CloudFormation: HA existing network
Overview
SFTP Gateway Professional versions 3.6.0 and later include a high availability (HA) feature.
This article shows you how to deploy SFTP Gateway with an HA configuration into an existing VPC network.
Before you begin
The Existing Network CloudFormation template uses public and private subnets. The EC2 instances and the PostgreSQL database are deployed in the private subnets. Before you begin deployment, you need two public subnets and four private subnets, spread across two Availability Zones.
You can use the Launch VPC Wizard in the AWS console to create a VPC with public and private subnets. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-public-private-vpc.html for details.
Here is an overview of the network topology:
VPC Overview
- Name: sftpgw-ha-vpc
- CIDR Block: 10.0.0.0/16
Subnet Architecture
Public Subnets
Subnet Name | AZ | CIDR Block | Purpose |
---|---|---|---|
sftpgw-ha-subnet-public1-us-east-1a | us-east-1a | 10.0.0.0/20 | Public subnet AZ-A |
sftpgw-ha-subnet-public2-us-east-1b | us-east-1b | 10.0.16.0/20 | Public subnet AZ-B |
Private Subnets
Subnet Name | AZ | CIDR Block | Purpose |
---|---|---|---|
sftpgw-ha-subnet-private1-us-east-1a | us-east-1a | 10.0.128.0/20 | Private subnet AZ-A |
sftpgw-ha-subnet-private2-us-east-1b | us-east-1b | 10.0.144.0/20 | Private subnet AZ-B |
sftpgw-ha-subnet-private3-us-east-1a | us-east-1a | 10.0.80.0/20 | Additional private subnet AZ-A |
sftpgw-ha-subnet-private4-us-east-1b | us-east-1b | 10.0.64.0/20 | Additional private subnet AZ-B |
Routing Configuration
Route Tables
Route Table Name | Associated Subnets | Routes | Purpose |
---|---|---|---|
sftpgw-ha-rtb-public | public1, public2 | 3 routes (local plus a default route via the Internet Gateway) | Public subnet routing |
sftpgw-ha-rtb-private1-us-east-1a | private1 | 1 route (local only, no internet egress) | Private subnet AZ-A |
sftpgw-ha-rtb-private2-us-east-1b | private2 | 1 route (local only, no internet egress) | Private subnet AZ-B |
private4-route-table | private4 | 2 routes (local plus 0.0.0.0/0 via the NAT Gateway) | Private subnet with NAT |
rtb-0cddf3e6bff98a3da | private3 | 2 routes (local plus 0.0.0.0/0 via the NAT Gateway) | Private subnet with NAT |
Network Connectivity
Internet Gateway
- Name: sftpgw-ha-igw
- Function: Internet access for public subnets
- Connected to: public1, public2
NAT Gateway
- Name: sftpgw-361-existing-private
- Type: Public NAT Gateway
- Configuration: 1 ENI with 1 Elastic IP
- Function: Outbound internet for private subnets
VPC Endpoints
- S3 Gateway Endpoint: vpce-05743cddeb3632e9e
- Type: Gateway endpoint
- Service: Amazon S3
- Purpose: Private S3 access
Architecture Summary
This VPC implements a multi-AZ, high-availability architecture:
- High Availability: Multi-AZ deployment across us-east-1a and us-east-1b
- Network Segmentation: 2 public + 4 private subnets
- Secure Internet Access: NAT Gateway for outbound-only private subnet connectivity
- Cost Optimization: S3 Gateway endpoint reduces data transfer costs
- Security: Private subnets isolated from inbound internet traffic
Use Cases
- Public Subnets: Load balancers, bastion hosts, NAT gateways
- Private Subnets: Application servers, databases, internal services
- S3 Endpoint: Cost-effective private access to S3 storage
CloudFormation AWS Marketplace deployment instructions
To deploy the HA Existing Network CloudFormation template, go to the AWS Marketplace.
You first need to subscribe to the SFTP Gateway product. Subscribing allows your AWS account to launch the SFTP Gateway AMI.
Open the AWS Marketplace page for SFTP Gateway.
Click the Try for free button.
Once you are subscribed, click Continue to Configuration.
Under the Fulfillment Option, choose CloudFormation Template and pick the following option:
- SFTP Gateway (High Availability-Existing Network)
Under the Software version, select the latest version.
Under Region, select the appropriate region.
Once you are finished, click the Continue to Launch button.
On the Launch this software page, under Choose Action, select Launch CloudFormation.
Click Launch.
This will take you to the CloudFormation service in the AWS console.
Spinning up an HA CloudFormation stack
If you followed the instructions in the previous section, you should now be in the CloudFormation service within the AWS console.
The Template source should already point to the S3 location of the CloudFormation template you selected. You can also download the template from that location if you want to review it before launching.
To spin up a High Availability (Existing Network) CloudFormation stack of SFTP Gateway:
The Template source is already selected, so click Next to continue.
Enter the details for the stack:
Stack name: The name of your CloudFormation stack.
Bucket Access: Defaults to `restricted`, which limits S3 access to buckets that follow the SFTP Gateway naming convention. Choose `open` to allow access to all S3 buckets in the account.
EC2 Type: Defaults to `t3.medium`. We recommend `m5.large` for production workloads.
Disk Volume Size: Defaults to `32 GB`. S3 is used as the file system, so the volume only needs to hold the OS and rotated logs.
Key Pair: Choose a Key Pair that you have access to.
Desired Capacity: Defaults to `2`. This is how many EC2 instances you want to run.
DB Class: The database instance class. Defaults to `db.t3.micro`, since SFTP Gateway is not database-heavy.
VPC: Select a VPC that has both public and private subnets.
VPCIPRange: Enter the CIDR of your VPC (`10.0.0.0/16` in the example topology above). This value is used to build security group rules, so it must match the VPC's CIDR exactly.
Public Subnet A: Select a public subnet in the above VPC.
Public Subnet B: Select another public subnet in the above VPC, in a different Availability Zone from Public Subnet A.
Private Subnet A: Select a private subnet in the above VPC. It will contain the database.
Private Subnet B: Select another private subnet in the above VPC, in a different Availability Zone from Private Subnet A. It will also contain the database. The database subnets only need the local route.
Private Subnet C: Select a private subnet in the above VPC. It will contain the EC2 instances. Choose a subnet whose route table sends outbound traffic through the NAT Gateway (private3 or private4 in the example topology) so the instances have outbound internet access.
Private Subnet D: Select another private subnet in the above VPC, in a different Availability Zone from Private Subnet C. It will also contain the EC2 instances and should likewise route through the NAT Gateway.
Input CIDR: Enter a CIDR range (e.g. `1.2.3.4/32`) that represents the IP address of your workstation. This opens an ingress rule for sysadmin use, so keep it as narrow as possible (a single /32) and never set it to `0.0.0.0/0`.
SFTP Input CIDR: Enter a CIDR range for the SFTP service. Defaults to `0.0.0.0/0`, which exposes the SFTP listener to the whole internet; if your SFTP clients connect from known addresses, narrow this range.
WebAdminUsername: Optionally use this parameter together with WebAdminPassword to initialize a username for logging into the web admin interface.
WebAdminPassword: Optionally use this parameter together with WebAdminUsername to initialize a password for logging into the web admin interface. This password could show up in cloud-init configuration logs. We recommend changing the password after logging in with the admin account to prevent a possible password leak.
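Before clicking Next, it is worth checking that the subnets and CIDRs you are about to enter actually satisfy the requirements above: public subnets behind the Internet Gateway, database and instance subnets private and spread across two Availability Zones, VPCIPRange equal to the VPC CIDR, and the admin and SFTP ingress ranges no wider than they need to be. The following Python script is an added example, not part of the SFTP Gateway documentation or product. It models the example VPC from this article as plain dicts (subnet names, AZs, CIDRs and route-table associations typed in by hand from the tables above; the `igw-`/`nat-` target IDs are placeholders) and validates a set of stack parameters against it. The parameter keys (`PublicSubnetA`, `InputCIDR`, and so on) are assumed names for the fields on the CloudFormation page, and the data would normally come from `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` for your own VPC.

```python
"""Pre-flight check for the SFTP Gateway HA (Existing Network) stack parameters.

Added example, not part of the SFTP Gateway documentation or product. The sample
topology below is the article's example VPC entered by hand; for a real VPC,
populate the dicts from `aws ec2 describe-subnets` / `describe-route-tables`.
"""
import ipaddress

VPC = {"cidr": "10.0.0.0/16"}  # sftpgw-ha-vpc from the article

# Constructed sample: subnet -> availability zone, CIDR and associated route table.
SUBNETS = {
    "public1":  {"az": "us-east-1a", "cidr": "10.0.0.0/20",   "rtb": "sftpgw-ha-rtb-public"},
    "public2":  {"az": "us-east-1b", "cidr": "10.0.16.0/20",  "rtb": "sftpgw-ha-rtb-public"},
    "private1": {"az": "us-east-1a", "cidr": "10.0.128.0/20", "rtb": "sftpgw-ha-rtb-private1-us-east-1a"},
    "private2": {"az": "us-east-1b", "cidr": "10.0.144.0/20", "rtb": "sftpgw-ha-rtb-private2-us-east-1b"},
    "private3": {"az": "us-east-1a", "cidr": "10.0.80.0/20",  "rtb": "rtb-0cddf3e6bff98a3da"},
    "private4": {"az": "us-east-1b", "cidr": "10.0.64.0/20",  "rtb": "private4-route-table"},
}

# Route tables as (destination, target) pairs. Only the local and default routes are
# modelled; "igw-placeholder" / "nat-placeholder" stand in for the real IDs of the
# sftpgw-ha-igw internet gateway and the sftpgw-361-existing-private NAT gateway.
ROUTE_TABLES = {
    "sftpgw-ha-rtb-public":              [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-placeholder")],
    "sftpgw-ha-rtb-private1-us-east-1a": [("10.0.0.0/16", "local")],
    "sftpgw-ha-rtb-private2-us-east-1b": [("10.0.0.0/16", "local")],
    "rtb-0cddf3e6bff98a3da":             [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-placeholder")],
    "private4-route-table":              [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-placeholder")],
}


def exposure(subnet, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """'public' if the default route points at an internet gateway, 'nat' if it points
    at a NAT gateway, 'isolated' if the route table has no default route at all."""
    for dest, target in route_tables[subnets[subnet]["rtb"]]:
        if dest == "0.0.0.0/0":
            return "public" if target.startswith("igw-") else "nat" if target.startswith("nat-") else "other"
    return "isolated"


def check_stack_parameters(params, vpc=VPC, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Return a list of (severity, message); an empty list means the parameters are consistent."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc["cidr"])

    # VPCIPRange is turned into security-group rules, so it must be the VPC's own CIDR.
    if ipaddress.ip_network(params["VPCIPRange"]) != vpc_net:
        findings.append(("ERROR", f"VPCIPRange {params['VPCIPRange']} is not the VPC CIDR {vpc_net}"))

    # Parameter pair and what its role needs: the load-balancer subnets must be public,
    # the database and instance subnets must not be, and the instance subnets should
    # also have NAT egress so the EC2 instances can reach the internet.
    roles = [
        (("PublicSubnetA", "PublicSubnetB"), "public"),
        (("PrivateSubnetA", "PrivateSubnetB"), "private"),
        (("PrivateSubnetC", "PrivateSubnetD"), "private-with-egress"),
    ]
    for (pa, pb), need in roles:
        names = [params[pa], params[pb]]
        if any(n not in subnets for n in names):
            findings.append(("ERROR", f"{pa}/{pb}: unknown subnet in {names}"))
            continue
        if subnets[names[0]]["az"] == subnets[names[1]]["az"]:
            findings.append(("ERROR", f"{pa}/{pb} are in the same AZ; HA needs two AZs"))
        for name in names:
            if not ipaddress.ip_network(subnets[name]["cidr"]).subnet_of(vpc_net):
                findings.append(("ERROR", f"{name} ({subnets[name]['cidr']}) is outside the VPC CIDR"))
            exp = exposure(name, subnets, route_tables)
            if need == "public" and exp != "public":
                findings.append(("ERROR", f"{name} has no internet-gateway route; not a public subnet"))
            if need != "public" and exp == "public":
                findings.append(("ERROR", f"{name} routes to an internet gateway; not a private subnet"))
            if need == "private-with-egress" and exp == "isolated":
                findings.append(("WARN", f"{name} has no NAT route; instances will have no outbound internet access"))

    # Admin access should be pinned to one host; the SFTP listener defaults to the whole internet.
    admin = ipaddress.ip_network(params["InputCIDR"])
    if admin.prefixlen == 0:
        findings.append(("ERROR", "InputCIDR is 0.0.0.0/0; the admin ingress rule would be open to the internet"))
    elif admin.prefixlen < 32:
        findings.append(("WARN", f"InputCIDR {admin} is wider than a single workstation address"))
    if ipaddress.ip_network(params["SFTPInputCIDR"]).prefixlen == 0:
        findings.append(("WARN", "SFTPInputCIDR is 0.0.0.0/0 (the default); narrow it if client addresses are known"))
    return findings


EXAMPLE_PARAMS = {  # the article's topology mapped onto the (assumed) parameter names
    "VPCIPRange": "10.0.0.0/16",
    "PublicSubnetA": "public1", "PublicSubnetB": "public2",
    "PrivateSubnetA": "private1", "PrivateSubnetB": "private2",
    "PrivateSubnetC": "private3", "PrivateSubnetD": "private4",
    "InputCIDR": "1.2.3.4/32", "SFTPInputCIDR": "0.0.0.0/0",
}

if __name__ == "__main__":
    for severity, message in check_stack_parameters(EXAMPLE_PARAMS):
        print(f"{severity}: {message}")
```

Run against the article's example topology and defaults, the only finding is the warning about `SFTPInputCIDR` being `0.0.0.0/0`; swapping a public and a private subnet, or choosing two subnets in the same Availability Zone, produces errors you would otherwise only discover after the stack fails or, worse, after a database subnet ends up with an Internet Gateway route.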
Stack Options: The stack options page can be left as is. Scroll to the bottom of the page and click Next.
Review and create stack.
- You must check the box that reads I acknowledge that AWS CloudFormation might create IAM resources to give CloudFormation permission to create IAM resources.
The stack creation progress can be monitored by selecting the stack and viewing the Events tab. Any errors that occur during creation will appear in the event log.
When the CloudFormation stack is created, go to the Outputs tab.
The Hostname output is a link to the Network Load Balancer's DNS hostname. Open this link to reach the web admin portal.
Then, configure SFTP Gateway as you normally would, by creating the first web admin account in the First Launch Experience.