How do I turn on Elastic IP addresses on my AWS Transfer Family SFTP-activated server endpoint with a custom listener port?

4 minute read

I want to use Elastic IP addresses to make my AWS Transfer Family SFTP-activated server accessible. However, the listener port can't be port 22.


If you can use port 22 as your listener port, then create an internet-facing endpoint for your server.

However, if you need to change the listener port to a port other than port 22 (for migration), then follow these steps:

Create an Amazon Virtual Private Cloud (Amazon VPC), and allocate IP addresses

  1. Create an Amazon VPC in the same AWS Region as your server.
  2. Create subnets in your VPC within Availability Zones that you want to use your server in.
    Note: One AWS Transfer Family server can support up to three Availability Zones.
  3. Allocate up to three Elastic IP addresses in the same Region as your server. Or, you can bring your own IP address range (BYOIP).
    Note: The number of Elastic IP addresses must match the number of Availability Zones that you use with your server endpoints.

Create an AWS Transfer Family SFTP-enabled server with an internal VPC endpoint type

  1. Follow the steps to create a server endpoint that's accessible only from within your VPC.
  2. After you create the server, view the server's details from the AWS Transfer Family console. Under Endpoint configuration, note the Private IPv4 Addresses. You need these IP addresses for the steps to create a Network Load Balancer.

Create a Network Load Balancer and define the VPC endpoint of the server as the load balancer's target

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. From the navigation pane, choose Load Balancers.
  3. Choose Create Load Balancer.
  4. Under Network Load Balancer, choose Create.
  5. For Step 1: Configure Load Balancer, enter the following:
    For Name, enter a name for the load balancer.
    For Scheme, select internet-facing.
    For Listeners, keep Load Balancer Protocol as TCP. Then, change the associated Load Balancer Port to your custom listener port.
    For VPC, select the Amazon VPC that you created.
    For Availability Zones, select the Availability Zones associated with the public subnets that are available in the same VPC you use with your server endpoints.
    For the IPv4 address of each subnet, select one of the Elastic IP addresses that you allocated.
  6. Choose Next: Configure Security Settings.
  7. Choose Next: Configure Routing.
  8. For Step 3: Configure Routing, enter the following:
    For Target group, select New target group.
    For Name, enter a name for the target group.
    For Target type, select IP.
    For Protocol, select TCP.
    For Port, enter 22.
    Note: The AWS Transfer Family servers support traffic only over port 22. The load balancer must communicate to the server over port 22.
    Under Health checks, for Protocol, select TCP.
  9. Choose Next: Register Targets.
  10. For Step 4: Register Targets, enter the following:
    For Network, confirm that the Amazon VPC you want to use is selected.
    For IP, enter the private IPv4 addresses of your server's endpoints. You copied these IP addresses after creating the server.
  11. Choose Add to list.
  12. Repeat steps 10 and 11 until you've entered the private IP addresses for all of your server's endpoints.
  13. Choose Next: Review.
  14. Choose Create.

After you set up the server and load balancer, clients communicate to the load balancer over the custom port listener. Then, the load balancer communicates to the server over port 22.

Test access to the server from an Elastic IP address

Connect to the server over the custom port through an Elastic IP address or the DNS name of the Network Load Balancer. For example, the following OpenSSH command connects to the server through an Elastic IP address and a custom port:

Note: Replace [port] with your custom port. Then, replace with an Elastic IP address that you allocated.

sftp -i sftpuserkey -P [port] sftpuser@

Important: To manage access to your server from client IP addresses, use the network access control lists (network ACLs) and security group for the load balancer. If the Network Load Balancer's health checks fail, then the load balancer can't connect to the server endpoint. To troubleshoot this, check the following conditions:

  • Confirm that the server endpoint's associated security group allows inbound connections from the load balancer's subnets. The load balancer must be able to connect to the server endpoint over port 22.
  • Confirm that the server's State is Online.

Related information

Lift and shift migration of SFTP servers to AWS

AWS OFFICIALUpdated 7 months ago