connect to an internal sftp server from outside private vpc (on prem)


Hi team,

I have a private VPC with all private subnets,

I create an sftp server:

  • Protocols = SFTP
  • Identity provider = Service managed
  • VPC = my private VPC
  • access = Internal
  • Domain = Amazon S3

the objective is to allow the other team from the same corporate to load files into my s3 bucket.

when I finish creating the sftp server, it doesn't give me an endpoint ==> (Endpoint = '-' and Custom hostname = '_')

I just want to know how the other team from the same corporate can interact with the sftp server to put files on my bucket as my sftp server is not publically accessible and I don't have an endpoint URL to give them.

so how can they connect to my server to put files?

can they use clients like FileZilla or putty or winSCP ... to transfer files?

Thank you!

1 Answer
Accepted Answer

Can you please take a look at this AWS Premium Support article -

Your scenario comes under the 2nd column - Amazon Virtual Private Cloud (Amazon VPC) endpoint with internal access

As you can see on the "Access" row, it mentions the following "From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN". This implies that with your configuration, you should be able to connect to the SFTP server using private IP addresses, as long as a network path has been set-up from your corporate network to the AWS VPC using either DirectConnect or IPSec VPN.

You have mentioned that you don't see any Custom Hostname and Endpoint in your AWS Transfer Family server configuration. However, you should see private IP addresses for your SFTP server created under the Endpoint Configuration section.

As per the recommendation of the above referenced Support article, "Use a Network Load Balancer in front of a VPC endpoint with internal access. Change the listener port on the load balancer from port 22 to a different port. This can reduce, but not eliminate, the risk of port scanners and bots probing your server, because port 22 is most commonly used for scanning. However, if you use a Network Load Balancer, you can't use security groups to allow access from source IP addresses."

You should be able to use clients such as Filezilla to FTP the files from your on-prem machines to the SFTP Server in AWS. For a list of supported clients take a look at this -

profile picture
answered 2 months ago
profile picture
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions