Create a server in a virtual private cloud - AWS Transfer Family

Create a server in a virtual private cloud

You can host your server's endpoint inside a virtual private cloud (VPC) to use for transferring data to and from an Amazon S3 bucket or Amazon EFS file system without going over the public internet.

Note

After May 19, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT in your AWS account on or before February 21, 2021, you will not be affected. After this date, use EndpointType=VPC. For more information, see Discontinuing the use of VPC_ENDPOINT.

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and a server. You can then use this server to transfer data, through your client, to and from your Amazon S3 bucket without using public IP addressing or requiring an internet gateway.

Using Amazon VPC, you can launch AWS resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see What Is Amazon VPC? in the Amazon VPC User Guide.

In the next sections, find instructions on how to create and connect your VPC to a server. As an overview, you do this as follows:

  1. Set up a server using a VPC endpoint.

  2. Connect to your server using a client that is inside your VPC through the VPC endpoint. Doing this enables you to transfer data stored in your Amazon S3 bucket through your client using AWS Transfer Family. You can perform this transfer even though the network is disconnected from the public internet.

  3. In addition, if you choose to make your server's endpoint internet-facing, you can associate Elastic IP addresses with your endpoint. Doing this lets clients outside of your VPC connect to your server. You can use VPC security groups to control access to authenticated users whose requests originate only from allowed addresses.

Create a server endpoint that can be accessed only within your VPC

In the following procedure, you create a server endpoint that is accessible only to resources within your VPC.

To create a server endpoint inside a VPC
  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. From the navigation pane, select Servers, then choose Create server.

  3. In Choose protocols, select one or more protocols, and then choose Next. For more information about protocols, see Step 2: Create an SFTP-enabled server.

  4. In Choose an identity provider, choose Service managed to store user identities and keys in AWS Transfer Family, and then choose Next.

    Note

    This procedure uses the service-managed option. If you choose Custom, you provide an Amazon API Gateway endpoint and an AWS Identity and Access Management (IAM) role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your users. To learn more about working with custom identity providers, see Other custom identity provider options.

  5. In Choose an endpoint, do the following:

    Note

    FTP and FTPS servers for Transfer Family operate over Port 21 (Control Channel) and Port Range 8192-8200 (Data Channel).

    1. For Endpoint type, choose the VPC hosted endpoint type to host your server's endpoint.

    2. For Access, choose Internal to make your endpoint only accessible to clients using the endpoint's private IP addresses.

      Note

      For details on the Internet Facing option, see Create an internet-facing endpoint for your server. A server that is created in a VPC for internal access only doesn't support custom hostnames.

    3. For VPC, choose an existing VPC ID or choose Create a VPC to create a new VPC.

    4. In the Availability Zones section, choose up to three Availability Zones and associated subnets.

    5. In the Security Groups section, choose an existing security group ID or IDs or choose Create a security group to create a new security group. For more information about security groups, see Security groups for your VPC in the Amazon Virtual Private Cloud User Guide. To create a security group, see Creating a security group in the Amazon Virtual Private Cloud User Guide.

      Note

      Your VPC automatically comes with a default security group. If you don't specify a different security group or groups when you launch the server, we associate the default security group with your server.

      For the inbound rules for the security group, you can configure SSH traffic to use port 22, 2222, 22000, or any combination. Port 22 is configured by default. To use port 2222 or port 22000, you add an inbound rule to your security group. For the type, choose Custom TCP, then enter either 2222 or 22000 for Port range, and for the source, enter the same CIDR range that you have for your SSH port 22 rule.

      Note

      You can also use port 2223 for clients that require TCP "piggy-back" ACKs, or the ability for the final ack of the TCP 3-way handshake to also contain data.

      Some client software may be incompatible with port 2223: for example, a client that requires the server to send the SFTP Identification String before the client does.

      The inbound rules for a sample security group, showing a rule for SSH on port 22 and Custom TCP on port 2222.

    6. (Optional) For FIPS Enabled, select the FIPS Enabled endpoint check box to ensure the endpoint complies with Federal Information Processing Standards (FIPS).

      Note

      FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see AWS Transfer Family endpoints and quotas in the AWS General Reference. For more information about FIPS, see Federal Information Processing Standard (FIPS) 140-2.

    7. Choose Next.

  6. In Configure additional details, do the following:

    1. For CloudWatch logging, choose one of the following to enable Amazon CloudWatch logging of your user activity:

      • Create a new role to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

      • Choose an existing role to choose an existing IAM role from your account. Under Logging role, choose the role. This IAM role should include a trust policy with Service set to transfer.amazonaws.com.

        For more information about CloudWatch logging, see Configure CloudWatch logging role.

      Note

      • You can't view end-user activity in CloudWatch if you don't specify a logging role.

      • If you don't want to set up a CloudWatch logging role, select Choose an existing role, but don't select a logging role.

    2. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server.

      Note

      By default, the TransferSecurityPolicy-2020-06 security policy is attached to your server unless you choose a different one.

      For more information about security policies, see Security policies for AWS Transfer Family servers.

    3. (Optional: this section is only for migrating users from an existing SFTP-enabled server.) For Server Host Key, enter an RSA, ED25519, or ECDSA private key that will be used to identify your server when clients connect to it over SFTP.

    4. (Optional) For Tags, for Key and Value, enter one or more tags as key-value pairs, and then choose Add tag.

    5. Choose Next.

  7. In Review and create, review your choices. If you:

    • Want to edit any of them, choose Edit next to the step.

      Note

      You will need to review each step after the step that you chose to edit.

    • Have no changes, choose Create server to create your server. You are taken to the Servers page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations, but you'll need to create a user first. For details on creating users, see Managing users for server endpoints.
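The security group guidance in the procedure above (SSH on port 22 by default, optionally 2222, 22000 and 2223 with the same source CIDR as the port 22 rule; FTP and FTPS on port 21 plus 8192-8200) written as an audit you can run against a group's inbound rules. This is an added example, not code from AWS: the rule dictionaries follow the IpPermissions shape that EC2 DescribeSecurityGroups returns, and the sample rules are constructed.

```python
"""Audit a Transfer Family endpoint's security group inbound rules.
Added example (not AWS code): it checks an ``IpPermissions`` list (the shape EC2
DescribeSecurityGroups returns) against the ports named in the procedure above:
SFTP on 22 by default, optionally 2222, 22000 and 2223; FTP/FTPS on 21 plus the
8192-8200 data channel. The sample rules at the bottom are constructed."""
from ipaddress import ip_network

SFTP_PORTS = {22, 2222, 22000, 2223}
FTP_CONTROL_PORT = 21
FTP_DATA_RANGE = (8192, 8200)


def expected_ports(protocols):
    """TCP ports that inbound rules may open for the given protocol set."""
    ports = set()
    if "SFTP" in protocols:
        ports |= SFTP_PORTS
    if protocols & {"FTP", "FTPS"}:
        ports.add(FTP_CONTROL_PORT)
        ports |= set(range(FTP_DATA_RANGE[0], FTP_DATA_RANGE[1] + 1))
    return ports


def audit_ingress(ip_permissions, protocols, internet_facing):
    """Return a list of findings; an empty list means the rules match the guidance."""
    findings = []
    allowed = expected_ports(set(protocols))
    ssh_sources = {}  # SFTP port -> CIDRs, to check the "same CIDR as port 22" rule
    for perm in ip_permissions:
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if proto == "-1" or lo is None:
            findings.append("a rule allows all protocols/ports; limit it to the listed TCP ports")
            continue
        if proto != "tcp":
            findings.append(f"protocol {proto} is not used by Transfer Family; remove the rule")
            continue
        opened = set(range(lo, hi + 1))
        extra = sorted(opened - allowed)
        if extra:
            findings.append(f"ports {extra} are not needed for protocols {sorted(protocols)}")
        if internet_facing:  # an internet-facing endpoint should allow-list client ranges
            for cidr in cidrs:
                if ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(f"ports {lo}-{hi} are open to {cidr}; allow-list client ranges")
        for port in opened & SFTP_PORTS:
            ssh_sources.setdefault(port, set()).update(cidrs)
    base = ssh_sources.get(22)
    if base:  # the page says 2222/22000 rules should use the same CIDR as the port 22 rule
        for port, sources in sorted(ssh_sources.items()):
            if port != 22 and sources != base:
                findings.append(f"port {port} source {sorted(sources)} differs from port 22 source {sorted(base)}")
    return findings


# Constructed sample rules: a compliant group and one with three problems.
SAMPLE_GOOD = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]
SAMPLE_BAD = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22000, "ToPort": 22000, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]
```

Feed it the IpPermissions of the group attached to the endpoint, the server's protocols, and whether the endpoint is internet facing; SAMPLE_BAD yields three findings (open to 0.0.0.0/0, an unneeded port, and a port 22000 source that differs from the port 22 rule).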

Create an internet-facing endpoint for your server

In the following procedure, you create a server endpoint. This endpoint is accessible over the internet only to clients whose source IP addresses are allowed in your VPC's default security group. Additionally, by using Elastic IP addresses to make your endpoint internet-facing, your clients can use the Elastic IP address to allow access to your endpoint in their firewalls.

Note

Only SFTP and FTPS can be used on an internet-facing VPC hosted endpoint.

To create an internet-facing endpoint
  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. From the navigation pane, select Servers, then choose Create server.

  3. In Choose protocols, select one or more protocols, and then choose Next. For more information about protocols, see Step 2: Create an SFTP-enabled server.

  4. In Choose an identity provider, choose Service managed to store user identities and keys in AWS Transfer Family, and then choose Next.

    Note

    This procedure uses the service-managed option. If you choose Custom, you provide an Amazon API Gateway endpoint and an AWS Identity and Access Management (IAM) role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your users. To learn more about working with custom identity providers, see Other custom identity provider options.

  5. In Choose an endpoint, do the following:

    1. For Endpoint type, choose the VPC hosted endpoint type to host your server's endpoint.

    2. For Access, choose Internet Facing to make your endpoint accessible to clients over the internet.

      Note

      When you choose Internet Facing, you can choose an existing Elastic IP address in each subnet or subnets. Or you can go to the VPC console (https://console.aws.amazon.com/vpc/) to allocate one or more new Elastic IP addresses. These addresses can be owned either by AWS or by you. You can't associate Elastic IP addresses that are already in use with your endpoint.

    3. (Optional) For Custom hostname, choose one of the following:

      Note

      Customers in AWS GovCloud (US) need to connect via the Elastic IP address directly, or create a hostname record within Commercial Route 53 that points to their EIP. For more information about using Route 53 for GovCloud endpoints, see Setting up Amazon Route 53 with your AWS GovCloud (US) resources in the AWS GovCloud (US) User Guide.

      • Amazon Route 53 DNS alias – if the hostname that you want to use is registered with Route 53. You can then enter the hostname.

      • Other DNS – if the hostname that you want to use is registered with another DNS provider. You can then enter the hostname.

      • None – to use the server's endpoint and not use a custom hostname. The server hostname takes the form server-id.server.transfer.region.amazonaws.com.

        Note

        For customers in AWS GovCloud (US), selecting None does not create a hostname in this format.

      To learn more about working with custom hostnames, see Working with custom hostnames.

    4. For VPC, choose an existing VPC ID or choose Create a VPC to create a new VPC.

    5. In the Availability Zones section, choose up to three Availability Zones and associated subnets. For IPv4 Addresses, choose an Elastic IP address for each subnet. This is the IP address that your clients can use to allow access to your endpoint in their firewalls.

    6. In the Security Groups section, choose an existing security group ID or IDs or choose Create a security group to create a new security group. For more information about security groups, see Security groups for your VPC in the Amazon Virtual Private Cloud User Guide. To create a security group, see Creating a security group in the Amazon Virtual Private Cloud User Guide.

      Note

      Your VPC automatically comes with a default security group. If you don't specify a different security group or groups when you launch the server, we associate the default security group with your server.

      For the inbound rules for the security group, you can configure SSH traffic to use port 22, 2222, 22000, or any combination. Port 22 is configured by default. To use port 2222 or port 22000, you add an inbound rule to your security group. For the type, choose Custom TCP, then enter either 2222 or 22000 for Port range, and for the source, enter the same CIDR range that you have for your SSH port 22 rule.

      Note

      You can also use port 2223 for clients that require TCP "piggy-back" ACKs, or the ability for the final ack of the TCP 3-way handshake to also contain data.

      Some client software may be incompatible with port 2223: for example, a client that requires the server to send the SFTP Identification String before the client does.

      The inbound rules for a sample security group, showing a rule for SSH on port 22 and Custom TCP on port 2222.

    7. (Optional) For FIPS Enabled, select the FIPS Enabled endpoint check box to ensure the endpoint complies with Federal Information Processing Standards (FIPS).

      Note

      FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see AWS Transfer Family endpoints and quotas in the AWS General Reference. For more information about FIPS, see Federal Information Processing Standard (FIPS) 140-2.

    8. Choose Next.

  6. In Configure additional details, do the following:

    1. For CloudWatch logging, choose one of the following to enable Amazon CloudWatch logging of your user activity:

      • Create a new role to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

      • Choose an existing role to choose an existing IAM role from your account. Under Logging role, choose the role. This IAM role should include a trust policy with Service set to transfer.amazonaws.com.

        For more information about CloudWatch logging, see Configure CloudWatch logging role.

      Note

      • You can't view end-user activity in CloudWatch if you don't specify a logging role.

      • If you don't want to set up a CloudWatch logging role, select Choose an existing role, but don't select a logging role.

    2. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server.

      Note

      By default, the TransferSecurityPolicy-2020-06 security policy is attached to your server unless you choose a different one.

      For more information about security policies, see Security policies for AWS Transfer Family servers.

    3. (Optional: this section is only for migrating users from an existing SFTP-enabled server.) For Server Host Key, enter an RSA, ED25519, or ECDSA private key that will be used to identify your server when clients connect to it over SFTP.

    4. (Optional) For Tags, for Key and Value, enter one or more tags as key-value pairs, and then choose Add tag.

    5. Choose Next.

    6. (Optional) For Managed workflows, choose workflow IDs (and a corresponding role) that Transfer Family should assume when executing the workflow. You can choose one workflow to execute upon a complete upload, and another to execute upon a partial upload. To learn more about processing your files by using managed workflows, see AWS Transfer Family managed workflows.

      The Managed workflows console section.

  7. In Review and create, review your choices. If you:

    • Want to edit any of them, choose Edit next to the step.

      Note

      You will need to review each step after the step that you chose to edit.

    • Have no changes, choose Create server to create your server. You are taken to the Servers page, shown following, where your new server is listed.

You can choose the server ID to see the detailed settings of the server that you just created. After the column Public IPv4 address has been populated, the Elastic IP addresses that you provided are successfully associated with your server's endpoint.

Note

When your server in a VPC is online, only the subnets can be modified and only through the UpdateServer API. You must stop the server to add or change the server endpoint's Elastic IP addresses.

Change the endpoint type for your server

If you have an existing server that is accessible over the internet (that is, has a public endpoint type), you can change its endpoint to a VPC endpoint.

Note

If you have an existing server in a VPC displayed as VPC_ENDPOINT, we recommend that you modify it to the new VPC endpoint type. With this new endpoint type, you no longer need to use a Network Load Balancer (NLB) to associate Elastic IP addresses with your server's endpoint. Also, you can use VPC security groups to restrict access to your server's endpoint. However, you can continue to use the VPC_ENDPOINT endpoint type as needed.

The following procedure assumes that you have a server that uses either the current public endpoint type or the older VPC_ENDPOINT type.

To change the endpoint type for your server
  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. In the navigation pane, choose Servers.

  3. Select the check box of the server that you want to change the endpoint type for.

    Important

    You must stop the server before you can change its endpoint.

  4. For Actions, choose Stop.

  5. In the confirmation dialog box that appears, choose Stop to confirm that you want to stop the server.

    Note

    Before proceeding to the next step, in Endpoint details, wait for the Status of the server to change to Offline; this can take a couple of minutes. You might have to choose Refresh on the Servers page to see the status change.

    You won't be able to make any edits until the server is Offline.

  6. In Endpoint details, choose Edit.

  7. In Edit endpoint configuration, do the following:

    1. For Edit endpoint type, choose VPC hosted.

    2. For Access, choose one of the following:

      • Internal to make your endpoint only accessible to clients using the endpoint's private IP addresses.

      • Internet Facing to make your endpoint accessible to clients over the public internet.

        Note

        When you choose Internet Facing, you can choose an existing Elastic IP address in each subnet or subnets. Or, you can go to the VPC console (https://console.aws.amazon.com/vpc/) to allocate one or more new Elastic IP addresses. These addresses can be owned either by AWS or by you. You can't associate Elastic IP addresses that are already in use with your endpoint.

    3. (Optional for internet facing access only) For Custom hostname, choose one of the following:

      • Amazon Route 53 DNS alias – if the hostname that you want to use is registered with Route 53. You can then enter the hostname.

      • Other DNS – if the hostname that you want to use is registered with another DNS provider. You can then enter the hostname.

      • None – to use the server's endpoint and not use a custom hostname. The server hostname takes the form serverId.server.transfer.regionId.amazonaws.com.

        To learn more about working with custom hostnames, see Working with custom hostnames.

    4. For VPC, choose an existing VPC ID, or choose Create a VPC to create a new VPC.

    5. In the Availability Zones section, select up to three Availability Zones and associated subnets. If Internet Facing is chosen, also choose an Elastic IP address for each subnet.

      Note

      If you want the maximum of three Availability Zones, but there are not enough available, create them in the VPC console (https://console.aws.amazon.com/vpc/).

      If you modify the subnets or Elastic IP addresses, the server takes a few minutes to update. You can't save your changes until the server update is complete.

    6. Choose Save.

  8. For Actions, choose Start and wait for the status of the server to change to Online; this can take a couple of minutes.

    Note

    If you changed a public endpoint type to a VPC endpoint type, notice that Endpoint type for your server has changed to VPC.

The default security group is attached to the endpoint. To change or add additional security groups, see Creating Security Groups.
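The stop, edit, start sequence above carried out through the Transfer Family API instead of the console, as an added example that is not AWS code. The resource IDs are constructed placeholders, and FakeTransfer is a constructed stand-in for boto3.client("transfer") so the block runs offline; with boto3 installed, the real client exposes the same four methods.

```python
"""Switch a Transfer Family server to a VPC-hosted endpoint over the API.
Added example (not AWS code) following the console procedure above: stop the
server, wait until it is OFFLINE, update the endpoint, start it again. ``client``
is any object exposing the boto3 Transfer client's stop_server, describe_server,
update_server and start_server methods; FakeTransfer below is a constructed
stand-in so the block runs offline, in place of boto3.client("transfer")."""
import time


def vpc_endpoint_details(vpc_id, subnet_ids, security_group_ids, eip_allocation_ids=None):
    """Build EndpointDetails for EndpointType=VPC; Elastic IPs make it internet-facing."""
    if not 1 <= len(subnet_ids) <= 3:
        raise ValueError("choose one to three subnets (one per Availability Zone)")
    details = {"VpcId": vpc_id, "SubnetIds": list(subnet_ids),
               "SecurityGroupIds": list(security_group_ids)}
    if eip_allocation_ids:
        if len(eip_allocation_ids) != len(subnet_ids):
            raise ValueError("internet-facing endpoints need exactly one Elastic IP per subnet")
        details["AddressAllocationIds"] = list(eip_allocation_ids)
    return details


def wait_for_state(client, server_id, wanted, timeout=600, poll=5):
    """Poll DescribeServer until the server reaches ``wanted`` or a failure state."""
    deadline = time.monotonic() + timeout
    while True:
        state = client.describe_server(ServerId=server_id)["Server"]["State"]
        if state == wanted:
            return state
        if state in ("START_FAILED", "STOP_FAILED") or time.monotonic() > deadline:
            raise RuntimeError(f"{server_id} is {state}, expected {wanted}")
        time.sleep(poll)


def change_to_vpc_endpoint(client, server_id, details, poll=5):
    """Stop, wait for OFFLINE (edits are refused while ONLINE), update, start."""
    client.stop_server(ServerId=server_id)
    wait_for_state(client, server_id, "OFFLINE", poll=poll)
    client.update_server(ServerId=server_id, EndpointType="VPC", EndpointDetails=details)
    client.start_server(ServerId=server_id)
    return wait_for_state(client, server_id, "ONLINE", poll=poll)


class FakeTransfer:
    """Constructed stand-in for the Transfer client: flips state, records the update."""
    state, update_kwargs = "ONLINE", None

    def stop_server(self, ServerId):
        self.state = "OFFLINE"

    def start_server(self, ServerId):
        self.state = "ONLINE"

    def describe_server(self, ServerId):
        return {"Server": {"ServerId": ServerId, "State": self.state}}

    def update_server(self, **kwargs):
        if self.state != "OFFLINE":  # mirrors the page: stop the server before editing
            raise RuntimeError("server must be stopped before its endpoint can change")
        self.update_kwargs = kwargs


if __name__ == "__main__":
    fake = FakeTransfer()  # IDs below are constructed placeholders, not real resources
    details = vpc_endpoint_details("vpc-0example", ["subnet-0a", "subnet-0b"], ["sg-0example"],
                                   ["eipalloc-0a", "eipalloc-0b"])
    print(change_to_vpc_endpoint(fake, "s-0example", details, poll=0), fake.update_kwargs)
```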

Discontinuing the use of VPC_ENDPOINT

AWS Transfer Family is discontinuing the ability to create servers with EndpointType=VPC_ENDPOINT for new AWS accounts. As of May 19, 2021, AWS accounts that don't own AWS Transfer Family servers with an endpoint type of VPC_ENDPOINT will not be able to create new servers with EndpointType=VPC_ENDPOINT. If you already own servers that use the VPC_ENDPOINT endpoint type, we recommend that you start using EndpointType=VPC as soon as possible. For details, see Update your AWS Transfer Family server endpoint type from VPC_ENDPOINT to VPC.

We launched the new VPC endpoint type earlier in 2020. For more information, see AWS Transfer Family for SFTP supports VPC Security Groups and Elastic IP addresses. This new endpoint type is more feature-rich and cost-effective, and there are no PrivateLink charges. For more information, see AWS PrivateLink pricing.

This endpoint type is functionally equivalent to the previous endpoint type (VPC_ENDPOINT). You can attach Elastic IP addresses directly to the endpoint to make it internet facing and use security groups for source IP filtering. For more information, see the Use IP allow listing to secure your AWS Transfer Family for SFTP servers blog post.

You can also host this endpoint in a shared VPC environment. For more information, see AWS Transfer Family now supports shared services VPC environments.

In addition to SFTP, you can use the VPC EndpointType to enable FTPS and FTP. We don't plan to add these features (directly attached Elastic IP addresses and security groups) or FTPS/FTP support to EndpointType=VPC_ENDPOINT. We have also removed this endpoint type as an option from the AWS Transfer Family console.

You can change the endpoint type for your server using the Transfer Family console, AWS CLI, API, SDKs, or AWS CloudFormation. To change your server’s endpoint type, see Updating the AWS Transfer Family server endpoint type from VPC_ENDPOINT to VPC.

If you have any questions, contact AWS Support or your AWS account team.
