How do I turn on Elastic IP addresses on my Transfer Family SFTP-activated server endpoint with a custom listener port?

4 minute read

I want to use Elastic IP addresses to make my AWS Transfer Family SFTP-activated server accessible through a custom listener port.

Resolution

If you can use port 22, 2222, 22000, or 2223 as your listener port, then create an internet-facing endpoint for your server.

To change the listener port to a port other than port 22, 2222, 22000, or 2223, then follow these steps.

Create an Amazon Virtual Private Cloud (Amazon VPC), and allocate IP addresses

Complete the following steps:

Create an Amazon VPC in the same AWS Region as your server.
Create subnets in your VPC within Availability Zones that you want to use your server in.
Note: A single Transfer Family server can support up to three Availability Zones.
Allocate up to three Elastic IP addresses in the same Region as your server. Or, you can bring your own IP address range (BYOIP).
Note: The number of Elastic IP addresses must match the number of Availability Zones that you use with your server endpoints.

Create an AWS Transfer Family SFTP-enabled server with an internal VPC endpoint type

Complete the following steps:

Follow the steps to create a server endpoint that's accessible only from within your VPC.
After you create the server, view the server's details from the AWS Transfer Family console. Under Endpoint configuration, note the Private IPv4 Addresses. You use these IP addresses when you create a Network Load Balancer.

Create a Network Load Balancer and define the VPC endpoint of the server as the load balancer's target

Complete the following steps:

Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
From the navigation pane, choose Load Balancers.
Choose Create Load Balancer.
Under Network Load Balancer, choose Create.
For Step 1: Configure Load Balancer, enter the following:
For Name, enter a name for the load balancer.
For Scheme, select internet-facing.
For Listeners, keep Load Balancer Protocol as TCP. Then, change the associated Load Balancer Port to your custom listener port.
For VPC, select the Amazon VPC that you created.
For Availability Zones, select the Availability Zones associated with the public subnets that are available in the same VPC you use with your server endpoints.
For the IPv4 address of each subnet, select one of the Elastic IP addresses that you allocated.
Choose Next: Configure Security Settings.
Choose Next: Configure Routing.
For Step 3: Configure Routing, enter the following:
For Target group, select New target group.
For Name, enter a name for the target group.
For Target type, select IP.
For Protocol, select TCP.
For Port, enter 22.
Note: The Transfer Family servers support traffic only over port 22. The load balancer must communicate to the server over port 22.
Under Health checks, for Protocol, select TCP.
Choose Next: Register Targets.
For Step 4: Register Targets, enter the following:
For Network, confirm that the Amazon VPC that you want to use is selected.
For IP, enter the private IPv4 addresses of your server's endpoints. You copied these IP addresses after creating the server.
Choose Add to list.
Repeat steps 10 and 11 until you entered the private IP addresses for all your server's endpoints.
Choose Next: Review.
Choose Create.

After you set up the server and load balancer, clients communicate to the load balancer over the custom port listener. Then, the load balancer communicates to the server over port 22.

Test access to the server from an Elastic IP address

Connect to the server over the custom port through an Elastic IP address or the DNS name of the Network Load Balancer. For example, the following OpenSSH command connects to the server through an Elastic IP address and a custom port:

Note: Replace portNumber with your custom port number. Then, replace 192.0.2.3 with an Elastic IP address that you allocated.

sftp -i sftpuserkey -P portNumber sftpuser@192.0.2.3

Important: To manage access to your server from client IP addresses, use the network access control lists (network ACLs) and security group for the load balancer. If the Network Load Balancer health checks fail, then the load balancer can't connect to the server endpoint. To troubleshoot connection issues, check the following conditions:

Confirm that the server endpoint's associated security group allows inbound connections from the load balancer's subnets. The load balancer must be able to connect to the server endpoint over port 22.
Confirm that the server's State is Online.

Related information

Lift and shift migration of SFTP servers to AWS

Topics

Migration & Modernization

Relevant content

Custom port possible with Transfer for SFTP?
Accepted Answer
Tully-BNS
asked 5 years ago
connect to an internal sftp server from outside private vpc (on prem)
Accepted Answer
Jess
asked 3 years ago
Transfer Family AS2 IP address
rePost-User-0167519
asked 2 years ago
AWS Transfer Family FTPS (Public Endpoint, Custom Hostname) - Connection Reset During TLS Handshake - No CloudWatch Logs
Tom
asked 14 days ago
Using Transfer Family to send and receive messages over HTTPS - Health status for ALB
Vlad
asked 9 months ago
How do I activate a static Elastic IP address for my Transfer Family server?
AWS OFFICIALUpdated 9 months ago
What type of endpoint is appropriate for my Transfer Family server?
AWS OFFICIALUpdated 5 months ago
How can I use a Lambda-backed API as the custom identity provider for my Transfer Family server without using CloudFormation?
AWS OFFICIALUpdated 3 years ago
How do I troubleshoot an "Access Denied" or "Permission Denied" error for operations on my AWS Transfer Family server?
AWS OFFICIALUpdated 4 months ago
AWS Transfer Family announces an alternate port for SFTP servers
EXPERT
rePost-User-8149119
published a year ago