SFTP Server Replication with Arpio
Arpio replicates the following Transfer Family resource types into your recovery environment:
Server
Arpio will create copies of your selected servers into the recovery environment during failover. The server copy will have the same general configuration as the original, including endpoint details and identity provider settings.
One notable exception is the host key. AWS does not allow Arpio (or any other client) to retrieve the private host key from a Server. If you would like your replica server to have the same key as the original, you must place a copy of your private key into AWS Secrets Manager under the path /Arpio/TransferServer/server-id/HostKey. This step is highly recommended: without it, the failover server will present a different host key, and clients that have pinned the original host key may refuse to connect to it.
If you created your primary Server using an AWS-supplied default key, there is no way to replicate that key. You may want to issue a new key that is used in both your primary and replica environments and distribute the new public key to your clients.
Some resource attributes, listed in the table below, do require translation.
| Attribute | Translation |
| --- | --- |
| EndpointDetails | If a Server in your primary environment is connected to a VPC, the replicated instance in the recovery environment will be attached to the replicated version of that VPC in the recovery environment. The VpcId, SubnetIds, SecurityGroupIds, and AddressAllocationIds properties of EndpointDetails will be updated to reflect the IDs for this replicated VPC. |
| IdentityProviderDetails | If a Server in your primary environment is using Lambda authentication, the Lambda will be replicated into your recovery environment and IdentityProviderDetails.Function will be updated to the ARN of the recovery environment Lambda. If a Server in your primary environment is using API Gateway authentication, the API Gateway will be replicated into your recovery environment. IdentityProviderDetails.Url will be updated to the ARN of the recovery environment API Gateway. The IdentityProviderDetails.InvocationRole property will also be updated to a replica of your invocation role that has access to the recovery API Gateway. |
| LoggingRole | Arpio will create a new role that targets resources in the recovery environment. The LoggingRole property will be updated to the ARN of this new role. |
The following resources are automatically discovered and included in recovery points when a Server is selected.
- API Gateways used as custom identity providers (and their dependent resources)
- Lambda functions, versions, or aliases used as custom identity providers (and their dependent resources)
- VPCs, Subnets, Security Groups, and Address Allocation IDs used in EndpointDetails.
- The IAM role used in LoggingRole
- The IAM role used to access the API Gateway (if applicable)
- Any User or HostKey resources associated with this Server ID.
User
Arpio will create copies of the Users belonging to your selected Servers in the recovery environment during failover. Each User copy will have the same general configuration as the original.
Some resource attributes, listed in the table below, do require translation.
| Attribute | Translation |
| --- | --- |
| HomeDirectory | If the first path element is the name of a mirrored S3 bucket, it will be replaced with the name of the corresponding bucket in the recovery environment. This allows the user to access files from a replica bucket in the recovery region. |
| HomeDirectoryMappings | If logical mappings are used, each mapping is examined and bucket names replaced in the same manner as described for HomeDirectory. |
| Role | Arpio will create a new role that targets resources in the recovery environment. The Role property will be updated to the ARN of this new role. |
| ServerId | The replica User will belong to the replica Server in your recovery environment. |
The following resources are automatically discovered and included in recovery points when a Server is selected.
- S3 buckets referenced in HomeDirectory or HomeDirectoryMappings.
- IAM Roles used in the Role property
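The HomeDirectory and HomeDirectoryMappings translation described above, worked through as an added example (this is illustrative code, not Arpio's implementation). It rewrites only the bucket element of each S3 path, keeps the key prefix and the logical Entry untouched, and adds the check a practitioner wants before trusting a recovery point: which buckets a User references that have no mirror in the recovery region. The bucket names, the BUCKET_MAP and the sample user are constructed.

```python
# Added example (not Arpio's code): the HomeDirectory / HomeDirectoryMappings
# bucket translation described above, plus a check for buckets that have no
# mirror. Bucket names and user definitions here are constructed.
from typing import Dict, List

# Constructed map of primary-region bucket -> mirrored recovery-region bucket.
BUCKET_MAP: Dict[str, str] = {
    "acme-sftp-uploads": "acme-sftp-uploads-dr",
    "acme-sftp-archive": "acme-sftp-archive-dr",
}


def first_path_element(s3_path: str) -> str:
    """Return the bucket name from an S3 path of the form /bucket/prefix."""
    return s3_path.split("/", 2)[1] if s3_path.startswith("/") else ""


def translate_home_directory(home_directory: str, bucket_map: Dict[str, str]) -> str:
    """Rewrite the bucket element if it is mirrored; leave the key prefix alone.

    A path whose first element is not a mirrored bucket is returned unchanged,
    which is exactly the case unmirrored_buckets() below is meant to surface.
    """
    bucket = first_path_element(home_directory)
    if bucket not in bucket_map:
        return home_directory
    parts = home_directory.split("/", 2)
    parts[1] = bucket_map[bucket]
    return "/".join(parts)


def translate_home_directory_mappings(
    mappings: List[Dict[str, str]], bucket_map: Dict[str, str]
) -> List[Dict[str, str]]:
    """Apply the same rewrite to each logical mapping's Target.

    Entry is the virtual path the SFTP user sees and is kept as-is; Target is
    the real S3 path and has its bucket translated.
    """
    return [
        {"Entry": m["Entry"], "Target": translate_home_directory(m["Target"], bucket_map)}
        for m in mappings
    ]


def translate_user(user: Dict, bucket_map: Dict[str, str]) -> Dict:
    """Return a copy of a DescribeUser-style dict with its S3 paths translated."""
    out = dict(user)
    if "HomeDirectory" in user:
        out["HomeDirectory"] = translate_home_directory(user["HomeDirectory"], bucket_map)
    if "HomeDirectoryMappings" in user:
        out["HomeDirectoryMappings"] = translate_home_directory_mappings(
            user["HomeDirectoryMappings"], bucket_map
        )
    return out


def unmirrored_buckets(user: Dict, bucket_map: Dict[str, str]) -> List[str]:
    """List buckets a user references that have no recovery-region mirror.

    A replica user pointing at such a bucket would fail at login or on the
    first transfer, so run this before relying on a recovery point.
    """
    paths = [user.get("HomeDirectory", "")]
    paths += [m["Target"] for m in user.get("HomeDirectoryMappings", [])]
    buckets = {first_path_element(p) for p in paths if first_path_element(p)}
    return sorted(b for b in buckets if b not in bucket_map)


if __name__ == "__main__":
    # Constructed user: a logical home directory with two mappings.
    sample_user = {
        "UserName": "partner-a",
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": [
            {"Entry": "/inbox", "Target": "/acme-sftp-uploads/partner-a"},
            {"Entry": "/archive", "Target": "/legacy-bucket/partner-a"},
        ],
    }
    print(translate_user(sample_user, BUCKET_MAP))
    print("unmirrored:", unmirrored_buckets(sample_user, BUCKET_MAP))
```

Feeding the output of DescribeUser for each User on the primary Server through unmirrored_buckets() is a cheap pre-failover test: any bucket it lists will not be reachable from the replica User, even though the User itself will be created.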
HostKey
If your Server uses any additional host keys, Arpio will attempt to replicate them. However, for this to work, you must provide the private key. This cannot be retrieved from the source environment by Arpio or any other AWS client. Place the private key into AWS Secrets Manager at the path /Arpio/TransferHostKey/host-key-id/HostKey.
If a private key is found in Secrets Manager, Arpio will create a copy of the HostKey that has the same Description and Tags as the original.
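An added example covering the host-key requirement for both the Server's primary key (/Arpio/TransferServer/server-id/HostKey, described in the Server section) and additional HostKey resources (/Arpio/TransferHostKey/host-key-id/HostKey). It is not Arpio's code. It builds the secret path from a Transfer Family ID (the ID formats are the ones AWS documents: s- and hostkey- followed by 17 hex characters), refuses to store anything that does not look like a private key, creates the secret with boto3, and computes the SHA256 fingerprint of a public key so the replica's host key can be compared with the one distributed to clients after failover. The region parameter of store_host_key is an assumption of this example; the page does not say which region Arpio reads the secret from. All IDs and key material below are constructed.

```python
# Added example (not Arpio's code): build the Secrets Manager path Arpio reads
# for a Transfer Family host key, sanity-check the key material before storing
# it, and compare a replica server's host key fingerprint against the one
# distributed to clients. IDs and keys below are constructed.
import base64
import hashlib
import re

# ID formats AWS documents for Transfer Family; anything else is rejected so a
# typo cannot create a secret Arpio will never read.
SERVER_ID = re.compile(r"s-[0-9a-f]{17}")
HOST_KEY_ID = re.compile(r"hostkey-[0-9a-f]{17}")

PEM_PRIVATE_HEADERS = (
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)


def arpio_secret_name(resource_id: str) -> str:
    """Secret path for a Server's primary key or for an additional HostKey."""
    if SERVER_ID.fullmatch(resource_id):
        return f"/Arpio/TransferServer/{resource_id}/HostKey"
    if HOST_KEY_ID.fullmatch(resource_id):
        return f"/Arpio/TransferHostKey/{resource_id}/HostKey"
    raise ValueError(f"not a Transfer Family server or host key id: {resource_id}")


def looks_like_private_key(pem: str) -> bool:
    """Catch the common mistake of storing the public half (or nothing at all)."""
    lines = pem.strip().splitlines()
    return bool(lines) and lines[0] in PEM_PRIVATE_HEADERS


def store_host_key(resource_id: str, pem: str, region: str) -> str:
    """Create the secret with boto3 (assumed installed). The region argument is
    an assumption of this example, not something the page specifies."""
    if not looks_like_private_key(pem):
        raise ValueError("refusing to store something that is not a private key")
    import boto3  # imported here so the rest of the module works offline

    name = arpio_secret_name(resource_id)
    boto3.client("secretsmanager", region_name=region).create_secret(
        Name=name, SecretString=pem
    )
    return name


def ssh_public_key_fingerprint(public_key_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    key_type, b64 = public_key_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; checking it
    # catches a truncated or mangled key before it is fingerprinted.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match the line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(expected_fingerprint: str, observed_key_line: str) -> bool:
    """Post-failover check: does the replica present the distributed host key?

    observed_key_line is a line of `ssh-keyscan <replica-endpoint>` output; the
    leading hostname field it prefixes is dropped if present.
    """
    fields = observed_key_line.split()
    if len(fields) >= 3 and not fields[0].startswith(("ssh-", "ecdsa-")):
        fields = fields[1:]
    return ssh_public_key_fingerprint(" ".join(fields)) == expected_fingerprint


def build_public_key_line(key_type: str, key_bytes: bytes, comment: str = "constructed") -> str:
    """Assemble an authorized_keys-style line; used only to build a deterministic
    sample here (an Ed25519 blob is string(type) + string(32 raw key bytes))."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b

    blob = ssh_string(key_type.encode()) + ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    print(arpio_secret_name("s-0123456789abcdef0"))
    print(arpio_secret_name("hostkey-0123456789abcdef0"))
    sample = build_public_key_line("ssh-ed25519", bytes(range(32)))
    print(ssh_public_key_fingerprint(sample))
```

The fingerprint check is the practical way to confirm the replication worked: record the fingerprint of the key you distributed to clients, and after a failover run ssh-keyscan against the replica endpoint and pass the result to host_key_matches(). A False here means the replica was created with a different key (for example because the secret was missing or stored under the wrong path) and clients that pin the original key will refuse to connect.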
Some resource attributes, listed in the table below, do require translation.
| Attribute | Translation |
| --- | --- |
| ServerId | The replica HostKey will belong to the replica Server in your recovery environment. |
Use Cases
Supported Use Cases
If you are using AWS Transfer Family to implement SFTP services, Arpio can provide recovery for the following scenarios:
- Protocol - SFTP only
- Identity Providers
  - Service-Managed
  - Custom Identity Provider, both Lambda and API Gateway
- Domain - S3
- Endpoint types - Public or VPC, but not VPC endpoint, which was deprecated by AWS in 2021.
- Host keys - either auto-generated or customer-provided
Unsupported Use Cases
- Workflows are not currently supported