Configuring Cerberus FTP Server on your AWS or Azure Platform
1.0 Introduction to Cerberus FTP Server on Cloud Hosts:
Cerberus FTP Server is a robust, easy to manage secure file transfer server solution. It is easy to host Cerberus on cloud virtual server platforms such as Amazon Web Services (AWS) or Microsoft Azure if these platforms have been configured correctly. This document summarizes the basic setup steps to create virtual servers in the Amazon and Azure Clouds which can then be used to host Cerberus FTP Server.
2.0 Background
The purpose of this white paper is to document the basic steps to create virtual server instances in AWS and Azure that can host Cerberus FTP Server. This paper will not make suggestions in terms of the CPU and RAM requirements of the servers beyond those suggested by our minimum requirements. Nor do we recommend or endorse one platform over the other as Cerberus customers successfully run and manage Cerberus FTP Server on each platform.
3.0 Running Cerberus FTP Server on Amazon Web Services (AWS)
3.1 Log Into AWS and Access EC2
Start by navigating to https://aws.amazon.com in a browser. This is the AWS ‘homepage’. To begin creating your AWS Cerberus FTP server, click on ‘Sign In to the Console’ at the upper right to access the login screen:
On this screen, you can either enter credentials for an existing account or create a new account. Bookmark https://signin.aws.amazon.com as this is where you will come from now on to log onto your AWS account to manage your virtual AWS server(s). Make sure ‘Root User’ is selected when you log in as you will be acting as the account owner to set up a new server.
Once on the ‘AWS Management Console’, click on ‘EC2’ under ‘All Services’ > ‘Compute’. If you have been in AWS before, you may see it under ‘Recently visited services’ and you can also click on it there.
3.2 Create
On the ‘EC2 Dashboard’, click on ‘Launch Instance’ to start the virtual server creation process.
3.2.1 Step 1: Choose an Amazon Machine Image
On this screen, you will need to select a pre-packaged Amazon Machine Image (AMI). This will form the basis of your AWS virtual server instance. All settings can be changed later, but to start with, you need to select an image here that contains the basic CPU, RAM, and storage options you are looking for. To run Cerberus FTP Server, selecting the most current Windows Server Base is the most appropriate, currently ‘Microsoft Windows Server 2019 Base’.
3.2.2 Step 2: Choose an Instance Type
On this screen, you will need to select an instance type appropriate for your use case. Using the Cerberus FTP Server minimum requirements as a baseline, we recommend no less than 2 vCPUs and 4GiB of RAM. However, if you anticipate thousands of transfers an hour, you may want to consider a more capable instance, such as 4 vCPUs and 16GiB of RAM. Remember that this can be changed later if you find that your instance is having trouble handling the volume, or that you have chosen an instance that is excessive for your use case.
Select your desired instance in the first column of the table.
Click ‘Next: Configure Instance Details’ at the bottom of the screen to move to the next section.
3.2.3 Step 3: Configure Instance Details
On this screen, you will configure the instance to suit your needs. For the most part, you will not need to change these settings, but you will need to obtain a static external IP address for users to access your virtual environment from outside. The ‘auto-assign Public IP’ setting requests a public IP address from Amazon’s public IP address pool to make your instance reachable from the Internet. In most cases, the public IP address is associated with the instance until it’s stopped or terminated, after which it’s no longer available for you to use. Because an FTP server requires a persistent public IP address, after launch you should navigate to ‘Network & Security’ > ‘Elastic IPs’ on the left-hand side navigation menu to allocate your own EIP, and associate it to your instance.
Click ‘Next: Add Storage’ after reviewing the instance details.
3.2.4 Step 4: Add Storage
Update your desired storage size based on your file storage needs. Cerberus FTP Server itself requires less than 500MB. To access the Amazon documentation on EC2 storage, see ‘Storage – Amazon Elastic Cloud’.
Click ‘Next: Add Tags’ after deciding on your storage needs.
3.2.5 Step 5: Add Tags
Apply tags if you wish. To help you manage your instances, images, and other Amazon EC2 resources, you can assign your metadata to each resource in the form of tags. Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type—you can quickly identify a specific resource based on the tags that you’ve assigned to it. This topic describes tags and shows you how to create them. See ‘Tag your Amazon EC2 Resources’ for more details.
Click ‘Next: Configure Security Group’ when done.
3.2.6 Step 6: Configure Security Group
A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. If you don’t specify a security group, Amazon EC2 uses the default security group.
For your Cerberus FTP Server instance, you should add new lines for each protocol you will be using. Amazon has pre-configured selections for SSH SFTP (port 22), HTTP (port 80), and HTTPS (port 443). Add descriptions that will tell you why you opened those ports (see screenshot). To add FTP (port 21), FTPS (port 990), and the FTP Passive Port Range (ports 11000-13000), select ‘Custom TCP’ from the ‘Type’ column, then enter the port number for each under ‘Port Range’ and a description.
Unless you know the exact source IP addresses of the users that will be accessing your file server, do not add Source IPs. If you do, these will be the only IPs that will be able to access your instance. See ‘Amazon EC2 security groups’ for more details on configuring your security group.
Click ‘Review and Launch’ when you have configured your security groups.
3.2.7 Step 7: Review Your Instance Setting
On this screen, review your chosen instance settings. If you will be making your FTP/SFTP/HTTPS file server externally available, you can ignore the warning about your security group being open to the world.
You can use the breadcrumb trail at the top of the page to navigate back to any of the settings pages to edit any settings you need to. Once you are happy with what you have, press ‘Launch’ to initiate the instance.
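Step 7 accepts the open-to-the-world warning for the file-transfer ports opened in Step 6; the check below flags any other world-open inbound rule, in particular RDP, which this guide uses for administration. It is an added example, not part of the original white paper or of Cerberus tooling. It assumes rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the function names and sample rules are constructed for illustration, and 3389 is the Windows RDP default port rather than a value from this page.

```python
# Added example: audit security-group ingress rules against the ports this guide opens.
# Input mirrors the "IpPermissions" list from `aws ec2 describe-security-groups`.
# Ports the guide opens to all sources: FTP, SFTP, HTTP, HTTPS, FTPS, passive range.
PUBLIC_OK = [(21, 21), (22, 22), (80, 80), (443, 443), (990, 990), (11000, 13000)]
RDP_PORT = 3389  # Windows Remote Desktop default; management access, not file transfer
WORLD = {"0.0.0.0/0", "::/0"}


def sources(perm):
    """Collect IPv4 and IPv6 source CIDRs from one IpPermissions entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def audit(ip_permissions):
    """Return (severity, message) findings for world-open rules outside the guide's list."""
    findings = []
    for perm in ip_permissions:
        if not WORLD.intersection(sources(perm)):
            continue  # rule is limited to specific source addresses
        proto = perm.get("IpProtocol")
        if proto == "-1":
            findings.append(("HIGH", "all protocols and ports open to any source"))
            continue
        if proto not in ("tcp", "udp"):
            continue  # port numbers only apply to TCP and UDP rules
        lo, hi = perm["FromPort"], perm["ToPort"]
        if lo <= RDP_PORT <= hi:
            findings.append(("HIGH", f"RDP {RDP_PORT} open to any source (rule {lo}-{hi})"))
        elif not any(a <= lo and hi <= b for a, b in PUBLIC_OK):
            findings.append(("MEDIUM", f"{lo}-{hi} open to any source, not in the guide's list"))
    return findings


# Constructed sample rules (not taken from a real account).
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 990, "ToPort": 990, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 11000, "ToPort": 13000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(severity, message)
```

To run it against a real group, pass the `IpPermissions` list parsed from the CLI's JSON output to `audit()`.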
3.2.8 Step 8: Create New Key Pair
Next, you will create the key pair that will be necessary to securely connect to your instance. You will use this key pair any time you wish to connect to your AWS EC2 instance. To begin, click the drop-down and select ‘Create a new key pair’.
Once the key pair has been created, you will need to download it and save it at an accessible, but secure location on your machine.
3.3 Connect to the Instance
To connect, from the EC2 page, click to select your AWS instance on the left, and then click ‘Connect’ to begin the connection. To make sure you can connect, make sure that the instance state is ‘Running’.
3.3.1 Step 1: Connect To Instance
These instructions will go through connecting via the RDP (Remote Desktop Protocol) client. You can also connect via the AWS Session Manager or EC2 Serial Console. For more details on those options, see ‘Connect to your Windows Instance’. To start, click ‘RDP Client’ at the top of the page and then ‘Get Password’.
3.3.2 Step 2: Get Windows Password
You will now need to get the Windows password for your instance. For this, you will need the key pair you saved on your system. Press ‘Browse’ and locate the *.pem file you saved.
3.3.3 Step 3: Decrypt Password
Once the key pair has been loaded, click ‘Decrypt Password’.
3.3.4 Step 4: Download Remote Desktop File
You can now connect to your instance via the RDP client of your choice. Before clicking on ‘Download remote desktop file’, copy the password at the bottom of the window as you will need to enter this when prompted to do so by the RDP client. In this example, we use the Windows RDP client.
3.3.5 Step 5: Open The Remote Desktop File
Once the remote desktop file is downloaded, you can select ‘Open’ to launch the RDP client.
3.3.6 Step 6: Initiate the Connection
In this example, the remote desktop client prompts you that the publisher of this connection is not identified and asks if you wish to connect. Go ahead and click ‘Connect’.
3.3.7 Step 7: Enter Your Password
RDP will next prompt you to enter the decrypted password. This will be the password you decrypted in step 4 above.
3.3.8 Step 8: Accept Certificate Prompt and Open Instance
Select ‘Yes’ when prompted to connect despite the certificate error. Since the certificate was generated by Amazon, you do not need to be concerned about this error and you can decide to select ‘Don’t ask me again for connections to this computer’ if you wish.
RDP should now open the AWS instance. You can now follow the steps outlined in the Cerberus Online Help to install and configure Cerberus FTP Server just as you would on an on-premises server.
4.0 Running Cerberus FTP Server with Microsoft Azure Cloud
Specifications of the hardware and software used to run the test appear below.
Azure Cloud VM (1 instance)
- AMD EPYC 7452 32-Core Processor with 1 Processor, 2 Cores (4 Threads), x64 processor
- 16 GiB RAM
- Windows Server 2019 Datacenter, 64-bit
- Storage: 127 GiB Premium SSD
- Cerberus 11.1.0.0 with FTP, FTPS and SFTP listeners
- Network capacity unlimited pay-as-you-go
4.1 Log Into Microsoft Azure Cloud
Start by navigating to https://portal.azure.com in a browser. This is the Azure ‘homepage’. You’ll be prompted to sign in with your Windows account or to choose another account. One of the benefits of Azure is that you can use your regular Windows account instead of having to maintain a separate account. Of course, you can choose to have a separate account, just for maintaining your Azure environment so that you can potentially share the account with other administrators.
Using your current account is convenient as you will not need to re-authenticate with Azure cloud hosting if you are using Windows.
4.2 Create Instance
Under ‘Azure services’, click ‘Virtual Machines’ and then ‘Create’.
4.2.1 Step 1: Basics Tab
On this screen, start by naming your ‘Resource Group’. It’s recommended you use something recognizable, like ‘Cerberus FTP Server’ or ‘FTP Server’. Do the same in the ‘Virtual Machine Name’. Leave the remaining settings alone for now. You’ll update them on other screens.
4.2.2 Step 2: Select an Image
Next, you will select your ‘Image’. ‘Image’ should be the most recent ‘Windows Server Datacenter’ instance ‘with Containers’. If this is not already pre-populated, click the ‘Image’ dropdown to select the correct Image.
4.2.3 Step 3: Choose a VM Size
Now, click ‘Size’ to select a VM CPU and RAM size. Our recommendation is at least 2 vCPUs and 8 GiB of RAM, but you may want to invest in a more powerful processor if you think you will be running thousands of processes an hour.
4.2.4 Step 4: Set Admin Username and Password
Now that you have selected the size, move on to the next section, ‘Administrator Account’, and set the administrator username and password for your new Azure instance.
4.2.5 Step 5: Set Inbound Port Rules
Next, under the ‘Inbound Port Rules’, click the up arrow to see your options. If you plan to use the Cerberus Web client, select ‘HTTP (80)’ and ‘HTTPS (443)’. For SFTP, select ‘SSH (22)’. If you plan to use FTP or FTPS on ports 21 and 990, as well as the passive port range, you will do that in a later step.
4.2.6 Step 6: Set Inbound Port Rules
Microsoft will pre-populate ‘Premium SSD (locally-redundant storage)’. This is generally overkill for an FTP server with standard volumes of traffic (up to several hundred connections per hour). If you anticipate a high volume of traffic, then the Premium SSD may be best; however, in most cases, the Standard SSD is sufficient and lower cost. The default encryption at rest with a platform-managed key is fine for most Cerberus instances, but if you wish to explore the other options available to you, please refer to this document: Introduction to Azure Managed Disks
4.2.7 Step 7: Networking, Management, Advanced and Tags Screens
For a basic Cerberus instance, you can just advance past the ‘Networking’, ‘Management’, ‘Advanced’ and ‘Tags’ screens, right to ‘Review & Create’. You are free to review the options available on these screens to see if you wish to include any in your Cerberus FTP Server VM, but they are not necessary in general, and many come at extra cost.
4.2.8 Step 8: Review Your Settings and Create Your Instance
On this screen, first, make sure that you have the ‘Validation Passed’ checkmark. This tells you that Microsoft has all the settings they need in order to create your Microsoft Azure instance. Review all the settings on the page and ensure you have set it up the way you want it to be. You can click on any of the breadcrumb links at the top of the page if you need to change anything. If you are happy with your setup, click ‘Create Instance’ to establish your instance.
4.2.9 Step 9: Complete Network Settings
Your instance will take a few minutes for Microsoft to set up. Once it is ready, if you plan to allow FTP and/or FTPS access to your server, click on ‘Virtual Machines’ or your VM’s name under ‘Recent Resources’ to see its settings.
4.3 Connect to the Instance
This process will describe connecting to your Azure instance via the Remote Desktop Protocol (RDP). You can also connect with SSH or Bastion. See Azure for those instructions. Start by logging into Azure and click on ‘Virtual Machines’.
4.3.1 Step 1: Select Your Server
Next, click on the name of your server.
4.3.2 Step 2: Start Up the Server
Now, if your VM is not already running, select ‘Start’ at the top of the modal window that appears to start up the instance.
4.3.3 Step 3: Connect to Instance
Once it is running, click on ‘Connect’, and select ‘RDP’ at the top of the modal window that appears.
4.3.4 Step 4: Download RDP File
Click ‘Download RDP File’.
4.3.5 Step 5: Open the Remote Desktop File
Once the remote desktop file is downloaded, you can select ‘Open’ to launch the RDP client.
4.3.6 Step 6: Initiate the Connection
In this example, the remote desktop client prompts you that the publisher of this connection is not identified and asks if you wish to connect. Go ahead and click ‘Connect’.
4.3.7 Step 7: Enter Your Password
RDP will next prompt you to enter the decrypted password. This will be the admin username and password you set up when you created your instance.
4.3.8 Step 8: Accept Certificate Prompt and Open Instance
Select ‘Yes’ when prompted to connect despite the certificate error. Since the certificate was generated by Azure, you do not need to be concerned about this error and you can decide to select ‘Don’t ask me again for connections to this computer’ if you wish.
RDP should now open the Azure instance. You can now follow the steps outlined in the Cerberus Online Help to install and configure Cerberus just as you would on an on-premises server.
5.0 Install Cerberus FTP Server on Your Cloud VM
Now you are ready to install Cerberus FTP Server on your Cloud VM.
To download the Cerberus FTP Server executable onto your Cloud VM, navigate to the Cerberus FTP Server website at https://www.cerberusftp.com.
To install Cerberus, follow the steps in these documents
Much more documentation is available in our Online Help library and FAQs.
For help with issues and questions related to the Cerberus application, you may contact Cerberus Support at support@cerberusftp.com. Our hours of operation are from 9am to 5pm Eastern USA Time.