Configuring SSH Access for PCF
To help troubleshoot applications hosted by a deployment, Pivotal Cloud Foundry (PCF) supports SSH access into running applications. This document describes how to configure a PCF deployment to allow SSH access to application instances, and how to configure load balancing for those application SSH sessions.
This section describes how to configure Pivotal Application Service (PAS) to enable or disable deployment-wide SSH access to application instances. In addition to this deployment-wide configuration, Space Managers have SSH access control over their Space, and Space Developers have SSH access control over their Applications. For details about SSH access permissions, see the Application SSH Overview topic.
Note: If you have mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter. This disables
To configure PAS SSH access for app instances:
Open the PAS tile in Ops Manager.
Under the Settings tab, select the Application Containers section.
Enable or disable the Allow SSH access to app containers checkbox.
Optionally, select Enable SSH when an app is created to enable SSH access for new apps by default in spaces that allow SSH. If you deselect this checkbox, developers can still enable SSH after pushing their apps by running cf enable-ssh APP-NAME.
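The three control layers described above (deployment-wide checkbox, Space, and app) combine so that an app instance is reachable over SSH only when all of them allow it. The following added example, which is not part of the original documentation, audits an inventory and reports which layer blocks each app. It assumes the space and app records use the Cloud Controller v2 field names allow_ssh and enable_ssh; the sample records, GUIDs and function names are constructed for illustration.

```python
"""Added example: compute effective app SSH access across the three layers."""
import json

# Constructed sample data, shaped like Cloud Controller v2 space and app
# resources (assumed field names: allow_ssh, enable_ssh). GUIDs are made up.
SPACES_JSON = """{"resources": [
 {"metadata": {"guid": "space-1"}, "entity": {"name": "prod", "allow_ssh": false}},
 {"metadata": {"guid": "space-2"}, "entity": {"name": "dev",  "allow_ssh": true}}]}"""
APPS_JSON = """{"resources": [
 {"entity": {"name": "billing", "space_guid": "space-1", "enable_ssh": true}},
 {"entity": {"name": "api",     "space_guid": "space-2", "enable_ssh": true}},
 {"entity": {"name": "worker",  "space_guid": "space-2", "enable_ssh": false}}]}"""


def effective_ssh(deployment_allows, spaces_doc, apps_doc):
    """Return one row per app; SSH is reachable only if every layer allows it."""
    spaces = {s["metadata"]["guid"]: s["entity"] for s in spaces_doc["resources"]}
    rows = []
    for app in apps_doc["resources"]:
        ent = app["entity"]
        space = spaces.get(ent["space_guid"])
        # A missing space record is treated as "not allowed" so gaps fail closed.
        space_ok = bool(space and space.get("allow_ssh", False))
        app_ok = bool(ent.get("enable_ssh", False))
        layers = (("deployment", deployment_allows), ("space", space_ok), ("app", app_ok))
        blockers = [name for name, ok in layers if not ok]
        rows.append({"app": ent["name"],
                     "space": space["name"] if space else "UNKNOWN",
                     "reachable": not blockers,
                     "blocked_by": blockers})
    return rows


def audit(deployment_allows=True):
    """Run the check over the constructed sample inventory."""
    return effective_ssh(deployment_allows,
                         json.loads(SPACES_JSON), json.loads(APPS_JSON))


if __name__ == "__main__":
    for row in audit():
        state = "SSH OPEN" if row["reachable"] else "blocked by " + ",".join(row["blocked_by"])
        print(f'{row["space"]}/{row["app"]}: {state}')
```

Pass deployment_allows=False to model the Allow SSH access to app containers checkbox being disabled; every app is then reported as blocked regardless of its Space and app settings.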
For IaaSes where load-balancing is available as a service, you should provision a load balancer to balance load across SSH proxy instances. Configure this load balancer to forward incoming TCP traffic on port 2222 to a target pool where you deploy
For AWS, Azure, and GCP IaaSes, you configure SSH load balancers in the Resource Config pane. To register SSH proxies with a load balancer, enter your load balancer name in the Load Balancers field in the Diego Brain row.
Ops Manager supports an API-only nsx_lbs field. You can configure load balancers in vSphere using this field.