
I'm trying to set up an SFTP server managed by AWS that has a fixed IP address which external clients can whitelist in a firewall. Based on this FAQ, this is what I should do:

You can enable fixed IPs for your server endpoint by selecting the VPC endpoint for your server and choosing the internet-facing option. This will allow you to attach Elastic IPs (including BYO IPs) to your server's endpoint, which is assigned as the endpoint's IP address.

So I followed the official instructions here under "Creating an Internet-Facing Endpoint for Your SFTP Server". The creation settings look like this:

[Screenshot: Server configuration 1]

[Screenshot: Server configuration 2]

The result looks like this:

[Screenshot: Server result]

Compare with the result screenshot from the docs:

[Screenshot: docs (source: amazon.com)]

My result is almost the same, except that under the table "Endpoint Configuration" the last column says "Private IPv4 Address" instead of "Public". That's the first red flag. I have no idea why it's a private address. It doesn't look like one: it's the IP address of the Elastic IP that I created, and the endpoint DNS name s-******.server.transfer.eu-west-1.amazonaws.com resolves to that IP address on my local machine.

If I ping the endpoint or the IP address, it doesn't work:

451 packets transmitted, 0 received, 100% packet loss, time 460776ms

If I try connecting with sftp or ssh it hangs for a while before failing:

ssh: connect to host 34.****** port 22: Connection timed out
Connection closed

The other potential problem is security groups:

At this point, your endpoint is assigned with the selected VPC's default security group. To associate additional or change existing security groups, visit the Security Groups section in the https://console.aws.amazon.com/vpc/.

These instructions don't make sense to me because there's nowhere in the Security Groups interface that I can assign a group to another entity such as a transfer server. And there's nowhere in the transfer server configuration that mentions security groups. How do I set a new security group?

I tried changing the security group of the Network Interface of the Elastic IP, but I got a permission error even though I'm an administrator. Apparently I don't actually own ENIs? In any case I don't know if this is the right path.

Glorfindel
Alex Hall

2 Answers

The solution was to find the endpoint that was created for the server in the "Endpoints" section of the VPC console. The security groups of the endpoint can be edited.

The "Private IPv4 address" seems to be irrelevant.

Alex Hall


The default security group controls access to the internet-facing endpoint for the new SFTP server in a VPC. Mess around with the default security group ingress rules for the VPC selected for the SFTP server. Or, whitelist the exact IP address connecting to the SFTP endpoint in the default security group.

If the admin says ho hum, create a second VPC for the SFTP server if isolation is absolutely necessary. Fiddle with the default group in the new, isolated VPC.

Link: Creating an Internet-Facing Endpoint for Your SFTP Server

Happy transferring!

starpebble
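Both answers come down to the same check: the security group attached to the Transfer server's VPC endpoint (not anything on the server itself) must admit the client's address on port 22, and a default group, which only admits its own members, is why external clients time out. The following is an added example, not code from either answer or from AWS, that runs that check offline over constructed inputs shaped like the output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`; the endpoint ID, group IDs and the 203.0.113.10 client address are placeholders.

```python
import ipaddress

# Constructed sample shaped like one entry of `aws ec2 describe-vpc-endpoints`: the
# interface endpoint AWS Transfer created for the server (identifiable by ServiceName),
# still carrying the VPC's default security group. IDs are placeholders.
SAMPLE_ENDPOINT = {
    "VpcEndpointId": "vpce-PLACEHOLDER",
    "ServiceName": "com.amazonaws.eu-west-1.transfer.server",
    "Groups": [{"GroupId": "sg-default", "GroupName": "default"}],
}

# Constructed sample keyed by group id, shaped like `aws ec2 describe-security-groups`.
# A default group only admits traffic from its own members, which is why an external
# client's connection to port 22 times out rather than being refused.
SAMPLE_GROUPS = {
    "sg-default": {"IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-default"}]},
    ]},
    "sg-sftp-clients": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
    ]},
}


def rule_admits(perm, client_ip, port=22):
    """True if one IpPermissions entry admits TCP `port` from `client_ip` (IPv4 ranges only)."""
    proto = perm.get("IpProtocol")
    if proto not in ("-1", "tcp"):
        return False
    if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))


def check_client_access(endpoint, groups, client_ip, port=22):
    """Evaluate the groups attached to the server's VPC endpoint for one client.

    'allowing' lists groups that admit client_ip on port; 'open_to_world' lists groups
    that also admit 0.0.0.0 (only a catch-all range such as 0.0.0.0/0 does), i.e. a
    whitelist that does not actually restrict anything.
    """
    result = {"endpoint": endpoint["VpcEndpointId"], "allowing": [], "open_to_world": []}
    for g in endpoint["Groups"]:
        perms = groups[g["GroupId"]]["IpPermissions"]
        if any(rule_admits(p, client_ip, port) for p in perms):
            result["allowing"].append(g["GroupId"])
        if any(rule_admits(p, "0.0.0.0", port) for p in perms):
            result["open_to_world"].append(g["GroupId"])
    return result
```

Against live data, the same two structures come from `describe_vpc_endpoints` (filter on the `com.amazonaws.<region>.transfer.server` service name) and `describe_security_groups` in boto3; the `endpoint` field is the ID to open in the VPC console's Endpoints section to edit its groups.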