What type of endpoint should I use for my AWS Transfer Family server?

4 minute read

I want to know the type of endpoint that I must use for my AWS Transfer Family server.

Resolution

Review the following table to determine which AWS Transfer Family endpoint type best suits your use case:


Endpoint type	Public endpoint	Amazon Virtual Private Cloud (Amazon VPC) endpoint with internal access	VPC endpoint with internet-facing access	VPC_ENDPOINT (DEPRECATED)
Supported protocols	SFTP	SFTP, FTP, FTPS	SFTP, FTPS	SFTP
Access	From over the internet. This endpoint type doesn't require any special configuration in your VPC.	From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.	Over the internet and from within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.	From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
Static IP address	You can’t attach a static IP address. AWS provides IP addresses that are subject to change.	Private IP addresses attached to the endpoint don't change.	You can attach Elastic IP addresses to the endpoint. These can be AWS-owned IP addresses or your own IP addresses (BYOIP). Elastic IP addresses attached to the endpoint don't change. Private IP addresses attached to the server also don't change.	Private IP addresses attached to the endpoint don't change.
Source IP allow list	This endpoint type does not support allow lists by source IP addresses. The endpoint is publicly accessible and listens for traffic over port 22.	To allow access by source IP address, you can use security groups attached to the server endpoints and network access control lists (network ACLs) attached to the subnet that the endpoint is in.	To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.	To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.
Client firewall allow list	You must allow the DNS name of the server. Because IP addresses are subject to change, avoid using IP addresses for your client firewall allow list.	You can allow the private IP addresses or the DNS name of the endpoints.	You can allow the DNS name of the server or the Elastic IP addresses attached to the server.	You can allow the private IP addresses or the DNS name of the endpoints.

Note: The VPC_ENDPOINT endpoint type is now deprecated and cannot be used to create new Servers. See Discontinuing the use of VPC_ENDPOINT to learn more.

Consider the following options to increase the security posture of your AWS Transfer Family server:

Use a VPC endpoint with internal access, so that the server is accessible only to clients within your VPC or VPC-connected environments such as an on-premises data center over AWS Direct Connect or VPN.
To allow clients to access the endpoint over the internet and protect your server, use a VPC endpoint with internet-facing access. Then, modify the VPC's security groups to allow traffic only from certain IP addresses that host your users' clients.
Use a Network Load Balancer in front of a VPC endpoint with internal access. Change the listener port on the load balancer from port 22 to a different port. This can reduce, but not eliminate, the risk of port scanners and bots probing your server, because port 22 is most commonly used for scanning. However, if you use a Network Load Balancer, you can't use security groups to allow access from source IP addresses.
If you require password-based authentication and you use a custom identity provider with your server, it's a best practice that you set an aggressive password policy. It's a best practice that your password policy prevents users from creating weak passwords and limits the number of failed login attempts.

Related information

Create an internet-facing endpoint for your server

How can I enable Elastic IP addresses on my AWS Transfer Family SFTP-enabled server endpoint?

Topics

Migration & Modernization

Relevant content

AWS Transfer Family Costs
rePost-User-1061696
asked 8 months ago
AWS Transfer Family in multiple AWS accounts
tanvi
asked 4 months ago
AWS Transfer Family: FTP To S3 Cron Job?
Accepted Answer
rePost-User-6238222
asked a month ago
Which SSL certificate should I get for AWS Transfer Family with AS2 HTTPS endpoints?
Max_H
asked 6 months ago
Use Case for VPC Interface Endpoint for S3 and AWS Transfer Family for S3
Accepted Answer
Arunava
asked 8 months ago
How can I enable Elastic IP addresses on my AWS Transfer Family SFTP-enabled server endpoint with a custom listener port?
AWS OFFICIALUpdated 2 years ago
How can I enable Elastic IP addresses on my AWS Transfer Family SFTP-enabled server endpoint?
AWS OFFICIALUpdated 2 years ago
How can I use a Lambda-backed API as the custom identity provider for my Transfer Family server without using CloudFormation?
AWS OFFICIALUpdated 2 years ago
How do I configure my AWS Transfer Family server to use an Amazon S3 bucket that's in another AWS account?
AWS OFFICIALUpdated 2 years ago
Announcing support for multiple host keys and key types for AWS Transfer Family servers
EXPERT
sagarb-aws
published a year ago