Hello Mahendra Kumar V,
To create Internet-facing VPC type servers, you have to provide Elastic IPs (as AddressAllocationIds) when you create the server. In your template I see that this is missing, which is why the Transfer service is creating an Internal VPC type server. The following is an example template:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  SFTPServer:
    Type: 'AWS::Transfer::Server'
    Properties:
      EndpointType: 'VPC'
      EndpointDetails:
        VpcId: '<vpc-id>'
        SubnetIds:
          - '<subnet-id>'
        AddressAllocationIds:
          - '<Elastic IP allocation Id>'
      LoggingRole: '<logging-role-ARN>'
```
Note: You have to provide the Allocation ID of the Elastic IP, not the IP address itself. Allocation IDs look like this: eipalloc-0fb1a029axxxxxx
The above should help you in creating Internet-Facing VPC type servers.
Do let us know if you have further questions.
-- Sagar
You can use the following example YAML code as a starting point:
```yaml
Resources:
  TransferServer:
    Type: AWS::Transfer::Server
    Properties:
      # EndpointDetails are only accepted for EndpointType VPC; a PUBLIC server takes none.
      EndpointType: VPC
      IdentityProviderType: SERVICE_MANAGED
      LoggingRole: <logging-role-arn>
      SecurityPolicyName: TransferSecurityPolicy-2020-06
      Tags:
        - Key: Name
          Value: my-transfer-server
      EndpointDetails:
        VpcId: <vpc-id>
        SubnetIds:
          - <subnet-id-1>
          - <subnet-id-2>
        SecurityGroupIds:
          - <security-group-id>
        # One Elastic IP allocation per subnet makes the endpoint Internet-facing;
        # leave this out and the server is Internal.
        AddressAllocationIds:
          - <eip-allocation-id-1>
          - <eip-allocation-id-2>
Outputs:
  TransferServerArn:
    Value: !GetAtt TransferServer.Arn
    Export:
      Name: MyTransferServerArn
```
Note that you will need to replace the placeholder values (<logging-role-arn>, <vpc-id>, <subnet-id-1>, <subnet-id-2>, <security-group-id>, <eip-allocation-id-1> and <eip-allocation-id-2>) with actual values that are relevant to your setup.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates an AWS Transfer Family server with a user and deploys a VPC
  and security group, with a pair of public and private subnets in a single
  Availability Zone. It deploys an internet gateway, with a default route on the
  public subnet. It deploys a NAT gateway (one AZ) and a default route for it in
  the private subnet.
Parameters:
  EnvironmentName:
    Description: An environment name that is prefixed to resource names
    Type: String
  VpcCIDR:
    Description: Please enter the IP range (CIDR notation) for this VPC
    Type: String
    Default: 10.192.0.0/16
  PublicSubnetCIDR:
    Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
    Type: String
    Default: 10.192.10.0/24
  PrivateSubnetCIDR:
    Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
    Type: String
    Default: 10.192.20.0/24
  CreateServer:
    AllowedValues:
      - 'true'
      - 'false'
    Type: String
    Description: >-
      Whether this stack creates a server internally or not. If a server is
      created internally, the customer identity provider is automatically
      associated with it.
    Default: 'true'
  # Not referenced by any resource below; the server's EndpointType is hard-coded to VPC.
  Endpointtype:
    AllowedValues:
      - 'Internal'
      - 'Internet facing'
    Type: String
    Default: 'Internet facing'
Conditions:
  CreateServer:
    'Fn::Equals':
      - Ref: CreateServer
      - 'true'
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCIDR
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Resource
  TransferServer:
    Type: 'AWS::Transfer::Server'
    Condition: CreateServer
    Properties:
      # No AddressAllocationIds here, so the VPC endpoint is created without
      # Elastic IPs and the server comes up with AccessInfo: Internal.
      EndpointDetails:
        SubnetIds:
          - !Ref PublicSubnet
        VpcId: !Ref VPC
        SecurityGroupIds:
          - !Ref SecurityGroup
      EndpointType: VPC
      LoggingRole:
        'Fn::GetAtt': CloudWatchLoggingRole.Arn
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Transferserver
  CloudWatchLoggingRole:
    Description: IAM role used by Transfer to log API requests to CloudWatch
    Type: 'AWS::IAM::Role'
    Condition: CreateServer
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # Without a permissions policy the role cannot write to CloudWatch Logs.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess
  GoldcoastTvodUser:
    Type: 'AWS::Transfer::User'
    # Must share the server's condition: ServerId below references TransferServer.
    Condition: CreateServer
    Properties:
      HomeDirectoryMappings:
        - Entry: /
          Target: /goldcoast-tvod
      HomeDirectoryType: LOGICAL
      # Session policy scoped to the bucket; the Role below still needs a trust
      # policy for transfer.amazonaws.com and S3 permissions of its own.
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
              ]
            }
          }
      Role:
        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/Admin'
      ServerId:
        'Fn::GetAtt': TransferServer.ServerId
      SshPublicKeys:
        - >-
          ssh-rsa
          AAAAB3NzaC1yc2EAAAABIwAAAQEAvVu6cIeB4W80XEr1XHEKjc/JLb69Eqhz4j50ntDjWRP8Gn0wlSDh85YwxksnR/wJYVHOXW8Y6tRG3EFSpq7gjb7sd8B/2lEYtJgXujAJA7JBC6I3V0o+ZdfLCX1oBeP9j5yi6zjSAWxWBVqpvXUDYEFYNTMkfyDnPr0bs9iLOMNec0ZIAQyEXCMMwGqxuyYLHwuS4EQb9A4aiS2hI7fMO/nDzIBZJVoMiNvtguodqWFac9wVuTn23AKnN1lw5iO9sxwRexFv9Fl8HyprLcuGSM4k5/EecBf9/E5d6haBtuDQJJxCoYge4fCAVu4tLMY63Z3ECL/eBbjySwzv3WID5Q==
      UserName: GoldcoastTvodUser
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref PublicSubnetCIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Public Subnet
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref PrivateSubnetCIDR
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Private Subnet
  NatGatewayEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Elastic Ip
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      SubnetId: !Ref PublicSubnet
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} NatGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Public Routes
  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Private Routes
  DefaultPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnet
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Production Security Group"
      GroupDescription: "Security Group with inbound and outbound rule"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # SFTP on 22 open to the whole Internet; narrow the CidrIp to known client ranges where possible.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 69
          ToPort: 69
          CidrIp: 96.47.148.171/32
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 3.16.146.0/29
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}
  # Interface endpoint for CloudWatch Logs. It reuses SecurityGroup above, which
  # allows no inbound 443 from the VPC, so callers inside the VPC cannot reach it
  # until a 443 rule from VpcCIDR is added.
  TfVPCInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
      VpcId: !Ref VPC
      SubnetIds:
        - !Ref PublicSubnet
      SecurityGroupIds:
        - !Ref SecurityGroup
```
Hi,
I tried with this YAML file; it created a Transfer Family server with Internal access:
Custom hostname
Endpoint
AccessInfo: Internal
FIPS enabled: No
Hello,
Thanks for your perfect and valuable reply.
I have tried as per your comments and it's working as expected.
```yaml
TransferServer:
  Type: 'AWS::Transfer::Server'
  Properties:
    EndpointType: 'VPC'
    EndpointDetails:
      VpcId: !Ref VPC
      SubnetIds:
        - !Ref PublicSubnet
      AddressAllocationIds:
        # An Elastic IP can be associated with only one network interface at a time.
        # If NatGatewayEIP is still attached to the NatGateway from the original
        # template, the Transfer endpoint needs its own AWS::EC2::EIP instead.
        - !GetAtt NatGatewayEIP.AllocationId
    Tags:
      - Key: Name
        Value: !Sub ${EnvironmentName} Transferserver
```
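The mistakes this thread turns on (a VPC-type server with no AddressAllocationIds, passing the Elastic IP address instead of its eipalloc- allocation ID, and reusing an EIP that a NAT gateway already holds) can all be caught before `cloudformation deploy`. The following Python is an added example, not code from this thread or from AWS: it walks a parsed template (the dict that `json.load` or `yaml.safe_load` returns for a template file) and reports each problem. The function names, the `sample_template` helper and all resource IDs in it are constructed for the example.

```python
"""Pre-deploy check for AWS::Transfer::Server endpoint settings (added example).

Walks a parsed CloudFormation template and reports why a VPC-type server would
come up Internal rather than Internet-facing. Sample data is constructed.
"""
import re

EIPALLOC_RE = re.compile(r"^eipalloc-[0-9a-f]{8,17}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def getatt_target(value):
    """Return 'Resource.Attr' for a Fn::GetAtt intrinsic, else None."""
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        target = value["Fn::GetAtt"]
        return ".".join(target) if isinstance(target, list) else str(target)
    return None


def check_transfer_servers(template):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    resources = template.get("Resources", {})
    # Allocation IDs already consumed by NAT gateways: an Elastic IP can be
    # associated with only one network interface, so reusing one fails.
    nat_allocs = {
        getatt_target(r.get("Properties", {}).get("AllocationId"))
        for r in resources.values()
        if r.get("Type") == "AWS::EC2::NatGateway"
    }
    nat_allocs.discard(None)
    for name, res in resources.items():
        if res.get("Type") != "AWS::Transfer::Server":
            continue
        props = res.get("Properties", {})
        etype = props.get("EndpointType", "PUBLIC")
        if etype == "VPC_ENDPOINT":
            findings.append(f"{name}: EndpointType VPC_ENDPOINT is deprecated; use VPC")
            continue
        if etype != "VPC":
            continue  # PUBLIC servers take no EndpointDetails
        details = props.get("EndpointDetails", {})
        subnets = details.get("SubnetIds", [])
        allocs = details.get("AddressAllocationIds", [])
        if not allocs:
            findings.append(f"{name}: no AddressAllocationIds, server will be Internal")
            continue
        if len(allocs) != len(subnets):
            findings.append(f"{name}: {len(allocs)} AddressAllocationIds for "
                            f"{len(subnets)} SubnetIds (counts must match)")
        for a in allocs:
            if isinstance(a, dict) and "Ref" in a:
                # Ref on an AWS::EC2::EIP returns the public IP, not the allocation ID.
                if resources.get(a["Ref"], {}).get("Type") == "AWS::EC2::EIP":
                    findings.append(f"{name}: Ref {a['Ref']} yields the IP address; "
                                    f"use Fn::GetAtt {a['Ref']}.AllocationId")
                continue
            target = getatt_target(a)
            if target is not None:
                if target in nat_allocs:
                    findings.append(f"{name}: {target} is already associated with a NAT gateway")
                continue  # other intrinsics resolve at deploy time; nothing to check here
            if isinstance(a, str) and IPV4_RE.match(a):
                findings.append(f"{name}: '{a}' is an IP address, not an allocation ID")
            elif not (isinstance(a, str) and EIPALLOC_RE.match(a)):
                findings.append(f"{name}: '{a}' does not look like an eipalloc- ID")
    return findings


def sample_template(alloc_ids, nat_alloc=None):
    """Constructed minimal template: one VPC-type server in one subnet (sample data)."""
    details = {"VpcId": "vpc-0123456789abcdef0", "SubnetIds": ["subnet-0123456789abcdef0"]}
    if alloc_ids is not None:
        details["AddressAllocationIds"] = alloc_ids
    resources = {
        "TransferEIP": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        "NatGatewayEIP": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        "TransferServer": {"Type": "AWS::Transfer::Server",
                           "Properties": {"EndpointType": "VPC", "EndpointDetails": details}},
    }
    if nat_alloc is not None:
        resources["NatGateway"] = {"Type": "AWS::EC2::NatGateway",
                                   "Properties": {"AllocationId": nat_alloc,
                                                  "SubnetId": "subnet-0123456789abcdef0"}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


if __name__ == "__main__":
    nat = {"Fn::GetAtt": ["NatGatewayEIP", "AllocationId"]}
    cases = {
        "missing AddressAllocationIds": sample_template(None),
        "Ref instead of GetAtt": sample_template([{"Ref": "TransferEIP"}]),
        "EIP shared with NAT gateway": sample_template([nat], nat_alloc=nat),
        "dedicated EIP": sample_template([{"Fn::GetAtt": ["TransferEIP", "AllocationId"]}]),
    }
    for label, tpl in cases.items():
        print(f"{label}: {check_transfer_servers(tpl) or 'OK'}")
```

Only the "dedicated EIP" case passes cleanly. Intrinsics other than `Ref` and `Fn::GetAtt` are left alone because their value is not known until deploy time; the literal-string checks apply when allocation IDs are pasted in directly, as in the placeholder templates above.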