What type of endpoint is appropriate for my Transfer Family server?


I want to know what type of endpoint to use for my AWS Transfer Family server.

Resolution

Endpoint type: Public endpoint
  • Supported protocols: SFTP
  • Access: You can access public endpoints over the internet. You don't need a special configuration in Amazon Virtual Private Cloud (Amazon VPC).
  • Static IP address: You can't attach a static IP address. AWS provides IP addresses that are subject to change.
  • Source IP allowlist: Public endpoints don't support allowlists by source IP addresses. Public endpoints are publicly accessible and listen for traffic over port 22.
  • Client firewall allowlist: You must allow the server's DNS name. Because IP addresses are subject to change, it's a best practice not to use IP addresses for your client firewall allowlist.

Endpoint type: Amazon VPC endpoint with internal access
  • Supported protocols: SFTP, FTP, FTPS
  • Access: You can access a VPC endpoint within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  • Static IP address: Private IP addresses that are attached to the endpoint don't change.
  • Source IP allowlist: Use security groups that are attached to the server endpoints and network access control lists (network ACLs) attached to the endpoint's subnet.
  • Client firewall allowlist: You can allow the private IP addresses or the endpoint's DNS name.

Endpoint type: VPC endpoint with internet access
  • Supported protocols: SFTP, FTPS
  • Access: You can access VPC endpoints over the internet and within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  • Static IP address: You can attach Elastic IP addresses to the endpoint, such as AWS owned IP addresses or your own IP addresses (BYOIP). Elastic IP addresses that are attached to the endpoint don't change. Private IP addresses that are attached to the server also don't change.
  • Source IP allowlist: Use security groups that are attached to the server endpoints and network ACLs that are attached to the subnet that the endpoint is in.
  • Client firewall allowlist: You can allow the server's DNS name or the Elastic IP addresses that are attached to the server.

Note: The VPC_ENDPOINT endpoint type is discontinued. You can't use this endpoint type to create new servers.

To increase the security of your Transfer Family server, take the following actions:

  • Use a VPC endpoint with internal access so that the server is accessible only to clients within your VPC or VPC-connected environments.
  • To allow clients to access the endpoint over the internet and protect your server, use a VPC endpoint with internet access. Then, modify the VPC's security groups to allow traffic only from certain IP addresses that host your users' clients.
  • Use a Network Load Balancer in front of a VPC endpoint with internal access. Change your load balancer's listener port from port 22 to a different port so that it's harder for port scanners and bots to probe your server. However, if you use a Network Load Balancer, then you can't use security groups to allow access from source IP addresses.
    Note: For SFTP servers, Transfer Family supports custom ports 2222, 22000, and 2223 without the need to configure a Network Load Balancer.
  • If you require password-based authentication and you use a custom identity provider with your server, then enforce a strong password policy. Require users to create a secure password, and limit the number of failed login attempts.
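The following is an added example (not part of this article or of any AWS tooling) of a configuration check that applies the guidance above: it flags a public endpoint, a VPC endpoint with no security group, and any attached security group rule that opens an SFTP port to every source. The server and rule data are constructed samples shaped loosely like DescribeServer and security group ingress output; the flattened rule shape and the example resource IDs are assumptions.

```python
import ipaddress

# Constructed sample, loosely shaped like the EndpointType/EndpointDetails
# fields of a Transfer Family DescribeServer response (not real AWS output).
SERVER = {
    "EndpointType": "VPC",
    "Protocols": ["SFTP"],
    "EndpointDetails": {
        "SubnetIds": ["subnet-EXAMPLE1"],
        "AddressAllocationIds": ["eipalloc-EXAMPLE1"],  # Elastic IP => internet access
        "SecurityGroupIds": ["sg-EXAMPLE1"],
    },
}
PUBLIC_SERVER = {"EndpointType": "PUBLIC", "Protocols": ["SFTP"]}

# Constructed, flattened ingress rules for sg-EXAMPLE1. WEAK_RULES is the
# setting to avoid (port 22 open to the internet); RESTRICTED_RULES allows
# only the CIDRs that host the users' clients, as the article recommends.
WEAK_RULES = [{"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0"}]
RESTRICTED_RULES = [
    {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIp": "203.0.113.0/24"},
    {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIp": "198.51.100.7/32"},
]

# Port 22 plus the custom SFTP ports the article lists.
SFTP_PORTS = {22, 2222, 22000, 2223}


def check_server(server, ingress_rules):
    """Return a list of findings; an empty list means the endpoint follows the guidance."""
    findings = []
    if server["EndpointType"] != "VPC":
        findings.append("PUBLIC endpoint: source-IP allowlisting is not possible; use a VPC endpoint")
        return findings
    if not server.get("EndpointDetails", {}).get("SecurityGroupIds"):
        findings.append("VPC endpoint has no security group attached")
    for rule in ingress_rules:
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if rule.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        if not any(lo <= p <= hi for p in SFTP_PORTS):
            continue
        for key in ("CidrIp", "CidrIpv6"):
            cidr = rule.get(key)
            if cidr and ipaddress.ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"ports {lo}-{hi} open to any source ({cidr}); restrict to client CIDRs")
    return findings


if __name__ == "__main__":
    print(check_server(PUBLIC_SERVER, []))
    print(check_server(SERVER, WEAK_RULES))
    print(check_server(SERVER, RESTRICTED_RULES))  # prints []
```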

Related information

Create an internet-facing endpoint for your server

How do I activate a static Elastic IP address for my Transfer Family server?

AWS OFFICIAL. Updated 5 months ago.