I want to know what type of endpoint to use for my AWS Transfer Family server.
Resolution
| Endpoint type | Public endpoint | Amazon VPC endpoint with internal access | VPC endpoint with internet access |
|---|---|---|---|
| Supported protocols | SFTP | SFTP, FTP, FTPS | SFTP, FTPS |
| Access | You can access public endpoints over the internet. You don't need a special configuration in Amazon Virtual Private Cloud (Amazon VPC). | You can access a VPC endpoint within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN. | You can access VPC endpoints over the internet and within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN. |
| Static IP address | You can't attach a static IP address. AWS provides IP addresses that are subject to change. | Private IP addresses that are attached to the endpoint don't change. | You can attach Elastic IP addresses to the endpoint, such as AWS owned IP addresses or your own IP addresses (BYOIP). Elastic IP addresses that are attached to the endpoint don't change. Private IP addresses that are attached to the server also don't change. |
| Source IP allowlist | Public endpoints don't support allowlists by source IP addresses. Public endpoints are publicly accessible and listen for traffic over port 22. | Use security groups that are attached to the server endpoints and network access control lists (network ACLs) attached to the endpoint's subnet. | Use security groups that are attached to the server endpoints and network ACLs that are attached to the subnet that the endpoint is in. |
| Client firewall allowlist | You must allow the server's DNS name. Because IP addresses are subject to change, it's a best practice not to use IP addresses for your client firewall allowlist. | You can allow the private IP addresses or the endpoint's DNS name. | You can allow the server's DNS name or the Elastic IP addresses that are attached to the server. |
Note: The VPC_ENDPOINT endpoint type is discontinued. You can't use this endpoint type to create new servers.
To increase the security of your Transfer Family server, take the following actions:
- Use a VPC endpoint with internal access so that the server is accessible only to clients within your VPC or VPC-connected environments.
- To allow clients to access the endpoint over the internet and protect your server, use a VPC endpoint with internet access. Then, modify the VPC's security groups to allow traffic only from certain IP addresses that host your users' clients.
- Use a Network Load Balancer in front of a VPC endpoint with internal access. Change your load balancer's listener port from port 22 to a different port so that it's harder for port scanners and bots to probe your server. However, if you use a Network Load Balancer, then you can't use security groups to allow access from source IP addresses.
Note: For SFTP servers, Transfer Family supports custom ports 2222, 22000, and 2223 without the need to configure a Network Load Balancer.
- If you require password-based authentication and you use a custom identity provider with your server, then enforce a strong password policy. Require users to create a secure password, and limit the number of failed login attempts.
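The following is an added example, not part of the original article or of any AWS tooling, that turns the table and the recommendations above into an audit check. It takes the shape of the boto3 `transfer.describe_server()` and `ec2.describe_security_groups()` responses (the sample records below are constructed for this example, with placeholder IDs, not captured from a real account) and reports a public endpoint, the discontinued VPC_ENDPOINT type, and any security group on an internet-facing VPC endpoint that opens the SFTP listener port to 0.0.0.0/0 or ::/0. It does not model the Network Load Balancer case, where security groups cannot restrict source IPs.

```python
"""Audit the exposure of an AWS Transfer Family server endpoint.

Added example: works on dicts shaped like boto3 describe_server() and
describe_security_groups() output. Sample data is constructed, not real.
"""

# Listener ports the article says Transfer Family supports for SFTP
# without a Network Load Balancer (22 plus the custom ports).
SUPPORTED_SFTP_PORTS = {22, 2222, 22000, 2223}

# CIDRs that mean "any source on the internet".
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_opens_port(perm: dict, port: int) -> bool:
    """True if one security-group IpPermission entry opens TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _rule_cidrs(perm: dict) -> list[str]:
    """Collect IPv4 and IPv6 source ranges from an IpPermission entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def audit_server(server: dict, security_groups: dict[str, dict],
                 listener_port: int = 22) -> list[str]:
    """Return findings for one server; an empty list means nothing to fix."""
    findings: list[str] = []
    endpoint_type = server.get("EndpointType")

    if endpoint_type == "PUBLIC":
        # Public endpoints cannot be allowlisted by source IP at all.
        findings.append("endpoint is PUBLIC: no source-IP allowlist possible, "
                        "port 22 reachable from the internet")
        return findings
    if endpoint_type == "VPC_ENDPOINT":
        findings.append("endpoint type VPC_ENDPOINT is discontinued; migrate to VPC")
    if listener_port not in SUPPORTED_SFTP_PORTS:
        findings.append(f"port {listener_port} is not a supported SFTP port "
                        f"without a Network Load Balancer")

    details = server.get("EndpointDetails", {})
    # Elastic IP allocations attached to the endpoint make it internet-facing.
    internet_facing = bool(details.get("AddressAllocationIds"))
    sg_ids = details.get("SecurityGroupIds", [])
    if internet_facing and not sg_ids:
        findings.append("internet-facing VPC endpoint has no security groups attached")

    for sg_id in sg_ids:
        sg = security_groups.get(sg_id)
        if sg is None:
            findings.append(f"{sg_id}: security group not found in inventory")
            continue
        for perm in sg.get("IpPermissions", []):
            if not _rule_opens_port(perm, listener_port):
                continue
            open_cidrs = [c for c in _rule_cidrs(perm) if c in ANYWHERE]
            if open_cidrs:
                findings.append(f"{sg_id}: port {listener_port} open to "
                                f"{', '.join(open_cidrs)}")
    return findings


# Constructed sample: an internet-facing VPC endpoint whose security group
# still allows port 22 from anywhere. IDs are placeholders.
SAMPLE_SERVER = {
    "ServerId": "s-EXAMPLE1234567890",
    "EndpointType": "VPC",
    "Protocols": ["SFTP"],
    "EndpointDetails": {
        "VpcId": "vpc-EXAMPLE",
        "SubnetIds": ["subnet-EXAMPLE-a"],
        "AddressAllocationIds": ["eipalloc-EXAMPLE"],
        "SecurityGroupIds": ["sg-EXAMPLE-open"],
    },
}

SAMPLE_SGS = {
    "sg-EXAMPLE-open": {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # The corrected rule: only the documented client range may reach port 22.
    "sg-EXAMPLE-restricted": {"GroupId": "sg-EXAMPLE-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
}


def hardened_sample() -> dict:
    """Same server, but attached to the restricted security group."""
    fixed = dict(SAMPLE_SERVER)
    fixed["EndpointDetails"] = dict(SAMPLE_SERVER["EndpointDetails"],
                                    SecurityGroupIds=["sg-EXAMPLE-restricted"])
    return fixed


if __name__ == "__main__":
    for label, srv in (("as found", SAMPLE_SERVER), ("hardened", hardened_sample())):
        print(label, audit_server(srv, SAMPLE_SGS) or ["no findings"])
```

In practice you would feed `audit_server` the `Server` object from `describe_server` and a map of `GroupId` to the matching entries of `describe_security_groups`; pass `listener_port=2222` (or 22000, 2223) if you moved the server off port 22.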
Related information
Create an internet-facing endpoint for your server
How do I activate a static Elastic IP address for my Transfer Family server?