I disagree with the other answer here - FTP (being a complex protocol that uses multiple ports) may not (and by that I mean: probably will not) work well with NLB. It is highly likely that traffic on port 20 (transfer data) will not hit the same server as that on port 21 (control data).
The exception is when you only have a single FTP server behind the load balancer but that kind of defeats the purpose of using NLB in the first place.
Also: FTP is not really secure - all commands, usernames, passwords and data are transferred without encryption. I strongly recommend using more advanced (and secure) protocols. You might consider using the AWS Transfer Family.
Hello.
Yes, it is possible to do FTP using NLB.
If you do not want to open the port, consider using Systems Manager's Session Manager.
This one has a port forwarding function.
This allows file transfers using SCP and other methods without having to set permissions on the security group.
The following document connects to RDS, but this can be replaced with EC2.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/
Agree here. If it is for a public-facing service then yes, an NLB will be needed. Note you'll likely need port 20 also for FTP.
Thank you for the answer. Can we put a firewall or inspect the packets between the "NLB" and the "actual FTP server target" for incoming requests, for additional security?
If you plan to use NLB, it would be a good idea to set up a security group in NLB. NLB has been able to set up security groups in a recent update. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html
Hi,
I'd strongly encourage you to use AWS Transfer Family: https://aws.amazon.com/aws-transfer-family/features/?nc=sn&loc=2&dn=1
It's a fully managed service doing all the heavyweight lifting (security, patching, operations, scaling, HA, etc.) for you. It's cost-efficient (pay-as-you-use).
With it, your users will upload to S3 buckets also accessible by your apps.
Best,
Didier
Hello.
Can the AWS Transfer Family upload directly to EC2? My understanding is that it is used to upload files to EFS and S3. Therefore, if NLB is not used, we think it is better to use Session Manager's port forwarding function.
Valid point here. FTP port 20 is the source port for outbound connections from the FTP server and not inbound, so it shouldn't be needed on the NLB as a listener.
Thanks all, I see differing opinions here and there is not one solution on AWS for FTP on EC2. What if I manage to replace FTP with SFTP on EC2? Will that work with NLB?
Fair point about port 20; but if the NLB isn't in the network path for port 20 traffic then the IP address on the FTP server end will be the EC2 instance (which will need to be public in that case) as the outbound traffic won't be routed through the NLB. You'd need to run FTP in PASV mode (some older clients don't support that). In either case NLB is not a good fit here.
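The point in the last comment about PASV mode, illustrated as an added example that is not from any poster in this thread: the server's passive-mode reply carries the address the client will dial for the data channel, so a quick check of that reply shows whether the data connection would follow the control connection through the NLB or bypass it. The replies and the NLB address below are constructed; EPSV handling is included as the general case.

```python
import re
from ipaddress import ip_address

# Constructed sample replies (not captured from any real server). In PASV the
# server embeds the address it wants the client to use for the data channel.
# Behind an NLB that is whatever address the EC2 instance knows about itself,
# typically its private IP rather than the NLB's front-end address.
PASV_REPLY = "227 Entering Passive Mode (10,0,1,25,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str, control_host: str):
    """Return (host, port) the client would dial for the data channel.

    PASV (RFC 959) carries an explicit IPv4 address plus a 16-bit port split
    into two decimal bytes (p1*256 + p2). EPSV (RFC 2428) carries only the
    port; the client reuses the control-connection host, so the data channel
    takes the same network path as the control channel.
    """
    m = PASV_RE.match(reply)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_host, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def data_channel_follows_control(reply: str, control_host: str) -> bool:
    """True when the data connection would reach the same front end (the NLB)
    the control connection used; False when the server advertised some other
    address, meaning the data channel bypasses the load balancer and fails if
    that address is private or otherwise unreachable from the client."""
    host, _port = parse_pasv(reply, control_host)
    return ip_address(host) == ip_address(control_host)


if __name__ == "__main__":
    nlb = "203.0.113.10"  # constructed NLB front-end address
    for reply in (PASV_REPLY, EPSV_REPLY):
        host, port = parse_pasv(reply, nlb)
        print(f"{reply!r} -> data channel {host}:{port}, "
              f"same path as control: {data_channel_follows_control(reply, nlb)}")
```

Even when the advertised address matches the NLB, the NLB still needs a listener and target-group mapping for the passive port range the server hands out, otherwise the data connection is dropped at the load balancer.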