Configuring SSH Access for PAS


This topic describes how to configure SSH access for Pivotal Application Service (PAS).


To help troubleshoot apps hosted by a deployment, PAS supports SSH access into running apps. This document describes how to configure a PAS deployment to allow SSH access to app instances, and how to configure load balancing for those app SSH sessions.

Configure PAS SSH Access

This section describes how to configure PAS to enable or disable deployment-wide SSH access to app instances. In addition to this deployment-wide configuration, Space Managers have SSH access control over their Space, and Space Developers have SSH access control over their apps. For details about SSH access permissions, see App SSH Overview.

To configure PAS SSH access for app instances:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the PAS tile.

  3. Select App Containers.

  4. Enable or disable the Allow SSH access to app containers checkbox.

  5. Optionally, select the Enable SSH when an app is created checkbox to enable SSH access for new apps by default in spaces that allow SSH. If you deselect this checkbox, developers can still enable SSH after pushing their apps by running cf enable-ssh APP-NAME, where APP-NAME is the name of the app for which they want to enable SSH.
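To verify the result of this configuration, the following added example (not part of the original PAS documentation) reports which apps are actually reachable over SSH once the deployment, space, and app settings are combined. It assumes that all three levels must permit SSH, that the input is JSON saved from cf curl /v2/spaces and cf curl /v2/apps (Cloud Controller v2 fields allow_ssh and enable_ssh), and that the operator supplies the state of the tile checkbox; the function name and the sample data are constructed for illustration.

```python
import json

# Constructed sample data shaped like single pages of `cf curl /v2/spaces`
# and `cf curl /v2/apps`. Real responses are paginated via next_url.
SPACES_JSON = """{"resources": [
 {"metadata": {"guid": "space-1"}, "entity": {"name": "dev", "allow_ssh": true}},
 {"metadata": {"guid": "space-2"}, "entity": {"name": "prod", "allow_ssh": false}}
]}"""
APPS_JSON = """{"resources": [
 {"metadata": {"guid": "app-1"}, "entity": {"name": "api", "space_guid": "space-1", "enable_ssh": true}},
 {"metadata": {"guid": "app-2"}, "entity": {"name": "worker", "space_guid": "space-1", "enable_ssh": false}},
 {"metadata": {"guid": "app-3"}, "entity": {"name": "billing", "space_guid": "space-2", "enable_ssh": true}},
 {"metadata": {"guid": "app-4"}, "entity": {"name": "orphan", "space_guid": "space-9", "enable_ssh": true}}
]}"""


def ssh_audit(spaces_json, apps_json, deployment_allows_ssh):
    """Return one row per app with its effective SSH status (hypothetical helper).

    deployment_allows_ssh mirrors the "Allow SSH access to app containers"
    checkbox, which the operator supplies because it is a tile setting.
    """
    spaces = {s["metadata"]["guid"]: s["entity"]
              for s in json.loads(spaces_json)["resources"]}
    rows = []
    for app in json.loads(apps_json)["resources"]:
        ent = app["entity"]
        space = spaces.get(ent["space_guid"])
        if not deployment_allows_ssh:
            status = "blocked:deployment"
        elif space is None:
            # Space missing from the export (for example, an unfetched page):
            # report it as unknown instead of guessing either way.
            status = "unknown:space-not-in-export"
        elif not space.get("allow_ssh", False):
            status = "blocked:space"
        elif not ent.get("enable_ssh", False):
            status = "blocked:app"
        else:
            status = "reachable"
        rows.append({"app": ent["name"],
                     "space": space["name"] if space else "?",
                     "status": status})
    return rows


if __name__ == "__main__":
    for row in ssh_audit(SPACES_JSON, APPS_JSON, deployment_allows_ssh=True):
        print(row)
```

Rows with status reachable are the apps a Space Developer can open an SSH session to; rows marked unknown need the remaining result pages fetched before the audit is complete.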

Configure an SSH Load Balancer

For IaaSes where load-balancing is available as a service, you should provision a load balancer to balance load across SSH proxy instances. Configure this load balancer to forward incoming TCP traffic on port 2222 to a target pool where you deploy diego_brain instances.

For AWS, Azure, and GCP IaaSes, you configure SSH load balancers in the Resource Config pane. To register SSH proxies with a load balancer:

  1. Select Resource Config.

  2. In the Diego Brain row, enter your load balancer name in the Load Balancers field.

Ops Manager supports an API-only nsx_lbs field. You can configure load balancers in vSphere using this field.