Configuring SSH Access for PCF
Page last updated:
To help troubleshoot applications hosted by a deployment, Pivotal Cloud Foundry (PCF) supports SSH access into running applications. This document describes how to configure a PCF deployment to allow SSH access to application instances, and how to configure load balancing for those application SSH sessions.
This section describes how to configure Elastic Runtime to enable or disable deployment-wide SSH access to application instances. In addition to this deployment-wide configuration, Space Managers have SSH access control over their Space, and Space Developers have SSH access control over their to their Applications. For details about SSH access permissions, see the Application SSH Overview topic.
To configure Elastic Runtime SSH access for application instances:
Open the Pivotal Elastic Runtime tile in Ops Manager.
Under the Settings tab, select the Application Containers section.
Enable or disable the Allow SSH access to app containers checkbox.
Optionally, select Enable SSH when an app is created to enable SSH access for new apps by default in spaces that allow SSH. If you deselect this checkbox, developers can still enable SSH after pushing their apps by running
cf enable-ssh APP-NAME.
If you use HAProxy as a load balancer and SSH access is enabled, SSH requests are load balanced by HAProxy. This configuration relies on the presence of the same Consul server cluster that Diego components use for service discovery. This configuration also works well for deployments where all traffic on the system domain and its subdomains is directed towards the HAProxy job, as is the case for a BOSH-Lite Cloud Foundry deployment on the default
For AWS deployments, where the infrastructure offers load-balancing as a service through ELBs, the deployment operator can provision an ELB to balance load across the SSH proxy instances. You should configure this ELB to listen to TCP traffic on the port given in
app_ssh.port and to send it to port 2222.
To register the SSH proxies with this ELB, add the ELB identifier to the
elbs property in the
cloud_properties hash of the Diego manifest
access_zN resource pools. If you used the Spiff-based manifest-generation templates to produce the Diego manifest, specify these
cloud_properties hashes in the
iaas_settings.resource_pool_cloud_properties section of the