Mount EFS from different VPC

0

Based on recommendations from AWS I have created a VPC for each one of my customers (same region, same availability zone and same CIDRs). Within each VPC I create an EFS file system. Everything works fine for the various EFSs and I can mount them on instances launched within the same VPC.

For management purposes (creating initial folders) and to transfer files I need to mount these EFSs on an instance launched from my main VPC. I tried to follow the instructions here to create a peering connection, but I am unable to do this because the two VPCs have overlapping CIDRs. Based on the same walkthrough the same prerequisite is required for the transit gateway.

Is there an alternative approach? I am not a network expert so please bear with me. If I have to use different CIDRs for different VPCs, would I not run out of addresses at some points?

Asked 1 year ago, 1452 views
3 answers
1
Accepted answer

If you have VPCs (or networks in general) with overlapping IP ranges my strongest recommendation in this situation is to use non-overlapping IP ranges. See this blog post for other alternatives but using different IP ranges is by far the cheapest and (despite appearances) the easiest.

When you create a VPC you get to choose how large the IP range for that VPC is. The default /16 (subnet mask: 255.255.0.0) range gives you 65,000 (give or take a few) IP addresses in your VPC. You probably don't need that many. Which means by creating a VPC with a smaller IP range you can have thousands of VPCs before you run out of IP addresses.

AWS Expert, answered 1 year ago
AWS Expert, reviewed 1 year ago
1

It's possible to cope with overlapping CIDRs but it adds complexity. By far the best approach is to avoid overlaps if it's not too late.

Would you run out of addresses? You can fit a lot of VPCs in the RFC 1918 ranges, for example in 10.0.0.0/8 you can fit 4096 /20 VPCs, and you can make VPCs as small as /28 if workable for you, with room for over a million of those.

If that's not enough, EFS doesn't support IPv6 yet but when it does you could consider IPv6-only VPCs - you'll never run out of addresses for those!

A workaround for comms between VPCs with overlapping CIDRs adds complexity as I said. Basically you NAT the addresses, for example:

  • Each VPC has a secondary address block, and these don't overlap.
  • Secondary subnets on the server side contain an ALB front-ending the app.
  • Secondary subnets on the client side contain NAT GWs. Note that the VPC needs an IGW as a prerequisite for NAT GW even if you're not using it for internet traffic.
  • Attach the VPCs to TGW with static routes, no propagation, so you only have routes for the non-overlapping secondary CIDRs.
Expert, answered 1 year ago
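The two answers above make the same point from different angles: the default /16 is far larger than most VPCs need, and a smaller prefix lets you carve thousands of non-overlapping VPCs out of a single RFC 1918 block; the NAT workaround only works if the secondary CIDRs do not collide with anything. The following is an added worked example (not code from either answer or from AWS) that does that arithmetic with Python's standard `ipaddress` module, checks a set of VPCs for overlaps the way VPC peering would, and validates a secondary-CIDR layout for the TGW static-route design. The VPC names and address blocks, including the 100.64.0.0/10 space used for the secondaries, are constructed for illustration.

```python
import ipaddress
from itertools import combinations, islice

# Constructed sample: every customer VPC was created from the same default
# 10.0.0.0/16, so each one collides with the others and with the main VPC.
# Names and addresses are illustrative, not taken from the question.
OVERLAPPING_VPCS = {
    "main": "10.0.0.0/16",
    "customer-a": "10.0.0.0/16",
    "customer-b": "10.0.0.0/16",
}


def vpc_capacity(parent: str, vpc_prefixlen: int) -> int:
    """How many VPCs of size /vpc_prefixlen fit inside parent (e.g. 10.0.0.0/8)."""
    net = ipaddress.ip_network(parent)
    if vpc_prefixlen < net.prefixlen:
        raise ValueError("VPC prefix cannot be larger than the parent block")
    return 2 ** (vpc_prefixlen - net.prefixlen)


def addresses_in(cidr: str) -> int:
    """Raw size of a block; AWS additionally reserves 5 addresses per subnet."""
    return ipaddress.ip_network(cidr).num_addresses


def plan_vpc_cidrs(parent: str, vpc_prefixlen: int, count: int) -> list[str]:
    """Carve `count` consecutive, non-overlapping VPC CIDRs out of parent."""
    net = ipaddress.ip_network(parent)
    if count > vpc_capacity(parent, vpc_prefixlen):
        raise ValueError("parent block is too small for that many VPCs")
    return [str(s) for s in islice(net.subnets(new_prefix=vpc_prefixlen), count)]


def find_overlaps(cidrs: dict[str, str]) -> list[tuple[str, str]]:
    """Every pair of named networks whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(c) for name, c in cidrs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def peering_is_possible(a: str, b: str) -> bool:
    """VPC peering (and TGW route propagation) rejects overlapping CIDRs."""
    return not ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def secondary_cidrs_are_routable(primaries: dict[str, str],
                                 secondaries: dict[str, str]) -> bool:
    """For the NAT workaround the secondary blocks must overlap neither each
    other nor any primary block; otherwise the TGW static routes for the
    secondary CIDRs would be ambiguous. Primary-vs-primary overlaps are the
    known problem and are ignored here."""
    combined = {f"{k}-primary": v for k, v in primaries.items()}
    combined.update({f"{k}-secondary": v for k, v in secondaries.items()})
    return not any(a.endswith("-secondary") or b.endswith("-secondary")
                   for a, b in find_overlaps(combined))


if __name__ == "__main__":
    print("/20 VPCs in 10.0.0.0/8:", vpc_capacity("10.0.0.0/8", 20))
    print("addresses in a /16:", addresses_in("10.0.0.0/16"))
    print("overlaps today:", find_overlaps(OVERLAPPING_VPCS))
    fixed = dict(zip(OVERLAPPING_VPCS, plan_vpc_cidrs("10.0.0.0/8", 20, 3)))
    print("re-planned:", fixed, "overlaps:", find_overlaps(fixed))
```

Running it shows 4096 /20 VPCs in 10.0.0.0/8 and three overlapping pairs in the constructed layout, then a re-planned layout (10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20) with none, which is the cheap fix the accepted answer recommends. If the VPCs already exist and cannot be re-addressed, `secondary_cidrs_are_routable` is the check to run on the secondary blocks before attaching them to the TGW with static routes.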
0

To mount an Amazon Elastic File System (EFS) from a different Virtual Private Cloud (VPC), you will need to set up a VPC peering connection between the two VPCs. Once the peering connection is established, you can mount the EFS file system in the target VPC by specifying its file system ID and the DNS name of the mount target in the other VPC. You may also need to configure the security groups and network access control lists for the mount target and the instances in the target VPC to allow access to the EFS file system.

Bala, answered 1 year ago
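To make the last answer's steps concrete, here is an added example (not code from the answer or from AWS) that checks whether a mount target's security group admits NFS (TCP 2049) from a given client address, and assembles the plain-NFS mount line with the options AWS documents for EFS. When the client sits in a peered VPC, AWS's cross-VPC mounting walkthrough uses the IP address of a mount target rather than the file system's DNS name, because that name resolves only inside the file system's own VPC; the function therefore takes an IP. The security-group rules and addresses are constructed for illustration and are not from the page.

```python
import ipaddress

NFS_PORT = 2049

# Constructed sample inbound rules on the EFS mount target's security group,
# in the shape the EC2 API returns them (IpProtocol/FromPort/ToPort/CidrIp).
# The CIDRs are illustrative, not taken from the page.
MOUNT_TARGET_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "CidrIp": "10.1.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
]


def nfs_allowed_from(rules: list[dict], client_ip: str) -> bool:
    """True if at least one inbound rule admits TCP 2049 from client_ip.
    IpProtocol "-1" means all traffic and carries no port range."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto == "tcp":
            if not (rule["FromPort"] <= NFS_PORT <= rule["ToPort"]):
                continue
        elif proto != "-1":
            continue  # udp/icmp rules never satisfy an NFS mount
        if ip in ipaddress.ip_network(rule["CidrIp"]):
            return True
    return False


def efs_mount_command(mount_target_ip: str, mount_point: str = "/mnt/efs") -> str:
    """Build the NFS mount line using the options AWS documents for EFS.
    The mount target is addressed by IP because its DNS name does not
    resolve from a different VPC."""
    ipaddress.ip_address(mount_target_ip)  # raises if this is not an IP address
    opts = ("nfsvers=4.1,rsize=1048576,wsize=1048576,"
            "hard,timeo=600,retrans=2,noresvport")
    return f"sudo mount -t nfs4 -o {opts} {mount_target_ip}:/ {mount_point}"


if __name__ == "__main__":
    for client in ("10.1.5.4", "10.2.0.1"):
        print(client, "->", nfs_allowed_from(MOUNT_TARGET_SG_RULES, client))
    print(efs_mount_command("10.1.200.10"))  # hypothetical mount target IP
```

The check only covers the security group on the mount target; the instance's own outbound rules and any network ACLs on both subnets must also permit TCP 2049, and the peering route tables must carry routes for each other's CIDR, which is exactly what fails when the CIDRs overlap.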
