Configuring Cerberus FTP Server on your AWS or Azure Platform

2.0 Background

The purpose of this white paper is to document the basic steps to create virtual server instances in AWS and Azure that can host Cerberus FTP Server. This paper will not make suggestions in terms of the CPU and RAM requirements of the servers beyond those suggested by our minimum requirements. Nor do we recommend or endorse one platform over the other as Cerberus customers successfully run and manage Cerberus FTP Server on each platform.

3.0 Running Cerberus FTP Server on Amazon Web Services (AWS)

3.1 Log Into AWS and Access EC2

Start by navigating to https://aws.amazon.com in a browser. This is the AWS ‘homepage’. To begin creating your AWS Cerberus FTP server, click on ‘Sign In to the Console’ at the upper right to access the login screen:

On this screen, you can either enter credentials for an existing account or create a new account. Bookmark https://signin.aws.amazon.com as this is where you will come from now on to log onto your AWS account to manage your virtual AWS server(s). Make sure ‘Root User’ is selected when you log in as you will be acting as the account owner to set up a new server.

INFORMATION SYSTEM ACTIVITY REVIEW (R) – § 164.308(a)(1)(ii)(D)

Once on the ‘AWS Management Console, click on ‘EC2’ under ‘All Services’ > ‘Compute’. If you have been in AWS before, you may see it under ‘Recently visited services’ and you can also click on it there.

3.2 Create

On the ‘EC2 Dashboard’, click on ‘Launch Instance’ to start the virtual server creation process.

3.2.1 Step 1: Choose an Amazon Machine Image

On this screen, you will need to select a pre-packaged Amazon Machine Image (AMI). This will form the basis of your AWS virtual server instance. All settings can be changed later, but to start with, you need to select an image here that contains the basic CPU, RAM, and storage options you are looking for. To run Cerberus FTP Server, selecting the most current Windows Server Base is the most appropriate, currently ‘Microsoft Windows Server 2019 Base’.

3.2.2 Step 2: Choose an Instance Type

On this screen, you will need to select an instance type appropriate for your use case. Using the Cerberus FTP Server minimum requirements as a baseline, we recommend no less than 2 vCPU’s and 4GiB of RAM. However, if you anticipate thousands of transfers an hour, you may want to consider a more capable instance, such as 4 vCPUs and 16GiB of RAM. Remember that this can be changed later if you find that your instance is having trouble handling the volume, or that you have chosen an instance that is excessive for your use case.

Select your desired instance in the first column of the table.

 Click ‘Next: Configure Instance Details’ at the bottom of the screen to move to the next section.

3.2.3 Step 3: Configure Instance Details

On this screen, you will configure the instance to suit your needs. For the most part, you will not need to change these settings, but you will need to obtain a static external IP address for users to access your virtual environment from outside. The ‘auto-assign Public IP’ setting requests a public IP address from Amazon’s public IP address pool to make your instance reachable from the Internet. In most cases, the public IP address is associated with the instance until it’s stopped or terminated, after which it’s no longer available for you to use. Because an FTP server requires a persistent public IP address, after launch you should navigate to ‘Network & Security > ‘Elastic IPs’ on the left-hand side navigation menu to allocate your own EIP, and associate it to your instance.

Click ‘Next: Add Storage’ after reviewing the instance details

3.2.4 Step 4: Add Storage

Update your desired storage size based on your file storage needs. Cerberus FTP Server itself requires less than 500MB.To access the Amazon documentation on EC2 storage, see ‘Storage – Amazon Elastic Cloud’

Click ‘Next: Add Tags’ after deciding on your storage needs.

3.2.5 Step 5: Add Tags

Apply tags if you wish. To help you manage your instances, images, and other Amazon EC2 resources, you can assign your metadata to each resource in the form of tags. Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type—you can quickly identify a specific resource based on the tags that you’ve assigned to it. This topic describes tags and shows you how to create them. See ‘Tag your Amazon EC2 Resources’ for more details.

Click ‘Next: Configure Security Group’ when done.

3.2.6 Step 6: Configure Security Group

A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. If you don’t specify a security group, Amazon EC2 uses the default security group.

For your Cerberus FTP Server instance, you should add new lines for each protocol you will be using. Amazon has pre-configured selections for SSH SFTP (port 22), HTTP (port 80), and HTTPS (port 443). Add descriptions that will tell you why you opened those ports (see screenshot). To add FTP (port 21), FTPS (port 990), and the FTP Passive Port Range (ports 11000-13000), select ‘Custom TCP’ from the ‘Type’ column, then enter the port number for each under ‘Port Range’ and a description.

Unless you know the exact source IP addresses of the users that will be accessing your file server, do not add Source IPs. If you do, these will be the only IPs that will be able to access your instance. See ‘Amazon EC2 security groups’ for more details on configuring your security group.

Click ‘Review and Launch’ when you have configured your security groups.

3.2.7 Step 7: Review Your Instance Setting

On this screen, review your chosen instance settings. If you will be making your FTP/SFTP/HTTPS file server externally available, you can ignore the warning about your security group being open to the world.

You can use the breadcrumb trail at the top of the page to navigate back to any of the settings pages to edit any settings you need to. Once you are happy with what you have, press ‘Launch’ to initiate the instance.

3.2.8 Step 8: Create New Key Pair

Next, you will create the key pair that will be necessary to securely connect to your instance. You will use this key pair any time you wish to connect to your AWS EC2 instance. To begin, click the drop-down and select ‘Create a new key pair’.

Once the key pair has been created, you will need to download it and save it at an accessible, but secure location on your machine.

3.3 Connect to the Instance

To connect, from the EC2 page, click to select your AWS instance on the left, and then click ‘Connect’ to begin the connection. To make sure you can connect, make sure that the instance state is ‘Running’.

3.3.1 Step 1: Connect To Instance

These instructions will go through connecting via the RDP (Remote Desktop Protocol) client. You can also connect via the AWS Session Manager or EC2 Serial Console. For more details on those options, see ‘Connect to your Windows Instance’. To start, click ‘RDP Client’ at the top of the page and then ‘Get Password’.

3.3.2 Step 2: Get Windows Password

You will now need to get the Windows password for your instance. For this, you will need the key pair you saved on your system. Press ‘Browse’ and locate the *.pem file you save.

3.3.3 Step 3: Decrypt Password

Once the key pair has been loaded, click ‘Decrypt Password’.

3.3.4 Step 4: Download Remote Desktop File

You can now connect to your instance via the RDP client of your choice. Before clicking on ‘Download remote desktop file’, copy the password at the bottom of the window as you will need to enter this when prompted to do so by the RDP client. In this example, we use the Windows RDP client.

3.3.5 Step 5: Open The Remote Desktop File

Once the remote desktop file is downloaded, you can select ‘Open’ to launch the RDP client.