Network load balancer and privatelink for static ip


I'm trying to set up this new functionality to have a static IP:
"Additionally, you can now deploy a network load balancer (NLB) that uses your SFTP server’s VPC endpoint to associate Elastic IPs, enabling your end users to whitelist your SFTP server’s IP addresses."

I have set up a VPCE and configured the SFTP server following this guide.

But when I configure the NLB I get stuck at how to set the target to the VPCE.
I've tried adding the VPCE IP, but only get target "unhealthy". Should I address the VPCE target in some other way, or should I apply some special security group settings (I currently use the VPC default group)? Or is there something else that I should be looking into?

asked 5 years ago · 2277 views
1 Answer
Accepted Answer

If the NLB isn't able to communicate with your endpoint, the health check won't pass. Make sure the security group around your endpoint and the NACLs on the endpoint's subnet allow the NLB to access it. For more details on troubleshooting your NLB, refer to the following documentation:

Additionally, here are detailed steps to enable Elastic IP on your NLB and use it to access your SFTP server endpoint. The flow of the request would be the following:

SFTP Client User -> NLB -> VPC-endpoint -> Transfer SFTP


a) Allocate three (one per AZ) Elastic IP addresses in the region where you want to have this setup. Here's the documentation on working with Elastic IP addresses:
b) Steps to create a VPC endpoint interface for AWS Transfer Server (also available here with screenshots):

  1. Open the VPC console.
  2. Select Endpoints.
  3. Click Create Endpoint.
  4. Select Service category > AWS services.
  5. Select Service Name > com.amazonaws.region.transfer.server.
  6. Select the subnets and Security Groups for this endpoint.
  7. Click Create Endpoint.
  8. Once the endpoint is created, select the endpoint and click on Subnets to get the private IP addresses. These will be used later on.

c) Enable VPC endpoint on Transfer SFTP.

  1. Open the Transfer SFTP console in the same region.
  2. Check the server > Actions -> Stop.
  3. Once the server is stopped, click the server ID.
  4. Click "Edit" in server configuration.
  5. Select "VPC" as Endpoint type.
  6. Select the VPC endpoint created in part (b).

After this step, the SFTP server should be accessible from within the VPC over private IP addresses you got from step (b)(8).

d) Create an NLB and define this endpoint as target. Visit the Getting Started documentation for detailed steps to create a Network Load Balancer and an associated target group:

  1. Go to the Load Balancer console.
  2. Create a new load balancer.
  3. Select Network Load Balancer.
  4. Select internet-facing and edit the TCP port to 22.
  5. Select the VPC, Availability Zones and subnets so they match the ones you selected earlier in b(6).
  6. In subnets, select the Elastic IP addresses created in (1).
  7. Click Next to select and configure the target groups.
    Visit the documentation to register an IP address for the target group:
  8. Add a name, select port = 22, target type = IP.
  9. Click Next and add the IP addresses from step b(8) (i.e. your VPC endpoint's private IPs).
  10. Click Review and create.

Testing with OpenSSH:

```
sftp -i sftpuserkey sftpuser@ELASTIC-IP
```
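As an added example (not part of the answer above or of any AWS project), steps (b), (c) and (d).7-9 expressed in Terraform with the AWS provider. It assumes the internet-facing NLB with its Elastic IPs from steps (a) and (d).1-6 already exists as `var.nlb_arn`, and that `var.vpc_id`, `var.region`, `var.subnet_ids` (one per AZ) and `var.nlb_subnet_cidrs` (the CIDRs of those subnets) are supplied; the security group on the endpoint is the piece that decides whether the IP targets report healthy.

```hcl
# Added example; var.vpc_id, var.region, var.subnet_ids, var.nlb_subnet_cidrs and var.nlb_arn are assumed inputs.
resource "aws_security_group" "vpce" {
  name   = "transfer-vpce"
  vpc_id = var.vpc_id
  # Health checks and forwarded sessions arrive from the NLB nodes' private IPs,
  # so allow TCP/22 from the NLB subnets; the VPC default SG does not.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.nlb_subnet_cidrs
  }
}
resource "aws_vpc_endpoint" "transfer" { # step (b)
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${var.region}.transfer.server"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.subnet_ids
  security_group_ids = [aws_security_group.vpce.id]
}
resource "aws_transfer_server" "sftp" { # step (c)
  endpoint_type = "VPC_ENDPOINT"
  endpoint_details { vpc_endpoint_id = aws_vpc_endpoint.transfer.id }
}
resource "aws_lb_target_group" "vpce" { # step (d).8
  port        = 22
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
}
# Step (d).9: register the endpoint ENI private IPs (step (b).8) as targets.
data "aws_network_interface" "vpce" {
  count = length(var.subnet_ids)
  id    = tolist(aws_vpc_endpoint.transfer.network_interface_ids)[count.index]
}
resource "aws_lb_target_group_attachment" "vpce" {
  count            = length(var.subnet_ids)
  target_group_arn = aws_lb_target_group.vpce.arn
  target_id        = data.aws_network_interface.vpce[count.index].private_ip
  port             = 22
}
resource "aws_lb_listener" "sftp" { # TCP/22 listener on the existing NLB
  load_balancer_arn = var.nlb_arn
  port              = 22
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vpce.arn
  }
}
```

The `count` form is used for the ENI lookups because the endpoint's network interface IDs are only known after apply, which `for_each` does not accept.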

Please let me know if you have any questions.

answered 5 years ago
