Tutorial: Mount a file system from a different VPC
In this tutorial, you set up an EC2 instance to mount an EFS file system
that is in a different virtual private cloud (VPC). You do this using the EFS mount
helper. The mount helper is part of the amazon-efs-utils
set of tools. For
more information about amazon-efs-utils
, see Installing the Amazon EFS client.
The client's VPC and your EFS file system's VPC must be connected using either a VPC peering connection or a VPC transit gateway. When you use a VPC peering connection or transit gateway to connect VPCs, EC2 instances that are in one VPC can access EFS file systems in another VPC, even if the VPCs belong to different accounts.
Note
Using Amazon EFS with Microsoft Windows–based clients isn't supported.
Topics
Prerequisites
To complete this tutorial, you must have the following:
-
The
amazon-efs-utils
set of tools is installed on the EC2 instance before using this procedure. For instructions on installingamazon-efs-utils
, see Installing the Amazon EFS client. -
One of the following:
-
A VPC peering connection between the VPC where the EFS file system resides and the VPC where the EC2 instance resides. A VPC peering connection is a networking connection between two VPCs. This type of connection enables you to route traffic between them using private Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. You can use VPC peering to connect VPCs within the same AWS Region or between AWS Regions. For more information, see Creating and Accepting a VPC Peering Connection in the Amazon VPC Peering Guide.
-
A transit gateway connecting the VPC where the EFS file system resides and the VPC where the EC2 instance resides. A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. For more information, see Getting Started with Transit Gateways in the Amazon VPC Transit Gateways Guide.
-
Step 1: Determine the ID of the mount target's Availability Zone
To ensure high availability of your file system, we recommend that you always use an EC2 mount target IP address that is in the same Availability Zone as your NFS client. If you are mounting an EFS file system that is in another account, ensure that the NFS client and EFS mount target are in the same Availability Zone ID. This requirement applies because Availability Zone names can differ between accounts.
To determine the Availability Zone ID of the EC2 instance
-
Connect to your EC2 instance. For more information, see Connect to your EC2 instance in the Amazon EC2 User Guide.
Determine the Availability Zone ID that the EC2 instance is in using the
describe-availability-zones
CLI command as follows.[ec2-user@ip-10.0.0.1] $
aws ec2 describe-availability-zones --zone-name
{ "AvailabilityZones": [ { "State": "available", "ZoneName": "us-east-2b", "Messages": [], "ZoneId": "use2-az2", "RegionName": "us-east-2" } ] }
The Availability Zone ID is returned in the
ZoneId
property,use2-az2
.
Step 2: Determine the mount target IP address
Now that you know the Availability Zone ID of the EC2 instance, you can now retrieve the IP address of the mount target that is in the same Availability Zone ID.
To determine the mount target IP address in the same Availability Zone ID
-
Retrieve the mount target IP address for your file system in the
use2-az2
AZ ID using thedescribe-mount-targets
CLI command, as follows.$
aws efs describe-mount-targets --file-system-id
file_system_id
{ "MountTargets": [ { "OwnerId": "111122223333", "MountTargetId": "fsmt-11223344", =====> "AvailabilityZoneId": "use2-az2", "NetworkInterfaceId": "eni-048c09a306023eeec", "AvailabilityZoneName": "us-east-2b", "FileSystemId": "fs-01234567", "LifeCycleState": "available", "SubnetId": "subnet-06eb0da37ee82a64f", "OwnerId": "958322738406", =====> "IpAddress": "10.0.2.153" }, ... { "OwnerId": "111122223333", "MountTargetId": "fsmt-667788aa", "AvailabilityZoneId": "use2-az3", "NetworkInterfaceId": "eni-0edb579d21ed39261", "AvailabilityZoneName": "us-east-2c", "FileSystemId": "fs-01234567", "LifeCycleState": "available", "SubnetId": "subnet-0ee85556822c441af", "OwnerId": "958322738406", "IpAddress": "10.0.3.107" } ] }
The mount target in the
use2-az2
Availability Zone ID has an IP address of 10.0.2.153.
Step 3: Add a host entry for the mount target
You can now make an entry in the /etc/hosts
file on the
EC2 instance that maps the mount target IP address to your EFS file system's
hostname.
To add a host entry for the mount target
-
Add a line for the mount target IP address to the EC2 instance's
/etc/hosts
file. The entry uses the formatm
. Use the following command to add the line to the file.ount-target-IP-Address
file-system-ID
.efs.region
.amazonaws.com.rproxy.goskope.comecho "10.0.2.153 fs-01234567.efs.us-east-2.amazonaws.com" | sudo tee -a /etc/hosts
Make sure that the VPC security groups for the EC2 instance and mount target have rules that allow access to the EFS file system, as needed. For more information, see Using VPC security groups for Amazon EC2 instances and mount targets.
Step 4: Mount your file system using the EFS mount helper
To mount your EFS file system, you first create a mount directory on the EC2 instance. Then, using the EFS mount helper, you can mount the file system with either AWS Identity and Access Management (IAM) authorization or an EFS access point. For more information, see Using IAM to control file system data access and Working with Amazon EFS access points.
To create a mount directory
-
Create a directory for mounting the file system using the following command.
$
sudo mkdir /mnt/efs/
To mount the file system using IAM authorization
Use the following command to mount the file system using IAM authorization.
$
sudo mount -t efs -o tls,iamfile-system-id
/mnt/efs/
To mount the file system using an EFS access point
Use the following command to mount the file system using an EFS access point.
$
sudo mount -t efs -o tls,accesspoint=access-point-id
file-system-id
/mnt/efs/
Now that you've mounted your EFS file system, you can test it with the following procedure.
To test the EFS file system connection
-
Change directories to the new directory that you created with the following command.
$ cd ~/mnt/efs
-
Make a subdirectory and change the ownership of that subdirectory to your EC2 instance user. Then navigate to that new directory with the following commands.
$ sudo mkdir getting-started $ sudo chown ec2-user getting-started $ cd getting-started
-
Create a text file with the following command.
$ touch test-file.txt
-
List the directory contents with the following command.
$ ls -al
As a result, the following file is created.
-rw-rw-r-- 1
username
username
0 Nov 15 15:32 test-file.txt
You can also mount your file system automatically by adding an entry to the
/etc/fstab
file. For more information, see Enabling automatic
mounting on existing EC2 Linux instances.
Warning
Use the _netdev
option, used to identify network file systems, when
mounting your file system automatically. If _netdev
is missing, your EC2
instance might stop responding. This result is because network file systems need to be
initialized after the compute instance starts its networking. For more information, see Automatic mounting fails and the instance is
unresponsive.
Step 5: Clean up resources and protect your AWS account
After you have finished this tutorial, perform the following seps to clean up your resources and protect your AWS account.
To clean up resources and protect your AWS account
-
Unmount the EFS file system with the following command.
$ sudo umount ~/efs
Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/
. -
Choose the EFS file system that you want to delete from the list of file systems.
-
For Actions, choose Delete file system.
-
In the Permanently delete file system dialog box, type the file system ID for the EFS file system that you want to delete, and then choose Delete File System.
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
In the navigation pane, choose Security Groups.
-
Select the name of the security group that you added the rule to for this tutorial.
Warning
Don't delete the default security group for your VPC.
-
For Actions, choose Edit inbound rules.
-
Choose the X at the end of the inbound rule you added, and choose Save.