SFTP Gateway Support

3.0

CloudFormation: HA existing network

Overview

SFTP Gateway Professional versions 3.6.0 and later have a high availability (HA) feature.

This article shows you how to deploy SFTP Gateway with an HA configuration into an existing VPC network.

Before you begin

The Existing Network CloudFormation template uses public and private subnets. The EC2 instances and postgres database are deployed in the private subnets. You will need two public subnets and four private subnets before you begin deployment.

You can use the Launch VPC Wizard in the AWS console to create a VPC with public and private subnets. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-public-private-vpc.html for details.

Here is an overview of the network topology:

VPC Overview

  • Name: sftpgw-ha-vpc
  • CIDR Block: 10.0.0.0/16

Subnet Architecture

Public Subnets

Subnet NameAZCIDR BlockPurpose
sftpgw-ha-subnet-public1-us-east-1aus-east-1a10.0.0.0/20Public subnet AZ-A
sftpgw-ha-subnet-public2-us-east-1bus-east-1b10.0.16.0/20Public subnet AZ-B

Private Subnets

Subnet NameAZCIDR BlockPurpose
sftpgw-ha-subnet-private1-us-east-1aus-east-1a10.0.128.0/20Private subnet AZ-A
sftpgw-ha-subnet-private2-us-east-1bus-east-1b10.0.144.0/20Private subnet AZ-B
sftpgw-ha-subnet-private3-us-east-1aus-east-1a10.0.80.0/20Additional private subnet AZ-A
sftpgw-ha-subnet-private4-us-east-1bus-east-1b10.0.64.0/20Additional private subnet AZ-B

Routing Configuration

Route Tables

Route Table NameAssociated SubnetsRoutesPurpose
sftpgw-ha-rtb-public2 public subnets3 routesPublic subnet routing
sftpgw-ha-rtb-private1-us-east-1aprivate1 subnet1 routePrivate subnet AZ-A
sftpgw-ha-rtb-private2-us-east-1bprivate2 subnet1 routePrivate subnet AZ-B
private4-route-tableprivate4 subnet2 routesPrivate subnet with NAT
rtb-0cddf3e6bff98a3daprivate3 subnet2 routesPrivate subnet with NAT

Network Connectivity

Internet Gateway

  • Name: sftpgw-ha-igw
  • Function: Internet access for public subnets
  • Connected to: public1, public2

NAT Gateway

  • Name: sftpgw-361-existing-private
  • Type: Public NAT Gateway
  • Configuration: 1 ENI with 1 Elastic IP
  • Function: Outbound internet for private subnets

VPC Endpoints

  • S3 Gateway Endpoint: vpce-05743cddeb3632e9e
    • Type: Gateway endpoint
    • Service: Amazon S3
    • Purpose: Private S3 access

Architecture Summary

This VPC implements a multi-AZ, high-availability architecture:

  • High Availability: Multi-AZ deployment across us-east-1a and us-east-1b
  • Network Segmentation: 2 public + 4 private subnets
  • Secure Internet Access: NAT Gateway for outbound-only private subnet connectivity
  • Cost Optimization: S3 Gateway endpoint reduces data transfer costs
  • Security: Private subnets isolated from inbound internet traffic

Use Cases

  • Public Subnets: Load balancers, bastion hosts, NAT gateways
  • Private Subnets: Application servers, databases, internal services
  • S3 Endpoint: Cost-effective private access to S3 storage

CloudFormation AWS Marketplace deployment instructions

To deploy the HA Existing Network CloudFormation template, go to the AWS Marketplace.

You first need to subscribe to the SFTP Gateway product. Doing so allows your AWS account to use the SFTP Gateway AMI.

Click here to open the AWS Marketplace page for SFTP Gateway.

Click the Try for free button.

subscribe

Once you are subscribed, click Continue to Configuration.

Under the Fulfillment Option, choose CloudFormation Template and pick the following option:

  • SFTP Gateway (High Availability-Existing Network)

Under the Software version, select the latest version.

Under Region, select the appropriate region.

Once you are finished, click the Continue to Launch button.

On the Launch this software page, under Choose Action, select Launch CloudFormation.

Click Launch.

Launch

This will take you to the CloudFormation service in the AWS console.

Spinning up an HA CloudFormation stack

If you followed the instructions in the previous section, you should now be in the CloudFormation service within the AWS console.

The Template source should be pointing to a location on S3 corresponding to the CloudFormation template you specified.

You also have the ability to download the CloudFormation template via this link.

Template

To spin up a High Availability (Existing Network) CloudFormation stack of SFTP Gateway:

  1. The Template source is already selected, so click Next to continue.

  2. Enter the details for the stack:

    • Stack name: The name of your CloudFormation stack.

    • Bucket Access: The default is restricted, which limits access to S3 buckets following a naming convention. Choose open to allow access to all S3 buckets.

    • EC2 Type: Defaults to t3.medium. We recommend using m5.large for production workloads.

    • Disk Volume Size: Defaults to 32 GB. We use S3 as the file system, so this should be enough to accommodate the OS and rotated logs.

    • Key Pair: Choose a Key Pair that you have access to.

    • Desired Capacity: Defaults to 2. This determines how many instances you want to run.

    • DB Class: This is the database service instance class. Defaults to db.t3.micro, since SFTP Gateway is not database-heavy.

    • VPC: Select a VPC that has both public and private subnets.

    • VPCIPRange: Enter the CIDR of your VPC. This is needed for security group rules.

    • Public Subnet A: Select a public subnet in the above VPC.

    • Public Subnet B: Select another public subnet in the above VPC.

    • Private Subnet A: Select a private subnet in the above VPC. It will contain the database.

    • Private Subnet B: Select another private subnet in the above VPC. It will contain the database.

    • Private Subnet C: Select a private subnet in the above VPC. It will contain the EC2 instances.

    • Private Subnet D: Select another private subnet in the above VPC. It will contain the EC2 instances.

    • Input CIDR: Enter a CIDR range (e.g. 1.2.3.4/32) that represents the IP address your workstation. This opens an ingress rule for sysadmin use.

    • SFTP Input CIDR: Enter a CIDR range for the SFTP service. Defaults to 0.0.0.0/0.

    • WebAdminUsername: Optionally use this parameter and WebAdminPassword to initialize a username to log into web admin interface.

    • WebAdminPassword: Optionally use this parameter and WebAdminUsername to initialize a password to log into web admin interface. This password could show in cloud-init configuration logs. We recommend changing the password after logging in with the admin account to prevent a possible password leak.

  3. Stack Options: The stack options page can be left as is. Scroll to the bottom of the page and click Next.

  4. Review and create stack.

    • You must check the box that reads I acknowledge that AWS CloudFormation might create IAM resources to give CloudFormation permission to create IAM resources.

The stack creation progress can be monitored by selecting the stack and viewing the Events tab. Any errors that occur during creation will appear in the event log.

When the CloudFormation stack is created, go to the Outputs tab.

For the Hostname field, there will be a link to the Network Load Balancer's DNS hostname. Click this link, and it will take you to the web admin portal.

hostname

Then, configure SFTP Gateway as you normally would, by creating the first web admin account in the First Launch Experience.

PreviousNext