To make your AWS SFTP server accessible using Elastic IP addresses, create an internet-facing endpoint for your server.
However, if you must change the listener port to a port other than port 22 (for migration), then follow these steps:
Important: Don’t proceed with the following steps if your listener port can be port 22. Instead, create an internet-facing endpoint for your server.
Create an Amazon VPC and allocate IP addresses
- 1. Create an Amazon Virtual Private Cloud (Amazon VPC) in the same AWS Region as your AWS SFTP server.
- 2. Allocate three Elastic IP addresses in the same Region as your AWS SFTP server. Or, you can choose to bring your own IP address range (BYOIP).
Create an Amazon VPC endpoint
- 1. Open the Amazon VPC console.
- 2. From the navigation pane, choose Endpoints.
- 3. Choose Create Endpoint.
- 4. For the Create Endpoint page, enter the following:
For Service category, select AWS services.
For Service Name, select the service name that ends with transfer.server. For example, if you’re in the us-east-1 Region, then select com.amazonaws.us-east-1.transfer.server.
For VPC, select the Amazon VPC that you want to use for access to your SFTP server.
For Subnets, select the three subnets that you want to use.
For Enable Private DNS Name, keep Enable for this endpoint selected.
For Security group, you can select existing security groups or you can create a new security group.
Note: The security group that you use must allow inbound access on port 22 from the subnets of the load balancer that you’ll create in a later step.
- 5. Choose Create endpoint.
- 6. Under The following VPC Endpoint was created, choose the link to the endpoint to view its details.
- 7. Choose the Subnets tab.
- 8. Note the private IP addresses associated with each subnet. You need these IP addresses in a later step.
Configure the VPC endpoint on your AWS SFTP server
- 1. Open the AWS SFTP console.
- 2. Select your server. Choose Actions and then choose Stop.
- 3. After the server’s State changes to Offline, choose the link for Server ID to view the server’s configuration.
- 4. For Server configuration, choose Edit.
- 5. For Edit configuration, enter the following:
For Endpoint type, choose VPC Endpoint.
For VPC endpoint, select the endpoint that you created.
- 6. Choose Save.
Create a Network Load Balancer and define the Amazon VPC endpoint as the load balancer’s target
- 1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- 2. From the navigation pane, choose Load Balancers.
- 3. Choose Create Load Balancer.
- 4. Under Network Load Balancer, choose Create.
- 5. For Step 1: Configure Load Balancer, enter the following:
For Name, enter a name for the load balancer.
For Scheme, select internet-facing.
For Listeners, keep Load Balancer Protocol as TCP. Then, change the associated Load Balancer Port to your custom listener port.
For VPC, select the Amazon VPC that you want to use.
For Availability Zones, select the Availability Zones associated with the three subnets that you want to use.
For the IPv4 address of each subnet, select one of the Elastic IP addresses that you allocated.
- Choose Next: Configure Security Settings.
- 7. Choose Next: Configure Routing.
- 8. For Step 3: Configure Routing, enter the following:
For Target group, select New target group.
For Name, enter a name for the target group.
For Target type, select IP.
For Protocol, select TCP.
For Port, enter 22.
Under Health checks, for Protocol, select TCP.
- 9. Choose Next: Register Targets.
- 10. For Step 4: Register Targets, enter the following:
For Network, confirm that the Amazon VPC you want to use is selected.
For IP, enter the private IP address of one of your Amazon VPC’s subnets. You copied these IP addresses when you created the Amazon VPC endpoint.
- 11. Choose Add to list.
- 12. Repeat steps 10 and 11 until you’ve entered the private IP addresses of all three subnets.
- 13. Choose Next: Review.
- 14. Choose Create.
Important: To control access to your server from client IP addresses, use the network access control lists (ACLs) for the subnets configured on the load balancer. Network ACL permissions are set at the subnet level, so access rules apply to all resources using the subnet. You can’t control access from client IP addresses using security groups, because the load balancer’s target type is set to IP instead of Instance. This means that the load balancer doesn’t preserve source IP addresses.
Test access to the server from an Elastic IP address
After you configure the Amazon VPC endpoint and the Network Load Balancer, you can test access to your AWS SFTP server. For example, the following OpenSSH command connects to the server from a specific IP address:
Note: Replace 192.0.2.3 with an Elastic IP address that you allocated.
sftp -i sftpuserkey -P [port] email@example.com
If the Network Load Balancer’s health checks fail, this means the load balancer can’t connect to the AWS SFTP endpoint. To troubleshoot this, check the following:
- 1) Confirm that the VPC endpoint’s associated security group allows inbound connections from the subnets configured on the load balancer. The load balancer must be able to connect to the Amazon VPC endpoint over port 22.
- 2) Confirm that the AWS SFTP server’s State is Online.