
Transfer Family: Vpc Endpoint does not support Transfer Family in eu-central-2 region #25878

Closed
zelu-zuehlke opened this issue Jun 7, 2023 · 15 comments
Labels
@aws-cdk/aws-transfer Related to AWS Transfer for SFTP bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@zelu-zuehlke

Describe the bug

During the creation of Transfer Family in the eu-central-2 region from CDK inside a custom VPC, we are experiencing the following error:

Stack Deployments Failed: Error: The stack named dev-NetworkStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: The Vpc Endpoint Service 'com.amazonaws.eu-central-2.transfer.server' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidServiceName; Request ID: e457b8e0-e4f4-4a51-be1b-550122f14aea; Proxy: null)
error

When I listed all the supported VPC endpoint services in the eu-central-2 region with the command:

    aws ec2 describe-vpc-endpoint-services

I'm unable to find com.amazonaws.eu-central-2.transfer.server.
Transfer Family was released last week in eu-central-2 region.

Expected Behavior

Transfer Family can be successfully created from CDK inside of custom VPC in eu-central-2 region.

Current Behavior

Stack Deployments Failed: Error: The stack named dev-NetworkStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: The Vpc Endpoint Service 'com.amazonaws.eu-central-2.transfer.server' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidServiceName; Request ID: e457b8e0-e4f4-4a51-be1b-550122f14aea; Proxy: null)
error

Reproduction Steps

Steps to reproduce in eu-central-2:

  1. Create custom VPC in CDK
  2. Create VPC Endpoint for TRANSFER SERVER and attach it to VPC from step 1
    image
  3. Create Transfer Family server and use VPC ENDPOINT from step 2:
    image
  4. Execute cdk deploy in eu-central-2

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.78.0

Framework Version

No response

Node.js Version

^10.9.1

OS

Windows

Language

Typescript

Language Version

No response

Other information

No response

@zelu-zuehlke zelu-zuehlke added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 7, 2023
@github-actions github-actions bot added the @aws-cdk/aws-transfer Related to AWS Transfer for SFTP label Jun 7, 2023
@pahud
Contributor

pahud commented Jun 7, 2023

Are you able to find it as below?

% AWS_REGION=eu-central-2 aws ec2 describe-vpc-endpoint-services --query 'ServiceNames' | grep 'transfer'
    "com.amazonaws.eu-central-2.transfer",

and

 % AWS_REGION=eu-central-2 aws ec2 describe-vpc-endpoint-services --query 'ServiceDetails[?ServiceName == `com.amazonaws.eu-central-2.transfer`]'
[
    {
        "ServiceName": "com.amazonaws.eu-central-2.transfer",
        "ServiceId": "vpce-svc-0fb302eef78e00ea5",
        "ServiceType": [
            {
                "ServiceType": "Interface"
            }
        ],
        "AvailabilityZones": [
            "eu-central-2a",
            "eu-central-2b",
            "eu-central-2c"
        ],
        "Owner": "amazon",
        "BaseEndpointDnsNames": [
            "transfer.eu-central-2.vpce.amazonaws.com"
        ],
        "PrivateDnsName": "transfer.eu-central-2.amazonaws.com",
        "PrivateDnsNames": [
            {
                "PrivateDnsName": "transfer.eu-central-2.amazonaws.com"
            }
        ],
        "VpcEndpointPolicySupported": false,
        "AcceptanceRequired": false,
        "ManagesVpcEndpoints": false,
        "Tags": [],
        "PrivateDnsNameVerificationState": "verified",
        "SupportedIpAddressTypes": [
            "ipv4"
        ]
    }
]

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 7, 2023
@zelu-zuehlke
Author

zelu-zuehlke commented Jun 7, 2023

When we created Transfer Family in eu-central-1 region, it used com.amazonaws.eu-central-1.transfer.server as VPC Endpoint service, and not com.amazonaws.eu-central-1.transfer
The problem is that there isn't com.amazonaws.eu-central-2.transfer.server in eu-central-2 as an option for VPC Endpoint service.

Frankfurt:
image

Zurich:
image

@pahud are you saying that we should try to create Transfer Family with com.amazonaws.eu-central-2.transfer from CDK?

Thanks in advance.

@pahud
Contributor

pahud commented Jun 7, 2023

Sorry, I was wrong. I can confirm com.amazonaws.eu-central-2.transfer.server is not available in eu-central-2 from the AWS CLI as well as the console. I believe this might be because it's not available in eu-central-2, so we can't create that even from the console. In this case it's not possible to provision that with CDK.

Please kindly reach out to AWS premium support to confirm the service availability. From what I can see from the console and CLI, it's very likely unavailable in eu-central-2.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 7, 2023
@Alex-Vol

Alex-Vol commented Jun 8, 2023

The VPC_ENDPOINT type has been deprecated and is not available in newer regions. It is replaced by the managed VPC endpoint type.

https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 9, 2023
@github-actions

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 10, 2023
@zelu-zuehlke
Author

zelu-zuehlke commented Jun 12, 2023

After trying with 'VPC' as the endpoint type:
image

I still have this error in Zurich region:

image

Now from AWS Console I can find: com.amazonaws.eu-central-2.transfer.server.c-0002 but there isn't com.amazonaws.eu-central-2.transfer.server which CF expects:

image

Can I somehow modify the CfnServer object to expect this VPC Endpoint Service value, or is this some kind of misconfiguration on the AWS side?

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jun 12, 2023
@pahud
Contributor

pahud commented Jun 13, 2023

@zelu-zuehlke

This works for me FYR.

    new transfer.CfnServer(this, 'SFTP', {
      endpointType: 'VPC',
      endpointDetails: {
        vpcId: vpc.vpcId
      },
      protocols: ['SFTP'],
      identityProviderType: 'SERVICE_MANAGED',
      domain: 'S3'
    });

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 13, 2023
@Alex-Vol

VPC endpoint type is what we call managed VPC endpoint. With this you no longer need to create the VPC endpoint, the service manages the creation and deletion of the endpoint. What you specify instead is the vpcId for the creation of the endpoint and it works.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 14, 2023
@zelu-zuehlke
Author

zelu-zuehlke commented Jun 16, 2023

Without a custom VPC Endpoint (TRANSFER_SERVER) I can now create a Transfer Server in the eu-central-2 region with this code in CDK:
image

But now I don't have a way to get allocated IDs because we need them for NLB's target group.
Before, with transfer server endpoint, we used this property - vpcEndpointNetworkInterfaceIds, but now VPC managed endpoint doesn't have such a property.

I found also those issues which seem the same:
#11374
#14180

Do you have some idea how I should retrieve network interface ids now?

@zelu-zuehlke
Author

At the end we used addressAllocationIds with EIPs in endpointDetails config of Transfer Server and removed usage of NLB.
https://aws.amazon.com/blogs/storage/use-ip-whitelisting-to-secure-your-aws-transfer-for-sftp-servers/

@amouly

amouly commented Jan 17, 2024

> At the end we used addressAllocationIds with EIPs in endpointDetails config of Transfer Server and removed usage of NLB. https://aws.amazon.com/blogs/storage/use-ip-whitelisting-to-secure-your-aws-transfer-for-sftp-servers/

@zelu-zuehlke Can you show an example of what your setup looks like? I also have to do the same, using the EIPs in endpointDetails, but I have doubts about selecting the subnetIds.

Thanks.
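
The managed-endpoint setup discussed above (endpointType 'VPC' with addressAllocationIds in endpointDetails), as an added example that is not code from any participant in this thread or from the CDK project: a pre-deploy check over a CfnServer-shaped props object. The interfaces, the function name and every ID are assumptions constructed for illustration; the rules that Elastic IPs require the VPC type, must not repeat, and must match subnetIds in number follow the Transfer Family API documentation.

```typescript
// Added example: field names mirror the CfnServer props used in this thread.
// The interfaces, function name and every ID are constructed for illustration.
interface EndpointDetails {
  vpcId?: string;
  vpcEndpointId?: string;
  subnetIds?: string[];
  addressAllocationIds?: string[];
  securityGroupIds?: string[];
}
interface ServerProps {
  endpointType: 'PUBLIC' | 'VPC' | 'VPC_ENDPOINT';
  endpointDetails?: EndpointDetails;
}
// Returns the problems found; an empty array means the endpoint config is consistent.
function checkTransferEndpoint(props: ServerProps): string[] {
  const d = props.endpointDetails ?? {};
  const eips = d.addressAllocationIds ?? [];
  const subnets = d.subnetIds ?? [];
  const out: string[] = [];
  if (props.endpointType === 'VPC_ENDPOINT') {
    out.push('VPC_ENDPOINT is deprecated and not offered in newer regions; use VPC with vpcId');
  } else if (d.vpcEndpointId) {
    out.push('vpcEndpointId only applies to VPC_ENDPOINT; the VPC type manages its own endpoint');
  }
  if (props.endpointType === 'VPC' && !d.vpcId) out.push('endpointType VPC needs vpcId');
  if (eips.length > 0) { // Elastic IPs make the endpoint internet-facing
    if (props.endpointType !== 'VPC') out.push('addressAllocationIds needs endpointType VPC');
    if (new Set(eips).size !== eips.length) out.push('duplicate addressAllocationIds');
    if (eips.length !== subnets.length) {
      out.push(`one EIP per subnet required: ${eips.length} EIPs, ${subnets.length} subnets`);
    }
    if ((d.securityGroupIds ?? []).length === 0) {
      out.push('internet-facing without securityGroupIds; attach a group that allow-lists client IPs');
    }
  }
  return out;
}

// Constructed inputs: the shape that failed in eu-central-2, then the EIP-based replacement.
const legacyProps: ServerProps = { endpointType: 'VPC_ENDPOINT', endpointDetails: { vpcEndpointId: 'vpce-EXAMPLE' } };
const internetFacingProps: ServerProps = {
  endpointType: 'VPC',
  endpointDetails: {
    vpcId: 'vpc-EXAMPLE', securityGroupIds: ['sg-EXAMPLE'],
    subnetIds: ['subnet-EXAMPLE-a', 'subnet-EXAMPLE-b'],
    addressAllocationIds: ['eipalloc-EXAMPLE-a', 'eipalloc-EXAMPLE-b'],
  },
};
console.log(checkTransferEndpoint(legacyProps), checkTransferEndpoint(internetFacingProps));
```

Running a check like this in a unit test or before `cdk synth` surfaces a bad endpoint shape locally instead of as a CloudFormation rollback.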

@ashishdhingra
Contributor

@zelu-zuehlke Good afternoon. Could you please confirm if this is still an issue or if we could close it.

@ashishdhingra ashishdhingra added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 6, 2024

github-actions bot commented Jun 9, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 9, 2024
@zelu-zuehlke
Author

@ashishdhingra yep, it's solved now and it is not an issue anymore. Thanks


⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
