Turning On "Preserve client IP addresses" for a specific Target Group makes it so that I can no longer access an SFTP server

0

I have the need to turn On the "Preserve client IP addresses" for a specific Target Group related to an EC2.

In this EC2 I have an SFTP server running where one can put files in it and they appear in an S3 bucket, and when I turn On the "Preserve client IP addresses" it makes it so that I can no longer access my SFTP server and do that.

To check that I can access the SFTP I use FileZilla to connect to it, with the "Logon type" set to Key file.

I have the configurations for the SFTP server, in the EC2 machine, in /etc/ssh/sshd_config.

We are putting a Load Balancer in front of an SFTP server because I need to host this server in an EC2 machine, and due to company policy, I need to have all EC2 machines created inside a private subnet in the VPC. The Load Balancer is there so that we have a way the SFTP can be accessed from; in this case it is usually accessed using FileZilla, and the way to access it is by logging in with a Key file, but the server is also accessible via SSH. The Target Group we have set up uses TCP: 22.

When looking around for potential solutions, I saw that adding "UseDNS no" to the config file in /etc/ssh/sshd_config could be a potential solution, but it did not work.

asked 5 months ago, 416 views
3 Answers
0
Accepted Answer

What is in the security group for your EC2 instance? When you turn on "Preserve client IP address" the EC2 instance will receive connections from the source IP address, not the NLB. So you need to change the inbound rules to allow connections from the networks that you want to be able to connect to your application (SFTP in this case). If the SFTP server is public (i.e. accessible from the internet) and you want clients to connect from the internet then you need to allow connections from all IP addresses (0.0.0.0/0).

AWS, EXPERT
answered 5 months ago
EXPERT
reviewed a month ago
  • The current Security Group only allows all traffic from inside our VPC, and TCP connections on port 22 from some specific IP addresses, but the Network Load Balancer forwards to the target group where the target is the EC2 machine.

    This setup used to work without a problem: the client could connect to the SFTP server and put the files there so they were stored in the S3 without a problem, and I could connect to the SFTP, using FileZilla, without any problem, but when I turned on "Preserve client IP addresses" it was no longer possible to do this, so I think that setting is the problem, but I need to have it "On".

  • When you turn on "Preserve client IP" the targets will see connections from the client IP address. That's what the setting means. Your security group needs to allow connections from the client IP address, not IP addresses within the VPC.

  • Ok, that makes sense. I imagine the best way to allow connections from the client IP address is to add them to the Security Group, correct? I think that's it, but I want to make sure.

    I really appreciate the answer @Brettski-AWS

  • Yes, you need to put the client IP address(es) in the security group.

  • In my case the EC2 instance is running in a private subnet and the security group inbound rule allows all traffic from 0.0.0.0/0. When I enable Preserve Client IP on the target group where the EC2 is registered, I can no longer reach SFTP through the NLB.
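To make the accepted answer's point concrete, here is an added worked example (not code from the answerer or from AWS) that models how a security group evaluates the source address of an inbound SFTP connection with client IP preservation off versus on. It assumes a constructed VPC CIDR of 10.0.0.0/16, an NLB node private IP of 10.0.1.25, a client at 203.0.113.10 and a "some specific IP addresses" range of 198.51.100.0/24; the rule set ORIGINAL_RULES mirrors the questioner's description (all traffic from the VPC plus port 22 from specific addresses) and CORRECTED_RULES adds the client's address as the answer recommends. The NLB node address is what the instance sees as the source when preservation is off, and it is also the source of NLB health checks, which is why the VPC rule is kept rather than replaced.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

SFTP_PORT = 22


@dataclass(frozen=True)
class IngressRule:
    """One inbound security group rule. protocol "-1" means all traffic (ports ignored)."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


def rule_allows(rule: IngressRule, protocol: str, port: int, src_ip: str) -> bool:
    """True if this single rule permits `protocol`/`port` from `src_ip`."""
    if rule.protocol != "-1":
        if rule.protocol != protocol:
            return False
        if not (rule.from_port <= port <= rule.to_port):
            return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr, strict=False)


def sg_allows(rules: Iterable[IngressRule], protocol: str, port: int, src_ip: str) -> bool:
    """Security groups are allow-lists: any matching rule permits the connection."""
    return any(rule_allows(r, protocol, port, src_ip) for r in rules)


def source_seen_by_target(client_ip: str, nlb_node_ip: str, preserve_client_ip: bool) -> str:
    """With preservation on the target sees the real client; off, it sees the NLB node's private IP."""
    return client_ip if preserve_client_ip else nlb_node_ip


def check_sftp_access(rules: Iterable[IngressRule], client_ip: str,
                      nlb_node_ip: str, preserve_client_ip: bool) -> bool:
    """Would a TCP/22 connection from `client_ip` via the NLB pass this security group?"""
    src = source_seen_by_target(client_ip, nlb_node_ip, preserve_client_ip)
    return sg_allows(rules, "tcp", SFTP_PORT, src)


# Constructed sample addresses (documentation ranges), not values from the question.
VPC_CIDR = "10.0.0.0/16"
NLB_NODE_IP = "10.0.1.25"        # private IP of the NLB node in the VPC
CLIENT_IP = "203.0.113.10"       # the FileZilla user's public address

# Mirrors the questioner's description: all traffic from the VPC, port 22 from a few addresses.
ORIGINAL_RULES = (
    IngressRule("-1", 0, 65535, VPC_CIDR),
    IngressRule("tcp", 22, 22, "198.51.100.0/24"),
)

# The fix from the accepted answer: keep the VPC rule (health checks) and add the client's address.
CORRECTED_RULES = ORIGINAL_RULES + (IngressRule("tcp", 22, 22, f"{CLIENT_IP}/32"),)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        for preserve in (False, True):
            ok = check_sftp_access(rules, CLIENT_IP, NLB_NODE_IP, preserve)
            print(f"{label:9} SG, preserve_client_ip={preserve!s:5}: SFTP reachable = {ok}")
    print("health checks from NLB node allowed:",
          sg_allows(CORRECTED_RULES, "tcp", SFTP_PORT, NLB_NODE_IP))
```

Running it shows the original rule set passing only while preservation is off (the NLB node address falls inside the VPC rule) and failing as soon as the instance starts seeing 203.0.113.10, while the corrected set passes in both modes. The model covers security group evaluation only; network ACLs on the private subnet and routing are outside it, so a rule set that passes here can still be blocked elsewhere.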

0

Hello.

This is not troubleshooting of not being able to connect to SFTP with the NLB, but how about the following measure?
What if you use SFTP with port forwarding in Systems Manager?
This eliminates the need to create an NLB.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/

EXPERT
answered 5 months ago
0

In my case the EC2 instance is running in a private subnet and the security group inbound rule allows all traffic from 0.0.0.0/0. When I enable Preserve Client IP on the target group where the EC2 is registered, I can no longer reach SFTP through the NLB.

answered 3 months ago
