Configuring SSH Access for PCF

Page last updated:

To help troubleshoot applications hosted by a deployment, Pivotal Cloud Foundry (PCF) supports SSH access into running applications. This document describes how to configure a PCF deployment to allow SSH access to application instances, and how to configure load balancing for those application SSH sessions.

Elastic Runtime Configuration

This section describes how to configure Elastic Runtime to enable or disable deployment-wide SSH access to application instances. In addition to this deployment-wide configuration, Space Managers have SSH access control over their Space, and Space Developers have SSH access control over their to their Applications. For details about SSH access permissions, see the Application SSH Overview topic.

To configure Elastic Runtime SSH access for application instances:

  1. Open the Pivotal Elastic Runtime tile in Ops Manager.

  2. Under the Settings tab, select the Application Containers section.

  3. Enable or disable the Allow SSH access to app containers checkbox.

  4. Optionally, select Enable SSH when an app is created to enable SSH access for new apps by default in spaces that allow SSH. If you deselect this checkbox, developers can still enable SSH after pushing their apps by running cf enable-ssh APP-NAME.

Er config app containers

SSH Load Balancer Configuration

If you use HAProxy as a load balancer and SSH access is enabled, SSH requests are load balanced by HAProxy. This configuration relies on the presence of the same Consul server cluster that Diego components use for service discovery. This configuration also works well for deployments where all traffic on the system domain and its subdomains is directed towards the HAProxy job, as is the case for a BOSH-Lite Cloud Foundry deployment on the default domain.

For AWS deployments, where the infrastructure offers load-balancing as a service through ELBs, the deployment operator can provision an ELB to balance load across the SSH proxy instances. You should configure this ELB to listen to TCP traffic on the port given in app_ssh.port and to send it to port 2222.

To register the SSH proxies with this ELB, add the ELB identifier to the elbs property in the cloud_properties hash of the Diego manifest access_zN resource pools. If you used the Spiff-based manifest-generation templates to produce the Diego manifest, specify these cloud_properties hashes in the iaas_settings.resource_pool_cloud_properties section of the iaas-settings.yml stub.

Create a pull request or raise an issue on the source for this page in GitHub