Many organizations rely on SFTP (Secure File Transfer Protocol) as the industry standard for exchanging critical business data. Traditionally, connecting securely to private SFTP servers required custom infrastructure, manual scripting, or exposing endpoints to the public Internet.
Today, AWS Transfer Family SFTP connectors support connecting to remote SFTP servers through an Amazon Virtual Private Cloud (Amazon VPC) environment. You can transfer files between Amazon Simple Storage Service (Amazon S3) and private or public SFTP servers using the security controls and network configurations already defined in your VPC. This feature helps you integrate data sources across on-premises environments, partner private servers, or Internet-connected endpoints with the operational simplicity of a fully managed Amazon Web Services (AWS) service.
New options with SFTP connectors
Below are the key improvements:
- Connect to private SFTP servers – SFTP connectors can now reach endpoints that are reachable only from within your VPC. These include servers hosted in your VPC or a shared VPC, on-premises systems connected through AWS Direct Connect, and partner servers connected through VPN tunnels.
- Security and compliance – All file transfers are routed through the security controls already in place in your VPC, such as AWS Network Firewall or centralized ingress and egress controls. Private SFTP servers remain private and are not exposed to the Internet. You can also present a static Elastic IP address or bring your own IP addresses (BYOIP) to meet partner allowlist requirements.
- Performance and simplicity – By using your own network resources, such as NAT gateways, AWS Direct Connect, or VPN connections, connectors can use higher bandwidth capacity for large-scale transfers. You can configure connectors in minutes through the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS SDKs, without writing custom scripts or running third-party tools.
How VPC-based SFTP connections work
SFTP connectors use Amazon VPC Lattice resources to create a secure connection through your VPC. The key constructs are a resource configuration and a resource gateway. A resource configuration represents an SFTP destination server that you specify by private IP address or public DNS name. The resource gateway gives the SFTP connector access to these configurations and carries file transfers through your VPC and its security controls.
The following architecture diagram illustrates traffic flows between Amazon S3 and remote SFTP servers.
As shown in the architecture, traffic flows from Amazon S3 through an SFTP connector to your VPC. A resource gateway is an entry point that handles incoming connections from the connector to your VPC resources. Outbound traffic is routed through your configured egress path using Amazon VPC NAT gateways with Elastic IPs for public servers or AWS Direct Connect and VPN connections for private servers. You can use existing IP addresses from your VPC CIDR range to simplify peer whitelists. Centralized firewalls in VPCs enforce security policies, and customer-owned NATs provide more bandwidth for large-scale traffic.
When to use this feature
With this capability, developers and IT administrators can streamline workflows while meeting security and compliance requirements in a variety of scenarios:
- Hybrid environments – Transfer files between Amazon S3 and on-premises SFTP servers over AWS Direct Connect or AWS Site-to-Site VPN without exposing endpoints to the Internet.
- Partner integration – Connect to business partners' SFTP servers that are accessible only through private VPN tunnels or shared VPCs. This avoids writing your own scripts or managing third-party tools, reducing operational complexity.
- Regulated industries – Route file transfers through centralized firewalls and inspection points in the VPC to comply with financial services, government, or healthcare security requirements.
- High-throughput transfers – Use your own network configuration, such as NAT gateways, AWS Direct Connect, or VPN connections with Elastic IP addresses or BYOIP, to handle large-scale, high-bandwidth traffic while keeping the IP addresses already on partner allowlists.
- A unified file transfer solution – Standardize on Transfer Family for both internal and external SFTP connectivity, reducing fragmentation between file transfer tools.
Start building with SFTP connectors
To start transferring files using SFTP connectors through your VPC environment, follow these steps:
First, I configure my VPC Lattice resources. In the Amazon VPC console, under PrivateLink and Lattice in the navigation pane, I choose Resource gateways, then Create resource gateway, to create a gateway that will act as the entry point into my VPC.
Next, under PrivateLink and Lattice in the navigation pane, I choose Resource configurations, then Create resource configuration, to create a resource configuration for my target SFTP server. I enter the private IP address or public DNS name and the port (usually 22).
Then I configure AWS Identity and Access Management (IAM) permissions. I make sure the IAM role used to create the connector has transfer:* permissions and the VPC Lattice permissions (vpc-lattice:CreateServiceNetworkResourceAssociation, vpc-lattice:GetResourceConfiguration, vpc-lattice:AssociateViaAWSService). I update the trust policy of the IAM role to specify transfer.amazonaws.com as a trusted principal, which allows AWS Transfer Family to assume the role to create and manage my SFTP connectors.
Then I create an SFTP connector in the AWS Transfer Family console. I choose SFTP connectors and then choose Create SFTP connector.
In the Connector configuration section, I choose VPC Lattice as the egress type, then enter the Amazon Resource Name (ARN) of the resource configuration, the access role, and the connector credentials. Optionally, I add a trusted host key for stronger security (so the connector verifies the identity of the server it connects to) or override the default port if my SFTP server listens on a non-standard port.
Next, I test the connection. On the Actions menu, I choose Test connection to confirm that the connector can reach the target SFTP server.
Finally, once the connector status is ACTIVE, I can start file operations against my remote SFTP server by calling the Transfer Family API programmatically, for example StartDirectoryListing, StartFileTransfer, StartRemoteDelete, or StartRemoteMove. All traffic is routed through my VPC using my configured resources, such as NAT gateways, AWS Direct Connect, or VPN connections, together with my own IP addresses and security controls.
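The IAM step above is the one most often misconfigured (a trust policy that names the wrong service principal, or a permissions policy missing one of the VPC Lattice actions), so here is a small pre-flight check, written for this post and not part of Transfer Family or its SDKs. It builds the trust policy the post describes and verifies a permissions policy grants the three vpc-lattice actions the post lists; the sample permissions policy and its `Resource: "*"` are constructed for illustration.

```python
import json

# Values taken from the post: the service principal that assumes the connector's
# role, and the VPC Lattice actions the role must be allowed to call.
TRANSFER_PRINCIPAL = "transfer.amazonaws.com"
REQUIRED_LATTICE_ACTIONS = {
    "vpc-lattice:CreateServiceNetworkResourceAssociation",
    "vpc-lattice:GetResourceConfiguration",
    "vpc-lattice:AssociateViaAWSService",
}

def _as_list(value):
    """IAM allows scalars or lists for Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trust_policy_for_transfer() -> dict:
    """Trust policy that lets AWS Transfer Family assume the connector's IAM role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": TRANSFER_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }]}

def trusts_transfer_family(trust_policy: dict) -> bool:
    """True if some Allow statement grants sts:AssumeRole to transfer.amazonaws.com."""
    for st in _as_list(trust_policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and TRANSFER_PRINCIPAL in services
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            return True
    return False

def missing_lattice_actions(permissions_policy: dict) -> set:
    """Required vpc-lattice actions not granted by any Allow statement (trailing-* wildcards honoured)."""
    allowed = set()
    for st in _as_list(permissions_policy.get("Statement", [])):
        if st.get("Effect") == "Allow":
            allowed.update(_as_list(st.get("Action", [])))
    covered = lambda needed: needed in allowed or any(
        a.endswith("*") and needed.startswith(a[:-1]) for a in allowed)
    return {needed for needed in REQUIRED_LATTICE_ACTIONS if not covered(needed)}

# Constructed sample: transfer:* is present but one Lattice action was forgotten.
EXAMPLE_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "transfer:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["vpc-lattice:GetResourceConfiguration",
                                   "vpc-lattice:CreateServiceNetworkResourceAssociation"],
     "Resource": "*"},
]}

if __name__ == "__main__":
    print(json.dumps(trust_policy_for_transfer(), indent=2))
    print("missing:", sorted(missing_lattice_actions(EXAMPLE_ACCESS_POLICY)))
```

Run the check against the role's actual documents (for example the output of `aws iam get-role` and `aws iam get-role-policy`) before creating the connector, so that the Test connection step fails only for network reasons, not for IAM ones.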
For a complete set of options and advanced workflows, see the AWS Transfer Family documentation.
Now available
SFTP connectors with VPC-based connectivity are now available in 21 AWS Regions. See AWS Services by Region for the latest list of supported AWS Regions. You can now securely connect AWS Transfer Family SFTP connectors to private, on-premises, or Internet-facing servers using your own VPC resources, such as NAT gateways, Elastic IP addresses, and network firewalls.
— Betty