Configuring SSH Access for PAS

Page last updated:

To help troubleshoot apps hosted by a deployment, Pivotal Application Service (PAS) supports SSH access into running apps. This document describes how to configure a PAS deployment to allow SSH access to app instances, and how to configure load balancing for those app SSH sessions.

PAS Configuration

This section describes how to configure PAS to enable or disable deployment-wide SSH access to app instances. In addition to this deployment-wide configuration, Space Managers have SSH access control over their Space, and Space Developers have SSH access control over their to their apps. For details about SSH access permissions, see App SSH Overview.

To configure PAS SSH access for app instances:

  1. Open the PAS tile in Ops Manager.

  2. Select App Containers.

  3. Enable or disable the Allow SSH access to app containers checkbox.

  4. Optionally, enable the Enable SSH when an app is created checkbox to enable SSH access for new apps by default in spaces that allow SSH. If you disable this checkbox, developers can still enable SSH after pushing their apps by running cf enable-ssh APP-NAME.

Ssh config ert

SSH Load Balancer Configuration

For IaaSes where load-balancing is available as a service, you should provision a load balancer to balance load across SSH proxy instances. Configure this load balancer to forward incoming TCP traffic on port 2222 to a target pool where you deploy diego_brain instances.

For AWS, Azure, and GCP IaaSes, you configure SSH load balancers in the Resource Config pane. To register SSH proxies with a load balancer, enter your load balancer name in the Load Balancers field in the Diego Brain row.

Ops Manager supports an API-only nsx_lbs field. You can configure load balancers in vSphere using this field.