AWS Transfer Family - VPC hosted


Hi,

Under the VPC hosted category I want to choose internet-facing using a CloudFormation template.

I have a YAML file for internal but can't code for internet-facing.

5 answers

Accepted answer

Hello Mahendra Kumar V,

To create internet-facing VPC type servers, you have to provide Elastic IPs (AddressAllocationIds) when you are creating the server. Within your template I see that is missing, which is why the Transfer service is creating an internal VPC type server. The following is an example template:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  SFTPServer:
    Type: 'AWS::Transfer::Server'
    Properties:
      EndpointType: 'VPC'
      EndpointDetails:
        VpcId: '<vpc-id>'
        SubnetIds:
          - '<subnet-id>'
        # One Elastic IP allocation per subnet; this is what makes the VPC endpoint internet-facing
        AddressAllocationIds:
          - '<Elastic IP allocation Id>'
      LoggingRole: '<logging-role-ARN>'

Note: You have to provide the allocation ID of the Elastic IP and not the IP itself. Allocation IDs look like this: eipalloc-0fb1a029axxxxxx

The above should help you in creating Internet-Facing VPC type servers.

Do let us know if you have further questions.

-- Sagar

AWS EXPERT
answered 1 year ago
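A pre-deploy check that turns the point in the accepted answer into something you can run against a template before calling create-stack. This is an added example written for this page, not code from the thread or from AWS. It works on the JSON form of a CloudFormation template (the YAML short forms !Ref and !GetAtt appear as {"Ref": ...} and {"Fn::GetAtt": [...]}), reports whether each VPC-type Transfer server will come up Internal or Internet-facing, verifies there is one real eipalloc- ID per subnet, flags an Elastic IP that the same template also hands to a NAT gateway (an EIP can be attached to only one resource), and warns when an internet-facing endpoint's security group opens tcp/22 to 0.0.0.0/0. The three templates at the bottom are constructed samples; logical names such as NatGatewayEIP, PublicSubnet and SecurityGroup are placeholders, not resources from the thread.

```python
"""Pre-deploy check for Transfer Family servers in a CloudFormation template (JSON form,
where YAML's !Ref / !GetAtt appear as {"Ref": ...} / {"Fn::GetAtt": [...]}). Stdlib only;
the sample templates at the bottom are constructed for this example."""
import json
import re

EIPALLOC_RE = re.compile(r"^eipalloc-[0-9a-f]{8,17}$")
ANY_V4 = "0.0.0.0/0"
SFTP_PORT = 22

def _logical_id(value):
    """Logical resource ID behind {"Ref": X} or {"Fn::GetAtt": [X, ...]}, else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None

def _sg_opens_sftp_to_world(sg_props):
    """True if any ingress rule admits tcp/22 from 0.0.0.0/0."""
    for rule in sg_props.get("SecurityGroupIngress", []):
        if rule.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if lo <= SFTP_PORT <= hi and rule.get("CidrIp") == ANY_V4:
            return True
    return False

def check_transfer_servers(template):
    """Return {server_id: {"access": "Internal" | "Internet-facing" | "n/a", "findings": [...]}}."""
    resources = template.get("Resources", {})
    # EIP logical ID -> NAT gateway logical ID, to catch an EIP shared with the NAT gateway
    nat_eips = {_logical_id(r.get("Properties", {}).get("AllocationId")): n
                for n, r in resources.items() if r.get("Type") == "AWS::EC2::NatGateway"}
    report = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::Transfer::Server":
            continue
        props = res.get("Properties", {})
        if props.get("EndpointType") != "VPC":
            report[name] = {"access": "n/a", "findings": ["not a VPC-hosted server"]}
            continue
        details = props.get("EndpointDetails", {})
        allocs = details.get("AddressAllocationIds", [])
        subnets = details.get("SubnetIds", [])
        findings = []
        # Transfer chooses Internal vs Internet-facing purely on the presence of allocation IDs
        access = "Internet-facing" if allocs else "Internal"
        if not allocs:
            findings.append("no AddressAllocationIds: Transfer will create an internal endpoint")
        else:
            if len(allocs) != len(subnets):
                findings.append(f"{len(allocs)} allocation IDs for {len(subnets)} subnets; need one EIP per subnet")
            for a in allocs:
                if isinstance(a, str) and not EIPALLOC_RE.match(a):
                    findings.append(f"{a!r} is not an Elastic IP allocation ID (expected eipalloc-...)")
                eip = _logical_id(a)
                if eip and eip in nat_eips:
                    findings.append(f"EIP {eip} is already attached to NAT gateway {nat_eips[eip]}; "
                                    "an Elastic IP can be associated with only one resource")
            for sg_ref in details.get("SecurityGroupIds", []):
                sg_id = _logical_id(sg_ref)
                sg = resources.get(sg_id, {})
                if sg.get("Type") == "AWS::EC2::SecurityGroup" and _sg_opens_sftp_to_world(sg.get("Properties", {})):
                    findings.append(f"security group {sg_id} allows tcp/22 from 0.0.0.0/0 on an "
                                    "internet-facing endpoint; restrict it to known client ranges")
        report[name] = {"access": access, "findings": findings}
    return report

def _server(details):
    """Minimal AWS::Transfer::Server resource (constructed sample data)."""
    return {"Type": "AWS::Transfer::Server",
            "Properties": {"EndpointType": "VPC", "EndpointDetails": dict(details, VpcId={"Ref": "VPC"})}}

def _sg(cidr):
    """Security group admitting tcp/22 from one CIDR (constructed sample data)."""
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": cidr}]}}

# 1. Shape of the question's template: no allocation IDs, so the endpoint comes up Internal.
INTERNAL_TEMPLATE = {"Resources": {"SecurityGroup": _sg(ANY_V4), "TransferServer": _server(
    {"SubnetIds": [{"Ref": "PublicSubnet"}], "SecurityGroupIds": [{"Ref": "SecurityGroup"}]})}}
# 2. Internet-facing with a dedicated EIP and SFTP limited to a client range.
INTERNET_TEMPLATE = {"Resources": {"SecurityGroup": _sg("203.0.113.0/29"), "TransferServer": _server(
    {"SubnetIds": [{"Ref": "PublicSubnet"}], "SecurityGroupIds": [{"Ref": "SecurityGroup"}],
     "AddressAllocationIds": ["eipalloc-0fb1a029a1234567"]})}}
# 3. Allocation IDs present, but one is the NAT gateway's EIP and the other a placeholder.
REUSED_EIP_TEMPLATE = {"Resources": {
    "NatGateway": {"Type": "AWS::EC2::NatGateway",
                   "Properties": {"AllocationId": {"Fn::GetAtt": ["NatGatewayEIP", "AllocationId"]}}},
    "TransferServer": _server({"SubnetIds": [{"Ref": "PublicSubnet"}, {"Ref": "PrivateSubnet"}],
                               "AddressAllocationIds": [{"Fn::GetAtt": ["NatGatewayEIP", "AllocationId"]},
                                                        "<Elastic IP allocation Id>"]})}}

if __name__ == "__main__":
    for tpl in (INTERNAL_TEMPLATE, INTERNET_TEMPLATE, REUSED_EIP_TEMPLATE):
        print(json.dumps(check_transfer_servers(tpl), indent=2))
```

To run it against your own stack, write the template in JSON (CloudFormation accepts JSON and YAML interchangeably) or convert it with cfn-flip, then call check_transfer_servers(json.load(open("template.json"))). The third sample reproduces the trap in the follow-up below: reusing NatGatewayEIP for both the NAT gateway and the Transfer endpoint fails at deploy time because the EIP is already associated.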

You can use the following example YAML code as a starting point:

```yaml
Resources:
  TransferServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: VPC
      IdentityProviderType: SERVICE_MANAGED
      Protocols:
        - SFTP
      LoggingRole: <logging-role-arn>
      SecurityPolicyName: TransferSecurityPolicy-2020-06
      Tags:
        - Key: Name
          Value: my-transfer-server
      EndpointDetails:
        VpcId: <vpc-id>
        SubnetIds:
          - <subnet-id-1>
          - <subnet-id-2>
        SecurityGroupIds:
          - <security-group-id>
        # One Elastic IP allocation ID per subnet; this makes the VPC endpoint internet-facing
        AddressAllocationIds:
          - <eip-allocation-id-1>
          - <eip-allocation-id-2>

Outputs:
  TransferServerArn:
    Value: !GetAtt TransferServer.Arn
    Export:
      Name: MyTransferServerArn
```

Note that you will need to replace the placeholder values (<logging-role-arn>, <vpc-id>, <subnet-id-1>, <subnet-id-2>, <security-group-id>, <eip-allocation-id-1> and <eip-allocation-id-2>) with actual values that are relevant to your setup.

answered 1 year ago

AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates an AWS Transfer Family server with one user and deploys a VPC
  and security group with a public and a private subnet in a single Availability Zone.
  It deploys an internet gateway with a default route for the public subnet, and a NAT
  gateway (one AZ) with a default route for the private subnet.

Parameters:
  EnvironmentName:
    Description: An environment name that is prefixed to resource names
    Type: String

  VpcCIDR:
    Description: Please enter the IP range (CIDR notation) for this VPC
    Type: String
    Default: 10.192.0.0/16

  PublicSubnetCIDR:
    Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
    Type: String
    Default: 10.192.10.0/24

  PrivateSubnetCIDR:
    Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
    Type: String
    Default: 10.192.20.0/24

  CreateServer:
    AllowedValues:
      - 'true'
      - 'false'
    Type: String
    Description: >-
      Whether this stack creates a server internally or not. If a server is
      created internally, the customer identity provider is automatically
      associated with it.
    Default: 'true'

  # Not referenced by any condition or resource below; the endpoint type is decided
  # by whether TransferServer carries AddressAllocationIds
  Endpointtype:
    AllowedValues:
      - 'Internal'
      - 'Internet facing'
    Type: String
    Default: 'Internet facing'

Conditions:
  CreateServer: !Equals [!Ref CreateServer, 'true']

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCIDR
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Resource

  TransferServer:
    Type: 'AWS::Transfer::Server'
    Condition: CreateServer
    Properties:
      EndpointType: VPC
      # No AddressAllocationIds are given, so Transfer creates an internal VPC endpoint
      EndpointDetails:
        VpcId: !Ref VPC
        SubnetIds:
          - !Ref PublicSubnet
        SecurityGroupIds:
          - !Ref SecurityGroup
      LoggingRole: !GetAtt CloudWatchLoggingRole.Arn
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Transferserver

  CloudWatchLoggingRole:
    Type: 'AWS::IAM::Role'
    Condition: CreateServer
    Properties:
      Description: IAM role used by Transfer to write server logs to CloudWatch
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # The role needs permissions as well as a trust policy; this AWS managed policy
      # grants the CloudWatch Logs actions Transfer uses for server logging
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess

  GoldcoastTvodUser:
    Type: 'AWS::Transfer::User'
    # Must be conditional too, otherwise it references TransferServer when CreateServer is 'false'
    Condition: CreateServer
    Properties:
      HomeDirectoryMappings:
        # For a LOGICAL mapping the Target is /<bucket-name>/<prefix>; the session policy
        # below must cover the same bucket
        - Entry: /
          Target: /goldcoast-tvod
      HomeDirectoryType: LOGICAL
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
              ]
            }
          }
      # Assumes a role named Admin already exists and trusts transfer.amazonaws.com;
      # a role scoped to the bucket is preferable for an SFTP user
      Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/Admin'
      ServerId: !GetAtt TransferServer.ServerId
      SshPublicKeys:
        - >-
          ssh-rsa
          AAAAB3NzaC1yc2EAAAABIwAAAQEAvVu6cIeB4W80XEr1XHEKjc/JLb69Eqhz4j50ntDjWRP8Gn0wlSDh85YwxksnR/wJYVHOXW8Y6tRG3EFSpq7gjb7sd8B/2lEYtJgXujAJA7JBC6I3V0o+ZdfLCX1oBeP9j5yi6zjSAWxWBVqpvXUDYEFYNTMkfyDnPr0bs9iLOMNec0ZIAQyEXCMMwGqxuyYLHwuS4EQb9A4aiS2hI7fMO/nDzIBZJVoMiNvtguodqWFac9wVuTn23AKnN1lw5iO9sxwRexFv9Fl8HyprLcuGSM4k5/EecBf9/E5d6haBtuDQJJxCoYge4fCAVu4tLMY63Z3ECL/eBbjySwzv3WID5Q==
      UserName: GoldcoastTvodUser

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref PublicSubnetCIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Public Subnet

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref PrivateSubnetCIDR
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Private Subnet

  NatGatewayEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Elastic IP

  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      SubnetId: !Ref PublicSubnet
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} NatGateway

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Public Routes

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Private Routes

  DefaultPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnet

  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Production Security Group"
      GroupDescription: "Security Group with inbound and outbound rules"
      VpcId: !Ref VPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      # tcp/22 is the SFTP port; 0.0.0.0/0 exposes it to the whole internet once the
      # endpoint is internet-facing, and makes the 3.16.146.0/29 rule below redundant
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0
      - IpProtocol: udp
        FromPort: 69
        ToPort: 69
        CidrIp: 96.47.148.171/32
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 3.16.146.0/29
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName

  TfVPCInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
      VpcId: !Ref VPC
      SubnetIds:
        - !Ref PublicSubnet
      SecurityGroupIds:
        - !Ref SecurityGroup

Hi,

I tried with this YAML file; it created a Transfer Family server with internal access.

Custom hostname

Endpoint

AccessInfo: Internal

FIPS enabled: No

answered 1 year ago

Hello,

Thanks for your perfect and valuable reply.

I have tried as per your comments and it's working as expected.

  TransferServer:
    Type: 'AWS::Transfer::Server'
    Properties:
      EndpointType: 'VPC'
      EndpointDetails:
        VpcId: !Ref VPC
        SubnetIds:
          - !Ref PublicSubnet
        # One allocation ID per subnet makes the endpoint internet-facing. An Elastic IP can be
        # associated with only one resource, so this EIP must not also be attached to the NAT gateway.
        AddressAllocationIds:
          - !GetAtt NatGatewayEIP.AllocationId
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Transferserver

answered 1 year ago

So good most detar

answered 1 year ago
