Deploying into a private subnet
Overview
Some environments require that SFTP Gateway be deployed in a private subnet. This article covers this configuration scenario.
Set up a VPC with private subnet
If you don't already have a VPC with a private subnet, AWS makes it easy to create one with the Launch VPC Wizard.
In the AWS console, search for the VPC service.
Before you create the VPC, allocate an Elastic IP. The wizard assigns it to the NAT Gateway, which is what gives instances in the private subnet outbound internet access (they still have no inbound route from the internet).
On the left menu, go to Elastic IPs and click the button Allocate Elastic IP Address.
Then go to the VPC Dashboard, and click the orange button that says Launch VPC Wizard.
Choose the second option: VPC with Public and Private Subnets
Give the VPC a name, choose your Elastic IP Allocation ID from the drop-down, and use the defaults.
Finally, click Create VPC.
Deploy SFTP Gateway into the private subnet
When deploying SFTP Gateway from the AWS Marketplace, pick the CloudFormation template named SFTP Gateway (Single Instance - Existing Network)
This template lets you select a VPC and subnet. Choose the VPC you just created, and the private subnet in this VPC. It should be easy to tell which subnet is private, based on the name.
Use SSM to connect to the web interface
SFTP Gateway 3.x relies on the web admin portal to configure SFTP users and settings. When deployed into a private subnet, you need to somehow access the web interface.
Normally, this would be quite challenging. Even if you had a Linux bastion host, you would only have SSH access, and have to figure out a way to proxy web traffic.
Fortunately, you can use AWS Systems Manager Session Manager to forward a port from your local machine to the private EC2 instance, so your browser connects to the web interface through the tunnel. There's no need to set up a bastion host or to open any inbound EC2 Security Group rules.
Here's an AWS article that shows you how to do this: https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/
There are a lot of steps involved. So, the next section will cover some of the milestones along the way.
Setup steps
SFTP Gateway 3.x is based on Amazon Linux 2, which ships with the SSM agent preinstalled. You can confirm this on the instance with:
yum info amazon-ssm-agent
What's missing are the IAM permissions the agent needs to register with SSM. Attach the following AWS managed policy to the EC2 instance's IAM role:
AmazonSSMManagedInstanceCore
The agent also needs an outbound path to the SSM service endpoints. The NAT Gateway created by the VPC wizard provides this; if your private subnet has no NAT Gateway, create VPC endpoints for ssm, ssmmessages and ec2messages instead.
Next, on your desktop machine, check your version of the AWS CLI and make sure it's at least 1.16.220:
aws --version
If it's out of date, follow these instructions to update it: https://aws.amazon.com/cli/
Also on your desktop, install the Session Manager plugin for the AWS CLI: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
Finally, try connecting:
aws ssm start-session \
--target i-0a40ae24290000b6e \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["443"],"localPortNumber":["9999"]}'
This command uses SSM to create a tunnel to the EC2 instance. Your desktop listens on port 9999 and tunnels this to the EC2 instance's port 443.
Make sure you replace the EC2 instance ID with your own.
If successful, you should see the following output:
Starting session with SessionId: rchen-05a7b2c80c3662515
Port 9999 opened for sessionId rchen-05a7b2c80c3662515.
Waiting for connections...
Connection accepted for session [rchen-05a7b2c80c3662515]
Try connecting to localhost port 9999 from a web browser:
https://localhost:9999/index.html
You should see a browser certificate warning (expected, since the instance's certificate was not issued for localhost), followed by the first launch experience for SFTP Gateway.
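The following script is an added example, not part of the SFTP Gateway documentation or product. It wraps the setup steps above: it parses the aws --version banner and checks it against 1.16.220, confirms the Session Manager plugin is on PATH, asks SSM whether the instance is actually registered (PingStatus Online) before attempting a session, and then opens the same port-forwarding session as the command above. The script name ssm-forward.sh and the default ports are assumptions; region and profile come from the usual AWS_DEFAULT_REGION / AWS_PROFILE environment variables or ~/.aws/config.

```shell
#!/bin/sh
# Added example (not part of the SFTP Gateway documentation): checks the
# Session Manager prerequisites described above, then opens the tunnel.
# Assumptions: the AWS CLI and session-manager-plugin are on PATH, and
# credentials/region come from AWS_PROFILE / AWS_DEFAULT_REGION or
# ~/.aws/config. Script name ssm-forward.sh is hypothetical.

MIN_CLI="1.16.220"   # minimum AWS CLI version named in the article

# Extract "1.16.300" from a banner such as
# "aws-cli/1.16.300 Python/3.7.4 Darwin/18.7.0 botocore/1.12.290".
cli_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9][0-9.]*\).*|\1|p'
}

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
# Compares up to three numeric components; missing components count as 0.
version_ge() {
    have=$1
    want=$2
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$have" | cut -d. -f"$i")
        b=$(printf '%s\n' "$want" | cut -d. -f"$i")
        a=${a:-0}
        b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Build the --parameters JSON for the AWS-StartPortForwardingSession document.
forward_params() {
    remote_port=$1
    local_port=$2
    printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$remote_port" "$local_port"
}

# Usage: ssm-forward.sh INSTANCE_ID [LOCAL_PORT] [REMOTE_PORT]
main() {
    instance_id=$1
    local_port=${2:-9999}
    remote_port=${3:-443}

    # 1. AWS CLI present and new enough for port forwarding.
    #    (CLI v1 prints its banner to stderr, hence 2>&1.)
    banner=$(aws --version 2>&1) || { echo "aws CLI not found on PATH" >&2; exit 1; }
    ver=$(cli_version_from_banner "$banner")
    if ! version_ge "$ver" "$MIN_CLI"; then
        echo "AWS CLI '$ver' is older than $MIN_CLI; update it first" >&2
        exit 1
    fi

    # 2. Session Manager plugin installed on the desktop.
    if ! command -v session-manager-plugin >/dev/null 2>&1; then
        echo "session-manager-plugin not found on PATH" >&2
        exit 1
    fi

    # 3. The instance must be registered with SSM: agent running, IAM role
    #    with AmazonSSMManagedInstanceCore, and an outbound path to the
    #    SSM endpoints (NAT Gateway or VPC endpoints).
    ping=$(aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$instance_id" \
        --query 'InstanceInformationList[0].PingStatus' --output text)
    if [ "$ping" != "Online" ]; then
        echo "$instance_id is not Online in SSM (got: $ping); check the IAM role and the NAT/VPC endpoints" >&2
        exit 1
    fi

    # 4. Open the tunnel: localhost:LOCAL_PORT -> instance:REMOTE_PORT.
    echo "Forwarding https://localhost:$local_port/ to $instance_id:$remote_port" >&2
    exec aws ssm start-session \
        --target "$instance_id" \
        --document-name AWS-StartPortForwardingSession \
        --parameters "$(forward_params "$remote_port" "$local_port")"
}

# Only run when an instance ID is given, so the helper functions can be
# sourced or tested on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as sh ssm-forward.sh i-0a40ae24290000b6e (substituting your instance ID); pass a second argument to change the local port if 9999 is already in use. The PingStatus check is the useful addition: if it reports None or ConnectionLost, start-session would fail anyway, and the fix is on the instance side (IAM role or outbound route), not on your desktop.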
Troubleshooting
If you run into issues along the way, here are some things you can try.
- Set the correct --region, since the aws command may default to a different region than the one the instance is in.
- Set --profile on the aws command if you're not using the default AWS profile.
- If start-session fails with TargetNotConnected, the instance is not registered with SSM: check that the IAM role has AmazonSSMManagedInstanceCore attached and that the instance can reach the SSM endpoints (NAT Gateway or VPC endpoints).
- When connecting via the web browser, make sure the URL has https and localhost:9999. Sometimes redirects will change these values.