What type of endpoint should I use for my AWS SFTP server?

Last updated: 2020-02-27

What type of endpoint should I use for my AWS Transfer for SFTP (AWS SFTP) server?

Short Description

You can use the following types of endpoints with your AWS SFTP server:

  • Public endpoint: AWS SFTP servers with a public endpoint are accessible over the internet. With this endpoint type, AWS SFTP listens over port 22 for traffic. Anyone with the correct credentials can access the server.
  • Amazon Virtual Private Cloud (VPC) endpoint with internal access: AWS SFTP servers configured with a VPC endpoint with internal access are accessible only from within the defined VPC. You can use security groups to allow only certain client IP addresses. To configure this endpoint type, you must specify the VPC and subnets that you want to host the endpoint in.
  • VPC endpoint with internet-facing access: AWS SFTP servers configured with a VPC endpoint with internet-facing access are accessible over the internet. You can use security groups to allow only certain client IP addresses. To configure this endpoint type, you must specify the VPC and subnets that you want to host the endpoint in. Additionally, you must attach Elastic IP addresses to your AWS SFTP server. These IP addresses can be AWS IP addresses or your own IP addresses (BYOIP).
  • VPC_ENDPOINT: This endpoint type is available only when you create a server using the AWS Command Line Interface (AWS CLI) or the AWS SFTP API. Servers with VPC_ENDPOINT are accessible only from within the specified VPC. To make this endpoint type accessible over the internet, you must create a Network Load Balancer and target the VPC_ENDPOINT for AWS SFTP traffic.
    Note: We recommend that you use VPC endpoint with internal access or VPC endpoint with internet-facing access, instead of VPC_ENDPOINT. The VPC endpoint types support the option to directly associate up to three Elastic IP addresses with the endpoint. Additionally, the VPC endpoint types allow you to use the VPC's security groups to filter access by the client’s public IP addresses. These features aren't supported by VPC_ENDPOINT.

In general, you can choose your endpoint type based on the following scenarios:

  • To have a publicly accessible AWS SFTP server without any special configurations, you can use a public endpoint.
  • To have a static IP address for your server, the ability to allow or deny specific client IP addresses, or both, you can use a VPC endpoint with internet-facing access.
  • To allow access from only within a VPC, you can use a VPC endpoint with internal access. With this endpoint type, you can also allow or deny specific client IP addresses.
  • To use a custom port for AWS SFTP traffic, you can use a VPC endpoint with internal access along with a Network Load Balancer. With this configuration, you can allow or deny specific client IP addresses.

Resolution

Based on your use case, it's a best practice to use the following endpoint types and configurations:

I want an AWS SFTP server that's accessible from the internet, and I don't need any special configuration for access to my server

Use a public endpoint. Public endpoints don't require any special configurations (for example, an internet gateway) in your VPC.

I want my AWS SFTP server to be accessible only from within my VPC

Use a VPC endpoint with internal access. This endpoint type allows access to the server from only within the VPC that you specify. You can access the server over the internal IP address that you assign to the endpoint, which you can find in the AWS SFTP console.

I want my AWS SFTP server to be accessible only from within my VPC, and I want to allow access from certain IP addresses

Use a VPC endpoint with internal access. This endpoint type allows access to the server only from within your VPC. Additionally, you can modify the security groups that are attached to the endpoint to allow access from certain IP addresses.

I want an AWS SFTP server that's accessible from the internet, and I want its IP address to be static so that I can allow it on my firewalls

Use a VPC endpoint with internet-facing access. You can attach Elastic IP addresses to the endpoint and allow those IP addresses on your firewalls.

Note: The Elastic IP addresses that you allocate to the AWS SFTP server don't change when you take the server offline and bring it back online.

I want an AWS SFTP server that's accessible from the internet, and I have a specific list of clients that I want to grant server access to

Use a VPC endpoint with internet-facing access. By default, the VPC's default security group is attached to the endpoint. However, you can change the attached security group. Then, you can allow access from the client IP addresses in the security group that you choose. Additionally, because the endpoint is created in a specific subnet, you can allow access from clients on the network access control list (network ACL) that's attached to the subnet.

Note: Security groups have a default quota of 300 rules per network interface. You can request to increase the quota up to 1,000 rules per network interface. Network ACLs have a default quota of 20 rules per ACL. You can request to increase the quota up to 40 rules per ACL.

I want an AWS SFTP server that's accessible from the internet, but I want to deny access to certain IP addresses

Use a VPC endpoint with internet-facing access. Then, deny access to the IP addresses using the associated network ACLs. Security groups don't support deny rules.

Note: When you add the deny rules to your network ACL, you must be sure that the denied IP addresses don't access other resources in the subnet. The network ACL denies access to the entire subnet.

I want an AWS SFTP server that's accessible from the internet, and my clients use a custom port for AWS SFTP traffic

Use a VPC endpoint with internal access, and then attach a Network Load Balancer to the VPC endpoint. AWS SFTP servers listen on port 22 for traffic. When you deploy the Network Load Balancer, you can configure the load balancer listener to listen for traffic over the custom port. Then, the load balancer communicates with the AWS SFTP server on port 22.

To allow or deny access to certain clients, update the network ACLs. Because clients connect to the load balancer instead of directly to the server, client IP addresses aren't preserved with this configuration. This means that you can't use security groups to allow access from client IP addresses.

Note: Network ACLs have fewer rules available in the quota when compared to security groups. Network ACLs have a default quota of 20 rules per ACL. You can request to increase the quota up to 40 rules per ACL.

I want an AWS SFTP server that's accessible from the internet, my clients use a custom port for AWS SFTP traffic, and I want to allow or deny access to certain clients

Use a VPC endpoint with internal access, and then attach a Network Load Balancer to the VPC endpoint. Configure the load balancer to listen for traffic on your clients' custom port. To allow or deny access to certain clients, update the network ACLs. Because clients connect to the load balancer instead of directly to the server, client IP addresses aren't preserved with this configuration. This means that you can't use security groups to allow access from client IP addresses.

Note: Network ACLs have fewer rules available in the quota when compared to security groups. Network ACLs have a default quota of 20 rules per ACL. You can request to increase the quota up to 40 rules per ACL.

I want an AWS SFTP server that's accessible from the internet, my clients use a custom port for AWS SFTP traffic, and I want to have a static IP address for my server

Use a VPC endpoint with internal access, and then attach a Network Load Balancer to the VPC endpoint. Configure the load balancer to listen for traffic on your clients' custom port. When you create the Network Load Balancer, you can attach Elastic IP addresses to its public interfaces. Clients can then allow those Elastic IP addresses on their firewalls, because that is the address they connect to.

I want to allow access to my AWS SFTP server from a large number of client IP addresses

Use a VPC endpoint with internal access or internet-facing access, so that you can use security groups to allow access from the client IP addresses. Network ACLs offer a maximum of 40 rules. In contrast, security groups allow 300 rules per network interface by default, and you can request to increase the quota up to 1,000 rules. Select either an internal or internet-facing VPC endpoint based on where your clients reside.
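To make the security-group versus network-ACL trade-offs in the scenarios above concrete, here is an added Python example (not from AWS or this article) that maps a client allow list and deny list onto the rule set each endpoint choice permits (deny rules only in the network ACL, no security-group filtering behind a Network Load Balancer) and checks the result against the quotas quoted above. The FilterPlan class and plan_filtering function are this example's own names; it produces a plan, not real AWS API calls.

```python
from dataclasses import dataclass, field

# Quotas exactly as the article states them: default / maximum after a quota increase.
SG_RULES_DEFAULT, SG_RULES_MAX = 300, 1000
NACL_RULES_DEFAULT, NACL_RULES_MAX = 20, 40
SFTP_PORT = 22  # AWS SFTP always listens here; only an NLB in front can expose another port.


@dataclass
class FilterPlan:
    endpoint_type: str
    listener_port: int
    sg_rules: list = field(default_factory=list)    # (cidr, port) allow entries
    nacl_rules: list = field(default_factory=list)  # (rule_no, action, cidr, port)
    notes: list = field(default_factory=list)


def plan_filtering(allow, deny=(), internet_facing=True, custom_port=None, quota_raised=False):
    """Map allow/deny client CIDRs onto security-group and network-ACL rules (hypothetical planner)."""
    if custom_port:
        # A custom port means a Network Load Balancer in front of an internal VPC endpoint.
        # The NLB does not preserve client IPs, so security groups cannot filter them and
        # every allow or deny entry has to live in the subnet's network ACL instead.
        plan = FilterPlan("VPC endpoint with internal access + Network Load Balancer", custom_port)
        plan.notes.append("client IPs are not preserved behind the NLB; security groups cannot filter them")
        rule_no = 100
        for action, cidrs in (("deny", deny), ("allow", allow)):   # deny rules get the lower numbers
            for cidr in cidrs:
                plan.nacl_rules.append((rule_no, action, cidr, custom_port))
                rule_no += 10
    else:
        plan = FilterPlan("VPC endpoint with internet-facing access" if internet_facing
                          else "VPC endpoint with internal access", SFTP_PORT)
        plan.sg_rules = [(cidr, SFTP_PORT) for cidr in allow]
        # Security groups have no deny rules, so denies go into the subnet's network ACL.
        plan.nacl_rules = [(100 + 10 * i, "deny", cidr, SFTP_PORT) for i, cidr in enumerate(deny)]
        if deny:
            plan.notes.append("a network ACL deny applies to the whole subnet, not only the SFTP endpoint")
    # Quota check: a hard error above the maximum, a note when a quota increase is needed.
    for name, count, default, maximum in (
        ("security group", len(plan.sg_rules), SG_RULES_DEFAULT, SG_RULES_MAX),
        ("network ACL", len(plan.nacl_rules), NACL_RULES_DEFAULT, NACL_RULES_MAX),
    ):
        if count > maximum:
            raise ValueError(f"{count} {name} rules exceed the maximum of {maximum}")
        if count > default and not quota_raised:
            plan.notes.append(f"{count} {name} rules exceed the default quota of {default}; request an increase")
    return plan
```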

I want to increase the security posture of my AWS SFTP server to block potential attackers

You have several options:

  • Use a VPC endpoint with internal access, so that the server is accessible only to clients within your VPC or VPC-connected environments such as an on-premises data center over AWS Direct Connect or VPN.
  • To allow clients to access the endpoint over the internet and protect your server, use a VPC endpoint with internet-facing access. Then, modify the VPC's security groups to allow traffic only from certain IP addresses that host your users' clients.
  • Use a Network Load Balancer in front of a VPC endpoint with internal access. Change the listener port on the load balancer from port 22 to a different port. This can reduce—but not eliminate—the risk of port scanners and bots probing your server, because port 22 is most commonly used for scanning. However, if you use a Network Load Balancer, you can't use security groups to allow access from source IP addresses.

I want to protect my AWS SFTP server from dictionary attacks or brute force attempts

If you require password-based authentication and you use a custom identity provider with your server, we strongly recommend that you set an aggressive password policy that:

  • Prevents users from creating weak passwords
  • Limits the number of failed login attempts for a single account over a period of time