What is in the security group for your EC2 instance? When you turn on "Preserve client IP address" the EC2 instance will receive connections from the source IP address, not the NLB. So you need to change the inbound rules to allow connections from the networks that you want to be able to connect to your application (SFTP in this case). If the SFTP server is public (i.e. accessible from the internet) and you want clients to connect from the internet, then you need to allow connections from all IP addresses (0.0.0.0/0).
Hello.
This does not troubleshoot why you cannot connect to SFTP through the NLB, but how about the following approach instead?
What about using SFTP with port forwarding in Systems Manager?
This eliminates the need to create an NLB.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/
In my case the EC2 instance is running in a private subnet and the security group inbound rule allows all traffic from 0.0.0.0/0. When I enable Preserve Client IP on the target group where the EC2 instance is registered, I can no longer reach SFTP through the NLB.
The current Security Group only allows all traffic from inside our VPC, and TCP connections on port 22 from some specific IP addresses, but the Network Load Balancer forwards to the target group where the target is the EC2 machine.
This setup used to work without a problem: the client could connect to the SFTP server and put files there, so they were stored in S3 without a problem, and I could connect to the SFTP server using FileZilla without any problem. But when I turned on "Preserve client IP addresses" this was no longer possible, so I think that setting is the problem, but I need to have it "On".
When you turn on "Preserve client IP" the targets will see connections from the client IP address. That's what the setting means. Your security group needs to allow connections from the client IP address, not IP addresses within the VPC.
Ok, that makes sense. I imagine the best way to allow connections from the client IP address is to add them to the Security Group, correct? I think that's it, but I want to make sure.
I really appreciate the answer @Brettski-AWS
Yes, you need to put the client IP address(es) in the security group.
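To make the point of this answer concrete, here is an added illustration (not code from the thread or from AWS) that simulates how a security group evaluates an inbound connection. The VPC CIDR, the NLB node address, the client addresses and the rule list are all constructed assumptions; the rules use the IpPermissions shape of the EC2 API only so they read like a real group, and nothing here calls AWS. It shows that with "Preserve client IP" off the target sees the NLB node's private address, which the "all traffic from the VPC" rule admits, and that with it on the target sees the real client address, which passes only if that address has its own rule.

```python
"""
Simulate security-group evaluation for an SFTP target behind an NLB,
with and without "Preserve client IP address".

Added illustration, not code from the original thread. All addresses,
CIDRs and rules below are constructed sample values.
"""
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
VPC_CIDR = "10.0.0.0/16"
NLB_NODE_IP = "10.0.1.25"           # private IP of an NLB node inside the VPC
TRUSTED_CLIENT_IP = "203.0.113.10"  # an SFTP client the group already allows
NEW_CLIENT_IP = "198.51.100.7"      # a client not yet allowed
SFTP_PORT = 22

# Rules in the shape of the EC2 API's IpPermissions: all traffic from the VPC,
# plus TCP/22 from one specific external address (the setup described above).
CURRENT_RULES = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": VPC_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": f"{TRUSTED_CLIENT_IP}/32"}]},
]


def rule_matches(rule, src_ip, protocol, port):
    """True if one IpPermission entry admits (src_ip, protocol, port)."""
    proto = rule["IpProtocol"]
    if proto != "-1":                      # "-1" means all protocols/ports
        if proto != protocol:
            return False
        if not (rule["FromPort"] <= port <= rule["ToPort"]):
            return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def sg_allows(rules, src_ip, protocol="tcp", port=SFTP_PORT):
    """Security groups are allow-only: any matching rule permits the flow."""
    return any(rule_matches(r, src_ip, protocol, port) for r in rules)


def effective_source(client_ip, preserve_client_ip):
    """Source address the target sees for a connection through the NLB."""
    return client_ip if preserve_client_ip else NLB_NODE_IP


def sftp_reachable(rules, client_ip, preserve_client_ip):
    """Can this client reach TCP/22 on the target via the NLB?"""
    return sg_allows(rules, effective_source(client_ip, preserve_client_ip))


def add_client_rule(rules, client_ip, port=SFTP_PORT):
    """Return a new rule list that also admits TCP/port from one client /32."""
    return rules + [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                     "IpRanges": [{"CidrIp": f"{client_ip}/32"}]}]


if __name__ == "__main__":
    for preserve in (False, True):
        print(f"Preserve client IP={preserve}: trusted client ->",
              sftp_reachable(CURRENT_RULES, TRUSTED_CLIENT_IP, preserve),
              "| new client ->",
              sftp_reachable(CURRENT_RULES, NEW_CLIENT_IP, preserve))
    fixed = add_client_rule(CURRENT_RULES, NEW_CLIENT_IP)
    print("After adding the client /32 rule, new client with preserve on ->",
          sftp_reachable(fixed, NEW_CLIENT_IP, True))
```

One caveat when applying this to a real group: keep the rule that admits the NLB nodes (here, the VPC CIDR), because health checks still originate from the load balancer's private addresses even when client IP preservation is on; only the client-facing SFTP rule needs the client addresses added.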