
How do I mount EFS file systems from another VPC?


I want to mount my Amazon Elastic File System (Amazon EFS) file system from another virtual private cloud (VPC).

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Connect VPCs

Connect the VPC of your NFS client and the VPC of your Amazon EFS file system with a VPC peering connection, or route between them through an AWS Transit Gateway. Either connection allows Amazon Elastic Compute Cloud (Amazon EC2) instances in the same or a different AWS account to reach EFS file systems in another VPC. The network path must be open end to end: the route tables on both sides must carry the peered or transit gateway routes, and the security group on the EFS mount targets must allow inbound NFS (TCP port 2049) from the client's VPC CIDR or security group.

Grant permissions to access and mount the cross-account EFS file system

To grant permissions to access and mount the cross-account EFS file system, add the following statement to your AWS Identity and Access Management (IAM) policy:

{
    "Sid": "EfsPermissions",
    "Effect": "Allow",
    "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientRootAccess"
    ],
    "Resource": "arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id"
}

Note: The preceding example statement allows the IAM role to mount, write to, and have root access on the EFS file system. Grant ClientRootAccess only when the workload needs it; most clients need only ClientMount and ClientWrite. These actions are enforced only when the client mounts with IAM authorization (the mount helper's iam option); an NFS mount without it is governed by the file system policy and network access alone. For a cross-account mount, the identity policy in the client's account is not sufficient by itself: the file system policy (the resource-based policy on the EFS file system in the owning account) must also allow the same actions for the client's principal. If your NFS client is an Amazon EC2 instance, then attach the IAM role to the instance.

Or, use the AWS CLI to assume the IAM role.

Note: The DNS name of an EFS file system resolves only from inside the VPC that contains its mount targets, so the mount helper on a client in another VPC can't resolve it. You must first determine the right mount target IP address for your client, and then configure the client to use it. To mount the EFS file system, use the mount target IP address that's in the same Availability Zone as your NFS client; a mount target in another Availability Zone works over the peered connection, but it adds cross-AZ data transfer charges and ties the mount to a failure domain other than the client's.

Determine your instance's Availability Zone

Complete the following steps:

  1. Open the EC2 console.
  2. Choose Instances.
  3. Select your instance, and then choose Networking.
  4. Under Networking details, find the Availability Zone.

Or, run the describe-availability-zones command from an IAM entity that has read permissions for EC2:

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
aws ec2 describe-availability-zones --zone-names "$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone)"

Example output:

{
    "AvailabilityZones": [
        {
            "State": "available", 
            "ZoneName": "us-east-2b", 
            "Messages": [], 
            "ZoneId": "use2-az2", 
            "RegionName": "us-east-2"
        }
    ]
}

Determine the mount target IP address for the local Availability Zone

Complete the following steps:

  1. Open the EFS console.
  2. Choose File Systems.
  3. Select your file system.
  4. Under Network, note the IP address for your Availability Zone.

Or, run the describe-mount-targets command from an IAM entity that has read permissions for Amazon EFS (elasticfilesystem:DescribeMountTargets). If the file system belongs to another account, run the command with credentials from that account, for example by assuming a role there:

aws efs describe-mount-targets --file-system-id fs-cee4feb7

Note: Replace fs-cee4feb7 with your file system ID.

Example output:

{
    "MountTargets": [
        {
            "MountTargetId": "fsmt-a9c3a1d0", 
            "AvailabilityZoneId": "use2-az2", 
            "NetworkInterfaceId": "eni-048c09a306023eeec", 
            "AvailabilityZoneName": "us-east-2b", 
            "FileSystemId": "fs-cee4feb7", 
            "LifeCycleState": "available", 
            "SubnetId": "subnet-06eb0da37ee82a64f", 
            "OwnerId": "958322738406", 
            "IpAddress": "10.0.2.153"
        }, 
...
        {
            "MountTargetId": "fsmt-b7c3a1ce", 
            "AvailabilityZoneId": "use2-az3", 
            "NetworkInterfaceId": "eni-0edb579d21ed39261", 
            "AvailabilityZoneName": "us-east-2c", 
            "FileSystemId": "fs-cee4feb7", 
            "LifeCycleState": "available", 
            "SubnetId": "subnet-0ee85556822c441af", 
            "OwnerId": "958322738406", 
            "IpAddress": "10.0.3.107"
        }
    ]
}

In the preceding output, note the IP address that corresponds to the mount target in the instance's Availability Zone.

Mount the EFS file system

Complete the following steps:

  1. Run the following command to add a hosts entry to the /etc/hosts file on the NFS client, so that the file system's DNS name resolves to the pinned mount target IP address:
    echo "10.0.2.153 fs-cee4feb7.efs.us-east-2.amazonaws.com" | sudo tee -a /etc/hosts
    Note: Replace 10.0.2.153 with your mount target IP address, fs-cee4feb7 with your file system ID, and us-east-2 with your AWS Region. Check that the name isn't already present before you append, so that repeated runs don't leave duplicate or stale entries.
  2. Use the mount helper (amazon-efs-utils) to mount the EFS file system, with the tls option to encrypt NFS traffic in transit and the iam option so that the instance role's ClientMount and ClientWrite grants are applied. By default, the mount helper uses DNS to resolve the IP address of your mount target. When you mount from another account or VPC, that lookup fails, which is why the /etc/hosts entry from step 1 must point the file system's DNS name at the mount target IP address.
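The whole procedure above (find the client's Availability Zone, pick the same-AZ mount target, pin it in /etc/hosts, then mount) as one script. This is an added example, not the article's or AWS's own code. It assumes the AWS CLI and amazon-efs-utils are installed on the client, that the peering or transit gateway route already exists, that the mount target security group allows TCP 2049 from the client, and that the CLI credentials can call DescribeMountTargets on the file system's account. The function names, the "run" argument, and the mount point are this script's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): mount an EFS file system from a
# client in another VPC by pinning the same-AZ mount target IP in /etc/hosts.
set -eu

# Availability Zone of this instance via IMDSv2 (works where IMDSv1 is disabled).
instance_az() {
  local token
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: ${token}" \
       "http://169.254.169.254/latest/meta-data/placement/availability-zone"
}

# "AZ<TAB>IP" table of available mount targets, one per line. For a file system
# owned by another account, run with credentials (or an assumed role) from that
# account; DescribeMountTargets is an EFS read permission, not an EC2 one.
mount_target_table() {
  local fs_id="$1"
  aws efs describe-mount-targets --file-system-id "$fs_id" \
    --query 'MountTargets[?LifeCycleState==`available`].[AvailabilityZoneName,IpAddress]' \
    --output text
}

# Select the IP for the given AZ from such a table. Returns 1 when the file
# system has no available mount target in the client's AZ, so the caller can
# stop rather than silently mount across Availability Zones.
select_ip_for_az() {
  local az="$1" table="$2"
  printf '%s\n' "$table" | awk -v az="$az" '$1 == az { print $2; found=1; exit } END { exit !found }'
}

# /etc/hosts line that makes the file system DNS name resolve to the pinned IP.
hosts_entry() {
  local ip="$1" fs_id="$2" region="$3"
  printf '%s %s.efs.%s.amazonaws.com\n' "$ip" "$fs_id" "$region"
}

# Live flow: ./efs-cross-vpc-mount.sh run fs-cee4feb7 us-east-2 /mnt/efs
if [ "${1:-}" = "run" ]; then
  fs_id="$2"; region="$3"; mount_point="$4"
  az=$(instance_az)
  ip=$(select_ip_for_az "$az" "$(mount_target_table "$fs_id")") \
    || { echo "no available mount target in $az for $fs_id" >&2; exit 1; }
  entry=$(hosts_entry "$ip" "$fs_id" "$region")
  # Idempotent: do not append a second line for the same DNS name.
  grep -qF "${fs_id}.efs.${region}.amazonaws.com" /etc/hosts \
    || printf '%s\n' "$entry" | sudo tee -a /etc/hosts >/dev/null
  sudo mkdir -p "$mount_point"
  # tls encrypts NFS in transit; iam presents the instance role so the
  # ClientMount/ClientWrite grants in the IAM and file system policies apply.
  sudo mount -t efs -o tls,iam "${fs_id}:/" "$mount_point"
  df -h "$mount_point"
fi
```

Run it with the four arguments shown in the comment; without "run" it only defines the functions, so it can be sourced to reuse select_ip_for_az and hosts_entry elsewhere. If the mount fails after the hosts entry is in place, confirm with `nc -zv <mount target IP> 2049` (or an equivalent TCP probe) that the route and security group actually admit the client before looking at policies.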

If you experience issues when you mount the file system, then see Troubleshooting mount issues.

Related information

Creating file system policies

Mounting EFS file systems from another VPC

Resource-based policy examples for Amazon EFS

AWS OFFICIAL. Updated 4 months ago