Pivotal Cloud Foundry v1.7

Configuring SSH Access for PCF

To help troubleshoot applications hosted by a deployment, Pivotal Cloud Foundry (PCF) supports SSH access into running applications. This document describes how to configure a PCF deployment to allow SSH access to application instances, and how to configure load balancing for those application SSH sessions.

Elastic Runtime Configuration

This section describes how to configure Elastic Runtime to enable or disable deployment-wide SSH access to application instances. Space administrators and app developers can also control SSH access at the space and app scope, respectively. See Application SSH Overview for details on SSH access permissions.

To configure Elastic Runtime SSH access for application instances:

  1. Open the Pivotal Elastic Runtime tile in Ops Manager.

  2. Under the Settings tab, select the Application Containers section.

  3. Enable or disable the Allow SSH access to app containers checkbox.

SSH Load Balancer Configuration

If you are using HAProxy as a load balancer and SSH access is enabled, SSH requests are load balanced by HAProxy. This configuration relies on the presence of the same Consul server cluster that Diego components use for service discovery. This configuration also works well for deployments where all traffic on the system domain and its subdomains is directed towards the HAProxy job, as is the case for a BOSH-Lite Cloud Foundry deployment on the default 192.0.2.34.xip.io domain.

For AWS deployments, where the infrastructure offers load balancing as a service through ELBs, the deployment operator can provision an ELB to balance load across the SSH proxy instances. You should configure this ELB to listen for TCP traffic on the port given in app_ssh.port and to send it to port 2222.

In order to register the SSH proxies with this ELB, you should then add the ELB identifier to the elbs property in the cloud_properties hash of the Diego manifest access_zN resource pools. If you used the spiff-based manifest-generation templates to produce the Diego manifest, specify these cloud_properties hashes in the iaas_settings.resource_pool_cloud_properties section of the iaas-settings.yml stub.
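
A check for the ELB setup described above, added here as an example and not taken from the PCF documentation: it confirms that the ELB has a TCP listener from app_ssh.port to port 2222 and that every access_zN resource pool lists the ELB in its elbs property. The ELB names, the sample data and the function name check_ssh_elb are constructed for illustration; the JSON follows the output shape of `aws elb describe-load-balancers`, and the resource pool layout is an assumption about the parsed Diego manifest.

```python
import json

SSH_PROXY_PORT = 2222  # port the ELB must forward SSH traffic to

# Constructed sample, trimmed to the fields used below.
SAMPLE_ELBS = json.loads("""
{"LoadBalancerDescriptions": [
  {"LoadBalancerName": "example-ssh-proxy-elb",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 2222,
                   "InstanceProtocol": "TCP", "InstancePort": 2222}}]},
  {"LoadBalancerName": "example-bad-elb",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 2222,
                   "InstanceProtocol": "HTTP", "InstancePort": 8080}}]}
]}
""")

# Constructed sample: resource pools from a parsed Diego manifest (assumed layout).
SAMPLE_POOLS = [
    {"name": "access_z1", "cloud_properties": {"elbs": ["example-ssh-proxy-elb"]}},
    {"name": "access_z2", "cloud_properties": {}},
    {"name": "cell_z1", "cloud_properties": {}},
]


def check_ssh_elb(elb_name, app_ssh_port, elbs, pools):
    """Return a list of problems; an empty list means the setup matches."""
    desc = next((d for d in elbs["LoadBalancerDescriptions"]
                 if d["LoadBalancerName"] == elb_name), None)
    if desc is None:
        return [f"ELB {elb_name} not found"]
    problems = []
    listeners = [ld["Listener"] for ld in desc["ListenerDescriptions"]]
    # SSH is not HTTP: the listener must pass raw TCP through to the proxy port.
    if not any(l["Protocol"] == "TCP" and l["LoadBalancerPort"] == app_ssh_port
               and l["InstancePort"] == SSH_PROXY_PORT for l in listeners):
        problems.append(f"no TCP listener {app_ssh_port} -> {SSH_PROXY_PORT}")
    # Only the access_zN pools host SSH proxies; other pools are ignored.
    for pool in pools:
        if pool["name"].startswith("access_z"):
            if elb_name not in pool.get("cloud_properties", {}).get("elbs", []):
                problems.append(f"{pool['name']} does not register with {elb_name}")
    return problems
```

With the sample data, the first ELB passes the listener check but is missing from access_z2, which would leave that zone's SSH proxies out of rotation.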
