diff --git a/jobs/haproxy/monit b/jobs/haproxy/monit
index 09043121a9..8fef86f756 100644
--- a/jobs/haproxy/monit
+++ b/jobs/haproxy/monit
@@ -1,4 +1,9 @@
-<% if p("cc.allow_app_ssh_access") %>
+<%
+has_link = false
+%>
+
+<% if p("cc.allow_app_ssh_access") && !has_link %>
+<% if_link("ssh_proxy") {  }.else do %>
 check process consul_template
   with pidfile /var/vcap/sys/run/consul_template/pid
   start program "/var/vcap/jobs/haproxy/bin/consul_template_ctl start"
@@ -12,6 +17,7 @@ check file haproxy_config
   group vcap
   depends on haproxy
 <% end %>
+<% end %>
 
 check process haproxy
   with pidfile /var/vcap/sys/run/haproxy/pid
diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec
index c908727cba..a8377b2598 100644
--- a/jobs/haproxy/spec
+++ b/jobs/haproxy/spec
@@ -15,6 +15,11 @@ templates:
   consul_template_ctl:       bin/consul_template_ctl
   cert.pem.erb:              config/cert.pem
 
+consumes:
+  - name: ssh_proxy
+    type: ssh_proxy
+    optional: true
+
 properties:
   ha_proxy.ssl_pem:
     description: "SSL certificate (PEM file)"
diff --git a/jobs/haproxy/templates/haproxy.conf.erb b/jobs/haproxy/templates/haproxy.conf.erb
index 5b825b70c3..92ab11aabf 100644
--- a/jobs/haproxy/templates/haproxy.conf.erb
+++ b/jobs/haproxy/templates/haproxy.conf.erb
@@ -67,3 +67,19 @@ backend tcp-routers
     <% p("router.servers").each_with_index do |ip, index| %>
         server node<%= index %> <%= ip %>:<%= p("router.port") %> check inter 1000
     <% end %>
+
+<% if p("cc.allow_app_ssh_access") %>
+<% if_link("ssh_proxy") do |ssh_proxy| %>
+frontend ssh
+    mode tcp
+    bind :<%= p("app_ssh.port") %>
+    default_backend ssh
+
+backend ssh
+    mode tcp
+    option tcp-check
+    balance leastconn<% ssh_proxy.instances.map do |instance| %>
+    server <%= instance.id %> <%= instance.address %>:2222 check<% end %>
+    timeout server 2h
+<% end %>
+<% end %>