconciling to succeeded.

Post Install Steps

Configure DNS

Before we can access the Tanzu Developer Portal or access workloads pushed to the platform, we need to configure DNS.

  • Access the cluster to retrieve the external IP/URL for the loadbalancer used for ingress
    • In the Tanzu Mission Control console, click “Clusters” in the left navigation pane.
    • Click the name of the EKS cluster previously provisioned
    • Click “Actions” and then “Access this cluster”
    • Click “Download kubeconfig file” then “Download kubeconfig for tanzu CLI”
    • Using the downloaded kubeconfig file, retrieve the external ip for the loadbalancer used for ingress for TAP
      • kubectl --kubeconfig=<path/to>/kubeconfig.yml get services -n tanzu-system-ingress
        • kubectl get services -n tanzu-system-ingress
          NAME   TYPE        CLUSTER-IP   EXTERNAL-IP                                                            PORT(S)                   AGE
          contour   ClusterIP   <none>                                                                 8001/TCP                  1h
          envoy  LoadBalancer   80:32702/TCP,443:32277/TCP   1h
  • Create DNS record
    • Note: The following steps are using AWS Route 53 DNS web service. For other DNS solutions, please consult their own documentation on adding a CNAME.
    • Open the Route 53 console in the AWS Management Console
    • Click “Hosted zones”
    • Click the Hosted zone name for the domain you will be using
    • Click “Create record”
    • Enter a wild card subdomain for the record name. This subdomain, without the wildcard, was entered during the installation of TAP above when specifying ingress domain. 
    • Change “Record type” from A to CNAME
    • Enter in the “Value” field the url from the External-IP column for the loadbalancer retrieved above using kubectl.
    • Click “Create records”
    • After approximately a minute, the record should have propagated to the Route 53 authoritative DNS servers.

Verify DNS

  • In the Tanzu Mission Control console, click “Catalog” in the left navigation pane.
  • Click the “Solutions” tab
  • Click “Installed Tanzu Application Platforms”
  • Click the TAP deployment name
  • Click the link beside “Tanzu Developer Portal URL”
  • The Tanzu Developer Portal will open up with a prompt to enter as a guest user.
    • Note: As TAP, following this blog post, was installed using self-signed certs you will receive a warning that you will have to accept. See the prerequisites at the top of this blog post on how can create and use a clusterIssuer for a public/private CA.
    • Note: You can disable guest access and configure authentication for Tanzu Developer Portal following this document which details how to configure authentication providers such as  AuthO, Azure, Bitbucket, GitHub, GitLab, Google, Okta, OneLogin.

Deploy an App

Follow this how to guide to deploy an app with Tanzu Application Platform

Wrap Up

Thank you for following along

If interested in learning more about Tanzu Application Platform, check out our free courses on Tanzu Academy

If you wish to take Tanzu Application Platform for a test drive but don’t have access to resources to install and run it, you can get access to a short-lived environment here

If you wish to contact Tanzu with further questions, please use this form

Filter Tags

Tanzu Tanzu Application Platform Tanzu Mission Control Document Overview Intermediate Advanced AWS