AWS Transfer Family Endpoint

Cloud Journey
Aug 1, 2021

Overview

AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of AWS storage services.

Below is a summary of the AWS Transfer Family endpoint types:

  • Public endpoint
  • VPC endpoint for internal access
  • VPC endpoint with internet-facing access
  • VPC_ENDPOINT

Except for the public endpoint, all of these patterns are backed by AWS PrivateLink.

In early 2021, AWS introduced a new VPC endpoint type for PrivateLink integration, which simplifies sharing data over the internet with AWS Transfer Family. The new VPC endpoint type replaced the VPC_ENDPOINT type; after May 19, 2021 you can no longer create an SFTP server using the VPC_ENDPOINT type.

We will explore the new VPC endpoint type in more detail, outline the design options, and describe potential use cases for each design.

VPC endpoint with internet-facing access

Feature Highlight

  • Supports the SFTP and FTPS protocols
  • Access over the internet
  • Static Elastic IP address
  • Security group and network ACL for inbound control in the server-side VPC
  • Client firewall allow list: the DNS name of the server or the EIP
  • The VPC endpoint subnet should be a public subnet

Use Case

This design works if you have an external client that does not run its workload from an AWS VPC, and both sides are comfortable transferring files over the internet.

VPC endpoint internal access from your VPC

Feature Highlight

  • Supported protocols: SFTP, FTP and FTPS
  • Accessible from within the VPC and from VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN
  • All traffic remains in your private network and on the AWS backbone
  • Static private IP address
  • Both a security group and a network ACL can be applied as inbound control in the server-side VPC/subnet
  • A client firewall allow list can be applied for outbound control

Use Case

This design works for file transfer within the VPC and VPC-connected environments; in other words, you have network connectivity to the VPC endpoint's private IP and you are part of the private network.
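The two feature lists above map directly onto the parameters of the Transfer Family create-server API. The following is an added example (not code from the original post) that builds the `EndpointType="VPC"` request for either the internet-facing or the internal access pattern and rejects combinations the pattern does not support: FTP on an internet-facing endpoint, an internet-facing endpoint without one Elastic IP allocation per subnet, or a server with no security group. It also derives the security-group ingress rules that limit inbound access to the client allow list. The request shape follows the boto3 `transfer` client's `create_server` call; all VPC, subnet, EIP allocation, security group and CIDR values are constructed placeholders, and the FTP/FTPS passive data port range used here (8192-8200) is an assumption to verify against the current AWS documentation.

```python
"""Build and sanity-check an AWS Transfer Family create_server request for
the internet-facing and internal VPC endpoint access patterns.

Added example, not the original post's code. Resource IDs are constructed
placeholders; the passive port range is an assumption (check AWS docs)."""

from typing import Any, Dict, List, Optional

# Protocols each access pattern supports, as listed in the post.
ALLOWED_PROTOCOLS = {
    "internet-facing": {"SFTP", "FTPS"},
    "internal": {"SFTP", "FTP", "FTPS"},
}

# Listener port ranges per protocol. 22 (SFTP) and 21 (FTP/FTPS control) are
# the standard ports; 8192-8200 is assumed to be the passive data range.
PROTOCOL_PORTS = {
    "SFTP": [(22, 22)],
    "FTPS": [(21, 21), (8192, 8200)],
    "FTP": [(21, 21), (8192, 8200)],
}


def build_create_server_request(pattern: str, vpc_id: str, subnet_ids: List[str],
                                security_group_ids: List[str], protocols: List[str],
                                eip_allocation_ids: Optional[List[str]] = None) -> Dict[str, Any]:
    """Return kwargs for boto3's transfer client: client.create_server(**kwargs).

    Raises ValueError for combinations the chosen access pattern cannot support."""
    if pattern not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unknown access pattern: {pattern}")
    unsupported = set(protocols) - ALLOWED_PROTOCOLS[pattern]
    if unsupported:
        raise ValueError(f"{sorted(unsupported)} not supported on a {pattern} VPC endpoint")
    if not security_group_ids:
        raise ValueError("at least one security group is required for inbound control")

    details: Dict[str, Any] = {
        "VpcId": vpc_id,
        "SubnetIds": subnet_ids,
        "SecurityGroupIds": security_group_ids,
    }
    if pattern == "internet-facing":
        # Internet-facing access needs one Elastic IP allocation per subnet;
        # without AddressAllocationIds the endpoint is reachable only privately.
        if not eip_allocation_ids or len(eip_allocation_ids) != len(subnet_ids):
            raise ValueError("internet-facing pattern needs one EIP allocation per subnet")
        details["AddressAllocationIds"] = eip_allocation_ids
    elif eip_allocation_ids:
        raise ValueError("internal pattern must not attach Elastic IPs")

    return {
        "EndpointType": "VPC",  # the type that replaced VPC_ENDPOINT
        "EndpointDetails": details,
        "Protocols": protocols,
        "IdentityProviderType": "SERVICE_MANAGED",
    }


def is_rejected(*args: Any, **kwargs: Any) -> bool:
    """True when build_create_server_request refuses the given combination."""
    try:
        build_create_server_request(*args, **kwargs)
    except ValueError:
        return True
    return False


def ingress_rules(protocols: List[str], allowed_cidrs: List[str]) -> List[Dict[str, Any]]:
    """Derive IpPermissions (the authorize_security_group_ingress shape) that
    open only the ports each protocol needs, restricted to the client CIDRs."""
    rules = []
    for proto in protocols:
        for low, high in PROTOCOL_PORTS[proto]:
            rules.append({
                "IpProtocol": "tcp",
                "FromPort": low,
                "ToPort": high,
                "IpRanges": [{"CidrIp": c, "Description": f"{proto} clients"} for c in allowed_cidrs],
            })
    return rules


if __name__ == "__main__":
    # Constructed sample: internet-facing SFTP server across two public subnets.
    req = build_create_server_request(
        "internet-facing", "vpc-0example", ["subnet-0a", "subnet-0b"],
        ["sg-0sftp"], ["SFTP"], eip_allocation_ids=["eipalloc-0a", "eipalloc-0b"])
    print(req)
    print(ingress_rules(["SFTP"], ["203.0.113.0/24"]))
    # To create the server for real: boto3.client("transfer").create_server(**req)
```

The security group produced by `ingress_rules` is the inbound control the post describes; a network ACL on the endpoint subnet can carry the same port and CIDR restrictions as a second, stateless layer.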

VPC endpoint internal access from customer’s VPC

Use Case

This design works when you have a third-party client whose workload runs from their own AWS account and VPC, and you do not want to traverse the public network, for compliance reasons in regulated industries.

A VPC endpoint service is used in this solution in addition to the AWS Transfer Family VPC endpoint.

VPC Endpoint in Shared VPC

Use Case

According to the AWS documentation, AWS Transfer Family supports creating Amazon Virtual Private Cloud (Amazon VPC) hosted server endpoints in centrally managed and shared Amazon VPC environments, potentially reducing the overall complexity of your networking and deployments in cross-account scenarios.

An AWS blog post has an example of creating an internet-facing VPC endpoint in a shared VPC, where the VPC is shared within the organization. I would think it works for the internal access pattern as well.

Technically, your client could also share their VPC with you, and you would be able to create an AWS Transfer Family server using a VPC endpoint in the shared VPC for your S3. I will learn more about security best practices for VPC sharing and come back to this option later.

Conclusion

We discussed the internet-facing and internal access patterns for the AWS Transfer Family VPC endpoint, and we also covered the VPC endpoint in a shared VPC.

In a future blog post, I will design labs and get to know these endpoint types in more detail.

References

  • How to Use AWS Transfer Family to Replace and Scale SFTP Servers | AWS Partner Network (APN) Blog
  • New — AWS Transfer Family support for Amazon Elastic File System | AWS News Blog
  • Update your AWS Transfer Family server endpoint type from VPC_ENDPOINT to VPC | AWS Storage Blog
  • Improve throughput for internet facing file transfers using AWS Global Accelerator and AWS Transfer Family services | AWS Networking & Content Delivery Blog
  • Securing AWS Transfer Family with AWS Web Application Firewall and Amazon API Gateway | AWS Storage Blog
  • How Discover Financial secures file transfers with AWS Transfer Family | AWS Storage Blog
  • Configure an AWS Transfer for SFTP server to use an S3 bucket in another account | AWS Knowledge Center


All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal