How can I enable Elastic IP addresses on my AWS Transfer for SFTP server endpoint?
Last updated: 2019-08-22
I want to make my AWS Transfer for SFTP server accessible from Elastic IP addresses. How can I do that?
Configure an Amazon Virtual Private Cloud (Amazon VPC) endpoint and a Network Load Balancer to make your SFTP server accessible from Elastic IP addresses. Follow these steps:
- Create a VPC endpoint.
- Configure the VPC endpoint on your AWS SFTP server.
- Create a Network Load Balancer and define the VPC endpoint as the load balancer's target.
- Test access to the server from an Elastic IP address.
Before you begin, you must:
- Create a VPC in the same AWS Region as your AWS SFTP server.
- Allocate three Elastic IP addresses in the same Region as your AWS SFTP server. Or, you can choose to bring your own IP address range (BYOIP).
Create a VPC endpoint
- Open the Amazon VPC console.
- From the navigation pane, choose Endpoints.
- Choose Create Endpoint.
- For the Create Endpoint page, enter the following:
For Service category, select AWS services.
For Service Name, select the service name that ends with transfer.server. For example, if you're in the us-east-1 Region, then select com.amazonaws.us-east-1.transfer.server.
For VPC, select the VPC that you want to use for access to your SFTP server.
For Subnets, select the three subnets that you want to use.
For Enable Private DNS Name, keep Enable for this endpoint selected.
For Security group, you can select existing security groups or you can create a new security group. The security group that you use must allow inbound access on port 22 from your IP addresses.
- Choose Create endpoint.
- Under The following VPC Endpoint was created, choose the link to the endpoint to view its details.
- Choose the Subnets tab.
- Note the private IP addresses associated with each subnet. You need these IP addresses in a later step.
Configure the VPC endpoint on your AWS SFTP server
- Open the AWS SFTP console.
- Select your server. Choose Actions and then choose Stop.
- After the server's State changes to Offline, choose the link for Server ID to view the server's configuration.
- For Server configuration, choose Edit.
- For Edit configuration, enter the following:
For Endpoint type, choose VPC.
For VPC endpoint, select the endpoint that you created.
- Choose Save.
Create a Network Load Balancer and define the VPC endpoint as the load balancer's target
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- From the navigation pane, choose Load Balancers.
- Choose Create Load Balancer.
- Under Network Load Balancer, choose Create.
- For Step 1: Configure Load Balancer, enter the following:
For Name, enter a name for the load balancer.
For Scheme, select internet-facing.
For Listeners, keep Load Balancer Protocol as TCP. Then, change the associated Load Balancer Port to 22, or enter whichever port that you want to use as a listener on the load balancer.
For VPC, select the VPC that you want to use.
For Availability Zones, select the Availability Zones associated with the three subnets that you want to use.
For the IPv4 address of each subnet, select one of the Elastic IP addresses that you allocated.
- Choose Next: Configure Security Settings.
- Choose Next: Configure Routing.
- For Step 3: Configure Routing, enter the following:
For Target group, select New target group.
For Name, enter a name for the target group.
For Target type, select IP.
For Protocol, select TCP.
For Port, enter 22.
Under Health checks, for Protocol, select TCP.
- Choose Next: Register Targets.
- For Step 4: Register Targets, enter the following:
For Network, confirm that the VPC you want to use is selected.
For IP, enter the private IP address of one of your VPC's subnets. You copied these IP addresses when you created the VPC endpoint.
- Choose Add to list.
- Repeat steps 10 and 11 until you've entered the private IP addresses of all three subnets.
- Choose Next: Review.
- Choose Create.
Important: To control access to your server from client IP addresses, use the network access control lists (ACLs) for the subnets configured on the load balancer. Network ACL permissions are set at the subnet level, so access rules apply to all resources using the subnet. You can't control access from client IP addresses using security groups because the load balancer's target type is set to IP instead of Instance. This means that the load balancer won't preserve source IP addresses.
Test access to the server from an Elastic IP address
After you configure the VPC endpoint and the Network Load Balancer, you can test access to your AWS SFTP server. For example, the following OpenSSH command connects to the server from a specific IP address:
Note: Replace 192.0.2.3 with an Elastic IP address that you allocated.
sftp -i sftpuserkey firstname.lastname@example.org
If the Network Load Balancer's health checks fail, this means the load balancer can't connect to the AWS SFTP endpoint. To troubleshoot this, check the following:
- Confirm that the VPC endpoint's associated security group allows inbound connections from the subnets configured on the load balancer. The subnets must be able to connect on port 22.
- Confirm that the AWS SFTP server's State is Online.