What type of endpoint should I use for my AWS Transfer Family server?


I want to know the type of endpoint that I must use for my AWS Transfer Family server.

Resolution

Review the following table to determine which AWS Transfer Family endpoint type best suits your use case:

Public endpoint
  Supported protocols: SFTP
  Access: From over the internet. This endpoint type doesn't require any special configuration in your VPC.
  Static IP address: You can't attach a static IP address. AWS provides IP addresses that are subject to change.
  Source IP allow list: This endpoint type does not support allow lists by source IP addresses. The endpoint is publicly accessible and listens for traffic over port 22.
  Client firewall allow list: You must allow the DNS name of the server. Because IP addresses are subject to change, avoid using IP addresses for your client firewall allow list.

Amazon Virtual Private Cloud (Amazon VPC) endpoint with internal access
  Supported protocols: SFTP, FTP, FTPS
  Access: From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  Static IP address: Private IP addresses attached to the endpoint don't change.
  Source IP allow list: To allow access by source IP address, you can use security groups attached to the server endpoints and network access control lists (network ACLs) attached to the subnet that the endpoint is in.
  Client firewall allow list: You can allow the private IP addresses or the DNS name of the endpoints.

VPC endpoint with internet-facing access
  Supported protocols: SFTP, FTPS
  Access: Over the internet and from within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  Static IP address: You can attach Elastic IP addresses to the endpoint. These can be AWS-owned IP addresses or your own IP addresses (BYOIP). Elastic IP addresses attached to the endpoint don't change. Private IP addresses attached to the server also don't change.
  Source IP allow list: To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.
  Client firewall allow list: You can allow the DNS name of the server or the Elastic IP addresses attached to the server.

VPC_ENDPOINT (DEPRECATED)
  Supported protocols: SFTP
  Access: From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
  Static IP address: Private IP addresses attached to the endpoint don't change.
  Source IP allow list: To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.
  Client firewall allow list: You can allow the private IP addresses or the DNS name of the endpoints.

Note: The VPC_ENDPOINT endpoint type is now deprecated and can't be used to create new servers. See Discontinuing the use of VPC_ENDPOINT to learn more.

Consider the following options to increase the security posture of your AWS Transfer Family server:

  • Use a VPC endpoint with internal access, so that the server is accessible only to clients within your VPC or VPC-connected environments such as an on-premises data center over AWS Direct Connect or VPN.
  • To allow clients to access the endpoint over the internet and protect your server, use a VPC endpoint with internet-facing access. Then, modify the VPC's security groups to allow traffic only from certain IP addresses that host your users' clients.
  • Use a Network Load Balancer in front of a VPC endpoint with internal access. Change the listener port on the load balancer from port 22 to a different port. This can reduce, but not eliminate, the risk of port scanners and bots probing your server, because port 22 is most commonly used for scanning. However, if you use a Network Load Balancer, you can't use security groups to allow access from source IP addresses.
  • If you require password-based authentication and you use a custom identity provider with your server, it's a best practice to set an aggressive password policy that prevents users from creating weak passwords and limits the number of failed login attempts.
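As an added example that is not part of the AWS article, the following CloudFormation template implements the second recommendation above: an SFTP server on a VPC endpoint with internet-facing access, an Elastic IP address attached to the endpoint, and a security group that allows port 22 only from a single client address range. The VPC ID, subnet ID and the 203.0.113.0/24 client range are placeholders to replace with your own values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Transfer Family SFTP server on an internet-facing VPC endpoint (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # placeholder: the VPC that hosts the endpoint
  SubnetId:
    Type: AWS::EC2::Subnet::Id       # placeholder: one public subnet in that VPC
  ClientCidr:
    Type: String
    Default: 203.0.113.0/24          # constructed example range; replace with your clients' egress range

Resources:
  # Static, internet-routable address for the endpoint. Elastic IP addresses don't change,
  # so this address can safely be used in client firewall allow lists.
  ServerEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # Source IP allow list: only ClientCidr may reach port 22.
  # A public endpoint (EndpointType: PUBLIC) can't be restricted this way.
  SftpSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SFTP only from known client addresses
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref ClientCidr

  SftpServer:
    Type: AWS::Transfer::Server
    Properties:
      Protocols: [SFTP]
      EndpointType: VPC              # not PUBLIC, and not the deprecated VPC_ENDPOINT
      IdentityProviderType: SERVICE_MANAGED
      EndpointDetails:
        VpcId: !Ref VpcId
        SubnetIds: [!Ref SubnetId]
        # Attaching an Elastic IP to a VPC endpoint is what makes it internet-facing.
        AddressAllocationIds: [!GetAtt ServerEip.AllocationId]
        SecurityGroupIds: [!Ref SftpSecurityGroup]

Outputs:
  ServerId:
    Value: !GetAtt SftpServer.ServerId
  ElasticIp:
    Value: !Ref ServerEip
```

Removing the AddressAllocationIds line turns the same template into a VPC endpoint with internal access (the first recommendation), reachable only from the VPC and VPC-connected networks.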

Related information

Create an internet-facing endpoint for your server

How can I enable Elastic IP addresses on my AWS Transfer Family SFTP-enabled server endpoint?

AWS OFFICIAL (updated 2 years ago)