AWS Transfer Family Endpoint
Overview
AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of AWS storage services.
Below is the summary of AWS transfer family endpoint type:
- Public endpoint
- VPC endpoint for internal access
- VPC endpoint with internet facing access and
- VPC_ENDPOINT
Except public endpoint, all other patterns are backed by AWS PrivateLink.
Early 2021, AWS provided new VPC endpoint type for PrivateLink integration. Sharing data using AWS transfer family over internet is simplified. The new VPC endpoint type replaced VPC_ENDPOINT type, after May 19, 2021 you are no longer able to create SFTP server using VPC_ENDPOINT type.
We will explore more about the new VPC endpoint type, outline design options and potential use cases for the design.
VPC endpoint with internet-facing access
Feature Highlight
- Support SFTP and FTPS protocols
- Access Over the internet
- Static Elastic IP address
- Security group and network ACL for inbound control in server side VPC
- Client firewall allow list — DNS name of the server or EIP
- The VPC endpoint subnet should be public subnet
Use Case
This design works if you have external client, and your client does not run their workload from AWS VPC, and both sides are comfortable to do file transfer over internet.
VPC endpoint internal access from your VPC
Feature Highlight
- Supported protocols, SFTP/FTP/ FTPS
- From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.
- All traffic remains in your private network and AWS backbone.
- Static private IP address
- Both security group and network ACL can be applied as inbound control in server side VPC/subnet
- Client firewall allow list can be applied for outbound control
Use Case
This design works for file transfer within VPC and VPC-connected environment, in other words, you have the networking connectivity to the VPC endpoint private IP and you are part of the private network.
VPC endpoint internal access from customer’s VPC
Use Case
This design works in case you have third party client, the client workload runs from their own AWS account and VPC, and you don’t want to traverse over public network for compliance reason in regulated industries.
VPC endpoint service is utilized in this solution in addition to AWS transfer family VPC endpoint.
VPC Endpoint in Shared VPC
Use Case
Based on AWS document, AWS Transfer Family supports creating Amazon Virtual Private Cloud (Amazon VPC) hosted server endpoints in centrally managed and shared Amazon VPC environments, potentially reducing the overall complexity of your networking and deployments in cross account scenarios.
AWS blog has an example to create internet facing VPC endpoint in shared VPC and the VPC is shared within the organization. I would think it works for internal access pattern as well.
Technically your client could also share their VPC with you, and you will be able to create AWS transfer family server using VPC endpoint in the shared VPC for your S3. I will understand more about security best practice for VPC sharing and come back later on this option.
Conclusion
We discussed internet facing and internal access pattern for AWS transfer family VPC endpoint, we also covered the VPC endpoint in shared VPC.
In future blog post, I will design labs and get to know more details on these endpoint types.
References
New — AWS Transfer Family support for Amazon Elastic File System | AWS News Blog
Configure an AWS Transfer for SFTP server to use an S3 bucket in another account (amazon.com)
