Pivotal Cloud Foundry v1.7

Creating a Proxy ELB for Diego SSH without CloudFormation


If you want to allow SSH connections to application containers, you may want to use an Elastic Load Balancer (ELB) as the SSH proxy.

Users who deploy a Pivotal Cloud Foundry (PCF) 1.6+ installation on Amazon Web Services (AWS) using the CloudFormation template will automatically have this ELB created for them. However, if you are not using the CloudFormation template, or you are upgrading from an earlier version of PCF, perform the following steps to create this ELB in AWS manually:

  1. On the EC2 Dashboard, click Load Balancers.

  2. Click Create Load Balancer, and configure a load balancer with the following information:


    • Enter a load balancer name.
    • Create LB Inside: Select the pcf-vpc VPC where your PCF installation lives.
    • Ensure that the Create an internal load balancer checkbox is not selected.
  3. Under Load Balancer Protocol, ensure that this ELB is listening on TCP port 2222 and forwarding to TCP port 2222.

  4. Under Select Subnets, select the public subnet.

  5. On the Assign Security Groups page, create a new Security Group. This Security Group should allow inbound traffic on TCP port 2222.


  6. The Configure Security Settings page displays a security warning because your load balancer is not using a secure listener. You can ignore this warning.


  7. Click Next: Configure Health Check.


  8. Select TCP in Ping Protocol on the Configure Health Check page. Ensure that the Ping Port value is 2222 and set the Health Check Interval to 30 seconds.

  9. Click Next: Add EC2 Instances.

  10. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

  11. Accept the defaults on the Add Tags page and click Review and Create.

  12. Review and confirm the load balancer details, and click Create.

  13. With your DNS service (for example, Amazon Route 53), create an ssh.system.YOUR-SYSTEM-DOMAIN DNS record that points to this ELB that you just created.


  14. You can now use this ELB as the SSH proxy for your Elastic Runtime installation.

  15. In Elastic Runtime, select Resource Config, and enter the ELB that you just created in the Diego Brain row, under the ELB Names column.

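The same load balancer, security group and DNS record expressed in Terraform, added here as an example and not part of the PCF documentation. The resource names and the vpc-/subnet-/zone- placeholders are assumptions to replace with your own IDs, and the health-check timeout and thresholds are taken as the console defaults the steps above tell you to accept.

```hcl
# Step 5: allow inbound TCP 2222 to the ELB. It is public (not internal), so
# 0.0.0.0/0 matches the page; narrow it if users connect from known ranges.
resource "aws_security_group" "diego_ssh_elb" {
  name   = "pcf-diego-ssh-elb"
  vpc_id = "vpc-PLACEHOLDER"              # the pcf-vpc VPC (step 2)
  ingress {
    from_port   = 2222
    to_port     = 2222
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {                                # only what the ELB needs: the Diego brains on 2222
    from_port   = 2222
    to_port     = 2222
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Steps 2-8: external classic ELB, TCP 2222 -> TCP 2222, TCP health check on
# 2222 every 30 s. Timeout and thresholds are assumed console defaults.
resource "aws_elb" "diego_ssh" {
  name            = "pcf-diego-ssh"
  internal        = false
  subnets         = ["subnet-PLACEHOLDER"]  # the public subnet (step 4)
  security_groups = [aws_security_group.diego_ssh_elb.id]
  listener {
    lb_port           = 2222
    lb_protocol       = "tcp"
    instance_port     = 2222
    instance_protocol = "tcp"
  }
  health_check {
    target              = "TCP:2222"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 10
    unhealthy_threshold = 2
  }
}
# Step 13: DNS alias record ssh.system.YOUR-SYSTEM-DOMAIN -> the ELB.
resource "aws_route53_record" "ssh" {
  zone_id = "ZONE-PLACEHOLDER"              # hosted zone of YOUR-SYSTEM-DOMAIN
  name    = "ssh.system.YOUR-SYSTEM-DOMAIN"
  type    = "A"
  alias {
    name                   = aws_elb.diego_ssh.dns_name
    zone_id                = aws_elb.diego_ssh.zone_id
    evaluate_target_health = false
  }
}
```

No instances are listed because Ops Manager attaches the Diego brain VMs through the ELB Names field in step 15.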
