AWS Transfer Family VPC endpoint not working

0

Hi,

Can anyone please help me with the below YAML template for AWS Transfer Family with an internet-facing VPC endpoint? Here the VPC endpoint was not working.

Please, can anyone run the below template as a stack in your testing account and give me the correct template?

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  EnvironmentName:
    Description: An environment name that is prefixed to resource names
    Type: String

  VpcCIDR:
    Description: Please enter the IP range (CIDR notation) for this VPC
    Type: String
    Default: 10.192.0.0/16

  PublicSubnetCIDR:
    Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
    Type: String
    Default: 10.192.10.0/24

  PrivateSubnetCIDR:
    Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
    Type: String
    Default: 10.192.20.0/24

  CreateServer:
    AllowedValues:
      - 'true'
      - 'false'
    Type: String
    Description: >-
      Whether this stack creates a server internally or not. If a server is
      created internally, the customer identity provider is automatically
      associated with it.
    Default: 'true'
  
  Endpointtype:
    AllowedValues:
      - 'Internal'
      - 'Internet facing'
    Type: String
    Default: 'Internet facing'

Conditions:
  CreateServer:
    'Fn::Equals':
      - Ref: CreateServer
      - 'true'    

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCIDR
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Resources

  CloudWatchLoggingRole:
    Description: IAM role used by Transfer to log API requests to CloudWatch
    Type: 'AWS::IAM::Role'
    Condition: CreateServer
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # Without an attached policy the role can be assumed but cannot write any logs.
      Policies:
        - PolicyName: TransferLogsAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:DescribeLogStreams'
                  - 'logs:PutLogEvents'
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/transfer/*'
   
  GoldcoastTvodUser:
    Type: 'AWS::Transfer::User'
    # Users reference TransferServer, which only exists when CreateServer is 'true'.
    Condition: CreateServer
    Properties:
      HomeDirectory: "/goldcoast-tvod"
      HomeDirectoryType: "PATH"
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow", 
              "Resource": [
                "arn:aws:s3:::goldcoast-tvod",
                "arn:aws:s3:::goldcoast-tvod/*"
              ]
            }
          }
      Role:
        # This role is not created by the template and must already exist in the account.
        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
      ServerId:
        'Fn::GetAtt': TransferServer.ServerId
      SshPublicKeys:
        - >-
          ssh-rsa
      UserName: GoldcoastTvodUser

  etcsvoduser:
    Type: 'AWS::Transfer::User'
    Condition: CreateServer
    Properties:
      HomeDirectory: "/etc-svod"
      HomeDirectoryType: "PATH"
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow", 
              "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
              ]
            }
          }
      Role:
        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
      ServerId:
        'Fn::GetAtt': TransferServer.ServerId
      SshPublicKeys:
        - >-
          ssh-rsa 
      UserName: etc-svod-user

  etctvoduser:
    Type: 'AWS::Transfer::User'
    Condition: CreateServer
    Properties:
      HomeDirectory: "/tvn-tvod"
      HomeDirectoryType: "PATH"
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow", 
              "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
              ]
            }
          }
      Role:
        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
      ServerId:
        'Fn::GetAtt': TransferServer.ServerId
      SshPublicKeys:
        - >-
      UserName: etc-tvod-user

  lhtcsvoduser:
    Type: 'AWS::Transfer::User'
    Condition: CreateServer
    Properties:
      HomeDirectory: "/lhtc-svod"
      HomeDirectoryType: "PATH"
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow", 
              "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
              ]
            }
          }
      Role:
        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
      ServerId:
        'Fn::GetAtt': TransferServer.ServerId
      SshPublicKeys:
        - >-
          ssh-rsa 
      UserName: lhtc-svod-user

  lhtctvoduser:
    Type: 'AWS::Transfer::User'
    Condition: CreateServer
    Properties:
      HomeDirectory: "/tvn-tvod"
      HomeDirectoryType: "PATH"
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow", 
              "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
              ]
            }
          }
      Role:
        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
      ServerId:
        'Fn::GetAtt': TransferServer.ServerId
      SshPublicKeys:
        - >-
          ssh-rsa 
      UserName: lhtc-tvod-user

  mastercopyfoleuser:
    Type: 'AWS::Transfer::User'
    Condition: CreateServer
    Properties:
      HomeDirectory: "/mastercopyfiles"
      HomeDirectoryType: "PATH"
      Policy:
        'Fn::Sub': |
          {
            "Version": "2012-10-17",
            "Statement": {
              "Sid": "AllowFullAccessToBucket",
              "Action": "s3:*",
              "Effect": "Allow", 
              "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
              ]
            }
          }
      Role:
        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
      ServerId:
        'Fn::GetAtt': TransferServer.ServerId
      SshPublicKeys:
        - >-
          ssh-rsa 
      UserName: mastercopyfole-user
  

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref PublicSubnetCIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Public Subnet

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs  '' ]
      CidrBlock: !Ref PrivateSubnetCIDR
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Private Subnet

  NatGatewayEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Elastic IP

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
    #  Tags:
    #    - Key: Name
    #      Value: !Sub ${EnvironmentName} Public Routes

  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet


  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PrivateSubnet

  myCarrierRoute:
    Type: AWS::EC2::Route
    # A route to an internet gateway must wait for the gateway to be attached to the VPC.
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Production Security Group"
      GroupDescription: "Security Group with inbound and outbound rule" 
      VpcId: !Ref VPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0
      - IpProtocol: udp
        FromPort: 69
        ToPort: 69
        CidrIp: 96.47.148.171/32
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 3.16.146.0/29
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}

  TfVPCInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
      VpcId: !Ref VPC
      SubnetIds: 
        - !Ref PublicSubnet
      SecurityGroupIds:
        - !Ref SecurityGroup

  TransferServer:
    Type: 'AWS::Transfer::Server'
    Condition: CreateServer
    Properties:
      EndpointType: 'VPC'
      SecurityPolicyName: TransferSecurityPolicy-FIPS-2020-06
      LoggingRole:
        'Fn::GetAtt': CloudWatchLoggingRole.Arn
      EndpointDetails:
        VpcId: !Ref VPC
        SubnetIds:
          - !Ref PublicSubnet
        AddressAllocationIds:
          - !GetAtt NatGatewayEIP.AllocationId
      # A YAML mapping may only contain one Tags key; the duplicate has been dropped.
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Transferserver
2 Answers
1
Accepted Answer

If the security group is not set in "EndpointDetails" of "TransferServer", the default security group of the VPC will be attached.
If so, it should result in an error, because the default's inbound rule is not something that can be connected with.
You can specify a security group by setting the following.

  TransferServer:
    Type: 'AWS::Transfer::Server'
    Condition: CreateServer
    Properties:
      EndpointType: 'VPC'
      SecurityPolicyName: TransferSecurityPolicy-FIPS-2020-06
      LoggingRole:
        'Fn::GetAtt': CloudWatchLoggingRole.Arn
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName} Transferserver

      EndpointDetails:
        VpcId: !Ref VPC
        SubnetIds: 
          - !Ref PublicSubnet
        SecurityGroupIds:
          - !Ref SecurityGroup
        AddressAllocationIds:
          - !GetAtt NatGatewayEIP.AllocationId

I also think your security group settings are a bit wrong.
Modify as follows.
Since we are using this security group to access the VPC endpoint for CloudWatch Logs, we need to allow HTTPS in an inbound rule.

  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Production Security Group"
      GroupDescription: "Security Group with inbound and outbound rule" 
      VpcId: !Ref VPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0
      - IpProtocol: udp
        FromPort: 69
        ToPort: 69
        CidrIp: 96.47.148.171/32
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 3.16.146.0/29
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}
EXPERT
answered a year ago
  • Hi,

    After making the changes, I had the same issue.

    [root@etc-vod ~]# telnet s-2c478803ebef4023b.server.transfer.us-east-1.amazonaws.com 22
    Trying 54.243.218.117...
    telnet: connect to address 54.243.218.117: Connection timed out
    You have new mail in /var/spool/mail/root

    Thanks,

  • In my environment, I am able to make a successful SFTP connection with the following command.

    sftp -i .\id_rsa GoldcoastTvodUser@s-xxxxxxxxxxx.server.transfer.us-east-1.amazonaws.com
    

    If the security group has been successfully configured, there will be no timeout error.
    The AWS Transfer Family VPC endpoints can be found on the VPC Endpoints screen. From there, check to see if the security group has been successfully set up.

  • Hi @Riku_Kobayashi,

    I am really excited to know this.

    Can you please share with me the stack file which you tried successfully, so that I can check from my end?

    [root@etc-vod .ssh]# sftp etc-svod-user@s-2c478803ebef4023b.server.transfer.us-east-1.amazonaws.com
    ssh: connect to host s-2c478803ebef4023b.server.transfer.us-east-1.amazonaws.com port 22: Connection timed out
    Couldn't read packet: Connection reset by peer

    Note: I have just tried again as well, but I got a connectivity error.

    Thanks,

  • Hi @Riku_Kobayashi,

    I just have one more clarification: I want to use a network ACL as the security type instead of a security group.

    I am trying with the below policy, but the Transfer Family server has taken the default network ACL.

    How can I map a custom network ACL instead of the default network ACL?

    MyNACL:
      Type: AWS::EC2::NetworkAcl
      Properties:
        VpcId: !Ref VPC

    InboundRule:
      Type: AWS::EC2::NetworkAclEntry
      Properties:
        NetworkAclId:
          Ref: MyNACL
        RuleNumber: 100
        Protocol: 6
        RuleAction: Deny
        CidrBlock: 0.0.0.0/0
        PortRange:
          From: 22
          To: 22

    OutboundRule:
      Type: AWS::EC2::NetworkAclEntry
      Properties:
        NetworkAclId:
          Ref: MyNACL
        RuleNumber: 100
        Protocol: -1
        Egress: true
        RuleAction: Deny
        CidrBlock: 0.0.0.0/0

  • That is not enough to tie a network ACL to a subnet. Therefore, it is necessary to use "AWS::EC2::SubnetNetworkAclAssociation" to link the network ACL to the subnet where the VPC endpoint of the transfer family is located. https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet-network-acl-assoc.html
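The accepted answer and the comment thread above make two points that are easy to verify before a stack is deployed: a VPC-type Transfer server with no SecurityGroupIds in EndpointDetails gets the VPC default security group (and the group it names must admit SFTP inbound, plus HTTPS when it is shared with the CloudWatch Logs Interface endpoint), and a custom network ACL does nothing until a SubnetNetworkAclAssociation ties it to the endpoint subnet. The script below is an added example and is not code from the thread or from AWS; it assumes the template has already been loaded into a Python dict with long-form intrinsics such as {"Ref": "X"} (a CloudFormation-aware loader such as cfn-flip produces that shape), and the two fixtures are constructed inline, with 203.0.113.0/24 standing in as a placeholder client range.

```python
# Added example; not code from the original thread. Static checks for the points raised
# above: a VPC-type Transfer server must name its own security group (SFTP inbound, plus
# HTTPS where the group is shared with an Interface endpoint), and a custom network ACL
# needs a SubnetNetworkAclAssociation. Templates are dicts; the fixtures are constructed.

SFTP_PORT, HTTPS_PORT = 22, 443
WORLD = ("0.0.0.0/0", "::/0")


def resources_of_type(template, rtype):
    """{logical_id: resource} for every resource of the given CloudFormation type."""
    return {n: r for n, r in template.get("Resources", {}).items() if r.get("Type") == rtype}


def logical_id(value):
    """Reduce a {"Ref": "X"} intrinsic to "X"; literal ids (sg-..., subnet-...) pass through."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value


def rule_matches(rule, protocol, port):
    """True if one SecurityGroupIngress entry covers protocol/port ("-1" means all traffic)."""
    proto = str(rule.get("IpProtocol"))
    return proto == "-1" or (proto == protocol and
                             int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535)))


def ingress_allows(sg, protocol, port, from_world=False):
    """True if some inbound rule admits protocol/port (optionally only counting 0.0.0.0/0 or ::/0 rules)."""
    for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []):
        if rule_matches(rule, protocol, port):
            if not from_world or rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD:
                return True
    return False


def check_transfer_endpoints(template):
    """(severity, message) findings for every VPC-type AWS::Transfer::Server."""
    findings = []
    sgs = resources_of_type(template, "AWS::EC2::SecurityGroup")
    # Groups also attached to an Interface endpoint (the CloudWatch Logs one here) must admit HTTPS.
    endpoint_sgs = {logical_id(s) for ep in resources_of_type(template, "AWS::EC2::VPCEndpoint").values()
                    for s in ep.get("Properties", {}).get("SecurityGroupIds", [])}
    for name, server in resources_of_type(template, "AWS::Transfer::Server").items():
        props = server.get("Properties", {})
        if props.get("EndpointType") != "VPC":
            continue
        sg_refs = props.get("EndpointDetails", {}).get("SecurityGroupIds", [])
        if not sg_refs:
            findings.append(("ERROR", f"{name}: EndpointDetails.SecurityGroupIds is missing, so the VPC default "
                                      "security group is attached and SFTP clients time out"))
        for sg_id in map(logical_id, sg_refs):
            sg = sgs.get(sg_id)
            if sg is None:  # literal sg-... id or a group from another stack: cannot be checked statically
                findings.append(("WARN", f"{name}: {sg_id} is not defined in this template; verify it in the console"))
            elif not ingress_allows(sg, "tcp", SFTP_PORT):
                findings.append(("ERROR", f"{sg_id}: no inbound rule for TCP {SFTP_PORT} (SFTP)"))
            elif ingress_allows(sg, "tcp", SFTP_PORT, from_world=True):
                findings.append(("WARN", f"{sg_id}: TCP {SFTP_PORT} is open to the world; restrict it to client ranges"))
            if sg is not None and sg_id in endpoint_sgs and not ingress_allows(sg, "tcp", HTTPS_PORT):
                findings.append(("ERROR", f"{sg_id}: shared with an Interface endpoint but lacks inbound TCP {HTTPS_PORT}"))
    return findings


def check_nacl_associations(template):
    """A custom NetworkAcl only takes effect once a SubnetNetworkAclAssociation ties it to the endpoint subnet."""
    custom_acls = set(resources_of_type(template, "AWS::EC2::NetworkAcl"))
    associated = {(logical_id(a["Properties"]["NetworkAclId"]), logical_id(a["Properties"]["SubnetId"]))
                  for a in resources_of_type(template, "AWS::EC2::SubnetNetworkAclAssociation").values()}
    endpoint_subnets = {logical_id(s) for srv in resources_of_type(template, "AWS::Transfer::Server").values()
                        for s in srv.get("Properties", {}).get("EndpointDetails", {}).get("SubnetIds", [])}
    return [("ERROR", f"{subnet}: no SubnetNetworkAclAssociation to a custom ACL, so it keeps the VPC default network ACL")
            for subnet in sorted(endpoint_subnets) if custom_acls
            and not any(acl in custom_acls and sub == subnet for acl, sub in associated)]


# Constructed fixtures mirroring the question (broken) and the accepted answer (fixed).
def tcp(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}


def make_template(ingress, endpoint_details, nacl_association=False):
    resources = {
        "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                          "Properties": {"VpcId": {"Ref": "VPC"}, "SecurityGroupIngress": ingress}},
        "TfVPCInterfaceEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
            "VpcEndpointType": "Interface", "SecurityGroupIds": [{"Ref": "SecurityGroup"}]}},
        "TransferServer": {"Type": "AWS::Transfer::Server", "Properties": {"EndpointType": "VPC", "EndpointDetails": {
            "VpcId": {"Ref": "VPC"}, "SubnetIds": [{"Ref": "PublicSubnet"}], **endpoint_details}}},
        "MyNACL": {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": {"Ref": "VPC"}}},
    }
    if nacl_association:
        resources["MyNACLAssociation"] = {"Type": "AWS::EC2::SubnetNetworkAclAssociation",
                                          "Properties": {"SubnetId": {"Ref": "PublicSubnet"}, "NetworkAclId": {"Ref": "MyNACL"}}}
    return {"Resources": resources}


# Question: SSH open to the world, no SecurityGroupIds on the server, MyNACL never associated.
BROKEN_TEMPLATE = make_template([tcp(80, "0.0.0.0/0"), tcp(22, "0.0.0.0/0")], {})
# Fix: server names the group, SSH narrowed to a placeholder client range, HTTPS from the VPC CIDR, NACL associated.
FIXED_TEMPLATE = make_template([tcp(22, "203.0.113.0/24"), tcp(443, "10.192.0.0/16")],
                               {"SecurityGroupIds": [{"Ref": "SecurityGroup"}]}, nacl_association=True)

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        for severity, msg in check_transfer_endpoints(tpl) + check_nacl_associations(tpl):
            print(f"[{label}] {severity}: {msg}")
```

Run as a script it prints the findings for both fixtures: the broken one reports the missing SecurityGroupIds and the unassociated network ACL, the fixed one reports nothing. The checks look only at the logical ids inside one template, so a literal sg-... id or a group imported from another stack is reported as a warning to verify in the console rather than silently passed.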

0

@Riku_Kobayashi,

Thanks for your valuable guidance. I am now able to access SFTP using the VPC endpoint configured with a network ACL.

answered a year ago
