Creating a server in a virtual private cloud - AWS Transfer Family

Creating a server in a virtual private cloud

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your virtual private cloud (VPC) and a server. You can then use this server to transfer data between your client and your Amazon S3 bucket without going over the public internet.

Using Amazon VPC, you can launch AWS resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see What Is Amazon VPC? in the Amazon VPC User Guide.

The following sections explain how to create a server with a VPC endpoint and connect to it from your VPC. In overview, you do this as follows:

  1. Set up a server using a VPC endpoint.

  2. Connect to your server using a client that is inside your VPC through the VPC endpoint. Doing this enables you to use AWS Transfer Family to transfer data between your client and your Amazon S3 bucket, even though the network is disconnected from the public internet.

  3. In addition, if you choose to make your server's endpoint internet-facing, you can associate Elastic IP addresses with your endpoint. Doing this lets clients outside of your VPC connect to your server. You can use VPC security groups to restrict access to authenticated users whose requests originate from allowed IP addresses.

Create a server endpoint that can be accessed only within your VPC

In the following procedure, you create a server endpoint that is accessible only to resources within your VPC.

To create a server endpoint inside a VPC

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. Choose Create server.

  3. In the Endpoint configuration section, for Endpoint type, choose VPC to host your server's endpoint.

  4. For Access, choose Internal to make your endpoint accessible only to clients using the endpoint's private IP addresses.

    Note

    For details on the Internet Facing option, see the following section. A server that is created in a VPC for internal access only doesn't support custom hostnames.

  5. For VPC, choose an existing VPC ID or choose Create a VPC to create a new VPC.

  6. In the Availability Zones section, choose up to three Availability Zones and associated subnets.

  7. In the Identity provider section, choose Service managed to store user identities and keys in AWS Transfer Family.

    Note

    This procedure uses the service-managed option. If you choose Custom, you provide an Amazon API Gateway endpoint and an AWS Identity and Access Management (IAM) role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your users. To learn more about working with custom identity providers, see Working with identity providers.

  8. (Optional) For Logging role, choose an IAM role that enables Amazon CloudWatch logging of your user activity.

    For more information about setting up a CloudWatch logging role, see Monitoring server usage.

  9. (Optional) For Key and Value, enter one or more tags as key-value pairs.

    Choose Add tag to add additional tags to your server.

  10. Choose Create server to create your server. The Servers page opens, where your new server is listed. Notice that the endpoint type is VPC.

Create an internet-facing endpoint for your server

In the following procedure, you create a server endpoint that is accessible over the internet, but only to clients whose source IP addresses are allowed in your VPC's default security group. Additionally, because the internet-facing endpoint uses Elastic IP addresses, your clients can allow those fixed addresses in their firewalls.

Note

Only SFTP and FTPS can be used on an internet-facing VPC hosted endpoint.

To create an internet-facing endpoint

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. Choose Create server.

  3. In the Endpoint configuration section, for Endpoint type, choose VPC to host your server's endpoint.

  4. For Access, choose Internet Facing to make your endpoint accessible to clients over the internet.

    Note

    When you choose Internet Facing, you can choose an existing Elastic IP address for each subnet. Or you can go to the VPC console (https://console.aws.amazon.com/vpc/) to allocate one or more new Elastic IP addresses. These addresses can be owned either by AWS or by you. You can't associate Elastic IP addresses that are already in use with your endpoint.

  5. For VPC, choose an existing VPC ID, or choose Create a VPC to create a new VPC.

  6. In the Availability Zones section, choose up to three Availability Zones and associated subnets.

  7. Under IPv4 Addresses, choose an Elastic IP address for each subnet. This is the IP address that your clients can use to allow access to your endpoint in their firewalls.

  8. In the Identity provider section, choose Service managed to store user identities and keys in AWS Transfer Family.

    Note

    This procedure uses the service-managed option. If you choose Custom, you provide an API Gateway endpoint and an IAM role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your users. To learn more about working with custom identity providers, see Working with identity providers.

  9. (Optional) For Logging role, choose an IAM role that enables Amazon CloudWatch logging of your user activity.

    For more information about setting up a CloudWatch logging role, see Monitoring server usage.

  10. (Optional) For Key and Value, enter one or more tags as key-value pairs.

    Choose Add tag to add additional tags to your server.

  11. Choose Create server to create your server. The Servers page opens, where your new server is listed. Notice that the endpoint type is VPC.

    You can choose the server ID to see the detailed settings of the server that you just created. When the Public IPv4 address column is populated, the Elastic IP addresses that you provided have been associated with your server's endpoint.

At this point, your endpoint is assigned the selected VPC's default security group. To associate additional security groups or change existing ones, visit the Security Groups section of the VPC console (https://console.aws.amazon.com/vpc/).

Important

You must modify your VPC's default security group to open port 21 (control channel) and ports 8192-8200 (data channel):

Type             Protocol   Port range    Source
Custom TCP Rule  TCP        21            0.0.0.0/0
Custom TCP Rule  TCP        8192 - 8200   0.0.0.0/0
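As an added example (not AWS documentation code), the following Python builds those two rules with the Source narrowed to the client CIDRs the security group is meant to admit, and audits an existing rule set for the 0.0.0.0/0 exposure shown above. The IpPermissions structure is the one the EC2 API accepts; the CIDRs used in the comments and tests are constructed sample values.

```python
"""Security group ingress for an internet-facing Transfer Family FTPS endpoint:
control channel TCP/21 and passive data channel TCP/8192-8200. Added example,
not AWS documentation code. Produces the IpPermissions structure accepted by
`aws ec2 authorize-security-group-ingress --ip-permissions` and by boto3."""
import ipaddress

FTPS_PORT_RANGES = [(21, 21), (8192, 8200)]  # control channel, data channel
ANY_IPV4 = "0.0.0.0/0"


def ftps_ip_permissions(allowed_cidrs, description="FTPS client"):
    """IpPermissions that open 21 and 8192-8200 to allowed_cidrs only."""
    ranges = []
    for cidr in allowed_cidrs:
        # ipaddress rejects malformed input (ValueError); refuse IPv6 entries too.
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 CIDR expected, got {cidr}")
        ranges.append({"CidrIp": str(net), "Description": description})
    return [
        {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi, "IpRanges": ranges}
        for lo, hi in FTPS_PORT_RANGES
    ]


def _covers(rule, lo, hi):
    """True if an ingress rule reaches any TCP port in [lo, hi]."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all traffic: FromPort/ToPort are absent
        return True
    if proto != "tcp":
        return False
    return rule["FromPort"] <= hi and rule["ToPort"] >= lo


def audit_open_to_world(ip_permissions):
    """FTPS port ranges that a describe-security-groups rule set opens to 0.0.0.0/0.

    An empty list means the source is restricted, as the VPC access model intends.
    """
    findings = []
    for lo, hi in FTPS_PORT_RANGES:
        if any(
            _covers(rule, lo, hi)
            and any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
            for rule in ip_permissions
        ):
            findings.append((lo, hi))
    return findings
```

Pass the output of ftps_ip_permissions to `aws ec2 authorize-security-group-ingress --group-id <sg-id> --ip-permissions '<json>'`, and run audit_open_to_world over the IpPermissions returned by `describe-security-groups` to confirm no rule still admits the whole internet.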

Note

When your server in a VPC is online, only the subnets can be modified. You must stop the server to add or change the server endpoint's Elastic IP addresses.

Change the endpoint type for your server

If you have an existing server that is accessible over the internet (that is, has a public endpoint type), you can change its endpoint to a VPC endpoint.

Note

If you have an existing server in a VPC displayed as VPC_ENDPOINT, we recommend that you modify it to the new VPC endpoint type. With this new endpoint type, you no longer need to use a Network Load Balancer (NLB) to associate Elastic IP addresses with your server's endpoint. Also, you can use VPC security groups to restrict access to your server's endpoint. However, you can continue to use the VPC_ENDPOINT endpoint type as needed.

The following procedure assumes that you have a server that uses either the current public endpoint type or the older VPC_ENDPOINT type.

To change the endpoint type for your server

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. Choose Servers.

  3. Select the check box for the server whose endpoint type you want to change. You must stop the server before you can change its endpoint.

  4. For Actions, choose Stop, and wait for the status of the server to change to Offline. You might have to choose Refresh to see the status change.

  5. Choose the server ID, and then choose Edit.

  6. For Endpoint type, choose VPC.

  7. For Access, choose Internal to make your endpoint accessible only to clients using the endpoint's private IP addresses. Choose Internet Facing to make your endpoint accessible to clients over the public internet.

    Note

    When you choose Internet Facing, you can choose an existing Elastic IP address for each subnet. Or, you can go to the VPC console (https://console.aws.amazon.com/vpc/) to allocate one or more new Elastic IP addresses. These addresses can be owned either by AWS or by you. You can't associate Elastic IP addresses that are already in use with your endpoint.

  8. For VPC, choose an existing VPC ID, or choose Create a VPC to create a new VPC.

  9. In the Availability Zones section, select up to three Availability Zones and associated subnets. If Internet Facing is chosen, choose an Elastic IP address for each subnet.

    Note

    If you want the maximum of three Availability Zones but your VPC doesn't have subnets in enough of them, create subnets in additional Availability Zones in the VPC console.

    If you modify the subnets or Elastic IP addresses, the server takes a few minutes to update. You can't save your changes until the server update is complete.

  10. Choose Save.

  11. For Actions, choose Start and wait for the status of the server to change to Online.

    Note

    If you changed a public endpoint type to a VPC endpoint type, notice that Endpoint type for your server has changed to VPC.

The default security group is attached to the endpoint. To change or add additional security groups, see Creating Security Groups.