Creating a Proxy ELB for Diego SSH

Page last updated:

Warning: Pivotal Cloud Foundry (PCF) v2.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

If you want to allow SSH connections to application containers, you may want to use an Elastic Load Balancer (ELB) as the SSH proxy.

Perform the steps below to create this ELB:

  1. On the EC2 Dashboard, click Load Balancers.

  2. Click Create Load Balancer, and configure a classic load balancer with the following information:

    Aws ssh elb step1

    • Enter a load balancer name.
    • Create LB Inside: Select the pcf-vpc VPC where your PCF installation lives.
    • Ensure that the Create an internal load balancer checkbox is not selected.

  3. Under Load Balancer Protocol, ensure that this ELB is listening on TCP port 2222 and forwarding to TCP port 2222.

  4. Under Select Subnets, select the public subnet.

  5. On the Assign Security Groups page, create a new Security Group. This Security Group should allow inbound traffic on TCP port 2222.

    Aws ssh elb securitygroup

  6. The Configure Security Settings page displays a security warning because your load balancer is not using a secure listener. You can ignore this warning.

    Aws ssh elb security warning

  7. Click Next: Configure Health Check.

    Aws ssh elb healthcheck

  8. Select TCP in Ping Protocol on the Configure Health Check page. Ensure that the Ping Port value is 2222 and set the Health Check Interval to 30 seconds.

  9. Click Next: Add EC2 Instances.

  10. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

  11. Accept the defaults on the Add Tags page and click Review and Create.

  12. Review and confirm the load balancer details, and click Create.

  13. With your DNS service (for example, Amazon Route 53), create an ssh.system.YOUR-SYSTEM-DOMAIN DNS record that points to this ELB that you just created.

    Aws ssh elb domain

  14. You can now use this ELB to the SSH Proxy of your Pivotal Application Service (PAS) installation.

  15. In PAS, select Resource Config, and enter the ELB that you just created in the Diego Brain row, under the Load Balancers column.

    Aws ssh er diego brain config