If the NLB isn't able to communicate with your endpoint, the health check won't pass. Make sure the security group around your endpoint and the NACLs on the endpoint's subnet allow the NLB to access it. For more details on troubleshooting your NLB, refer to the following documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-troubleshooting.html
Additionally, here are detailed steps to enable Elastic IP on your NLB and use it to access your SFTP server endpoint. The flow of the request would be the following:
SFTP Client User -> NLB -> VPC-endpoint -> Transfer SFTP
Steps:
a) Allocate three (1 per AZ) Elastic IP addresses in the region where you want to have this setup. Here's the documentation on working with Elastic IP addresses: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
b) Steps to create a VPC endpoint interface for AWS Transfer Server: (Also available here with screenshots: https://docs.aws.amazon.com/transfer/latest/userguide/create-server-vpc.html)
- Open VPC console
- Select Endpoints
- Click Create Endpoint
- Select Service category > AWS services
- Select Service Name > com.amazonaws.region.transfer.server
- Select the subnets and Security Groups for this endpoint.
- Click Create Endpoint.
- Once the endpoint is created, select the endpoint and click on Subnets to get the private IP addresses. These will be used later on.
c) Enable VPC endpoint on Transfer SFTP.
- Open Transfer SFTP console in the same region.
- Check the server > Actions -> Stop
- Once the server is stopped, click the server ID.
- Click "Edit" in server configuration.
- Select "VPC" as Endpoint type.
- Select the VPC endpoint created in part B.
After this step, the SFTP server should be accessible from within the VPC over the private IP addresses you got from step (b)(8).
d) Create an NLB and define this endpoint as target. Visit the documentation on Getting Started page on detailed steps to Create a Network Load Balancer and associated Target Group: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancer-getting-started.html
- Go to Load Balancer console.
- Create new load balancer.
- Select Network Load Balancer.
- Select internet facing and edit the TCP port to 22.
- Select the VPC, Availability zone and subnets so they match with the ones you selected earlier in b(6).
- In subnets, select the elastic IP addresses created in (1).
- Click Next to select and configure the target groups.
- Visit the documentation to register an IP address for the target group: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html
- Add a name, select port = 22, target type = IP.
- Click Next and add the IP addresses from step b(8) (i.e. your VPC endpoint's private IPs).
- Click Review and create.
Testing with OpenSSH
sftp -i sftpuserkey sftpuser@ELASTIC-IP
Please let me know if you have any questions.
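The same build-out (steps a through d above) as an added Terraform example; it is not part of the answer and not AWS's own code. It assumes the hashicorp/aws provider 5.x and placeholder input variables `region`, `vpc_id`, `vpc_cidr`, `subnet_ids` (one per AZ) and `allowed_client_cidrs` for your environment. The endpoint security group encodes the point made in the first paragraph: the target group's TCP/22 health check originates from the NLB's private addresses inside the VPC, and because an NLB with IP targets preserves the client source address by default, the SFTP clients' ranges must be allowed on port 22 as well, or the health check passes while real connections are dropped.

```hcl
# Added example, not from the answer above or from AWS. Assumed inputs:
variable "region"               { type = string }
variable "vpc_id"               { type = string }
variable "vpc_cidr"             { type = string }        # for NLB health checks
variable "subnet_ids"           { type = list(string) }  # one subnet per AZ
variable "allowed_client_cidrs" { type = list(string) }  # who may reach SFTP

# a) One Elastic IP per AZ for the internet-facing NLB.
resource "aws_eip" "nlb" {
  count  = length(var.subnet_ids)
  domain = "vpc"
}

# Security group on the Transfer VPC endpoint: health checks come from inside
# the VPC, client source IPs are preserved, so both need port 22.
resource "aws_security_group" "transfer_endpoint" {
  name   = "transfer-sftp-endpoint"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = concat([var.vpc_cidr], var.allowed_client_cidrs)
  }
}

# b) Interface VPC endpoint for com.amazonaws.<region>.transfer.server.
resource "aws_vpc_endpoint" "transfer" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.transfer.server"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.transfer_endpoint.id]
  private_dns_enabled = false
}

# The endpoint's private IPs (the ones shown on the Subnets tab) live on its ENIs.
data "aws_network_interface" "endpoint" {
  count = length(var.subnet_ids)
  id    = tolist(aws_vpc_endpoint.transfer.network_interface_ids)[count.index]
}

# c) Transfer server attached to that endpoint (endpoint type VPC_ENDPOINT).
resource "aws_transfer_server" "sftp" {
  endpoint_type          = "VPC_ENDPOINT"
  identity_provider_type = "SERVICE_MANAGED"
  protocols              = ["SFTP"]

  endpoint_details {
    vpc_endpoint_id = aws_vpc_endpoint.transfer.id
  }
}

# d) Internet-facing NLB with one EIP per subnet, TCP/22 listener and an
# IP-type target group that points at the endpoint's private IPs.
resource "aws_lb" "sftp" {
  name               = "sftp-nlb"
  load_balancer_type = "network"
  internal           = false

  dynamic "subnet_mapping" {
    for_each = range(length(var.subnet_ids))
    content {
      subnet_id     = var.subnet_ids[subnet_mapping.value]
      allocation_id = aws_eip.nlb[subnet_mapping.value].id
    }
  }
}

resource "aws_lb_target_group" "sftp" {
  name        = "sftp-endpoint"
  port        = 22
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id

  health_check { protocol = "TCP" }  # plain TCP connect to port 22
}

resource "aws_lb_target_group_attachment" "sftp" {
  count            = length(var.subnet_ids)
  target_group_arn = aws_lb_target_group.sftp.arn
  target_id        = data.aws_network_interface.endpoint[count.index].private_ip
  port             = 22
}

resource "aws_lb_listener" "sftp" {
  load_balancer_arn = aws_lb.sftp.arn
  port              = 22
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.sftp.arn
  }
}

# The addresses to hand to SFTP users (ELASTIC-IP in the sftp command above).
output "sftp_elastic_ips" { value = aws_eip.nlb[*].public_ip }
```

After `terraform apply`, check the target group in the console or with `aws elbv2 describe-target-health`: a target stuck in `unhealthy` with the endpoint otherwise reachable from inside the VPC almost always means the endpoint's security group or the subnet NACL is not admitting the NLB's health-check traffic on port 22, which is exactly the failure the first paragraph describes.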