Points where I got stuck when using passive-mode FTP on EC2

I'm Ito from the infrastructure team.

When I had the opportunity to use FTP (vsftpd) in passive mode on an EC2 instance, I had difficulty communicating via FTP, so I would like to introduce some points to keep in mind.

vsftpd stands for Very Secure FTP Daemon.

It's not just security groups

I think most people use security groups as the firewall for EC2 instances.

The usual approach is to use a security group to allow only the IP addresses that need FTP.
When using passive FTP, you also need to open the passive ports in the security group.

Something like this: [screenshot of the security group rules]

Next, configure the vsftpd side as well: enable passive mode and set the port range used for passive connections.

# vim /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60030

However, this alone is not enough to connect.

Communication when vsftpd is passive on ec2

The EC2 instance itself doesn't know its public IP address.
If you run ifconfig, it only returns the local IP address.

This means that vsftpd tries to perform passive communication via the local IP address of the EC2 instance: that is the address it gives the client for the data connection. The result is that "FTP communication is possible, but passive communication is not possible, so directory listing is not possible."

To fix this, just set the IP address that should be used for passive communication in vsftpd.

# vim /etc/vsftpd/vsftpd.conf
pasv_address=<public IP>

FTP is now fine!!
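
To confirm which address vsftpd hands out for passive connections, the following added example (not code from the original article) parses the server's 227 reply to PASV and flags a private address or a port outside the range configured above. The sample replies, the addresses in them and the function names are constructed for illustration.

```python
import ipaddress
import re

# Port range from the vsftpd.conf in the article (also opened in the security group).
PASV_MIN_PORT, PASV_MAX_PORT = 60000, 60030
# RFC 1918 ranges: addresses a client outside the VPC cannot reach.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply: %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def diagnose(line, min_port=PASV_MIN_PORT, max_port=PASV_MAX_PORT):
    """Return the problems an external client would hit with this PASV reply."""
    ip, port = parse_pasv_reply(line)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append("advertised address %s is private: set pasv_address" % ip)
    if not min_port <= port <= max_port:
        problems.append("port %d is outside %d-%d" % (port, min_port, max_port))
    return problems


# Constructed sample replies (not captured from a real server).
BEFORE_FIX = "227 Entering Passive Mode (10,0,1,25,234,100)."
AFTER_FIX = "227 Entering Passive Mode (203,0,113,10,234,100)."

if __name__ == "__main__":
    for reply in (BEFORE_FIX, AFTER_FIX):
        print(reply, "->", diagnose(reply) or "OK")
```

The 227 line itself can be copied from the output of an FTP client running in verbose or debug mode.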
