Firewall Inbound Rules
Overview
This article goes over the Firewall inbound rules for SFTP Gateway.
SFTP runs on port 22, which is open to the world.
You can restrict IP address ranges on a per-user basis from within the web admin portal.
The SSH protocol (port 2222) and the web admin portal (ports 80 and 443) should be restricted to System Administrators.
TCP Ports
SFTP Gateway exposes the following ports and protocols:
22: SFTP
2222: SSH
80: HTTP
443: HTTPS
The SFTP protocol runs on TCP port 22. By default, this is open to the world (0.0.0.0/0).
Within the web admin portal, you can restrict IP address ranges on a per-user basis.
The SSH protocol has been moved to TCP port 2222. (Remember to specify the port number, -p 2222, when connecting via SSH.) This port should be restricted to SysAdmins.
Web ports 80 and 443 are used for the Web Admin Portal.
It's important to restrict these ports to SysAdmins as well, because the Web Admin Portal lets you create the admin account on first launch: if the portal is reachable from anywhere, whoever reaches it first can create that account. Port 80 is plain HTTP, so restrict it to the same SysAdmin source ranges as 443 rather than leaving it open more widely.
Here's a table of the various ports and protocols, with the source range each should allow:
Port   Protocol   Recommended source
22     SFTP       0.0.0.0/0 (restrict per user in the web admin portal)
2222   SSH        SysAdmin IP ranges only
80     HTTP       SysAdmin IP ranges only
443    HTTPS      SysAdmin IP ranges only
Firewall Tags
When creating a VM instance, you have the option of adding network tags under the Networking section.
These tags are linked to the firewall rules you have created in the Firewall section: adding a tag to a VM applies every firewall rule that targets that tag to the VM.
Creating the Firewall
As referenced earlier in the article, SFTP Gateway exposes ports 22, 80, 443 and 2222, so the firewall rules are tailored to those ports.
Under VPC Network, select Firewall, then click "Create a firewall rule" at the top of the page.
The name of the firewall rule allows lowercase letters, numbers and hyphens.
You have the ability to turn on firewall logging and to configure which network and priority you want for the firewall rule.
You also have the ability to choose the direction of traffic and action for specific traffic such as to allow/deny.
When creating a firewall rule you must select a target, such as the instances carrying a given target tag, or a service account from the same or a separate project.
There is a source filter which lets you choose between IPv4 ranges, IPv6 ranges, source tags and a service account. With IPv4 ranges selected, you can enter the IPv4 ranges you want to let through the firewall, such as your own IP address.
You are also able to specify which ports and protocols the firewall rule applies to; for SFTP Gateway select tcp and ports 22, 80, 443 and 2222.
Note that a single rule with all four ports and your own IP address as the source would also lock SFTP (port 22) down to that address. If SFTP is to stay open to the world while SSH and the Web Admin Portal are restricted, create two rules with the same target tag: one allowing tcp:22 from 0.0.0.0/0, and one allowing tcp:80, tcp:443 and tcp:2222 only from the SysAdmin ranges.
Once you have configured the firewall rule to your liking, you can create it.
Here is an example of what it would look like when creating your VM instance:
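The same setup done from the command line with gcloud, as an added example that is not part of the SFTP Gateway documentation or product: it creates the two ingress rules described above (SFTP on tcp:22 open to the world; SSH on 2222 and the Web Admin Portal on 80/443 limited to a SysAdmin range), refuses to create the admin rule if the SysAdmin range is 0.0.0.0/0 or not a valid IPv4 CIDR, checks rule names against GCP's naming constraint, and attaches the network tag to the VM. The network name, tag, instance name, zone and the 203.0.113.0/24 admin range are assumed placeholder values. By default the script only prints the commands; set APPLY=1 to run them.

```shell
#!/bin/sh
# Added example, not part of the SFTP Gateway documentation or product.
# Builds the GCP firewall rules for SFTP Gateway with gcloud: SFTP (tcp:22)
# open to the world, SSH (2222) and the admin portal (80, 443) limited to a
# SysAdmin source range. All values below are assumed placeholders; override
# them in the environment. Prints the commands unless APPLY=1 is set.
export LC_ALL=C

NETWORK="${NETWORK:-default}"
TARGET_TAG="${TARGET_TAG:-sftp-gateway}"     # network tag applied to the VM
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # assumed SysAdmin range (TEST-NET-3)
INSTANCE="${INSTANCE:-sftp-gateway-1}"       # assumed VM name
ZONE="${ZONE:-us-central1-a}"                # assumed zone

# GCP resource names must match [a-z]([-a-z0-9]*[a-z0-9])? and be <= 63 chars.
rule_name_ok() {
    [ ${#1} -le 63 ] || return 1
    case "$1" in
        [a-z]) return 0 ;;
        [a-z]*[a-z0-9]) case "$1" in *[!a-z0-9-]*) return 1 ;; esac; return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a real IPv4 CIDR with prefix 1..32 for the admin rule, so the
# SSH and portal ports can never be opened to 0.0.0.0/0 by mistake.
# (IPv4 only, by assumption; IPv6 admin ranges are rejected.)
admin_cidr_ok() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    n=0; old_ifs="$IFS"; IFS=.
    for o in $addr; do                      # four dotted-decimal octets, 0..255
        case "$o" in ''|*[!0-9]*) IFS="$old_ifs"; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS="$old_ifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$old_ifs"
    [ "$n" -eq 4 ]
}

# Print one ingress-allow rule with logging enabled.
# $1 = rule name, $2 = protocol:port list, $3 = source ranges
rule_cmd() {
    rule_name_ok "$1" || { echo "bad rule name: $1" >&2; return 1; }
    printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --action=ALLOW --priority=1000 --rules=%s --source-ranges=%s --target-tags=%s --enable-logging\n' \
        "$1" "$NETWORK" "$2" "$3" "$TARGET_TAG"
}

# Rule 1: SFTP open to the world, as the product ships; tighten per user in the portal.
sftp_rule_cmd() { rule_cmd "${TARGET_TAG}-allow-sftp" "tcp:22" "0.0.0.0/0"; }

# Rule 2: SSH on 2222 and the Web Admin Portal on 80/443, SysAdmin range only.
admin_rule_cmd() {
    admin_cidr_ok "$ADMIN_CIDR" || { echo "refusing ADMIN_CIDR=$ADMIN_CIDR: would expose 2222/80/443" >&2; return 1; }
    rule_cmd "${TARGET_TAG}-allow-admin" "tcp:80,tcp:443,tcp:2222" "$ADMIN_CIDR"
}

# Attach the tag to the VM so both rules apply to it.
tag_vm_cmd() {
    printf 'gcloud compute instances add-tags %s --zone=%s --tags=%s\n' "$INSTANCE" "$ZONE" "$TARGET_TAG"
}

# Dry run by default; APPLY=1 executes each command.
run_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else printf '%s\n' "$1"; fi
}

main() {
    for f in sftp_rule_cmd admin_rule_cmd tag_vm_cmd; do
        cmd=$("$f") || return 1
        run_or_print "$cmd"
    done
}

main
```

Run it once without APPLY to review the three commands, then with APPLY=1 against an authenticated gcloud. Both rules use priority 1000 and the same target tag, so only VMs carrying that tag are affected; GCP's implied deny-ingress rule blocks everything the two allow rules do not cover.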