What type of endpoint should I use for my AWS Transfer Family server?

Last updated: 2020-06-08

Resolution

Review the following comparison of the AWS Transfer Family endpoint types to determine which one best suits your use case:

Public endpoint
  • Supported protocols: SFTP
  • Access: From over the internet. This endpoint type doesn't require any special configuration in your VPC.
  • Static IP address: You can't attach a static IP address. AWS provides IP addresses that are subject to change.
  • Source IP allow list: This endpoint type does not support allow lists by source IP addresses. The endpoint is publicly accessible and listens for traffic over port 22.
  • Client firewall allow list: You must allow the DNS name of the server. Because IP addresses are subject to change, avoid using IP addresses for your client firewall allow list.

Amazon Virtual Private Cloud (Amazon VPC) endpoint with internal access
  • Supported protocols: SFTP, FTP, FTPS
  • Access: From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  • Static IP address: Private IP addresses attached to the endpoint don't change.
  • Source IP allow list: To allow access by source IP address, you can use security groups attached to the server endpoints and network access control lists (network ACLs) attached to the subnet that the endpoint is in.
  • Client firewall allow list: You can allow the private IP addresses or the DNS name of the endpoints.

VPC endpoint with internet-facing access
  • Supported protocols: SFTP, FTPS
  • Access: Over the internet and from within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  • Static IP address: You can attach Elastic IP addresses to the endpoint. These can be AWS-owned IP addresses or your own IP addresses (BYOIP). Elastic IP addresses attached to the endpoint don't change. Private IP addresses attached to the server also don't change.
  • Source IP allow list: To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.
  • Client firewall allow list: You can allow the DNS name of the server or the Elastic IP addresses attached to the server.

VPC_ENDPOINT
  • Supported protocols: SFTP
  • Access: From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  • Static IP address: Private IP addresses attached to the endpoint don't change.
  • Source IP allow list: To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.
  • Client firewall allow list: You can allow the private IP addresses or the DNS name of the endpoints.

Note: The VPC_ENDPOINT endpoint type is available only when you create a server using the AWS Command Line Interface (AWS CLI) or the AWS Transfer Family API.

Consider the following options to increase the security posture of your AWS Transfer Family server:

  • Use a VPC endpoint with internal access, so that the server is accessible only to clients within your VPC or VPC-connected environments such as an on-premises data center over AWS Direct Connect or VPN.
  • To allow clients to access the endpoint over the internet and protect your server, use a VPC endpoint with internet-facing access. Then, modify the VPC's security groups to allow traffic only from certain IP addresses that host your users' clients.
  • Use a Network Load Balancer in front of a VPC endpoint with internal access. Change the listener port on the load balancer from port 22 to a different port. This can reduce—but not eliminate—the risk of port scanners and bots probing your server, because port 22 is most commonly used for scanning. However, if you use a Network Load Balancer, you can't use security groups to allow access from source IP addresses.
  • If you require password-based authentication and you use a custom identity provider with your server, we strongly recommend that you set an aggressive password policy. It's a best practice that your password policy prevents users from creating weak passwords and limits the number of failed login attempts.
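As an added example (written here, not AWS's own code or part of this article), the second option above expressed as an AWS CloudFormation template: an Elastic IP gives the internet-facing VPC endpoint a static address that clients can allow-list, and a security group restricts port 22 to a single client CIDR. The parameter and resource names and the 203.0.113.0/24 default are assumptions; the subnet is assumed to be a public subnet in the given VPC.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: SFTP-only Transfer Family server on a VPC endpoint with internet-facing access, restricted to approved client networks (added example).

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id          # assumption: a public subnet in VpcId
  ClientCidr:
    Type: String
    Default: 203.0.113.0/24             # placeholder (documentation range); use your users' egress CIDR

Resources:
  # Elastic IP: the fixed address that clients can put on their own firewall allow list.
  ServerEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # The security group is the source IP allow list from the article: TCP/22 from ClientCidr only.
  # A 0.0.0.0/0 rule here would make this no safer than the public endpoint type.
  SftpClientsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SFTP (TCP/22) from approved client networks only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref ClientCidr

  SftpServer:
    Type: AWS::Transfer::Server
    Properties:
      Protocols: [SFTP]
      IdentityProviderType: SERVICE_MANAGED
      EndpointType: VPC                 # VPC plus AddressAllocationIds = internet-facing VPC endpoint
      EndpointDetails:
        VpcId: !Ref VpcId
        SubnetIds: [!Ref PublicSubnetId]
        AddressAllocationIds: [!GetAtt ServerEip.AllocationId]
        SecurityGroupIds: [!Ref SftpClientsSecurityGroup]

Outputs:
  ServerId:
    Value: !GetAtt SftpServer.ServerId
  StaticAddress:
    Description: Elastic IP that does not change; suitable for client firewall allow lists.
    Value: !Ref ServerEip
```

Omitting AddressAllocationIds turns the same template into a VPC endpoint with internal access, reachable only from the VPC and VPC-connected networks.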
