How can I enable Elastic IP addresses on my AWS Transfer for SFTP server endpoint with a custom listener port?

Last updated: 2020-06-08

I want to make my AWS Transfer for SFTP server accessible using Elastic IP addresses, and the listener port can't be port 22. How can I do that?

Resolution

If you can use port 22 as your listener port, then create an internet-facing endpoint for your server.

However, if you must change the listener port to a port other than port 22 (for migration), then follow these steps:

Create an Amazon Virtual Private Cloud (Amazon VPC) and allocate IP addresses

  1. Create an Amazon VPC in the same AWS Region as your server.
  2. Create subnets in your VPC within Availability Zones that you want to use your server in.
    Note: One AWS Transfer Family server can support up to three Availability Zones.
  3. Allocate up to three Elastic IP addresses in the same Region as your server. Or, you can choose to bring your own IP address range (BYOIP).
    Note: The number of Elastic IP addresses must match the number of Availability Zones that you use with your server endpoints.

Create an AWS Transfer for SFTP server with an internal VPC endpoint type

  1. Follow the steps to create a server endpoint that's accessible only from within your VPC.
  2. After you create the server, view the server's details from the AWS Transfer Family console. Under Endpoint configuration, note the Private IPv4 Addresses. You need these IP addresses for the steps to create a Network Load Balancer.

Create a Network Load Balancer and define the VPC endpoint of the server as the load balancer's target

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. From the navigation pane, choose Load Balancers.
  3. Choose Create Load Balancer.
  4. Under Network Load Balancer, choose Create.
  5. For Step 1: Configure Load Balancer, enter the following:
    For Name, enter a name for the load balancer.
    For Scheme, select internet-facing.
    For Listeners, keep Load Balancer Protocol as TCP. Then, change the associated Load Balancer Port to your custom listener port.
    For VPC, select the Amazon VPC that you created.
    For Availability Zones, select the Availability Zones associated with the public subnets that are available in the same VPC you use with your server endpoints.
    For the IPv4 address of each subnet, select one of the Elastic IP addresses that you allocated.
  6. Choose Next: Configure Security Settings.
  7. Choose Next: Configure Routing.
  8. For Step 3: Configure Routing, enter the following:
    For Target group, select New target group.
    For Name, enter a name for the target group.
    For Target type, select IP.
    For Protocol, select TCP.
    For Port, enter 22.
    Note: AWS Transfer for SFTP servers support traffic only over port 22. The load balancer must communicate to the server over port 22.
    Under Health checks, for Protocol, select TCP.
  9. Choose Next: Register Targets.
  10. For Step 4: Register Targets, enter the following:
    For Network, confirm that the Amazon VPC you want to use is selected.
    For IP, enter the private IPv4 addresses of your server's endpoints. You copied these IP addresses after creating the server.
  11. Choose Add to list.
  12. Repeat steps 10 and 11 until you've entered the private IP addresses for all of your server's endpoints.
  13. Choose Next: Review.
  14. Choose Create.

After you set up the server and load balancer, clients communicate to the load balancer over the custom port listener. Then, the load balancer communicates to the server over port 22.

Test access to the server from an Elastic IP address

Connect to the server over the custom port using an Elastic IP address or the DNS name of the Network Load Balancer. For example, the following OpenSSH command connects to the server using an Elastic IP address and a custom port:

Note: Replace [port] with your custom port. Then, replace 192.0.2.3 with an Elastic IP address that you allocated.

sftp -i sftpuserkey -P [port] sftpuser@192.0.2.3

Important: Manage access to your server from client IP addresses using the network access control lists (network ACLs) for the subnets configured on the load balancer. Network ACL permissions are set at the subnet level, so the rules apply to all resources using the subnet. You can't control access from client IP addresses using security groups, because the load balancer's target type is set to IP instead of Instance. This means that the load balancer doesn't preserve source IP addresses. If the Network Load Balancer's health checks fail, this means the load balancer can't connect to the server endpoint. To troubleshoot this, check the following:

  • Confirm that the server endpoint's associated security group allows inbound connections from the subnets configured on the load balancer. The load balancer must be able to connect to the server endpoint over port 22.
  • Confirm that the server's State is Online.

Did this article help you?

Anything we could improve?


Need more help?