After you create the server, view the server's details from the AWS Transfer Family console. Under Endpoint configuration, note the Private IPv4 Addresses. You need these IP addresses for the steps to create a Network Load Balancer.
Create a Network Load Balancer and define the VPC endpoint of the server as the load balancer's target
For Step 1: Configure Load Balancer, enter the following:
For Name, enter a name for the load balancer.
For Scheme, select internet-facing.
For Listeners, keep Load Balancer Protocol as TCP. Then, change the associated Load Balancer Port to your custom listener port.
For VPC, select the Amazon VPC that you created.
For Availability Zones, select the Availability Zones associated with the public subnets that are available in the same VPC you use with your server endpoints.
For the IPv4 address of each subnet, select one of the Elastic IP addresses that you allocated.
Choose Next: Configure Security Settings.
Choose Next: Configure Routing.
For Step 3: Configure Routing, enter the following:
For Target group, select New target group.
For Name, enter a name for the target group.
For Target type, select IP.
For Protocol, select TCP.
For Port, enter 22. Note: AWS Transfer Family servers accept traffic only over port 22, so the load balancer must communicate with the server over port 22.
Under Health checks, for Protocol, select TCP.
Choose Next: Register Targets.
For Step 4: Register Targets, enter the following:
For Network, confirm that the Amazon VPC you want to use is selected.
For IP, enter the private IPv4 addresses of your server's endpoints. You copied these IP addresses after creating the server.
Choose Add to list.
Repeat the previous two steps (enter an IP address, then choose Add to list) until you've entered the private IP addresses for all of your server's endpoints.
Choose Next: Review.
After you set up the server and load balancer, clients connect to the load balancer over the custom listener port. The load balancer then communicates with the server over port 22.
Test access to the server from an Elastic IP address
Connect to the server over the custom port using an Elastic IP address or the DNS name of the Network Load Balancer. For example, the following OpenSSH command connects to the server using an Elastic IP address and a custom port:
Note: Replace [port] with your custom port. Then, replace 192.0.2.3 with an Elastic IP address that you allocated.
sftp -i sftpuserkey -P [port] sftpuser@192.0.2.3
Important: Manage access to your server from client IP addresses using the network access control lists (network ACLs) for the subnets configured on the load balancer. Network ACL permissions are set at the subnet level, so the rules apply to all resources using the subnet. You can't control access from client IP addresses using security groups because the load balancer's target type is set to IP instead of Instance. This means that the load balancer doesn't preserve source IP addresses.
Troubleshoot failed health checks
If the Network Load Balancer's health checks fail, the load balancer can't connect to the server endpoint. To troubleshoot this, check the following:
Confirm that the server endpoint's associated security group allows inbound connections from the subnets configured on the load balancer. The load balancer must be able to connect to the server endpoint over port 22.
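The console steps above, and the security group check just described, expressed as a CloudFormation template. This is an added example, not AWS's own code: it assumes the Transfer Family server, its public subnets and the Elastic IPs already exist, and the resource names, the default listener port 2222 and the subnet CIDRs are placeholders to replace with your own values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Custom-port NLB in front of an AWS Transfer Family VPC-hosted SFTP server
Parameters:
  VpcId: {Type: AWS::EC2::VPC::Id}
  PublicSubnetA: {Type: AWS::EC2::Subnet::Id}        # public subnets for the NLB nodes
  PublicSubnetB: {Type: AWS::EC2::Subnet::Id}
  PublicSubnetACidr: {Type: String, Default: 10.0.1.0/24}  # placeholder CIDRs of those subnets
  PublicSubnetBCidr: {Type: String, Default: 10.0.2.0/24}
  EipAllocationA: {Type: String}     # allocation IDs of the Elastic IPs you allocated
  EipAllocationB: {Type: String}
  ServerPrivateIpA: {Type: String}   # private IPv4 addresses from the server's Endpoint configuration
  ServerPrivateIpB: {Type: String}
  CustomPort: {Type: Number, Default: 2222}          # placeholder custom port clients connect to
Resources:
  SftpNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      SubnetMappings:                  # one Elastic IP per public subnet
        - {SubnetId: !Ref PublicSubnetA, AllocationId: !Ref EipAllocationA}
        - {SubnetId: !Ref PublicSubnetB, AllocationId: !Ref EipAllocationB}
  SftpTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip                   # target is the endpoint's private IP, not an instance
      Protocol: TCP
      Port: 22                         # Transfer Family accepts traffic only on port 22
      HealthCheckProtocol: TCP
      Targets:
        - {Id: !Ref ServerPrivateIpA, Port: 22}
        - {Id: !Ref ServerPrivateIpB, Port: 22}
  SftpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref SftpNlb
      Protocol: TCP
      Port: !Ref CustomPort            # custom port on the outside, 22 on the inside
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref SftpTargets}]
  # Attach this group to the server endpoint: it must accept port 22 from the load
  # balancer's subnets, which is also where the NLB health checks originate.
  ServerEndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SFTP only from the NLB subnets
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref PublicSubnetACidr}
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref PublicSubnetBCidr}
```

Because the security group only sees the load balancer's private addresses, restricting which clients may reach the custom port still has to be done in the network ACLs of PublicSubnetA and PublicSubnetB, as the Important note above describes.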