
This is for internal use by the PaaS team. Public-facing documentation is located at


We use BOSH for software packaging, release management, and virtual machine (VM) lifecycle management.

BOSH runs as a single instance per environment and runs the following components:


Architecture diagram showing BOSH director and colocated components: sshd, Director, UAA, CredHub


BOSH Director

The BOSH Director has an API, which we connect to via a reverse proxy (nginx) through a SOCKS proxy managed by SSH.


CredHub has an API which we connect to through a SOCKS proxy managed by SSH.


UAA is used by components on the BOSH director, and by operators directly.

Colocated components talk to UAA directly using the TLS certificate generated by BOSH.

Operators authenticate with UAA using Google single sign-on, reaching UAA through an Amazon load balancer. The load balancer is accessible via the VPN or from the office. The SOCKS proxy is not used for this because a web browser is needed to sign in.


Review Accessing BOSH, Credhub, and UAA.