

# Configuring an SFTP, FTPS, or FTP server endpoint
<a name="tf-server-endpoint"></a>

You can create a file transfer server by using the AWS Transfer Family service. The following file transfer protocols are available:
+ Secure Shell (SSH) File Transfer Protocol (SFTP) – File transfer over SSH. For details, see [Create an SFTP-enabled server](create-server-sftp.md).
**Note**  
We provide an AWS CDK example for creating an SFTP Transfer Family server. The example uses TypeScript, and is available on GitHub [here](https://github.com/aws-samples/aws-cdk-examples/tree/master/typescript/aws-transfer-sftp-server).
+ File Transfer Protocol Secure (FTPS) – File transfer with TLS encryption. For details, see [Create an FTPS-enabled server](create-server-ftps.md).
+ File Transfer Protocol (FTP) – Unencrypted file transfer. For details, see [Create an FTP-enabled server](create-server-ftp.md).
+ Applicability Statement 2 (AS2) – File transfer for transporting structured business-to-business data. For details, see [Configuring AS2](create-b2b-server.md). For AS2, you can quickly create a CloudFormation stack for demonstration purposes. This procedure is described in [Use a template to create a demo Transfer Family AS2 stack](create-as2-transfer-server.md#as2-cfn-demo-template).

You can create a server with multiple protocols.

**Note**  
If you have multiple protocols enabled for the same server endpoint and you want to provide access by using the same username over multiple protocols, you can do so as long as the credentials specific to the protocol have been set up in your identity provider. For FTP, we recommend maintaining separate credentials from SFTP and FTPS. This is because, unlike SFTP and FTPS, FTP transmits credentials in clear text. By isolating FTP credentials from SFTP or FTPS, if FTP credentials are shared or exposed, your workloads using SFTP or FTPS remain secure.
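The following Lambda-based custom identity provider illustrates that separation in code. It is an added example, not code from AWS or from this guide. It assumes the event and response shape Transfer Family uses for Lambda identity providers (`username`, `protocol`, `serverId` and `sourceIp` in the event, a `password` field only for password logins, and `Role`/`HomeDirectory`, optionally `PublicKeys`, in a successful response); the user store, salts, SSH key, role ARN and address ranges are constructed for the example.

```python
"""Lambda identity provider that keeps FTP credentials separate from SFTP/FTPS.

Added example, not AWS code. It assumes the event/response contract Transfer
Family uses for Lambda-backed custom identity providers: the event carries
"username", "protocol" (SFTP, FTPS or FTP), "serverId", "sourceIp" and, for
password logins, "password" (absent for SSH key logins); the handler returns
Role and HomeDirectory (plus PublicKeys for key logins) to allow access, or an
empty object to deny it. The store, salts, key, ARN and ranges are constructed.
"""
import hashlib
import hmac
import ipaddress
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed in-memory store; a deployment would read Secrets Manager or DynamoDB.
# A record is valid only for the protocols it lists. "partner-a" has one password
# (and an SSH key) for the encrypted protocols and a *different* password for
# FTP, so a credential sniffed from clear-text FTP cannot be replayed over SFTP.
_SALT_A, _SALT_B = os.urandom(16), os.urandom(16)
CREDENTIALS = [
    {"user": "partner-a", "protocols": {"SFTP", "FTPS"}, "salt": _SALT_A,
     "pw_hash": _hash("sftp-ftps-secret", _SALT_A),
     "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForExample"],
     "allowed_sources": ["203.0.113.0/24"]},       # partner's egress range (constructed)
    {"user": "partner-a", "protocols": {"FTP"}, "salt": _SALT_B,
     "pw_hash": _hash("ftp-only-secret", _SALT_B), "public_keys": [],
     "allowed_sources": ["10.0.0.0/8"]},           # FTP endpoint is internal-only
]
ACCESS = {  # authorization returned on success (constructed role ARN and path)
    "partner-a": {"Role": "arn:aws:iam::123456789012:role/TransferPartnerA",
                  "HomeDirectory": "/example-bucket/partner-a"},
}


def _source_allowed(source_ip, networks) -> bool:
    """True when the client address falls inside one of the record's allowed networks."""
    if not networks:
        return True
    if not source_ip:
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def lambda_handler(event, context=None):
    user, protocol = event.get("username", ""), event.get("protocol", "")
    password = event.get("password")
    # Only a record explicitly valid for *this* protocol can authenticate it.
    record = next((r for r in CREDENTIALS
                   if r["user"] == user and protocol in r["protocols"]), None)
    if record is None or user not in ACCESS:
        return {}
    if not _source_allowed(event.get("sourceIp"), record["allowed_sources"]):
        return {}
    if password is None:
        # Key login is SFTP-only: return the keys; Transfer Family checks the signature.
        if protocol != "SFTP" or not record["public_keys"]:
            return {}
        return {**ACCESS[user], "PublicKeys": list(record["public_keys"])}
    if not hmac.compare_digest(_hash(password, record["salt"]), record["pw_hash"]):
        return {}
    return dict(ACCESS[user])
```

Point the server at this function with the **Use AWS Lambda to connect your identity provider** option; Transfer Family invokes it once per login attempt. Because the FTP password is a different secret, a capture of the clear-text FTP exchange yields nothing usable against the SFTP or FTPS endpoint, and the `sourceIp` check narrows where even the right secret works.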

When you create a server, you choose a specific AWS Region to perform the file operation requests of users who are assigned to that server. Along with assigning the server one or more protocols, you also assign one of the following identity provider types:
+ **Service managed by using SSH keys**. For details, see [Working with service-managed users](service-managed-users.md).
+ **AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)**. This method allows you to integrate your Microsoft Active Directory groups to provide access to your Transfer Family servers. For details, see [Using AWS Directory Service for Microsoft Active Directory](directory-services-users.md).
+ **A custom identity provider**. Transfer Family offers several options for using a custom identity provider, as described in the [Working with custom identity providers](custom-idp-intro.md) topic.

You also assign the server an endpoint type (publicly accessible or VPC hosted) and a hostname by using the default server endpoint, or a custom hostname by using the Amazon Route 53 service or by using a Domain Name System (DNS) service of your choice. A server hostname must be unique in the AWS Region where it's created.

Additionally, you can assign an Amazon CloudWatch logging role to push events to your CloudWatch logs, choose a security policy that contains the cryptographic algorithms that are enabled for use by your server, and add metadata to the server in the form of tags that are key-value pairs.

**Important**  
You incur costs for instantiated servers and for data transfer. For information about pricing and to use AWS Pricing Calculator to get an estimate of the cost to use Transfer Family, see [AWS Transfer Family pricing](https://aws.amazon.com/aws-transfer-family/pricing/).

# Create an SFTP-enabled server
<a name="create-server-sftp"></a>

Secure Shell (SSH) File Transfer Protocol (SFTP) is a network protocol used for secure transfer of data over the internet. The protocol supports the full security and authentication functionality of SSH. It's widely used to exchange data, including sensitive information between business partners in a variety of industries such as financial services, healthcare, retail, and advertising.

**Note the following**
+ SFTP servers for Transfer Family operate over port 22. For VPC-hosted endpoints, SFTP Transfer Family servers can also operate over port 2222, 2223 or 22000. For details, see [Create a server in a virtual private cloud](create-server-in-vpc.md).
+ Public endpoints cannot restrict traffic via security groups. To use security groups with your Transfer Family server, you must host your server's endpoint inside a virtual private cloud (VPC) as described in [Create a server in a virtual private cloud](create-server-in-vpc.md).

**See also**
+ We provide an AWS CDK example for creating an SFTP Transfer Family server. The example uses TypeScript, and is available on GitHub [here](https://github.com/aws-samples/aws-cdk-examples/tree/master/typescript/aws-transfer-sftp-server).
+ For a walkthrough of how to deploy a Transfer Family server inside of a VPC, see [Use IP allow list to secure your AWS Transfer Family servers](https://aws.amazon.com/blogs//storage/use-ip-allow-list-to-secure-your-aws-transfer-for-sftp-servers/).

**To create an SFTP-enabled server**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/) and select **Servers** from the navigation pane, then choose **Create server**.

1. In **Choose protocols**, select **SFTP**, and then choose **Next**.

1. In **Choose an identity provider**, choose the identity provider that you want to use to manage user access. You have the following options:
   + **Service managed** – You store user identities and keys in AWS Transfer Family. 
   + **AWS Directory Service for Microsoft Active Directory** – You provide a Directory Service directory to access the endpoint. By doing so, you can use credentials stored in your Active Directory to authenticate your users. To learn more about working with AWS Managed Microsoft AD identity providers, see [Using AWS Directory Service for Microsoft Active Directory](directory-services-users.md).
**Note**  
Cross-account and shared directories are not supported for AWS Managed Microsoft AD.  
To set up a server with Directory Service as your identity provider, you need to add some Directory Service permissions. For details, see [Before you start using AWS Directory Service for Microsoft Active Directory](directory-services-users.md#managed-ad-prereq).
   + **Custom identity provider** – Choose either of the following options:
     + **Use AWS Lambda to connect your identity provider** – You can use an existing identity provider, backed by a Lambda function. You provide the name of the Lambda function. For more information, see [Using AWS Lambda to integrate your identity provider](custom-lambda-idp.md).
     + **Use Amazon API Gateway to connect your identity provider** – You can create an API Gateway method backed by a Lambda function for use as an identity provider. You provide an Amazon API Gateway URL and an invocation role. For more information, see [Using Amazon API Gateway to integrate your identity provider](authentication-api-gateway.md).  
![\[The Choose an identity provider console section with Custom identity provider selected. Also has the default value selected, which is that users can authenticate using either their password or key.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/custom-lambda-console.png)

1. Choose **Next**.

1. In **Choose an endpoint**, do the following:

   1. For **Endpoint type**, choose the **Publicly accessible** endpoint type. For a **VPC hosted** endpoint, see [Create a server in a virtual private cloud](create-server-in-vpc.md).

   1.  For **IP address type**, choose **IPv4** (default) for backwards compatibility or **Dual-stack** to enable both IPv4 and IPv6 connections to your endpoint.
**Note**  
Dual-stack mode allows your Transfer Family endpoint to communicate with both IPv4 and IPv6 enabled clients. This enables you to gradually transition from IPv4 to IPv6 based systems without needing to switch all at once.

   1. (Optional) For **Custom hostname**, choose **None**.

      You get a server hostname provided by AWS Transfer Family. The server hostname takes the form `serverId.server.transfer.regionId.amazonaws.com`.

      For a custom hostname, you specify a custom alias for your server endpoint. To learn more about working with custom hostnames, see [Working with custom hostnames](requirements-dns.md).

   1. (Optional) For **FIPS Enabled**, select the **FIPS Enabled endpoint** check box to ensure that the endpoint complies with Federal Information Processing Standards (FIPS).
**Note**  
FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see [AWS Transfer Family endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) in the *AWS General Reference*. For more information about FIPS, see [Federal Information Processing Standard (FIPS) 140-2](https://aws.amazon.com/compliance/fips/).

   1. Choose **Next**.

1. On the **Choose domain** page, choose the AWS storage service that you want to use to store and access your data over the selected protocol:
   + Choose **Amazon S3** to store and access your files as objects over the selected protocol.
   + Choose **Amazon EFS** to store and access your files in your Amazon EFS file system over the selected protocol.

   Choose **Next**.

1. In **Configure additional details**, do the following:

   1. For logging, specify an existing log group or create a new one (the default option). If you choose an existing log group, you must select one that is associated with your AWS account.  
![\[Logging pane for Configure additional details in the Create server wizard. Choose an existing log group is selected.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/logging-server-choose-existing-group.png)

      If you choose **Create log group**, the CloudWatch console ([https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/)) opens to the **Create log group** page. For details, see [ Create a log group in CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#Create-Log-Group). 

   1.  (Optional) For **Managed workflows**, choose workflow IDs (and a corresponding role) that Transfer Family should assume when executing the workflow. You can choose one workflow to execute upon a complete upload, and another to execute upon a partial upload. To learn more about processing your files by using managed workflows, see [AWS Transfer Family managed workflows](transfer-workflows.md).  
![\[The Managed workflows console section.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/workflows-addtoserver.png)

   1. For **Cryptographic algorithm options**, choose a security policy that contains the cryptographic algorithms enabled for use by your server. Our latest security policy is the default: for details, see [Security policies for AWS Transfer Family servers](security-policies.md).

   1. (Optional) For **Server Host Key**, enter an RSA, ED25519, or ECDSA private key that identifies your server to clients that connect to it over SFTP (the SSH host key). You can also add a description to differentiate among multiple host keys. If you leave this field blank, Transfer Family generates a host key for the server.

      After you create your server, you can add additional host keys. Having multiple host keys is useful if you want to rotate keys or if you want to have different types of keys, such as an RSA key and also an ECDSA key.
**Note**  
Supply your own host key only when you are migrating users from an existing SFTP-enabled server and want their clients to keep trusting the same host key, so that they don't see a changed-host-key warning. Treat the private key as a secret: anyone who holds it can impersonate your server to its clients.

   1. (Optional) For **Tags**, for **Key** and **Value**, enter one or more tags as key-value pairs, and then choose **Add tag**.

   1. Choose **Next**.

   1. You can optimize performance for your Amazon S3 directories. For example, suppose that you go into your home directory, and you have 10,000 subdirectories. In other words, your Amazon S3 bucket has 10,000 folders. In this scenario, if you run the `ls` (list) command, the list operation takes between six and eight minutes. However, if you optimize your directories, this operation takes only a few seconds.

      When you create your server using the console, optimized directories is enabled by default. If you create your server using the API, this behavior is not enabled by default.  
![\[The Optimized directories console section.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/optimized-directories.png)

   1. (Optional) Configure AWS Transfer Family servers to display customized messages such as organizational policies or terms and conditions to your end users. For **Display banner**, in the **Pre-authentication display banner** text box, enter the text message that you want to display to your users before they authenticate.

   1. (Optional) You can configure the following additional options.
      + **SetStat option**: enable this option to ignore the error that is generated when a client attempts to use `SETSTAT` on a file you are uploading to an Amazon S3 bucket. For additional details, see the `SetStatOption` documentation in the [ProtocolDetails](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ProtocolDetails.html).
      + **TLS session resumption**: this option is only available if you have enabled FTPS as one of the protocols for this server.
      + **Passive IP**: this option is only available if you have enabled FTPS or FTP as one of the protocols for this server.  
![\[Additional options screen for Server details page.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/create-server-configure-additional-items-sftp.png)

1. In **Review and create**, review your choices.
   + If you want to edit any of them, choose **Edit** next to the step.
**Note**  
You must review each step after the step that you chose to edit.
   + If you have no changes, choose **Create server** to create your server. You are taken to the **Servers** page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to **Online**. At that point, your server can perform file operations, but you'll need to create a user first. For details on creating users, see [Managing users for server endpoints](create-user.md).

# Create an FTPS-enabled server
<a name="create-server-ftps"></a>

File Transfer Protocol over SSL (FTPS) is an extension to FTP. It uses Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), to encrypt traffic. FTPS can encrypt the control channel and the data channel connections either together or independently.

**Note**  
For important considerations about Network Load Balancers, see [Avoid placing NLBs and NATs in front of AWS Transfer Family servers](infrastructure-security.md#nlb-considerations).

**To create an FTPS-enabled server**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/) and select **Servers** from the navigation pane, then choose **Create server**.

1. In **Choose protocols**, select **FTPS**.

   For **Server certificate**, choose a certificate stored in AWS Certificate Manager (ACM) which will be used to identify your server when clients connect to it over FTPS and then choose **Next**.

   To request a new public certificate, see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) in the *AWS Certificate Manager User Guide*.

   To import an existing certificate into ACM, see [Importing certificates into ACM](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide*.

   To request a private certificate to use FTPS through private IP addresses, see [Requesting a Private Certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html) in the *AWS Certificate Manager User Guide*.

   Certificates with the following cryptographic algorithms and key sizes are supported:
   + 2048-bit RSA (`RSA_2048`)
   + 4096-bit RSA (`RSA_4096`)
   + Elliptic Prime Curve 256 bit (`EC_prime256v1`)
   + Elliptic Prime Curve 384 bit (`EC_secp384r1`)
   + Elliptic Prime Curve 521 bit (`EC_secp521r1`)
**Note**  
The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and contain information about the issuer.

1. In **Choose an identity provider**, choose the identity provider that you want to use to manage user access. You have the following options:
   + **AWS Directory Service for Microsoft Active Directory** – You provide a Directory Service directory to access the endpoint. By doing so, you can use credentials stored in your Active Directory to authenticate your users. To learn more about working with AWS Managed Microsoft AD identity providers, see [Using AWS Directory Service for Microsoft Active Directory](directory-services-users.md).
**Note**  
Cross-account and shared directories are not supported for AWS Managed Microsoft AD.  
To set up a server with Directory Service as your identity provider, you need to add some Directory Service permissions. For details, see [Before you start using AWS Directory Service for Microsoft Active Directory](directory-services-users.md#managed-ad-prereq).
   + **Custom identity provider** – Choose either of the following options:
     + **Use AWS Lambda to connect your identity provider** – You can use an existing identity provider, backed by a Lambda function. You provide the name of the Lambda function. For more information, see [Using AWS Lambda to integrate your identity provider](custom-lambda-idp.md).
     + **Use Amazon API Gateway to connect your identity provider** – You can create an API Gateway method backed by a Lambda function for use as an identity provider. You provide an Amazon API Gateway URL and an invocation role. For more information, see [Using Amazon API Gateway to integrate your identity provider](authentication-api-gateway.md).  
![\[The Choose an identity provider console section with Custom identity provider selected.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/custom-lambda-console-no-sftp.png)

1. Choose **Next**.

1. In **Choose an endpoint**, do the following:
**Note**  
 FTPS servers for Transfer Family operate over Port 21 (Control Channel) and Port Range 8192–8200 (Data Channel).

   1. For **Endpoint type**, choose the **VPC hosted** endpoint type to host your server's endpoint. For information about setting up your VPC hosted endpoint, see [Create a server in a virtual private cloud](create-server-in-vpc.md).
**Note**  
Publicly accessible endpoints are not supported.

   1. (Optional) For **FIPS Enabled**, select the **FIPS Enabled endpoint** check box to ensure that the endpoint complies with Federal Information Processing Standards (FIPS).
**Note**  
FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see [AWS Transfer Family endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) in the *AWS General Reference*. For more information about FIPS, see [Federal Information Processing Standard (FIPS) 140-2](https://aws.amazon.com/compliance/fips/).

   1. Choose **Next**.  
![\[The Choose an endpoint console section with VPC hosted selected.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/create-server-choose-endpoint-vpc-internal.png)

1. On the **Choose domain** page, choose the AWS storage service that you want to use to store and access your data over the selected protocol:
   + Choose **Amazon S3** to store and access your files as objects over the selected protocol.
   + Choose **Amazon EFS** to store and access your files in your Amazon EFS file system over the selected protocol.

   Choose **Next**.

1. In **Configure additional details**, do the following:

   1. For logging, specify an existing log group or create a new one (the default option).  
![\[Logging pane for Configure additional details in the Create server wizard. Choose an existing log group is selected.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/logging-server-choose-existing-group.png)

      If you choose **Create log group**, the CloudWatch console ([https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/)) opens to the **Create log group** page. For details, see [ Create a log group in CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#Create-Log-Group). 

   1.  (Optional) For **Managed workflows**, choose workflow IDs (and a corresponding role) that Transfer Family should assume when executing the workflow. You can choose one workflow to execute upon a complete upload, and another to execute upon a partial upload. To learn more about processing your files by using managed workflows, see [AWS Transfer Family managed workflows](transfer-workflows.md).  
![\[The Managed workflows console section.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/workflows-addtoserver.png)

   1. For **Cryptographic algorithm options**, choose a security policy that contains the cryptographic algorithms enabled for use by your server. Our latest security policy is the default: for details, see [Security policies for AWS Transfer Family servers](security-policies.md).

   1. For **Server Host Key**, keep it blank.

   1. (Optional) For **Tags**, for **Key** and **Value**, enter one or more tags as key-value pairs, and then choose **Add tag**.

   1. You can optimize performance for your Amazon S3 directories. For example, suppose that you go into your home directory, and you have 10,000 subdirectories. In other words, your Amazon S3 bucket has 10,000 folders. In this scenario, if you run the `ls` (list) command, the list operation takes between six and eight minutes. However, if you optimize your directories, this operation takes only a few seconds.

      When you create your server using the console, optimized directories is enabled by default. If you create your server using the API, this behavior is not enabled by default.  
![\[The Optimized directories console section.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/optimized-directories.png)

   1. Choose **Next**.

   1. (Optional) You can configure AWS Transfer Family servers to display customized messages such as organizational policies or terms and conditions to your end users. You can also display a customized message of the day (MOTD) to users who have successfully authenticated.

      For **Display banner**, in the **Pre-authentication display banner** text box, enter the text message that you want to display to your users before they authenticate, and in the **Post-authentication display banner** text box, enter the text that you want to display to your users after they successfully authenticate.

   1. (Optional) You can configure the following additional options.
      + **SetStat option**: enable this option to ignore the error that is generated when a client attempts to use `SETSTAT` on a file you are uploading to an Amazon S3 bucket. For additional details, see the `SetStatOption` documentation in the [ProtocolDetails](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ProtocolDetails.html) topic.
      + **TLS session resumption**: provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. For additional details, see the `TlsSessionResumptionMode` documentation in the [ProtocolDetails](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ProtocolDetails.html) topic.
      + **Passive IP**: indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For additional details, see the `PassiveIp` documentation in the [ProtocolDetails](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ProtocolDetails.html) topic.  
![\[The Additional configuration screen showing the SetStat, TLS session resumption, and Passive IP parameters.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/create-server-configure-additional-items-all.png)

1. In **Review and create**, review your choices.
   + If you want to edit any of them, choose **Edit** next to the step.
**Note**  
You must review each step after the step that you chose to edit.
   + If you have no changes, choose **Create server** to create your server. You are taken to the **Servers** page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to **Online**. At that point, your server can perform file operations for your users.

**Next steps**: For the next step, continue on to [Working with custom identity providers](custom-idp-intro.md) to set up users.

# Create an FTP-enabled server
<a name="create-server-ftp"></a>

File Transfer Protocol (FTP) is a network protocol used for the transfer of data. FTP uses separate connections for control and data: the control channel stays open until the session is closed or times out from inactivity, and a data channel is opened for the duration of each transfer. FTP transmits credentials and file contents in clear text and does not support encryption of traffic.

**Note**  
When you enable FTP, you must choose the internal access option for the VPC-hosted endpoint. If you need your server to have data traverse the public network, you must use secure protocols, such as SFTP or FTPS. 

**Note**  
For important considerations about Network Load Balancers, see [Avoid placing NLBs and NATs in front of AWS Transfer Family servers](infrastructure-security.md#nlb-considerations).

**To create an FTP-enabled server**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/) and select **Servers** from the navigation pane, then choose **Create server**.

1. In **Choose protocols**, select **FTP**, and then choose **Next**.

1. In **Choose an identity provider**, choose the identity provider that you want to use to manage user access. You have the following options:
   + **AWS Directory Service for Microsoft Active Directory** – You provide a Directory Service directory to access the endpoint. By doing so, you can use credentials stored in your Active Directory to authenticate your users. To learn more about working with AWS Managed Microsoft AD identity providers, see [Using AWS Directory Service for Microsoft Active Directory](directory-services-users.md).
**Note**  
Cross-account and shared directories are not supported for AWS Managed Microsoft AD.  
To set up a server with Directory Service as your identity provider, you need to add some Directory Service permissions. For details, see [Before you start using AWS Directory Service for Microsoft Active Directory](directory-services-users.md#managed-ad-prereq).
   + **Custom identity provider** – Choose either of the following options:
     + **Use AWS Lambda to connect your identity provider** – You can use an existing identity provider, backed by a Lambda function. You provide the name of the Lambda function. For more information, see [Using AWS Lambda to integrate your identity provider](custom-lambda-idp.md).
     + **Use Amazon API Gateway to connect your identity provider** – You can create an API Gateway method backed by a Lambda function for use as an identity provider. You provide an Amazon API Gateway URL and an invocation role. For more information, see [Using Amazon API Gateway to integrate your identity provider](authentication-api-gateway.md).  
![\[The Choose an identity provider console section with Custom identity provider selected.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/custom-lambda-console-no-sftp.png)

1. Choose **Next**.

1. In **Choose an endpoint**, do the following:
**Note**  
FTP servers for Transfer Family operate over Port 21 (Control Channel) and Port Range 8192–8200 (Data Channel).

   1. For **Endpoint type**, choose **VPC hosted** to host your server's endpoint. For information about setting up your VPC hosted endpoint, see [Create a server in a virtual private cloud](create-server-in-vpc.md).
**Note**  
Publicly accessible endpoints are not supported.

   1. For **FIPS Enabled**, keep the **FIPS Enabled endpoint** check box cleared.
**Note**  
FIPS-enabled endpoints are not supported for FTP servers.

   1. Choose **Next**.  
![\[The Choose an endpoint console section with VPC hosted selected.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/create-server-choose-endpoint-vpc-internal.png)

1. On the **Choose domain** page, choose the AWS storage service that you want to use to store and access your data over the selected protocol.
   + Choose **Amazon S3** to store and access your files as objects over the selected protocol.
   + Choose **Amazon EFS** to store and access your files in your Amazon EFS file system over the selected protocol.

   Choose **Next**.

1. In **Configure additional details**, do the following:

   1. For logging, specify an existing log group or create a new one (the default option).  
![\[Logging pane for Configure additional details in the Create server wizard. Choose an existing log group is selected.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/logging-server-choose-existing-group.png)

      If you choose **Create log group**, the CloudWatch console ([https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/)) opens to the **Create log group** page. For details, see [ Create a log group in CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#Create-Log-Group). 

   1.  (Optional) For **Managed workflows**, choose workflow IDs (and a corresponding role) that Transfer Family should assume when executing the workflow. You can choose one workflow to execute upon a complete upload, and another to execute upon a partial upload. To learn more about processing your files by using managed workflows, see [AWS Transfer Family managed workflows](transfer-workflows.md).  
![\[The Managed workflows console section.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/workflows-addtoserver.png)

   1. For **Cryptographic algorithm options**, choose a security policy that contains the cryptographic algorithms enabled for use by your server.
**Note**  
Transfer Family assigns the latest security policy to your FTP server. However, since the FTP protocol doesn't use any encryption, FTP servers do not use any of the security policy algorithms. Unless your server also uses the FTPS or SFTP protocol, the security policy remains unused.

   1. For **Server Host Key**, keep it blank.

   1. (Optional) For **Tags**, for **Key** and **Value**, enter one or more tags as key-value pairs, and then choose **Add tag**.

   1. You can optimize performance for your Amazon S3 directories. For example, suppose that you go into your home directory, and you have 10,000 subdirectories. In other words, your Amazon S3 bucket has 10,000 folders. In this scenario, if you run the `ls` (list) command, the list operation takes between six and eight minutes. However, if you optimize your directories, this operation takes only a few seconds.

      When you create your server using the console, optimized directories is enabled by default. If you create your server using the API, this behavior is not enabled by default.  
![\[The Optimized directories console section.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/optimized-directories.png)

   1. Choose **Next**.

   1. (Optional) You can configure AWS Transfer Family servers to display customized messages, such as organizational policies or terms and conditions, to your end users. You can also display a customized message of the day (MOTD) to users who have successfully authenticated.

      For **Display banner**, in the **Pre-authentication display banner** text box, enter the text message that you want to display to your users before they authenticate, and in the **Post-authentication display banner** text box, enter the text that you want to display to your users after they successfully authenticate.

   1. (Optional) You can configure the following additional options.
      + **SetStat option**: enable this option to ignore the error that is generated when a client attempts to use `SETSTAT` on a file you are uploading to an Amazon S3 bucket. For additional details, see the `SetStatOption` documentation in the [ProtocolDetails](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ProtocolDetails.html) topic.
      + **TLS session resumption**: provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. For additional details, see the `TlsSessionResumptionMode` documentation in the [ProtocolDetails](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ProtocolDetails.html) topic.
      + **Passive IP**: indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For additional details, see the `PassiveIp` documentation in the [ProtocolDetails](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ProtocolDetails.html) topic.  
![\[The Additional configuration screen showing the SetStat, TLS session resumption, and Passive IP parameters.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/create-server-configure-additional-items-all.png)

1. In **Review and create**, review your choices.
   + If you want to edit any of them, choose **Edit** next to the step.
**Note**  
You must review each step after the step that you chose to edit.
   + If you have no changes, choose **Create server** to create your server. You are taken to the **Servers** page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to **Online**. At that point, your server can perform file operations for your users.

**Next steps** – For the next step, continue on to [Working with custom identity providers](custom-idp-intro.md) to set up users.

# Create a server in a virtual private cloud
<a name="create-server-in-vpc"></a>

You can host your server's endpoint inside a virtual private cloud (VPC) to use for transferring data to and from an Amazon S3 bucket or Amazon EFS file system without going over the public internet.

**Note**  
After May 19, 2021, you won't be able to create a server using `EndpointType=VPC_ENDPOINT` in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with `EndpointType=VPC_ENDPOINT` in your AWS account on or before February 21, 2021, you will not be affected. After this date, use `EndpointType`=**VPC**. For more information, see [Discontinuing the use of VPC_ENDPOINT](#deprecate-vpc-endpoint).

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and a server. You can then use this server to transfer data over your client to and from your Amazon S3 bucket without using public IP addressing or requiring an internet gateway.

Using Amazon VPC, you can launch AWS resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see [What Is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) in the *Amazon VPC User Guide*.

In the next sections, find instructions on how to create and connect your VPC to a server. As an overview, you do this as follows:

1. Set up a server using a VPC endpoint.

1. Connect to your server using a client that is inside your VPC through the VPC endpoint. Doing this enables you to transfer data that is stored in your Amazon S3 bucket over your client using AWS Transfer Family. You can perform this transfer even though the network is disconnected from the public internet.

1. In addition, if you choose to make your server's endpoint internet-facing, you can associate Elastic IP addresses with your endpoint so that clients outside of your VPC can connect to it. You can then use VPC security groups so that only connections from allowed source addresses reach the endpoint; users from those addresses must still authenticate as usual.

**Note**  
AWS Transfer Family supports dual-stack endpoints, allowing your server to communicate over both IPv4 and IPv6. To enable dual-stack support, select the **Enable DNS dual-stack endpoint** option when creating your VPC endpoint. Note that both your VPC and subnets must be configured to support IPv6 before you can use this feature. Dual-stack support is particularly useful when you have clients that need to connect using either protocol.  
For information about dual-stack (IPv4 and IPv6) server endpoints, see [IPv6 support for Transfer Family servers](ipv6-support.md).

**Topics**
+ [Create a server endpoint that can be accessed only within your VPC](#create-server-endpoint-in-vpc)
+ [Create an internet-facing endpoint for your server](#create-internet-facing-endpoint)
+ [Change the endpoint type for your server](#change-server-endpoint-type)
+ [Discontinuing the use of VPC_ENDPOINT](#deprecate-vpc-endpoint)
+ [Limiting VPC endpoint access for Transfer Family servers](#limit-vpc-endpoint-access)
+ [Additional networking features](#additional-networking-features)
+ [Updating the AWS Transfer Family server endpoint type from VPC_ENDPOINT to VPC](update-endpoint-type-vpc.md)

## Create a server endpoint that can be accessed only within your VPC
<a name="create-server-endpoint-in-vpc"></a>

In the following procedure, you create a server endpoint that is accessible only to resources within your VPC.

**To create a server endpoint inside a VPC**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. From the navigation pane, select **Servers**, then choose **Create server**.

1. In **Choose protocols**, select one or more protocols, and then choose **Next**. For more information about protocols, see [Step 2: Create an SFTP-enabled server](getting-started.md#getting-started-server).

1. In **Choose an identity provider**, choose **Service managed** to store user identities and keys in AWS Transfer Family, and then choose **Next**.

   This procedure uses the service-managed option. If you choose **Custom**, you provide an Amazon API Gateway endpoint and an AWS Identity and Access Management (IAM) role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your users. To learn more about working with custom identity providers, see [Working with custom identity providers](custom-idp-intro.md).

1. In **Choose an endpoint**, do the following:

   1. For **Endpoint type**, choose the **VPC hosted** endpoint type to host your server's endpoint.

   1. For **Access**, choose **Internal** to make your endpoint only accessible to clients using the endpoint's private IP addresses.

      For details on the **Internet Facing** option, see [Create an internet-facing endpoint for your server](#create-internet-facing-endpoint). A server that is created in a VPC for internal access only doesn't support custom hostnames.

   1. For **VPC**, choose an existing VPC ID or choose **Create a VPC** to create a new VPC.

   1. In the **Availability Zones** section, choose up to three Availability Zones and associated subnets.

   1. In the **Security Groups** section, choose an existing security group ID or IDs or choose **Create a security group** to create a new security group. For more information about security groups, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon Virtual Private Cloud User Guide*. To create a security group, see [Creating a security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#CreatingSecurityGroups) in the *Amazon Virtual Private Cloud User Guide*.
**Note**  
Your VPC automatically comes with a default security group. If you don't specify a different security group or groups when you launch the server, we associate the default security group with your server.
      + For the inbound rules for the security group, you can configure SSH traffic to use port 22, 2222, 22000, or any combination. Port 22 is configured by default. To use port 2222 or port 22000, you add an inbound rule to your security group. For the type, choose **Custom TCP**, then enter either **2222** or **22000** for **Port range**, and for the source, enter the same CIDR range that you have for your SSH port 22 rule.
      + For the inbound rules for the security group, configure FTP and FTPS traffic to use **Port range** **21** for the control channel and **8192-8200** for the data channel.
**Note**  
You can also use port 2223 for clients that require TCP "piggy-back" ACKs, or the ability for the final ack of the TCP 3-way handshake to also contain data.  
Some client software may be incompatible with port 2223: for example, a client that requires the server to send the SFTP Identification String before the client does.  
![\[The inbound rules for a sample security group, showing a rule for SSH on port 22 and Custom TCP on port 2222.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/alternate-port-rule.png)

   1. (Optional) For **FIPS Enabled**, select the **FIPS Enabled endpoint** check box to ensure the endpoint complies with Federal Information Processing Standards (FIPS).
**Note**  
FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see [AWS Transfer Family endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) in the *AWS General Reference*. For more information about FIPS, see [Federal Information Processing Standard (FIPS) 140-2](https://aws.amazon.com/compliance/fips/).

   1. Choose **Next**.

1. In **Configure additional details**, do the following:

   1. For **CloudWatch logging**, choose one of the following to enable Amazon CloudWatch logging of your user activity:
      + **Create a new role** to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called `AWSTransferLoggingAccess`.
      + **Choose an existing role** to choose an existing IAM role from your account. Under **Logging role**, choose the role. This IAM role should include a trust policy with **Service** set to `transfer.amazonaws.com`.

        For more information about CloudWatch logging, see [Configure CloudWatch logging role](configure-cw-logging-role.md).
**Note**  
You can't view end-user activity in CloudWatch if you don't specify a logging role.
If you don't want to set up a CloudWatch logging role, select **Choose an existing role**, but don't select a logging role.

   1. For **Cryptographic algorithm options**, choose a security policy that contains the cryptographic algorithms enabled for use by your server.
**Note**  
By default, the `TransferSecurityPolicy-2024-01` security policy is attached to your server unless you choose a different one.

      For more information about security policies, see [Security policies for AWS Transfer Family servers](security-policies.md).

   1. (Optional: this section is only for migrating users from an existing SFTP-enabled server.) For **Server Host Key**, enter the RSA, ED25519, or ECDSA private key that identifies your server when clients connect to it over SFTP. Supplying the existing server's key keeps the host key fingerprint unchanged, so the clients of your migrated users continue to trust the server. This value is a private key; handle it as a secret.

   1. (Optional) For **Tags**, for **Key** and **Value**, enter one or more tags as key-value pairs, and then choose **Add tag**.

   1. Choose **Next**.

1. In **Review and create**, review your choices. If you:
   + Want to edit any of them, choose **Edit** next to the step.
**Note**  
You will need to review each step after the step that you chose to edit.
   + Have no changes, choose **Create server** to create your server. You are taken to the **Servers** page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to **Online**. At that point, your server can perform file operations, but you'll need to create a user first. For details on creating users, see [Managing users for server endpoints](create-user.md).
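The inbound rules listed in the procedure above (port 22, optionally 2222, 22000 or 2223, for SFTP; port 21 plus 8192-8200 for FTP and FTPS) can be generated rather than typed into the console. The following Python is an added example, not code from the AWS documentation or from the Transfer Family SDK: it builds the `IpPermissions` structure that the EC2 `authorize_security_group_ingress` API accepts, scopes every rule to an explicit list of client CIDRs, and refuses to open the cleartext FTP control channel to `0.0.0.0/0` or `::/0`. The sample CIDRs and that refusal rule are the example's own assumptions, not requirements of the service.

```python
"""Build security-group inbound rules for a VPC-hosted Transfer Family endpoint.

Added example, not AWS documentation or SDK code.  It turns the port table
from the console procedure into the IpPermissions list that
ec2.authorize_security_group_ingress() takes.  The CIDR allowlist and the
refusal to expose FTP to the whole internet are this example's assumptions.
"""
import ipaddress

# Ports from the procedure: SFTP on 22 (2222, 22000 and 2223 optional),
# FTP/FTPS control channel on 21, passive data channel on 8192-8200.
SFTP_DEFAULT_PORT = 22
SFTP_ALTERNATE_PORTS = {2222, 22000, 2223}
FTP_CONTROL_PORT = 21
FTP_DATA_RANGE = (8192, 8200)

OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}


def _ip_ranges(cidrs, description):
    """Validate CIDRs and split them into the IpRanges / Ipv6Ranges lists EC2 expects."""
    v4, v6 = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on malformed input
        if net.version == 4:
            v4.append({"CidrIp": str(net), "Description": description})
        else:
            v6.append({"CidrIpv6": str(net), "Description": description})
    return v4, v6


def _permission(from_port, to_port, cidrs, description):
    """One TCP rule covering from_port..to_port for the given source CIDRs."""
    v4, v6 = _ip_ranges(cidrs, description)
    perm = {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port}
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return perm


def ingress_permissions(protocols, allowed_cidrs, sftp_alternate_ports=()):
    """Return IpPermissions for the server's protocols, scoped to allowed_cidrs.

    protocols: iterable of "SFTP", "FTPS", "FTP" (the values CreateServer takes).
    allowed_cidrs: client source networks; every rule is limited to these.
    sftp_alternate_ports: optional subset of {2222, 22000, 2223}.
    """
    protocols = {p.upper() for p in protocols}
    unknown = protocols - {"SFTP", "FTPS", "FTP"}
    if unknown:
        raise ValueError(f"unsupported protocol(s) for this example: {sorted(unknown)}")
    if not allowed_cidrs:
        raise ValueError("at least one client CIDR is required")
    bad_ports = set(sftp_alternate_ports) - SFTP_ALTERNATE_PORTS
    if bad_ports:
        raise ValueError(f"alternate SFTP ports must be in {sorted(SFTP_ALTERNATE_PORTS)}: {sorted(bad_ports)}")
    # Assumption of this example: FTP carries credentials in cleartext, so its
    # control channel is never opened to 0.0.0.0/0 or ::/0.
    if "FTP" in protocols and OPEN_TO_WORLD & set(allowed_cidrs):
        raise ValueError("refusing to open cleartext FTP to the whole internet")

    perms = []
    if "SFTP" in protocols:
        perms.append(_permission(SFTP_DEFAULT_PORT, SFTP_DEFAULT_PORT, allowed_cidrs, "SFTP"))
        for port in sorted(sftp_alternate_ports):
            # Same source CIDRs as the port 22 rule, as the procedure requires.
            perms.append(_permission(port, port, allowed_cidrs, f"SFTP alternate port {port}"))
    if protocols & {"FTP", "FTPS"}:
        perms.append(_permission(FTP_CONTROL_PORT, FTP_CONTROL_PORT, allowed_cidrs, "FTP/FTPS control"))
        perms.append(_permission(*FTP_DATA_RANGE, allowed_cidrs, "FTP/FTPS passive data"))
    return perms


if __name__ == "__main__":
    # Constructed sample input: one IPv4 and one IPv6 client network.
    rules = ingress_permissions(["SFTP", "FTPS"], ["10.0.0.0/16", "2001:db8::/32"],
                                sftp_alternate_ports=[2222])
    for rule in rules:
        print(rule["FromPort"], rule["ToPort"], rule.get("IpRanges"), rule.get("Ipv6Ranges"))
    # To apply against a real group (needs boto3 and credentials):
    # boto3.client("ec2").authorize_security_group_ingress(GroupId="sg-...", IpPermissions=rules)
```

The returned list can be passed unchanged as `IpPermissions` to `authorize_security_group_ingress`; the same structure, with `revoke_security_group_ingress`, removes the rules again.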

## Create an internet-facing endpoint for your server
<a name="create-internet-facing-endpoint"></a>

In the following procedure, you create a server endpoint. This endpoint is accessible over the internet only to clients whose source IP addresses are allowed in your VPC's default security group. Additionally, by using Elastic IP addresses to make your endpoint internet-facing, your clients can use the Elastic IP address to allow access to your endpoint in their firewalls.

**Note**  
Only SFTP and FTPS can be used on an internet-facing VPC hosted endpoint.

**To create an internet-facing endpoint**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. From the navigation pane, select **Servers**, then choose **Create server**.

1. In **Choose protocols**, select one or more protocols, and then choose **Next**. For more information about protocols, see [Step 2: Create an SFTP-enabled server](getting-started.md#getting-started-server).

1. In **Choose an identity provider**, choose **Service managed** to store user identities and keys in AWS Transfer Family, and then choose **Next**.

   This procedure uses the service-managed option. If you choose **Custom**, you provide an Amazon API Gateway endpoint and an AWS Identity and Access Management (IAM) role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your users. To learn more about working with custom identity providers, see [Working with custom identity providers](custom-idp-intro.md).

1. In **Choose an endpoint**, do the following:

   1. For **Endpoint type**, choose the **VPC hosted** endpoint type to host your server's endpoint.

   1. For **Access**, choose **Internet Facing** to make your endpoint accessible to clients over the internet.
**Note**  
When you choose **Internet Facing**, you can choose an existing Elastic IP address in each subnet or subnets. Or you can go to the VPC console ([https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/)) to allocate one or more new Elastic IP addresses. These addresses can be owned either by AWS or by you. You can't associate Elastic IP addresses that are already in use with your endpoint.

   1. (Optional) For **Custom hostname**, choose one of the following:
**Note**  
Customers in AWS GovCloud (US) need to connect via the Elastic IP address directly, or create a hostname record within Commercial Route 53 that points to their EIP. For more information about using Route 53 for GovCloud endpoints, see [Setting up Amazon Route 53 with your AWS GovCloud (US) resources](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53.html) in the *AWS GovCloud (US) User Guide*. 
      + **Amazon Route 53 DNS alias** – if the hostname that you want to use is registered with Route 53. You can then enter the hostname.
      + **Other DNS** – if the hostname that you want to use is registered with another DNS provider. You can then enter the hostname.
      + **None** – to use the server's endpoint and not use a custom hostname. The server hostname takes the form `server-id.server.transfer.region.amazonaws.com`.
**Note**  
For customers in AWS GovCloud (US), selecting **None** does not create a hostname in this format.

      To learn more about working with custom hostnames, see [Working with custom hostnames](requirements-dns.md).

   1. For **VPC**, choose an existing VPC ID or choose **Create a VPC** to create a new VPC.

   1. In the **Availability Zones** section, choose up to three Availability Zones and associated subnets. For **IPv4 Addresses**, choose an **Elastic IP address** for each subnet. This is the IP address that your clients can use to allow access to your endpoint in their firewalls.

      **Tip:** You must use a public subnet for your Availability Zones, or first set up an internet gateway if you want to use a private subnet.

   1. In the **Security Groups** section, choose an existing security group ID or IDs or choose **Create a security group** to create a new security group. For more information about security groups, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon Virtual Private Cloud User Guide*. To create a security group, see [Creating a security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#CreatingSecurityGroups) in the *Amazon Virtual Private Cloud User Guide*.
**Note**  
Your VPC automatically comes with a default security group. If you don't specify a different security group or groups when you launch the server, we associate the default security group with your server.
      + For the inbound rules for the security group, you can configure SSH traffic to use port 22, 2222, 22000, or any combination. Port 22 is configured by default. To use port 2222 or port 22000, you add an inbound rule to your security group. For the type, choose **Custom TCP**, then enter either **2222** or **22000** for **Port range**, and for the source, enter the same CIDR range that you have for your SSH port 22 rule.
      + For the inbound rules for the security group, configure FTPS traffic to use **Port range** **21** for the control channel and **8192-8200** for the data channel.
**Note**  
You can also use port 2223 for clients that require TCP "piggy-back" ACKs, or the ability for the final ack of the TCP 3-way handshake to also contain data.  
Some client software may be incompatible with port 2223: for example, a client that requires the server to send the SFTP Identification String before the client does.  
![\[The inbound rules for a sample security group, showing a rule for SSH on port 22 and Custom TCP on port 2222.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/alternate-port-rule.png)

   1. (Optional) For **FIPS Enabled**, select the **FIPS Enabled endpoint** check box to ensure the endpoint complies with Federal Information Processing Standards (FIPS).
**Note**  
FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see [AWS Transfer Family endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) in the *AWS General Reference*. For more information about FIPS, see [Federal Information Processing Standard (FIPS) 140-2](https://aws.amazon.com/compliance/fips/).

   1. Choose **Next**.

1. In **Configure additional details**, do the following:

   1. For **CloudWatch logging**, choose one of the following to enable Amazon CloudWatch logging of your user activity:
      + **Create a new role** to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called `AWSTransferLoggingAccess`.
      + **Choose an existing role** to choose an existing IAM role from your account. Under **Logging role**, choose the role. This IAM role should include a trust policy with **Service** set to `transfer.amazonaws.com`.

        For more information about CloudWatch logging, see [Configure CloudWatch logging role](configure-cw-logging-role.md).
**Note**  
You can't view end-user activity in CloudWatch if you don't specify a logging role.
If you don't want to set up a CloudWatch logging role, select **Choose an existing role**, but don't select a logging role.

   1. For **Cryptographic algorithm options**, choose a security policy that contains the cryptographic algorithms enabled for use by your server.
**Note**  
By default, the `TransferSecurityPolicy-2024-01` security policy is attached to your server unless you choose a different one.

      For more information about security policies, see [Security policies for AWS Transfer Family servers](security-policies.md).

   1. (Optional: this section is only for migrating users from an existing SFTP-enabled server.) For **Server Host Key**, enter the RSA, ED25519, or ECDSA private key that identifies your server when clients connect to it over SFTP. Supplying the existing server's key keeps the host key fingerprint unchanged, so the clients of your migrated users continue to trust the server. This value is a private key; handle it as a secret.

   1. (Optional) For **Tags**, for **Key** and **Value**, enter one or more tags as key-value pairs, and then choose **Add tag**.

   1. Choose **Next**.

   1.  (Optional) For **Managed workflows**, choose workflow IDs (and a corresponding role) that Transfer Family should assume when executing the workflow. You can choose one workflow to execute upon a complete upload, and another to execute upon a partial upload. To learn more about processing your files by using managed workflows, see [AWS Transfer Family managed workflows](transfer-workflows.md).  
![\[The Managed workflows console section.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/workflows-addtoserver.png)

1. In **Review and create**, review your choices. If you:
   + Want to edit any of them, choose **Edit** next to the step.
**Note**  
You will need to review each step after the step that you chose to edit.
   + Have no changes, choose **Create server** to create your server. You are taken to the **Servers** page, shown following, where your new server is listed.

You can choose the server ID to see the detailed settings of the server that you just created. After the column **Public IPv4 address** has been populated, the Elastic IP addresses that you provided are successfully associated with your server's endpoint.

**Note**  
When your server in a VPC is online, only the subnets can be modified and only through the [UpdateServer](https://docs.aws.amazon.com/transfer/latest/APIReference/API_UpdateServer.html) API. You must [stop the server](edit-server-config.md#edit-online-offline) to add or change the server endpoint's Elastic IP addresses.

## Change the endpoint type for your server
<a name="change-server-endpoint-type"></a>

If you have an existing server that is accessible over the internet (that is, has a public endpoint type), you can change its endpoint to a VPC endpoint.

**Note**  
If you have an existing server in a VPC displayed as `VPC_ENDPOINT`, we recommend that you modify it to the new VPC endpoint type. With this new endpoint type, you no longer need to use a Network Load Balancer (NLB) to associate Elastic IP addresses with your server's endpoint. Also, you can use VPC security groups to restrict access to your server's endpoint. However, you can continue to use the `VPC_ENDPOINT` endpoint type as needed.

The following procedure assumes that you have a server that uses either the current public endpoint type or the older `VPC_ENDPOINT` type.

**To change the endpoint type for your server**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. In the navigation pane, choose **Servers**.

1. Select the check box of the server that you want to change the endpoint type for.
**Important**  
You must stop the server before you can change its endpoint.

1. For **Actions**, choose **Stop**.

1. In the confirmation dialog box that appears, choose **Stop** to confirm that you want to stop the server.
**Note**  
Before proceeding to the next step, in **Endpoint details**, wait for the **Status** of the server to change to **Offline**; this can take a couple of minutes. You might have to choose **Refresh** on the **Servers** page to see the status change.  
You won't be able to make any edits until the server is **Offline**.

1. In **Endpoint details**, choose **Edit**.

1. In **Edit endpoint configuration**, do the following:

   1. For **Edit endpoint type**, choose **VPC hosted**.

   1. For **Access**, choose one of the following:
      + **Internal** to make your endpoint only accessible to clients using the endpoint's private IP addresses.
      + **Internet Facing** to make your endpoint accessible to clients over the public internet.
**Note**  
When you choose **Internet Facing**, you can choose an existing Elastic IP address in each subnet or subnets. Or, you can go to the VPC console ([https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/)) to allocate one or more new Elastic IP addresses. These addresses can be owned either by AWS or by you. You can't associate Elastic IP addresses that are already in use with your endpoint.

   1. (Optional for internet facing access only) For **Custom hostname**, choose one of the following:
      + **Amazon Route 53 DNS alias** – if the hostname that you want to use is registered with Route 53. You can then enter the hostname.
      + **Other DNS** – if the hostname that you want to use is registered with another DNS provider. You can then enter the hostname.
      + **None** – to use the server's endpoint and not use a custom hostname. The server hostname takes the form `serverId.server.transfer.regionId.amazonaws.com`.

        To learn more about working with custom hostnames, see [Working with custom hostnames](requirements-dns.md).

   1. For **VPC**, choose an existing VPC ID, or choose **Create a VPC** to create a new VPC.

   1. In the **Availability Zones** section, select up to three Availability Zones and associated subnets. If **Internet Facing** is chosen, also choose an Elastic IP address for each subnet.
**Note**  
If you want the maximum of three Availability Zones, but there are not enough available, create them in the VPC console ([https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/)).  
If you modify the subnets or Elastic IP addresses, the server takes a few minutes to update. You can't save your changes until the server update is complete.

   1. Choose **Save**.

1. For **Actions**, choose **Start** and wait for the status of the server to change to **Online**; this can take a couple of minutes.
**Note**  
If you changed a public endpoint type to a VPC endpoint type, notice that **Endpoint type** for your server has changed to **VPC**.

The default security group is attached to the endpoint. To change or add additional security groups, see [Creating Security Groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#CreatingSecurityGroups).
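The internet-facing procedure above and the endpoint-type change both come down to the same `EndpointDetails` structure: a VPC, one to three subnets, security groups and, for an internet-facing endpoint, one Elastic IP allocation per subnet. The following Python is an added example, not AWS documentation or SDK code; it builds that structure with the constraints the procedures state (at most three subnets, an Elastic IP for every subnet, only SFTP and FTPS on an internet-facing VPC hosted endpoint) and returns the keyword arguments that boto3's `transfer.create_server()` and `transfer.update_server()` accept. The resource IDs, the role name and the ID-format checks are this example's assumptions; the boto3 calls are left commented so the module runs offline.

```python
"""Build EndpointDetails for a VPC-hosted Transfer Family server.

Added example, not AWS documentation or SDK code.  It encodes the constraints
from the console procedures and returns the keyword arguments for
transfer.create_server() and transfer.update_server().  The placeholder IDs
and the ID-format patterns are this example's assumptions.
"""
import re

MAX_SUBNETS = 3
INTERNET_FACING_PROTOCOLS = {"SFTP", "FTPS"}
DEFAULT_SECURITY_POLICY = "TransferSecurityPolicy-2024-01"  # console default named above

# Assumed ID formats; they only catch pasted-in typos before the API call.
_ID_PATTERNS = {
    "vpc": re.compile(r"^vpc-[0-9a-f]{8,17}$"),
    "subnet": re.compile(r"^subnet-[0-9a-f]{8,17}$"),
    "sg": re.compile(r"^sg-[0-9a-f]{8,17}$"),
    "eipalloc": re.compile(r"^eipalloc-[0-9a-f]{8,17}$"),
}


def _check_ids(kind, ids):
    for value in ids:
        if not _ID_PATTERNS[kind].match(value):
            raise ValueError(f"{value!r} is not a valid {kind} ID")
    return list(ids)


def endpoint_details(vpc_id, subnet_ids, security_group_ids, address_allocation_ids=None):
    """Return the EndpointDetails structure for EndpointType=VPC.

    Passing address_allocation_ids makes the endpoint internet facing and
    requires exactly one Elastic IP allocation per subnet.  Omitting it gives an
    endpoint reachable only from inside the VPC.
    """
    subnets = _check_ids("subnet", subnet_ids)
    if not 1 <= len(subnets) <= MAX_SUBNETS:
        raise ValueError(f"choose between 1 and {MAX_SUBNETS} subnets, got {len(subnets)}")
    if len(set(subnets)) != len(subnets):
        raise ValueError("subnet IDs must be distinct")
    details = {
        "VpcId": _check_ids("vpc", [vpc_id])[0],
        "SubnetIds": subnets,
        "SecurityGroupIds": _check_ids("sg", security_group_ids),
    }
    if address_allocation_ids is not None:
        allocs = _check_ids("eipalloc", address_allocation_ids)
        if len(allocs) != len(subnets):
            raise ValueError("internet-facing endpoints need exactly one Elastic IP allocation per subnet")
        details["AddressAllocationIds"] = allocs
    return details


def create_server_request(protocols, details, logging_role_arn, security_policy=DEFAULT_SECURITY_POLICY):
    """Keyword arguments for transfer.create_server() with a VPC-hosted endpoint."""
    protos = sorted({p.upper() for p in protocols})
    if "AddressAllocationIds" in details and not set(protos) <= INTERNET_FACING_PROTOCOLS:
        raise ValueError("only SFTP and FTPS can be used on an internet-facing VPC hosted endpoint")
    return {
        "Protocols": protos,
        "IdentityProviderType": "SERVICE_MANAGED",
        "EndpointType": "VPC",
        "EndpointDetails": details,
        "LoggingRole": logging_role_arn,
        "SecurityPolicyName": security_policy,
    }


def update_server_request(server_id, details):
    """Keyword arguments for transfer.update_server() when moving a PUBLIC or
    VPC_ENDPOINT server to EndpointType=VPC.  The server must be OFFLINE first:
    call stop_server and poll describe_server until State is "OFFLINE"."""
    if not re.match(r"^s-[0-9a-f]{17}$", server_id):
        raise ValueError(f"{server_id!r} is not a Transfer Family server ID")
    return {"ServerId": server_id, "EndpointType": "VPC", "EndpointDetails": details}


if __name__ == "__main__":
    # Placeholder IDs (assumed); replace them before running against AWS.
    details = endpoint_details(
        "vpc-0123456789abcdef0",
        ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"],
        ["sg-0123456789abcdef0"],
        address_allocation_ids=["eipalloc-0123456789abcdef0", "eipalloc-0123456789abcdef1"],
    )
    print(create_server_request(["SFTP"], details, "arn:aws:iam::123456789012:role/AWSTransferLoggingAccess"))
    # import boto3
    # transfer = boto3.client("transfer")
    # transfer.stop_server(ServerId="s-0123456789abcdef0")
    # ... poll transfer.describe_server(ServerId=...)["Server"]["State"] until "OFFLINE" ...
    # transfer.update_server(**update_server_request("s-0123456789abcdef0", details))
    # transfer.start_server(ServerId="s-0123456789abcdef0")
```

The builder deliberately rejects an FTP protocol when Elastic IPs are present, mirroring the note that only SFTP and FTPS are supported on an internet-facing VPC hosted endpoint; an internal endpoint built without `address_allocation_ids` accepts FTP.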

## Discontinuing the use of VPC_ENDPOINT
<a name="deprecate-vpc-endpoint"></a>

AWS Transfer Family has discontinued the ability to create servers with `EndpointType=VPC_ENDPOINT` for new AWS accounts. As of May 19, 2021, AWS accounts that don't own AWS Transfer Family servers with an endpoint type of `VPC_ENDPOINT` will not be able to create new servers with `EndpointType=VPC_ENDPOINT`. If you already own servers that use the `VPC_ENDPOINT` endpoint type, we recommend that you start using `EndpointType=VPC` as soon as possible. For details, see [Update your AWS Transfer Family server endpoint type from VPC_ENDPOINT to VPC](https://aws.amazon.com/blogs/storage/update-your-aws-transfer-family-server-endpoint-type-from-vpc_endpoint-to-vpc/).

We launched the new `VPC` endpoint type earlier in 2020. For more information, see [AWS Transfer Family for SFTP supports VPC Security Groups and Elastic IP addresses](https://aws.amazon.com/about-aws/whats-new/2020/01/aws-transfer-for-sftp-supports-vpc-security-groups-and-elastic-ip-addresses/). This new endpoint is more feature rich and cost effective and there are no PrivateLink charges. For more information, see [AWS PrivateLink pricing](https://aws.amazon.com/privatelink/pricing/). 

This endpoint type is functionally equivalent to the previous endpoint type (`VPC_ENDPOINT`). You can attach Elastic IP addresses directly to the endpoint to make it internet facing and use security groups for source IP filtering. For more information, see the [Use IP allow listing to secure your AWS Transfer Family for SFTP servers](https://aws.amazon.com/blogs/storage/use-ip-whitelisting-to-secure-your-aws-transfer-for-sftp-servers/) blog post.

You can also host this endpoint in a shared VPC environment. For more information, see [AWS Transfer Family now supports shared services VPC environments](https://aws.amazon.com/about-aws/whats-new/2020/11/aws-transfer-family-now-supports-shared-services-vpc-environments/). 

In addition to SFTP, you can use the VPC `EndpointType` to enable FTPS and FTP. We don't plan to add these features and FTPS/FTP support to `EndpointType=VPC_ENDPOINT`. We have also removed this endpoint type as an option from the AWS Transfer Family console. 

<a name="deprecate-vpc-endpoint.title"></a>You can change the endpoint type for your server using the Transfer Family console, AWS CLI, API, SDKs, or CloudFormation. To change your server's endpoint type, see [Updating the AWS Transfer Family server endpoint type from VPC_ENDPOINT to VPC](update-endpoint-type-vpc.md).

If you have any questions, contact AWS Support or your AWS account team.


## Limiting VPC endpoint access for Transfer Family servers
<a name="limit-vpc-endpoint-access"></a>

When creating an AWS Transfer Family server with VPC endpoint type, your IAM users and principals need permissions to create and delete VPC endpoints. However, your organization's security policies may restrict these permissions. You can use IAM policies to allow VPC endpoint creation and deletion specifically for Transfer Family while maintaining restrictions for other services.

**Important**  
The following statement has `"Effect": "Deny"`, so by itself it grants nothing: the principals who should be able to create and delete VPC endpoints for Transfer Family servers still need an `Allow` for `ec2:CreateVpcEndpoint` and `ec2:DeleteVpcEndpoints`. Paired with such an `Allow`, it limits those operations to VPC endpoints whose service name matches a Transfer Family server and denies them for every other service. Both condition blocks must match for the deny to apply, so the role named in `aws:PrincipalArn` is exempt from the deny entirely and can manage endpoints for any service.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": ["*"],
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:VpceServiceName": [
                        "com.amazonaws.INPUT-YOUR-REGION.transfer.server.*"
                    ]
                },
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/INPUT-YOUR-ROLE"
                    ]
                }
            }
        }
    ]
}
```

Replace *INPUT-YOUR-REGION* with your AWS Region (for example, **us-east-1**) and *INPUT-YOUR-ROLE* with the name of the IAM role that should be exempt from the restriction.
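Because the two condition blocks are ANDed and both use a negated operator, it is easy to misjudge which requests the statement actually denies. The following Python is an added example, not AWS code: it re-implements just the `StringNotLike` matching the statement uses (IAM's `*` and `?` wildcards) and evaluates the statement against a few constructed requests. The region, the exempt role name and the sample endpoint service names are assumptions of the example, and it models only requests that carry an `ec2:VpceServiceName` key; IAM's full policy evaluation (including the `Allow` statements a principal also needs) is not reproduced.

```python
"""Evaluate the Deny statement above against constructed requests.

Added example, not AWS code.  Only the StringNotLike operator is modelled,
with IAM's '*' and '?' wildcards; requests without an ec2:VpceServiceName
key and the rest of IAM evaluation are out of scope.  Region and role name
are assumptions standing in for INPUT-YOUR-REGION / INPUT-YOUR-ROLE.
"""
import re

REGION = "us-east-1"                                           # INPUT-YOUR-REGION
EXEMPT_ROLE_PATTERN = "arn:aws:iam::*:role/TransferEndpointAdmin"   # INPUT-YOUR-ROLE
TRANSFER_SERVICE_PATTERN = f"com.amazonaws.{REGION}.transfer.server.*"
DENIED_ACTIONS = {"ec2:CreateVpcEndpoint", "ec2:DeleteVpcEndpoints"}


def iam_string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def string_not_like(patterns, value):
    """StringNotLike: true when the value matches none of the patterns."""
    return not any(iam_string_like(p, value) for p in patterns)


def statement_denies(action, principal_arn, vpce_service_name):
    """True if the Deny statement matches the request.

    The statement's Condition has two blocks, and IAM requires every block to
    be true for the statement to match: the endpoint service must NOT be a
    Transfer Family server AND the caller must NOT be the exempt role.
    """
    if action not in DENIED_ACTIONS:
        return False
    service_is_foreign = string_not_like([TRANSFER_SERVICE_PATTERN], vpce_service_name)
    principal_not_exempt = string_not_like([EXEMPT_ROLE_PATTERN], principal_arn)
    return service_is_foreign and principal_not_exempt


def evaluate(requests):
    """Return [(action, principal, service, denied)] for a list of request tuples."""
    return [(a, p, s, statement_denies(a, p, s)) for a, p, s in requests]


if __name__ == "__main__":
    # Constructed sample requests; the service names are illustrative only.
    admin = "arn:aws:iam::123456789012:role/TransferEndpointAdmin"
    dev = "arn:aws:iam::123456789012:role/Developer"
    transfer_svc = f"com.amazonaws.{REGION}.transfer.server.s-0123456789abcdef0"
    s3_svc = f"com.amazonaws.{REGION}.s3"
    for row in evaluate([
        ("ec2:CreateVpcEndpoint", dev, transfer_svc),    # allowed through (if an Allow exists)
        ("ec2:CreateVpcEndpoint", dev, s3_svc),          # denied
        ("ec2:DeleteVpcEndpoints", admin, s3_svc),       # exempt role: not denied
        ("ec2:DescribeVpcEndpoints", dev, s3_svc),       # action not covered
    ]):
        print("DENY " if row[3] else "pass ", row[0], row[1].rsplit("/", 1)[1], row[2])
```

The last case in `__main__` is the one worth noticing: the exempt role passes even for a non-Transfer service, which is what the second `StringNotLike` block does and may be more than you intended.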

## Additional networking features
<a name="additional-networking-features"></a>

AWS Transfer Family provides several advanced networking features that enhance security and flexibility when using VPC configurations:
+ **Shared VPC environment support** - You can host your Transfer Family server endpoint in a shared VPC environment. For more information, see [Using VPC hosted endpoints in shared VPCs with AWS Transfer Family](https://aws.amazon.com/blogs/storage/using-vpc-hosted-endpoints-in-shared-vpcs-with-aws-transfer-family/).
+ **Authentication and security** - You can use an AWS Web Application Firewall to protect your Amazon API Gateway endpoint. For more information, see [Securing AWS Transfer Family with AWS Web Application Firewall and Amazon API Gateway](https://aws.amazon.com/blogs/storage/securing-aws-transfer-family-with-aws-web-application-firewall-and-amazon-api-gateway/).

# Updating the AWS Transfer Family server endpoint type from `VPC_ENDPOINT` to `VPC`
<a name="update-endpoint-type-vpc"></a>

You can use the AWS Management Console, CloudFormation, or the Transfer Family API to update a server's `EndpointType` from `VPC_ENDPOINT` to `VPC`. The following sections provide procedures and examples for each method. If you have servers in multiple AWS Regions and accounts, the example script in the next section, with modifications, identifies the servers that use the `VPC_ENDPOINT` type and need updating.

**Topics**
+ [Identifying servers using the `VPC_ENDPOINT` endpoint type](#id-servers)
+ [Updating the server endpoint type using the AWS Management Console](#update-endpoint-console)
+ [Updating the server endpoint type using CloudFormation](#update-endpoint-cloudformation)
+ [Updating the server EndpointType using the API](#update-endpoint-cli)

## Identifying servers using the `VPC_ENDPOINT` endpoint type
<a name="id-servers"></a>

You can identify which servers use the `VPC_ENDPOINT` endpoint type by using the AWS Management Console.

**To identify servers using the `VPC_ENDPOINT` endpoint type using the console**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. Choose **Servers** in the navigation pane to display the list of servers in your account in that region.

1. Sort the list of servers by the **Endpoint type** to see all servers using `VPC_ENDPOINT`.

**To identify servers using `VPC_ENDPOINT` across multiple AWS Regions and accounts**

If you have servers in multiple AWS Regions and accounts, you can use the following example script, with modifications, to identify servers that use the `VPC_ENDPOINT` endpoint type. The script uses the Amazon EC2 [DescribeRegions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html) and Transfer Family [ListServers](https://docs.aws.amazon.com/transfer/latest/APIReference/API_ListServers.html) API operations. If you have many AWS accounts, you can loop over them by assuming a read-only auditor IAM role in each account, for example through named profiles that authenticate to your identity provider.

1. Following is a simple example.

   ```
   import boto3
   
   # The profile is a named profile from your AWS CLI configuration, not the account name.
   profile = input("Enter the AWS CLI profile for the account you'll be working in: ")
   session = boto3.Session(profile_name=profile)
   
   ec2 = session.client("ec2")
   
   # DescribeRegions returns only the Regions enabled for this account.
   regions = ec2.describe_regions()
   
   for region in regions["Regions"]:
       region_name = region["RegionName"]
       if region_name == "ap-northeast-3":  # https://github.com/boto/boto3/issues/1943
           continue
       transfer = session.client("transfer", region_name=region_name)
       # ListServers is paginated; the paginator walks every page instead of only the first.
       paginator = transfer.get_paginator("list_servers")
       for page in paginator.paginate():
           for server in page["Servers"]:
               if server["EndpointType"] == "VPC_ENDPOINT":
                   print(server["ServerId"], region_name)
   ```

1. After you have the list of the servers to update, you can use one of the methods described in the following sections to update the `EndpointType` to `VPC`.

## Updating the server endpoint type using the AWS Management Console
<a name="update-endpoint-console"></a>

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. In the navigation pane, choose **Servers**.

1. Select the check box of the server that you want to change the endpoint type for.
**Important**  
You must stop the server before you can change its endpoint.

1. For **Actions**, choose **Stop**.

1. In the confirmation dialog box that appears, choose **Stop** to confirm that you want to stop the server.
**Note**  
Before proceeding to the next step, wait for the **Status** of the server to change to **Offline**; this can take a couple of minutes. You might have to choose **Refresh** on the **Servers** page to see the status change.

1. After the status changes to **Offline**, choose the server to display the server details page.

1. In the **Endpoint details** section, choose **Edit**.

1. Choose **VPC hosted** for the **Endpoint type**.

1. Choose **Save**.

1. For **Actions**, choose **Start** and wait for the status of the server to change to **Online**; this can take a couple of minutes.

## Updating the server endpoint type using CloudFormation
<a name="update-endpoint-cloudformation"></a>

This section describes how to use CloudFormation to update a server's `EndpointType` to `VPC`. Use this procedure for Transfer Family servers that you have deployed using CloudFormation. In this example, the original CloudFormation template used to deploy the Transfer Family server is shown as follows:

```
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create AWS Transfer Server with VPC_ENDPOINT endpoint type'
Parameters:
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  TransferServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: S3
      EndpointDetails:
        VpcEndpointId: !Ref VPCEndpoint
      EndpointType: VPC_ENDPOINT
      IdentityProviderType: SERVICE_MANAGED
      Protocols:
        - SFTP
  VPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: com.amazonaws.us-east-1.transfer.server
      SecurityGroupIds:
        - !Ref SecurityGroupId
      SubnetIds:
        - !Select [0, !Ref SubnetIds]
        - !Select [1, !Ref SubnetIds]
        - !Select [2, !Ref SubnetIds]
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
```

The template is updated with the following changes:
+ The `EndpointType` was changed to `VPC`.
+ The `AWS::EC2::VPCEndpoint` resource is removed.
+ The `SecurityGroupId`, `SubnetIds`, and `VpcId` were moved to the `EndpointDetails` section of the `AWS::Transfer::Server` resource.
+ The `VpcEndpointId` property of `EndpointDetails` was removed.

The updated template looks as follows:

```
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create AWS Transfer Server with VPC endpoint type'
Parameters:
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  TransferServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: S3
      EndpointDetails:
        SecurityGroupIds:
          - !Ref SecurityGroupId
        SubnetIds:
          - !Select [0, !Ref SubnetIds]
          - !Select [1, !Ref SubnetIds]
          - !Select [2, !Ref SubnetIds]
        VpcId: !Ref VpcId
      EndpointType: VPC
      IdentityProviderType: SERVICE_MANAGED
      Protocols:
        - SFTP
```

**To update the endpoint type of Transfer Family servers deployed using CloudFormation**

1. Stop the server that you want to update using the following steps.

   1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

   1. In the navigation pane, choose **Servers**.

   1. Select the check box of the server that you want to change the endpoint type for.
**Important**  
You must stop the server before you can change its endpoint.

   1. For **Actions**, choose **Stop**.

   1. In the confirmation dialog box that appears, choose **Stop** to confirm that you want to stop the server.
**Note**  
Before proceeding to the next step, wait for the **Status** of the server to change to **Offline**; this can take a couple of minutes. You might have to choose **Refresh** on the **Servers** page to see the status change.

1. Update the CloudFormation stack

   1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

   1. Choose the stack used to create the Transfer Family server.

   1. Choose **Update**.

   1. Choose **Replace current template**

   1. Upload the new template. CloudFormation Change Sets help you understand how template changes will affect running resources before you implement them. In this example, the Transfer server resource will be modified, and the VPCEndpoint resource will be removed. The VPC endpoint type server creates a VPC Endpoint on your behalf, replacing the original `VPCEndpoint` resource.

      After uploading the new template, the change set will look similar to the following:  
![\[Shows Change set preview page for replacing current CloudFormation template.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/vpc-endpoint-update-cfn.png)

   1. Update the stack.

1. Once the stack update is complete, navigate to the Transfer Family management console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. Restart the server. Choose the server you updated in CloudFormation, and then choose **Start** from the **Actions** menu.

## Updating the server EndpointType using the API
<a name="update-endpoint-cli"></a>

You can use the [update-server](https://docs.aws.amazon.com/cli/latest/reference/transfer/update-server.html) AWS CLI command, or the [UpdateServer](https://docs.aws.amazon.com/transfer/latest/APIReference/API_UpdateServer.html) API operation. The following example script reads the network placement of the existing VPC endpoint, stops the Transfer Family server, updates its `EndpointType` to `VPC`, starts the server again, and then deletes the original VPC endpoint.

```
import boto3
import time

# The profile is a named profile from your AWS CLI configuration, not the account name.
profile = input("Enter the AWS CLI profile for the account you'll be working in: ")
region_name = input("Enter the AWS Region you're working in: ")
server_id = input("Enter the AWS Transfer Server Id: ")

session = boto3.Session(profile_name=profile)

ec2 = session.client("ec2", region_name=region_name)
transfer = session.client("transfer", region_name=region_name)


def wait_for_state(target, timeout=600, interval=15):
    """Poll DescribeServer until the server reaches the target state (OFFLINE or ONLINE)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        state = transfer.describe_server(ServerId=server_id)["Server"]["State"]
        if state == target:
            return
        if state in ("START_FAILED", "STOP_FAILED"):
            raise RuntimeError(f"Server {server_id} entered state {state}")
        time.sleep(interval)
    raise TimeoutError(f"Server {server_id} did not reach {target} within {timeout}s")


server = transfer.describe_server(ServerId=server_id)["Server"]
if server["EndpointType"] != "VPC_ENDPOINT":
    raise SystemExit(f"Server {server_id} uses {server['EndpointType']}; nothing to do")

# Read the subnets, security groups, and VPC from the existing VPC endpoint so that the
# VPC-type server is placed in the same network.
old_vpc_endpoint = server["EndpointDetails"]["VpcEndpointId"]
endpoint = ec2.describe_vpc_endpoints(VpcEndpointIds=[old_vpc_endpoint])["VpcEndpoints"][0]
subnet_ids = endpoint["SubnetIds"]
vpc_id = endpoint["VpcId"]
group_ids = [group["GroupId"] for group in endpoint["Groups"]]

# The server must be OFFLINE before its endpoint type can be changed.
if server["State"] == "ONLINE":
    print(transfer.stop_server(ServerId=server_id))
wait_for_state("OFFLINE")

print(transfer.update_server(
    ServerId=server_id,
    EndpointType="VPC",
    EndpointDetails={"SecurityGroupIds": group_ids, "SubnetIds": subnet_ids, "VpcId": vpc_id},
))

print(transfer.start_server(ServerId=server_id))
wait_for_state("ONLINE")

# The VPC-type server created its own endpoint, so the original endpoint is no longer used.
print(ec2.delete_vpc_endpoints(VpcEndpointIds=[old_vpc_endpoint]))
```

# Working with custom hostnames
<a name="requirements-dns"></a>

Your *server host name* is the hostname that your users enter in their clients when they connect to your server. You can use a custom domain that you have registered for your server hostname when you work with AWS Transfer Family. For example, you might use a custom hostname like `mysftpserver.mysubdomain.domain.com`.

To redirect traffic from your registered custom domain to your server endpoint, you can use Amazon Route 53 or any Domain Name System (DNS) provider. Route 53 is the DNS service that AWS Transfer Family natively supports.

**Topics**
+ [Use Amazon Route 53 as your DNS provider](#requirements-use-r53)
+ [Use other DNS providers](#requirements-use-alt-dns)
+ [Custom hostnames for non-console created servers](#tag-custom-hostname-cdk)

On the console, you can choose one of these options for setting up a custom hostname:
+ **Amazon Route 53 DNS alias** – if the hostname that you want to use is registered with Route 53. You can then enter the hostname.
+ **Other DNS** – if the hostname that you want to use is registered with another DNS provider. You can then enter the hostname.
+ **None** – to use the server's endpoint and not use a custom hostname.

You set this option when you create a new server or edit the configuration of an existing server. For more information about creating a new server, see [Step 2: Create an SFTP-enabled server](getting-started.md#getting-started-server). For more information about editing the configuration of an existing server, see [Edit server details](edit-server-config.md).

For more details about using your own domain for the server hostname and how AWS Transfer Family uses Route 53, see the following sections.

## Use Amazon Route 53 as your DNS provider
<a name="requirements-use-r53"></a>

When you create a server, you can use Amazon Route 53 as your DNS provider. Before you use a domain with Route 53, you register the domain. For more information, see [How Domain registration works](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-domain-registration.html) in the *Amazon Route 53 Developer Guide*.

When you use Route 53 to provide DNS routing to your server, AWS Transfer Family uses the custom hostname that you entered to extract its hosted zone. When AWS Transfer Family extracts a hosted zone, three things can happen:

1. If you're new to Route 53 and don't have a hosted zone, AWS Transfer Family adds a new hosted zone and a `CNAME` record. The value of this `CNAME` record is the endpoint hostname for your server. A `CNAME` record maps an alias name, here your custom hostname, to another domain name.

1. If you have a hosted zone in Route 53 without a `CNAME` record for that hostname, AWS Transfer Family adds a `CNAME` record to the hosted zone.

1. If the service detects that a `CNAME` record for that hostname already exists in the hosted zone, you see an error indicating that a `CNAME` record already exists. In this case, change the value of the existing `CNAME` record to the endpoint hostname of your server.

For more information about hosted zones in Route 53, see [Hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html) in the *Amazon Route 53 Developer Guide*.

## Use other DNS providers
<a name="requirements-use-alt-dns"></a>

When you create a server, you can also use DNS providers other than Amazon Route 53. If you use an alternate DNS provider, make sure that traffic from your domain is directed to your server endpoint.

To do so, create a `CNAME` record at your DNS provider that maps your hostname to the endpoint hostname for the server.
+ For IPv4 endpoints, the hostname looks like this in the console:

   `serverid.server.transfer.region.amazonaws.com` 
+ For dual-stack endpoints, the hostname looks like this in the console:

   `serverid.transfer-server.region.on.aws` 

**Note**  
If your server has a VPC endpoint, then the format for the hostname is different from those described above. To find your VPC endpoint, select the VPC on the server's details page, then select the **VPC endpoint ID** on the VPC dashboard. The endpoint is the first DNS name of those listed.

## Custom hostnames for non-console created servers
<a name="tag-custom-hostname-cdk"></a>

When you create a server using AWS Cloud Development Kit (AWS CDK), CloudFormation, or through the CLI, you must add a tag if you want that server to have a custom hostname. When you create a Transfer Family server by using the console, the tagging is done automatically.

**Note**  
You also need to create a DNS record to redirect traffic from your domain to your server endpoint. For details, see [Working with records](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html) in the *Amazon Route 53 Developer Guide*.

Use the following keys for your custom hostname:
+ Add `transfer:customHostname` to display the custom hostname in the console.
+ If you are using Route 53 as your DNS provider, add `transfer:route53HostedZoneId`. This tag links the custom hostname to your Route 53 Hosted Zone ID.

To add the custom hostname, issue the following CLI command.

```
aws transfer tag-resource --arn arn:aws:transfer:region:account-id:server/server-ID --tags Key=transfer:customHostname,Value="custom-host-name"
```

For example:

```
aws transfer tag-resource --arn arn:aws:transfer:us-east-1:111122223333:server/s-1234567890abcdef0 --tags Key=transfer:customHostname,Value="abc.example.com"
```

If you are using Route 53, issue the following command to link your custom hostname to your Route 53 Hosted Zone ID.

```
aws transfer tag-resource --arn arn:aws:transfer:region:account-id:server/server-ID --tags Key=transfer:route53HostedZoneId,Value=HOSTED-ZONE-ID
```

For example:

```
aws transfer tag-resource --arn arn:aws:transfer:us-east-1:111122223333:server/s-1234567890abcdef0 --tags Key=transfer:route53HostedZoneId,Value=ABCDE1111222233334444
```

Assuming the sample values from the previous command, run the following command to view your tags:

```
aws transfer list-tags-for-resource --arn arn:aws:transfer:us-east-1:111122223333:server/s-1234567890abcdef0
```

```
{
    "Tags": [
        {
            "Key": "transfer:route53HostedZoneId",
            "Value": "/hostedzone/ABCDE1111222233334444"
        },
        {
            "Key": "transfer:customHostname",
            "Value": "abc.example.com"
        }
    ]
}
```

**Note**  
Your public hosted zones and their IDs are listed in the Amazon Route 53 console. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).
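As an added example (not code from the AWS documentation), the following Python script assembles the two pieces that the sections above describe for a server created outside the console: the `transfer:customHostname` and `transfer:route53HostedZoneId` tags, and the Route 53 `CNAME` record that points the custom hostname at the server's endpoint hostname, built in the IPv4 and dual-stack formats shown under *Use other DNS providers*. The account number, server ID, hostname and hosted zone ID are constructed sample values; `apply()` makes the real `TagResource` and `ChangeResourceRecordSets` calls and is the only part that needs credentials.

```python
import re

# Constructed sample values (not from a real account); replace them with your own.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
SERVER_ID = "s-1234567890abcdef0"
CUSTOM_HOSTNAME = "abc.example.com"
HOSTED_ZONE_ID = "ABCDE1111222233334444"


def server_arn(region, account_id, server_id):
    """ARN form accepted by tag-resource / list-tags-for-resource."""
    return f"arn:aws:transfer:{region}:{account_id}:server/{server_id}"


def endpoint_hostname(server_id, region, dualstack=False):
    """Public endpoint hostname of a server, in the two formats the page shows."""
    if dualstack:
        return f"{server_id}.transfer-server.{region}.on.aws"
    return f"{server_id}.server.transfer.{region}.amazonaws.com"


def normalize_hosted_zone_id(zone_id):
    """Accept either 'Z...' or '/hostedzone/Z...' and return the bare ID the Route 53 API expects."""
    return zone_id.rsplit("/", 1)[-1]


def hostname_tags(custom_hostname, hosted_zone_id=None):
    """Tags that make Transfer Family show the custom hostname (and link it to a Route 53 zone)."""
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", custom_hostname.lower()):
        raise ValueError(f"not a valid DNS hostname: {custom_hostname!r}")
    tags = [{"Key": "transfer:customHostname", "Value": custom_hostname}]
    if hosted_zone_id:
        tags.append({"Key": "transfer:route53HostedZoneId",
                     "Value": normalize_hosted_zone_id(hosted_zone_id)})
    return tags


def cname_change_batch(custom_hostname, target_hostname, ttl=300):
    """Route 53 ChangeBatch pointing the custom hostname at the endpoint; UPSERT makes it idempotent."""
    return {
        "Comment": f"Transfer Family custom hostname for {target_hostname}",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": custom_hostname.rstrip(".") + ".",
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": target_hostname}],
            },
        }],
    }


def apply(session, region, account_id, server_id, custom_hostname, hosted_zone_id):
    """Tag the server and upsert the CNAME. Needs credentials; not exercised by the offline checks."""
    transfer = session.client("transfer", region_name=region)
    route53 = session.client("route53")
    transfer.tag_resource(Arn=server_arn(region, account_id, server_id),
                          Tags=hostname_tags(custom_hostname, hosted_zone_id))
    route53.change_resource_record_sets(
        HostedZoneId=normalize_hosted_zone_id(hosted_zone_id),
        ChangeBatch=cname_change_batch(custom_hostname, endpoint_hostname(server_id, region)),
    )


if __name__ == "__main__":
    print(hostname_tags(CUSTOM_HOSTNAME, HOSTED_ZONE_ID))
    print(cname_change_batch(CUSTOM_HOSTNAME, endpoint_hostname(SERVER_ID, REGION)))
    # To run against a real account:
    # import boto3; apply(boto3.Session(profile_name="..."), REGION, ACCOUNT_ID, SERVER_ID,
    #                     CUSTOM_HOSTNAME, HOSTED_ZONE_ID)
```

The principal that runs `apply()` needs `transfer:TagResource` on the server and `route53:ChangeResourceRecordSets` on the hosted zone. Because the record is a `CNAME`, the custom hostname must be a subdomain such as `sftp.example.com`, not a zone apex.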