AWS Transfer for SFTP
User Guide

Creating an SFTP Server in a Virtual Private Cloud

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a connection between your virtual private cloud (VPC) and AWS SFTP. You can use this connection to create a Secure File Transfer Protocol (SFTP) server. You can then use this server to transfer data over SFTP to and from your Amazon S3 bucket using AWS SFTP without going over the public internet.

Using Amazon VPC, you can launch AWS resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see What Is Amazon VPC? in the Amazon VPC User Guide.

In the next section, you can find instructions on how to connect your VPC to an AWS SFTP server. First, you define an interface VPC endpoint, which enables you to connect your VPC to other AWS services. The endpoint provides reliable, scalable connectivity to services without requiring an internet gateway, network address translation (NAT) instance, or virtual private network (VPN) connection. For more information, see Interface VPC Endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

The same section also shows how to set up an AWS SFTP server using that VPC endpoint and how to transfer data to your Amazon S3 bucket over a secure private network. You can then connect to your AWS SFTP server through the VPC endpoint from an SFTP client that is inside your VPC. Doing this enables you to transfer data that is stored in your S3 bucket over SFTP using AWS SFTP, even though the network is disconnected from the public internet.

Important

When you configure AWS SFTP to send messages from Amazon VPC, make sure that you enable private Domain Name System (DNS) and use only endpoints in the following format: server.transfer.region.amazonaws.com

In this format, region stands for the AWS Region that you're working in.

Create a VPC Endpoint

In the following walkthrough, you create an SFTP server that is in a VPC and not accessible over the public internet. To do this, you take the following steps:

  • Create a VPC endpoint.

  • Create and configure your SFTP server to use the VPC endpoint.

To create a VPC endpoint for AWS SFTP

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints, and then choose Create Endpoint.

  3. On the Create Endpoint page, choose AWS Services for Service category.

  4. For Service Name, choose com.amazonaws.region.transfer.server, and then choose Create endpoint.

  5. For VPC, choose your VPC and note its Availability Zones and subnets.

  6. Verify that Enable Private DNS Name is selected.

  7. For Security group, choose the security group that you want to use for your VPC. You can accept the default security group.

  8. Choose Create endpoint. The initial state of the endpoint is pending. When the endpoint is created, take note of the ID of the VPC endpoint that you just created.

  9. In the navigation pane, choose Endpoints and copy the ID of your endpoint.

Now that you have a VPC endpoint, you can create your SFTP server. The following instructions show you how to create an SFTP server using a VPC endpoint.

To create an SFTP server using a VPC endpoint

  1. Sign in to the AWS Management Console and open the AWS SFTP console at https://console.aws.amazon.com/transfer/.

  2. Choose Create server.

  3. In the Endpoint configuration section, choose VPC for Endpoint type, and choose your VPC endpoint from the list.

    Note

    You can associate a VPC endpoint with one SFTP server at a time.

  4. In the Identity provider section, choose Service managed to store user identities and keys in AWS SFTP.

    This walkthrough uses the service-managed option. If you choose Custom, you provide an API Gateway endpoint and an IAM role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your SFTP users. To learn more about working with custom identity providers, see Working with Identity Providers.

  5. (Optional) For Logging role, choose an IAM role that enables Amazon CloudWatch logging of your SFTP user activity.

    For more information about setting up a CloudWatch logging role, see Monitoring Usage.

  6. (Optional) For Key and Value, enter one or more tags as key-value pairs.

    Choose Add tag to add additional tags to your server.

  7. Choose Create to create your server. You are taken to the Servers page, where your new server is listed. Notice that the endpoint type is VPC.

    You can choose the server ID to see the detailed settings of the server you just created.

    Note

    An SFTP server that is created in a VPC doesn't support custom hostnames.
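The two console procedures above can also be done with the AWS CLI. The following script is an added example, not part of the AWS guide: it creates the interface endpoint with private DNS enabled, refuses to continue until the endpoint is available with private DNS actually on (the condition in the Important note above), and then creates a service-managed SFTP server on it. All VPC, subnet, security group and role IDs are placeholders you supply; the AWS_CLI variable is an assumption of this script that lets you point it at a stub for a dry run (for example AWS_CLI=echo).

```shell
#!/bin/sh
# Added example (not from the AWS guide): the console walkthrough as AWS CLI calls.
# Usage: sh create-sftp-vpc.sh <region> <vpc-id> "<subnet-id> ..." <sg-id> [logging-role-arn]
# AWS_CLI (assumed by this script) lets you substitute a stub, e.g. AWS_CLI=echo.
set -eu
AWS_CLI="${AWS_CLI:-aws}"

# Service name shown for Service Name in step 4, built from the Region.
transfer_service_name() {
  printf 'com.amazonaws.%s.transfer.server\n' "$1"
}

# Steps 1-8: create the interface endpoint with private DNS enabled.
# Prints the new endpoint ID (state is 'pending' at first).
create_transfer_vpc_endpoint() {
  region=$1; vpc_id=$2; subnet_ids=$3; sg_id=$4
  # $subnet_ids is intentionally unquoted so several subnets can be passed
  "$AWS_CLI" ec2 create-vpc-endpoint \
    --region "$region" \
    --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface \
    --service-name "$(transfer_service_name "$region")" \
    --subnet-ids $subnet_ids \
    --security-group-ids "$sg_id" \
    --private-dns-enabled \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Guard for the Important note: succeed only when the endpoint is available
# AND PrivateDnsEnabled is true; anything else is a configuration error.
assert_private_dns_enabled() {
  region=$1; vpce_id=$2
  fields=$("$AWS_CLI" ec2 describe-vpc-endpoints --region "$region" \
    --vpc-endpoint-ids "$vpce_id" \
    --query 'VpcEndpoints[0].[State,PrivateDnsEnabled]' --output text)
  set -- $fields   # split "State PrivateDnsEnabled" on whitespace
  if [ "${1:-}" = available ] && [ "${2:-}" = True ]; then
    return 0
  fi
  echo "endpoint $vpce_id not ready or private DNS disabled: $fields" >&2
  return 1
}

# Second procedure: create the server on the endpoint with service-managed users.
# The logging role (step 5) is optional, as in the console.
create_sftp_server_on_endpoint() {
  region=$1; vpce_id=$2; logging_role=${3:-}
  set -- transfer create-server --region "$region" \
    --endpoint-type VPC_ENDPOINT \
    --endpoint-details "VpcEndpointId=$vpce_id" \
    --identity-provider-type SERVICE_MANAGED \
    --query 'ServerId' --output text
  if [ -n "$logging_role" ]; then
    set -- "$@" --logging-role "$logging_role"
  fi
  "$AWS_CLI" "$@"
}

main() {
  region=$1; vpc_id=$2; subnets=$3; sg=$4; logging_role=${5:-}
  vpce=$(create_transfer_vpc_endpoint "$region" "$vpc_id" "$subnets" "$sg")
  # Poll until the endpoint leaves 'pending'; give up after ~5 minutes.
  n=0
  until assert_private_dns_enabled "$region" "$vpce" 2>/dev/null; do
    n=$((n + 1))
    if [ "$n" -ge 30 ]; then
      echo "timed out waiting for $vpce" >&2
      exit 1
    fi
    sleep 10
  done
  server=$(create_sftp_server_on_endpoint "$region" "$vpce" "$logging_role")
  echo "server $server created on endpoint $vpce"
}

if [ "$#" -ge 4 ]; then
  main "$@"
fi
```

The private DNS check is deliberately separate from creation: an endpoint that is available but has private DNS disabled will still be returned by create-vpc-endpoint, so checking the flag before creating the server is what catches the misconfiguration the Important note warns about.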

Change the Endpoint Type for Your SFTP Server

If you have an existing SFTP server that is accessible over the internet (that is, has a public endpoint type), you can change its endpoint to a VPC endpoint.

The following procedure assumes that you have an SFTP server that has a public endpoint type and that you have created a VPC endpoint. If you haven't created a VPC endpoint yet, create one. For instructions, see To create a VPC endpoint for AWS SFTP.

To change the endpoint type for your SFTP server

  1. Sign in to the AWS Management Console and open the AWS SFTP console at https://console.aws.amazon.com/transfer/.

  2. Choose Servers.

  3. Choose the server whose endpoint type you want to change, and then for Actions, choose Stop to stop the server. You must stop the server before you can change its endpoint.

  4. Wait for the status of the server to change to offline. You might have to choose Refresh to see the status change.

  5. Choose the server ID, choose Edit, choose VPC for Endpoint type, choose your VPC endpoint from the list, and then choose Save.

  6. For Actions, choose Start to bring the server back online. Notice that the Endpoint type for your server has changed to VPC.
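The same change can be scripted so that the server is never updated while it is still online. The following is an added example, not part of the AWS guide: it stops the server, polls describe-server until the state is OFFLINE (step 4), switches the endpoint to the VPC endpoint, starts the server again, and finally reads back the endpoint type so the caller can confirm it is VPC_ENDPOINT. Server and endpoint IDs are placeholders; as in the previous example, the AWS_CLI variable is this script's own assumption for substituting a stub during a dry run.

```shell
#!/bin/sh
# Added example (not from the AWS guide): change a public SFTP server to a VPC endpoint.
# Usage: sh switch-endpoint.sh <region> <server-id> <vpce-id>
# AWS_CLI (assumed by this script) lets you substitute a stub, e.g. AWS_CLI=echo.
set -eu
AWS_CLI="${AWS_CLI:-aws}"

# Current lifecycle state of the server (OFFLINE, ONLINE, STOPPING, STARTING, ...).
server_state() {
  "$AWS_CLI" transfer describe-server --region "$1" --server-id "$2" \
    --query 'Server.State' --output text
}

# Poll until the server reports the wanted state; fail instead of hanging.
# $4 is the maximum number of polls (10 s apart), default 30.
wait_for_server_state() {
  region=$1; server_id=$2; wanted=$3; max=${4:-30}
  n=0
  while [ "$(server_state "$region" "$server_id")" != "$wanted" ]; do
    n=$((n + 1))
    if [ "$n" -ge "$max" ]; then
      echo "server $server_id did not reach $wanted" >&2
      return 1
    fi
    sleep 10
  done
}

# Steps 3-6: stop, wait for OFFLINE, switch the endpoint, start, wait for ONLINE.
# Prints the endpoint type read back from the service.
switch_server_to_vpc_endpoint() {
  region=$1; server_id=$2; vpce_id=$3
  "$AWS_CLI" transfer stop-server --region "$region" --server-id "$server_id"
  wait_for_server_state "$region" "$server_id" OFFLINE
  # The update is only valid while the server is offline.
  "$AWS_CLI" transfer update-server --region "$region" --server-id "$server_id" \
    --endpoint-type VPC_ENDPOINT \
    --endpoint-details "VpcEndpointId=$vpce_id"
  "$AWS_CLI" transfer start-server --region "$region" --server-id "$server_id"
  wait_for_server_state "$region" "$server_id" ONLINE
  "$AWS_CLI" transfer describe-server --region "$region" --server-id "$server_id" \
    --query 'Server.EndpointType' --output text
}

if [ "$#" -eq 3 ]; then
  switch_server_to_vpc_endpoint "$@"
fi
```

Because wait_for_server_state gives up after a bounded number of polls, a server stuck in STOPPING or STARTING fails the script rather than leaving it waiting indefinitely, which is what you want when the change runs from a pipeline.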
