Working with interface VPC endpoints in Amazon EFS
To establish a private connection between your virtual private cloud (VPC) and the Amazon EFS API, you can create an interface VPC endpoint. The endpoint provides secure connectivity to the Amazon EFS API without requiring an internet gateway, NAT instance, or virtual private network (VPN) connection. For more information, see Interface VPC Endpoints in the Amazon VPC User Guide.
Interface VPC endpoints are powered by AWS PrivateLink, a feature that enables private communication between AWS services using private IP addresses. To use AWS PrivateLink, create an interface VPC endpoint for Amazon EFS in your VPC using the Amazon VPC console, API, or CLI. Doing this creates an elastic network interface in your subnet with a private IP address that serves Amazon EFS API requests. You can also access a VPC endpoint from on-premises environments or from other VPCs using AWS VPN, AWS Direct Connect, or VPC peering. To learn more, see Accessing Services Through AWS PrivateLink in the Amazon VPC User Guide.
Creating an interface endpoint for Amazon EFS
To create an interface VPC endpoint for Amazon EFS, use one of the following:
- com.amazonaws.region.elasticfilesystem – Creates an endpoint for Amazon EFS API operations.
- com.amazonaws.region.elasticfilesystem-fips – Creates an endpoint for the Amazon EFS API that complies with Federal Information Processing Standard (FIPS) 140-2.
In both names, replace region with the code of the AWS Region the endpoint is created in.
For a complete list of Amazon EFS endpoints, see Amazon Elastic File System in the Amazon Web Services General Reference.
For more information about how to create an interface endpoint, see Creating an interface endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon EFS
To control access to the Amazon EFS API, you can attach an AWS Identity and Access Management (IAM) policy to your VPC endpoint. The policy specifies the following:
- The principal that can perform actions.
- The actions that can be performed.
- The resources on which actions can be performed.
For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.
The following example shows a VPC endpoint policy that denies everyone permission to create an EFS file system through the endpoint. The example policy also grants everyone permission to perform all other actions.
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Action": "elasticfilesystem:CreateFileSystem",
            "Effect": "Deny",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}
For more information, see Using VPC Endpoint Policies in the Amazon VPC User Guide.
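The following added example (not part of the AWS documentation) builds the two EFS service names described above and walks through the endpoint policy with a simplified model of IAM evaluation, to show why the explicit Deny on elasticfilesystem:CreateFileSystem wins over the Allow on "*" while every other EFS call through the endpoint stays allowed. The evaluate function, its "ImplicitDeny" result and the handling of Principal and Condition are this example's own simplifications, not AWS APIs.

```python
import fnmatch

# Constructed copy of the endpoint policy shown on this page: allow everything,
# then explicitly deny CreateFileSystem through the endpoint.
ENDPOINT_POLICY = {
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"},
        {"Action": "elasticfilesystem:CreateFileSystem", "Effect": "Deny",
         "Resource": "*", "Principal": "*"},
    ]
}


def service_name(region, fips=False):
    """Service name to pass when creating the EFS interface endpoint in a Region."""
    suffix = "-fips" if fips else ""
    return f"com.amazonaws.{region}.elasticfilesystem{suffix}"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    """IAM wildcards: '*' matches any run, '?' one character.
    Action names are case-insensitive, resource ARNs are case-sensitive."""
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one API call via the endpoint.

    Simplified (hypothetical) model of IAM evaluation: an explicit Deny wins
    over any Allow, and a call matched by no statement is implicitly denied.
    Principal and Condition are not evaluated (the page's policy uses "*").
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny overrides every Allow
        decision = "Allow"
    return decision
```

Running evaluate against the page's policy returns "Deny" for CreateFileSystem and "Allow" for DescribeFileSystems, which is the behaviour the policy is meant to enforce at the endpoint.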