- Newest
- Most votes
- Most comments
When you create SFTP endpoint into VPC I believe you must provide EIP(s) for it. Details are shown in this blog post. https://aws.amazon.com/blogs/storage/use-ip-whitelisting-to-secure-your-aws-transfer-for-sftp-servers/
Can you use a VPC endpoint with internet-facing access?
According to the above blog, if you choose a VPC endpoint with internet-facing access you can attach Elastic IP addresses to the endpoint. These can be AWS-owned IP addresses or your own IP addresses (BYOIP). Elastic IP addresses attached to the endpoint don't change.
Note that as of today (January 2023) static IP addresses for AWS Transfer Family connectors are now available: https://aws.amazon.com/about-aws/whats-new/2024/01/aws-transfer-family-static-ip-sftp-connectors/
Relevant content
- asked 2 years ago
- asked 2 years ago
AWS OFFICIALUpdated 5 months ago
Hi, thanks. I was trying to avoid to have to redeploy the cloudformation, since originally it seems to have been deployed as Public Endpoint type. I get 3 different addresses from nslookup, but i am afraid if i provide them with this (or even a range/subnet) they can be altered anytime in the future. So this means that for customers to be able to whitelist, the only solution seems to be with VPC if i undestood correctly.
You're right. Public endpoint IPs can change. Here is the summary of different endpoint types. https://aws.amazon.com/premiumsupport/knowledge-center/aws-sftp-endpoint-type/